The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.
To start using Catalyst Center, you must first configure the system settings. This allows the server to communicate outside the network, ensures secure communications, authenticates users, and supports other key tasks. Use the procedures in this chapter to configure the system settings.
 Note |
|
Catalyst Center supports role-based access control (RBAC). Your permissions are defined by your user role. Catalyst Center has three main default user roles:
SUPER-ADMIN-ROLE
NETWORK-ADMIN-ROLE, and
OBSERVER-ROLE.
The SUPER-ADMIN-ROLE allows comprehensive access and supports creating and assigning custom roles in the Catalyst Center GUI. The NETWORK-ADMIN-ROLE and the OBSERVER-ROLE provide limited access.
If your user profile is assigned a restrictive role, you may have limited access to certain actions in Catalyst Center. For more information, contact your system administrator or see Configure role-based access control.
The System 360 tab provides at-a-glance information about Catalyst Center.
|
Step 1 |
From the main menu, choose . |
||||||||||||||
|
Step 2 |
On the System 360 dashboard, review the following displayed data metrics: Cluster
System Management
Externally Connected Systems Displays information about external network services used by Catalyst Center.
|
||||||||||||||
|
Step 3 |
Click System Health and review the topology of your Catalyst Center appliances and the external systems that are connected to your network. For more information about the System Health window, see View the system topology. |
The System 360 tab provides detailed information about the app stacks and services running on Catalyst Center. You can use this information to assist in troubleshooting issues with specific applications or services. For example, if you are having issues with Assurance, you can view monitoring data and logs for the NDP app stack and its component services.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
In System 360 window, click Service Explorer tab.
|
|
Step 3 |
Click the service to launch the Service 360 view. The details include:
|
|
Step 4 |
Enter the service name in the Search field to search the services listed in the table. |
|
Step 5 |
Click the filter icon in the services table to filter services by app stack name, service status (Up, Down, or In Progress), or managed service. |
From the System Health page, you can monitor the health of the physical components on your Catalyst Center appliances and monitor any issues that may occur. Refer to the included topics, which describe how to enable this functionality and use it in your production environment.
To enable the System Health page, you must establish connectivity with Cisco Integrated Management Controller (Cisco IMC), which collects health information for your appliances' hardware. Complete this procedure.
Users with SUPER-ADMIN-ROLE permissions or CUSTOM-ROLE with "Write" permission to System Settings can configure Cisco IMC connectivity settings for an appliance.
|
Step 1 |
From the main menu, choose . The IP address of each appliance in your cluster is listed in the Catalyst Center Address column.  |
|
Step 2 |
Enter the information required to log in to Cisco IMC:
|
To delete the Cisco IMC connectivity settings configured for a particular appliance, complete this procedure.
Users with SUPER-ADMIN-ROLE permissions or CUSTOM-ROLE with "Write" permission to System Settings can delete these settings.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
To delete settings for an appliance, click the corresponding delete icon ( |
|
Step 3 |
In the confirmation window, click OK. |
After you establish connectivity with Cisco IMC, Catalyst Center collects event information from Cisco IMC and stores this information as raw system events. The rules engine then processes these raw events and converts them into system event notifications that are displayed in the System Health topology. Complete the procedure described in the "Work with Event Notifications" topic of the Cisco Catalyst Center Platform User Guide, to receive these notifications in one of the available formats. When completing this procedure, select and subscribe to these events:
|
Event name |
Event ID |
Domain |
Sub domain |
Description |
||
|---|---|---|---|---|---|---|
|
System Backup v2 |
SYSTEM-BACKUP-v2 |
System |
System Backup |
A notification is sent when the backup operation fails. |
||
|
System Restore v2 |
SYSTEM-RESTORE-v2 |
System |
System Restore |
The event is generated on failure during restore operation. |
||
|
System Software Upgrade v2 |
SYSTEM-SOFTWARE-UPGRADE-v2 |
System |
System Software Upgrade |
A notification is sent when the software upgrade operation fails. |
||
|
Disaster Recovery health status v2 |
SYSTEM-DISASTER-RECOVERY-v2 |
System |
Disaster Recovery |
A notification is sent when the state of the disaster recovery system changes. |
||
|
CMX connectivity failure v2 |
SYSTEM-EXTERNAL-CMX-v2 |
External Integrations |
CMX Connectivity |
A notification is sent when there's no connectivity with CMX. |
||
|
External IPAM provider connectivity failure v2 |
SYSTEM-EXTERNAL-IPAM-v2 |
External Integrations |
IPAM Integration |
A notification is sent when there's no connectivity with an external IPAM provider. |
||
|
ISE AAA trust establishment failure v2 |
SYSTEM-EXTERNAL-ISE-AAA-TRUST-v2 |
External Integrations |
Cisco ISE AAA Trust Establishment |
A notification is sent when the ISE AAA trust establishment fails. |
||
|
ISE PAN ERS connectivity failure v2 |
SYSTEM-EXTERNAL-ISE-PAN-ERS-v2 |
External Integrations |
Cisco ISE PAN ERS Connectivity |
A notification is sent when there is no connectivity with the Cisco ISE primary and secondary PAN ERS. |
||
|
ISE PxGrid health state change notification v2 |
SYSTEM-EXTERNAL-ISE-PXGRID-v2 |
External Integrations |
Cisco pxGrid |
A notification is sent when the health state of Cisco ISE PxGrid connections changes. |
||
|
External ITSM provider connectivity failure v2 |
SYSTEM-EXTERNAL-ITSM-v2 |
External Integrations |
ITSM Integration |
A notification is sent when there's no connectivity with an external ITSM provider. |
||
|
Certificate Status Notification v2 |
SYSTEM-CERTIFICATE-v2 |
System |
System Certificate |
A notification is sent when a system certificate, built-in certificate, proxy certificate, disaster recovery certificate, or a third-party trusted certificate expires, is revoked, or will expire in less than 90 days. |
||
|
Cisco IMC Certificate Status Notification v2 |
CISCO-IMC-CERTIFICATE-v2 |
Appliance |
Cisco IMC Certificate |
A notification is sent when the Cisco IMC certificate has expired, been revoked, or will expire in less than 90 days. |
||
|
Cisco IMC Connectivity status v2 |
CISCO-IMC-v2 |
Appliance |
Cisco IMC |
A notification is sent whenever Cisco IMC's connectivity status changes. |
||
|
System Appliance Configuration Status Notification v2 |
CISCO-IMC-CONFIGURATION-v2 |
Appliance |
Cisco IMC Configuration |
A notification is sent when the Cisco IMC hardware configurations are not compliant with the Cisco standards. |
||
|
System Hardware health status v2 |
CISCO-IMC-HARDWARE-v2 |
Appliance |
Cisco IMC Hardware Health Status |
A notification is sent when the health status of any hardware component changes. Supported hardware components include:
|
||
|
System managed services v2 |
SYSTEM-MANAGED-SERVICES-v2 |
System |
System Managed Services |
A notification is sent when the status of a platform-provided managed service changes.
|
||
|
System Performance: Filesystem Utilization v2 |
SYSTEM-PERFORMANCE-v2: |
System |
System Performance: Filesystem Utilization |
A notification is sent when filesystem (partition) utilization is approaching capacity. |
||
|
System Scale Limits v2 |
SYSTEM-SCALE-LIMITS-v2: |
System |
System Scale Limits |
A notification is sent when scale limits have been exceeded. |
||
|
Application Health v2 |
SYSTEM-APPLICATION-HEALTH-v2 |
System |
Application Health |
A notification is sent when the health state of an application registered for monitoring changes. |
||
|
Cisco Trusted Certificate Update Notifications v2 |
CISCO-TRUSTED-CERTIFICATE-BUNDLE-v2 |
System |
Cisco Trusted Certificates |
A notification is sent when a newer Cisco-trusted certificate bundle is available. |
||
|
Internet URL Accessible Notifications v2 |
INTERNET-URL-ACCESS-v2 |
System |
Internet Access |
A notification is sent when Catalyst Center is unable to reach any of the URLs listed in Check required URLs access. |
This table presents the key information that Catalyst Center provides when it generates a system health notification message.
| Subdomain | Tag | Instance | State | Message |
|---|---|---|---|---|
|
Domain: System |
||||
| CPU | CPU | <node-hostname>:CPU-1 | OK |
Catalyst Center CPU-1 is working as expected on <node-hostname> |
| NotOk | Catalyst Center CPU-1 has failed on <node-hostname> | |||
| Disabled | Catalyst Center CPU-1 is disabled on <node-hostname> | |||
| Memory | Memory | <node-hostname>:DIMM_A1 | OK | Catalyst Center RAM DIMM_A1 is working as expected on <node-hostname> |
| NotOk | Catalyst Center RAM DIMM_A1 has failed on <node-hostname> | |||
| Disk | Disk | <node-hostname>:Disk1 | OK | Catalyst Center Disk 2 is working as expected on <node-hostname> |
| NotOk | Catalyst Center Disk 2 has failed on <node-hostname> | |||
| RAID Controller | RAIDController | <node-hostname>:Controller-1 | OK | Catalyst Center RAID VD-2 is working as expected on <node-hostname> |
| NotOk | Catalyst Center RAID VD-2 has degraded on <node-hostname> | |||
| Disabled | Catalyst Center RAID VD-2 is offline on <node-hostname> | |||
| Network Interfaces | NIC | <node-hostname>:nic-1 | OK | Catalyst Center network interfaces are working as expected |
| NotOk | Catalyst Center: <x> network interfaces are missing for <node-hostname>: nic-1 | |||
| PSU_FAN | PSU | <node-hostname>:psu-1 | OK | Catalyst Center power supply (PSU-1) is powered on and thermal condition is normal for <node-hostname> |
| NotOk | Catalyst Center power supply (PSU-2) is powered off and thermal condition is critical for <node-hostname> | |||
| Disaster Recovery | DisasterRecovery | <disaster-recovery-hostname> | OK |
|
| Degraded |
|
|||
| NotOk |
|
|||
| Platform Services | ManagedServices | <hostname>:<name> | OK |
Managed Service <service-name> is Running |
| NOTOK |
Managed Service <service-name> is Interrupted |
|||
| Scale Limits | wired_concurrent_clients | <hostname>:<name> | OK | OK |
| NOTOK | The number of concurrent wired clients exceeded 26250 (105% of limit) | |||
| DEGRADED | The number of concurrent wired clients exceeded 21250 (85% of limit) | |||
| CAUTION | The number of concurrent wired clients exceeded 18750 (75% of limit) | |||
| wireless_concurrent_clients | <hostname>:<name> | OK | OK | |
| NOTOK | The number of concurrent wireless clients exceeded 18750 (75% of limit) | |||
| DEGRADED | The number of concurrent wireless clients exceeded 21250 (85% of limit) | |||
| CAUTION | The number of concurrent wireless clients exceeded 18750 (75% of limit) | |||
| wired_devices | <hostname>:<name> | OK | OK | |
| NOTOK | The number of wired devices exceeded 1050 (105% of limit) | |||
| DEGRADED | The number of wired devices exceeded 850 (85% of limit) | |||
| CAUTION | The number of wired Devices exceeded 750 (75% of limit) | |||
| wireless_devices | <hostname>:<name> | OK | OK | |
| NOTOK | The number of wireless devices exceeded 3800 (105% of limit) | |||
| DEGRADED | The number of wireless devices exceeded 3400 (85% of limit) | |||
| CAUTION | The number of wireless devices exceeded 3000 (75% of limit) | |||
| interfaces | <hostname>:<name> | OK | OK | |
| NOTOK | The number of interfaces exceeded 1140000000 (95% of limit) | |||
| DEGRADED | The number of interfaces exceeded 1020000000 (85% of limit) | |||
| CAUTION | The number of interfaces exceeded 900000000 (75% of limit) | |||
| ippools | <hostname>:<name> | OK | OK | |
| NOTOK | The number of IP pools exceeded 47500 (95% of limit) | |||
| DEGRADED | The number of IP pools exceeded 42500 (85% of limit) | |||
| CAUTION | The number of IP pools exceeded 37500 (75% of limit) | |||
| netflows | <hostname>:<name> | OK | OK | |
| NOTOK | The number of Netflows exceeded 37500 (75% of limit) | |||
| DEGRADED | The number of Netflows exceeded xxx (x% of limit) | |||
| CAUTION | The number of Netflows exceeded yyy (y% of limit) | |||
|
physical_ports |
<hostname>:<name> | OK | OK | |
| NOTOK | The number of physical ports exceeded 50400 (95% of limit) | |||
| DEGRADED | The number of physical ports exceeded 40800 (85% of limit) | |||
| CAUTION | The number of physical ports exceeded 36000 (75% of limit) | |||
| policy | <hostname>:<name> | OK | OK | |
| NOTOK | The number of policies exceeded 23750 (95% of limit) | |||
| DEGRADED | The number of policies exceeded 21250 (85% of limit) | |||
| CAUTION | The number of policies exceeded 18750 (75% of limit) | |||
| security_group | <hostname>:<name> | OK | OK | |
| NOTOK | The number of security groups exceeded 3800 (95% of limit) | |||
| DEGRADED | The number of security groups exceeded 3400 (85% of limit) | |||
| CAUTION | The number of security groups exceeded 3000 (75% of limit) | |||
| sites | <hostname>:<name> | OK | OK | |
| NOTOK | The number of sites exceeded 475 (95% of limit) | |||
| DEGRADED | The number of sites exceeded 425 (85% of limit) | |||
| CAUTION | The number of sites exceeded 375 (75% of limit) | |||
| transient_clients | <hostname>:<name> | OK | OK | |
| NOTOK | The number of transient clients exceeded 71250 (95% of limit) | |||
| DEGRADED | The number of transient clients exceeded 63750 (85% of limit) | |||
| CAUTION | The number of transient clients exceeded 56250 (75% of limit) | |||
| MongoDB | <hostname>:<name> | CRITICAL | The disk usage exceeded 16.58 GB (80% of limit) | |
| Postgres | <hostname>:<name> | CRITICAL | The disk usage exceeded 65.53 GB (80% of limit) | |
| Software Upgrade | Upgrade | <hostname>:<name> | OK | Successfully finished downloading package <package-name> with version <package-version> |
| NOTOK | Catalog package download failed for <package-name> | |||
| Backup | Backup | <hostname>:<name> | OK | The backup completed successfully. |
|
NOTOK |
Failed to backup | |||
| Restore | Restore | <hostname>:<name> | OK | The restore operation completed successfully. |
| NOTOK | The configuration restore operation failed. | |||
|
Domain: Connectivity |
||||
| ISE | ISE_ERS | <Cisco-ISE-hostname> | Success | ISE AAA trust establishment succeeded for ISE server <ISE-server-details> |
| Failed | ISE AAA trust establishment failed for ISE server <ISE-server-details> | |||
|
Domain: Integrations |
||||
| IPAM | IPAM | <IPAM-hostname> | OK | IPAM connection to Catalyst Center established. IPAM <IPAM-IP-address>. |
| Critical | IPAM connection to Catalyst Center offline. IPAM <IPAM-IP-address>. | |||
| ISE | ISE_AAA | <Cisco-ISE-hostname> | Up | ISE AAA trust establishment succeeded for ISE server. ISE <ISE-IP-address> |
| Down | ISE AAA trust establishment failed for ISE server. ISE <ISE-IP-address> | |||
| CMX | CMX | <CMX-hostname> | serviceAvailable | CMX connection to Catalyst Center offline. CMX <CMX-IP-address>. |
| serviceNotAvailable | CMX connection to Catalyst Center offline. CMX <CMX-IP-address>. | |||
| ITSM | ITSM | <ITSM-hostname> | Up | ITSM connection to Catalyst Center offline. ITSM <ITSM-IP-address>. |
| Down | ITSM connection to Catalyst Center offline. ITSM <ITSM-IP-address>. | |||
System Health monitors Catalyst Center appliances. It generates a notification whenever a network component exceeds a particular threshold. The priority of the notification depends on the measured percentage of the threshold.
System Health generates notifications at these threshold percentages:
When 75% of a threshold is exceeded, an information (P3) notification is generated.
When 85% of a threshold is exceeded, a warning (P2) notification is generated.
When 95% of a threshold is exceeded, a critical (P1) notification is generated.
Note |
|
From the System Health window's topology, you can view a graphical representation of your Catalyst Center appliances and the external systems that are connected to your network, such as Cisco Connected Mobile Experiences (Cisco CMX) and Cisco Identity Services Engine (Cisco ISE). You can quickly identify any network components that are experiencing an issue and require further attention.
To display appliance and external system data on this page, complete the tasks described in these topics:
To view this page, click the menu icon and choose , then click the System Health tab. Topology data is polled every 30 seconds. If any new data is received, the topology automatically updates to reflect this data.
Note |
|
When viewing the System Health topology, the minor issue icon (
) and major issue icon (
) indicate network components that require attention. To troubleshoot an issue experienced by a component, place your cursor
over its topology icon. A pop-up window will display this information:
A timestamp that indicates when the issue was detected.
If you are viewing the pop-up window for a Catalyst Center appliance, the Cisco IMC firmware version that is installed on the appliance.
A brief summary of the issue.
The current state or severity of the issue.
The domain, subdomain, and IP address or location associated with the issue.
If you open the pop-up window for a connected external system that has three or more associated servers or a Catalyst Center appliance that has three or more hardware components that are experiencing an issue, the More Details link is displayed. Click the link to open a slide-in pane that lists the relevant servers or components. You can then view information for a specific item by clicking > to maximize its entry.
Note |
You can use the Support Bundle feature to access detailed root cause analysis (RCA) data. For more information about this feature, see the "Generate the Root Cause Analysis File from Catalyst Center" chapter in the Cisco Catalyst Center User Guide. |
If Catalyst Center is currently unable to communicate with an external system, use this procedure to ping that system and troubleshoot the connectivity issue.
Do the following before you complete this procedure:
Install the Machine Reasoning package. See Download and install applications.
Create a role with write permission to the Machine Reasoning function. Assign that role to the user who completes this procedure. To access this parameter in the Create a User Role wizard, expand the System row on the Define the Access page. For more information, see Configure role-based access control.
|
Step 1 |
From the top-right portion of the System Health window, choose to open the Ping Device window. The window lists all the devices that Catalyst Center currently manages. |
|
Step 2 |
Click the radio button for any device whose reachability status is Reachable and then click the Troubleshoot link. The Reasoner Inputs window opens. |
|
Step 3 |
In the Target IP Address field, enter the IP address of the external system that cannot be reached. |
|
Step 4 |
Click Run Machine Reasoning. A dialog box is displayed after Catalyst Center has pinged the external system. |
|
Step 5 |
Click View Details to see whether the ping was successful. |
|
Step 6 |
If the ping failed, click the View Relevant Activities link to open the Activity Details slide-in pane and then click the View Details icon. The Device Command Output window opens, listing possible causes for the inability to reach the external system. |
The Validation Tool tests both the Catalyst Center appliance hardware and connected external systems. It identifies any issues that need to be addressed before they seriously impact your network. The validation process performs multiple checks, such as:
The ability to connect to ciscoconnectdna.com to download system and package updates.
The presence of expiring certificates.
The current health of appliance hardware and back end services.
The network components that have exceeded a scale number threshold.
To access the tool:
From the main menu, choose , and then click the System Health tab.
From the Tools drop-down menu, choose Validation Tool.
The contents of the Validation Tool window depend on whether Catalyst Center has information for any validation runs that completed previously. If it doesn’t, the window looks like this:
If Catalyst Center has validation run information, the window looks like this:
This table describes the components that make up the Validation Tool window and their function when validation run information is available.
| Callout | Description | ||
|---|---|---|---|
|
1 |
Search Table field: Enter a search string to filter the validation runs that are listed on this window. |
||
|
2 |
Add button: Click to open the New Validation Run slide-in pane and enter the required settings for a new run. For more information, see Start a validation run. |
||
|
3 |
|
||
|
4 |
Delete button: With the check box for a validation run checked, click to delete the run. Then click Ok in the Warning dialog box to confirm deletion.
|
||
|
5 |
View Status link: Click to view the details for a particular run. For more information, see View Validation Run Details. |
||
|
6 |
Refresh button: Click to refresh the information that is displayed on this window. |
To start a validation run, complete these steps.
Note |
Only one validation run can take place at a time. If a validation run is already in progress, wait for it to complete before starting another run. |
|
Step 1 |
Do one of these tasks in the Validation Tool window, depending on whether the Validation Runs table is displayed:
The New Validation Run slide-in pane opens. |
|
Step 2 |
In the Name field, enter a name for the validation run. Enter a unique name that contains only alphanumeric characters. Do not use special characters. |
|
Step 3 |
(Optional) In the Description field, enter a brief description for the validation run you’re about to start. You can enter a description that contains a maximum of 250 characters. |
|
Step 4 |
In the Validation Set(s) Selection area, check the check box for the validation sets you want to run. You can maximize a validation set to view the checks it makes. |
|
Step 5 |
Click Run. |
From the Validation Run Details slide-in pane, you can view the checks that were made during the selected run, completion status, duration, and any other relevant information.
From here, you can also do these tasks:
To filter the information that’s provided, in the Search Table field, enter a search string.
To download the contents of this pane as a JSON file, click Export.
To copy the contents of this pane, click Copy.
Validation sets should be updated whenever you upgrade Catalyst Center. In case you need to update validation sets manually, do this procedure:
|
Step 1 |
From the main menu, choose .  |
|
Step 2 |
Click the Validation Catalog tab. |
|
Step 3 |
Click Download Latest to download a local copy of the latest available validation sets. |
|
Step 4 |
Import the validation set to Catalyst Center:
|
These tables list the various notifications that are displayed in the system topology of the System Health page for your Catalyst Center appliances and any connected external systems. Notifications are grouped by their corresponding severity:
Severity 1 (Error): Indicates a critical error, such as a disabled RAID controller or faulty power supply.
Severity 2 (Warning): Indicates an issue, such as the inability to establish trust with a Cisco ISE server.
Severity 3 (Success): Indicates that a server or hardware component is operating as expected.
Note |
If all the hardware components on an appliance are operating without any issues, an individual notification is not provided for each component. Instead, an OK notification is displayed. |
| Component | Severity 1 notification | Severity 2 notification | Severity 3 notification |
|---|---|---|---|
|
CPU |
Processor CPU1 (SerialNumber - xxxxxx) State is Disabled |
Processor CPU1 (SerialNumber - xxxxxx) Health is NotOk and State is Enabled |
Processor CPU1 (SerialNumber - xxxxxx) Health is Ok and State is Enabled |
|
Disk |
Driver - PD1 State is Disabled |
Driver - PD1 Health is Critical and State is Enabled |
Driver - PD1 Health is Ok and State is Enabled |
|
MemoryV1 |
Memory Summary (TOTALSYSTEMMEMORYGIB - 256) Health is NotOk |
— |
Memory Summary (TOTALSYSTEMMEMORYGIB - 256) Health is Ok |
|
MemoryV2 |
Storage DIMM1 (SerialNumber - xxxxx) Status is NotOperable |
— |
Storage DIMM1 (SerialNumber - xxxxx) Status is Operable |
|
NIC |
NIC Adapter Card MLOM State is Disabled |
NIC Adapter Card MLOM State is Enabled and port0 is Down |
NIC Adapter Card MLOM State is Enabled and port0 is Up |
|
Power supply |
Power Supply PSU1 (SerialNumber - xxxx) State is Disabled |
— |
Power Supply PSU1 (SerialNumber - xxxx) State is Enabled |
|
RAID |
Cisco 12G SAS Modular Raid Controller (SerialNumber - xxxxx) State is Disabled |
Cisco 12G SAS Modular Raid Controller (SerialNumber - xxxxx) Health is NotOK and State is Enabled |
Cisco 12G SAS Modular Raid Controller (SerialNumber - xxxxx) Health is OK and State is Enabled |
| Component | Severity 1 notification | Severity 2 notification | Severity 3 notification |
|---|---|---|---|
|
Cisco Connected Mobile Experiences (CMX) server |
— |
There is a critical issue with the integrated CMX server. |
CMX server is integrated and servicing. |
|
IP address management (IPAM) server |
There is a critical issue with the connected third-party IPAM provider |
— |
|
|
Cisco ISE—External RESTful Services (ERS) |
— |
ISE PAN ERS connection: ISE ERS API call unauthorized |
ISE PAN ERS connection: ERS reachability with ISE - Success |
|
Cisco ISE—Trust |
— |
ISE AAA Trust Establishment: Trust Establishment Error |
ISE AAA Trust Establishment: Successfully established trust and discovered PSNs from PAN |
|
IT service management (ITSM) server |
ServiceNow connection health status is not up and running |
— |
ServiceNow connection health status is up and running |
System Health monitors disk use by all nodes in your system. When disk use on any node reaches a level that could impact network operations, System Health automatically sends a notification.
When disk use exceeds 75 percent, a warning notification is sent.
When disk use exceeds 85 percent, a critical notification is sent.
To configure and subscribe to these notifications, complete the steps described in the "Work with Event Notifications" topic of the Catalyst Center Platform User Guide. When completing this procedure, select and subscribe to the System Performance: Filesystem Utilization event.
Note |
|
Catalyst Center checks daily for certificates that have been revoked, expired, or will expire in the near future. If you want to receive notifications whenever one of these events takes place, subscribe to the SYSTEM-CERTIFICATE-v2 and CISCO-IMC-CERTIFICATE-v2 events (see Subscribe to system event notifications). In addition to the notifications you receive in the format of your choosing, Catalyst Center also updates the System Health window's topology to indicate certificate events. To view these notifications, place your cursor over an appliance. If available, you can also click the More Details link to view notifications in the Appliance Details slide-in pane.
Catalyst Center supports the storage and update of the Cisco trusted certificate bundle (ios.p7b) from the Cisco PKI web site. This bundle, which comes preinstalled with Catalyst Center, enables supported Cisco networking devices to authenticate the controller and its applications (such as Network Plug and Play) upon the presentation of a valid third-party vendor device certificate. Catalyst Center checks the status of the certificate bundle's third-party certificates individually. For Cisco-signed certificates, the system checks if a newer version of the bundle is available to download. To receive notifications when a third-party certificate or the trusted certificate bundle requires an update, subscribe to the CISCO-TRUSTED-CERTIFICATE-BUNDLE-v2 event.
Catalyst Center confirms whether these URLs are reachable:
http://validation.identrust.com/crl/hydrantidcao1.crl
http://commercial.ocsp.identrust.com
https://www.ciscoconnectdna.com
https://cdn.ciscoconnectdna.com
https://registry.ciscoconnectdna.com
https://registry-cdn.ciscoconnectdna.com
When any of these URLs are unreachable (especially the first two listed, as they're used to check the revocation status of system certificates), it could impact network operations. Subscribe to the INTERNET-URL-ACCESS-v2 event to receive a notification when this happens.
This table lists the issues that you’ll most likely encounter while monitoring the health of your system and suggests actions you can take to remedy those issues.
| Component | Subcomponent | Issue | Suggested actions |
|---|---|---|---|
|
Cisco ISE |
External RESTful Services (ERS)—Reachability |
Timeout elapsed (possibly because the Cisco ISE ERS API load threshold has been exceeded). |
|
|
Unable to establish a connection with Cisco ISE. |
|
||
|
ERS—Availability |
No response to ERS API call. |
|
|
|
ERS—Authentication |
Cisco ISE ERS API call is unauthorized. |
Check whether the AAA settings credentials and the Cisco ISE credentials are the same. |
|
|
ERS—Configuration |
Cisco ISE certificate has been changed. |
From the Catalyst Center GUI, reestablish trust. For more information, see the "Enable PKI in Cisco ISE" topic in the Cisco Identity Services Engine Administrator Guide. |
|
|
ERS—Unclassified/Generic Error |
An undefined diagnostic error occurred. |
|
|
|
Trust—Reachability |
Unable to establish an HTTPS connection. |
Check whether the AAA settings credentials and the Cisco ISE credentials are the same. |
|
|
The Catalyst Center endpoint URL configured for Cisco ISE certificate chain uploads is unreachable. |
|
||
|
Trust—Configuration |
Invalid Cisco ISE certificate chain. |
|
|
|
The Catalyst Center endpoint URL configured for Cisco ISE certificate chain uploads is forbidden. |
|
||
|
Trust—Authentication |
The Cisco ISE password has expired. |
|
|
|
Trust—Unclassified/Generic Error |
An undefined diagnostic error occurred. |
|
|
|
Cisco Connected Mobile Experiences (CMX) server IP address management (IPAM) server IT service management (ITSM) server |
Reachability |
Unable to establish connectivity with the server. |
Check whether the server in question is currently down. |
|
Authentication |
Unable to log in to the server. |
Confirm that the correct login credentials are configured in Catalyst Center. |
|
|
Hardware |
Disk |
The specified hardware component is experiencing an issue. |
Replace the faulty component. |
|
Fan |
|||
|
Power supply |
|||
|
Memory module |
|||
|
CPU |
|||
|
Networking card |
|||
|
RAID controller |
|||
|
Networking |
Interfaces are missing. |
|
|
|
System configuration |
Hardware configuration |
You cannot specify write-back as the write cache policy for the Catalyst Center <IP_address> virtual drive. The write policy must be write-through. |
|
|
System resources |
Storage |
The specified mount directory is full. |
|
We recommend that you perform a graceful shutdown of Catalyst Center when replacing hardware peripherals such as DIMMs, CPUs, or a single solid-state drive (SSD) during a return materials authorization (RMA) procedure.
If a directly linked switch in the Layer 2 network is undergoing maintenance without a fallback (HA) mechanism to uphold network service, we recommend that you perform a graceful shutdown. To achieve Layer 2 network redundancy, see "NIC Bonding Overview" in the Cisco Catalyst Center Appliance Installation Guide.
Cisco ISE has three use cases with Catalyst Center:
Cisco ISE can be used as a AAA (pronounced "triple A") server for user, device, and client authentication. If you are not using access control policies, or are not using Cisco ISE as a AAA server for device authentication, you do not have to install and configure Cisco ISE.
Access control policies use Cisco ISE to enforce access control. Before you create and use access control policies, integrate Catalyst Center and Cisco ISE. The process involves installing and configuring Cisco ISE with specific services, and configuring Cisco ISE settings in Catalyst Center. For more information about installing and configuring Cisco ISE with Catalyst Center, see the Cisco Catalyst Center Installation Guide.
If your network uses Cisco ISE for user authentication, configure Assurance for Cisco ISE integration. This integration lets you see more information about wired clients, such as the username and operating system, in Assurance. For more information, see "About Cisco ISE Configuration for Catalyst Center" in the Cisco Catalyst Assurance User Guide.
After Cisco ISE is successfully registered and its trust established with Catalyst Center, Catalyst Center shares information with Cisco ISE. Catalyst Center devices that are assigned to a site that is configured with Cisco ISE as its AAA server have their inventory data propagated to Cisco ISE. Additionally, any updates to the following settings on these devices in Catalyst Center also updates Cisco ISE with the changes:
Device hostname
AAA server configurations under .
Device credentials
Device Loopback0 IP address
Device management IP address
Network Device Group (NDG) tag associated with the device
If a Catalyst Center device associated to a site with Cisco ISE as its AAA server is not propagated to Cisco ISE as expected, Catalyst Center automatically retries after waiting for a specific time interval. This subsequent attempt occurs when the initial Catalyst Center device push to Cisco ISE fails due to any networking issue, Cisco ISE downtime, or any other auto correctable errors. Catalyst Center attempts to establish eventual consistency with Cisco ISE by retrying to add the device or update its data to Cisco ISE. However, a retry is not attempted if the failure to propagate the device or device data to Cisco ISE is due to a rejection from Cisco ISE itself, as an input validation error.
If you change the RADIUS shared secret for Cisco ISE, Cisco ISE does not update Catalyst Center with the changes. To update the shared secret in Catalyst Center to match Cisco ISE, edit the AAA server with the new password. Catalyst Center downloads the new certificate from Cisco ISE, and updates Catalyst Center.
Cisco ISE does not share existing device information with Catalyst Center. The only way for Catalyst Center to know about the devices in Cisco ISE is if the devices have the same name in Catalyst Center; Catalyst Center and Cisco ISE uniquely identify devices for this integration through the device's hostname variable.
Note |
The process that propagates Catalyst Center inventory devices to Cisco ISE and updates the changes to it are all captured in the Catalyst Center audit logs. If there are any issues in the Catalyst Center-to-Cisco ISE workflow, view the audit logs in the Catalyst Center GUI for information. |
Catalyst Center integrates with the primary Administration ISE node. When you access Cisco ISE from Catalyst Center, you connect with this node.
Catalyst Center polls Cisco ISE every 15 minutes. If the Cisco ISE server is down, Catalyst Center shows the Cisco ISE server as red (unreachable).
When the Cisco ISE server is unreachable, Catalyst Center increases polling to 15 seconds, and then doubles the polling time to 30 seconds, 1 minute, 2 minutes, 4 minutes, and so on, until it reaches the maximum polling time of 15 minutes. Catalyst Center continues to poll every 15 minutes for 3 days. If Catalyst Center does not regain connectivity, it stops polling and updates the Cisco ISE server status to Untrusted. If this happens, you must reestablish trust between Catalyst Center and the Cisco ISE server.
Network Device Group (NDG) tags, which are prefixed with NDG:, are reflected in Cisco ISE.
When you delete devices integrated with Cisco ISE, those deleted devices are moved to the new NDG group in Cisco ISE.
Review the following additional requirements and recommendations to verify Catalyst Center and Cisco ISE integration:
Catalyst Center and Cisco ISE integration is not supported over a proxy server. If you have Cisco ISE configured with a proxy server in your network, configure Catalyst Center such that it does not use the proxy server; it can do this by bypassing the proxy server's IP address.
Catalyst Center and Cisco ISE integration is not supported through a Catalyst Center virtual IP address (VIP). If you are using an enterprise CA-issued certificate for Catalyst Center, make sure the Catalyst Center certificate includes the IP addresses of all interfaces on Catalyst Center in the Subject Alternative Name (SAN) extension. If Catalyst Center is a three-node cluster, the IP addresses of all interfaces from all three nodes must be included in the SAN extension of the Catalyst Center certificate.
You must have Admin-level access in Cisco ISE.
Disable password expiry for the Admin user in Cisco ISE. Alternatively, make sure that you update the password before it expires.
When the Cisco ISE certificate changes, Catalyst Center must be updated. To do that, edit the AAA server (Cisco ISE), reenter the password, and save. This forces Catalyst Center to download the certificate chain for the new admin certificate from Cisco ISE, and update Catalyst Center. If you are using Cisco ISE in HA mode, and the admin certificate changes on either the primary or secondary administrative node, you must update Catalyst Center.
Catalyst Center configures certificates for itself and for Cisco ISE to connect over pxGrid. You can use other certificates with pxGrid for connections to other pxGrid clients, such as Firepower. These other connections do not interfere with the Catalyst Center and Cisco ISE pxGrid connection.
You can change the RADIUS secret password. You provided the secret password when you configured Cisco ISE as a AAA server under . To change the secret password, choose and click the Change Shared Secret link. This causes Cisco ISE to use the new secret password when connecting to network devices managed by Catalyst Center.
In distributed Cisco ISE clusters, each node performs only certain functions, such as PAN (Admin), MnT (Monitoring and Troubleshooting), or PSN (Policy Service). It is possible to have only Admin certificate usage on PAN nodes, and only EAP Authentication certificate usage on PSN nodes. However, this configuration prevents Catalyst Center and Cisco ISE integration for pxGrid. Therefore, we recommend that you enable EAP Authentication certificate usage on the Cisco ISE primary PAN node.
To ensure that Catalyst Center recognizes a PSN after it's been upgraded, you must do the following:
Readd the PAN that's associated with the PSN. In the Cisco Identity Services Engine Administrator Guide, see "Configure a Primary Policy Administration Node."
Reintegrate Cisco ISE with Catalyst Center. In the Cisco Catalyst Center Installation Guide, see the "Integrate Cisco ISE with Catalyst Center" topic.
Catalyst Center supports certificate revocation checks via CRL Distribution Point (CDP) and Online Certificate Status Protocol (OCSP). During integration, Catalyst Center receives the Cisco ISE admin certificate over port 9060 and verifies its validity based on the CDP and OCSP URLs inside that Cisco ISE admin certificate. If both CDP (which contains a list of CRLs) and OCSP are configured, Catalyst Center uses OCSP to verify the revocation status of the certificate and falls back to CDP if the OCSP URL is not accessible. If there are multiple CRLs present in CDP, Catalyst Center contacts the next CRL if the first CRL is not reachable. However, due to a JDK PKI Oracle bug, the system does not check for all CRL entries.
Proxy is not supported for certificate verification. Catalyst Center contacts the CRL and OCSP servers without proxy.
OCSP and CRL entries are optional in the certificate.
LDAP is not supported as a protocol for certificate validation. Do not include LDAP URLs in CDP or AIA extensions.
All URLs in CDP and OCSP must be reachable from Catalyst Center. Unreachable URLs can cause a poor integration experience, including a failed integration.
The Cisco ISE certificates' subject name and issuer must adhere to ASN.1 PrintableString characters, where only spaces and the following characters are allowed: A – Z, a – z, 0 – 9, ‘ ( ) + , - . / : = ?
Catalyst Center allows you to anonymize wired and wireless endpoints data. You can scramble personally identifiable data, such as the user ID, and device hostname of wired and wireless endpoints.
Ensure that you enable anonymization before you run Discovery. If you anonymize the data after you run Discovery, the new data coming into the system is anonymized, but the existing data isn’t anonymized.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
In the Anonymize Data window, check the Enable Anonymization check box. |
|
Step 3 |
Click Save. |
Catalyst Center uses AAA servers for user authentication and Cisco ISE for both user authentication and access control. Use this procedure to configure AAA servers, including Cisco ISE.
If you are using Cisco ISE to perform both policy and AAA functions, make sure that Catalyst Center and Cisco ISE are integrated.
If you are using another product (not Cisco ISE) to perform AAA functions, make sure to do these task:
Register Catalyst Center with the AAA server, including defining the shared secret on both the AAA server and Catalyst Center.
Define an attribute name for Catalyst Center on the AAA server.
For a Catalyst Center multihost cluster configuration, define all individual host IP addresses and the virtual IP address for the multihost cluster on the AAA server.
Before you configure Cisco ISE, confirm that:
You have deployed Cisco ISE on your network. For information on supported Cisco ISE versions, see the Cisco Catalyst Center Compatibility Matrix. For information on installing Cisco ISE, see the Cisco Identity Services Engine Install and Upgrade guides.
If you have a standalone Cisco ISE deployment, you must integrate Catalyst Center with the Cisco ISE node and enable the pxGrid service and External RESTful Services (ERS) on that node.
If you have a distributed Cisco ISE deployment:
You must integrate Catalyst Center with the primary policy administration node (PAN), and enable ERS on the PAN.
Note |
We recommend that you use ERS through the PAN. However, for backup, you can enable ERS on the Policy Service Nodes (PSNs). |
You must enable the pxGrid service on one of the Cisco ISE nodes within the distributed deployment. Although you can decide to do so, you do not have to enable pxGrid on the PAN. You can enable pxGrid on any Cisco ISE node in your distributed deployment.
The PSNs that you configure in Cisco ISE to handle TrustSec or SD Access content and Protected Access Credentials (PACs) must also be defined in . For more information, see the Cisco Identity Services Engine Administrator Guide.
You must enable communication between Catalyst Center and Cisco ISE on these ports: 443, 5222, 8910, and 9060.
The Cisco ISE host on which pxGrid is enabled must be reachable from Catalyst Center on the IP address of the Cisco ISE eth0 interface.
The Cisco ISE node can reach the fabric underlay network via the appliance's NIC.
The Cisco ISE admin node certificate must contain the Cisco ISE IP address or the fully qualified domain name (FQDN) in either the certificate subject name or the Subject Alternative Name (SAN).
The Catalyst Center system certificate must list both the Catalyst Center appliance IP address and FQDN in the SAN field.
|
Step 1 |
From the main menu, choose . |
||||
|
Step 2 |
From the Add drop-down list, select AAA or ISE. |
||||
|
Step 3 |
To configure the primary AAA server, enter this information:
|
||||
|
Step 4 |
To configure a Cisco ISE server, enter these details:
|
||||
|
Step 5 |
Click Advanced Settings and configure the settings:
|
||||
|
Step 6 |
Click Add. |
||||
|
Step 7 |
To add a secondary server, repeat the preceding steps. |
||||
|
Step 8 |
To view the Cisco ISE integration status of a device:
|
Use this procedure to enable the Cisco AI Analytics features to export network event data from network devices and inventory, site hierarchy, and topology data to the Cisco AI Cloud.
Make sure that you have the Advantage software license for Catalyst Center. The AI Network Analytics application is part of the Advantage software license.
Make sure that the latest version of the AI Network Analytics application is installed. See Download and install applications.
Make sure that your network or HTTP proxy is configured to allow outbound HTTPS (TCP 443) access to these cloud hosts:
api.use1.prd.kairos.ciscolabs.com (US East Region)
api.euc1.prd.kairos.ciscolabs.com (EU Central Region)
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Scroll down to External Services and select Cisco AI Analytics. 
|
|
Step 3 |
Do one of these tasks:
|
|
Step 4 |
In the Success dialog box, click Okay.  .
|
|
Step 5 |
(Recommended) In the AI Network Analytics window, click Download Configuration file. |
AI agents use X.509 client certificates to authenticate to the AI Cloud. Certificates are created and signed by the AI Cloud CA upon tenant onboarding to the AI Cloud and remain valid for three years (reduced to one year in August 2021). Before their expiration, client certificates must be renewed to avoid losing cloud connectivity. An automatic certificate renewal mechanism is in place. This mechanism requires that you manually back up the certificate after renewal. The backup is required in case you restore or migrate to a new Catalyst Center.
After renewal, a notification is shown on every AI Analytics window (Peer Comparison, Heatmap, Network Comparison, Trends and Insights) to tell you to back up the new AI Network Analytics configuration.
To disable Cisco AI Network Analytics data collection, you must disable the AI Network Analytics feature:
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Scroll down to External Services and choose Cisco AI Analytics.  ) indicates that the feature is enabled. If the check box is unchecked (  ), the feature is disabled.
|
|
Step 3 |
In the AI Network Analytics area, click the Enable AI Network Analytics toggle button so that it’s unchecked ( |
|
Step 4 |
Click Update. |
|
Step 5 |
To delete your network data from the Cisco AI Network Analytics cloud, contact the Cisco Technical Response Center (TAC) and open a support request. |
|
Step 6 |
If you have misplaced your previous configuration, click Download configuration file. |
Machine Reasoning knowledge packs are step-by-step workflows that are used by the Machine Reasoning Engine (MRE) to identify security issues and improve automated root cause analysis. These knowledge packs are continuously updated as more information is received. The Machine Reasoning Knowledge Base is a repository of these knowledge packs (workflows). To have access to the latest knowledge packs, you can either configure Catalyst Center to automatically update the Machine Reasoning Knowledge Base daily, or you can do a manual update.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Scroll down to External Services and select Machine Reasoning Knowledge Base.
When there’s a new update to the Machine Reasoning Knowledge Base, the AVAILABLE UPDATE area is displayed in the Machine Reasoning Knowledge Base window, which provides the Version and Details about the update.
|
|
Step 3 |
(Recommended) Check the AUTO UPDATE check box to automatically update the Machine Reasoning Knowledge Base. You can perform an automatic update only if Catalyst Center is successfully connected to the Machine Reasoning Engine in the cloud. |
|
Step 4 |
To manually update the Machine Reasoning Knowledge Base in Catalyst Center, do one of these tasks:
|
|
Step 5 |
Check the CISCO CX CLOUD SERVICE FOR NETWORK BUG IDENTIFIER AND SECURITY ADVISORY check box to enable Cisco CX Cloud connection with network bug identifier and security advisory. |
|
Step 6 |
In the Security Advisories Settings area click the RECURRING SCAN toggle button to enable or disable the weekly recurring scan. |
|
Step 7 |
Click the CISCO CX CLOUD toggle button to enable or disable the Cisco CX cloud. |
Complete this procedure to configure the credentials Catalyst Center uses for software image and update downloads. These credentials are the username and password that you use to log in to the Cisco website
Important |
|
Only users with SUPER-ADMIN-ROLE permissions or CUSTOM-ROLE with "Write" permission to System Settings can perform this procedure. For more information, see About user roles.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Configure the Cisco.com user: |
|
Step 3 |
Confirm that the user was configured successfully.
|
To delete the cisco.com credentials that are currently configured for Catalyst Center, complete this procedure.
Note |
|
Only a user with SUPER-ADMIN-ROLE permissions or CUSTOM-ROLE with "Write" permission to System Settings can perform this procedure. For more information, see About user roles.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Click the Delete link. |
|
Step 3 |
In the resulting dialog box, click Delete to confirm the operation. |
Connection mode manages the connections between smart-enabled devices in your network that interact with Catalyst Center and the Cisco Smart Software Manager (SSM). Ensure that you have SUPER-ADMIN access permission to configure the different connection modes.
The SSL certificate for the SSM must include the associated IP address within the SAN field.
|
Step 1 |
From the main menu, choose . Connection modes include:
|
|
Step 2 |
Choose Direct to enable a direct connection to the Cisco SSM cloud. |
|
Step 3 |
If your organization is security sensitive, choose On-Prem CSSM. The on-prem option lets you access a subset of Cisco SSM functionality without using a direct internet connection to manage your licenses with the Cisco SSM cloud. |
|
Step 4 |
Choose Smart proxy to register your smart-enabled devices with the Cisco SSM cloud through Catalyst Center. With this mode, devices do not need a direct connection to the Cisco SSM cloud. Catalyst Center proxies the requests from the device to the Cisco SSM cloud through itself. While provisioning the call-home configuration to the device, if the satellite is configured with FQDN, the FQDN of the satellite is pushed instead of the IP address. |
You can register Catalyst Center as a controller for Cisco Plug and Play (PnP) Connect, in a Cisco Smart Account for redirection services. This lets you synchronize the device inventory from the Cisco PnP Connect cloud portal to PnP in Catalyst Center.
Only a user with SUPER-ADMIN-ROLE or CUSTOM-ROLE with system management permissions can perform this procedure.
In the Smart account, users are assigned roles that specify the functions and authorized to perform:
Smart Account Admin user can access all the Virtual Accounts.
Users can access assigned Virtual Accounts only.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
If you have already configured the Cisco.com user, skip ahead to Step 3. If you haven't, complete these steps: |
|
Step 3 |
Click Register to register a virtual account. |
|
Step 4 |
In the Register Virtual Account window, the Smart Account you configured is displayed in the Select Smart Account drop-down list. You can select an account from the Select Virtual Account drop-down list. |
|
Step 5 |
Click the required IP or FQDN radio button. |
|
Step 6 |
Enter the IP address or FQDN (Fully Qualified Domain Name) of the controller. |
|
Step 7 |
Enter the profile name. A profile is created for the selected virtual account with the configuration that you provided. |
|
Step 8 |
Check the Use as Default Controller Profile check box to register this Catalyst Center controller as the default controller in the Cisco PnP Connect cloud portal. |
|
Step 9 |
Click Register. |
You receive a notification whenever a Plug and Play (PnP) event takes place in Catalyst Center by creating event notifications. See the "Work with Event Notifications" topic in the Cisco Catalyst Center Platform User Guide to configure the supported channels and create event notifications.
Ensure that you create event notifications for these PnP events:
| Event name | Event ID | Description |
|---|---|---|
|
Add device failed |
NETWORK-TASK_FAILURE-3-008 |
Device(s) are not added through single or bulk import. An error occurs when adding devices through single or bulk import. |
|
Add device successful |
NETWORK-TASK_COMPLETE-4-007 |
Device(s) are added through single or bulk import successfully. |
|
Device in error state |
NETWORK-ERROR_1-002 |
Device goes to Error state. |
|
Device in provisioned state |
NETWORK-INFO_4-003 |
Device goes to Provisioned state. |
|
Device stuck in onboarding state |
NETWORK-TASK_PROGRESS-2-006 |
Device is stuck in onboarding state for more than 15 minutes. |
|
Device waiting to be claimed |
NETWORK-INFO_2-001 |
Device reaches Unclaimed state and is ready to be provisioned. |
|
Smart Account sync failed |
NETWORK-TASK_FAILURE-1-005 |
Smart Account sync is failed for some devices. |
|
Smart Account sync successful |
NETWORK-TASK_COMPLETE-4-004 |
Smart Account sync is successful for some devices. |
Cisco Smart Account credentials are used for connecting to your Smart Licensing account. The License Manager tool uses the details of license information from this Smart Account for entitlement and license management.
Important |
Cisco has implemented a new authentication infrastructure. As a result, if you configured Smart Account credentials in a previous release and upgraded to 2.3.7.9 or later, you'll need to reauthenticate the associated Smart Accounts. |
Ensure that you have SUPER-ADMIN-ROLE permissions or CUSTOM-ROLE with "Write" permission to System Settings.
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
Link the appropriate Smart Account user and Smart Account name to your Smart Licensing account: |
||
|
Step 3 |
If you want to change the selected Smart Account Name, click Change. You will be prompted to select the Smart Account that will be used for connecting to your Smart Licensing Account on Cisco SSM cloud.
|
||
|
Step 4 |
Click View all virtual accounts to view all the virtual accounts associated with the Smart Account.
|
||
|
Step 5 |
(Optional) If you want to register smart license-enabled devices automatically to a virtual account, check the Auto register smart license enabled devices check box. A list of virtual accounts associated with the smart account is displayed. |
||
|
Step 6 |
Select the required virtual account. Whenever a smart license-enabled device is added in the inventory, it’s automatically registered to the selected virtual account. |
||
|
Step 7 |
If you want to remove the licensed smart account users and their associated historical data, click Delete historical information. The Delete Historical Data slide-in pane displays the licensed smart account users. It also displays the existing smart accounts that aren’t currently present in Catalyst Center, but their historical data is still available. |
||
|
Step 8 |
In the Smart Account list area check the check box next to the smart account that you want to delete. |
||
|
Step 9 |
Click Delete. |
||
|
Step 10 |
Click Delete in the subsequent confirmation window. |
||
|
Step 11 |
Check the Delete the associated license historical information check box to delete the historical information of the associated license. |
Cisco Smart licensing allows you to register Catalyst Center on to the Cisco SSM.
To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (software.cisco.com).
For a more detailed overview on Cisco licensing, go to cisco.com/go/licensingguide.
Note |
Smart license registration for a Catalyst Center instance is supported using these connection modes:
|
To enable Smart Licensing, you must configure Cisco Credentials (see Configure Cisco credentials) and upload Catalyst Center license conventions in Cisco SSM.
To enable Smart Licensing, you must add a Smart Account in . For more information, see Configure Smart Account.
|
Step 1 |
From the main menu, choose . By default, Smart Account details are displayed. |
|
Step 2 |
Choose a virtual account from the Search Virtual Account drop-down list to register. |
|
Step 3 |
Click Register. |
|
Step 4 |
After successful registration, click the View Available Licenses link to view the available Catalyst Center licenses. |
Device controllability is a system-level process on Catalyst Center that enforces state synchronization for some device-layer features. Its purpose is to aid in the deployment of network settings that Catalyst Center needs to manage devices. Changes are made on network devices when running discovery, when adding a device to inventory, or when assigning a device to a site.
To view the configuration that is pushed to the device, go to and from the Focus drop-down list, choose Provision. In the Provision Status column, click See Details.
Note |
When Catalyst Center configures or updates devices, the transactions are captured in the audit logs, which you can use to track changes and troubleshoot issues. |
Device settings enabled as part of device controllability include:
Device Discovery
SNMP Credentials
NETCONF Credentials
Adding Devices to Inventory
Cisco TrustSec (CTS) Credentials
Note |
Cisco TrustSec (CTS) Credentials are pushed during inventory only if the Global site is configured with Cisco ISE as AAA. Otherwise, CTS is pushed to devices during "Assign to Site" when the site is configured with Cisco ISE as AAA. |
Assigning Devices to a Site
Wired Endpoint Data Collection Enablement
Controller Certificates
Note |
For Cisco IOS devices, we recommend that you configure the time zone from the device UI console to prevent any issues in the processing of PKCS certificate expiry time. |
SNMP Trap Server Definitions
Syslog Server Definitions
Application Visibility
Application QoS Policy
NetFlow Server Definitions
Wireless Service Assurance (WSA)
Wireless Telemetry
DTLS Ciphersuite
AP Impersonation
IPDT Enablement
Device controllability is enabled by default. If you do not want device controllability enabled, disable it manually. For more information, see Configure device controllability.
When device controllability is disabled, Catalyst Center does not configure any of the preceding credentials or features on devices while running discovery or when the devices are assigned to a site.
Circumstances that dictate whether or not device controllability configures network settings on devices include:
Device Discovery: If SNMP and NETCONF credentials are not already present on a device, these settings are configured during the discovery process.
Device in Inventory: After a successful initial inventory collection, IPDT is configured on the devices.
In earlier releases, the following IPDT commands were configured:
) in the 
ip device tracking
ip device tracking probe delay 60
ip device tracking probe use-sviFor each interface:
interface $physicalInterface
ip device tracking maximum 65535In the current release, the following IPDT commands are configured for any newly discovered device:
device-tracking tracking
device-tracking policy IPDT_POLICY
tracking enableFor each interface:
interface $physicalInterface
device-tracking attach-policy IPDT_POLICYDevice in Global Site: When you successfully add, import, or discover a device, Catalyst Center places the device in the Managed state and assigns it to the Global site by default. Even if you have defined SNMP server, Syslog server, and NetFlow collector settings for the Global site, Catalyst Center does not change these settings on the device.
Device Moved to Site: If you move a device from the Global site to a new site that has SNMP server, Syslog server, and NetFlow collector settings configured, Catalyst Center changes these settings on the device to the settings configured for the new site.
Device Removed from Site: If you remove a device from a site, Catalyst Center does not remove the SNMP server, Syslog server, and NetFlow collector settings from the device.
Device Deleted from Catalyst Center: If you delete a device from Catalyst Center and check the Configuration Clean-up check box, the SNMP server, Syslog server, and NetFlow collector settings are removed from the device.
Device Moved from Site to Site: If you move a device—for example, from Site A to Site B—Catalyst Center replaces the SNMP server, Syslog server, and NetFlow collector settings on the device with the settings assigned to Site B.
Update Site Telemetry Changes: The changes made to any settings that are under the scope of device controllability are applied to the network devices during device provisioning or when the Update Telemetry Settings action is performed.
When device controllability is enabled, if Catalyst Center can't connect to the device through the user-provided SNMP credentials and collect device information, Catalyst Center pushes the user-provided SNMP credentials to the device. For SNMPv3, the user is created under the default group.
Note |
For Cisco AireOS devices, the user-provided SNMPv3 passphrase must contain from 12 to 31 characters. |
Device controllability deploys the required network settings that Catalyst Center needs to manage devices. Device controllability is enabled by default.
To manually disable device controllability, use this procedure.
Note |
If you disable device controllability, Catalyst Center doesn't automatically configure discovered devices with essential settings, including SNMP credentials, trap servers, IP Device Tracking (IPDT), NetFlow, Syslog, and NETCONF. If you assign a device to a site after disabling device controllability, Catalyst Center doesn't support out-of-band configuration change notifications and management of APs, because Catalyst Center is no longer registered as a trap receiver on the device. |
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Uncheck the Enable Device Controllability check box. |
|
Step 3 |
To prevent Catalyst Center from automatically correcting any issues identified in device telemetry configuration, leave the Enable autocorrect telemetry config check box unchecked. When autocorrect telemetry is enabled, Catalyst Center automatically detects and resolves certificate issues related to secure communication between devices and Catalyst Center. (This feature doesn’t address configuration issues with NetFlow, NBAR, or CBAR telemetry.) Catalyst Center checks each device for certificate changes every 15 minutes, and each device can be fixed only once within a 24-hour period. By default, this check box is disabled. You can only enable it when device controllability is enabled. |
|
Step 4 |
Click Save. |
You must accept the end-user license agreement (EULA) before you download software or provision a device.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
If you have already configured the Cisco.com user, skip ahead to Step 3. If you haven't, complete these steps: |
|
Step 3 |
Open the Cisco End User License Agreement Supplemental Product Terms link in a new browser tab. |
|
Step 4 |
Open and read the Catalyst Center EULA. |
|
Step 5 |
Check the I have read and accept the Device EULA check box. |
|
Step 6 |
Click Save. |
You can configure retry and timeout values for SNMP.
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Configure these fields:
|
|
Step 3 |
Click Save. |
|
Step 4 |
(Optional) To return to the default settings, click Reset and Save. |
When Internet Control Message Protocol (ICMP) ping is enabled and there are unreachable access points in FlexConnect mode, Catalyst Center uses ICMP to ping these access points every 5 minutes to enhance reachability.
To enable an ICMP ping:
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Check the Enable ICMP ping for unreachable access points in FlexConnect mode check box. |
|
Step 3 |
Click Save. |
Catalyst Center allows you to use the site assigned during the PnP claim as the AP location for PnP onboarding. If you check the Configure AP Location check box, Catalyst Center configures the assigned site as the AP location for PnP onboarding. If you uncheck this check box, use the Configure Access Points workflow to configure the AP location for PnP onboarding. For more information, see "AP Configuration in Catalyst Center" in the Catalyst Center User Guide.
Note |
These settings aren’t applicable during the day-n operations. To configure the AP location for day-n operations, you can use the Configure Access Points workflow. |
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Check the Configure AP Location check box. |
|
Step 3 |
Click Save. |
An image distribution server helps in the storage and distribution of software images. You can configure up to three external image distribution servers to distribute software images. You can also set up one or more protocols for the newly added image distribution servers.
For information about the supported servers, see the "Server Requirements for Automation Data Backup" section in Backup server requirements.
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
In the Image Distribution Servers window, click Servers. The table displays details about the host, username, SFTP, SCP, and connectivity of image distribution servers. |
||
|
Step 3 |
Click Add to add a new image distribution server. The Add a New Image Distribution Server slide-in pane is displayed. |
||
|
Step 4 |
Configure these image distribution server settings:
|
||
|
Step 5 |
Click Save. |
||
|
Step 6 |
Because some legacy wireless controller software versions support only weak ciphers (such as SHA1-based ciphers) for SFTP, Catalyst Center should enable SFTP compatibility mode for SFTP connections from wireless controllers for software image management and wireless assurance. You can temporarily enable support for weak ciphers on the Catalyst Center SFTP server for up to 90 days. To allow weak ciphers:
|
||
|
Step 7 |
(Optional) To edit the settings, click the Edit icon next to the corresponding image distribution server, make the required changes, and click Save. |
||
|
Step 8 |
(Optional) To delete an image distribution server, click the Delete icon next to the corresponding image distribution server and click Delete. |
To enable authorization on a device:
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
From the Device Settings drop-down list, choose PnP Device Authorization.
|
||
|
Step 3 |
Check the Device Authorization check box to enable authorization on the device. |
||
|
Step 4 |
Click Save. |
Catalyst Center allows you to create custom prompts for the username and password. You can configure the devices in your network to use custom prompts and collect information about the devices.
|
Step 1 |
From the main menu, choose . The Device Prompts window opens. |
||
|
Step 2 |
Click Create Custom Prompt. The Create Custom Prompt slide-in pane opens. |
||
|
Step 3 |
To create custom prompts for the username:
|
||
|
Step 4 |
To create custom prompts for the password,:
|
||
|
Step 5 |
Drag and drop the custom prompts in the order that you want.
|
||
|
Step 6 |
Click the edit icon to edit a custom prompt. |
||
|
Step 7 |
Click the delete icon to delete a custom prompt.
|
Catalyst Center performs periodic backup of your device running configuration. You can choose the day and time for the backup and the total number of config drifts that can be saved per device.
Note |
|
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
In the Configuration Archive window, click the Internal tab. |
||
|
Step 3 |
Click the Number of config drift per device drop-down list and choose the number of config drifts to save per device. You can save 7–50 config drifts per device. The total config drifts to save include all the labeled configs for the device.
|
||
|
Step 4 |
Choose the backup day and time. The selected backup date and time is based on the time zone of the Catalyst Center cluster deployed for your network. |
||
|
Step 5 |
Click Save. After the backup is scheduled, you can view it in the activity center. |
||
|
Step 6 |
Click the External tab to configure an external server for archiving the device configuration. For more information, see Configure an external server for archiving device configuration. |
You can configure an external SFTP server for archiving the running configuration of devices.
For information about the supported servers, see the "Server Requirements for Automation Data Backup" section in Backup server requirements.
Confirm that SSH, SFTP, and SCP are enabled on the external server.
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
In the Configuration Archive window, click the External tab. |
||
|
Step 3 |
Click Add to add an External Repository.
|
||
|
Step 4 |
In the Add New External Repository slide-in pane, complete the following details: |
||
|
Step 5 |
Click Save. |
||
|
Step 6 |
To edit the SFTP server details, click the edit button under the Action column. |
||
|
Step 7 |
To remove the SFTP server, click the delete button under the Action column. |
You can register cloud access keys after installing the Cloud Device Provisioning Application package in Catalyst Center. The system supports multiple cloud access keys. Each key is used as a separate cloud profile that contains all the AWS infrastructure constructs or resources that are discovered by using that cloud access key. After a cloud access key is added, an AWS VPC inventory collection is triggered automatically for it. The AWS infrastructure constructs resources that get discovered by VPC inventory collection for that cloud access key that can then be viewed and used for cloud provisioning of CSRs and wireless controllers.
Obtain the access key ID and secret key from the Amazon Web Services (AWS) console.
Subscribe to CSR or wireless controller products in the AWS marketplace and verify the image ID for the target region.
Identify the key pair that CSRs will use during HA failover on AWS. The key pair's name is selected from a list in Catalyst Center when provisioning CSRs in that region.
Identify the IAM role that CSRs will use during HA failover on AWS. The IAM role is selected from a list in Catalyst Center when provisioning CSRs.
Configure the proxy for Catalyst Center to communicate with AWS via HTTPS REST APIs. See Configure the proxy.
The Cloud Connect extension to the eNFV app is enabled by deploying a separate Cloud Device Provisioning Application package. The package is not included by default in the standard Catalyst Center installation. You must download and install the package from a catalog server. For more information, see Download and install applications.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Click Add. |
|
Step 3 |
Enter the Access Key Name and choose the Cloud Platform from the drop-down list. Enter the Access Key ID and Secret Key obtained from the AWS console. |
|
Step 4 |
Click Save and Discover. |
After a cloud access key is added, an AWS VPC inventory collection is triggered automatically for it. It takes several minutes to synchronize with the cloud platform. Inventory collection is scheduled to occur at the default interval.
After successful cloud inventory collection, the Cloud tab in the Provision section provides a view of the collected AWS VPC inventory.
Integrity Verification (IV) monitors key device data for unexpected changes or invalid values that indicate possible compromise, if any of the devices are at risk. It does this by comparing each device's software, hardware, platform, and configuration settings against an authoritative set of Known Good Values (KGV) for these settings for all supported Cisco devices. The objective is to minimize the impact of a compromise by substantially reducing the time to detect unauthorized changes to a Cisco device.
Note |
IV runs integrity verification checks on software images that are uploaded into Catalyst Center. To run these checks, the IV service needs the Known Good Value (KGV) file to be uploaded. |
To provide security integrity, Cisco devices must be verified as running authentic and valid software. Currently, Cisco devices have no point of reference to determine whether they are running authentic Cisco software. IV uses a system to compare the collected image integrity data with the KGV for Cisco software.
Cisco produces and publishes a KGV data file that contains KGVs for many of its products. This KGV file is in standard JSON format, is signed by Cisco, and is bundled with other files into a single KGV file that can be retrieved from the Cisco website. The KGV file is posted at:
https://cscrdr.cloudapps.cisco.com/cscrdr/security/center/files/trust/Cisco_KnownGoodValues.tar
The KGV file is imported into IV and used to verify integrity measurements obtained from the network devices.
Note |
Device integrity measurements are made available to and used entirely within the IV. Connectivity between IV and cisco.com is not required. The KGV file can be air-gap transferred into a protected environment and loaded into the IV. |
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
Review the current KGV file information:
|
||
|
Step 3 |
To import the KGV file, do one of these steps:
|
||
|
Step 4 |
If you clicked Import Latest from Cisco, a connection is made to cisco.com and the latest KGV file is automatically imported to Catalyst Center.
|
||
|
Step 5 |
If you clicked Import New from Local, the Import KGV window appears. |
||
|
Step 6 |
Do one of these procedures to import locally:
|
||
|
Step 7 |
Click Import. The KGV file is imported into Catalyst Center. |
||
|
Step 8 |
After the import is finished, verify the current KGV file information in the GUI to ensure that it has been updated. IV automatically downloads the latest KGV file from cisco.com to your system 7 days after Catalyst Center is deployed. The auto downloads continue every 7 days. You can also download the KGV file manually to your local system and then import it to Catalyst Center. For example, if a new KGV file is available on a Friday and the auto download is every 7 days (on a Monday), you can download it manually. The KGV auto download information that displays includes:
|
After importing the latest KGV file, choose to view the integrity of the imported images.
Note |
The effect of importing a KGV file can be seen in the Image Repository window, if the images that are already imported have an Unable to verify status (physical or virtual). Additionally, future image imports, if any, will also refer to the newly uploaded KGV for verification. |
Catalyst Center allows you to cancel or clear all stale or stuck IV workflows and initiate a new workflow. This feature is asynchronous in nature because it takes some time for the functionality to come into effect.
With the IV KGV file download workflow, you trigger the latest KGV download directly from cisco.com, or you manually upload a new KGV. In addition, a scheduler runs daily to download or update the latest KGV bundle from cisco.com.
If a scheduler IV workflow or a user-triggered IV workflow gets stuck during the KGV file download or during another phase, you cannot submit a new request. Only one IV KGV workflow is allowed at a time. There is no option for you to submit a new request, other than raising a service request and doing a service restart. To overcome this issue, Catalyst Center has introduced a new API that allows you to cancel any stale or stuck IV workflow, clear the task entry associated with the canceled IV workflow, and reset the locking mechanism, which prevents a simultaneous request to submit a new IV workflow request.
Note |
This cancellation function:
|
Catalyst Center periodically compares the operational SD-Access fabric nodes hardware and software attributes against information in the Cisco SD-Access Compatibility Matrix.
Any compatibility issues that are detected will be aggregated and displayed in the SD-Access Compliance state of each fabric site. The fabric site's aggregate Compliance state can be reviewed from the window.
To import or download the latest SD-Access compatibility matrix information:
|
Step 1 |
From the main menu, choose . The SD-Access Compatibility Matrix window displays the information of the compatibility matrix that was last imported.
The date and time of the autodownload is also displayed in the SD-Access Compatibility Matrix window. |
||||
|
Step 2 |
To manually import the SD-Access compatibility matrix file, click the Import Latest From Cisco hyperlink.
|
||||
|
Step 3 |
For air-gapped deployments, the ability to import the SD-Access compatibility matrix file from Cisco is not possible, so Catalyst Center provides the following upload process:
|
Catalyst Center 2.3.7.5 and later releases give you the option to disable SD-Access image compatibility checks.
Note |
Always enable SD-Access image compatibility checks to ensure proper network operations. |
To disable the SD-Access image compatibility checks:
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
On the SD-Access Compatibility Matrix window, click the SD-Access Image Compatibility Checks toggle button so that it is unchecked. |
You can configure Catalyst Center to communicate with an external IP address manager (IPAM). When you use Catalyst Center to create, reserve, or delete any IP address pool, Catalyst Center conveys this information to your external IPAM.
Requirements for external IPAM integration:
Create a role that has write permission to the IPAM function and assign it to the user account used for integration with Catalyst Center.
To enable IP pool creation by LAN automation for point-to-point addressing, the role must include:
For Infoblox: Write permission for Network Views.
For Bluecat: Full access permission for Configurations.
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
In the Server Name field, enter the name of the IPAM server. |
||
|
Step 3 |
In the Server URL field, enter the URL or IP address of the IPAM server. A warning icon and message appear, indicating that the certificate is not trusted for this server. To import the trust certificate directly from the IPAM: |
||
|
Step 4 |
In the Username and Password fields, enter the IPAM credentials. |
||
|
Step 5 |
From the Provider drop-down list, choose a provider.
|
||
|
Step 6 |
From the View drop-down list, choose a default IPAM network view. If you only have one view configured, only default appears in the drop-down list. The network view is created in the IPAM and is used as a container for IP address pools. |
||
|
Step 7 |
If you want to synchronize the IP address pools on Catalyst Center with the IPAM, check the Sync global pools from IP Address Pools to the selected view from IPAM server check box. If you don't want to synchronize the IP pools, leave the check box unchecked.
|
||
|
Step 8 |
Click Save. |
Go to to verify that the certificate has been successfully added.
Note |
In trusted certificates, the certificate is referenced as a third-party trusted certificate. |
Go to and verify the information to ensure that your external IP address manager configuration succeeded.
Catalyst Center provides Webex meeting session information for Client 360.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Click Authenticate to Webex. |
|
Step 3 |
In the Cisco Webex pop-up window, enter the email address and click Sign In. |
|
Step 4 |
Enter the password and click Sign In. Webex authentication is completed successfully. |
|
Step 5 |
Under Default Email Domain for Webex Meetings Sign-In, enter the Webex user email domain and click Save. The Webex domain is organization-wide, and all users who use the domain can host or attend meetings. |
|
Step 6 |
(Optional) Under Authentication Token, click Delete to delete Webex authentication. |
When activated, Catalyst Center provides call quality metrics information for Application 360 and Client 360 dashboards.
You must have a Microsoft Teams account with admin privileges.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
From the Region drop-down list, select the DNA Cloud US region. For the integration to work, Microsoft Teams must be enabled in the same region (DNA Cloud US). |
|
Step 3 |
Click the |
|
Step 4 |
Click Activate. You are redirected to the Cisco Catalyst - Cloud window. |
|
Step 5 |
In the Cisco Catalyst - Cloud window: |
Use this procedure to activate, deactivate, or check the status of MS-Teams integration on the devices through Cisco Cloud Services.
You must have a Microsoft Teams account with admin privileges.
|
Step 1 |
Log in to Cisco Cloud Services with your cisco.com credentials. If you do not have cisco.com credentials, you can create them. |
|
Step 2 |
From the main menu, choose Applications and Products. |
|
Step 3 |
From the Region drop-down list, select the DNA Cloud US region. For the integration to work, Microsoft Teams must be enabled in the same region (DNA Cloud US). |
|
Step 4 |
Click the |
|
Step 5 |
In the AppX MS-Teams tile, click Activate. For details, see Configure an AppX MS-Teams integration. |
|
Step 6 |
After the product is activated, click Exit. |
|
Step 7 |
You are redirected to the Applications window. |
|
Step 8 |
Click the AppX MS-Team tile to view the details in the App 360 window. |
|
Step 9 |
(Optional) To activate products from the App 360 window: |
|
Step 10 |
(Optional) To deactivate the product:
|
|
Step 11 |
(Optional) To disconnect the product from AppX MS-Teams application: |
You can configure Catalyst Center to communicate with an external ThousandEyes API agent to enable ThousandEyes integration using an authentication token. After integration, Catalyst Center provides ThousandEyes agent test data in the Application Health dashboard.
Ensure that you have deployed the ThousandEyes agent through application hosting, which supports Cisco Catalyst 9300 and 9400 Series switches.
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
In the Insert new token here field, enter the authentication token.
|
||
|
Step 3 |
Click Save. |
||
|
Step 4 |
To connect ThousandEyes account to Catalyst Center:
|
||
|
Step 5 |
To disconnect the ThousandEyes, click Disconnect. |
To assist in troubleshooting service issues, you can change the logging level for the Catalyst Center services.
A logging level determines the amount of data that is captured in the log files. Each logging level is cumulative; that is, each level contains all the data generated by the specified level and higher levels, if any. For example, setting the logging level to Info also captures Warn and Error logs. We recommend that you adjust the logging level to assist in troubleshooting issues by capturing more data. For example, by adjusting the logging level, you can capture more data to review in a root cause analysis or RCA support file.
The default logging level for services is informational (Info). You can change the logging level from informational to a different logging level (Debug or Trace) to capture more information.
 Caution |
Due to the type of information that might be disclosed, logs collected at the Debug level or higher should have restricted access. |
Note |
Log files are created and stored in a centralized location on your Catalyst Center host for display in the GUI. From this location, Catalyst Center can query and display logs in the GUI (). Logs are available to query for only the last 2 days. Logs that are older than 2 days are purged automatically from this location. |
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.
|
Step 1 |
From the main menu, choose . The Debugging Logs window is displayed. |
|
Step 2 |
From the Service drop-down list, choose a service to adjust its logging level. The Service drop-down list displays the services that are currently configured and running on Catalyst Center. |
|
Step 3 |
Enter the Logger Name. This is an advanced feature that has been added to control which software components emit messages into the logging framework. Use this feature with care. Misuse of this feature can result in loss of information needed for technical support purposes. Log messages will be written only for the loggers (packages) specified here. By default, the Logger Name includes packages that start with com.cisco. You can enter additional package names as comma-separated values. Do not remove the default values unless you are explicitly directed to do so. Use * to log all packages. |
|
Step 4 |
From the Logging Level drop-down list, choose the new logging level for the service. Catalyst Center supports logging levels in descending order of detail, including:
|
|
Step 5 |
From the Time Out field, choose the time period for the logging level. Configure logging-level time periods in increments of 15 minutes up to an unlimited time period. If you specify an unlimited time period, the default level of logging should be reset each time a troubleshooting activity is completed. |
|
Step 6 |
Review your selection and click Save. |
You can update the polling interval at the global level for all devices by choosing . Or, you can update the polling interval at the device level for a specific device by choosing Device Inventory. When you set the polling interval using the Network Resync Interval, that value takes precedence over the Device Inventory polling interval value.
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.
Make sure that you have devices in your inventory. If not, discover devices using the Discovery feature.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
In the Resync Interval field, enter a new time value (in minutes). |
|
Step 3 |
(Optional) Check the Override for all devices check box to override the existing configured polling interval for all devices. |
|
Step 4 |
Click Save. |
Audit logs capture information about the various applications running on Catalyst Center. Audit logs also capture information about device public key infrastructure (PKI) notifications. The information in these audit logs can be used to help in troubleshooting issues, if any, involving the applications or the device CA certificates.
Audit logs also record system events that occurred, when and where they occurred, and which users initiated them. With audit logging, configuration changes to the system get logged in separate log files for auditing.
|
Step 1 |
From the main menu, choose . The Audit Logs window opens, where you can view logs about the current policies in your network. These policies are applied to network devices by the applications installed on Catalyst Center. |
||
|
Step 2 |
Click the timeline slider to specify the time range of data you want displayed on the window:
|
||
|
Step 3 |
Click the arrow next to an audit log to view the corresponding child audit logs. Each audit log can be a parent to several child audit logs. By clicking the arrow, you can view a series of additional child audit logs.
|
||
|
Step 4 |
(Optional) From the list of audit logs in the left pane, click a specific audit log message. In the right pane, click . With the copied ID, you can use the API to retrieve the audit log message based on the event ID. The audit log displays the Description, User, Interface, and Destination of each policy in the right pane.
|
||
|
Step 5 |
(Optional) Click Filter to filter the log by User ID, Log ID, or Description. |
||
|
Step 6 |
Click the pencil icon to subscribe to the audit log events. A list of syslog servers is displayed. |
||
|
Step 7 |
Check the syslog server check box that you want to connect to and click Save.
|
||
|
Step 8 |
In the right pane, use the Search field to search for specific text in the log message. |
||
|
Step 9 |
From the main menu, choose to view the upcoming, in-progress, completed, and failed tasks (such as operating system updates or device replacements) and existing, pending-review, and failed work items. |
Enabling syslogs for audit logs offers these benefits:
Centralized logging: Collect and store logs in one place for easier monitoring.
Security monitoring: Quickly detect unauthorized or suspicious activities.
Compliance: Maintain tamper-proof records for audits and investigations.
You can export the audit logs from Catalyst Center to multiple syslog servers by connecting to them.
Configure the syslog servers in the area.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
At the top of the window, click the pencil icon. |
|
Step 3 |
Select the syslog servers that you want to connect to and click Save. |
|
Step 4 |
(Optional) To disconnect from a syslog server, deselect it and click Save. |
The Visibility and Control of Configurations feature provides a solution to further secure your planned network configurations before deploying them on to your devices. With enhanced visibility, you can enforce the previewing of device configurations (CLI and NETCONF commands) before deploying them. Visibility is enabled by default. When visibility is enabled, you cannot deploy your device configurations until you review them. With enhanced control, you can send the planned network configurations to IT Service Management (ITSM) for approval. When control is enabled, you cannot deploy the configurations until an IT administrator approves them.
Note |
If a provisioning workflow supports Visibility and Control of Configurations, this banner message displays when you schedule the deployment of your task: This workflow supports enforcing network administrators and other users to preview configurations before deploying them on the network devices. To configure this setting, go to . |
Make sure that ITSM is enabled and configured in Catalyst Center so that you can enable ITSM Approval. For information about how to enable and configure ITSM, see “Configure the Catalyst Center Automation Events for ITSM (ServiceNow) Bundle” in the Catalyst Center ITSM Integration Guide.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Click the Configuration Preview toggle button to enable or disable visibility. Enabling visibility means you must preview the device configurations before deploying them. Disabling visibility means you are not enforcing the previewing of device configurations before deploying them. When visibility is disabled, you can schedule and deploy the configurations with or without previewing them. |
|
Step 3 |
(Optional) Click the ITSM Approval toggle button to enable or disable control. Enabling control means you must submit the planned network configurations to an ITSM administrator for approval before deploying them. Disabling control means you are not requiring ITSM approval before the deployment of planned network configurations. When control is disabled, you can deploy the configurations without ITSM approval. |
You can view, search, and filter for task and work item details on the Tasks window.
|
Step 1 |
From the main menu, choose . By default, the Tasks window displays all the upcoming, in-progress, failed, and successful tasks and existing, pending-review, and failed work items. All failed tasks have a trace ID that provides a hint to analyze the error log quickly. The left SUMMARY pane displays filtering options for you to refine the list of displayed tasks and work items. You can expand and collapse the SUMMARY pane by clicking the arrow icon. |
||||||||||||
|
Step 2 |
Use this table to view, search, and filter for task and work item details on the Tasks window.
|
You can view information about all the upcoming, in-progress, failed, and successful tasks running on Catalyst Center.
A task is an operation that you or the system scheduled, which can reoccur. If you have a task, this means that you have no corresponding work items to complete for it to deploy as scheduled.
The information available in a task depends on its category, and there are a variety of categories. Common task categories include provision, config archive, inventory, and security advisories. However, all tasks display the following details: who initiated the task, its category, its completion status, its success status, and its start date, last updated date, and end date.
|
Step 1 |
From the main menu, choose . By default, the Tasks window displays all the upcoming, in-progress, failed, and successful tasks and existing, pending-review, and failed work items.
|
||||||||||||||
|
Step 2 |
Use this table to view, edit, or delete a task on the Tasks window.
|
If you enabled the Visibility and Control of Configurations feature, a work item is created when you choose Generate configuration preview during any workflow. When the configurations are reviewed and ready for deployment, the work item becomes a task.
To enable Visibility and Control of Configurations, see Enable visibility and control of configurations.
|
Step 1 |
From the main menu, choose . By default, the Tasks window displays all the upcoming, in-progress, failed, and successful tasks and existing, pending-review, and failed work items. |
||||||||||||||||
|
Step 2 |
Use this table to view and discard a work item on the Tasks window.
|
To deploy the previewed device configurations or submit the planned network configurations for ITSM approval, see "Visibility and Control of Configurations Workflow," “Visibility and Control of Wireless Device Configurations,” or “Visibility and Control of Fabric Configurations” in the Cisco Catalyst Center User Guide.
Complete this procedure to activate high availability (HA) on your Catalyst Center cluster:
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Confirm that the page displays the three Catalyst Center appliances in your cluster.  |
|
Step 3 |
Click Activate High Availability. |
|
Step 4 |
Confirm that HA has been enabled:
|
In cases where firewalls or other rules exist between Catalyst Center and any third-party apps that need to reach the Catalyst Center platform, you must configure Integration Settings. These cases occur when the IP address of Catalyst Center is internally mapped to another IP address that connects to the internet or an external network.
Important |
After a backup and restore of Catalyst Center, you need to access the Integration Settings page and update (if necessary) the Callback URL Host Name or IP Address using this procedure. |
You have installed the Catalyst Center platform.
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
Enter the Callback URL Host Name or IP Address that the third-party app needs to connect to when communicating with the Catalyst Center platform.
|
||
|
Step 3 |
Click Apply. |
You can set up a message that is displayed to all users after they log in to Catalyst Center.
Only a user with SUPER-ADMIN-ROLE or CUSTOM-ROLE with system management permissions can perform this procedure.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
In the Login Message text box, enter the message. |
|
Step 3 |
Click Save. The message appears below the Log In button on the Catalyst Center login page. Later, if you want to remove this message, do the following:
|
If Catalyst Center has a proxy server configured as an intermediary between itself and the network devices that it manages, you must configure access to the proxy server.
Note |
Catalyst Center does not support a proxy server that uses Windows New Technology LAN Manager (NTLM) authentication. |
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
From the System Configuration drop-down list, choose . |
||
|
Step 3 |
Enter the proxy server URL address. |
||
|
Step 4 |
Enter the proxy server port number.
|
||
|
Step 5 |
(Optional) If the proxy server requires authentication, click Update and enter the username and password for access to the proxy server. |
||
|
Step 6 |
Check the Validate Settings check box to have Catalyst Center validate your proxy configuration settings when applying them. |
||
|
Step 7 |
Review your selections and click Save. To cancel your selection, click Reset. To delete an existing proxy configuration, click Delete. After configuring the proxy, you can view the configuration in the Proxy window. |
You can configure geo map settings in Catalyst Center.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Choose any one of the available administrative boundaries that identify geographic features with characteristics defined differently by audiences belonging to various regional, cultural, or political groups.
|
|
Step 3 |
Click Save. |
Catalyst Center provides many security features for itself, for the hosts and network devices that it monitors and manages. You must clearly understand and configure the security features correctly. Follow these security recommendations:
Deploy Catalyst Center in a private internal network and behind a firewall that does not expose Catalyst Center to an untrusted network, such as the internet.
If you have separate management and enterprise networks, connect Catalyst Center's management and enterprise interfaces to your management and enterprise networks, respectively. Doing so ensures network isolation between the services used to administer and manage Catalyst Center and the services used to communicate with and manage your network devices.
If deploying Catalyst Center in a three-node cluster setup, verify that the cluster interfaces are connected in an isolated network.
Upgrade Catalyst Center with critical upgrades, including security patches, as soon as possible after a patch announcement. For more information, see the Catalyst Center Upgrade Guide.
Restrict the remote URLs accessed by Catalyst Center using an HTTPS proxy server. Catalyst Center is configured to access the internet to download software updates, licenses, and device software, as well as provide up-to-date map information, user feedback, and so on. Providing internet connections for these purposes is a mandatory requirement. However, provide connections securely through an HTTPS proxy server.
Restrict the ingress and egress management and enterprise network connections to and from Catalyst Center using a firewall, by only allowing known IP addresses and ranges and blocking network connections to unused ports.
Replace the self-signed server certificate from Catalyst Center with the certificate signed by your internal certificate authority (CA).
If possible in your network environment, disable SFTP Compatibility Mode. This mode allows legacy network devices to connect to Catalyst Center using older cipher suites.
Disable the browser-based appliance configuration wizard, which comes with a self-signed certificate.
Security recommendation: Upgrade the minimum TLS version to TLSv1.2 for incoming TLS connections to Catalyst Center.
Northbound REST API requests from an external network, include northbound REST API-based apps, browsers, and network devices connecting to Catalyst Center using HTTPS. The Transport Layer Security (TLS) protocol makes such requests secure.
By default, Catalyst Center supports TLSv1.1 and TLSv1.2, but does not support RC4 ciphers for SSL/TLS connections. Since RC4 ciphers have well-known weaknesses, we recommend that you upgrade the minimum TLS version to TLSv1.2 if your network devices support it.
Catalyst Center provides a configuration option to downgrade the minimum TLS version and enable RC4-SHA. You can use this option if your network devices under Catalyst Center control cannot support the existing minimum TLS version (TLSv1.1) or ciphers. For security reasons, however, we recommend that you do not downgrade Catalyst Center TLS version or enable RC4-SHA ciphers.
To change the TLS version or enable RC4-SHA for Catalyst Center, log in to the corresponding appliance and use the CLI.
Note |
CLI commands can change from one release to the next. The CLI example uses command syntax that might not apply to all Catalyst Center releases, especially Catalyst Center on ESXi releases. |
You must have maglev SSH access privileges to do this procedure.
Note |
This security feature applies to port 443 on Catalyst Center. Doing this procedure may disable traffic on the port to the Catalyst Center infrastructure for a few seconds. For this reason, you must configure TLS infrequently and only during off-peak hours or during a maintenance period. |
|
Step 1 |
Using an SSH client, log in to the Catalyst Center appliance with the IP address that you specified using the configuration wizard. The IP address to enter for the SSH client is the IP address that you configured for the network adapter. This IP address connects the appliance to the external network. |
||
|
Step 2 |
When prompted, enter your username and password for SSH access. |
||
|
Step 3 |
Enter this command to check the TLS version currently enabled on the cluster. |
||
|
Step 4 |
If you want to change the TLS version on the cluster, enter these commands. For example, you can change the current TLS version to an earlier version if your network devices under Catalyst Center control cannot support the existing TLS version. This example shows how to change from TLS Version 1.1 to 1.0: This example shows how to change from TLS Version 1.1 to 1.2 (only allowed if you haven't enabled RC4-SHA):
|
||
|
Step 5 |
If you want to change the TLS version for streaming telemetry connections between Catalyst Center and Catalyst 9000 devices (via the TCP 25103 port), enter this command. For example, you can change the current TLS version if the network devices that Catalyst Center manages can support TLS version 1.2. This example shows how to change from TLS Version 1.1 to 1.2: |
||
|
Step 6 |
Enter this command to enable RC4-SHA on a cluster (not secure; proceed only if needed). Enabling RC4-SHA ciphers is not supported when TLS Version 1.2 is the minimum version. |
||
|
Step 7 |
Enter the command at the prompt to confirm that TLS and RC4-SHA are configured.
|
||
|
Step 8 |
To disable the RC4-SHA ciphers that you enabled previously, enter this command on the cluster: |
||
|
Step 9 |
Log out of the Catalyst Center appliance. |
In some network configurations, proxy gateways might exist between Catalyst Center and the remote network it manages (containing various network devices). Common ports, such as 80 and 443, pass through the gateway proxy in the DMZ, and for this reason, SSL sessions from the network devices meant for Catalyst Center terminate at the proxy gateway. Therefore, the network devices located within these remote networks can only communicate with Catalyst Center through the proxy gateway. For the network devices to establish secure and trusted connections with Catalyst Center, or, if present, a proxy gateway, the network devices should have their PKI trust stores appropriately provisioned with the relevant CA root certificates or the server’s own certificate under certain circumstances.
If such a proxy is in place during onboarding of devices through PnP Discovery/Services, the proxy and the Catalyst Center server certificate must be the same so that network devices can trust and authenticate Catalyst Center securely.
In network topologies where a proxy gateway is present between Catalyst Center and the remote network it manages, import a proxy gateway certificate in to Catalyst Center:
Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.
You must use the proxy gateway's IP address to reach Catalyst Center and its services.
You should have the certificate file that is currently being used by the proxy gateway. The certificate file contents should consist of any of these:
The proxy gateway’s certificate in PEM or DER format, with the certificate being self-signed.
The proxy gateway’s certificate in PEM or DER format, with the certificate being issued by a valid, well-known CA.
The proxy gateway's certificate and its chain in PEM or DER format.
The certificate used by the devices and the proxy gateway must be imported in to Catalyst Center by following this procedure.
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
From the System Configuration drop-down list, choose . |
||
|
Step 3 |
In the Proxy Certificate window, view the current proxy gateway certificate data (if it exists).
|
||
|
Step 4 |
To add a proxy gateway certificate, drag and drop the self-signed or CA certificate into the Drag and Drop Here area.
|
||
|
Step 5 |
Click Save. |
||
|
Step 6 |
Refresh the Proxy Certificate window to view the updated proxy gateway certificate data. |
||
|
Step 7 |
Click the Enable button to enable the proxy gateway certificate functionality. If you click the Enable button, the controller returns the imported proxy gateway certificate when requested by a proxy gateway. If you don't click the Enable button, the controller returns its own self-signed or imported CA certificate to the proxy gateway. The Enable button is dimmed if the proxy gateway certificate functionality is used. |
If SSL decryption is enabled on the proxy server that is configured between Catalyst Center and the Cisco cloud from which it downloads software updates, ensure that the proxy is configured with a certificate that is issued from an official certificate authority. If you are using a private certificate, complete the following steps.
Note |
For added security, access to the root shell is disabled in Catalyst Center. With restricted shell, users can't access the underlying operating system and file system, which reduces operational risk. However, the commands in this section require that you contact the Cisco TAC to access the root shell temporarily. |
|
Step 1 |
Transfer your proxy server’s certificate (in PEM format) to a directory on the Catalyst Center server. |
|
Step 2 |
As a maglev user, SSH to the Catalyst Center server and enter this command, where <directory> is the location of the certificate file on the Catalyst Center server and <proxy.pem> is your proxy server’s TLS/SSL certificate file: The command returns an output that is similar to the following: |
|
Step 3 |
Check the command output for the line "1 added" and confirm that the number added is not zero. The number can be one or greater, based on the certificates in the chain. |
|
Step 4 |
Enter these commands to restart docker and the catalog server: |
|
Step 5 |
In Catalyst Center, upload the same certificate and check the connectivity. |
Catalyst Center uses a number of certificates, such as the ones generated by Kubernetes and the ones used by Kong and Credential Manager Services. These certificates are valid for one year, which starts as soon as you install your cluster. Catalyst Center automatically renews these internal certificates for another year before they are set to expire.
We recommend that you renew internal certificates before they expire, not after.
You can only renew internal certificates that are set to expire up to 100 days from now. This procedure does not do anything to certificates that will expire later than that.
The script refreshes only self-signed certificates, not third-party/certificate authority (CA)-signed certificates. For third-party/CA-signed certificates, the script updates the internal certificates used by Kubernetes and the Credential Manager.
For self-signed certificates, the renewal process does not require you to push certificates back out to devices, because the root CA is unchanged.
The term cluster applies to both single-node and three-node Catalyst Center setups.
|
Step 1 |
Ensure that each cluster node is healthy and not experiencing any issues. |
|
Step 2 |
To view a list of the certificates that are currently used by that node and their expiration date, enter this command: |
|
Step 3 |
Renew the internal certificates that are set to expire soon by entering this command: |
|
Step 4 |
Repeat the preceding steps for the other cluster nodes. |
|
Step 5 |
For utility help, enter: |
Catalyst Center supports the Certificate Authority Management feature, which is used to authenticate sessions (HTTPS). These sessions use commonly recognized trusted agents that are called CAs. Catalyst Center uses the Certificate Authority Management feature to import, store, and manage X.509 certificates from your internal CA. The imported certificate becomes an identity certificate for Catalyst Center, and Catalyst Center presents this certificate to its clients for authentication. The clients are the northbound API applications and network devices.
You can import these files (in either the PEM or PKCS file format) using the Catalyst Center GUI:
X.509 certificate
Private key
Note |
For the private key, Catalyst Center supports the import of RSA keys. Keep the private key secure in your own key management system. The private key must have a minimum modulus size of 2048 bits. |
You must obtain a valid X.509 certificate and private key issued by your internal CA. The certificate must correspond to a private key in your possession before importing the files. After importing the files, the security functionality that is based on the X.509 certificate and private key is automatically activated. Catalyst Center presents the certificate to any device or application that requests it. Northbound API applications and network devices can use these credentials to establish a trust relationship with Catalyst Center.
Note |
Avoid using and importing a self-signed certificate to Catalyst Center. Import a valid X.509 certificate from your internal CA. Replace the default self-signed certificate with one signed by your internal CA to ensure proper Plug and Play functionality |
Catalyst Center supports only one imported X.509 certificate and private key at a time. When you import a second certificate and private key, the latter overwrites the first (existing) imported certificate and private key values.
Catalyst Center is able to import certificates and private keys through its GUI. If subordinate certificates are involved in a certificate chain leading to the certificate that is to be imported into Catalyst Center (signed certificate), both the subordinate certificates as well as the root certificate of these subordinate CAs must be appended together into a single file to be imported. When appending these certificates, you must append them in the same order as the actual chain of certification.
The following certificates should be pasted together into a single PEM file. Review the certificate subject name and issuer to ensure that the correct certificates are being imported and correct order is maintained. Ensure that all of the certificates in the chain are pasted together.
Signed Catalyst Center certificate: Its Subject field includes CN=<FQDN of Catalyst Center>, and the issuer has the CN of the issuing authority.
Note |
If you install a certificate signed by your internal certificate authority (CA), ensure that the certificate specifies all of the DNS names (including the Catalyst Center FQDN) that are used to access Catalyst Center in the alt_names section. For more information, see "Generate a Certificate Request Using Open SSL" in the Catalyst Center Security Best Practices Guide. |
Issuing (subordinate) CA certificate that issues the Catalyst Center certificate: Its Subject field has CN of the (subordinate) CA that issues the Catalyst Center certificate, and the issuer is that of the root CA.
Next issuing (root/subordinate CA) certificate that issues the subordinate CA certificate: Its Subject field is the root CA, and the issuer has the same value as the Subject field. If they are not the same, you must append the next issuer, and so on.
Catalyst Center allows you to import and store an X.509 certificate from your certificate authority (CA) and private key that's generated by Catalyst Center. These can be used to create a secure and trusted environment between Catalyst Center, northbound API applications, and network devices. You can import a certificate and a private key on the System Certificates window.
To update the Catalyst Center server certificate:
Generate a Certificate Signing Request (CSR).
Submit the CSR to your CA to get a signed certificate.
Import the signed certificate and its chain into Catalyst Center.
This procedure uses Microsoft Active Directory Certificate Services as an example CA. If you use a different CA, adapt the steps accordingly.
Note |
We recommend that you complete this procedure whenever you need to update Catalyst Center's server certificate and private key. If you prefer to complete a CLI-based procedure, see the "Generate a certificate request using OpenSSL" topic in the Catalyst Center Security Best Practices Guide. |
You must obtain a valid X.509 certificate from your internal CA that corresponds to your private key.
|
Step 1 |
From the main menu, choose . This window displays information about Catalyst Center server certificates and provides actions to manage those certificates. The System Certificates table displays this information for each certificate:
|
|||||||||||||||||||||
|
Step 2 |
Click + New Certificate Request (CSR). This + New Certificate Request (CSR) link is enabled when you generate the CSR for the first time. If you don't want to use the existing CSR, delete the existing request.
|
|||||||||||||||||||||
|
Step 3 |
In the New Certificate Request (CSR) slide-in pane, create the CSR.
|
|||||||||||||||||||||
|
Step 4 |
In the Certificate Signing Request slide-in pane, download a copy of the CSR.
 |
|||||||||||||||||||||
|
Step 5 |
Submit a certificate request to the CA and download the issuer CA chain from the CA. For example, you can submit a certificate request using Microsoft Active Directory Certificate Services by following these steps.
|
|||||||||||||||||||||
|
Step 6 |
Confirm that the certificate issuer provided the certificate full chain (server and CA) in p7b. When in doubt, complete these steps to examine and assemble the chain: |
|||||||||||||||||||||
|
Step 7 |
On the Catalyst Center GUI, in the + System Certificates window, click + Import Certificate. |
|||||||||||||||||||||
|
Step 8 |
In the Import Certificate slide-in pane, import the signed certificate with its certificate signed authority chain concatenated into Catalyst Center.
|
|||||||||||||||||||||
|
Step 9 |
After logging back in to Catalyst Center, go to the System Certificates window to view the updated certificate data. Under User For, click the hyperlinked text for the updated certificate to view a slide-in pane with information about the issuer, CA, and valid dates. |
You can view and manage certificates that are issued by Catalyst Center for managed devices to authenticate and identify the devices.
As a best practice, when a device is no longer managed by Catalyst Center (for example, because the device is lost or no longer active), revoke or delete the device certificate.
|
Step 1 |
From the main menu, choose . The Device Certificate window shows the status of issued certificates in separate status tabs:
|
|
Step 2 |
To revoke a valid certificate:
|
|
Step 3 |
To delete an expired certificate:
|
|
Step 4 |
If you want to export the certificate details, click Export. The certificate details are exported in CSV format. |
Catalyst Center lets you change the certificate lifetime of network devices that the private (internal) Catalyst Center CA manages and monitors. The Catalyst Center default value for the certificate lifetime is 365 days. After the certificate lifetime value is changed using the Catalyst Center GUI, network devices that subsequently request a certificate from Catalyst Center are assigned this lifetime value.
Note |
The device certificate lifetime value cannot exceed the CA certificate lifetime value. Also, if the remaining lifetime of the CA certificate is less than the configured device's certificate lifetime, the device receives a certificate lifetime value equal to the remaining CA certificate lifetime. |
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Review the device certificate and the current device certificate lifetime. |
|
Step 3 |
In the Device Certificates window, click Modify. |
|
Step 4 |
In the Device Certificates Lifetime dialog box, enter the new value in days. |
|
Step 5 |
Click Save. |
A certificate authority (CA) is an entity that manages the certificates and keys that are used to establish and secure server-client connections. Catalyst Center provides a private (internal) Catalyst Center CA, which acts as the device CA. This Catalyst Center CA can either operate as a root CA or be configured as a subordinate CA, which cannot be reversed.
The device CA, a private CA that is provided by Catalyst Center, manages the certificates and keys that are used to establish and secure server-client connections. To change the role of the device CA from a root CA to a subordinate CA, complete this procedure.
You can change the role of the private (internal) Catalyst Center CA from a root CA to a subordinate CA using the Certificate Authority window in the GUI. When making this change:
If you want to have Catalyst Center act as a subordinate CA, ensure that you have a root CA, for example, Microsoft CA, and agree to use its certificate.
As long as the subordinate CA is not fully configured, Catalyst Center continues to operate as an internal root CA.
Generate a Certificate Signing Request file for Catalyst Center and ensure it is manually signed by your external root CA, as described in this procedure.
Note |
Catalyst Center continues to run as an internal root CA during this time period. |
After the Certificate Signing Request is signed by the external root CA, this signed file must be imported back into Catalyst Center using the GUI (as described in this procedure).
After the import, Catalyst Center initializes itself as the subordinate CA and provides all the existing functionalities of a subordinate CA.
When you switch a CA's role from root to subordinate, the old CA is retired and the new subordinate CA's PKI chain takes over. The revocation list is published by a CA, and after the CA is retired, revocation is moot since trust cannot be established. If your organization's policy mandates that unused certificates are revoked first, you can revoke the certificate from the GUI's Device Certificates window before switching the CA's role from root to subordinate.
Device controllability (enabled by default) will automatically update the device with a new certificate chain, sourced from the subordinate CA. New telemetry connections would only authenticate with this new certificate chain, which aligns with the trusted subordinate CA on the authenticator side.
The subordinate CA certificate lifetime displayed in the GUI is read directly from the certificate and is not calculated using the system time. Therefore, if you install a certificate with a lifespan of 1 year today and look at it in the GUI the same time next year, the GUI will still show that the certificate has a 1-year lifetime.
The subordinate CA certificate must be in PEM or DER format only.
The subordinate CA does not interact with the higher CAs; therefore, it is not aware of revocation, if any, of the certificates at a higher level. Because of this, any information about certificate revocation is also not communicated from the subordinate CA to the network devices. Because the subordinate CA does not have this information, all the network devices use only the subordinate CA as the CRL Distribution Points (CDP) source.
Consider that if you use EAP-Transport Level Security (EAP-TLS) authentication for AP profiles in Plug and Play (PnP), you cannot use a subordinate CA. You can only use a root CA.
You must have a copy of the root CA certificate.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Click the CA Management tab. |
|
Step 3 |
Review the existing root or subordinate CA certificate configuration information from the GUI:
|
|
Step 4 |
In the CA Management tab, click Enable SubCA Mode button. |
|
Step 5 |
Review the warnings that display: For example,
|
|
Step 6 |
Click OK to proceed. |
|
Step 7 |
Drag and drop your root CA certificate into the Import External Root CA Certificate Chain field and click Upload. The root CA certificate is uploaded into Catalyst Center and used to generate a Certificate Signing Request. After the upload process finishes, a |
|
Step 8 |
Click Next. Catalyst Center generates and displays the Certificate Signing Request. |
|
Step 9 |
View the Catalyst Center-generated Certificate Signing Request in the GUI and do one of these actions:
|
|
Step 10 |
Send the Certificate Signing Request file to your root CA. Your root CA will then return a subordinate CA file, which you must import back into Catalyst Center. |
|
Step 11 |
After receiving the subordinate CA file from your root CA, access the Catalyst Center GUI again and return to the Certificate Authority window. |
|
Step 12 |
Click the CA Management tab. |
|
Step 13 |
Click Yes for the Change CA mode button. After clicking Yes, the GUI view with the Certificate Signing Request display. |
|
Step 14 |
Click Next. The Certificate Authority window displays the Import SubCA Certificate field. |
|
Step 15 |
Drag and drop your subordinate CA certificate into the Import SubCA Certificate field and click Apply. The subordinate CA certificate is uploaded into Catalyst Center. After the upload finishes, the GUI displays the subordinate CA mode under the CA Management tab. |
|
Step 16 |
Review the fields under the CA Management tab:
|
Catalyst Center lets you apply a subordinate certificate as a rollover subordinate CA when 70 percent of the existing subordinate CA lifetime has elapsed.
To initiate subordinate CA rollover provisioning, you must have changed the certificate authority role to subordinate CA mode. See Change the role of the certificate authority from root to subordinate.
70 percent or more of the lifetime of the current subordinate CA certificate must have expired. When this occurs, Catalyst Center displays a Renew button under the CA Management tab.
You must have a signed copy of the rollover subordinate CA certificate.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
In the CA Management tab, review the CA certificate configuration information:
|
|
Step 3 |
Click Renew. Catalyst Center uses the existing subordinate CA to generate and display the rollover subordinate CA Certificate Signing Request. |
|
Step 4 |
View the generated Certificate Signing Request in the GUI and do one of these actions:
|
|
Step 5 |
Send the Certificate Signing Request file to your root CA. Your root CA will then return a rollover subordinate CA file that you must import back into Catalyst Center. The Certificate Signing Request for the subordinate CA rollover must be signed by the same root CA who signed the subordinate CA you imported when you switched from RootCA mode to SubCA mode. |
|
Step 6 |
After receiving the rollover subordinate CA file from your root CA, return to the Certificate Authority window. |
|
Step 7 |
Click the CA Management tab. |
|
Step 8 |
Click Next in the GUI in which the Certificate Signing Request displays. The Certificate Authority window displays the Import Sub CA Certificate field. |
|
Step 9 |
Drag and drop your subordinate rollover CA certificate into the Import Sub CA Certificate field and click Apply. The rollover subordinate CA certificate is uploaded into Catalyst Center. After the upload finishes, the GUI changes to disable the Renew button under the CA Management tab. |
Catalyst Center uses the Simple Certificate Enrollment Protocol (SCEP) for enrollment and the provisioning of certificates to network devices. You can use your own SCEP broker and certificate service, or you can use an external SCEP broker. To set up an external SCEP broker, complete this procedure:
Note |
For more information regarding SCEP, see Simple Certificate Enrollment Protocol Overview. |
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
In the Certificate Authority window, click the Use external SCEP broker radio button. |
||
|
Step 3 |
Use one of these options to upload an external certificate:
|
||
|
Step 4 |
Click Upload. |
||
|
Step 5 |
By default, Manages Device Trustpoint is enabled, meaning Catalyst Center configures the sdn-network-infra-iwan trustpoint on the device. You must complete these steps:
If Manages Device Trustpoint is disabled, for devices to send wired and wireless Assurance telemetry to Catalyst Center, you must manually configure the sdn-network-infra-iwan trustpoint on the device and then import a certificate. See Configure the Device Certificate Trustpoint. |
||
|
Step 6 |
Click Save. The external CA certificate is uploaded. If you want to replace the uploaded external certificate, click Replace Certificate and enter the required details. |
After uploading an external certificate, to switch back to the internal certificate:
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
In the Certificate Authority window, click the Use Catalyst Center radio button. |
|
Step 3 |
In the Switching back to Internal Certificate Authority alert, click Apply. The Settings have been updated message appears. For more information, see Change the role of the certificate authority from root to subordinate. |
Catalyst Center allows you to download the device certificates that are required to set up an external entity such as an AAA server or a Cisco ISE server to authenticate the devices.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Click Download to export the device CA and add it as the trusted CA on the external entities. |
If Manages Device Trustpoint is disabled in Catalyst Center, for devices to send wired and wireless Assurance telemetry to Catalyst Center, you must manually configure the sdn-network-infra-iwan trustpoint on the device and then import a certificate.
This manual configuration procedure is required to enroll from an external CA via SCEP.
|
Step 1 |
Enter the following commands: |
|
Step 2 |
(Optional, but recommended) Automatically renew the certificate and avoid certificate expiry: |
|
Step 3 |
(Optional) Specify the interface that is reachable to the enrollment URL. Otherwise, the default is the source interface of the http service. |
Catalyst Center contains a preinstalled Cisco trusted certificate bundle (Cisco Trusted External Root Bundle). Catalyst Center also supports the import and storage of an updated trusted certificate bundle from Cisco. The trusted certificate bundle is used by supported Cisco networking devices to establish a trust relationship with Catalyst Center and its applications.
Note |
The Cisco trusted certificate bundle is a file called ios.p7b that only supported Cisco devices can unbundle and use. This ios.p7b file contains root certificates of valid certificate authorities, including Cisco. This Cisco trusted certificate bundle is available on the Cisco cloud (Cisco InfoSec). The bundle is located at https://www.cisco.com/security/pki/. |
The trusted certificate bundle provides you with a safe and convenient way to use the same CA to manage all your network device certificates, as well as your Catalyst Center certificate. Catalyst Center uses the trusted certificate bundle to validate its own certificate and any proxy gateway certificate and to determine whether the certificates are valid CA-signed certificates. Additionally, the trusted certificate bundle is available for upload to Network PnP-enabled devices at the beginning of their PnP workflow so that they can trust Catalyst Center for subsequent HTTPS-based connections.
You import the Cisco trusted bundle using the Trusted Certificates window in the GUI.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
In the Trusted Certificates window, click the Update trusted certificates now hyperlink to initiate a new download and install of the trusted certificate bundle. The hyperlink is displayed on the window only when an updated version of the ios.p7b file is available and internet access is available. After the new trusted certificate bundle is downloaded and installed on Catalyst Center, Catalyst Center makes this trusted certificate bundle available to supported Cisco devices for download. |
|
Step 3 |
If you want to import a new certificate file, click Import, choose a valid certificate file from your local system, and click Import in the Import Certificate window. |
|
Step 4 |
Click Export to export the certificate details in CSV format. |
To reduce operational risk to the underlying operating system and files, Catalyst Center provides a default restricted shell with access to only these commands:
icon, search by name, and locate 
).
$ ?
Help:
cat concatenate and print files in restricted mode
clear clear the terminal screen
date display the current time in the given FORMAT, or set the system date
debug enable console debug logs
df file system information
dmesg print or control the kernel ring buffer.
du summarize disk usage of the set of FILEs, recursively for directories.
free quick summary of memory usage
history enable shell commands history
htop interactive process viewer.
ip print routing, network devices, interfaces and tunnels.
last show a listing of last logged in users.
ls restricted file system view chrooted to maglev Home
lscpu print information about the CPU architecture.
magctl tool to manage a Maglev deployment
maglev maglev admin commands
maglev-config tool to configure a Maglev deployment
manufacture_check tool to perform manufacturing checks
netstat print networking information.
nslookup query Internet name servers interactively.
ntpq standard NTP query program.
ping send ICMP ECHO_REQUEST to network hosts.
ps check status of active processes in the system
rca root cause analysis collection utilities
reboot Reboot the machine
rm delete files in restricted mode
route print the IP routing table.
runonce Execute runonce scripts
scp restricted secure copy
sftp secure file transfer
shutdown Shutdown the machine
ssh OpenSSH SSH client.
tail Print the last 10 lines of each FILE to standard output
top display sorted list of system processes
traceroute print the route packets trace to network host.
uname print system information.
uptime tell how long the system has been running.
vi text editor
w show who is logged on and what they are doing.To obtain root shell access, you must contact the Cisco TAC. Access the root shell only temporarily to facilitate troubleshooting.
Product telemetry data is collected by default in Catalyst Center, but you can opt out of some data collection. The data collection is designed to help the development of product features and address any operational issues, providing greater value and return on investment (ROI). Cisco collects the following categories of data: Cisco.com ID, System, Feature Usage, Network Device Inventory, and License Entitlement. See the Cisco Catalyst Center Data Sheet for a more expansive list of data that we collect. To opt out of some of data collection, contact your Cisco account representative and the Cisco Technical Assistance Center (TAC).
From the main menu, choose . You can review the license agreement, the privacy statement, and the privacy data sheet from the Product Telemetry window.
You can configure the account lockout policy to manage user login attempts, account lockout period, and number of login retries.
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
Click the Enforce Account Lockout toggle button so that you see a check mark. |
||
|
Step 3 |
Enter values for these Enforce Account Lockout parameters:
|
||
|
Step 4 |
Select the Idle Session Timeout value (the duration after which the session expires and users are redirected to the login page). The default is 1 hour. |
||
|
Step 5 |
Click Save. If you leave the session idle, a Session Timeout dialog box appears five minutes before the session timeout. To continue, do one of these tasks:
|
You can configure the password expiration policy to manage:
Password expiration frequency
Number of days that users are notified before their password expires
Grace period
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
Click the Enforce Password Expiry toggle button so that you see a check mark. |
||
|
Step 3 |
Enter values for the following Enforce Password Expiry parameters:
|
||
|
Step 4 |
Click Save to set the password expiry settings. |
IP access control allows you to control the access to Catalyst Center based on the IP address of the host or network. This feature controls access to the Catalyst Center GUI only; this feature doesn’t control enterprise-wide network access.
Catalyst Center provides options for IP access control, including:
Allow all IP addresses to access Catalyst Center (the default).
Allow only selected IP addresses to access Catalyst Center.
To configure IP access control and allow only selected IP addresses to access Catalyst Center:
Ensure that you have SUPER-ADMIN-ROLE permissions.
Add the Catalyst Center services subnet, cluster service subnet, and cluster interface subnet to the list of allowed subnets.
|
Step 1 |
From the main menu, choose . |
||
|
Step 2 |
Click the Allow only listed IP addresses to connect radio button. |
||
|
Step 3 |
Click Add IP List. |
||
|
Step 4 |
In the IP Address field of the Add IP slide-in pane, enter your IPv4 address.
|
||
|
Step 5 |
In the Subnet Mask field, enter the subnet mask. The valid range for subnet mask is from 0 through 32. |
||
|
Step 6 |
Click Save. |
To add more IP addresses to the IP access list:
Ensure that you enable IP access control. For more information, see Enable IP access control.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Click Add. |
|
Step 3 |
In the IP Address field of the Add IP slide-in pane, enter the IPv4 address of the host or network. |
|
Step 4 |
In the Subnet Mask field, enter the subnet mask. 
|
|
Step 5 |
Click Save. |
To delete an IP address from the IP access list and disable its access to Catalyst Center:
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
In the Action column, click the Delete icon for the corresponding IP address. |
|
Step 3 |
Click Delete. |
Ensure that you have SUPER-ADMIN-ROLE permissions.
|
Step 1 |
From the main menu, choose . |
|
Step 2 |
Click the Allow all IP addresses to connect radio button. |
Feedback