Configure System Settings

About system settings

To start using Catalyst Center, you must first configure the system settings. This allows the server to communicate outside the network, ensures secure communications, authenticates users, and supports other key tasks. Use the procedures in this chapter to configure the system settings.


Note


  • Any changes that you make to the Catalyst Center configuration—including changes to the proxy server settings—must be done from the Catalyst Center GUI.

  • Any changes to your Catalyst Center appliance's configuration settings must be done with the sudo maglev-config update command. Run this command in a KVM console opened from Cisco IMC.

    In Catalyst Center 2.3.7.7 onwards:

    • Change the maglev user password by specifying a new one in the Linux Password and Re-enter Linux Password fields. Leave these fields blank to continue using the current password.

    • You can make the other configuration setting changes without entering the maglev user password.

  • By default, the Catalyst Center system time zone is set to UTC. Do not change this time zone because the Catalyst Center GUI works with your browser time zone.


User profile roles and permissions

Catalyst Center supports role-based access control (RBAC). Your permissions are defined by your user role. Catalyst Center has three main default user roles:

  • SUPER-ADMIN-ROLE

  • NETWORK-ADMIN-ROLE

  • OBSERVER-ROLE

The SUPER-ADMIN-ROLE allows comprehensive access and supports creating and assigning custom roles in the Catalyst Center GUI. The NETWORK-ADMIN-ROLE and the OBSERVER-ROLE provide limited access.

If your user profile is assigned a restrictive role, you may have limited access to certain actions in Catalyst Center. For more information, contact your system administrator or see Configure role-based access control.

Use System 360

The System 360 tab provides at-a-glance information about Catalyst Center.

Procedure


Step 1

From the main menu, choose System > System 360.

Step 2

On the System 360 dashboard, review the following displayed data metrics:

Cluster

  • Hosts: Displays information about the Catalyst Center hosts, including each host's IP address and detailed data about the services running on it. Click the View Services link to view detailed data about the services running on the hosts.

    Note

     

    The host IP address has a color badge next to it. A green badge indicates that the host is healthy. A red badge indicates that the host is unhealthy.

    The side panel displays the following information:

    • Node Status: Displays the health status of the node.

      If the node health is unhealthy, hover over the status to view additional information for troubleshooting.

    • Services Status: Displays the health status of the services. Even if one service is down, the status is Unhealthy.

    • Name: Service name.

    • Appstack: App stack name.

      An app stack is a loosely coupled collection of services. In this environment, a service is a horizontally scalable application that adds instances when demand increases and removes instances when demand decreases.

    • Health: Status of the service.

    • Version: Version of the service.

    • Tools: Displays metrics and logs for the service. Click the Metrics link to view service monitoring data in Grafana. Grafana is an open-source metric analytics and visualization suite. You can troubleshoot issues by reviewing the service monitoring data. For information about Grafana, see https://grafana.com/. Click the Logs link to view service logs in Kibana. Kibana is an open-source analytics and visualization platform. You can troubleshoot issues by reviewing the service logs. For information about Kibana, see https://www.elastic.co/products/kibana.

  • High Availability: Displays whether HA is enabled and active.

    For instructions on how to activate HA on your cluster, see Activate high availability.

    Important

     

    HA requires three or more hosts to operate in Catalyst Center.

  • Cluster Tools: Lets you access the following tools:

    • Service Explorer: Access the app stack and the associated services.

    • Monitoring: Access multiple dashboards of Catalyst Center components using Grafana, which is an open-source metric analytics and visualization suite. Use the Monitoring tool to review and analyze key Catalyst Center metrics, such as memory and CPU usage. For information about Grafana, see https://grafana.com/.

      Note

       

      In a multihost Catalyst Center environment, expect duplication in the Grafana data due to the multiple hosts.

    • Log Explorer: Access Catalyst Center activity and system logs using Kibana. Kibana is an open-source analytics and visualization platform designed to work with Elasticsearch. Use the Log Explorer tool to review detailed activity and system logs. In the Kibana left navigation pane, click Dashboard. Then, click System Overview and view all of the system logs. For information about Kibana, see https://www.elastic.co/products/kibana.

      Note

       

      All logging in Catalyst Center is enabled, by default.

System Management

  • Software Updates: Displays the status of application or system updates. Click the View link to view the update details.

    Note

     

    An update has a color badge next to it. A green badge indicates that the update or actions related to the update succeeded. A yellow badge indicates that there is an available update.

  • Backups: Displays the status of the most recent backup. Click the View link to view all backup details.

    Additionally, it displays the status of the next scheduled backup (or indicates that no backup is scheduled).

    Note

     

    A backup has a color badge next to it. A green badge indicates a successful backup with a timestamp. A yellow badge indicates that the next backup is not yet scheduled.

  • Application Health: Displays the health of automation and Assurance.

    Note

     

    Application health has a color badge next to it. A green badge indicates a healthy application. A red badge indicates that the application is unhealthy. Click the View link to troubleshoot.

Externally Connected Systems

Displays information about external network services used by Catalyst Center.

  • Identity Services Engine (ISE): Displays Cisco ISE configuration data, including the IP address and status of the primary and secondary Cisco ISE servers. Click the Configure link to configure Catalyst Center for integration with Cisco ISE.

  • IP Address Manager (IPAM): Displays IP address manager configuration data and the integration status. Click the Configure link to configure the IP Address Manager.

Step 3

Click System Health and review the topology of your Catalyst Center appliances and the external systems that are connected to your network.

For more information about the System Health window, see View the system topology.


View the services in System 360

The System 360 tab provides detailed information about the app stacks and services running on Catalyst Center. You can use this information to assist in troubleshooting issues with specific applications or services. For example, if you are having issues with Assurance, you can view monitoring data and logs for the NDP app stack and its component services.

Procedure


Step 1

From the main menu, choose System > System 360.

Step 2

In the System 360 window, click the Service Explorer tab.

The node clusters and the associated services are displayed in a tree-like structure in a new browser window.

  • Hover your cursor over a node to view details such as its serial number, product ID, and interface.

  • The Services table shows all the services associated with the node. The managed services are marked as (M).

  • In the Service table, click the global filter icon to filter services by app stack name, service health status (Up, Down, or In Progress), or managed services.

  • Enter a service name in the Global Search field to find a service. Click the service name to view the service in its associated node.

Step 3

Click the service to launch the Service 360 view. The details include:

  • Metrics: Click the link to view the service's monitoring data in Grafana.

  • Logs: Click the link to view the service logs in Kibana.

  • Name: The service name.

  • Appstack: The app stack name.

  • Version: The version of the service.

  • Health: The status of the service.

  • Required Healthy Instances: Shows the number of healthy instances and indicates whether the service is managed.

  • Instances: Click the instances to view details.

Step 4

Enter the service name in the Search field to search the services listed in the table.

Step 5

Click the filter icon in the services table to filter services by app stack name, service status (Up, Down, or In Progress), or managed service.


Monitor system health

From the System Health page, you can monitor the health of the physical components on your Catalyst Center appliances and monitor any issues that may occur. Refer to the included topics, which describe how to enable this functionality and use it in your production environment.

Establish Cisco IMC connectivity

To enable the System Health page, you must establish connectivity with Cisco Integrated Management Controller (Cisco IMC), which collects health information for your appliances' hardware. Complete this procedure.

Before you begin

Users with SUPER-ADMIN-ROLE permissions or CUSTOM-ROLE with "Write" permission to System Settings can configure Cisco IMC connectivity settings for an appliance.

Procedure


Step 1

From the main menu, choose System > Settings > System Configuration > System Health.

The IP address of each appliance in your cluster is listed in the Catalyst Center Address column.

Step 2

Enter the information required to log in to Cisco IMC:

  1. Click the IP address for an appliance.

    The Edit Catalyst Center Server Configuration slide-in pane is displayed.

  2. Enter the IP address configured for the appliance's Cisco IMC port.

  3. Enter your Cisco IMC username and password and click Save.

  4. If necessary, repeat this step for the other appliances in your cluster.


Delete Cisco IMC settings

To delete the Cisco IMC connectivity settings configured for a particular appliance, complete this procedure.

Before you begin

Users with SUPER-ADMIN-ROLE permissions or CUSTOM-ROLE with "Write" permission to System Settings can delete these settings.

Procedure

Step 1

From the main menu, choose System > Settings > System Configuration > System Health.

Step 2

To delete the settings for an appliance, click the corresponding delete icon in the Actions column.

Step 3

In the confirmation window, click OK.


Subscribe to system event notifications

After you establish connectivity with Cisco IMC, Catalyst Center collects event information from Cisco IMC and stores it as raw system events. The rules engine then processes these raw events and converts them into system event notifications that are displayed in the System Health topology. To receive these notifications in one of the available formats, complete the procedure described in the "Work with Event Notifications" topic of the Cisco Catalyst Center Platform User Guide. When completing that procedure, select and subscribe to these events:

Table 1. System notification events in Catalyst Center

Event name | Event ID | Domain | Sub domain | Description
System Backup v2 | SYSTEM-BACKUP-v2 | System | System Backup | A notification is sent when the backup operation fails.
System Restore v2 | SYSTEM-RESTORE-v2 | System | System Restore | A notification is sent when the restore operation fails.
System Software Upgrade v2 | SYSTEM-SOFTWARE-UPGRADE-v2 | System | System Software Upgrade | A notification is sent when the software upgrade operation fails.
Disaster Recovery health status v2 | SYSTEM-DISASTER-RECOVERY-v2 | System | Disaster Recovery | A notification is sent when the state of the disaster recovery system changes.
CMX connectivity failure v2 | SYSTEM-EXTERNAL-CMX-v2 | External Integrations | CMX Connectivity | A notification is sent when there's no connectivity with CMX.
External IPAM provider connectivity failure v2 | SYSTEM-EXTERNAL-IPAM-v2 | External Integrations | IPAM Integration | A notification is sent when there's no connectivity with an external IPAM provider.
ISE AAA trust establishment failure v2 | SYSTEM-EXTERNAL-ISE-AAA-TRUST-v2 | External Integrations | Cisco ISE AAA Trust Establishment | A notification is sent when the ISE AAA trust establishment fails.
ISE PAN ERS connectivity failure v2 | SYSTEM-EXTERNAL-ISE-PAN-ERS-v2 | External Integrations | Cisco ISE PAN ERS Connectivity | A notification is sent when there is no connectivity with the Cisco ISE primary and secondary PAN ERS.
ISE PxGrid health state change notification v2 | SYSTEM-EXTERNAL-ISE-PXGRID-v2 | External Integrations | Cisco pxGrid | A notification is sent when the health state of Cisco ISE PxGrid connections changes.
External ITSM provider connectivity failure v2 | SYSTEM-EXTERNAL-ITSM-v2 | External Integrations | ITSM Integration | A notification is sent when there's no connectivity with an external ITSM provider.
Certificate Status Notification v2 | SYSTEM-CERTIFICATE-v2 | System | System Certificate | A notification is sent when a system certificate, built-in certificate, proxy certificate, disaster recovery certificate, or a third-party trusted certificate expires, is revoked, or will expire in less than 90 days.
Cisco IMC Certificate Status Notification v2 | CISCO-IMC-CERTIFICATE-v2 | Appliance | Cisco IMC Certificate | A notification is sent when the Cisco IMC certificate has expired, been revoked, or will expire in less than 90 days.
Cisco IMC Connectivity status v2 | CISCO-IMC-v2 | Appliance | Cisco IMC | A notification is sent whenever Cisco IMC's connectivity status changes.
System Appliance Configuration Status Notification v2 | CISCO-IMC-CONFIGURATION-v2 | Appliance | Cisco IMC Configuration | A notification is sent when the Cisco IMC hardware configurations are not compliant with the Cisco standards.
System Hardware health status v2 | CISCO-IMC-HARDWARE-v2 | Appliance | Cisco IMC Hardware Health Status | A notification is sent when the health status of any hardware component changes. Supported hardware components include CPU, memory, disk, NIC, fan, power supply, and RAID controller.
System managed services v2 | SYSTEM-MANAGED-SERVICES-v2 | System | System Managed Services | A notification is sent when the status of a platform-provided managed service changes.
System Performance: Filesystem Utilization v2 | SYSTEM-PERFORMANCE-v2 | System | System Performance: Filesystem Utilization | A notification is sent when filesystem (partition) utilization is approaching capacity.
System Scale Limits v2 | SYSTEM-SCALE-LIMITS-v2 | System | System Scale Limits | A notification is sent when scale limits have been exceeded.
Application Health v2 | SYSTEM-APPLICATION-HEALTH-v2 | System | Application Health | A notification is sent when the health state of an application registered for monitoring changes.
Cisco Trusted Certificate Update Notifications v2 | CISCO-TRUSTED-CERTIFICATE-BUNDLE-v2 | System | Cisco Trusted Certificates | A notification is sent when a newer Cisco-trusted certificate bundle is available.
Internet URL Accessible Notifications v2 | INTERNET-URL-ACCESS-v2 | System | Internet Access | A notification is sent when Catalyst Center is unable to reach any of the URLs listed in Check required URLs access.

Note

For managed services (SYSTEM-MANAGED-SERVICES-v2), the probe interval (the time it takes for Catalyst Center to delete stale events from its database) is 60 minutes. When managed services that have been down become active again, it takes this long for the System Health GUI to reflect that the services have been restored.

Event notification information

This table lists the key information that Catalyst Center provides when it generates a system health notification message.

Subdomain | Tag | Instance | State | Message

Domain: System

CPU | CPU | <node-hostname>:CPU-1 | OK | Catalyst Center CPU-1 is working as expected on <node-hostname>
 | | | NotOk | Catalyst Center CPU-1 has failed on <node-hostname>
 | | | Disabled | Catalyst Center CPU-1 is disabled on <node-hostname>
Memory | Memory | <node-hostname>:DIMM_A1 | Ok | Catalyst Center RAM DIMM_A1 is working as expected on <node-hostname>
 | | | NotOk | Catalyst Center RAM DIMM_A1 has failed on <node-hostname>
Disk | Disk | <node-hostname>:Disk1 | Ok | Catalyst Center Disk 2 is working as expected on <node-hostname>
 | | | NotOk | Catalyst Center Disk 2 has failed on <node-hostname>
RAID Controller | RAIDController | <node-hostname>:Controller-1 | Ok | Catalyst Center RAID VD-2 is working as expected on <node-hostname>
 | | | NotOk | Catalyst Center RAID VD-2 has degraded on <node-hostname>
 | | | Disabled | Catalyst Center RAID VD-2 is offline on <node-hostname>
Network Interfaces | NIC | <node-hostname>:nic-1 | Ok | Catalyst Center network interfaces are working as expected
 | | | NotOk | Catalyst Center: <x> network interfaces are missing for <node-hostname>: nic-1
PSU_FAN | PSU | <node-hostname>:psu-1 | Ok | Catalyst Center power supply (PSU-1) is powered on and thermal condition is normal for <node-hostname>
 | | | NotOk | Catalyst Center power supply (PSU-2) is powered off and thermal condition is critical for <node-hostname>
Disaster Recovery | DisasterRecovery | <disaster-recovery-hostname> | Ok | Disaster recovery cluster is up
 | | | Ok | Disaster recovery failover succeeded to <site-name>
 | | | Degraded | Disaster recovery failover triggered from <site-name> to <site-name>
 | | | Degraded | Disaster recovery failed while failing over to <site-name>
 | | | Degraded | Disaster recovery standby cluster on <site-name> is down; cannot failover
 | | | Degraded | Disaster recovery witness is down; cannot failover
 | | | Degraded | Disaster recovery replication halted; recovery point objective will be impacted
 | | | Degraded | Disaster recovery pause failed
 | | | Degraded | Disaster recovery route advertisement failed
 | | | Degraded | Disaster recovery IPSec communication failed
 | | | NotOk | Disaster recovery configuration failed
 | | | NotOk | Disaster recovery failed to rejoin the standby system
Platform Services | ManagedServices | <hostname>:<name> | OK | Managed Service <service-name> is Running
 | | | NOTOK | Managed Service <service-name> is Interrupted
Scale Limits | wired_concurrent_clients | <hostname>:<name> | OK | OK
 | | | NOTOK | The number of concurrent wired clients exceeded 26250 (105% of limit)
 | | | DEGRADED | The number of concurrent wired clients exceeded 21250 (85% of limit)
 | | | CAUTION | The number of concurrent wired clients exceeded 18750 (75% of limit)
 | wireless_concurrent_clients | <hostname>:<name> | OK | OK
 | | | NOTOK | The number of concurrent wireless clients exceeded 18750 (75% of limit)
 | | | DEGRADED | The number of concurrent wireless clients exceeded 21250 (85% of limit)
 | | | CAUTION | The number of concurrent wireless clients exceeded 18750 (75% of limit)
 | wired_devices | <hostname>:<name> | OK | OK
 | | | NOTOK | The number of wired devices exceeded 1050 (105% of limit)
 | | | DEGRADED | The number of wired devices exceeded 850 (85% of limit)
 | | | CAUTION | The number of wired devices exceeded 750 (75% of limit)
 | wireless_devices | <hostname>:<name> | OK | OK
 | | | NOTOK | The number of wireless devices exceeded 3800 (105% of limit)
 | | | DEGRADED | The number of wireless devices exceeded 3400 (85% of limit)
 | | | CAUTION | The number of wireless devices exceeded 3000 (75% of limit)
 | interfaces | <hostname>:<name> | OK | OK
 | | | NOTOK | The number of interfaces exceeded 1140000000 (95% of limit)
 | | | DEGRADED | The number of interfaces exceeded 1020000000 (85% of limit)
 | | | CAUTION | The number of interfaces exceeded 900000000 (75% of limit)
 | ippools | <hostname>:<name> | OK | OK
 | | | NOTOK | The number of IP pools exceeded 47500 (95% of limit)
 | | | DEGRADED | The number of IP pools exceeded 42500 (85% of limit)
 | | | CAUTION | The number of IP pools exceeded 37500 (75% of limit)
 | netflows | <hostname>:<name> | OK | OK
 | | | NOTOK | The number of Netflows exceeded 37500 (75% of limit)
 | | | DEGRADED | The number of Netflows exceeded xxx (x% of limit)
 | | | CAUTION | The number of Netflows exceeded yyy (y% of limit)
 | physical_ports | <hostname>:<name> | OK | OK
 | | | NOTOK | The number of physical ports exceeded 50400 (95% of limit)
 | | | DEGRADED | The number of physical ports exceeded 40800 (85% of limit)
 | | | CAUTION | The number of physical ports exceeded 36000 (75% of limit)
 | policy | <hostname>:<name> | OK | OK
 | | | NOTOK | The number of policies exceeded 23750 (95% of limit)
 | | | DEGRADED | The number of policies exceeded 21250 (85% of limit)
 | | | CAUTION | The number of policies exceeded 18750 (75% of limit)
 | security_group | <hostname>:<name> | OK | OK
 | | | NOTOK | The number of security groups exceeded 3800 (95% of limit)
 | | | DEGRADED | The number of security groups exceeded 3400 (85% of limit)
 | | | CAUTION | The number of security groups exceeded 3000 (75% of limit)
 | sites | <hostname>:<name> | OK | OK
 | | | NOTOK | The number of sites exceeded 475 (95% of limit)
 | | | DEGRADED | The number of sites exceeded 425 (85% of limit)
 | | | CAUTION | The number of sites exceeded 375 (75% of limit)
 | transient_clients | <hostname>:<name> | OK | OK
 | | | NOTOK | The number of transient clients exceeded 71250 (95% of limit)
 | | | DEGRADED | The number of transient clients exceeded 63750 (85% of limit)
 | | | CAUTION | The number of transient clients exceeded 56250 (75% of limit)
 | MongoDB | <hostname>:<name> | CRITICAL | The disk usage exceeded 16.58 GB (80% of limit)
 | Postgres | <hostname>:<name> | CRITICAL | The disk usage exceeded 65.53 GB (80% of limit)
Software Upgrade | Upgrade | <hostname>:<name> | OK | Successfully finished downloading package <package-name> with version <package-version>
 | | | NOTOK | Catalog package download failed for <package-name>
Backup | Backup | <hostname>:<name> | OK | Successfully completed backup
 | | | NOTOK | Failed to backup
Restore | Restore | <hostname>:<name> | OK | Successfully restored
 | | | NOTOK | Failed to restore configuration

Domain: Connectivity

ISE | ISE_ERS | <Cisco-ISE-hostname> | Success | ISE AAA trust establishment succeeded for ISE server <ISE-server-details>
 | | | Failed | ISE AAA trust establishment failed for ISE server <ISE-server-details>

Domain: Integrations

IPAM | IPAM | <IPAM-hostname> | Ok | IPAM connection to Catalyst Center established. IPAM <IPAM-IP-address>.
 | | | Critical | IPAM connection to Catalyst Center offline. IPAM <IPAM-IP-address>.
ISE | ISE_AAA | <Cisco-ISE-hostname> | Up | ISE AAA trust establishment succeeded for ISE server. ISE <ISE-IP-address>
 | | | Down | ISE AAA trust establishment failed for ISE server. ISE <ISE-IP-address>
CMX | CMX | <CMX-hostname> | serviceAvailable | CMX connection to Catalyst Center offline. CMX <CMX-IP-address>.
 | | | serviceNotAvailable | CMX connection to Catalyst Center offline. CMX <CMX-IP-address>.
ITSM | ITSM | <ITSM-hostname> | Up | ITSM connection to Catalyst Center offline. ITSM <ITSM-IP-address>.
 | | | Down | ITSM connection to Catalyst Center offline. ITSM <ITSM-IP-address>.

System health scale numbers

System Health monitors Catalyst Center appliances and generates a notification whenever a network component listed in the following table exceeds a particular threshold. The priority of the notification that is generated depends on the percentage of a threshold that has been measured:

  • When 75% of a threshold has been exceeded, an information (P3) notification is generated.

  • When 85% of a threshold has been exceeded, a warning (P2) notification is generated.

  • When 95% of a threshold has been exceeded, a critical (P1) notification is generated.
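As an added example (not Cisco's code), the Python below applies the three thresholds above to scale-limit messages in the shape shown in the Event notification information table, back-computes the configured limit from the count and percentage, and flags rows whose State column disagrees with the percentage. The regex group names, the ScaleAlert type, the STATE_TO_PRIORITY mapping (inferred from the table: NOTOK rows carry 95% or more, DEGRADED 85%, CAUTION 75%) and the sample rows are this example's own constructions.

```python
"""Triage Catalyst Center System Health scale-limit notifications.

Added example, not Cisco code. Works on the message text shown in the
"Event notification information" table (for example "The number of sites
exceeded 475 (95% of limit)") and applies the 75%/85%/95% -> P3/P2/P1
rule from "System health scale numbers".
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Message shape copied from the page's table; the group names are ours.
_MSG_RE = re.compile(
    r"^The number of (?P<component>.+?) exceeded "
    r"(?P<count>\d+) \((?P<percent>\d+)% of limit\)$"
)

# Thresholds and priorities exactly as the page states them, highest first.
THRESHOLDS: Tuple[Tuple[int, str, str], ...] = (
    (95, "P1", "critical"),
    (85, "P2", "warning"),
    (75, "P3", "information"),
)

# Inferred from the table rows: NOTOK at >=95%, DEGRADED at 85%, CAUTION at 75%.
STATE_TO_PRIORITY: Dict[str, str] = {"NOTOK": "P1", "DEGRADED": "P2", "CAUTION": "P3"}


@dataclass(frozen=True)
class ScaleAlert:
    component: str
    count: int
    percent: int
    priority: str
    severity: str
    limit: int  # back-computed from count and percent


def priority_for(percent: int) -> Optional[Tuple[str, str]]:
    """Return (priority, severity) for the highest threshold crossed, or None below 75%."""
    for threshold, prio, sev in THRESHOLDS:
        if percent >= threshold:
            return prio, sev
    return None


def parse_scale_message(message: str) -> Optional[ScaleAlert]:
    """Parse one scale-limit message; None if it does not match or crosses no threshold."""
    m = _MSG_RE.match(message.strip())
    if not m:
        return None  # also rejects placeholder text such as "xxx (x% of limit)"
    count, percent = int(m["count"]), int(m["percent"])
    mapping = priority_for(percent)
    if mapping is None:
        return None
    # 475 at 95% means the configured limit is 500; 1050 at 105% means 1000.
    limit = round(count * 100 / percent)
    return ScaleAlert(m["component"], count, percent, mapping[0], mapping[1], limit)


def state_matches(state: str, percent: int) -> bool:
    """Check that the State column agrees with the percentage in the message."""
    mapping = priority_for(percent)
    return mapping is not None and STATE_TO_PRIORITY.get(state.upper()) == mapping[0]


def triage(rows: List[Tuple[str, str]]) -> Dict[str, List[str]]:
    """Group (state, message) rows by priority; unparseable or inconsistent rows go to REVIEW."""
    buckets: Dict[str, List[str]] = {"P1": [], "P2": [], "P3": [], "REVIEW": []}
    for state, message in rows:
        alert = parse_scale_message(message)
        if alert is None or not state_matches(state, alert.percent):
            buckets["REVIEW"].append(message)
            continue
        buckets[alert.priority].append(f"{alert.component}: {alert.count}/{alert.limit}")
    return buckets


# Constructed sample rows, following the shapes shown in the page's table.
SAMPLE_ROWS = [
    ("NOTOK", "The number of sites exceeded 475 (95% of limit)"),
    ("DEGRADED", "The number of security groups exceeded 3400 (85% of limit)"),
    ("CAUTION", "The number of IP pools exceeded 37500 (75% of limit)"),
    ("NOTOK", "The number of wired devices exceeded 1050 (105% of limit)"),
    # The table lists this wireless row as NOTOK at 75%; the stated rule gives P3.
    ("NOTOK", "The number of concurrent wireless clients exceeded 18750 (75% of limit)"),
    ("DEGRADED", "The number of Netflows exceeded xxx (x% of limit)"),
]

if __name__ == "__main__":
    for prio, items in triage(SAMPLE_ROWS).items():
        print(prio, items)
```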


Note


  • See the "Supported Hardware Appliances" topic in the Release Notes for Cisco Catalyst Center for a listing of the Catalyst Center appliances that are available.

  • 1,000,000 notifications are maintained in the audit log for every appliance (regardless of type) and are stored for one year.

  • To view the current appliance scale numbers, see the Cisco Catalyst Center Data Sheet.

  • System Health isn’t supported on Catalyst Center clusters consisting of three 44-core appliances.


View the system topology

From the System Health window's topology, you can view a graphical representation of your Catalyst Center appliances and the external systems that are connected to your network, such as Cisco Connected Mobile Experiences (Cisco CMX) and Cisco Identity Services Engine (Cisco ISE). Here, you can quickly identify any network components that are experiencing an issue and require further attention. To populate this page with appliance and external system data, you must first complete the tasks described in these topics:

To view this page, click the menu icon and choose System > System 360, then click the System Health tab. Topology data is polled every 30 seconds. If any new data is received, the topology automatically updates to reflect this data.


Note


  • Catalyst Center supports IPv6. When viewing a cluster on which IPv6 is enabled, the topology also displays the following information for that cluster's Enterprise virtual IP address:

    • Pre field: 16-bit prefix

    • GID field: 32-bit global ID

    • Subnet field: 16-bit subnet value

    The remainder of the cluster's Enterprise virtual IP address is used to label its topology icon.

  • An IPv6-enabled cluster can only connect to and retrieve data from external systems that also support IPv6.

  • Whenever a connected appliance or external system has a certificate installed that's set to expire, the topology does this:

    • If a certificate is set to expire within 90 days, the topology displays a warning.

    • If a certificate is set to expire within 30 days, the topology displays an error to bring your attention to the issue.

  • System Health runs a hardware compliance check regularly and indicates whenever a connected appliance or external system does not meet the minimum configuration requirements. For example, System Health updates the topology to indicate when the Write Through cache write policy is not set for a connected virtual drive.

  • If disaster recovery is operational in your production environment, System Health now provides hardware information for the appliances at both the main and recovery site. Previously, hardware information was provided only for main site appliances.


Troubleshoot appliance and external system issues

When viewing the System Health topology, the minor issue and major issue icons indicate network components that require attention. To begin troubleshooting the issue that a component is experiencing, place your cursor over its topology icon to open a pop-up window that displays this information:

  • A timestamp that indicates when the issue was detected.

  • If you are viewing the pop-up window for a Catalyst Center appliance, the Cisco IMC firmware version that is installed on the appliance.

  • A brief summary of the issue.

  • The current state or severity of the issue.

  • The domain, subdomain, and IP address or location associated with the issue.

If you open the pop-up window for a connected external system that has three or more associated servers or a Catalyst Center appliance that has three or more hardware components that are experiencing an issue, the More Details link is displayed. Click the link to open a slide-in pane that lists the relevant servers or components. You can then view information for a specific item by clicking > to maximize its entry.


Note


You can use the Support Bundle feature to access detailed root cause analysis (RCA) data. For more information about this feature, see the "Generate the Root Cause Analysis File from Catalyst Center" chapter in the Cisco Catalyst Center User Guide.


Troubleshoot external system connectivity issues

If Catalyst Center is currently unable to communicate with an external system, complete this procedure to ping that system and troubleshoot why it cannot be reached.

Before you begin

Do the following before you complete this procedure:

  • Install the Machine Reasoning package. See Download and install applications.

  • Create a role that has write permission to the Machine Reasoning function and assign that role to the user that completes this procedure. To access this parameter in the Create a User Role wizard, expand the System row in the Define the Access page. For more information, see Configure role-based access control.

Procedure

Step 1

From the top-right portion of the System Health window, choose Tools > Network Ping to open the Ping Device window.

The window lists all the devices that Catalyst Center currently manages.

Step 2

Click the radio button for any device whose reachability status is Reachable and then click the Troubleshoot link.

The Reasoner Inputs window opens.

Step 3

In the Target IP Address field, enter the IP address of the external system that cannot be reached.

Step 4

Click Run Machine Reasoning.

A dialog box is displayed after Catalyst Center has pinged the external system.

Step 5

Click View Details to see whether the ping was successful.

Step 6

If the ping failed, click the View Relevant Activities link to open the Activity Details slide-in pane and then click the View Details icon.

The Device Command Output window opens, listing possible causes for the inability to reach the external system.


Use the Validation tool

The Validation Tool tests both the Catalyst Center appliance hardware and connected external systems. The tool identifies any issues that need to be addressed before they seriously impact your network. The validation process makes numerous checks, such as:

  • The ability to connect to ciscoconnectdna.com (to download system and package updates).

  • The presence of expiring certificates.

  • The current health of appliance hardware and back-end services.

  • The network components that have exceeded a scale number threshold.

To access the tool:

  1. From the main menu, choose System > System 360, and then click the System Health tab.

  2. From the Tools drop-down menu, choose Validation Tool.

Navigate the Validation Tool window

The contents of the Validation Tool window depend on whether Catalyst Center has information for any validation runs that completed previously. If it doesn’t, the window looks like this:

Content of Validation Tool page when there are no validation runs completed previously

If Catalyst Center has validation run information, the window looks like this:

Content of Validation Tool page when the validation run information is available

This table describes the components that make up the Validation Tool window and their function when validation run information is available.

Callout | Description

  1. Search Table field: Enter a search string to filter the validation runs that are listed on this window.

  2. Add button: Click to open the New Validation Run slide-in pane and enter the required settings for a new run. For more information, see Start a validation run.

  3. Validation Runs table: Lists the validation runs that completed previously. For each run, the table provides information such as its name, applicable validation set, and completion status.

     Note

     • By default, the runs are ordered by start time, with the most recent run listed first.

     • A duration of zero is listed for any run that's currently in progress.

  4. Delete button: With the check box for a validation run checked, click to delete the run. Then click Ok in the Warning dialog box to confirm deletion.

     Note

     You cannot delete a run that is in progress.

  5. View Status link: Click to view the details for a particular run. For more information, see View Validation Run Details.

  6. Refresh button: Click to refresh the information that is displayed on this window.

Start a validation run

To start a validation run, complete these steps.


Note


Only one validation run can take place at a time. If a validation run is already in progress, you need to wait until it completes before you can initiate another run.


Procedure

Step 1

Do one of these tasks in the Validation Tool window, depending on whether the Validation Runs table is displayed:

  • If the table is not displayed, it means that either previous validation runs have been deleted or a validation run hasn’t been completed yet. Click New Validation Run.

  • If the Validation Runs table is displayed, click Add.

The New Validation Run slide-in pane opens.

Step 2

In the Name field, enter a name for the validation run.

Ensure that the name that you enter is unique and contains only alphanumeric characters. Special characters aren’t allowed.

Step 3

(Optional) In the Description field, enter a brief description for the validation run you’re about to start.

You can enter a description that contains a maximum of 250 characters.

Step 4

In the Validation Set(s) Selection area, check the check box for the validation sets you want to run.

You can maximize a validation set to view the checks it makes.

Step 5

Click Run.


View Validation Run Details

From the Validation Run Details slide-in pane, you can view the checks that were made during the selected run, completion status, duration, and any other relevant information.

Validation Run Details slide-in pane

From here, you can also do these tasks:

  • To filter the information that’s provided, in the Search Table field, enter a search string.

  • To download the contents of this pane as a JSON file, click Export.

  • To copy the contents of this pane, click Copy.

Update the validation set

Validation sets should be updated whenever you upgrade Catalyst Center. If you need to update the validation sets manually, do this procedure:

Procedure

Step 1

From the main menu, choose System > Settings > System Configuration > System Health.

Step 2

Click the Validation Catalog tab.

Step 3

Click Download Latest to download a local copy of the latest available validation sets.

Step 4

Import the validation set to Catalyst Center:

  1. Click Import to open the Import Validation Set dialog box.

    Import Validation Set dialog box
  2. Do one of these tasks:

    • Click the Choose a file link and navigate to the .tar file that you want to import.

    • Drag and drop the appropriate .tar file from your desktop into the highlighted area.

  3. Click Import.


System topology notifications

These tables list the various notifications that are displayed in the system topology of the System Health page for your Catalyst Center appliances and any connected external systems. Notifications are grouped by their corresponding severity:

  • Severity 1 (Error): Indicates a critical error, such as a disabled RAID controller or faulty power supply.

  • Severity 2 (Warning): Indicates an issue such as the inability to establish trust with a Cisco ISE server.

  • Severity 3 (Success): Indicates that a server or hardware component is operating as expected.


    Note


    If all the hardware components on an appliance are operating without any issues, an individual notification is not provided for each component. An OK notification displays instead.


Table 2. Catalyst Center appliance notifications
Component Severity 1 notification Severity 2 notification Severity 3 notification

CPU

Processor CPU1 (SerialNumber - xxxxxx) State is Disabled

Processor CPU1 (SerialNumber - xxxxxx) Health is NotOk and State is Enabled

Processor CPU1 (SerialNumber - xxxxxx) Health is Ok and State is Enabled

Disk

Driver - PD1 State is Disabled

Driver - PD1 Health is Critical and State is Enabled

Driver - PD1 Health is Ok and State is Enabled

MemoryV1

Memory Summary (TOTALSYSTEMMEMORYGIB - 256) Health is NotOk

Memory Summary (TOTALSYSTEMMEMORYGIB - 256) Health is Ok

MemoryV2

Storage DIMM1 (SerialNumber - xxxxx) Status is NotOperable

Storage DIMM1 (SerialNumber - xxxxx) Status is Operable

NIC

NIC Adapter Card MLOM State is Disabled

NIC Adapter Card MLOM State is Enabled and port0 is Down

NIC Adapter Card MLOM State is Enabled and port0 is Up

Power supply

PowerSupply PSU1 (SerialNumber - xxxx) State is Disabled

PowerSupply PSU1 (SerialNumber - xxxx) State is Enabled

RAID

Cisco 12G SAS Modular Raid Controller (SerialNumber - xxxxx) State is Disabled

Cisco 12G SAS Modular Raid Controller (SerialNumber - xxxxx) Health is NotOK and State is Enabled

Cisco 12G SAS Modular Raid Controller (SerialNumber - xxxxx) Health is OK and State is Enabled

Table 3. Connected external system notifications
Component Severity 1 notification Severity 2 notification Severity 3 notification

Cisco Connected Mobile Experiences (CMX) server

There is a critical issue with the integrated CMX server.

CMX server is integrated and servicing.

IP address management (IPAM) server

There is a critical issue with the connected third-party IPAM provider

  • A third-party IPAM provider is connected.

  • There is no third-party IPAM provider connected.

  • The third-party IPAM provider is currently synchronizing.

Cisco ISE—External RESTful Services (ERS)

ISE PAN ERS connection: ISE ERS API call unauthorized

ISE PAN ERS connection: ERS reachability with ISE - Success

Cisco ISE—Trust

ISE AAA Trust Establishment: Trust Establishment Error

ISE AAA Trust Establishment: Successfully established trust and discovered PSNs from PAN

IT service management (ITSM) server

Servicenow connection health status is NOT up and running

Servicenow connection health status is up and running

Disk use event notifications

System Health monitors disk use on the nodes in your system and sends a notification whenever use on any node reaches a level that can impact network operations: a warning notification when use exceeds 75%, and a critical notification when use exceeds 85%. To configure and subscribe to these notifications, complete the steps described in the "Work with Event Notifications" topic of the Catalyst Center Platform User Guide. When completing this procedure, select and subscribe to the System Performance: Filesystem Utilization event.


Note


  • After you restore a backup file or upgrade Catalyst Center, System Health restarts the monitoring of disk use and collects hourly updates.

  • In a three-node HA deployment, every configured partition on the three cluster nodes is monitored. Any generated notifications are specific to the relevant partition.

  • In a deployment where disaster recovery is enabled, System Health monitors disk use by the nodes at both the active and standby site.


Check for revoked and expired certificates

Catalyst Center checks daily for certificates that have been revoked, expired, or will expire in the near future. If you want to receive notifications whenever one of these events takes place, subscribe to the SYSTEM-CERTIFICATE-v2 and CISCO-IMC-CERTIFICATE-v2 events (see Subscribe to system event notifications). In addition to the notifications you receive in the format of your choosing, Catalyst Center also updates the System Health window's topology to indicate certificate events. To view these notifications, place your cursor over an appliance. If available, you can also click the More Details link to view notifications in the Appliance Details slide-in pane.

System Health window displaying a certificate event notification

Catalyst Center supports the storage and update of the Cisco trusted certificate bundle (ios.p7b) from the Cisco PKI website. This bundle, which comes preinstalled with Catalyst Center, enables supported Cisco networking devices to authenticate the controller and its applications (such as Network Plug and Play) when a valid third-party vendor device certificate is presented. Catalyst Center checks the status of the bundle's third-party certificates individually; for Cisco-signed certificates, it checks whether a newer version of the bundle is available to download. To receive notifications when a third-party certificate or the trusted certificate bundle requires an update, subscribe to the CISCO-TRUSTED-CERTIFICATE-BUNDLE-v2 event.

Check required URLs access

Catalyst Center confirms whether these URLs are reachable:

  • http://validation.identrust.com/crl/hydrantidcao1.crl

  • http://commercial.ocsp.identrust.com

  • https://www.ciscoconnectdna.com

  • https://cdn.ciscoconnectdna.com

  • https://registry.ciscoconnectdna.com

  • https://registry-cdn.ciscoconnectdna.com

When any of these URLs are unreachable, network operations can be affected. The first two are especially important because they are used to check the revocation status of system certificates; note that these two revocation endpoints use plain HTTP, so egress filtering and proxy rules must allow HTTP to them, not only HTTPS. Subscribe to the INTERNET-URL-ACCESS-v2 event to receive a notification when a URL becomes unreachable.

Suggested actions

This table lists the issues that you’ll most likely encounter while monitoring the health of your system and suggests actions you can take to remedy those issues.

Component Subcomponent Issue Suggested actions

Cisco ISE

External RESTful Services (ERS)—Reachability

Timeout elapsed (possibly because the Cisco ISE ERS API load threshold has been exceeded).

  • Check your proxy configuration for a proxy server between Catalyst Center and Cisco ISE.

  • Check whether you can reach Cisco ISE from Catalyst Center.

Unable to establish a connection with Cisco ISE.

  • Check whether a firewall is configured.

  • Check your proxy configuration for a proxy server between Catalyst Center and Cisco ISE.

  • Check whether you can reach Cisco ISE from Catalyst Center.

ERS—Availability

No response to ERS API call.

ERS—Authentication

Cisco ISE ERS API call is unauthorized.

Check whether the AAA settings credentials and the Cisco ISE credentials are the same.

ERS—Configuration

Cisco ISE certificate has been changed.

From the Catalyst Center GUI, reestablish trust. For more information, see the "Enable PKI in Cisco ISE" topic in the Cisco Identity Services Engine Administrator Guide.

ERS—Unclassified/Generic Error

An undefined diagnostic error occurred.

  1. Delete the AAA settings that are currently configured in Catalyst Center.

  2. Reenter the appropriate AAA settings. For more information, see the "Integrate Cisco ISE with Catalyst Center" topic in the Cisco Catalyst Center Second Generation Appliance Installation Guide.

  3. Reestablish trust. For more information, see the "Enable PKI in Cisco ISE" topic in the Cisco Identity Services Engine Administrator Guide.

Trust—Reachability

Unable to establish an HTTPS connection.

Check whether the AAA settings credentials and the Cisco ISE credentials are the same.

The Catalyst Center endpoint URL configured for Cisco ISE certificate chain uploads is unreachable.

  • Check your proxy configuration for a proxy server between Catalyst Center and Cisco ISE.

  • Check whether you can reach Cisco ISE from Catalyst Center.

Trust—Configuration

Invalid Cisco ISE certificate chain.

  • If necessary, regenerate the Cisco ISE internal root CA chain. For more information, see the "ISE CA Chain Regeneration" topic in the Cisco Identity Services Engine Administrator Guide.

  • Ensure that the internal CA certificate chain has not been removed from Cisco ISE.

The Catalyst Center endpoint URL configured for Cisco ISE certificate chain uploads is forbidden.

  • Launch the URL and check whether you can access the /aaa/Cisco ISE/certificate directory on the endpoint.

  • Check whether the Use CSRF Check for Enhanced Security option is enabled in Cisco ISE. For more information, see the "Enable External RESTful Services APIs" topic in the Cisco Identity Services Engine Administrator Guide.

Trust—Authentication

The Cisco ISE password has expired.

Trust—Unclassified/Generic Error

An undefined diagnostic error occurred.

  1. Delete the AAA settings that are currently configured in Catalyst Center.

  2. Reenter the appropriate AAA settings. For more information, see the "Integrate Cisco ISE with Catalyst Center" topic in the Cisco Catalyst Center Second Generation Appliance Installation Guide.

  3. Reestablish trust. For more information, see the "Enable PKI in Cisco ISE" topic in the Cisco Identity Services Engine Administrator Guide.

Cisco Connected Mobile Experiences (CMX) server

IP address management (IPAM) server

IT service management (ITSM) server

Reachability

Unable to establish connectivity with the server.

Check whether the server in question is currently down.

Authentication

Unable to log in to the server.

Confirm that the correct login credentials are configured in Catalyst Center.

Hardware

Disk

The specified hardware component is experiencing an issue.

Replace the faulty component.

Fan

Power supply

Memory module

CPU

Networking card

RAID controller

Networking

Interfaces are missing.

  1. Connect to Cisco IMC.

  2. If the PID is UCSC-C220-M4 or UCSC-C220-M4S, complete the following steps:

    1. From the main menu, choose Compute > BIOS > Configure BIOS.

    2. Click the Advanced tab.

    3. Expand LOM and PCIe Slots Configuration.

    4. Enable the disabled mLOMs and reboot the host.

  3. For all other PIDs, replace the faulty component.

System configuration

Hardware configuration

You cannot specify write-back as the write cache policy for the Catalyst Center <IP_address> virtual drive. The write policy must be write-through.

  1. Connect to Cisco IMC.

  2. From the main menu, choose Storage > Raid Controller.

  3. Click the Virtual Drive tab.

  4. Select a virtual drive and click Edit. If the write policy is not write-through, update the virtual drives. The write policy must be write-through.

System resources

Storage

The specified mount directory is full.

  • Clear up storage space in the current directory by removing unnecessary data.

  • Specify a new mount directory that has more storage space.

Typical node operations

Hardware Peripherals RMA

We recommend that you perform a graceful shutdown of Catalyst Center when replacing hardware peripherals such as DIMMs, CPUs, or a single solid-state drive (SSD) during a return materials authorization (RMA) procedure.

Switch Under Maintenance Without HA

If a directly linked switch in the Layer 2 network is undergoing maintenance without a fallback (HA) mechanism to uphold network service, we recommend that you perform a graceful shutdown. To achieve Layer 2 network redundancy, see "NIC Bonding Overview" in the Cisco Catalyst Center Appliance Installation Guide.

Catalyst Center and Cisco ISE integration

Cisco ISE has three use cases with Catalyst Center:

  1. Cisco ISE can be used as a AAA (pronounced "triple A") server for user, device, and client authentication. If you are not using access control policies, or are not using Cisco ISE as a AAA server for device authentication, you do not have to install and configure Cisco ISE.

  2. Access control policies use Cisco ISE to enforce access control. Before you create and use access control policies, integrate Catalyst Center and Cisco ISE. The process involves installing and configuring Cisco ISE with specific services, and configuring Cisco ISE settings in Catalyst Center. For more information about installing and configuring Cisco ISE with Catalyst Center, see the Cisco Catalyst Center Installation Guide.

  3. If your network uses Cisco ISE for user authentication, configure Assurance for Cisco ISE integration. This integration lets you see more information about wired clients, such as the username and operating system, in Assurance. For more information, see "About Cisco ISE Configuration for Catalyst Center" in the Cisco Catalyst Assurance User Guide.

After Cisco ISE is successfully registered and its trust established with Catalyst Center, Catalyst Center shares information with Cisco ISE. Catalyst Center devices that are assigned to a site that is configured with Cisco ISE as its AAA server have their inventory data propagated to Cisco ISE. Additionally, any updates to the following settings on these devices in Catalyst Center also update Cisco ISE with the changes:

  • Device hostname

  • AAA server configurations under Design > Network Settings > Servers.

  • Device credentials

  • Device Loopback0 IP address

  • Device management IP address

  • Network Device Group (NDG) tag associated with the device

If a Catalyst Center device associated with a site that uses Cisco ISE as its AAA server is not propagated to Cisco ISE as expected, Catalyst Center automatically retries after a specific time interval. This retry occurs when the initial device push to Cisco ISE fails because of a networking issue, Cisco ISE downtime, or another automatically correctable error; Catalyst Center works toward eventual consistency with Cisco ISE by retrying the add or update of the device data. No retry is attempted when the failure is a rejection by Cisco ISE itself, such as an input validation error.

If you change the RADIUS shared secret for Cisco ISE, Cisco ISE does not update Catalyst Center with the changes. To update the shared secret in Catalyst Center to match Cisco ISE, edit the AAA server with the new password. Catalyst Center downloads the new certificate from Cisco ISE, and updates Catalyst Center.

Cisco ISE does not share existing device information with Catalyst Center. The only way for Catalyst Center to know about the devices in Cisco ISE is if the devices have the same name in Catalyst Center; Catalyst Center and Cisco ISE uniquely identify devices for this integration through the device's hostname variable.


Note


The process that propagates Catalyst Center inventory devices to Cisco ISE, and every update it sends, is captured in the Catalyst Center audit logs. If there are any issues in the Catalyst Center-to-Cisco ISE workflow, view the audit logs in the Catalyst Center GUI for information.


Catalyst Center integrates with the primary Administration ISE node. When you access Cisco ISE from Catalyst Center, you connect with this node.

Catalyst Center polls Cisco ISE every 15 minutes. If the Cisco ISE server is down, Catalyst Center shows the Cisco ISE server as red (unreachable).

When the Cisco ISE server is unreachable, Catalyst Center increases polling to 15 seconds, and then doubles the polling time to 30 seconds, 1 minute, 2 minutes, 4 minutes, and so on, until it reaches the maximum polling time of 15 minutes. Catalyst Center continues to poll every 15 minutes for 3 days. If Catalyst Center does not regain connectivity, it stops polling and updates the Cisco ISE server status to Untrusted. If this happens, you must reestablish trust between Catalyst Center and the Cisco ISE server.
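The polling schedule described above, modeled as an added example (not Catalyst Center code) so that you can see when an outage turns into an Untrusted state that requires re-establishing trust by hand. The only assumption is that the 3-day window is measured from the first failed poll; the page does not say where the window starts.

```python
"""Model of the Cisco ISE reachability polling described above.

Added example, not Catalyst Center code. It encodes only the stated schedule:
a poll every 15 minutes while Cisco ISE is reachable; after a failure, a retry
in 15 s, doubling until the 15-minute cap; Untrusted once polling has failed
for 3 days. Measuring the 3 days from the first failed poll is an assumption."""

HEALTHY_INTERVAL = 15 * 60          # seconds between polls while reachable
FIRST_RETRY = 15                    # first retry interval after a failed poll
UNTRUSTED_AFTER = 3 * 24 * 60 * 60  # continuous failure before Untrusted (assumed: from first failure)


class IsePollSchedule:
    """Next poll interval and the Cisco ISE status Catalyst Center would show."""

    def __init__(self):
        self.status = "reachable"        # reachable | unreachable | untrusted
        self.interval = HEALTHY_INTERVAL
        self.down_since = None           # time of the first failed poll in this outage

    def record(self, now, ok):
        """Record the result of the poll made at time `now` (seconds).

        Returns seconds until the next poll, or None once the server is marked
        Untrusted: polling stops and trust must be re-established manually."""
        if self.status == "untrusted":
            return None
        if ok:                                   # recovered: back to the normal cadence
            self.status, self.down_since = "reachable", None
            self.interval = HEALTHY_INTERVAL
            return self.interval
        if self.down_since is None:              # first failure: aggressive retry
            self.status, self.down_since = "unreachable", now
            self.interval = FIRST_RETRY
            return self.interval
        if now - self.down_since >= UNTRUSTED_AFTER:
            self.status = "untrusted"
            return None
        self.interval = min(self.interval * 2, HEALTHY_INTERVAL)   # 30 s, 1 min, ... 15 min
        return self.interval


def simulate_outage(recover_after=None):
    """Replay an outage that starts at t=0. If recover_after is set, the first poll
    at or after that time succeeds. Returns (intervals scheduled, final status,
    time of the last poll)."""
    sched, intervals, t = IsePollSchedule(), [], 0
    while True:
        ok = recover_after is not None and t >= recover_after
        nxt = sched.record(t, ok)
        if nxt is None or ok:
            return intervals, sched.status, t
        intervals.append(nxt)
        t += nxt
```

Running simulate_outage() with these numbers shows the server declared Untrusted after 293 scheduled polls, a little over three days after the first failure; that is the point at which the manual re-trust described above becomes necessary. Feeding real poll outcomes into IsePollSchedule.record() gives the same decision for a live deployment.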

Network Device Group (NDG) tags, which are prefixed with NDG:, are reflected in Cisco ISE.

When you delete devices integrated with Cisco ISE, those deleted devices are moved to the new NDG group in Cisco ISE.

Review the following additional requirements and recommendations to verify Catalyst Center and Cisco ISE integration:

  • Catalyst Center and Cisco ISE integration is not supported over a proxy server. If a proxy server sits between Catalyst Center and Cisco ISE in your network, configure Catalyst Center so that its traffic to the Cisco ISE address bypasses the proxy server.

  • Catalyst Center and Cisco ISE integration is not supported through a Catalyst Center virtual IP address (VIP). If you are using an enterprise CA-issued certificate for Catalyst Center, make sure the Catalyst Center certificate includes the IP addresses of all interfaces on Catalyst Center in the Subject Alternative Name (SAN) extension. If Catalyst Center is a three-node cluster, the IP addresses of all interfaces from all three nodes must be included in the SAN extension of the Catalyst Center certificate.

  • You must have Admin-level access in Cisco ISE.

  • Disable password expiry for the Admin user in Cisco ISE. Alternatively, make sure that you update the password before it expires. For more information, see the Cisco Identity Services Engine Administrator Guide.

  • When the Cisco ISE certificate changes, Catalyst Center must be updated. To do that, edit the AAA server (Cisco ISE), reenter the password, and save. This forces Catalyst Center to download the certificate chain for the new admin certificate from Cisco ISE, and update Catalyst Center. If you are using Cisco ISE in HA mode, and the admin certificate changes on either the primary or secondary administrative node, you must update Catalyst Center.

  • Catalyst Center configures certificates for itself and for Cisco ISE to connect over pxGrid. You can use other certificates with pxGrid for connections to other pxGrid clients, such as Firepower. These other connections do not interfere with the Catalyst Center and Cisco ISE pxGrid connection.

  • You can change the RADIUS secret password. You provided the secret password when you configured Cisco ISE as a AAA server under System > Settings > External Services > Authentication and Policy Servers. To change the secret password, choose Design > Network Settings > Network and click the Change Shared Secret link. This causes Cisco ISE to use the new secret password when connecting to network devices managed by Catalyst Center.

  • In distributed Cisco ISE clusters, each node performs only certain functions, such as PAN (Admin), MnT (Monitoring and Troubleshooting), or PSN (Policy Service). It is possible to have only Admin certificate usage on PAN nodes, and only EAP Authentication certificate usage on PSN nodes. However, this configuration prevents Catalyst Center and Cisco ISE integration for pxGrid. Therefore, we recommend that you enable EAP Authentication certificate usage on the Cisco ISE primary PAN node.

  • To ensure that Catalyst Center recognizes a PSN after it's been upgraded, you must do the following:

    1. Readd the PAN that's associated with the PSN. In the Cisco Identity Services Engine Administrator Guide, see the "Configure a Primary Policy Administration Node" topic.

    2. Reintegrate Cisco ISE with Catalyst Center. In the Cisco Catalyst Center Installation Guide, see the "Integrate Cisco ISE with Catalyst Center" topic.

  • Catalyst Center supports certificate revocation checks through the CRL Distribution Point (CDP) and Online Certificate Status Protocol (OCSP) extensions. During integration, Catalyst Center receives the Cisco ISE admin certificate over port 9060 and verifies its validity using the CDP and OCSP URLs inside that certificate. If both CDP (which lists one or more CRLs) and OCSP are configured, Catalyst Center uses OCSP to verify the revocation status of the certificate and falls back to CDP if the OCSP URL is not accessible. If the CDP lists multiple CRLs, Catalyst Center contacts the next CRL when the first is not reachable; however, because of a bug in the JDK PKI implementation, not every CRL entry is checked.

    Proxy is not supported for certificate verification. Catalyst Center contacts the CRL and OCSP servers without proxy.

    • OCSP and CRL entries are optional in the certificate.

    • LDAP is not supported as a protocol for certificate validation. Do not include LDAP URLs in CDP or AIA extensions.

    • All URLs in CDP and OCSP must be reachable from Catalyst Center. Unreachable URLs can cause a poor integration experience, including a failed integration.

  • The subject name and issuer of the Cisco ISE certificates must use only ASN.1 PrintableString characters: spaces and A – Z, a – z, 0 – 9, ' ( ) + , - . / : = ?
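The certificate rules collected on this page (expiry and revocation monitoring under Check for revoked and expired certificates, the SAN coverage requirement for the Catalyst Center certificate, the FQDN-to-CN/SAN match, the OCSP-first-then-CRL order, the LDAP exclusion, and the PrintableString restriction above) can be checked before you start the integration. The following is an added example, not Catalyst Center or Cisco code. It operates on the dictionary that Python's ssl.SSLSocket.getpeercert() returns, so the same functions can be run against a live Cisco ISE PAN; SAMPLE_ISE_CERT is a constructed dictionary in that shape with hypothetical names, not a real certificate, and the injected reachable callable and the 30-day expiry warning window are assumptions.

```python
"""Pre-integration certificate checks, applying the rules listed above.

Added example, not Catalyst Center or Cisco code. Works on the dict shape that
Python's ssl.SSLSocket.getpeercert() returns, so the functions can be run on a
live Cisco ISE PAN; SAMPLE_ISE_CERT is a constructed dict in that shape with
hypothetical names, not a real certificate. Reachability is injected as a
callable so the OCSP-then-CRL ordering can be exercised offline."""
import re
from datetime import datetime, timedelta, timezone
from ipaddress import ip_address

# ASN.1 PrintableString alphabet as listed on this page: letters, digits, space,
# and ' ( ) + , - . / : = ?
PRINTABLE = re.compile(r"^[A-Za-z0-9 '()+,\-./:=?]*$")

SAMPLE_ISE_CERT = {  # constructed sample, getpeercert() shape, hypothetical names
    "subject": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
                (("commonName", "ise.example.com"),)),
    "issuer": ((("countryName", "US"),), (("organizationName", "Example Corp"),),
               (("commonName", "Example Corp Issuing CA"),)),
    "notAfter": "Jun 12 23:59:59 2026 GMT",
    "subjectAltName": (("DNS", "ise.example.com"), ("IP Address", "10.0.0.5")),
    "OCSP": ("http://ocsp.example.com",),
    "crlDistributionPoints": ("ldap://ldap.example.com/cn=ca?certificateRevocationList",
                              "http://crl.example.com/ca.crl"),
}

def rdn_values(name):
    """Flatten getpeercert()'s nested RDN tuples into the attribute values."""
    return [value for rdn in name for _attr, value in rdn]

def printable_string_ok(name):
    """True when every subject or issuer value stays inside the PrintableString set."""
    return all(PRINTABLE.match(v) for v in rdn_values(name))

def parse_cert_time(s):
    """getpeercert() renders validity times like 'Jun 12 23:59:59 2026 GMT'."""
    return datetime.strptime(s, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)

def expiry_status(cert, now, warn_days=30):
    """'expired', 'expiring' (within warn_days, an assumed window) or 'ok'."""
    not_after = parse_cert_time(cert["notAfter"])
    if not_after <= now:
        return "expired"
    return "expiring" if not_after - now <= timedelta(days=warn_days) else "ok"

def fqdn_matches(cert, fqdn):
    """The FQDN entered in Catalyst Center must equal the CN or a DNS SAN entry."""
    cns = [v for rdn in cert["subject"] for attr, v in rdn if attr == "commonName"]
    dns = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return fqdn.lower() in {x.lower() for x in cns + dns}

def san_covers_ips(cert, required_ips):
    """Every required interface IP (all nodes of a 3-node cluster) must be a SAN entry."""
    san_ips = {ip_address(v) for kind, v in cert.get("subjectAltName", ()) if kind == "IP Address"}
    return all(ip_address(ip) in san_ips for ip in required_ips)

def revocation_plan(cert, reachable):
    """Pick the revocation source in the page's order: OCSP first, then each CRL in
    turn, never LDAP. Returns (url or None, list of problems); reachable(url) is
    injected. None with no problems means the certificate advertises no source."""
    problems = []
    ocsp = list(cert.get("OCSP", ()))
    crls = list(cert.get("crlDistributionPoints", ()))
    for url in ocsp + crls:
        if url.lower().startswith("ldap:"):
            problems.append(f"LDAP URL not supported for validation: {url}")
    for url in ocsp:
        if reachable(url):
            return url, problems
        problems.append(f"OCSP responder unreachable, falling back to CRL: {url}")
    for url in crls:
        if url.lower().startswith("ldap:"):
            continue
        if reachable(url):
            return url, problems
        problems.append(f"CRL unreachable, trying next: {url}")
    return None, problems

def check_certificate(cert, fqdn, required_ips, now, reachable):
    """Run every check; an empty list means nothing here blocks the integration."""
    findings = []
    for label in ("subject", "issuer"):
        if not printable_string_ok(cert[label]):
            findings.append(f"{label} contains characters outside PrintableString")
    status = expiry_status(cert, now)
    if status != "ok":
        findings.append(f"certificate {status}")
    if not fqdn_matches(cert, fqdn):
        findings.append(f"FQDN {fqdn} not found in CN or SAN")
    if not san_covers_ips(cert, required_ips):
        findings.append("SAN does not list every required IP address")
    source, problems = revocation_plan(cert, reachable)
    findings.extend(problems)
    if source is None and (cert.get("OCSP") or cert.get("crlDistributionPoints")):
        findings.append("no reachable revocation source (OCSP or CRL)")
    return findings
```

Against a live deployment, obtain the dictionary with ssl.create_default_context() and getpeercert() on a connection to the PAN, pass the FQDN you intend to enter in Catalyst Center, and, for the Catalyst Center certificate, the list of all interface IP addresses of all cluster nodes as required_ips. The reachable callable should perform the lookups directly, without a proxy, because the page states that certificate verification does not use one.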

Anonymize data

Catalyst Center allows you to anonymize wired and wireless endpoint data. You can scramble personally identifiable data, such as the user ID and device hostname, of wired and wireless endpoints.

Ensure that you enable anonymization before you run Discovery. If you anonymize the data after you run Discovery, the new data coming into the system is anonymized, but the existing data isn’t anonymized.

Procedure


Step 1

From the main menu, choose System > Settings > Trust & Privacy > Anonymize Data.

Step 2

In the Anonymize Data window, check the Enable Anonymization check box.

Step 3

Click Save.

After you enable anonymization, you can only search for the device using nonanonymized information such as the MAC address, IP address, and so on.

Configure authentication and policy servers

Catalyst Center uses AAA servers for user authentication and Cisco ISE for both user authentication and access control. Use this procedure to configure AAA servers, including Cisco ISE.

Before you begin

If you are using Cisco ISE to perform both policy and AAA functions, make sure that Catalyst Center and Cisco ISE are integrated.

If you are using another product (not Cisco ISE) to perform AAA functions, make sure to do these tasks:

  • Register Catalyst Center with the AAA server, including defining the shared secret on both the AAA server and Catalyst Center.

  • Define an attribute name for Catalyst Center on the AAA server.

  • For a Catalyst Center multihost cluster configuration, define all individual host IP addresses and the virtual IP address for the multihost cluster on the AAA server.

Before you configure Cisco ISE, confirm that:

  • You have deployed Cisco ISE on your network. For information on supported Cisco ISE versions, see the Cisco Catalyst Center Compatibility Matrix. For information on installing Cisco ISE, see the Cisco Identity Services Engine Install and Upgrade guides.

  • If you have a standalone Cisco ISE deployment, you must integrate Catalyst Center with the Cisco ISE node and enable the pxGrid service and External RESTful Services (ERS) on that node.

  • If you have a distributed Cisco ISE deployment:

    You must integrate Catalyst Center with the primary policy administration node (PAN), and enable ERS on the PAN.


    Note


    We recommend that you use ERS through the PAN. However, for backup, you can enable ERS on the Policy Service Nodes (PSNs).


    You must enable the pxGrid service on one of the Cisco ISE nodes within the distributed deployment. Although you can decide to do so, you do not have to enable pxGrid on the PAN. You can enable pxGrid on any Cisco ISE node in your distributed deployment.

    The PSNs that you configure in Cisco ISE to handle TrustSec or SD Access content and Protected Access Credentials (PACs) must also be defined in Work Centers > Trustsec > Trustsec Servers > Trustsec AAA Servers. For more information, see the Cisco Identity Services Engine Administrator Guide.

  • You must enable communication between Catalyst Center and Cisco ISE on these ports: 443, 5222, 8910, and 9060.

  • The Cisco ISE host on which pxGrid is enabled must be reachable from Catalyst Center on the IP address of the Cisco ISE eth0 interface.

  • The Cisco ISE node can reach the fabric underlay network via the appliance's NIC.

  • The Cisco ISE admin node certificate must contain the Cisco ISE IP address or the fully qualified domain name (FQDN) in either the certificate subject name or the Subject Alternative Name (SAN).

  • The Catalyst Center system certificate must list both the Catalyst Center appliance IP address and FQDN in the SAN field.

Procedure


Step 1

From the main menu, choose System > Settings > External Services > Authentication and Policy Servers.

Step 2

From the Add drop-down list, select AAA or ISE.

Step 3

To configure the primary AAA server, enter this information:

  • Server IP Address: IP address of the AAA server.

  • Shared Secret: Key for device authentications. The shared secret must contain from 4 to 100 characters. It cannot contain a space, question mark (?), or less-than angle bracket (<).

Note

 

Make sure that you do not configure a PSN that is part of an existing Cisco ISE cluster as a primary AAA server.

Step 4

To configure a Cisco ISE server, enter these details:

  • Server IP Address: IP address of the Cisco ISE server.

  • Shared Secret: Key for device authentications. The shared secret must contain from 4 to 100 characters. It cannot contain a space, question mark (?), or less-than angle bracket (<).

  • Username: Username that is used to log in to Cisco ISE via HTTPS.

  • Password: Password for the Cisco ISE HTTPS username.

    Note

     

    The username and password must be an ISE admin account that belongs to the Super Admin.

  • FQDN: Fully qualified domain name (FQDN) of the Cisco ISE server.

    Note

     
    • We recommend that you copy the FQDN that is defined in Cisco ISE (Administration > Deployment > Deployment Nodes > List) and paste it directly into this field.

    • The FQDN that you enter must match the FQDN, Common Name (CN), or Subject Alternative Name (SAN) defined in the Cisco ISE certificate.

    The FQDN consists of two parts, a hostname and the domain name, in this format:

    hostname.domainname.com

    For example, the FQDN for a Cisco ISE server can be ise.cisco.com.

  • Virtual IP Address(es): Virtual IP address of the load balancer behind which the Cisco ISE policy service nodes (PSNs) are located. If you have multiple PSN farms behind different load balancers, you can enter a maximum of six virtual IP addresses.

Step 5

Click Advanced Settings and configure the settings:

  • Connect to pxGrid: Check this check box to enable a pxGrid connection.

    If you want to use the Catalyst Center system certificate as the pxGrid client certificate (sent to Cisco ISE to authenticate the Catalyst Center system as a pxGrid client), check the Use Catalyst Center Certificate for pxGrid check box. You can use this option if all the certificates that are used in your operating environments must be generated by the same Certificate Authority (CA). If this option is disabled, Catalyst Center will send a request to Cisco ISE to generate a pxGrid client certificate for the system to use.

    When you enable this option, ensure that:

    • The Catalyst Center certificate is generated by the same CA as is in use by Cisco ISE (otherwise, the pxGrid authentication fails).

    • The certificate's Extended Key Usage (EKU) extension includes "Client Authentication."

  • Protocol: TACACS and RADIUS (the default). You can select both protocols.

    Attention

     

    If you do not enable TACACS for a Cisco ISE server here, you cannot configure the Cisco ISE server as a TACACS server under Design > Network Settings > Servers when configuring a AAA server for network device authentication.

  • Authentication Port: UDP port used to relay authentication messages to the AAA server. The default UDP port used for authentication is 1812.

  • Accounting Port: UDP port used to relay accounting messages to the AAA server. The default is UDP port 1813.

  • Port: TCP port used to communicate with the TACACS server. The default TCP port used for TACACS is 49.

  • Retries: Number of times that Catalyst Center attempts to connect with the AAA server before abandoning the attempt to connect. The default number of attempts is 3.

  • Timeout: The time period for which the device waits for the AAA server to respond before abandoning the attempt to connect. The default timeout is 4 seconds.

Note

 

After the required information is provided, Cisco ISE is integrated with Catalyst Center in two phases. It takes several minutes for the integration to complete. The phase-wise integration status is shown in the Authentication and Policy Servers window and System 360 window.

Cisco ISE server registration phase:

  • Authentication and Policy Servers window: "In Progress"

  • System 360 window: "Primary Available"

pxGrid subscriptions registration phase:

  • Authentication and Policy Servers window: "Active"

  • System 360 window: "Primary Available" and "pxGrid Available"

If the status of the configured Cisco ISE server is shown as "FAILED" due to a password change, click Retry, and update the password to resynchronize the Cisco ISE connectivity.

Step 6

Click Add.

Step 7

To add a secondary server, repeat the preceding steps.

Step 8

To view the Cisco ISE integration status of a device:

  1. From the main menu, choose Provision > Inventory.

    The Inventory window displays the device information.

  2. From the Focus drop-down menu, select Provision.

  3. In the Devices table, the Provisioning Status column displays information about the provisioning status of your device (Success, Failed, or Not Provisioned).

    Click See Details to open a slide-in pane with additional information.

  4. In the slide-in pane that appears, click See Details.

  5. Scroll down to the ISE Device Integration tile to view detailed information about the integration status of the device.


Configure Cisco AI Network Analytics

Use this procedure to enable the Cisco AI Analytics features to export network event data from network devices and inventory, site hierarchy, and topology data to the Cisco AI Cloud.

Before you begin

  • Make sure that you have the Advantage software license for Catalyst Center. The AI Network Analytics application is part of the Advantage software license.

  • Make sure that the latest version of the AI Network Analytics application is installed. See Download and install applications.

  • Make sure that your network or HTTP proxy is configured to allow outbound HTTPS (TCP 443) access to these cloud hosts:

    • api.use1.prd.kairos.ciscolabs.com (US East Region)

    • api.euc1.prd.kairos.ciscolabs.com (EU Central Region)

Procedure


Step 1

From the main menu, choose System > Settings.

Step 2

Scroll down to External Services and select Cisco AI Analytics.

The AI Network Analytics window opens.

Step 3

Do one of these tasks:

  • If you have an earlier version of Cisco AI Network Analytics installed in your appliance, do these steps:
    1. Click Recover from a config file.

      The Restore AI Network Analytics window opens.

    2. Drag-and-drop the configuration files in the area provided or select the files from your file system.

    3. Click Restore.

      Cisco AI Network Analytics might take a few minutes to restore, and then the Success dialog box opens.

  • For the first-time configuration of Cisco AI Network Analytics, do these steps:
    1. Click Configure.

    2. In the Where should we securely store your data? area, select the location to store your data. Options are: Europe (Germany) or US East (North Virginia).

      The system starts testing cloud connectivity as indicated by the Testing cloud connectivity... tab. After cloud connectivity testing completes, the Testing cloud connectivity... tab changes to Cloud connection verified.

    3. Click Next.

      The terms and conditions window opens.

    4. Click the Accept Cisco Universal Cloud Agreement check box to agree to the terms and conditions, and then click Enable.

      Cisco AI Network Analytics might take a few minutes to enable, and then the Success dialog box opens.

Step 4

In the Success dialog box, click Okay.

The AI Network Analytics window opens, and the Enable AI Network Analytics toggle button is displayed.

Step 5

(Recommended) In the AI Network Analytics window, click Download Configuration file.


Client certificate renewal

AI agents use X.509 client certificates to authenticate to the AI Cloud. Certificates are created and signed by the AI Cloud CA upon tenant onboarding to the AI Cloud and remain valid for three years (reduced to one year in August 2021). Before their expiration, client certificates must be renewed to avoid losing cloud connectivity. An automatic certificate renewal mechanism is in place. This mechanism requires that you manually back up the certificate after renewal. The backup is required in case you restore or migrate to a new Catalyst Center.

After renewal, a notification is shown on every AI Analytics window (Peer Comparison, Heatmap, Network Comparison, Trends and Insights) to tell you to back up the new AI Network Analytics configuration.

Disable Cisco AI Network Analytics

To disable Cisco AI Network Analytics data collection, you must disable the AI Network Analytics feature:

Procedure


Step 1

From the main menu, choose System > Settings.

Step 2

Scroll down to External Services and choose Cisco AI Analytics.

For each feature, a check mark indicates that the feature is enabled. If the check box is unchecked, the feature is disabled.

Step 3

In the AI Network Analytics area, click the Enable AI Network Analytics toggle button so that it’s unchecked.

Step 4

Click Update.

Step 5

To delete your network data from the Cisco AI Network Analytics cloud, contact the Cisco Technical Response Center (TAC) and open a support request.

Step 6

If you have misplaced your previous configuration, click Download configuration file.


Update the Machine Reasoning Knowledge Base

Machine Reasoning knowledge packs are step-by-step workflows that are used by the Machine Reasoning Engine (MRE) to identify security issues and improve automated root cause analysis. These knowledge packs are continuously updated as more information is received. The Machine Reasoning Knowledge Base is a repository of these knowledge packs (workflows). To have access to the latest knowledge packs, you can either configure Catalyst Center to automatically update the Machine Reasoning Knowledge Base daily, or you can do a manual update.

Procedure


Step 1

From the main menu, choose System > Settings.

Step 2

Scroll down to External Services and select Machine Reasoning Knowledge Base.

The Machine Reasoning Knowledge Base window shows this information:

  • INSTALLED: Shows the installed version and installation date of the Machine Reasoning Knowledge Base package.

    When there’s a new update to the Machine Reasoning Knowledge Base, the AVAILABLE UPDATE area is displayed in the Machine Reasoning Knowledge Base window, which provides the Version and Details about the update.

  • AUTO UPDATE: Automatically updates the Machine Reasoning Knowledge Base in Catalyst Center daily.

  • CISCO CX CLOUD SERVICE FOR NETWORK BUG IDENTIFIER, SECURITY ADVISORY, FIELD NOTICES AND EOX: Integrates Catalyst Center with CX Cloud, which allows you to perform an automated configuration. This integration provides enhanced vulnerability detection on devices directly from the security advisories tool on Catalyst Center.

Step 3

(Recommended) Check the AUTO UPDATE check box to automatically update the Machine Reasoning Knowledge Base.

The Next Attempt area shows the date and time of the next update.

You can perform an automatic update only if Catalyst Center is successfully connected to the Machine Reasoning Engine in the cloud.

Step 4

To manually update the Machine Reasoning Knowledge Base in Catalyst Center, do one of these tasks:

  • Under AVAILABLE UPDATES, click Update. A Success pop-up window appears with the status of the update.
  • Manually download the Machine Reasoning Knowledge Base to your local machine and import it to Catalyst Center. Do these steps:
    1. Click Download.

      The Opening mre_workflow_signed dialog box appears.

    2. Open or save the downloaded file to the desired location in your local machine, and then click OK.

    3. Click Import to import the downloaded Machine Reasoning Knowledge Base from your local machine to Catalyst Center.

Step 5

Check the CISCO CX CLOUD SERVICE FOR NETWORK BUG IDENTIFIER AND SECURITY ADVISORY check box to enable Cisco CX Cloud connection with network bug identifier and security advisory.

Step 6

In the Security Advisories Settings area click the RECURRING SCAN toggle button to enable or disable the weekly recurring scan.

Step 7

Click the CISCO CX CLOUD toggle button to enable or disable the Cisco CX cloud.


Configure Cisco credentials

Complete this procedure to configure the credentials Catalyst Center uses for software image and update downloads. These credentials are the username and password that you use to log in to the Cisco website.


Important


  • Cisco has implemented a new authentication infrastructure. As a result, if you configured a Cisco.com user in a previous Catalyst Center release and upgraded to 2.3.7.9 or later, you'll need to reauthenticate that user.

  • Catalyst Center no longer stores the Cisco.com user's credentials locally, for security purposes.


Before you begin

Only users with SUPER-ADMIN-ROLE permissions or CUSTOM-ROLE with "Write" permission to System Settings can perform this procedure. For more information, see About user roles.

Procedure


Step 1

From the main menu, choose System > Settings > Cisco Accounts > Cisco.com Credentials.

Step 2

Configure the Cisco.com user:

  1. Open an Incognito/private window in your browser (to avoid using previously cached credentials).

  2. Open another Catalyst Center GUI instance and log in.

  3. Open another instance of the Cisco.com Credentials window.

  4. Complete one of these tasks:

    • If you completed a fresh installation of Catalyst Center 2.3.7.9 or later, configure a new Cisco.com user by clicking the Add link in the Cisco.com ID field.

    • If you upgraded to Catalyst Center 2.3.7.9 or later and want to use the same Cisco.com user that was configured previously, reauthenticate that user by clicking the Re-Authenticate link in the Cisco.com ID field.

    • If you upgraded to Catalyst Center 2.3.7.9 or later and don't want to use the same Cisco.com user as before, delete the old Cisco.com user and then configure a new one:
      1. Click the Delete link in the Cisco.com ID field.

      2. Confirm the operation by clicking Delete in the resulting dialog box.

      3. Click the Add link in the Cisco.com ID field.

  5. In the Information pop-up window, check the I am in private or incognito mode check box and then click Proceed.

  6. In the Activate your device pop-up window, confirm that an activation code is displayed and then click Next.

  7. In the Log in pop-up window, enter the cisco.com user's email address and then click Next.

  8. In the Verify with your password pop-up window, enter the cisco.com user's password and then click Verify.

    The Device activated pop-up window appears.

Step 3

Confirm that the user was configured successfully.

  1. Close the Device Activated pop-up window.

  2. Refresh the Cisco.com Credentials page.

  3. In the Cisco.com ID field, confirm that the email address you entered for the user is displayed. Also confirm that you see both the Change and Delete links.


Clear Cisco credentials

To delete the cisco.com credentials that are currently configured for Catalyst Center, complete this procedure.


Note


  • When you perform any tasks that involve software downloads or device provisioning and cisco.com credentials are not configured, you’ll be prompted to enter them before you can proceed. In the resulting dialog box, check the Save For Later check box in order to save these credentials for use throughout Catalyst Center. Otherwise, you’ll need to enter credentials each time you perform these tasks.

  • Completing this procedure will undo your acceptance of the end-user license agreement (EULA). See Accept the license agreement for a description of how to reenter EULA acceptance.


Before you begin

Only a user with SUPER-ADMIN-ROLE permissions or CUSTOM-ROLE with "Write" permission to System Settings can perform this procedure. For more information, see About user roles.

Procedure


Step 1

From the main menu, choose System > Settings > Cisco Accounts > Cisco.com Credentials.

Step 2

Click the Delete link.

Step 3

In the resulting dialog box, click Delete to confirm the operation.


Configure connection mode

Connection mode manages the connections between smart-enabled devices in your network that interact with Catalyst Center and the Cisco Smart Software Manager (SSM). Ensure that you have SUPER-ADMIN access permission to configure the different connection modes.

The SSL certificate for the SSM must include the associated IP address within the SAN field.

Procedure


Step 1

From the main menu, choose System > Settings > Cisco Accounts > SSM Connection Mode.

Connection modes include:

  • Direct

  • On-Prem CSSM

  • Smart proxy

Step 2

Choose Direct to enable a direct connection to the Cisco SSM cloud.

Step 3

If your organization is security sensitive, choose On-Prem CSSM. The on-prem option lets you access a subset of Cisco SSM functionality without using a direct internet connection to manage your licenses with the Cisco SSM cloud.

  1. Before you enable On-Prem CSSM, confirm that the satellite is deployed, up, and running in your network site.

    If the satellite is configured with an FQDN, the call-home configuration pushed to devices uses the satellite FQDN instead of the IP address.

  2. Enter the details for the On-Prem CSSM Host, Smart Account name, Client ID, and Client Secret.

    In the Smart Account field, enter the name of one SSM on-prem account only. Do not use a space or an underscore in the name.

    For information about how to retrieve the client ID and client secret, see the Cisco Smart Software Manager On-Prem User Guide.
  3. Click Test Connection to validate the Cisco SSM connection.

  4. Click Save and then Confirm.

  5. If there are devices that need to be registered again with the changed SSM, the Need to Re-Register Devices dialog box appears. Click OK in the dialog box.

  6. In the Tools > License Manager > Devices window, choose the devices that you want to register again and click Sync Connection Mode.

    Note

    Such devices display the Connection Mode out of sync tag or message.
  7. In the Resync Devices dialog box:

    • Enter the Smart Account.

    • Enter the Virtual Account.

    • Click Now to start the resync immediately or click Later to schedule the resync at a specific time.

    • Click Resync.

    The Recent Tasks window shows the resync status of the devices.

Step 4

Choose Smart proxy to register your smart-enabled devices with the Cisco SSM cloud through Catalyst Center. With this mode, devices do not need a direct connection to the Cisco SSM cloud. Catalyst Center proxies the requests from the device to the Cisco SSM cloud through itself.

While provisioning the call-home configuration to the device, if the satellite is configured with FQDN, the FQDN of the satellite is pushed instead of the IP address.


Register Plug and Play

You can register Catalyst Center as a controller for Cisco Plug and Play (PnP) Connect, in a Cisco Smart Account for redirection services. This lets you synchronize the device inventory from the Cisco PnP Connect cloud portal to PnP in Catalyst Center.

Before you begin

Only a user with SUPER-ADMIN-ROLE or CUSTOM-ROLE with system management permissions can perform this procedure.

In the Smart Account, users are assigned roles that specify the functions they are authorized to perform:

  • Smart Account Admin user can access all the Virtual Accounts.

  • Users can access assigned Virtual Accounts only.

Procedure


Step 1

From the main menu, choose System > Settings > Cisco Accounts > PnP Connect.

A table of PnP connected profiles is displayed.

Step 2

If you have already configured the Cisco.com user, skip ahead to Step 3. If you haven't, complete these steps:

  1. Open an Incognito/private window in your browser (to avoid using previously cached credentials).

  2. Open another Catalyst Center GUI instance and log in.

  3. Open another instance of the PnP Connect window.

  4. Complete one of these tasks:

    • If you completed a fresh installation of Catalyst Center 2.3.7.9 or later, configure a new Cisco.com user by clicking the Add link in the Cisco.com ID field.

    • If you upgraded to Catalyst Center 2.3.7.9 or later and want to use the same Cisco.com user that was configured previously, reauthenticate that user by clicking the Re-Authenticate link in the Cisco.com ID field.

    • If you upgraded to Catalyst Center 2.3.7.9 or later and don't want to use the same Cisco.com user as before, delete the old Cisco.com user and then configure a new one:
      1. Click the Delete link in the Cisco.com ID field.

      2. Confirm the operation by clicking Delete in the resulting dialog box.

      3. Click the Add link in the Cisco.com ID field.

  5. In the Information pop-up window, check one or both of these check boxes and then click Authenticate:

    • Mandatory: I am in private or incognito mode

    • Optional: Save credentials

  6. In the Activate your device pop-up window, confirm that an activation code is displayed and then click Next.

  7. In the Log in pop-up window, enter the cisco.com user's email address and then click Next.

  8. In the Verify with your password pop-up window, enter the cisco.com user's password and then click Verify.

    The Device activated pop-up window appears.

  9. Close the Device Activated pop-up window.

  10. Refresh the PnP Connect window.

  11. In the Cisco.com ID field, confirm that the email address you entered for the user is displayed. Also confirm that you see the Change link.

Step 3

Click Register to register a virtual account.

Step 4

In the Register Virtual Account window, the Smart Account you configured is displayed in the Select Smart Account drop-down list. You can select an account from the Select Virtual Account drop-down list.

Step 5

Click the required IP or FQDN radio button.

Step 6

Enter the IP address or FQDN (Fully Qualified Domain Name) of the controller.

Step 7

Enter the profile name. A profile is created for the selected virtual account with the configuration that you provided.

Step 8

Check the Use as Default Controller Profile check box to register this Catalyst Center controller as the default controller in the Cisco PnP Connect cloud portal.

Step 9

Click Register.


Create PnP event notifications

By creating event notifications, you receive a notification whenever a Plug and Play (PnP) event takes place in Catalyst Center. See the "Work with Event Notifications" topic in the Cisco Catalyst Center Platform User Guide to configure the supported channels and create event notifications.

Ensure that you create event notifications for these PnP events:

  • Add device failed (Event ID: NETWORK-TASK_FAILURE-3-008): Device(s) are not added through single or bulk import. An error occurs when adding devices through single or bulk import.

  • Add device successful (Event ID: NETWORK-TASK_COMPLETE-4-007): Device(s) are added through single or bulk import successfully.

  • Device in error state (Event ID: NETWORK-ERROR_1-002): Device goes to Error state.

  • Device in provisioned state (Event ID: NETWORK-INFO_4-003): Device goes to Provisioned state.

  • Device stuck in onboarding state (Event ID: NETWORK-TASK_PROGRESS-2-006): Device is stuck in onboarding state for more than 15 minutes.

  • Device waiting to be claimed (Event ID: NETWORK-INFO_2-001): Device reaches Unclaimed state and is ready to be provisioned.

  • Smart Account sync failed (Event ID: NETWORK-TASK_FAILURE-1-005): Smart Account sync failed for some devices.

  • Smart Account sync successful (Event ID: NETWORK-TASK_COMPLETE-4-004): Smart Account sync is successful for some devices.

Configure Smart Account

Cisco Smart Account credentials are used for connecting to your Smart Licensing account. The License Manager tool uses the details of license information from this Smart Account for entitlement and license management.


Important


Cisco has implemented a new authentication infrastructure. As a result, if you configured Smart Account credentials in a previous release and upgraded to 2.3.7.9 or later, you'll need to reauthenticate the associated Smart Accounts.


Before you begin

Ensure that you have SUPER-ADMIN-ROLE permissions or CUSTOM-ROLE with "Write" permission to System Settings.

Procedure


Step 1

From the main menu, choose System > Settings > Cisco Accounts > Smart Account.

Step 2

Link the appropriate Smart Account user and Smart Account name to your Smart Licensing account:

  1. Open an Incognito/private window in your browser (to avoid using previously cached credentials).

  2. Open another Catalyst Center GUI instance and log in.

  3. Open another instance of the Smart Account window.

  4. Click the Add link.

  5. In the Information pop-up window, check the I am in private or incognito mode check box and then click Proceed.

  6. In the Activate your device pop-up window, confirm that an activation code is displayed and then click Next.

  7. In the Log in pop-up window, enter the cisco.com user's email address and then click Next.

  8. In the Verify with your password pop-up window, enter the cisco.com user's password and then click Verify.

    The Device activated pop-up window appears.

  9. Confirm whether the Smart Account user you just added is listed in both the Smart Account Credentials and Expired Smart Accounts sections:

    • If the Smart Account user is listed in both sections, delete the user from the Expired Smart Accounts section by clicking their trash icon in the Actions column.

    • If the Smart Account user is not listed in both sections, proceed to Step 3.

Step 3

If you want to change the selected Smart Account Name, click Change. You will be prompted to select the Smart Account that will be used for connecting to your Smart Licensing Account on Cisco SSM cloud.

  1. Choose the Smart Account from the drop-down list.

  2. Click Save.

Step 4

Click View all virtual accounts to view all the virtual accounts associated with the Smart Account.

Note


Cisco Accounts supports multiple smart and virtual accounts.

Step 5

(Optional) If you want to register smart license-enabled devices automatically to a virtual account, check the Auto register smart license enabled devices check box. A list of virtual accounts associated with the smart account is displayed.

Step 6

Select the required virtual account. Whenever a smart license-enabled device is added in the inventory, it’s automatically registered to the selected virtual account.

Step 7

If you want to remove the licensed smart account users and their associated historical data, click Delete historical information.

The Delete Historical Data slide-in pane displays the licensed smart account users. It also displays the existing smart accounts that aren’t currently present in Catalyst Center, but their historical data is still available.

Step 8

In the Smart Account list area, check the check box next to the smart account that you want to delete.

Step 9

Click Delete.

Step 10

Click Delete in the subsequent confirmation window.

Step 11

Check the Delete the associated license historical information check box to delete the historical information of the associated license.


Smart Licensing

Cisco Smart Licensing allows you to register Catalyst Center onto the Cisco SSM.

To use Smart Licensing, you must first set up a Smart Account on Cisco Software Central (software.cisco.com).

For a more detailed overview on Cisco licensing, go to cisco.com/go/licensingguide.


Note


Smart license registration for a Catalyst Center instance is supported using these connection modes:

  • Direct

  • On-Prem Cisco SSM, and

  • Smart proxy.


Before you begin

  • To enable Smart Licensing, you must configure Cisco Credentials (see Configure Cisco credentials) and upload Catalyst Center license conventions in Cisco SSM.

  • To enable Smart Licensing, you must add a Smart Account in System > Settings > Cisco Accounts > Smart Account. For more information, see Configure Smart Account.

Procedure


Step 1

From the main menu, choose System > Settings > Cisco Accounts > Smart Licensing.

By default, Smart Account details are displayed.

Step 2

Choose a virtual account from the Search Virtual Account drop-down list to register.

Step 3

Click Register.

Step 4

After successful registration, click the View Available Licenses link to view the available Catalyst Center licenses.


Device controllability

Device controllability is a system-level process on Catalyst Center that enforces state synchronization for some device-layer features. Its purpose is to aid in the deployment of network settings that Catalyst Center needs to manage devices. Changes are made on network devices when running discovery, when adding a device to inventory, or when assigning a device to a site.

To view the configuration that is pushed to the device, go to Provision > Inventory and from the Focus drop-down list, choose Provision. In the Provision Status column, click See Details.


Note


When Catalyst Center configures or updates devices, the transactions are captured in the audit logs, which you can use to track changes and troubleshoot issues.


Device settings enabled as part of device controllability include:

  • Device Discovery

    • SNMP Credentials

    • NETCONF Credentials

  • Adding Devices to Inventory

    • Cisco TrustSec (CTS) Credentials


    Note


    Cisco TrustSec (CTS) Credentials are pushed during inventory only if the Global site is configured with Cisco ISE as AAA. Otherwise, CTS is pushed to devices during "Assign to Site" when the site is configured with Cisco ISE as AAA.


  • Assigning Devices to a Site

    • Wired Endpoint Data Collection Enablement

    • Controller Certificates


      Note


      For Cisco IOS devices, we recommend that you configure the time zone from the device UI console to prevent any issues in the processing of PKCS certificate expiry time.


    • SNMP Trap Server Definitions

    • Syslog Server Definitions

    • Application Visibility

    • Application QoS Policy

    • NetFlow Server Definitions

    • Wireless Service Assurance (WSA)

    • Wireless Telemetry

    • DTLS Ciphersuite

    • AP Impersonation

    • IPDT Enablement

Device controllability is enabled by default. If you do not want device controllability enabled, disable it manually. For more information, see Configure device controllability.

When device controllability is disabled, Catalyst Center does not configure any of the preceding credentials or features on devices while running discovery or when the devices are assigned to a site.

Circumstances that dictate whether or not device controllability configures network settings on devices include:

  • Device Discovery: If SNMP and NETCONF credentials are not already present on a device, these settings are configured during the discovery process.

  • Device in Inventory: After a successful initial inventory collection, IPDT is configured on the devices.

    In earlier releases, the following IPDT commands were configured:

    ip device tracking
    ip device tracking probe delay 60
    ip device tracking probe use-svi

    For each interface:

    interface $physicalInterface
    ip device tracking maximum 65535

    In the current release, the following IPDT commands are configured for any newly discovered device:

    device-tracking tracking
    device-tracking policy IPDT_POLICY
    tracking enable

    For each interface:

    interface $physicalInterface
    device-tracking attach-policy IPDT_POLICY

  • Device in Global Site: When you successfully add, import, or discover a device, Catalyst Center places the device in the Managed state and assigns it to the Global site by default. Even if you have defined SNMP server, Syslog server, and NetFlow collector settings for the Global site, Catalyst Center does not change these settings on the device.

  • Device Moved to Site: If you move a device from the Global site to a new site that has SNMP server, Syslog server, and NetFlow collector settings configured, Catalyst Center changes these settings on the device to the settings configured for the new site.

  • Device Removed from Site: If you remove a device from a site, Catalyst Center does not remove the SNMP server, Syslog server, and NetFlow collector settings from the device.

  • Device Deleted from Catalyst Center: If you delete a device from Catalyst Center and check the Configuration Clean-up check box, the SNMP server, Syslog server, and NetFlow collector settings are removed from the device.

  • Device Moved from Site to Site: If you move a device—for example, from Site A to Site B—Catalyst Center replaces the SNMP server, Syslog server, and NetFlow collector settings on the device with the settings assigned to Site B.

  • Update Site Telemetry Changes: The changes made to any settings that are under the scope of device controllability are applied to the network devices during device provisioning or when the Update Telemetry Settings action is performed.
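As an added example (not Cisco code and not part of this guide), the following Python script checks whether a device's running-config carries the IPDT configuration described above: it parses a constructed IOS-style configuration, reports which physical interfaces lack the IPDT_POLICY attachment or still carry the legacy ip device tracking commands from earlier releases, and renders the configuration that the current release is described as pushing. The interface-type classification, the sample config and the function names are assumptions.

```python
"""Audit a running-config for the IPDT settings that device controllability pushes.

Added example, not Cisco code. The global and per-interface commands come from the
page; the physical-interface heuristic and the sample config are assumptions.
"""
from dataclasses import dataclass

# Current-release IPDT commands (from the page).
NEW_GLOBAL = ("device-tracking tracking", "device-tracking policy IPDT_POLICY")
NEW_POLICY_LINE = "tracking enable"          # sub-line of the IPDT_POLICY block
NEW_IFACE_CMD = "device-tracking attach-policy IPDT_POLICY"

# Earlier-release IPDT commands (from the page); their presence indicates drift.
LEGACY_GLOBAL = ("ip device tracking",
                 "ip device tracking probe delay 60",
                 "ip device tracking probe use-svi")
LEGACY_IFACE_CMD = "ip device tracking maximum 65535"

# Assumption: interfaces with these prefixes are logical, everything else is physical.
LOGICAL_PREFIXES = ("Vlan", "Loopback", "Tunnel", "Port-channel", "AppGigabitEthernet")


def is_physical(name):
    return not name.startswith(LOGICAL_PREFIXES)


def parse_config(text):
    """Split an IOS-style config into top-level lines and their indented sub-lines."""
    top, children, current = [], {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue                           # skip blanks and '!' separators
        if raw.startswith(" "):
            if current is not None:
                children[current].append(raw.strip())
        else:
            current = raw.rstrip()
            top.append(current)
            children[current] = []
    return top, children


@dataclass
class IpdtReport:
    new_style_global: bool        # both global commands present, policy has tracking enable
    legacy_global: bool           # any earlier-release global command still present
    interfaces_missing_policy: list
    interfaces_with_legacy: list

    @property
    def compliant(self):
        return (self.new_style_global and not self.legacy_global
                and not self.interfaces_missing_policy and not self.interfaces_with_legacy)


def audit_ipdt(config_text):
    """Compare a running-config against the IPDT configuration the page describes."""
    top, children = parse_config(config_text)
    top_set = set(top)
    policy_ok = NEW_POLICY_LINE in children.get("device-tracking policy IPDT_POLICY", [])
    new_global = all(cmd in top_set for cmd in NEW_GLOBAL) and policy_ok
    legacy_global = any(cmd in top_set for cmd in LEGACY_GLOBAL)
    missing, legacy_if = [], []
    for line in top:
        if not line.startswith("interface "):
            continue
        name = line.split(None, 1)[1]
        if not is_physical(name):
            continue                           # IPDT policy is attached to physical ports only
        subs = children[line]
        if NEW_IFACE_CMD not in subs:
            missing.append(name)
        if LEGACY_IFACE_CMD in subs:
            legacy_if.append(name)
    return IpdtReport(new_global, legacy_global, missing, legacy_if)


def render_expected_ipdt(physical_interfaces):
    """Render the IPDT configuration the current release pushes for the given ports."""
    lines = [NEW_GLOBAL[0], NEW_GLOBAL[1], " " + NEW_POLICY_LINE]
    for name in physical_interfaces:
        lines += [f"interface {name}", " " + NEW_IFACE_CMD]
    return "\n".join(lines)


# Constructed sample: Gi1/0/1 is current-style, Gi1/0/2 still carries the legacy command.
SAMPLE_CONFIG = """\
hostname SW-ACCESS-01
!
device-tracking tracking
device-tracking policy IPDT_POLICY
 tracking enable
!
interface GigabitEthernet1/0/1
 switchport access vlan 10
 device-tracking attach-policy IPDT_POLICY
!
interface GigabitEthernet1/0/2
 switchport access vlan 10
 ip device tracking maximum 65535
!
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
"""

if __name__ == "__main__":
    report = audit_ipdt(SAMPLE_CONFIG)
    print(report)
    print(render_expected_ipdt(report.interfaces_missing_policy))
```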

When device controllability is enabled, if Catalyst Center can't connect to the device through the user-provided SNMP credentials and collect device information, Catalyst Center pushes the user-provided SNMP credentials to the device. For SNMPv3, the user is created under the default group.


Note


For Cisco AireOS devices, the user-provided SNMPv3 passphrase must contain from 12 to 31 characters.


Configure device controllability

Device controllability deploys the required network settings that Catalyst Center needs to manage devices. Device controllability is enabled by default.

To manually disable device controllability, use this procedure.


Note


If you disable device controllability, Catalyst Center doesn't automatically configure discovered devices with essential settings, including SNMP credentials, trap servers, IP Device Tracking (IPDT), NetFlow, Syslog, and NETCONF.

If you assign a device to a site after disabling device controllability, Catalyst Center doesn't support out-of-band configuration change notifications and management of APs, because Catalyst Center is no longer registered as a trap receiver on the device.


Procedure


Step 1

From the main menu, choose System > Settings > Device Settings > Device Controllability.

Step 2

Uncheck the Enable Device Controllability check box.

Step 3

To prevent Catalyst Center from automatically correcting any issues identified in device telemetry configuration, leave the Enable autocorrect telemetry config check box unchecked.

When autocorrect telemetry is enabled, Catalyst Center automatically detects and resolves certificate issues related to secure communication between devices and Catalyst Center. (This feature doesn’t address configuration issues with NetFlow, NBAR, or CBAR telemetry.) Catalyst Center checks each device for certificate changes every 15 minutes, and each device can be fixed only once within a 24-hour period.

By default, this check box is disabled. You can only enable it when device controllability is enabled.

Step 4

Click Save.


Accept the license agreement

You must accept the end-user license agreement (EULA) before you download software or provision a device.

Procedure


Step 1

From the main menu, choose System > Settings > Device Settings > Device EULA Acceptance.

Step 2

If you have already configured the Cisco.com user, skip ahead to Step 3. If you haven't, complete these steps:

  1. Open an Incognito/private window in your browser (to avoid using previously cached credentials).

  2. Open another Catalyst Center GUI instance and log in.

  3. Open another instance of the Device EULA Acceptance window. From the main menu, choose System > Settings > Device Settings > Device EULA Acceptance.

  4. Complete one of these tasks:

    • If you completed a fresh installation of Catalyst Center 2.3.7.9 or later, configure a new Cisco.com user by clicking the Add link in the Cisco.com ID field.

    • If you upgraded to Catalyst Center 2.3.7.9 or later and want to use the same Cisco.com user that was configured previously, reauthenticate that user by clicking the Re-Authenticate link in the Cisco.com ID field.

    • If you upgraded to Catalyst Center 2.3.7.9 or later and don't want to use the same Cisco.com user as before, delete the old Cisco.com user and then configure a new one:
      1. Click the Delete link in the Cisco.com ID field.

      2. Confirm the operation by clicking Delete in the resulting dialog box.

      3. Click the Add link in the Cisco.com ID field.

  5. In the Information pop-up window, check the I am in private or incognito mode check box and then click Proceed.

  6. In the Activate your device pop-up window, confirm that an activation code is displayed and then click Next.

  7. In the Log in pop-up window, enter the cisco.com user's email address and then click Next.

  8. In the Verify with your password pop-up window, enter the cisco.com user's password and then click Verify.

    The Device activated pop-up window appears.

  9. Close the Device Activated pop-up window.

  10. Refresh the Device EULA Acceptance window.

  11. In the Cisco.com ID field, confirm that the email address you entered for the user is displayed. Also confirm that you see the Change link.

Step 3

Open the Cisco End User License Agreement Supplemental Product Terms link in a new browser tab.

Step 4

Open and read the Catalyst Center EULA.

Step 5

Check the I have read and accept the Device EULA check box.

Step 6

Click Save.


Configure SNMP properties

You can configure retry and timeout values for SNMP.

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.

Procedure


Step 1

From the main menu, choose System > Settings > Device Settings > SNMP.

Step 2

Configure these fields:

  • Retries: Number of attempts allowed to connect to the device. Valid values are from 1 to 3. The default is 3.

  • Timeout: Number of seconds Catalyst Center waits when trying to establish a connection with a device before timing out. Valid values are from 1 to 300 seconds in intervals of 5 seconds. The default is 5 seconds.

Step 3

Click Save.

Step 4

(Optional) To return to the default settings, click Reset and Save.


Enable ICMP ping

When Internet Control Message Protocol (ICMP) ping is enabled and there are unreachable access points in FlexConnect mode, Catalyst Center uses ICMP to ping these access points every 5 minutes to enhance reachability.

To enable an ICMP ping:

Procedure


Step 1

From the main menu, choose System > Settings > Device Settings > ICMP Ping.

Step 2

Check the Enable ICMP ping for unreachable access points in FlexConnect mode check box.

Step 3

Click Save.


Configure AP location for PnP onboarding

Catalyst Center allows you to use the site assigned during the PnP claim as the AP location for PnP onboarding. If you check the Configure AP Location check box, Catalyst Center configures the assigned site as the AP location for PnP onboarding. If you uncheck this check box, use the Configure Access Points workflow to configure the AP location for PnP onboarding. For more information, see "AP Configuration in Catalyst Center" in the Catalyst Center User Guide.


Note


These settings aren’t applicable during day-n operations. To configure the AP location for day-n operations, use the Configure Access Points workflow.


Procedure


Step 1

From the main menu, choose System > Settings > Device Settings > PnP AP Location.

Step 2

Check the Configure AP Location check box.

Step 3

Click Save.


Configure an image distribution server

An image distribution server helps in the storage and distribution of software images. You can configure up to three external image distribution servers to distribute software images. You can also set up one or more protocols for the newly added image distribution servers.

For information about the supported servers, see the "Server Requirements for Automation Data Backup" section in Backup server requirements.

Procedure


Step 1

From the main menu, choose System > Settings > Device Settings > Image Distribution Servers.

Step 2

In the Image Distribution Servers window, click Servers.

The table displays details about the host, username, SFTP, SCP, and connectivity of image distribution servers.

Step 3

Click Add to add a new image distribution server.

The Add a New Image Distribution Server slide-in pane is displayed.

Step 4

Configure these image distribution server settings:

  • Host: Enter the hostname or IP address of the image distribution server.

  • Root Location: Enter the working root directory for file transfers.

    Note

     

    For Cisco AireOS Wireless Controllers, image distribution fails if the configured path is longer than 16 characters.

  • Username: Enter a username to log in to the image distribution server. The username must have read/write privileges in the working root directory of the server.

  • Password: Enter a password to log in to the image distribution server.

  • Port Number: Enter the port number on which the image distribution server is running.

Step 5

Click Save.

Step 6

Because some legacy wireless controller software versions support only weak ciphers (such as SHA1-based ciphers) for SFTP, you may need to enable SFTP compatibility mode on Catalyst Center so that wireless controllers can make SFTP connections for software image management and wireless assurance. You can temporarily enable support for weak ciphers on the Catalyst Center SFTP server for up to 90 days. To allow weak ciphers:

  1. Hover over the i icon next to the IP address of the SFTP server and click Click here.

  2. In the Compatibility Mode slide-in pane, check the Compatibility Mode check box and enter a duration (from 1 minute to 90 days).

  3. Click Save.

Step 7

(Optional) To edit the settings, click the Edit icon next to the corresponding image distribution server, make the required changes, and click Save.

Step 8

(Optional) To delete an image distribution server, click the Delete icon next to the corresponding image distribution server and click Delete.


Enable PnP device authorization

To enable authorization on a device:

Procedure


Step 1

From the main menu, choose System > Settings > Device Settings.

Step 2

From the Device Settings drop-down list, choose PnP Device Authorization.

Note

 

By default, devices are automatically authorized.

Step 3

Check the Device Authorization check box to enable authorization on the device.

Step 4

Click Save.


Configure device prompts

Catalyst Center allows you to create custom prompts for the username and password. You can configure the devices in your network to use custom prompts and collect information about the devices.

Create custom prompts

Procedure


Step 1

From the main menu, choose System > Settings > Device Settings > Device Prompts.

The Device Prompts window opens.

Step 2

Click Create Custom Prompt.

The Create Custom Prompt slide-in pane opens.

Step 3

To create custom prompts for the username:

  1. From the Prompt Type drop-down list, choose username.

  2. In the Prompt Text field, enter the text in Regular Expression (Regex).

  3. Click Save.

Step 4

To create custom prompts for the password:

  1. From the Prompt Type drop-down list, choose password.

  2. In the Prompt Text field, enter the text in Regular Expression (Regex).

  3. Click Save.

Note

 

The custom prompts are displayed in the Device Prompts window. You can create up to eight custom prompts for the username and password.

Step 5

Drag and drop the custom prompts in the order that you want.

Note

 

Catalyst Center maintains the order of the custom prompts and passes the prompts to the devices as comma-separated values. The custom prompt at the top of the list has the highest priority.

Step 6

Click the edit icon to edit a custom prompt.

Step 7

Click the delete icon to delete a custom prompt.

Note

 

Username prompts and password prompts must have unique Regex. Creating the same or similar Regex causes authentication issues with the devices.
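To check a set of custom prompts before saving them, here is an added Python example (not part of this guide or of Catalyst Center): it compiles each regex, enforces the limit of eight prompts per type, flags a regex that is reused or that also matches the other type's prompts, and builds the priority-ordered comma-separated form described above. The sample device prompts and regexes are constructed, and the comma check is an assumption drawn from the comma-separated form.

```python
import re
from dataclasses import dataclass, field
from typing import List, Sequence

MAX_PROMPTS_PER_TYPE = 8  # the guide allows up to eight custom prompts per type

# Constructed sample prompts a device might print; not taken from the guide.
SAMPLE_USERNAME_PROMPTS = ["Username: ", "login: ", "User Name:"]
SAMPLE_PASSWORD_PROMPTS = ["Password: ", "Enter password:", "Passcode:"]


@dataclass
class PromptCheck:
    problems: List[str] = field(default_factory=list)
    username_csv: str = ""   # priority-ordered, as passed to the device
    password_csv: str = ""

    @property
    def ok(self) -> bool:
        return not self.problems


def _compile_all(kind: str, patterns: Sequence[str], problems: List[str]):
    """Compile every pattern, recording the ones that are not valid regexes."""
    compiled = []
    for pat in patterns:
        try:
            compiled.append((pat, re.compile(pat)))
        except re.error as exc:
            problems.append(f"{kind} regex {pat!r} does not compile: {exc}")
    return compiled


def check_prompts(username_patterns: Sequence[str], password_patterns: Sequence[str]) -> PromptCheck:
    """Validate custom prompt regexes before saving them in Device Prompts."""
    result = PromptCheck()
    for kind, pats in (("username", username_patterns), ("password", password_patterns)):
        if len(pats) > MAX_PROMPTS_PER_TYPE:
            result.problems.append(f"{kind}: {len(pats)} prompts exceed the limit of {MAX_PROMPTS_PER_TYPE}")

    users = _compile_all("username", username_patterns, result.problems)
    pwds = _compile_all("password", password_patterns, result.problems)

    # Regexes must be unique across both prompt types.
    seen = set()
    for pat in list(username_patterns) + list(password_patterns):
        if pat in seen:
            result.problems.append(f"regex {pat!r} is used more than once")
        seen.add(pat)
        # Assumption: a comma inside a regex is ambiguous once the prompts are
        # joined into the comma-separated form the guide describes.
        if "," in pat:
            result.problems.append(f"regex {pat!r} contains a comma")

    # Overlap check: a username regex must not fire on a password prompt, and vice versa.
    for pat, rx in users:
        hits = [p for p in SAMPLE_PASSWORD_PROMPTS if rx.search(p)]
        if hits:
            result.problems.append(f"username regex {pat!r} also matches password prompt(s) {hits}")
    for pat, rx in pwds:
        hits = [p for p in SAMPLE_USERNAME_PROMPTS if rx.search(p)]
        if hits:
            result.problems.append(f"password regex {pat!r} also matches username prompt(s) {hits}")

    # A regex that matches none of its own prompts would never trigger.
    for kind, compiled, samples in (("username", users, SAMPLE_USERNAME_PROMPTS),
                                    ("password", pwds, SAMPLE_PASSWORD_PROMPTS)):
        for pat, rx in compiled:
            if not any(rx.search(s) for s in samples):
                result.problems.append(f"{kind} regex {pat!r} matches no sample {kind} prompt")

    # List order is priority order: the first entry has the highest priority.
    result.username_csv = ",".join(username_patterns)
    result.password_csv = ",".join(password_patterns)
    return result
```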


Configure device configuration backup settings

Catalyst Center performs periodic backup of your device running configuration. You can choose the day and time for the backup and the total number of config drifts that can be saved per device.


Note


  • Daily Backup: Catalyst Center performs an automated configuration backup that is scheduled to run every day at 11:00 p.m. (UTC time zone). During this process, Catalyst Center compares the timestamp of the last device configuration collection with the timestamp of the device configuration archived. If the difference is more than 30 minutes, the device configuration archive will be performed.

    Daily backup is not performed on the day when weekly backup is scheduled.

  • Weekly Backup: Catalyst Center performs an automated configuration backup that is scheduled to run every Sunday at 11:30 p.m. (UTC time zone).


Procedure


Step 1

From the main menu, choose System > Settings > Configuration Archive.

Step 2

In the Configuration Archive window, click the Internal tab.

Step 3

Click the Number of config drift per device drop-down list and choose the number of config drifts to save per device.

You can save 7–50 config drifts per device. The total config drifts to save include all the labeled configs for the device.

Note

 

By default, the number of config drifts to save per device is 15.

Step 4

Choose the backup day and time.

The selected backup date and time are based on the time zone of the Catalyst Center cluster deployed for your network.

Step 5

Click Save.

After the backup is scheduled, you can view it in the activity center.

Step 6

Click the External tab to configure an external server for archiving the device configuration. For more information, see Configure an external server for archiving device configuration.


Configure an external server for archiving device configuration

You can configure an external SFTP server for archiving the running configuration of devices.

For information about the supported servers, see the "Server Requirements for Automation Data Backup" section in Backup server requirements.

Before you begin

Confirm that SSH, SFTP, and SCP are enabled on the external server.

Procedure


Step 1

From the main menu, choose System > Settings > Configuration Archive.

Step 2

In the Configuration Archive window, click the External tab.

Step 3

Click Add to add an External Repository.

Note

 

Only one SFTP server can be added.

Step 4

In the Add New External Repository slide-in pane, complete the following details:

  1. Host: Enter the host IP address.

  2. Root Location: Enter the location of the root folder.

    Note

     
    • Ensure the root location path is absolute and not relative.

    • The external server root location must be empty.

  3. Server Protocol: Enter the username, password, and port number of the SFTP server.

  4. Choose the Backup Format:

    • RAW: The full running configuration is archived. All sensitive/private configuration details are unmasked in the backup data. Enter a password to lock the backup file.

      Note

       

      File passwords are not saved on Catalyst Center. You must remember the password to access the files on the SFTP server.

    • Sanitized (Masked): The sensitive/private configuration details in the running configuration will be masked.

      The password is applicable only when the raw backup format is selected.

  5. Schedule the backup cycle.

    Enter the backup date, time, time zone, and recurrence interval.

Step 5

Click Save.

Step 6

To edit the SFTP server details, click the edit button under the Action column.

Step 7

To remove the SFTP server, click the delete button under the Action column.
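As an added illustration of the difference between the RAW and Sanitized (Masked) backup formats in Step 4, the following Python example (not Catalyst Center code) masks the secret tokens in a constructed IOS-style running configuration and applies the file-password rule. The set of masked lines is an assumption for this example, not the product's own list, and locking the RAW file with the password is not reproduced.

```python
import re
from typing import List, Tuple

MASK = "<MASKED>"

# Constructed running configuration; addresses and secrets are made up.
SAMPLE_RUNNING_CONFIG = """\
hostname edge-sw-01
enable secret 9 $9$aBcDeFgH1234567
username netadmin privilege 15 secret 9 $9$zYxWvUtS7654321
snmp-server community c0mmun1ty RO
tacacs server ise-01
 address ipv4 10.10.10.5
 key 7 0822455D0A16
key chain OSPF-KEYS
 key 1
  key-string MyOspfKey
crypto isakmp key VpnPreShared address 203.0.113.9
ntp authentication-key 1 md5 0015131A0C5B 7
interface GigabitEthernet1/0/1
 description uplink
"""

# IOS-style lines whose secret token should be masked. This table is constructed
# for the example; the exact set of lines Catalyst Center masks is not on the page.
_SECRET_LINES: List[Tuple[re.Pattern, str]] = [
    # enable secret 9 $9$...  /  enable password 7 0822...
    (re.compile(r"^(\s*enable (?:secret|password)(?: \d)?) \S+$"), r"\1 " + MASK),
    # username admin privilege 15 secret 9 $9$...
    (re.compile(r"^(\s*username \S+.* (?:secret|password)(?: \d)?) \S+$"), r"\1 " + MASK),
    # snmp-server community <string> RO|RW ...
    (re.compile(r"^(\s*snmp-server community) \S+(.*)$"), r"\1 " + MASK + r"\2"),
    # crypto isakmp key <psk> address ...
    (re.compile(r"^(\s*crypto isakmp key) \S+(.*)$"), r"\1 " + MASK + r"\2"),
    # ntp authentication-key 1 md5 <key> [type]
    (re.compile(r"^(\s*ntp authentication-key \d+ \S+) \S+(.*)$"), r"\1 " + MASK + r"\2"),
    # wpa-psk ascii 7 <psk>  /  psk ascii <psk>
    (re.compile(r"^(\s*(?:wpa-)?psk ascii(?: \d)?) \S+$"), r"\1 " + MASK),
]
# " key 7 <hex>" under tacacs/radius server blocks and "key-string <s>" in key chains.
# A bare " key 1" inside "key chain" is a key id, not a secret, so it is kept.
_KEY_LINE = re.compile(r"^(\s*key(?:-string)?) (?:(\d) )?(\S+)$")


def mask_line(line: str) -> str:
    """Return the line with any secret token replaced; unchanged if none is found."""
    for rx, repl in _SECRET_LINES:
        if rx.match(line):
            return rx.sub(repl, line)
    m = _KEY_LINE.match(line)
    if m:
        prefix, enc_type, value = m.groups()
        if enc_type is None and value.isdigit():
            return line  # key-chain key id, not a secret
        return f"{prefix} {enc_type + ' ' if enc_type else ''}{MASK}"
    return line


def sanitize_running_config(config: str) -> Tuple[str, int]:
    """Sanitized (Masked) format: mask secrets line by line; return (text, masked_count)."""
    out, masked = [], 0
    for line in config.splitlines():
        new = mask_line(line)
        masked += int(new != line)
        out.append(new)
    return "\n".join(out) + "\n", masked


def archive_config(config: str, backup_format: str, file_password: str = "") -> Tuple[str, int]:
    """Apply the Backup Format rules from the External repository settings.

    RAW leaves every secret in the clear and therefore requires a file password
    (which Catalyst Center does not store); Sanitized ignores the password.
    """
    fmt = backup_format.strip().lower()
    if fmt.startswith("raw"):
        if not file_password:
            raise ValueError("RAW backup format requires a file password")
        return config, 0
    if fmt.startswith("sanitized"):
        return sanitize_running_config(config)
    raise ValueError(f"unsupported backup format: {backup_format!r}")
```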


Cloud access keys

You can register cloud access keys after installing the Cloud Device Provisioning Application package in Catalyst Center. The system supports multiple cloud access keys. Each key is used as a separate cloud profile that contains all the AWS infrastructure constructs or resources that are discovered by using that cloud access key. After a cloud access key is added, an AWS VPC inventory collection is triggered automatically for it. The AWS infrastructure constructs or resources that are discovered by VPC inventory collection for that cloud access key can then be viewed and used for cloud provisioning of CSRs and wireless controllers.

Before you begin

  • Obtain the access key ID and secret key from the Amazon Web Services (AWS) console.

  • Subscribe to CSR or wireless controller products in the AWS marketplace and verify the image ID for the target region.

  • Identify the key pair that CSRs will use during HA failover on AWS. The key pair's name is selected from a list in Catalyst Center when provisioning CSRs in that region.

  • Identify the IAM role that CSRs will use during HA failover on AWS. The IAM role is selected from a list in Catalyst Center when provisioning CSRs.

  • Configure the proxy for Catalyst Center to communicate with AWS via HTTPS REST APIs. See Configure the proxy.

  • The Cloud Connect extension to the eNFV app is enabled by deploying a separate Cloud Device Provisioning Application package. The package is not included by default in the standard Catalyst Center installation. You must download and install the package from a catalog server. For more information, see Download and install applications.

Procedure


Step 1

From the main menu, choose System > Settings > Cloud Access Keys.

Step 2

Click Add.

Step 3

Enter the Access Key Name and choose the Cloud Platform from the drop-down list. Enter the Access Key ID and Secret Key obtained from the AWS console.

Step 4

Click Save and Discover.


What to do next

  • After a cloud access key is added, an AWS VPC inventory collection is triggered automatically for it. It takes several minutes to synchronize with the cloud platform. Inventory collection is scheduled to occur at the default interval.

  • After successful cloud inventory collection, the Cloud tab in the Provision section provides a view of the collected AWS VPC inventory.

Integrity Verification

Integrity Verification (IV) monitors key device data for unexpected changes or invalid values that indicate that a device may have been compromised. It does this by comparing each device's software, hardware, platform, and configuration settings against an authoritative set of Known Good Values (KGV) for these settings for all supported Cisco devices. The objective is to minimize the impact of a compromise by substantially reducing the time to detect unauthorized changes to a Cisco device.


Note


IV runs integrity verification checks on software images that are uploaded into Catalyst Center. To run these checks, the IV service needs the Known Good Value (KGV) file to be uploaded.


Upload the KGV file

To provide security integrity, Cisco devices must be verified as running authentic and valid software. Currently, Cisco devices have no point of reference to determine whether they are running authentic Cisco software. IV compares the collected image integrity data with the KGV for Cisco software.

Cisco produces and publishes a KGV data file that contains KGVs for many of its products. This KGV file is in standard JSON format, is signed by Cisco, and is bundled with other files into a single KGV file that can be retrieved from the Cisco website. The KGV file is posted at:

https://cscrdr.cloudapps.cisco.com/cscrdr/security/center/files/trust/Cisco_KnownGoodValues.tar

The KGV file is imported into IV and used to verify integrity measurements obtained from the network devices.
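As an added example that is not Cisco's code, the following Python shows the verification flow the text describes: a KGV bundle (a tar containing JSON) is read, indexed by product and version, an uploaded image's hash is compared against the known good value, and the fields the Integrity Verification window reports after an import are derived from the bundle. The JSON field names, hash algorithms, product names and image bytes are constructed assumptions, and the Cisco signature on the real file is not reproduced or checked here.

```python
import hashlib
import hmac
import io
import json
import tarfile
from typing import Dict, Tuple

# Constructed image bytes and a constructed, simplified KGV document. The real
# Cisco KGV JSON schema is not reproduced on this page, so the field names below
# are assumptions made for this example.
SAMPLE_IMAGE = b"constructed-example-image-bytes-17.9.4a"
KGV_DOCUMENT = {
    "published": "2024-01-01",
    "products": [
        {"product": "EXAMPLE-SWITCH", "version": "17.9.4a",
         "file": "example_image_17.9.4a.bin",
         "sha512": hashlib.sha512(SAMPLE_IMAGE).hexdigest()},
        {"product": "EXAMPLE-SWITCH", "version": "17.6.5",
         "file": "example_image_17.6.5.bin",
         "sha512": "0" * 128},
    ],
}


def build_kgv_tar(document: dict) -> bytes:
    """Bundle one KGV JSON member into an in-memory tar, standing in for the download."""
    payload = json.dumps(document).encode()
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo("known_good_values.json")
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def load_kgv_bundle(tar_bytes: bytes) -> Tuple[Dict[Tuple[str, str], str], str]:
    """Read every JSON member of the bundle; return ({(product, version): sha512}, published)."""
    index, published = {}, ""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        for member in tar.getmembers():
            if not member.isfile() or not member.name.endswith(".json"):
                continue
            doc = json.load(tar.extractfile(member))
            published = doc.get("published", published)
            for rec in doc.get("products", []):
                index[(rec["product"], rec["version"])] = rec["sha512"].lower()
    return index, published


def summarize_kgv_import(tar_bytes: bytes, file_name: str) -> dict:
    """Fields the Integrity Verification window shows after an import (Step 2 of the procedure)."""
    index, published = load_kgv_bundle(tar_bytes)
    return {
        "file_name": file_name,
        "records": len(index),
        "file_hash": hashlib.sha256(tar_bytes).hexdigest(),  # hash algorithm is an assumption
        "published": published,
    }


def verify_image(index: Dict[Tuple[str, str], str], product: str, version: str,
                 image_bytes: bytes) -> str:
    """Compare an uploaded image against its KGV record.

    'Unable to verify' is the status the Image Repository shows when no KGV
    record covers the image; the other two labels are assumed for this example.
    """
    expected = index.get((product, version))
    if expected is None:
        return "Unable to verify"
    actual = hashlib.sha512(image_bytes).hexdigest()
    # Constant-time comparison, as for any digest check.
    return "Verified" if hmac.compare_digest(actual, expected) else "Mismatch"
```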


Note


Device integrity measurements are made available to and used entirely within the IV. Connectivity between IV and cisco.com is not required. The KGV file can be air-gap transferred into a protected environment and loaded into the IV.


Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.

Procedure


Step 1

From the main menu, choose System > Settings > External Services > Integrity Verification.

Step 2

Review the current KGV file information:

  • File Name: Name of the KGV tar file.

  • Imported By: Catalyst Center user who imported the KGV file. If it is automatically downloaded, the value is System.

  • Imported Time: Time at which the KGV file was imported.

  • Imported Mode: Local or remote import mode.

  • Records: Records processed.

  • File Hash: File hash for the KGV file.

  • Published: Publication date of the KGV file.

Step 3

To import the KGV file, do one of these steps:

  • Click Import New from Local to import a KGV file locally.
  • Click Import Latest from Cisco to import a KGV file from cisco.com.

Note

 

The Import Latest from Cisco option does not require a firewall setup. However, if a firewall is already set up, only the connection to https://cscrdr.cloudapps.cisco.com must be open.

Step 4

If you clicked Import Latest from Cisco, a connection is made to cisco.com and the latest KGV file is automatically imported to Catalyst Center.

Note

 

A secure connection is made using the certificates added to Catalyst Center and its proxy (if one was configured during the first-time setup).

Step 5

If you clicked Import New from Local, the Import KGV window appears.

Step 6

Do one of these procedures to import locally:

  • Drag and drop a local KGV file into the Import KGV field.
  • Click the Click here to select a KGV file from your computer link and choose a KGV file from a folder on your computer.
  • Click the Latest KGV file link and download the latest KGV file before dragging and dropping it into the Import KGV field.

Step 7

Click Import.

The KGV file is imported into Catalyst Center.

Step 8

After the import is finished, verify the current KGV file information in the GUI to ensure that it has been updated.

IV automatically downloads the latest KGV file from cisco.com to your system 7 days after Catalyst Center is deployed. The auto downloads continue every 7 days. You can also download the KGV file manually to your local system and then import it to Catalyst Center. For example, if a new KGV file is available on a Friday and the auto download is every 7 days (on a Monday), you can download it manually.

The KGV auto download information that displays includes:

  • Frequency: The frequency of the auto download.

  • Last Attempt: The last time the KGV scheduler was triggered.

  • Status: The status of the KGV scheduler's last attempt.

  • Message: A status message.

    Note

     

    When you import the latest KGV file, if there is any error, an error message displays. These error messages are now translated into multiple languages.


What to do next

After importing the latest KGV file, choose Design > Image Repository to view the integrity of the imported images.


Note


The effect of importing a KGV file can be seen in the Image Repository window, if the images that are already imported have an Unable to verify status (physical or virtual). Additionally, future image imports, if any, will also refer to the newly uploaded KGV for verification.


Update the KGV bundle

Catalyst Center allows you to cancel or clear all stale or stuck IV workflows and initiate a new workflow. This feature is asynchronous: it takes some time for the cancellation to take effect.

With the IV KGV file download workflow, you trigger the latest KGV download directly from cisco.com, or you manually upload a new KGV. In addition, a scheduler runs daily to download or update the latest KGV bundle from cisco.com.

If a scheduler IV workflow or a user-triggered IV workflow gets stuck during the KGV file download or during another phase, you cannot submit a new request, because only one IV KGV workflow is allowed at a time. Previously, the only way out was to raise a service request and have the service restarted. To overcome this issue, Catalyst Center has introduced a new API that allows you to cancel any stale or stuck IV workflow, clear the task entry associated with the canceled IV workflow, and reset the locking mechanism that blocks simultaneous IV workflow requests.


Note


This cancellation function:

  • Applies only if you choose Import Latest From Cisco while importing the KGV file.

  • Works only for stale workflows, not for other scenarios.


Cisco SD-Access Compatibility Matrix

Catalyst Center periodically compares the hardware and software attributes of the operational SD-Access fabric nodes against information in the Cisco SD-Access Compatibility Matrix.

Any compatibility issues that are detected will be aggregated and displayed in the SD-Access Compliance state of each fabric site. The fabric site's aggregate Compliance state can be reviewed from the Provision > SD-Access > Fabric Sites window.

To import or download the latest SD-Access compatibility matrix information:

Procedure


Step 1

From the main menu, choose System > Settings > SD-Access Compatibility Matrix.

The SD-Access Compatibility Matrix window displays the information of the compatibility matrix that was last imported.

Note

 

Catalyst Center runs an autodownload for SD-Access compatibility matrix information that is scheduled to run once every day.

The date and time of the autodownload are also displayed in the SD-Access Compatibility Matrix window.

Step 2

To manually import the SD-Access compatibility matrix file, click the Import Latest From Cisco hyperlink.

Note

 

A banner is displayed at the top of the SD-Access Compatibility Matrix window if the latest version of the file already exists.

Step 3

For air-gapped deployments, importing the SD-Access compatibility matrix file directly from Cisco is not possible, so Catalyst Center provides the following upload process:

  1. Download the SD-Access compatibility matrix file from Cisco SD-Access Compatibility Matrix for your device role and Catalyst Center package version.

    Note

     

    You should not make any changes to the downloaded JSON file.

  2. Click the Import New From Local hyperlink and do one of the following:

    • Click Choose a file to import the file.

    • Drag and drop the JSON file to the drag and drop area.

Note

 

The file size cannot exceed 10 MB.


Disable SD-Access image compatibility checks

Catalyst Center 2.3.7.5 and later releases give you the option to disable SD-Access image compatibility checks.


Note


Always enable SD-Access image compatibility checks to ensure proper network operations.


To disable the SD-Access image compatibility checks:

Procedure


Step 1

From the main menu, choose System > Settings > SD-Access Compatibility Matrix.

Step 2

On the SD-Access Compatibility Matrix window, click the SD-Access Image Compatibility Checks toggle button so that it is unchecked.


Configure an IP address manager

You can configure Catalyst Center to communicate with an external IP address manager (IPAM). When you use Catalyst Center to create, reserve, or delete any IP address pool, Catalyst Center conveys this information to your external IPAM.

Before you begin

Requirements for external IPAM integration:

  • Create a role that has write permission to the IPAM function and assign it to the user account used for integration with Catalyst Center.

  • To enable IP pool creation by LAN automation for point-to-point addressing, the role must include:

    • For Infoblox: Write permission for Network Views.

    • For Bluecat: Full access permission for Configurations.

Procedure


Step 1

From the main menu, choose System > Settings > External Services > IP Address Manager.

Step 2

In the Server Name field, enter the name of the IPAM server.

Step 3

In the Server URL field, enter the URL or IP address of the IPAM server.

A warning icon and message appear, indicating that the certificate is not trusted for this server. To import the trust certificate directly from the IPAM:

  1. Click the warning icon.

    A Certificate Warning dialog box appears.

  2. Verify the issuer, serial number, and validity dates for the certificate.

  3. If the information is correct, check the check box to allow Catalyst Center to access the IP address and add the untrusted certificate to the trusted certificates.

  4. Click Allow.

Step 4

In the Username and Password fields, enter the IPAM credentials.

Step 5

From the Provider drop-down list, choose a provider.

Note

 

If you choose BlueCat as your provider, ensure that your user has been granted API access in the BlueCat Address Manager. See your BlueCat documentation for information about configuring API access for your user or users.

To integrate Catalyst Center with BlueCat in Federal Information Processing Standards (FIPS) mode, use BlueCat 9.3.0.

Step 6

From the View drop-down list, choose a default IPAM network view. If you only have one view configured, only default appears in the drop-down list. The network view is created in the IPAM and is used as a container for IP address pools.

Step 7

If you want to synchronize the IP address pools on Catalyst Center with the IPAM, check the Sync global pools from IP Address Pools to the selected view from IPAM server check box. If you don't want to synchronize the IP pools, leave the check box unchecked.

Note

 

You should only skip the synchronization if you know that the view of the IPAM is already synchronized with the IP address pool on Catalyst Center. For example, this can occur when:

  • The IPAM has been upgraded through backup and restore to a new server instance

  • The IPAM was accidentally deleted and you want to re-add it

If you skip synchronization when adding or updating the IPAM when the view is out of sync with IP address pools on Catalyst Center, pool operations might fail in the future.

Step 8

Click Save.


What to do next

Go to System > Settings > Trust & Privacy > Trusted Certificates to verify that the certificate has been successfully added.


Note


In trusted certificates, the certificate is referenced as a third-party trusted certificate.


Go to System > System 360 and verify the information to ensure that your external IP address manager configuration succeeded.

Configure Webex integration

Catalyst Center provides Webex meeting session information for Client 360.

Procedure


Step 1

From the main menu, choose System > Settings > External Services > Webex Integration.

Step 2

Click Authenticate to Webex.

Step 3

In the Cisco Webex pop-up window, enter the email address and click Sign In.

Step 4

Enter the password and click Sign In.

Webex authentication is completed successfully.

Step 5

Under Default Email Domain for Webex Meetings Sign-In, enter the Webex user email domain and click Save.

The Webex domain is organization-wide, and all users who use the domain can host or attend meetings.

Step 6

(Optional) Under Authentication Token, click Delete to delete Webex authentication.


Configure an AppX MS-Teams integration

When activated, Catalyst Center provides call quality metrics information for Application 360 and Client 360 dashboards.

Before you begin

You must have a Microsoft Teams account with admin privileges.

Procedure


Step 1

From the main menu, choose System > Settings > External Services > Cisco Catalyst - Cloud.

Step 2

From the Region drop-down list, select the DNA Cloud US region. For the integration to work, Microsoft Teams must be enabled in the same region (DNA Cloud US).

Step 3

Click the icon, search by name, and locate AppX MS-Teams.

Step 4

Click Activate.

You are redirected to the Cisco Catalyst - Cloud window.

Step 5

In the Cisco Catalyst - Cloud window:

  1. Log in to Cisco Catalyst - Cloud with your cisco.com credentials.

    If you do not have cisco.com credentials, you can create them.

  2. In the Activate application on your product window, click the consent flow link and do these tasks:

    • In the Sign in to your account window, enter the Microsoft admin username and password, and click Sign In.

    • Click Accept.

  3. In the Activate application on your product window, select Catalyst Center and click Next.

    To register a new Catalyst Center, click the here link and:

    • In the Host Name/IP field, enter the Catalyst Center IP address.

    • In the Product Name field, enter the Catalyst Center name.

    • In the Type field, enter the Catalyst Center type.

    • Click Register.

  4. Cisco Catalyst - Cloud synchronizes with Catalyst Center automatically; you are redirected to the Choose the Scope for your Cisco Catalyst Center window. Click Next.

  5. In the Summary window, review the configuration settings. To make any changes, click Edit.

  6. Click Activate.

    You are redirected back to Catalyst Center.

    Note

     

    If you want to deactivate the product or disconnect from the AppX MS-Teams application, see Configure an AppX MS-Teams integration through Cisco Cloud Services.

Configure an AppX MS-Teams integration through Cisco Cloud Services

Use this procedure to activate, deactivate, or check the status of MS-Teams integration on the devices through Cisco Cloud Services.

Before you begin

You must have a Microsoft Teams account with admin privileges.

Procedure


Step 1

Log in to Cisco Cloud Services with your cisco.com credentials.

If you do not have cisco.com credentials, you can create them.

Step 2

From the main menu, choose Applications and Products.

Step 3

From the Region drop-down list, select the DNA Cloud US region. For the integration to work, Microsoft Teams must be enabled in the same region (DNA Cloud US).

Step 4

Click the icon, search by name, and locate AppX MS-Teams.

Step 5

In the AppX MS-Teams tile, click Activate. For details, see Configure an AppX MS-Teams integration.

Step 6

After the product is activated, click Exit.

Step 7

You are redirected to the Applications window.

Step 8

Click the AppX MS-Teams tile to view the details in the App 360 window.

Step 9

(Optional) To activate products from the App 360 window:

  1. In the Product Activations table, click Add.

  2. Choose the product that you want to activate and click Next.

    Note

     

    You cannot select more than one product at a time.

  3. In the Summary window, review the configuration settings. To make any changes, click Edit. Otherwise, click Activate.

Step 10

(Optional) To deactivate the product:

  1. Click the AppX MS-Teams tile.

  2. In the Product Activations table, check the check box next to the product that you want to deactivate.

  3. From the More Action drop-down list, choose Deactivate.

  4. In the confirmation window, click Deactivate.

Step 11

(Optional) To disconnect the product from AppX MS-Teams application:

  1. Click the AppX MS-Teams tile to view the details in the App 360 window.

  2. In the top menu bar, click View all details.

    The Details slide-in pane is displayed.

  3. Click Disconnect now.


Configure ThousandEyes integration

You can configure Catalyst Center to communicate with an external ThousandEyes API agent to enable ThousandEyes integration using an authentication token. After integration, Catalyst Center provides ThousandEyes agent test data in the Application Health dashboard.

Before you begin

Ensure that you have deployed the ThousandEyes agent through application hosting, which supports Cisco Catalyst 9300 and 9400 Series switches.

Procedure


Step 1

From the main menu, choose System > Settings > External Services > ThousandEyes Integration.

Step 2

In the Insert new token here field, enter the authentication token.

Note

 

To receive the OAuth Bearer Token, go to the ThousandEyes page.

Step 3

Click Save.

Step 4

To connect your ThousandEyes account to Catalyst Center:

  1. Click Start set up. The device authentication code is displayed.

  2. Click Login and enter the device authentication code in the Cisco ThousandEyes authentication pop-up window and click Verify.

  3. In the ThousandEyes login window, enter the ThousandEyes credentials and click Login.

Step 5

To disconnect ThousandEyes, click Disconnect.


Configure debugging logs

To assist in troubleshooting service issues, you can change the logging level for the Catalyst Center services.

A logging level determines the amount of data that is captured in the log files. Logging levels are cumulative: each level includes everything emitted at that level and at the more severe levels above it. For example, setting the logging level to Info also captures Warn and Error logs. We recommend raising the logging level while troubleshooting so that more data is captured, for example for review in a root cause analysis (RCA) support file.

The default logging level for services is informational (Info). You can change the logging level from informational to a different logging level (Debug or Trace) to capture more information.


Caution

Due to the type of information that might be disclosed, logs collected at the Debug level or higher should have restricted access.

Note

Log files are created and stored in a centralized location on your Catalyst Center host for display in the GUI. From this location, Catalyst Center can query and display logs in the GUI (System > System 360 > Log Explorer). Logs are available to query for only the last 2 days. Logs that are older than 2 days are purged automatically from this location.


Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.

Procedure


Step 1

From the main menu, choose System > Settings > System Configuration > Debugging Logs.

The Debugging Logs window is displayed.

Step 2

From the Service drop-down list, choose a service to adjust its logging level.

The Service drop-down list displays the services that are currently configured and running on Catalyst Center.

Step 3

Enter the Logger Name.

This advanced feature controls which software components emit messages into the logging framework. Use it with care: misuse can result in loss of information needed for technical support purposes. Log messages are written only for the loggers (packages) specified here. By default, the Logger Name includes packages that start with com.cisco. You can enter additional package names as comma-separated values. Do not remove the default values unless you are explicitly directed to do so. Use * to log all packages.

Step 4

From the Logging Level drop-down list, choose the new logging level for the service.

Catalyst Center supports logging levels in descending order of detail, including:

  • Trace: Trace messages

  • Debug: Debugging messages

  • Info: Normal, but significant condition messages

  • Warn: Warning condition messages

  • Error: Error condition messages

Step 5

From the Time Out field, choose the time period for the logging level.

Configure logging-level time periods in increments of 15 minutes, or choose an unlimited time period. If you specify an unlimited time period, reset the service to the default logging level each time a troubleshooting activity is completed, so that verbose logging does not remain enabled indefinitely.

Step 6

Review your selection and click Save.


Configure the network resync interval

You can update the polling interval at the global level for all devices by choosing System > Settings > Network Resync Interval. Or, you can update the polling interval at the device level for a specific device by choosing Device Inventory. When you set the polling interval using the Network Resync Interval, that value takes precedence over the Device Inventory polling interval value.

Before you begin

  • Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.

  • Make sure that you have devices in your inventory. If not, discover devices using the Discovery feature.

Procedure


Step 1

From the main menu, choose System > Settings > Device Settings > Network Resync Interval.

Step 2

In the Resync Interval field, enter a new time value (in minutes).

Step 3

(Optional) Check the Override for all devices check box to override the existing configured polling interval for all devices.

Step 4

Click Save.


View audit logs

Audit logs capture information about the various applications running on Catalyst Center. Audit logs also capture information about device public key infrastructure (PKI) notifications. The information in these audit logs can be used to help in troubleshooting issues, if any, involving the applications or the device CA certificates.

Audit logs also record system events that occurred, when and where they occurred, and which users initiated them. With audit logging, configuration changes to the system get logged in separate log files for auditing.

Procedure


Step 1

From the main menu, choose Activities > Audit Logs.

The Audit Logs window opens, where you can view logs about the current policies in your network. These policies are applied to network devices by the applications installed on Catalyst Center.

Step 2

Click the timeline slider to specify the time range of data you want displayed on the window:

  1. In the Time Range area, select a time range—Last 2 Weeks, Last 7 Days, Last 24 Hours, or Last 3 Hours.

  2. To specify a custom range, click By Date and specify the start and end date and time.

  3. Click Apply.

Step 3

Click the arrow next to an audit log to view the corresponding child audit logs.

Each audit log can be a parent to several child audit logs. By clicking the arrow, you can view a series of additional child audit logs.

Note

An audit log captures data about a task done by Catalyst Center. Child audit logs are subtasks to a task done by Catalyst Center.

Step 4

(Optional) From the list of audit logs in the left pane, click a specific audit log message. In the right pane, click Event ID > Copy Event ID to Clipboard. With the copied ID, you can use the API to retrieve the audit log message based on the event ID.

The audit log displays the Description, User, Interface, and Destination of each policy in the right pane.

Note

The audit log displays northbound operation details such as POST, DELETE, and PUT with payload information, and southbound operation details such as the configuration pushed to a device. For detailed information about the APIs on Cisco DevNet, see Catalyst Center Platform Intent APIs.

Step 5

(Optional) Click Filter to filter the log by User ID, Log ID, or Description.

Step 6

Click the pencil icon to subscribe to the audit log events.

A list of syslog servers is displayed.

Step 7

Check the syslog server check box that you want to connect to and click Save.

Note

Uncheck the syslog server check box to unsubscribe from the audit log events and click Save.

Step 8

In the right pane, use the Search field to search for specific text in the log message.

Step 9

From the main menu, choose Activities > Tasks to view the upcoming, in-progress, completed, and failed tasks (such as operating system updates or device replacements) and existing, pending-review, and failed work items.


Export audit logs to syslog servers

Enabling syslogs for audit logs offers these benefits:

  • Centralized logging: Collect and store logs in one place for easier monitoring.

  • Security monitoring: Quickly detect unauthorized or suspicious activities.

  • Compliance: Maintain tamper-proof records for audits and investigations.

You can export the audit logs from Catalyst Center to multiple syslog servers by connecting to them.

Before you begin

Configure the syslog servers in the System > Settings > External Services > Destinations > Syslog area.

Procedure


Step 1

From the main menu, choose Activities > Audit Logs.

Step 2

At the top of the window, click the pencil icon.

Step 3

Select the syslog servers that you want to connect to and click Save.

Step 4

(Optional) To disconnect from a syslog server, deselect it and click Save.


Enable visibility and control of configurations

The Visibility and Control of Configurations feature provides a solution to further secure your planned network configurations before deploying them on to your devices. With enhanced visibility, you can enforce the previewing of device configurations (CLI and NETCONF commands) before deploying them. Visibility is enabled by default. When visibility is enabled, you cannot deploy your device configurations until you review them. With enhanced control, you can send the planned network configurations to IT Service Management (ITSM) for approval. When control is enabled, you cannot deploy the configurations until an IT administrator approves them.


Note


If a provisioning workflow supports Visibility and Control of Configurations, this banner message displays when you schedule the deployment of your task:

This workflow supports enforcing network administrators and other users to preview configurations before deploying them on the network devices. To configure this setting, go to System > Settings > Visibility and Control of Configurations.


Before you begin

Make sure that ITSM is enabled and configured in Catalyst Center so that you can enable ITSM Approval. For information about how to enable and configure ITSM, see “Configure the Catalyst Center Automation Events for ITSM (ServiceNow) Bundle” in the Catalyst Center ITSM Integration Guide.

Procedure


Step 1

From the main menu, choose System > Settings > System Configuration > Visibility and Control of Configurations.

Step 2

Click the Configuration Preview toggle button to enable or disable visibility.

Enabling visibility means you must preview the device configurations before deploying them.

Disabling visibility means you are not enforcing the previewing of device configurations before deploying them. When visibility is disabled, you can schedule and deploy the configurations with or without previewing them.

Step 3

(Optional) Click the ITSM Approval toggle button to enable or disable control.

Enabling control means you must submit the planned network configurations to an ITSM administrator for approval before deploying them.

Disabling control means you are not requiring ITSM approval before the deployment of planned network configurations. When control is disabled, you can deploy the configurations without ITSM approval.


View, search, and filter for task and work item details

You can view, search, and filter for task and work item details on the Tasks window.

Procedure


Step 1

From the main menu, choose Activities > Tasks.

By default, the Tasks window displays all the upcoming, in-progress, failed, and successful tasks and existing, pending-review, and failed work items. All failed tasks have a trace ID that provides a hint to analyze the error log quickly. The left SUMMARY pane displays filtering options for you to refine the list of displayed tasks and work items. You can expand and collapse the SUMMARY pane by clicking the arrow icon.

Step 2

Use this table to view, search, and filter for task and work item details on the Tasks window.

Action

Steps

Filter for specific task and work item details.

  1. In the SUMMARY pane, under Type, click Task to filter for only tasks or Work Item to filter for only work items.

  2. Filter for task and work item details using the filter options available under Status, Review Status, Last Updated, Categories, and Recurring.

    The Tasks window displays the results of applied filters.

    Tip

    Under Categories, you can search for a specific category by clicking Show all and using the Search field.

Remove an applied filter.

  1. In the SUMMARY pane, under FILTERED BY, click x next to the applied filter.

    The Tasks window displays the results of removing the filter.

  2. You can also remove the Status, Review Status, and Categories filters by unchecking the check boxes.

Search for a task and work item by title or username.

By default, the Search field searches tasks and work items by description. If any filters are applied when you search for a task or work item, the system searches within the applied filters. For example, if you applied the In Progress filter and search for all tasks and work items with “provision” in the name, the system searches only in-progress tasks and work items for this keyword.

  1. In the Search by description field, enter a description of the task or work item.

    The Tasks window displays the filtered list of tasks and work items based on the entered description.

  2. To search by username, in the Search field, do the following:

    1. Click the filter icon.

    2. Click username.

    3. Enter a username in the Search by username field.

    4. Click Apply.

Sort the list of tasks and work items.

By default, the tasks and work items are listed by when they were last updated. You can sort tasks and work items by their start time or update time.

  1. To the right of the Search field, hover your cursor over the sort drop-down list and choose a sorting option.

    The Tasks window displays the sorted list of tasks and work items based on the chosen sorting option.


View, edit, stop, and delete tasks

You can view information about all the upcoming, in-progress, failed, and successful tasks running on Catalyst Center.

A task is an operation that you or the system scheduled, which can reoccur. If you have a task, this means that you have no corresponding work items to complete for it to deploy as scheduled.

The information available in a task depends on its category, and there are a variety of categories. Common task categories include provision, config archive, inventory, and security advisories. However, all tasks display the following details: who initiated the task, its category, its completion status, its success status, and its start date, last updated date, and end date.

Procedure


Step 1

From the main menu, choose Activities > Tasks.

By default, the Tasks window displays all the upcoming, in-progress, failed, and successful tasks and existing, pending-review, and failed work items.

Note

 

If you enabled Site Settings for multiple devices in different time zones in a task, the Starts field displays the start time of the device in the earliest time zone based on your local time zone. For example, let’s say that you are in the Pacific Time Zone, and you have two devices scheduled to deploy on May 8, 2024, at 12 PM. One device is in San Jose, CA, and the other device is in Bengaluru, India. The Starts field displays May 8, 2024, at 12:00 PM, because your local time zone aligns with the device in the earliest time zone. If you are in Bengaluru, India, this field displays May 9, 2024, at 12:30 AM, because your local time is 12 hours and 30 minutes ahead of the device in the earliest time zone.

Step 2

Use this table to view, edit, or delete a task on the Tasks window.

Action

Steps

View a task.

  1. Click the task name to open a slide-in pane with more information.

    The task details depend on what type of task you’re viewing.

  2. In the slide-in pane, depending on the details displayed, you can do the following:

    • View device and provisioning details by clicking Device Details or Provision Details.

    • View more information about in-progress, completed, and failed tasks by clicking View Details or See Details.

    • Search for a task using Search Table.

    • Filter for a task using the filter icon in the top-right corner of the table.

    • Download an error report of a failed task by clicking Download Error Report.

      A tar file is created and saved to your local machine.

      Tip

      While creating a support case, you can attach the downloaded error report in addition to other details you may want to include.

Edit the schedule of a recurring task.

  1. Locate the task and click Edit.

  2. In the Edit Schedule slide-in pane, define the Start Date and Start Time.

  3. Using the Recurrence toggle button, click a recurrence interval.

  4. In the Run at Interval field, enter a value.

  5. (Optional) To schedule an end date and time for this task, do the following:

    1. Check the Set Schedule End check box.

    2. To end the task on a specific date, click End Date and choose the date.

    3. To end the task after a number of occurrences, click End After and in the Occurrences field, enter a numerical value.

  6. Click Preview to review the changes in the table.

  7. Ensure that the table’s listed Site Time (the device’s time zone) and Local Time (your time zone) for each device reflect the intended scheduled time.

  8. When you're ready, click Save.

Stop a task.

  1. Click the task name to open a slide-in pane with more information.

  2. Click Stop.

    Note

    Stop is disabled if the provisioning workflow doesn’t support this capability.

  3. In the Stop dialog box, click Yes to confirm the stoppage of the task.

    A task can be stopped only while it is in progress. Once the system has started configuring a device, that device's configuration can't be stopped; only the devices that are still pending provisioning are stopped.

Delete a task.

  1. Locate the task and click Delete.


View and discard work items

If you enabled the Visibility and Control of Configurations feature, a work item is created when you choose Generate configuration preview during any workflow. When the configurations are reviewed and ready for deployment, the work item becomes a task.

To enable Visibility and Control of Configurations, see Enable visibility and control of configurations.

Procedure


Step 1

From the main menu, choose Activities > Tasks.

By default, the Tasks window displays all the upcoming, in-progress, failed, and successful tasks and existing, pending-review, and failed work items.

Step 2

Use this table to view and discard a work item on the Tasks window.

Action

Steps

View a work item.

  1. In the SUMMARY pane, under Type, click Work Item.

    The Tasks window filters for and displays only work items.

  2. Click the work item name to open a slide-in pane with more information.

    The first listed device's configuration preview is displayed.

  3. In the slide-in pane, you can do the following:

    • Preview a device's configurations by choosing a device in the left pane.

    • Filter the data in the configuration preview pane with the View by Configuration Source drop-down list.

    • View a side-by-side comparison view of the planned configuration and the running configuration or view only the planned configuration by clicking the view switcher icon.

      Note

      Viewing YANG configurations in the side-by-side comparison view isn’t supported.

    • Click one command in one configuration to highlight the corresponding command in the other configuration when you’re in the side-by-side comparison view.

      Note

      Keep the following limitations in mind:

      • The system supports only side-by-side highlighting for first-level commands, not sublevel commands.

      • All commands must be a complete match for the system to display the side-by-side highlighting between configurations.

      • If you click any commands starting with No in one configuration, the system will ignore the No portion when checking for a match in the other configuration.

    • Search for a value in the displayed configuration with the Search configuration field.

    • Display the workflow progression view for the selected device by clicking Back to workflow progress in the top-right corner of the right pane. To return to the configuration preview pane, click Go to generated config.

      Note

      Back to workflow progress and Go to generated config are only available if the workflow supports the workflow progression view.

Discard a work item.

  1. Locate the work item and click Discard.

    You can also click the work item name to open a slide-in pane and then click Discard.

  2. In the Discard dialog box, do one of the following:

    • If you want to discard the work item and return to the current activity, click Discard.

      Note

      Discarding the work item means you can't recover it later.

    • If you want to retain any generated configurations and discard all other resources, check the Retain generated configs (if any) check box and click Accept.

      After retaining any generated configurations and discarding all other resources, the work item displays Exit instead of Exit and Preview Later because you've previewed all the configurations and chosen to discard the nongenerated ones.

      Tip

      Consider retaining any generated configurations and discarding all other resources if a configuration preview fails so that you or your IT administrator can further inspect the issue.


What to do next

To deploy the previewed device configurations or submit the planned network configurations for ITSM approval, see "Visibility and Control of Configurations Workflow," “Visibility and Control of Wireless Device Configurations,” or “Visibility and Control of Fabric Configurations” in the Cisco Catalyst Center User Guide.

Activate high availability

Complete this procedure to activate high availability (HA) on your Catalyst Center cluster:

Procedure


Step 1

From the main menu, choose System > Settings > System Configuration > High Availability.

Step 2

Confirm that the page displays the three Catalyst Center appliances in your cluster.

Step 3

Click Activate High Availability.

Step 4

Confirm that HA has been enabled:

  • The Status field displays Active.

  • In the top-right corner of the High Availability page, click the Activities link. In the resulting table, verify that the status displayed for the HA activation event is SUCCESS.


Configure integration settings

In cases where firewalls or other rules exist between Catalyst Center and any third-party apps that need to reach the Catalyst Center platform, you must configure Integration Settings. These cases occur when the IP address of Catalyst Center is internally mapped to another IP address that connects to the internet or an external network.


Important


After a backup and restore of Catalyst Center, you need to access the Integration Settings page and update (if necessary) the Callback URL Host Name or IP Address using this procedure.


Before you begin

You have installed the Catalyst Center platform.

Procedure


Step 1

From the main menu, choose System > Settings > Integration Settings.

Step 2

Enter the Callback URL Host Name or IP Address that the third-party app needs to connect to when communicating with the Catalyst Center platform.

Note

The Callback URL Host Name or IP Address is the external-facing hostname or IP address that is mapped internally to Catalyst Center. Configure the VIP address for a three-node cluster setup.

Step 3

Click Apply.


Set up a login message

You can set up a message that is displayed to all users after they log in to Catalyst Center.

Before you begin

Only a user with SUPER-ADMIN-ROLE or CUSTOM-ROLE with system management permissions can perform this procedure.

Procedure


Step 1

From the main menu, choose System > Settings > System Configuration > Login Message.

Step 2

In the Login Message text box, enter the message.

Step 3

Click Save.

The message appears below the Log In button on the Catalyst Center login page.

Later, if you want to remove this message, do the following:

  1. Return to the Login Message settings page.

  2. Click Clear and then click Save.


Configure the proxy

If Catalyst Center has a proxy server configured as an intermediary between itself and the network devices that it manages, you must configure access to the proxy server.


Note


Catalyst Center does not support a proxy server that uses Windows New Technology LAN Manager (NTLM) authentication.

Before you begin

Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.

Procedure


Step 1

From the main menu, choose System > Settings > System Configuration.

Step 2

From the System Configuration drop-down list, choose Proxy > Outgoing Proxy.

Step 3

Enter the proxy server URL address.

Step 4

Enter the proxy server port number.

Note

  • For HTTP, the port number is usually 80.

  • The port number ranges from 0 through 65535.

Step 5

(Optional) If the proxy server requires authentication, click Update and enter the username and password for access to the proxy server.

Step 6

Check the Validate Settings check box to have Catalyst Center validate your proxy configuration settings when applying them.

Step 7

Review your selections and click Save.

To cancel your selection, click Reset. To delete an existing proxy configuration, click Delete.

After configuring the proxy, you can view the configuration in the Proxy window.


Configure geo map settings

You can configure geo map settings in Catalyst Center.

Procedure


Step 1

From the main menu, choose System > Settings > System Configuration > Geo Map Settings.

Step 2

Choose one of the available administrative boundaries. These boundaries define how geographic features are drawn, because their characteristics are defined differently by audiences belonging to various regional, cultural, or political groups.

  • China (CN)

  • India (IN)

  • Japan (JP)

  • United States (US) (default)

Step 3

Click Save.


Security recommendations

Catalyst Center provides many security features for itself and for the hosts and network devices that it monitors and manages. You must clearly understand these features and configure them correctly. Follow these security recommendations:

  • Deploy Catalyst Center in a private internal network and behind a firewall that does not expose Catalyst Center to an untrusted network, such as the internet.

  • If you have separate management and enterprise networks, connect Catalyst Center's management and enterprise interfaces to your management and enterprise networks, respectively. Doing so ensures network isolation between the services used to administer and manage Catalyst Center and the services used to communicate with and manage your network devices.

  • If deploying Catalyst Center in a three-node cluster setup, verify that the cluster interfaces are connected in an isolated network.

  • Upgrade Catalyst Center with critical upgrades, including security patches, as soon as possible after a patch announcement. For more information, see the Catalyst Center Upgrade Guide.

  • Restrict the remote URLs accessed by Catalyst Center using an HTTPS proxy server. Catalyst Center is configured to access the internet to download software updates, licenses, and device software, as well as provide up-to-date map information, user feedback, and so on. Providing internet connections for these purposes is a mandatory requirement. However, provide connections securely through an HTTPS proxy server.

  • Restrict the ingress and egress management and enterprise network connections to and from Catalyst Center using a firewall, by only allowing known IP addresses and ranges and blocking network connections to unused ports.

  • Replace the self-signed server certificate from Catalyst Center with the certificate signed by your internal certificate authority (CA).

  • If possible in your network environment, disable SFTP Compatibility Mode. This mode allows legacy network devices to connect to Catalyst Center using older cipher suites.

  • Disable the browser-based appliance configuration wizard, which comes with a self-signed certificate.

Change the minimum TLS version and enable RC4-SHA (not secure)

Security recommendation: Upgrade the minimum TLS version to TLSv1.2 for incoming TLS connections to Catalyst Center.

Northbound REST API requests from an external network include northbound REST API-based apps, browsers, and network devices connecting to Catalyst Center using HTTPS. The Transport Layer Security (TLS) protocol makes such requests secure.

By default, Catalyst Center supports TLSv1.1 and TLSv1.2, but does not support RC4 ciphers for SSL/TLS connections. Since RC4 ciphers have well-known weaknesses, we recommend that you upgrade the minimum TLS version to TLSv1.2 if your network devices support it.

Catalyst Center provides a configuration option to downgrade the minimum TLS version and enable RC4-SHA. You can use this option if the network devices under Catalyst Center control cannot support the existing minimum TLS version (TLSv1.1) or ciphers. For security reasons, however, we recommend that you do not downgrade the Catalyst Center TLS version or enable RC4-SHA ciphers.

To change the TLS version or enable RC4-SHA for Catalyst Center, log in to the corresponding appliance and use the CLI.


Note


CLI commands can change from one release to the next. The CLI example uses command syntax that might not apply to all Catalyst Center releases, especially Catalyst Center on ESXi releases.

Before you begin

You must have maglev SSH access privileges to do this procedure.


Note


This security feature applies to port 443 on Catalyst Center. Doing this procedure may disable traffic on the port to the Catalyst Center infrastructure for a few seconds. For this reason, you must configure TLS infrequently and only during off-peak hours or during a maintenance period.

Procedure


Step 1

Using an SSH client, log in to the Catalyst Center appliance with the IP address that you specified using the configuration wizard.

The IP address to enter for the SSH client is the IP address that you configured for the network adapter. This IP address connects the appliance to the external network.

Step 2

When prompted, enter your username and password for SSH access.

Step 3

Enter this command to check the TLS version currently enabled on the cluster.

Here is an example:
Input
$ magctl service tls_version --tls-min-version show
Output
TLS minimum version is 1.1

Step 4

If you want to change the TLS version on the cluster, enter these commands. For example, you can change the current TLS version to an earlier version if your network devices under Catalyst Center control cannot support the existing TLS version.

This example shows how to change from TLS Version 1.1 to 1.0:

Input
$ magctl service tls_version --tls-min-version 1.0
Output
Enabling TLSv1.0 is recommended only for legacy devices
Do you want to continue? [y/N]: y
WARNING: Enabling TLSv1.0 for api-gateway
deployment.extensions/kong patched

This example shows how to change from TLS Version 1.1 to 1.2 (only allowed if you haven't enabled RC4-SHA):

Input
$ magctl service tls_version --tls-min-version 1.2
Output
Enabling TLSv1.2 will disable TLSv1.1 and below
Do you want to continue? [y/N]: y
WARNING: Enabling TLSv1.2 for api-gateway
deployment.extensions/kong patched

Note

TLS Version 1.2 cannot be set as the minimum version if RC4-SHA ciphers are enabled.

Step 5

If you want to change the TLS version for streaming telemetry connections between Catalyst Center and Catalyst 9000 devices (via the TCP 25103 port), enter this command. For example, you can change the current TLS version if the network devices that Catalyst Center manages can support TLS version 1.2.

This example shows how to change from TLS Version 1.1 to 1.2:

Input
$ magctl service tls_version --tls-min-version 1.2 -a assurance-backend collector-iosxe-db
Output
Enabling TLSv1.2 will disable TLSv1.1 and below
Do you want to continue? [y/N]: y
WARNING: Enabling TLSv1.2 for api-gateway
deployment.apps/collector-iosxe-db patched

Step 6

Enter this command to enable RC4-SHA on a cluster (not secure; proceed only if needed).

Enabling RC4-SHA ciphers is not supported when TLS Version 1.2 is the minimum version.

This example shows TLS version 1.2 is not enabled:
Input
$ magctl service ciphers --ciphers-rc4=enable kong
Output
Enabling RC4-SHA cipher will have security risk
Do you want to continue? [y/N]: y
WARNING: Enabling RC4-SHA Cipher for kong
deployment.extensions/kong patched

Step 7

Enter this command at the prompt to confirm the TLS minimum version and RC4-SHA settings that are configured.

Here is an example:

Input
$ magctl service display kong 
Output
      containers:
      - env:
        - name: TLS_V1
          value: "1.1"
        - name: RC4_CIPHERS
          value: "true"

Note

 

If the RC4 setting and TLS minimum version are set, they are listed in the env: section of the magctl service display kong output. If these values are not set, they do not appear in the env: section.

Step 8

To disable the RC4-SHA ciphers that you enabled previously, enter this command on the cluster:

Input
$ magctl service ciphers --ciphers-rc4=disable kong
Output
WARNING: Disabling RC4-SHA Cipher for kong
deployment.extensions/kong patched

Step 9

Log out of the Catalyst Center appliance.
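The env: values shown in Step 7 can be audited from a saved copy of the magctl service display kong output, for example in a periodic compliance check. The script below is an added example, not code from this guide or from Catalyst Center; the policy it enforces (TLS 1.2 minimum, RC4-SHA not enabled) and the sample output it embeds are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Catalyst Center guide: audit the env: block
# printed by "magctl service display kong" for the TLS_V1 and RC4_CIPHERS
# settings. The policy (TLS 1.2 minimum, RC4-SHA not enabled) is this
# example's assumption, not a Catalyst Center default.

# kong_tls_audit reads the display output on stdin. Returns 0 when the
# settings meet the policy, 1 when RC4-SHA is enabled or the TLS minimum is
# below 1.2. The guide notes that unset values do not appear in env: at all,
# so an absent value is reported rather than treated as a finding.
kong_tls_audit() {
  awk '
    $1 == "-" && $2 == "name:" { name = $3; next }
    $1 == "value:" && name != "" { gsub(/"/, "", $2); val[name] = $2; name = "" }
    END {
      tls = ("TLS_V1" in val) ? val["TLS_V1"] : "unset"
      rc4 = ("RC4_CIPHERS" in val) ? val["RC4_CIPHERS"] : "unset"
      printf "TLS_V1=%s RC4_CIPHERS=%s\n", tls, rc4
      bad = 0
      if (rc4 == "true") { print "FINDING: RC4-SHA ciphers are enabled on kong"; bad = 1 }
      if (tls == "1.0" || tls == "1.1") { print "FINDING: TLS minimum " tls " is below 1.2"; bad = 1 }
      if (tls == "unset") print "NOTE: TLS_V1 not present in env:; no explicit minimum has been set"
      exit bad
    }'
}

# Constructed sample in the format shown in Step 7 of the guide
# (TLS 1.1 minimum with RC4-SHA enabled), so the script runs without a cluster.
sample_kong_display() {
  cat <<'EOF'
      containers:
      - env:
        - name: TLS_V1
          value: "1.1"
        - name: RC4_CIPHERS
          value: "true"
EOF
}

# Constructed sample of a hardened state: TLS 1.2 minimum and no RC4_CIPHERS
# entry (the guide says unset values do not appear in env:).
sample_kong_display_hardened() {
  cat <<'EOF'
      containers:
      - env:
        - name: TLS_V1
          value: "1.2"
EOF
}

# Live use on a cluster node:  magctl service display kong | kong_tls_audit
sample_kong_display | kong_tls_audit || echo "audit exit status: $?"
```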


Configure the proxy certificate

In some network configurations, a proxy gateway might sit between Catalyst Center and the remote network it manages (containing various network devices). Common ports, such as 80 and 443, pass through the proxy gateway in the DMZ, so SSL sessions from the network devices destined for Catalyst Center terminate at the proxy gateway. Therefore, the network devices in these remote networks can communicate with Catalyst Center only through the proxy gateway. For the network devices to establish secure and trusted connections with Catalyst Center or, if present, a proxy gateway, their PKI trust stores must be provisioned with the relevant CA root certificates or, in certain circumstances, the server's own certificate.

If such a proxy is in place during onboarding of devices through PnP Discovery/Services, the proxy and the Catalyst Center server certificate must be the same so that network devices can trust and authenticate Catalyst Center securely.

In network topologies where a proxy gateway is present between Catalyst Center and the remote network it manages, import a proxy gateway certificate into Catalyst Center:

Before you begin

  • Only a user with SUPER-ADMIN-ROLE permissions can perform this procedure. For more information, see About user roles.

  • You must use the proxy gateway's IP address to reach Catalyst Center and its services.

  • You must have the certificate file that is currently being used by the proxy gateway. The certificate file must contain one of the following:

    • The proxy gateway’s certificate in PEM or DER format, with the certificate being self-signed.

    • The proxy gateway’s certificate in PEM or DER format, with the certificate being issued by a valid, well-known CA.

    • The proxy gateway's certificate and its chain in PEM or DER format.

The certificate used by the devices and the proxy gateway must be imported into Catalyst Center by following this procedure.

Procedure


Step 1

From the main menu, choose System > Settings > System Configuration.

Step 2

From the System Configuration drop-down list, choose Proxy > Incoming Proxy.

Step 3

In the Proxy Certificate window, view the current proxy gateway certificate data (if it exists).

Note

 

The Expiration Date and Time is displayed as a Greenwich Mean Time (GMT) value. A system notification appears in the Catalyst Center GUI two months before the certificate expires.

Step 4

To add a proxy gateway certificate, drag and drop the self-signed or CA certificate into the Drag and Drop Here area.

Note

 

Only PEM or DER files (standard certificate file formats) can be imported into Catalyst Center using this area. Private keys are neither required nor uploaded into Catalyst Center for this procedure.

Step 5

Click Save.

Step 6

Refresh the Proxy Certificate window to view the updated proxy gateway certificate data.

The information displayed in the Proxy Certificate window should have changed to reflect the new certificate name, issuer, and certificate authority.

Step 7

Click the Enable button to enable the proxy gateway certificate functionality.

If you click the Enable button, the controller returns the imported proxy gateway certificate when requested by a proxy gateway. If you don't click the Enable button, the controller returns its own self-signed or imported CA certificate to the proxy gateway.

The Enable button is dimmed if the proxy gateway certificate functionality is already enabled.


Upload an SSL intercept proxy certificate

If SSL decryption is enabled on the proxy server that is configured between Catalyst Center and the Cisco cloud from which it downloads software updates, ensure that the proxy is configured with a certificate that is issued from an official certificate authority. If you are using a private certificate, complete the following steps.


Note


For added security, access to the root shell is disabled in Catalyst Center. With restricted shell, users can't access the underlying operating system and file system, which reduces operational risk. However, the commands in this section require that you contact the Cisco TAC to access the root shell temporarily.


Procedure


Step 1

Transfer your proxy server’s certificate (in PEM format) to a directory on the Catalyst Center server.

Step 2

As a maglev user, SSH to the Catalyst Center server and enter this command, where <directory> is the location of the certificate file on the Catalyst Center server and <proxy.pem> is your proxy server’s TLS/SSL certificate file:

$ sudo /usr/local/bin/update_cacerts.sh -v -a /<directory>/<proxy.pem>

The command returns an output that is similar to the following:

Reading CA cert from file /tmp/sdn.pem
Adding certificate import_1E:94:6D:2C:81:22:BB:B2:2E:24:BD:72:57:AE:35:AD:EC:5E:71:44.crt
Updating /etc/ca-certificates.conf
Updating certificates in /etc/ssl/certs…
1 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d…
done.
Deleting tempfiles /tmp/file0PpQxV /temp/filePtmQ8U /tmp/filercR3cV

Step 3

Check the command output for the line "1 added" and confirm that the number added is not zero. The number can be one or greater, based on the certificates in the chain.

Step 4

Enter these commands to restart docker and the catalog server:

sudo systemctl restart docker
magctl service restart -d catalogserver

Step 5

In Catalyst Center, upload the same certificate and check the connectivity.

  1. Log in to the Catalyst Center GUI.

  2. Navigate to System > Settings > Certificates > Trusted Certificates and upload the same certificate.

    For more information, see Configure trusted certificates.

  3. Check the cloud, Cisco Connected Mobile Experiences (CMX), and Cisco Spaces connectivity.


Renew internal certificates

Catalyst Center uses a number of certificates, such as the ones generated by Kubernetes and the ones used by Kong and Credential Manager Services. These certificates are valid for one year, which starts as soon as you install your cluster. Catalyst Center automatically renews these internal certificates for another year before they are set to expire.

  • We recommend that you renew internal certificates before they expire, not after.

  • You can only renew internal certificates that are set to expire up to 100 days from now. This procedure does not do anything to certificates that will expire later than that.

  • The script refreshes only self-signed certificates, not third-party/certificate authority (CA)-signed certificates. In deployments that use third-party/CA-signed certificates, the script still updates the internal certificates used by Kubernetes and the Credential Manager.

  • For self-signed certificates, the renewal process does not require you to push certificates back out to devices, because the root CA is unchanged.

  • The term cluster applies to both single-node and three-node Catalyst Center setups.

Procedure


Step 1

Ensure that each cluster node is healthy and not experiencing any issues.

Step 2

To view a list of the certificates that are currently used by the node and their expiration dates, enter this command:

sudo maglev-config certs info 

Step 3

Renew the internal certificates that are set to expire soon by entering this command:

sudo maglev-config certs refresh 

Step 4

Repeat the preceding steps for the other cluster nodes.

Step 5

For utility help, enter:

$ sudo maglev-config certs --help 
Usage: maglev-config certs [OPTIONS] COMMAND [ARGS]...

Options:
  --help  Show this message and exit.

Commands:
  info
  refresh

Certificate and private key support

Catalyst Center supports the Certificate Authority Management feature, which is used to authenticate sessions (HTTPS). These sessions use commonly recognized trusted agents that are called CAs. Catalyst Center uses the Certificate Authority Management feature to import, store, and manage X.509 certificates from your internal CA. The imported certificate becomes an identity certificate for Catalyst Center, and Catalyst Center presents this certificate to its clients for authentication. The clients are the northbound API applications and network devices.

You can import these files (in either the PEM or PKCS file format) using the Catalyst Center GUI:

  • X.509 certificate

  • Private key


Note


For the private key, Catalyst Center supports the import of RSA keys. Keep the private key secure in your own key management system. The private key must have a minimum modulus size of 2048 bits.


You must obtain a valid X.509 certificate and private key issued by your internal CA. The certificate must correspond to a private key in your possession before importing the files. After importing the files, the security functionality that is based on the X.509 certificate and private key is automatically activated. Catalyst Center presents the certificate to any device or application that requests it. Northbound API applications and network devices can use these credentials to establish a trust relationship with Catalyst Center.


Note


Avoid using and importing a self-signed certificate to Catalyst Center. Import a valid X.509 certificate from your internal CA. Replace the default self-signed certificate with one signed by your internal CA to ensure proper Plug and Play functionality.


Catalyst Center supports only one imported X.509 certificate and private key at a time. When you import a second certificate and private key, the latter overwrites the first (existing) imported certificate and private key values.

Certificate chain support

Catalyst Center can import certificates and private keys through its GUI. If subordinate certificates are involved in the certificate chain leading to the certificate that is to be imported into Catalyst Center (the signed certificate), the subordinate certificates and the root certificate of these subordinate CAs must be appended together into a single file to be imported. When appending these certificates, you must append them in the same order as the actual chain of certification.

The following certificates must be pasted together into a single PEM file. Review the subject name and issuer of each certificate to ensure that the correct certificates are being imported and that the correct order is maintained. Ensure that all of the certificates in the chain are pasted together.

  • Signed Catalyst Center certificate: Its Subject field includes CN=<FQDN of Catalyst Center>, and the issuer has the CN of the issuing authority.


    Note


    If you install a certificate signed by your internal certificate authority (CA), ensure that the certificate specifies all of the DNS names (including the Catalyst Center FQDN) that are used to access Catalyst Center in the alt_names section. For more information, see "Generate a Certificate Request Using OpenSSL" in the Catalyst Center Security Best Practices Guide.


  • Issuing (subordinate) CA certificate that issues the Catalyst Center certificate: Its Subject field has CN of the (subordinate) CA that issues the Catalyst Center certificate, and the issuer is that of the root CA.

  • Next issuing (root/subordinate CA) certificate that issues the subordinate CA certificate: Its Subject field is the root CA, and the issuer has the same value as the Subject field. If they are not the same, you must append the next issuer, and so on.
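The ordering rules above (each certificate's issuer must be the subject of the next, and the last certificate must be self-signed) can be checked before the upload, on the single PEM file described here or on the server-cert-chain.pem file produced by the concatenation step later in this section. The script below is an added example, not code from this guide or from Catalyst Center; it assumes openssl is installed on the workstation that holds the PEM files, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the Catalyst Center guide. Checks that a
# concatenated PEM chain is in the order the import expects: the server
# certificate first, then each issuing CA, ending at a self-signed root
# (issuer equal to subject). Requires openssl; no Catalyst Center access needed.

# split_chain <chain.pem> <dir>: write one file per certificate (001.pem,
# 002.pem, ...) in the order they appear, ignoring any non-certificate blocks.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/%03d.pem", dir, n); inside = 1 }
    inside { print > out }
    /-----END CERTIFICATE-----/ { close(out); inside = 0 }
  ' "$1"
}

# name_field <cert.pem> <subject|issuer>: print the DN in RFC 2253 form.
name_field() {
  openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2=//"
}

# check_chain_order <chain.pem>: return 0 when every certificate is issued
# by the one that follows it and the last one is self-signed, else 1.
# Prints each subject/issuer pair so a misplaced certificate can be located.
check_chain_order() {
  tmp=$(mktemp -d) || return 1
  split_chain "$1" "$tmp"
  count=$(ls "$tmp" | wc -l | tr -d ' ')
  if [ "$count" -lt 2 ]; then
    echo "expected the server certificate plus at least one CA, found $count"
    rm -rf "$tmp"
    return 1
  fi
  status=0
  i=1
  prev_issuer=""
  last_subject=""
  for f in "$tmp"/*.pem; do
    subject=$(name_field "$f" subject)
    issuer=$(name_field "$f" issuer)
    echo "cert $i: subject: $subject"
    echo "        issuer:  $issuer"
    if [ "$i" -gt 1 ] && [ "$subject" != "$prev_issuer" ]; then
      echo "ORDER ERROR: cert $i is not the issuer of cert $((i - 1))"
      status=1
    fi
    prev_issuer=$issuer
    last_subject=$subject
    i=$((i + 1))
  done
  if [ "$last_subject" != "$prev_issuer" ]; then
    echo "CHAIN INCOMPLETE: last certificate is not self-signed; append its issuer"
    status=1
  fi
  rm -rf "$tmp"
  return "$status"
}

# verify_chain_signatures <chain.pem>: once the order is right, confirm the
# signatures actually chain up to the final (root) certificate.
verify_chain_signatures() {
  tmp=$(mktemp -d) || return 1
  split_chain "$1" "$tmp"
  count=$(ls "$tmp" | wc -l | tr -d ' ')
  if [ "$count" -lt 2 ]; then
    rm -rf "$tmp"
    return 1
  fi
  root="$tmp/$(printf '%03d' "$count").pem"
  if [ "$count" -gt 2 ]; then
    # Intermediate CAs (everything between the leaf and the root) are passed
    # as untrusted: they must themselves chain to the root.
    j=2
    while [ "$j" -lt "$count" ]; do
      cat "$tmp/$(printf '%03d' "$j").pem" >> "$tmp/intermediates"
      j=$((j + 1))
    done
    openssl verify -CAfile "$root" -untrusted "$tmp/intermediates" "$tmp/001.pem"
  else
    openssl verify -CAfile "$root" "$tmp/001.pem"
  fi
  rc=$?
  rm -rf "$tmp"
  return "$rc"
}

# Usage on the file produced by the concatenation step:
#   check_chain_order server-cert-chain.pem && verify_chain_signatures server-cert-chain.pem
```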

Update the Catalyst Center server certificate

Catalyst Center allows you to import and store an X.509 certificate from your certificate authority (CA) and private key that's generated by Catalyst Center. These can be used to create a secure and trusted environment between Catalyst Center, northbound API applications, and network devices. You can import a certificate and a private key on the System Certificates window.

To update the Catalyst Center server certificate:

  1. Generate a Certificate Signing Request (CSR).

  2. Submit the CSR to your CA to get a signed certificate.

  3. Import the signed certificate and its chain into Catalyst Center.

This procedure uses Microsoft Active Directory Certificate Services as an example CA. If you use a different CA, adapt the steps accordingly.


Note


We recommend that you complete this procedure whenever you need to update Catalyst Center's server certificate and private key. If you prefer to complete a CLI-based procedure, see the "Generate a certificate request using OpenSSL" topic in the Catalyst Center Security Best Practices Guide.


Before you begin

You must obtain a valid X.509 certificate from your internal CA that corresponds to your private key.

Procedure

Step 1

From the main menu, choose System > Settings > Certificates > System Certificates.

This window displays information about Catalyst Center server certificates and provides actions to manage those certificates. The System Certificates table displays this information for each certificate:

  • Issued To: Indicates who the certificate was issued to.

  • Issued By: Name of the entity that has signed and issued the certificate.

  • Used For: Indicates whether the certificate is used for the controller, disaster recovery, or both.

  • Certificate Serial Number: Shows the last five characters of the certificate serial number.

  • Time Left: Time left in the certificate life.

  • Status: Shows the certificate status.

  • Valid From/Valid To: Indicates when the certificate is valid.

    Note

     

    The certificate's valid dates and times are displayed as a Greenwich Mean Time (GMT) value. A system notification displays in the notification center two months before the certificate expires. Click the notifications icon in the top-right corner of the window to view it.

  • Action: Shows available actions to manage the certificate, such as replace or delete.

Step 2

Click + New Certificate Request (CSR).

This + New Certificate Request (CSR) link is enabled when you generate the CSR for the first time.

If you don't want to use the existing CSR, delete the existing request.

  1. In the table, locate the request that you want to delete.

  2. Under Action, click Delete for that request.

  3. In the Warning dialog box, click OK.

    The + New Certificate Request (CSR) link is enabled.

Step 3

In the New Certificate Request (CSR) slide-in pane, create the CSR.

  1. Under Used For, check the check boxes to indicate whether the CSR is for the controller, disaster recovery, or both.

  2. Enter the values for these required fields:

    • Key Algorithm: The algorithm used to generate the key.

    • Digest: The digest algorithm used to secure and verify the CSR.

    • Key Length: The certificate key's bit size.

    • Common Name: The server's IP address, hostname, or FQDN.

    • Key Usage: Purpose of the certificate's key. See RFC 5280, Section 4.2.1.3 for a description of the available values.

    • Extended Key Usage: Additional purpose of the certificate's key. See RFC 5280, Section 4.2.1.12 for a description of the available values.

    In the New Certificate Request (CSR) slide-in pane, required and optional fields are displayed to create the CSR.

  3. Click Next to generate the CSR.

Step 4

In the Certificate Signing Request slide-in pane, download a copy of the CSR.

  1. Click Download CSR.

    The CSR is downloaded locally as a Base64 file.

  2. Click Done.

A new CSR is opened in the Certificate Signing Request slide-in pane.

Step 5

Submit a certificate request to the CA and download the issuer CA chain from the CA.

For example, you can submit a certificate request using Microsoft Active Directory Certificate Services by following these steps.

  1. Copy the CSR that you just downloaded.

  2. Open Active Directory Certificate Services in a new browser window.

  3. On the Welcome page, click Request a certificate.

  4. On the Request a Certificate page, click advanced certificate request.

  5. On the Submit a Certificate Request or Renewal Request page, paste the request in the Saved Request field, select a certificate template, and click Submit.

    Ensure that the selected certificate template is configured for both client and server authentication.

    CSR downloaded and pasted into a CA.

  6. On the Certificate Issued page, select how you want the certificate encoded and click Download certificate chain.

    The certificate chain is downloaded from the CA.

    The certificate is issued as either DER encoded or Base 64 encoded.

Step 6

Confirm that the certificate issuer provided the full certificate chain (server and CA) in p7b format. When in doubt, complete these steps to examine and assemble the chain:

  1. Download the p7b bundle in DER format and save it as server-cert-chain.p7b.

  2. Enter this command:

    openssl pkcs7 -in server-cert-chain.p7b -inform DER -out server-cert-chain.pem -print_certs

Step 7

In the Catalyst Center GUI, in the System Certificates window, click + Import Certificate.

Step 8

In the Import Certificate slide-in pane, import the signed certificate, concatenated with its issuing CA chain, into Catalyst Center.

  1. Under Used For, check the check boxes to indicate whether this certificate is for the controller, disaster recovery, or both.

    The Import Certificate slide-in pane displays information about how to upload a certificate.

  2. Under Type, select the file format type for the certificate:

    • PEM Chain (Privacy-enhanced mail file format): Click PEM Chain.

      If the certificate issuer provides the certificate and its issuer CA chain in loose files, complete these steps.

      1. Gather the PEM (base64) files or use OpenSSL to convert DER files to the PEM format.

      2. Concatenate the certificate and its issuer CA, starting with the certificate, followed by subordinate CA, all the way to the root CA, and output it to the server-cert-chain.pem file.

        cat certificate.pem subCA.pem rootCA.pem > server-cert-chain.pem

    • PKCS (Public-Key Cryptography Standard file format): Click PKCS.

      Note

      The PKCS file type is disabled if you chose the + New Certificate Request (CSR) option to request a certificate.

  3. Upload the file based on its type.

    If you upload a PEM file and, if applicable, the private key:

    1. Drag and drop the PEM and private key files.

      Note

      • A PEM file must have a valid PEM format extension (.pem, .cer, or .crt). The maximum file size for the certificate is 1 MB.

      • Private keys must have a valid private key format extension (.key). The maximum file size for the private key is 1 MB.

      • If you used + New Certificate Request (CSR) to create a CSR, there is no private key to import. The private key is stored within Catalyst Center.

      After the upload succeeds, the system certificate and private key are validated.

    2. For the private key, under Encrypted, indicate whether the private key is encrypted.

      If you indicate Yes, enter the password for the private key in the Password field.

    If you upload a PKCS file:

    1. In the Bundle Password field, enter the password for the certificate.

    2. Drag and drop the PKCS file.

      Note

      A PKCS file must have a valid PKCS format extension (.pfx or .p12). The maximum file size for the certificate is 1 MB.

      After the upload succeeds, the system certificate is validated.

  4. Click Save.

Step 9

After logging back in to Catalyst Center, go to the System Certificates window to view the updated certificate data.

Under Used For, click the hyperlinked text for the updated certificate to view a slide-in pane with information about the issuer, CA, and valid dates.


Manage device certificates

You can view and manage certificates that are issued by Catalyst Center for managed devices to authenticate and identify the devices.

As a best practice, when a device is no longer managed by Catalyst Center (for example, because the device is lost or no longer active), revoke or delete the device certificate.

Procedure


Step 1

From the main menu, choose System > Settings > Certificates > Device Certificates.

The Device Certificate window shows the status of issued certificates in separate status tabs:

  • Expired: Shows the list of expired certificates.

  • Expiring: Shows the list of certificates that are nearing the expiry date in ascending order.

  • All: Shows the list of valid, expired, and expiring certificates.

  • Revoked: Shows the list of revoked certificates.

Step 2

To revoke a valid certificate:

  1. Click All.

  2. In the Actions column, click the Revoke icon that corresponds to the certificate that you want to revoke.

  3. In the confirmation window, click OK.

Step 3

To delete an expired certificate:

  1. Click All.

  2. In the Actions column, click the Delete icon that corresponds to the certificate that you want to delete.

  3. In the confirmation window, click OK.

Step 4

If you want to export the certificate details, click Export.

The certificate details are exported in CSV format.


Configure the device certificate lifetime

Catalyst Center lets you change the certificate lifetime of network devices that the private (internal) Catalyst Center CA manages and monitors. The Catalyst Center default value for the certificate lifetime is 365 days. After the certificate lifetime value is changed using the Catalyst Center GUI, network devices that subsequently request a certificate from Catalyst Center are assigned this lifetime value.


Note


The device certificate lifetime value cannot exceed the CA certificate lifetime value. Also, if the remaining lifetime of the CA certificate is less than the configured device's certificate lifetime, the device receives a certificate lifetime value equal to the remaining CA certificate lifetime.


Procedure


Step 1

From the main menu, choose System > Settings > Certificates > Device Certificates.

Step 2

Review the device certificate and the current device certificate lifetime.

Step 3

In the Device Certificates window, click Modify.

Step 4

In the Device Certificates Lifetime dialog box, enter the new value in days.

Step 5

Click Save.


Certificate authority

A certificate authority (CA) is an entity that manages the certificates and keys that are used to establish and secure server-client connections. Catalyst Center provides a private (internal) Catalyst Center CA, which acts as the device CA. This Catalyst Center CA can either operate as a root CA or be configured as a subordinate CA; the change to a subordinate CA cannot be reversed.

Change the role of the certificate authority from root to subordinate

The device CA, a private CA that is provided by Catalyst Center, manages the certificates and keys that are used to establish and secure server-client connections. To change the role of the device CA from a root CA to a subordinate CA, complete this procedure.

You can change the role of the private (internal) Catalyst Center CA from a root CA to a subordinate CA using the Certificate Authority window in the GUI. When making this change:

  • If you want to have Catalyst Center act as a subordinate CA, ensure that you have a root CA, for example, Microsoft CA, and agree to use its certificate.

  • As long as the subordinate CA is not fully configured, Catalyst Center continues to operate as an internal root CA.

  • Generate a Certificate Signing Request file for Catalyst Center and ensure it is manually signed by your external root CA, as described in this procedure.


    Note


    Catalyst Center continues to run as an internal root CA during this time period.


  • After the Certificate Signing Request is signed by the external root CA, this signed file must be imported back into Catalyst Center using the GUI (as described in this procedure).

    After the import, Catalyst Center initializes itself as the subordinate CA and provides all the existing functionalities of a subordinate CA.

  • When you switch a CA's role from root to subordinate, the old CA is retired and the new subordinate CA's PKI chain takes over. The revocation list is published by a CA, and after the CA is retired, revocation is moot since trust cannot be established. If your organization's policy mandates that unused certificates are revoked first, you can revoke the certificate from the GUI's Device Certificates window before switching the CA's role from root to subordinate.

    Device controllability (enabled by default) automatically updates the device with a new certificate chain, sourced from the subordinate CA. New telemetry connections authenticate only with this new certificate chain, which aligns with the trusted subordinate CA on the authenticator side.

  • The subordinate CA certificate lifetime displayed in the GUI is read directly from the certificate and is not calculated using the system time. Therefore, if you install a certificate with a lifespan of 1 year today and look at it in the GUI the same time next year, the GUI will still show that the certificate has a 1-year lifetime.

  • The subordinate CA certificate must be in PEM or DER format only.

  • The subordinate CA does not interact with the higher CAs; therefore, it is not aware of any revocation of certificates at a higher level, and no information about such revocations is communicated from the subordinate CA to the network devices. Because the subordinate CA lacks this information, all the network devices use only the subordinate CA as the CRL Distribution Points (CDP) source.

  • If you use EAP-Transport Layer Security (EAP-TLS) authentication for AP profiles in Plug and Play (PnP), you cannot use a subordinate CA. You can only use a root CA.

Before you begin

You must have a copy of the root CA certificate.

Procedure

Step 1

From the main menu, choose System > Settings > Certificate Authority.

Step 2

Click the CA Management tab.

Step 3

Review the existing root or subordinate CA certificate configuration information from the GUI:

  • Root CA Certificate: Displays the current root CA certificate (either external or internal).

  • Root CA Certificate Lifetime: Displays the current lifetime value of the current root CA certificate, in days.

  • Current CA Mode: Displays the current CA mode (root CA or subordinate CA).

  • SubCA Mode: Enables a change from a root CA to a subordinate CA.

Step 4

In the CA Management tab, click the Enable SubCA Mode button.

Step 5

Review the warnings that are displayed, for example:

  • Changing from root CA to subordinate CA is a process that cannot be reversed.

  • You must ensure that no network devices have been enrolled or issued a certificate in root CA mode. Revoke any devices enrolled in root CA mode before changing to subordinate CA.

  • Network devices must come online only after the subordinate CA configuration process finishes.

Step 6

Click OK to proceed.

Step 7

Drag and drop your root CA certificate into the Import External Root CA Certificate Chain field and click Upload.

The root CA certificate is uploaded into Catalyst Center and used to generate a Certificate Signing Request.

After the upload process finishes, a Certificate Uploaded Successfully message is displayed.

Step 8

Click Next.

Catalyst Center generates and displays the Certificate Signing Request.

Step 9

View the Catalyst Center-generated Certificate Signing Request in the GUI and do one of these actions:

  • Click the Download link to download a local copy of the Certificate Signing Request file.

    You can then attach this Certificate Signing Request file to an email to send to your root CA.

  • Click the Copy to the Clipboard link to copy the Certificate Signing Request file's content.

    You can then paste this Certificate Signing Request content to an email or include it as an attachment to an email and send it to your root CA.

Step 10

Send the Certificate Signing Request file to your root CA.

Your root CA will then return a subordinate CA file, which you must import back into Catalyst Center.

Step 11

After receiving the subordinate CA file from your root CA, access the Catalyst Center GUI again and return to the Certificate Authority window.

Step 12

Click the CA Management tab.

Step 13

Click Yes for the Change CA mode button.

After you click Yes, the GUI displays the Certificate Signing Request.

Step 14

Click Next.

The Certificate Authority window displays the Import SubCA Certificate field.

Step 15

Drag and drop your subordinate CA certificate into the Import SubCA Certificate field and click Apply.

The subordinate CA certificate is uploaded into Catalyst Center.

After the upload finishes, the GUI displays the subordinate CA mode under the CA Management tab.

Step 16

Review the fields under the CA Management tab:

  • Sub CA Certificate: Displays the current subordinate CA certificate.

  • External Root CA Certificate: Displays the root CA certificate.

  • Sub CA Certificate Lifetime: Displays the lifetime value of the subordinate CA certificate, in days.

  • Current CA Mode: Displays SubCA mode.


Provision a rollover subordinate CA certificate

Catalyst Center lets you apply a subordinate certificate as a rollover subordinate CA when 70 percent of the existing subordinate CA lifetime has elapsed.

Before you begin

  • To initiate subordinate CA rollover provisioning, you must have changed the certificate authority role to subordinate CA mode. See Change the role of the certificate authority from root to subordinate.

  • 70 percent or more of the lifetime of the current subordinate CA certificate must have elapsed. When this occurs, Catalyst Center displays a Renew button under the CA Management tab.

  • You must have a signed copy of the rollover subordinate CA certificate.

Procedure

Step 1

From the main menu, choose System > Settings > Certificates > Certificate Authority.

Step 2

In the CA Management tab, review the CA certificate configuration information:

  • Subordinate CA Certificate: Displays the current subordinate CA certificate.

  • External Root CA Certificate: Displays the root CA certificate.

  • Subordinate CA Certificate Lifetime: Displays the lifetime value of the current subordinate CA certificate, in days.

  • Current CA Mode: Displays SubCA mode.

Step 3

Click Renew.

Catalyst Center uses the existing subordinate CA to generate and display the rollover subordinate CA Certificate Signing Request.

Step 4

View the generated Certificate Signing Request in the GUI and do one of these actions:

  • Click the Download link to download a local copy of the Certificate Signing Request file.

    You can then attach this Certificate Signing Request file to an email to send it to your root CA.

  • Click the Copy to the Clipboard link to copy the content of the Certificate Signing Request file.

    You can then paste this Certificate Signing Request content to an email or include it as an attachment to an email and send it to your root CA.

Step 5

Send the Certificate Signing Request file to your root CA.

Your root CA will then return a rollover subordinate CA file that you must import back into Catalyst Center.

The Certificate Signing Request for the subordinate CA rollover must be signed by the same root CA that signed the subordinate CA certificate you imported when you switched from RootCA mode to SubCA mode.

Step 6

After receiving the rollover subordinate CA file from your root CA, return to the Certificate Authority window.

Step 7

Click the CA Management tab.

Step 8

In the pane that displays the Certificate Signing Request, click Next.

The Certificate Authority window displays the Import Sub CA Certificate field.

Step 9

Drag and drop your rollover subordinate CA certificate into the Import Sub CA Certificate field and click Apply.

The rollover subordinate CA certificate is uploaded into Catalyst Center.

After the upload finishes, the Renew button under the CA Management tab is disabled.
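
Before importing the file your root CA returns in Step 9, it is worth checking it offline. The following POSIX shell script is an added example written for this page, not Cisco code and not part of the original procedure. Using openssl, it performs the two checks that the requirement above implies: the candidate certificate must verify against the external root CA, and its issuer must match the issuer of the subordinate CA currently in use, so a rollover signed by any other root is rejected. It also computes the percentage of a certificate's validity period that has elapsed, which is the quantity the 70 percent Renew threshold is measured against. The demo PKI it builds in a temporary directory (a root, the current sub-CA, a genuine rollover and a rollover from an unrelated root) is constructed for illustration; the cert_pct_elapsed helper assumes GNU date (Linux).

```shell
#!/bin/sh
# Added example, not Cisco code: sanity-check a rollover subordinate CA
# certificate before importing it into Catalyst Center.
set -eu

mk_root() {  # $1 file prefix, $2 CN: self-signed root CA
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.crt" -subj "/CN=$2" -days 3650 2>/dev/null
}

mk_sub() {   # $1 root prefix, $2 sub prefix, $3 CN: CSR signed by that root
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -out "$2.crt" -days 365 2>/dev/null
}

# Constructed demo PKI in a temp dir: the external root, the sub-CA it signed
# (what Catalyst Center runs today), a genuine rollover signed by the same
# root, and a rollover signed by an unrelated root that must be rejected.
setup_demo_pki() {
  WORK=$(mktemp -d)
  mk_root "$WORK/root"  "Demo External Root CA"
  mk_root "$WORK/other" "Unrelated Root CA"
  mk_sub  "$WORK/root"  "$WORK/sub-current"  "Catalyst Center Sub CA"
  mk_sub  "$WORK/root"  "$WORK/sub-rollover" "Catalyst Center Sub CA"
  mk_sub  "$WORK/other" "$WORK/sub-rogue"    "Catalyst Center Sub CA"
}

# rollover_ok ROOT CURRENT_SUBCA CANDIDATE: 0 only if CANDIDATE verifies
# against ROOT and names the same issuer as CURRENT_SUBCA.
rollover_ok() {
  openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 || return 1
  cur=$(openssl x509 -noout -issuer -in "$2")
  new=$(openssl x509 -noout -issuer -in "$3")
  [ "$cur" = "$new" ]
}

# Integer percentage of a validity period that has elapsed at "now".
pct_elapsed() {  # $1 notBefore epoch, $2 notAfter epoch, $3 now epoch
  echo $(( ($3 - $1) * 100 / ($2 - $1) ))
}

# Same for a PEM file. Assumes GNU date (Linux) to parse openssl's date text.
cert_pct_elapsed() {
  nb=$(date -u -d "$(openssl x509 -noout -startdate -in "$1" | cut -d= -f2)" +%s)
  na=$(date -u -d "$(openssl x509 -noout -enddate   -in "$1" | cut -d= -f2)" +%s)
  pct_elapsed "$nb" "$na" "$(date -u +%s)"
}

setup_demo_pki
for cand in sub-rollover sub-rogue; do
  if rollover_ok "$WORK/root.crt" "$WORK/sub-current.crt" "$WORK/$cand.crt"; then
    echo "$cand: chains to the same root as the current sub-CA, safe to import"
  else
    echo "$cand: does NOT chain to the expected root, do not import"
  fi
done
echo "current sub-CA lifetime elapsed: $(cert_pct_elapsed "$WORK/sub-current.crt")% (Renew appears at 70%)"
```

openssl verify treats the candidate as an end-entity certificate, so this script checks the chain and the issuer but not that the file is itself a CA certificate; inspect its basicConstraints with openssl x509 -noout -text before importing if the root CA operator has not confirmed that.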


Use an external SCEP broker

Catalyst Center uses the Simple Certificate Enrollment Protocol (SCEP) for enrollment and the provisioning of certificates to network devices. You can use the Catalyst Center internal certificate authority and SCEP broker, or you can use an external SCEP broker. To set up an external SCEP broker, complete this procedure:


Note


For more information regarding SCEP, see Simple Certificate Enrollment Protocol Overview.


Procedure

Step 1

From the main menu, choose System > Settings > Certificates > Certificate Authority.

Step 2

In the Certificate Authority window, click the Use external SCEP broker radio button.

Step 3

Use one of these options to upload an external certificate:

  • Choose a file
  • Drag and drop to upload

Note

Only .pem, .crt, and .cer files are accepted. The file size cannot exceed 1 MB.

Step 4

Click Upload.

Step 5

By default, Manages Device Trustpoint is enabled, meaning Catalyst Center configures the sdn-network-infra-iwan trustpoint on the device. You must complete these steps:

  1. Enter the enrollment URL where the device requests the certificate via SCEP.

  2. (Optional) Enter subject fields for the certificate, such as country, locality, state, organization, and organizational unit. The common name (CN) is configured automatically by Catalyst Center from the device platform ID and device serial number.

  3. In the Revocation Check field, click the drop-down list and choose the appropriate revocation check option.

  4. (Optional) Check the Auto Renew check box and enter an auto enrollment percentage, that is, the percentage of the certificate lifetime after which the device re-enrolls.

If Manages Device Trustpoint is disabled, for devices to send wired and wireless Assurance telemetry to Catalyst Center, you must manually configure the sdn-network-infra-iwan trustpoint on the device and then import a certificate. See Configure the Device Certificate Trustpoint.

Step 6

Click Save.

The external CA certificate is uploaded.

If you want to replace the uploaded external certificate, click Replace Certificate and enter the required details.


Switch back to an internal certificate authority

After uploading an external certificate, to switch back to the internal certificate:

Procedure

Step 1

From the main menu, choose System > Settings > Certificates > Certificate Authority.

Step 2

In the Certificate Authority window, click the Use Catalyst Center radio button.

Step 3

In the Switching back to Internal Certificate Authority alert, click Apply.

The Settings have been updated message appears. For more information, see Change the role of the certificate authority from root to subordinate.


Export the Catalyst Center certificate authority

Catalyst Center lets you download its device CA certificate, which an external entity such as a AAA server or Cisco ISE needs in order to authenticate the device certificates that Catalyst Center issues.

Procedure

Step 1

From the main menu, choose System > Settings > Certificates > Certificate Authority.

Step 2

Click Download to export the device CA certificate, then add it as a trusted CA on each external entity that must authenticate the devices.


Configure the device certificate trustpoint

If Manages Device Trustpoint is disabled in Catalyst Center, for devices to send wired and wireless Assurance telemetry to Catalyst Center, you must manually configure the sdn-network-infra-iwan trustpoint on the device and then import a certificate.

This manual configuration procedure is required to enroll from an external CA via SCEP.

Procedure


Step 1

Enter the following commands in global configuration mode. Because SCEP enrollment runs over plain HTTP, the fingerprint line is what authenticates the CA to the device: obtain the CA certificate fingerprint out of band from the CA operator, not from the enrollment URL itself.

crypto pki trustpoint sdn-network-infra-iwan
  enrollment url http://<SCEP_enrollment_URL_to_external_CA>
  fqdn <device_FQDN>
  subject-name CN=<device_platform_ID>_<device_serial_number>_sdn-network-infra-iwan
  revocation-check <crl | crl none | none>   ! crl: check the CRL; crl none: check the CRL but fall back to no check; none: no check
  rsakeypair sdn-network-infra-iwan
  fingerprint <CA_fingerprint>   ! reject the CA reached at the enrollment URL unless its certificate matches this fingerprint

Step 2

(Optional, but recommended) Still in trustpoint configuration mode, renew the certificate automatically to avoid certificate expiry:

auto-enroll 80 regenerate   ! re-enroll with a new key pair when 80 percent of the certificate lifetime has elapsed

Step 3

(Optional) Specify the source interface to use for reaching the enrollment URL. If you omit this, the source interface of the HTTP client is used.

source interface <interface>

Configure trusted certificates

Catalyst Center contains a preinstalled Cisco trusted certificate bundle (Cisco Trusted External Root Bundle). Catalyst Center also supports the import and storage of an updated trusted certificate bundle from Cisco. The trusted certificate bundle is used by supported Cisco networking devices to establish a trust relationship with Catalyst Center and its applications.


Note


The Cisco trusted certificate bundle is a file called ios.p7b that only supported Cisco devices can unbundle and use. This ios.p7b file contains root certificates of valid certificate authorities, including Cisco. This Cisco trusted certificate bundle is available on the Cisco cloud (Cisco InfoSec). The bundle is located at https://www.cisco.com/security/pki/.


The trusted certificate bundle provides you with a safe and convenient way to use the same CA to manage all your network device certificates, as well as your Catalyst Center certificate. Catalyst Center uses the trusted certificate bundle to validate its own certificate and any proxy gateway certificate and to determine whether the certificates are valid CA-signed certificates. Additionally, the trusted certificate bundle is available for upload to Network PnP-enabled devices at the beginning of their PnP workflow so that they can trust Catalyst Center for subsequent HTTPS-based connections.

You import the Cisco trusted bundle using the Trusted Certificates window in the GUI.

Procedure


Step 1

From the main menu, choose System > Settings > Certificates > Trusted Certificates.

Step 2

In the Trusted Certificates window, click the Update trusted certificates now hyperlink to initiate a new download and install of the trusted certificate bundle.

The hyperlink is displayed on the window only when an updated version of the ios.p7b file is available and internet access is available.

After the new trusted certificate bundle is downloaded and installed on Catalyst Center, Catalyst Center makes this trusted certificate bundle available to supported Cisco devices for download.

Step 3

If you want to import a new certificate file, click Import, choose a valid certificate file from your local system, and click Import in the Import Certificate window.

Step 4

Click Export to export the certificate details in CSV format.


About restricted shell

To reduce operational risk to the underlying operating system and files, Catalyst Center provides a default restricted shell with access to only these commands:

$ ?
Help:
  cat                  concatenate and print files in restricted mode
  clear                clear the terminal screen
  date                 display the current time in the given FORMAT, or set the system date
  debug                enable console debug logs
  df                   file system information
  dmesg                print or control the kernel ring buffer.
  du                   summarize disk usage of the set of FILEs, recursively for directories.
  free                 quick summary of memory usage
  history              enable shell commands history
  htop                 interactive process viewer.
  ip                   print routing, network devices, interfaces and tunnels.
  last                 show a listing of last logged in users.
  ls                   restricted file system view chrooted to maglev Home
  lscpu                print information about the CPU architecture.
  magctl               tool to manage a Maglev deployment
  maglev               maglev admin commands
  maglev-config        tool to configure a Maglev deployment
  manufacture_check    tool to perform manufacturing checks
  netstat              print networking information.
  nslookup             query Internet name servers interactively.
  ntpq                 standard NTP query program.
  ping                 send ICMP ECHO_REQUEST to network hosts.
  ps                   check status of active processes in the system
  rca                  root cause analysis collection utilities
  reboot               Reboot the machine
  rm                   delete files in restricted mode
  route                print the IP routing table.
  runonce              Execute runonce scripts
  scp                  restricted secure copy
  sftp                 secure file transfer
  shutdown             Shutdown the machine
  ssh                  OpenSSH SSH client.
  tail                 Print the last 10 lines of each FILE to standard output
  top                  display sorted list of system processes
  traceroute           print the route packets trace to network host.
  uname                print system information.
  uptime               tell how long the system has been running.
  vi                   text editor
  w                    show who is logged on and what they are doing.

To obtain root shell access, you must contact the Cisco TAC. Access the root shell only temporarily to facilitate troubleshooting.

About product telemetry

Product telemetry data is collected by default in Catalyst Center, but you can opt out of some data collection. The data collection is designed to help the development of product features and address operational issues, providing greater value and return on investment (ROI). Cisco collects the following categories of data: Cisco.com ID, System, Feature Usage, Network Device Inventory, and License Entitlement. See the Cisco Catalyst Center Data Sheet for a more expansive list of the data that Cisco collects. To opt out of some data collection, contact your Cisco account representative and the Cisco Technical Assistance Center (TAC).

From the main menu, choose System > Settings > Terms and Conditions > Product Telemetry. You can review the license agreement, the privacy statement, and the privacy data sheet from the Product Telemetry window.

Account lockout

You can configure the account lockout policy to manage user login attempts, account lockout period, and number of login retries.

Procedure


Step 1

From the main menu, choose System > Settings > Trust & Privacy > Account Lockout.

Step 2

Click the Enforce Account Lockout toggle button so that you see a check mark.

Step 3

Enter values for these Enforce Account Lockout parameters:

  • Maximum Login Retries

  • Lockout Effective Periods (minutes)

  • Reset Login Retries after (minutes)

Note

Hover your cursor over Info to view details for each parameter.

Step 4

Select the Idle Session Timeout value (the duration after which the session expires and users are redirected to the login page). The default is 1 hour.

Step 5

Click Save.

If you leave the session idle, a Session Timeout dialog box appears five minutes before the session timeout.

To continue, do one of these tasks:

  • If you want to continue the session, click Stay signed in.

  • To end the session immediately, click Sign out.


Password expiry

You can configure the password expiration policy to manage:

  • Password expiration frequency

  • Number of days that users are notified before their password expires

  • Grace period

Procedure


Step 1

From the main menu, choose System > Settings > Trust & Privacy > Password Expiry.

Step 2

Click the Enforce Password Expiry toggle button so that you see a check mark.

Step 3

Enter values for the following Enforce Password Expiry parameters:

  • Password Expiry Period (days)

  • Password Expiration Warning (days)

  • Grace Period (days)

Note

Hover your cursor over Info to view details for each parameter.

Step 4

Click Save to set the password expiry settings.


IP access control

IP access control allows you to control the access to Catalyst Center based on the IP address of the host or network. This feature controls access to the Catalyst Center GUI only; this feature doesn’t control enterprise-wide network access.

Catalyst Center provides options for IP access control, including:

  • Allow all IP addresses to access Catalyst Center (the default).

  • Allow only selected IP addresses to access Catalyst Center.

Configure IP access control

To configure IP access control and allow only selected IP addresses to access Catalyst Center:

  1. Enable IP access control

  2. Add an IP address to the IP access list

  3. (Optional) Delete an IP address from the IP access list

Enable IP access control

Before you begin
  • Ensure that you have SUPER-ADMIN-ROLE permissions.

  • Add the Catalyst Center services subnet, cluster service subnet, and cluster interface subnet to the list of allowed subnets.

Procedure

Step 1

From the main menu, choose System > Settings > Trust & Privacy > IP Access Control.

Step 2

Click the Allow only listed IP addresses to connect radio button.

Step 3

Click Add IP List.

Step 4

In the IP Address field of the Add IP slide-in pane, enter your IPv4 address.

Note

If you don't add the IP address of the host you are connecting from to the IP access list, you will lose access to Catalyst Center as soon as the list is enforced.

Step 5

In the Subnet Mask field, enter the prefix length of the network.

The valid range is 0 through 32; use 32 for a single host.

Step 6

Click Save.
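
The lockout warning in Step 4 is easy to check for mechanically. The following POSIX shell script is an added example written for this page, not Cisco code and not part of the original procedure: it models the access list as network/prefix entries exactly as the IP Address and Subnet Mask fields define them (prefix length 0 through 32, a bare address meaning /32), matches a client address against the list, and refuses the switch to "Allow only listed IP addresses" unless the address you are administering from is covered. The sample list is constructed from RFC 1918 and documentation ranges as stand-ins for the services, cluster service and cluster interface subnets named under "Before you begin"; it is not a real Catalyst Center subnet layout, and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not Cisco code: model the IP access list as network/prefix
# entries and refuse to switch to "allow only listed" unless the address you
# administer from is covered.
set -eu

# Dotted-quad IPv4 -> 32-bit integer; returns 1 for anything malformed
# (wrong octet count, non-digits, octets above 255, leading zeros).
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|*[!0-9]*|0?*) return 1;; esac
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length 0..32 (the GUI's Subnet Mask field) -> 32-bit network mask.
prefix2mask() {
  case "$1" in ''|*[!0-9]*) return 1;; esac
  [ "$1" -le 32 ] || return 1
  [ "$1" -eq 0 ] && { echo 0; return 0; }
  echo $(( (4294967295 << (32 - $1)) & 4294967295 ))
}

# ip_allowed ADDR "NET/LEN NET/LEN ...": 0 if ADDR falls in any entry,
# 1 if not, 2 if ADDR itself is malformed. A bare address means /32.
ip_allowed() {
  ip=$(ip2int "$1") || return 2
  for entry in $2; do
    net=${entry%/*}; len=${entry#*/}
    [ "$entry" = "$net" ] && len=32
    n=$(ip2int "$net") || continue      # skip unparsable entries
    m=$(prefix2mask "$len") || continue
    [ $(( ip & m )) -eq $(( n & m )) ] && return 0
  done
  return 1
}

# Guard for Step 2 ("Allow only listed IP addresses to connect"): if the host
# you are logged in from is not on the list, enabling the list locks you out.
safe_to_enable() {  # $1 address you are connecting from, $2 allow list
  if ip_allowed "$1" "$2"; then
    echo "ok: $1 is covered, safe to enable"
  else
    echo "refusing: $1 is not in the allow list; enabling would lock you out" >&2
    return 1
  fi
}

# Constructed sample list (placeholder RFC 1918 and documentation ranges, not a
# real deployment): stand-ins for the services, cluster service and cluster
# interface subnets named under "Before you begin", plus one admin jump host.
ALLOW_LIST="10.0.0.0/8 172.16.0.0/12 192.0.2.10/32"

safe_to_enable 192.0.2.10   "$ALLOW_LIST"
safe_to_enable 198.51.100.7 "$ALLOW_LIST" || true
```

Run it with the address shown for your own session (for example, the client address in the browser's connection details or in the Catalyst Center audit log) substituted for the first argument, and with your real list in ALLOW_LIST, before you click Save.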


Add an IP address to the IP access list

To add more IP addresses to the IP access list:

Before you begin

Ensure that you enable IP access control. For more information, see Enable IP access control.

Procedure

Step 1

From the main menu, choose System > Settings > Trust & Privacy > IP Access Control.

Step 2

Click Add.

Step 3

In the IP Address field of the Add IP slide-in pane, enter the IPv4 address of the host or network.

Step 4

In the Subnet Mask field, enter the prefix length of the network.

The valid range is 0 through 32; use 32 for a single host.

Step 5

Click Save.


Delete an IP address from the IP access list

To delete an IP address from the IP access list and disable its access to Catalyst Center:

Before you begin

Ensure that you have enabled IP access control and added IP addresses to the IP access list. For more information, see Enable IP access control and Add an IP address to the IP access list.

Procedure

Step 1

From the main menu, choose System > Settings > Trust & Privacy > IP Access Control.

Step 2

In the Action column, click the Delete icon for the corresponding IP address.

Step 3

Click Delete.


Disable IP access control

To disable IP access control and allow all IP addresses to access Catalyst Center:

Before you begin

Ensure that you have SUPER-ADMIN-ROLE permissions.

Procedure


Step 1

From the main menu, choose System > Settings > Trust & Privacy > IP Access Control.

Step 2

Click the Allow all IP addresses to connect radio button.