Overview

Lists the internet addresses Catalyst Center must be able to access.

You must provide secure access to the required URLs and Fully Qualified Domain Names (FQDNs) for the appliance to function.

This table describes the features that make use of each URL and FQDN. You must configure either your network firewall or a proxy server so that IP traffic can travel to and from the appliance and these resources.

Caution

If you do not provide access to the listed URLs and FQDNs, the associated features will not work as intended.

Note

The appliance interface configured to route internet-bound traffic serves as the source for all communications.

Since the destination domain names for third-party vendors may change without notice, it is mandatory to specify them using wildcards.

For more information about internet proxy access requirements, see Provide secure access to the internet.

Table 1. Required URLs and FQDN access
In order to...	...Catalyst Center must access these URLs and FQDNs
Download updates for system software and application packages, and submit user feedback to the product team.	Recommended: *.ciscoconnectdna.com:443¹ To avoid wildcards, specify these URLs instead: https://www.ciscoconnectdna.com https://cdn.ciscoconnectdna.com https://registry.ciscoconnectdna.com https://registry-cdn.ciscoconnectdna.com https://app-cdn.ciscoconnectdna.com
Submit user feedback to the product team.	https://dnacenter.uservoice.com
Cisco Catalyst Center update package.	https://.ciscoconnectdna.com/ .cloudfront.net .tesseractcloud.com
Smart Account and SWIM software downloads.	https://apx.cisco.com https://cloudsso.cisco.com/as/token.oauth2 https://.cisco.com/ https://download-ssc.cisco.com/
Authenticate with the cloud domain.	https://dnaservices.cisco.com
Integrate with ThousandEyes.	Version 3.1.6 and later: app.thousandeyes.com This URL uses AWS and might map to .awsglobalaccelerator.com. Other services that might use AWS could also map to the AWS domain. api.thousandeyes.com Version 3.1.5 and earlier: .awsglobalaccelerator.com api.thousandeyes.com
Allow API calls to enable access to Cisco CX Cloud Success Tracks. Otherwise, the enhancements made to extended configuration-based scanning for the Security Advisories, Bug Identifier, and EOX features that Machine Reasoning Engine (MRE) supports will not operate as expected.	https://api-cx.cisco.com
Integrate with Webex.	http://analytics.webexapis.com https://webexapis.com
User feedback.	https://dnacenter.uservoice.com
Connectivity with Cisco Catalyst Cloud and apps hosted there (e.g. AppX MS Teams Integration, Talos integration).	*.cisco.com:443 Otherwise, specific FQDNs are: neoffers.cisco.com neoffers-de.cisco.com neoffers-sg.cisco.com dnaservices.cisco.com
Integrate with Cisco Meraki.	(Version 3.1.5 and earlier) Recommended: .dashboard.meraki.com .meraki.com Customers who want to avoid wildcards can specify this URL instead: api.meraki.com:443
Integrate with Cisco Meraki.	(Version 3.1.6 and later) Recommended: *.meraki.com:443 Customers who want to avoid wildcards can specify these URLs instead: dashboard.meraki.com:443 api.meraki.com:443
Check SSL/TLS certificate revocation status using OCSP/CRL.	Version 3.1.5 and earlier: http://validation.identrust.com/crl/hydrantidcao1.crl http://commercial.ocsp.identrust.com .lencr.org (necessary for Catalyst Center to connect with Cisco Umbrella) Version 3.1.6 and later: http://validation.identrust.com http://commercial.ocsp.identrust.com Note* These URLs must be reachable both directly and through the proxy server configured for Catalyst Center.
Allow Cisco authorized specialists to collect troubleshooting data when Catalyst Center Remote Support functionality is enabled.	wss://prod.radkit-cloud.cisco.com:443
Integrate with cisco.com and Cisco Smart Licensing.	*.cisco.com:443 To avoid wildcards, specify these URLs instead: software.cisco.com cloudsso.cisco.com cloudsso1.cisco.com cloudsso2.cisco.com apiconsole.cisco.com api.cisco.com apx.cisco.com smartreceiver.cisco.com sso.cisco.com apmx-prod1-vip.cisco.com apmx-prod2-vip.cisco.com Version 3.1.6 and later: tools.cisco.com Version 3.1.6 and later: tools1.cisco.com Version 3.1.6 and later: tools2.cisco.com
Connect to the Network-Based Application Recognition (NBAR) cloud.	prod.sdavc-cloud-api.com:443
Enable the Rogue Management application to detect rogue vendor names.	Version 3.1.5 and earlier: https://standards-oui.ieee.org/oui/oui.txt Version 3.1.6 and later: https://standards-oui.ieee.org/
Enable the Rogue Management application to detect rogue vendor names.	Version 3.1.6 and later: https://standards-oui.ieee.org/
Render accurate information in site and location maps.	www.mapbox.com Version 3.1.5 and earlier: .mapbox.com/:443. For a proxy, the destination is .mapbox.com/ Version 3.1.6 and later: .tiles.mapbox.com/ :443. For a proxy, the destination is .tiles.mapbox.com/ Note These URLs are required by the browser to render maps. Browsers must support WebGL (https://webglreport.com/?v=1).
For Cisco AI Network Analytics data collection, configure your network or HTTP proxy to allow outbound HTTPS (TCP 443) access to the cloud hosts.	https://api.use1.prd.kairos.ciscolabs.com (US East Region) https://api.euc1.prd.kairos.ciscolabs.com (EU Central Region)
Access a menu of interactive help flows that let you complete specific tasks from the GUI.	https://ec.walkme.com
Access the licensing service.	https://swapi.cisco.com
Integrate with Cisco Spaces.	https://dnaspaces.io https://dnaspaces.eu https://ciscospaces.sg

¹ Cisco owns and maintains ciscoconnectdna.com and its subdomains. The Cisco Connect DNA infrastructure meets Cisco Security and Trust guidelines. It is tested for security on a continuous basis. This infrastructure is robust, with built-in load balancing and automation capabilities. A cloud operations team monitors and maintains the infrastructure to ensure continuous availability.

Required internet URLs and fully qualified domain names

Overview

Need help?