Overview
Information about securing the Catalyst Center deployment by efficiently managing the ports.
Use the table to learn which ports Catalyst Center uses, which services communicate over them, and the reasons for their use. The Recommended Action column explains if you can restrict network traffic to known IP addresses or ranges, block connections without affecting Catalyst Center functionality, or if you must keep the port open.
Outbound communications from Catalyst Center use the routable interface IP address of the node hosting a service. For multinode clusters, include each node's interface IP and VIP address in the proxy and firewall rules.
Security recommendations:
Deploy a firewall between Catalyst Center and the management or enterprise network to secure your Catalyst Center deployment using a layered approach.
Open the ports to specific IP addresses or ranges.
Some destination ports in Catalyst Center are duplicated. Review the relevant section to learn how and why to use each network service. Limit source or destination IP addresses or ranges in the firewall rules. If a service is not used in your Catalyst Center deployment, keep the port closed.
| Port | Service name | Purpose | Recommended action |
|---|---|---|---|
| Administering or configuring Catalyst Center |
|||
| TCP 443 |
UI, REST, HTTPS |
GUI, REST, HTTPS management port. |
Keep the port open. |
| TCP 2222 |
Catalyst Center shell |
Connect to the Catalyst Center shell. |
Keep the port open. Restrict the known IP address to be the source. |
| TCP 9004 |
Web UI installation |
Serves the GUI-based installation page (required only if you decide to install Catalyst Center using the web-based option). |
Keep the port open until you complete the node installation. |
| TCP 9005 |
Web UI installation API service |
Serves the API for the web-based installation (connected by the browser client from port 9004; no external agent requires access). |
Keep the port open until the cluster formation is complete. |
| Administering or configuring Cisco IMC |
|||
| TCP 22 |
Catalyst Center shell |
Connects to the Catalyst Center shell. |
Keep the port open. Configure the known IP address as the source. |
| UDP and TCP 53 |
DNS |
Used to resolve a DNS name to an IP address. |
Keep the port open if DNS names are used instead of IP addresses for other services, such as an NTP DNS name. |
| UDP and TCP 389 |
LDAP |
Cisco IMC user management LDAP. |
Optional if external user authentication via LDAP is needed. |
| TCP 443 |
UI, REST, HTTPS |
Web UI, REST, HTTPS management port. |
Keep the port open. |
| UDP and TCP 636 |
LDAPS |
Cisco IMC user management via LDAP over SSL. |
Optional if external user authentication via LDAPS is needed. |
| TCP 2068 |
HTTPS |
Remote KVM console redirect port. |
Keep the port open until you complete the node installation. |
| UDP 123 |
NTP |
Synchronize the time with an NTP server. |
Keep the port open. |
| UDP 161 |
SNMP polling/config |
SNMP server polling and configurations. |
Optional for SNMP server polling and configurations. |
| UDP 162 |
SNMP traps |
Send SNMP traps to an external SNMP server. |
Optional for a SNMP server collector. |
| UDP 514 |
Syslog |
View faults and logs on an external server. |
Optional for sending message logs to an external server. |
| Catalyst Center outbound to device and other systems | |||
| — |
ICMP |
Catalyst Center uses ICMP messages to discover network devices and troubleshoot network connectivity issues. |
Enable ICMP. |
| TCP 22 |
SSH |
Catalyst Center uses SSH to connect to network devices so that it can:
Catalyst Center also uses SSH (port 22) for automation backup to the remote sync (rsync) storage server. |
SSH must be open between Catalyst Center and the managed network. |
| TCP 23 |
Telnet |
Avoid using Telnet. Use SSH for secure communication.
|
If you must use Telnet for device management, understand that Telnet does not provide security mechanisms such as encryption. Use SSH for secure management. |
| TCP 49 |
TACACS+ |
Needed only if you are using external authentication such as Cisco ISE with a TACACS+ server. |
Open the port only if you use external authentication with a TACACS+ server. |
| TCP 80 |
HTTP |
Catalyst Center uses HTTP for trust pool updates. |
To access Cisco-supported trust pools, configure your network to allow outgoing traffic from the appliance to this URL: |
| TCP 80 |
OCSP/CRL |
Catalyst Center verifies SSL/TLS certificate revocation status using OCSP/CRL. |
Ensure these URLs are reachable directly and through the proxy server configured for Catalyst Center. If they are not reachable, Catalyst Center skips certificate revocation checks when connecting to cisco.com. |
| UDP 53 |
DNS |
Catalyst Center uses DNS to resolve hostnames. |
Keep the port open for DNS hostname resolution. |
| TCP and UDP 111, 20048, and 32767 |
NFS |
Used for Assurance backups. |
Keep the port open. |
| UDP 123 |
NTP |
Catalyst Center uses NTP to synchronize the time from the source that you specify. |
Keep the port open for time synchronization. |
| UDP 161 |
SNMP |
Catalyst Center uses SNMP to discover network devices; to read device inventory details, including device type; and for telemetry data purposes, including CPU and RAM. |
Keep the port open for network device management and discovery. |
| TCP 443 |
HTTPS |
Catalyst Center uses HTTPS for cloud-tethered upgrades. |
Keep the port open for cloud tethering, telemetry, and software upgrades. Keep the port open for Cisco ISE. |
| TCP 830 |
NETCONF |
Catalyst Center uses NETCONF for device inventory, discovery, and configuration. |
Keep the port open for network device management and discovery of devices that support NETCONF. |
| UDP 1645 or 1812 |
RADIUS |
Needed only if you are using external authentication with a RADIUS server. |
Keep the port open only if an external RADIUS server is used to authenticate user login to Catalyst Center. |
| TCP 5222, 8910 |
Cisco ISE |
Catalyst Center uses Cisco ISE XMP for PxGrid. |
Keep the port open for Cisco ISE. |
| TCP 9060 |
Cisco ISE |
Catalyst Center uses Cisco ISE ERS API traffic. |
Keep the port open for Cisco ISE. |
| Device to Catalyst Center | |||
| — |
ICMP |
Devices use ICMP messages to communicate network connectivity issues. |
Enable ICMP to allow device communication. |
| TCP 22, 80, 443 |
HTTPS, SFTP, HTTP |
Software image download from Catalyst Center through HTTPS:443, SFTP:22, HTTP:80. Certificate download from Catalyst Center through HTTPS:443, HTTP:80 (Cisco 9800 Wireless Controller, PnP), Sensor/Telemetry. JWT (auth token) fetch from Catalyst Center through HTTPS:443 (any Access Point using the Cisco Catalyst Assurance Intelligent Capture feature).
|
Ensure that firewall rules limit the source IP address for hosts or network devices granted access on these ports. For more information on HTTP 80 usage, see the "HTTP Port 80 Exception List" topic in the Cisco Catalyst Center Security Best Practices Guide. |
| UDP 67 |
BOOTP |
Used to initiate communication between a network device and Catalyst Center. |
Keep the port open. |
| UDP 123 |
NTP |
Devices use NTP for time synchronization. |
Keep the port open to allow devices to synchronize the time. |
| UDP 162 |
SNMP |
Catalyst Center receives SNMP network telemetry from devices. |
Keep the port open for data analytics based on SNMP. |
| UDP 514 |
Syslog |
Catalyst Center receives syslog messages from devices. |
Keep the port open for data analytics based on syslog. |
| 2049 |
NFS |
Used for Assurance backups. |
Keep the port open. |
| UDP 6007 |
NetFlow |
Catalyst Center receives NetFlow network telemetry from devices. |
Keep the port open for data analytics based on NetFlow. |
| TCP 9991 |
Wide Area Bonjour Service |
Catalyst Center receives multicast Domain Name System (mDNS) traffic from the Service Discovery Gateway (SDG) agents using the Bonjour Control Protocol. |
Keep the port open on Catalyst Center if the Bonjour application is installed. |
| UDP 21730 |
Application Visibility Service |
Application Visibility Service CBAR device communication. |
Keep the port open when CBAR is enabled on a network device. |
| TCP 25103 |
Cisco 9800 Wireless Controller and Cisco Catalyst 9000 switches with streaming telemetry enabled |
Used for telemetry. |
Keep the port open for telemetry connections between Catalyst Center and Catalyst 9000 devices. |
| TCP 32626 |
Intelligent Capture (gRPC) collector |
Used to establish a gRPC channel for receiving AP/client statistics and packet capture data related to the Cisco Catalyst Assurance Intelligent Capture feature. |
Keep the port open if you are using the Cisco Catalyst Assurance Intelligent Capture (gRPC) feature. |