Overview
Explains the extra ports, protocols, and network traffic required by the Cisco SD-Access infrastructure.
This topic describes the ports, protocols, and types of traffic involved in a typical Cisco SD-Access fabric deployment, similar to what is shown in the figure.
If you have implemented Cisco SD-Access in your network, use these tables to plan the firewall and security policies for your Cisco SD-Access infrastructure; this also lets Catalyst Center automate management of the network. Each table lists the flows from one source: Catalyst Center, the fabric underlay, the Cisco Wireless Controller, the AP address pools, Cisco ISE, and the DHCP, NTP and DNS servers. Rows with a fixed source port and a destination port of Any describe the return half of a flow listed in another table; a stateful firewall that permits the forward flow already allows them, while a stateless ACL needs both entries.
The Catalyst Center appliance interface configured to route internet-bound traffic is the source address for all of its communications.
| Source port | Source | Destination port | Destination | Description |
| Any | Catalyst Center | UDP 53 | DNS server | From Catalyst Center to DNS server |
| Any | Catalyst Center | TCP 22 | Fabric underlay | From Catalyst Center to fabric switches' loopbacks for SSH |
| Any | Catalyst Center | TCP 23 | Fabric underlay | From Catalyst Center to fabric switches' loopbacks for Telnet. Open this only if Telnet is actually enabled for discovery; it carries credentials in cleartext, and SSH on TCP 22 covers the same function. |
| Any | Catalyst Center | UDP 161 | Fabric underlay | From Catalyst Center to fabric switches' loopbacks for SNMP device discovery |
| ICMP | Catalyst Center | ICMP | Fabric underlay | From Catalyst Center to fabric switches' loopbacks for device discovery (ping reachability) |
| Any | Catalyst Center | TCP 443 | Fabric underlay | HTTPS to hosted applications on switches and to NFVIS |
| Any | Catalyst Center | UDP 6007 | Switches and routers | From Catalyst Center to switches and routers for NetFlow |
| Any | Catalyst Center | TCP 830 | Fabric underlay | From Catalyst Center to fabric switches for NETCONF (Cisco SD-Access embedded wireless) |
| UDP 123 | Catalyst Center | UDP 123 | Fabric underlay | From Catalyst Center to fabric switches for the initial period during LAN automation (NTP) |
| Any | Catalyst Center | UDP 123 | NTP server | From Catalyst Center to NTP server |
| Any | Catalyst Center | TCP 22, UDP 161 | Cisco Wireless Controller | From Catalyst Center to Cisco Wireless Controller for SSH and SNMP |
| ICMP | Catalyst Center | ICMP | Cisco Wireless Controller | From Catalyst Center to Cisco Wireless Controller, allowing ping for troubleshooting |
| Any | AP | TCP 32626 | Catalyst Center | Used for receiving traffic statistics and packet capture data used by the Cisco Catalyst Assurance Intelligent Capture (gRPC) feature. |
| Source port | Source | Destination port | Destination | Description |
| Any | Catalyst Center | TCP 443 | registry.ciscoconnectdna.com | Download Catalyst Center package updates |
| Any | Catalyst Center | TCP 443 | www.ciscoconnectdna.com | Download Catalyst Center package updates |
| Any | Catalyst Center | TCP 443 | registry-cdn.ciscoconnectdna.com | Download Catalyst Center package updates |
| Any | Catalyst Center | TCP 443 | cdn.ciscoconnectdna.com | Download Catalyst Center package updates |
| Any | Catalyst Center | TCP 443 | software.cisco.com | Download device software |
| Any | Catalyst Center | TCP 443 | cloudsso.cisco.com | Validate Cisco.com and Smart Account credentials |
| Any | Catalyst Center | TCP 443 | cloudsso1.cisco.com | Validate Cisco.com and Smart Account credentials |
| Any | Catalyst Center | TCP 443 | cloudsso2.cisco.com | Validate Cisco.com and Smart Account credentials |
| Any | Catalyst Center | TCP 443 | apiconsole.cisco.com | CSSM Smart Licensing API |
| Any | Catalyst Center | TCP 443 | sso.cisco.com | Cisco.com credentials and Smart Licensing |
| Any | Catalyst Center | TCP 443 | api.cisco.com | Cisco.com credentials and Smart Licensing |
| Any | Catalyst Center | TCP 443 | apx.cisco.com | Cisco.com credentials and Smart Licensing |
| Any | Catalyst Center | TCP 443 | dashboard.meraki.com | Meraki integration |
| Any | Catalyst Center | TCP 443 | api.meraki.com | Meraki integration |
| Any | Catalyst Center | TCP 443 | n63.meraki.com | Meraki integration |
| Any | Catalyst Center | TCP 443 | dnacenter.uservoice.com | User feedback submission |
| Any | Catalyst Center Admin Client | TCP 443 | *.mapbox.com/:443 | Render maps in the browser (for access through proxy, the destination is *.mapbox.com/*) |
| Any | Catalyst Center | TCP 443 | www.mapbox.com | Maps and Cisco Wireless Controller country code identification |
| Source port | Source | Destination port | Destination | Description |
| UDP 68 | Fabric underlay | UDP 67 | DHCP server | From fabric switches and routers to the DHCP server for DHCP relay packets initiated by the fabric edge nodes |
| Any | Fabric underlay | TCP 80 | Catalyst Center | From fabric switch and router loopback IPs to Catalyst Center for PnP |
| Any | Fabric underlay | TCP 443 | Catalyst Center | From fabric switch and router loopback IPs to Catalyst Center for image upgrade |
| Any | Fabric underlay | UDP 162 | Catalyst Center | From fabric switch and router loopback IPs to Catalyst Center for SNMP traps |
| Any | Fabric underlay | UDP 514 | Catalyst Center | From fabric switches and routers to Cisco Catalyst Assurance (syslog) |
| Any | Fabric underlay | UDP 6007 | Catalyst Center | From fabric switches and routers to Catalyst Center for NetFlow |
| Any | Fabric underlay | UDP 123 | Catalyst Center | From fabric switches to Catalyst Center; used during LAN automation |
| ICMP | Fabric underlay | ICMP | Catalyst Center | From fabric switch and router loopbacks to Catalyst Center for device discovery (ping replies) |
| UDP 161 | Fabric underlay | Any | Catalyst Center | From fabric switch and router loopbacks to Catalyst Center: SNMP responses during device discovery |
| Any | Fabric underlay | UDP 53 | DNS server | From fabric switches and routers to DNS server for name resolution |
| TCP and UDP 4342 | Fabric underlay, control plane | Any | Fabric routers, switches, and Cisco Wireless Controller | LISP control-plane traffic (map registrations, map requests and map replies) between fabric nodes and the control-plane node |
| TCP and UDP 4342 | Fabric underlay, control plane | TCP and UDP 4342 | Fabric routers, switches, and Cisco Wireless Controller | LISP control-plane traffic with port 4342 at both ends |
| Any | Fabric underlay | UDP 4789 | Fabric routers and switches | Fabric-encapsulated data packets (VXLAN-GPO) |
| Any | Fabric underlay | UDP 1645/1646/1812/1813 | Cisco ISE | From fabric switch and router loopback IPs to Cisco ISE for RADIUS authentication and accounting |
| ICMP | Fabric underlay | ICMP | Cisco ISE | From fabric switches and routers to Cisco ISE for troubleshooting |
| UDP 1700/3799 | Fabric underlay | Any | Cisco ISE | From fabric switches to Cisco ISE for RADIUS Change of Authorization (CoA) responses |
| Any | Fabric underlay | UDP 123 | NTP server | From fabric switch and router loopback IPs to the NTP server |
| Any | Control plane | UDP and TCP 4342/4343 | Fabric routers, switches, and Cisco Wireless Controller | LISP control-plane traffic from the control-plane node to fabric nodes and the Cisco Wireless Controller |
| UDP and TCP 4342/4343 | Control plane | Any | Fabric routers, switches, and Cisco Wireless Controller | LISP control-plane responses from the control-plane node |
| Source port | Source | Destination port | Destination | Description |
| UDP 5246/5247/5248 | Cisco Wireless Controller | Any | AP IP address pool | From Cisco Wireless Controller to an AP subnet for CAPWAP |
| ICMP | Cisco Wireless Controller | ICMP | AP IP address pool | From Cisco Wireless Controller to APs, allowing ping for troubleshooting |
| Any | Cisco Wireless Controller | | Catalyst Center | From Cisco Wireless Controller to Catalyst Center for Assurance |
| Any | Cisco Wireless Controller | UDP 69/5246/5247, TCP 22 | AP IP address pool | From Cisco Wireless Controller to an AP subnet for CAPWAP (UDP 5246/5247), TFTP (UDP 69) and SSH (TCP 22) |
| Any | Cisco Wireless Controller | UDP and TCP 4342/4343 | Control plane | From Cisco Wireless Controller to the control-plane loopback IP address (LISP) |
| Any | Cisco Wireless Controller | TCP 22 | Catalyst Center | From Cisco Wireless Controller to Catalyst Center for device discovery |
| UDP 161 | Cisco Wireless Controller | Any | Catalyst Center | From Cisco Wireless Controller to Catalyst Center for SNMP responses |
| Any | Cisco Wireless Controller | UDP 162 | Catalyst Center | From Cisco Wireless Controller to Catalyst Center for SNMP traps |
| Any | Cisco Wireless Controller | TCP 16113 | Cisco Mobility Services Engine (MSE) and Cisco Spectrum Expert | From Cisco Wireless Controller to Cisco MSE and Spectrum Expert for NMSP |
| Any | Cisco Wireless Controller | UDP 6007 | Catalyst Center | From wireless controllers to Catalyst Center for NetFlow network telemetry |
| ICMP | Cisco Wireless Controller | ICMP | Catalyst Center | From Cisco Wireless Controller to Catalyst Center, allowing ping for troubleshooting |
| Any | Cisco Wireless Controller | UDP 514 | Various syslog servers | Syslog (optional) |
| Any | Cisco Wireless Controller | UDP 53 | DNS server | From Cisco Wireless Controller to DNS server |
| Any | Cisco Wireless Controller | TCP 443 | Cisco ISE | From Cisco Wireless Controller to Cisco ISE for Guest SSID web authentication (guest portal) |
| Any | Cisco Wireless Controller | UDP 1645, 1812 | Cisco ISE | From Cisco Wireless Controller to Cisco ISE for RADIUS authentication |
| Any | Cisco Wireless Controller | UDP 1646, 1813 | Cisco ISE | From Cisco Wireless Controller to Cisco ISE for RADIUS accounting |
| Any | Cisco Wireless Controller | UDP 1700, 3799 | Cisco ISE | From Cisco Wireless Controller to Cisco ISE for RADIUS CoA |
| ICMP | Cisco Wireless Controller | ICMP | Cisco ISE | From Cisco Wireless Controller to Cisco ISE, ICMP for troubleshooting |
| Any | Cisco Wireless Controller | UDP 123 | NTP server | From Cisco Wireless Controller to NTP server |
| Source port | Source | Destination port | Destination | Description |
| UDP 68 | AP IP address pool | UDP 67 | DHCP server | From an AP IP address pool to the DHCP server |
| ICMP | AP IP address pool | ICMP | DHCP server | From an AP IP address pool to the DHCP server, ICMP for troubleshooting |
| Any | AP IP address pool | UDP 514 | Various | Syslog (destination configurable). The default destination is the broadcast address 255.255.255.255. |
| Any | AP IP address pool | UDP 69/5246/5247/5248 | Cisco Wireless Controller | From an AP IP address pool to Cisco Wireless Controller for CAPWAP (and TFTP on UDP 69) |
| ICMP | AP IP address pool | ICMP | Cisco Wireless Controller | From an AP IP address pool to Cisco Wireless Controller, allowing ping for troubleshooting |
| Source port | Source | Destination port | Destination | Description |
| Any | Cisco ISE | TCP 64999 | Border | From Cisco ISE to border node for SGT Exchange Protocol (SXP) |
| Any | Cisco ISE | UDP 514 | Catalyst Center | From Cisco ISE to syslog server (Catalyst Center) |
| UDP 1645/1646/1812/1813 | Cisco ISE | Any | Fabric underlay | From Cisco ISE to fabric switches and routers: RADIUS authentication, authorization and accounting responses |
| Any | Cisco ISE | UDP 1700/3799 | Fabric underlay, Cisco Wireless Controller | From Cisco ISE to fabric switch and router loopback IP addresses for RADIUS Change of Authorization (CoA). UDP port 3799 must also be open from Cisco ISE to the wireless controller for CoA. |
| ICMP | Cisco ISE | ICMP | Fabric underlay | From Cisco ISE to fabric switches for troubleshooting |
| Any | Cisco ISE | UDP 123 | NTP server | From Cisco ISE to NTP server |
| UDP 1812/1645/1813/1646 | Cisco ISE | Any | Cisco Wireless Controller | From Cisco ISE to Cisco Wireless Controller: RADIUS responses |
| ICMP | Cisco ISE | ICMP | Cisco Wireless Controller | From Cisco ISE to Cisco Wireless Controller for troubleshooting |
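When a firewall sits between the fabric and Cisco ISE or Catalyst Center, the quickest way to find a missing rule is to map the firewall's deny logs back onto the flows in the fabric-underlay table and the Cisco ISE table above. The following Python is an added example, not Cisco's code: the log lines are constructed in the shape of ASA message 106023, the ROLES prefixes are an assumed placement of each role, and the EXPECTED map is a hand-picked subset of the rows above. It reports which fabric function each denied flow belongs to, and flags flows the table never asks for.

```python
"""Triage firewall deny logs against the SD-Access flows expected by this table.

Added example, not Cisco's code. The log lines are constructed in the style of
ASA message 106023, and ROLES is an assumed placement of each role; both are
placeholders for this lab and not taken from a real deployment.
"""
import ipaddress
import re
from typing import Dict, List, Optional

# Assumed: which prefix holds which role in this example fabric.
ROLES = {
    "Catalyst Center": ipaddress.ip_network("10.9.0.10/32"),
    "Cisco ISE": ipaddress.ip_network("10.9.0.20/32"),
    "NTP server": ipaddress.ip_network("10.9.0.30/32"),
    "Cisco Wireless Controller": ipaddress.ip_network("10.9.0.40/32"),
    "Fabric underlay": ipaddress.ip_network("10.1.0.0/16"),
}

# (source role, destination role, protocol, destination port) -> fabric function.
# Subset of the fabric-underlay and Cisco ISE rows; None = no port (ICMP).
EXPECTED: Dict[tuple, str] = {
    ("Fabric underlay", "Cisco ISE", "udp", 1812): "RADIUS authentication",
    ("Fabric underlay", "Cisco ISE", "udp", 1645): "RADIUS authentication (legacy port)",
    ("Fabric underlay", "Cisco ISE", "udp", 1813): "RADIUS accounting",
    ("Fabric underlay", "Cisco ISE", "udp", 1646): "RADIUS accounting (legacy port)",
    ("Fabric underlay", "Cisco ISE", "icmp", None): "ICMP troubleshooting",
    ("Cisco ISE", "Fabric underlay", "udp", 1700): "RADIUS Change of Authorization (CoA)",
    ("Cisco ISE", "Fabric underlay", "udp", 3799): "RADIUS Change of Authorization (CoA)",
    ("Cisco ISE", "Cisco Wireless Controller", "udp", 3799): "RADIUS CoA to the wireless controller",
    ("Fabric underlay", "Catalyst Center", "udp", 162): "SNMP traps",
    ("Fabric underlay", "Catalyst Center", "udp", 514): "Syslog to Cisco Catalyst Assurance",
    ("Fabric underlay", "Catalyst Center", "udp", 6007): "NetFlow",
    ("Fabric underlay", "NTP server", "udp", 123): "NTP",
}

# Constructed log lines in the shape of ASA %ASA-4-106023 deny messages.
LOG_LINES = [
    '%ASA-4-106023: Deny udp src inside:10.1.0.5/49152 dst dmz:10.9.0.20/1812 by access-group "INSIDE_IN" [0x0, 0x0]',
    '%ASA-4-106023: Deny udp src dmz:10.9.0.20/52000 dst inside:10.1.0.5/3799 by access-group "DMZ_IN" [0x0, 0x0]',
    '%ASA-4-106023: Deny icmp src inside:10.1.0.5 dst dmz:10.9.0.20 (type 8, code 0) by access-group "INSIDE_IN" [0x0, 0x0]',
    '%ASA-4-106023: Deny tcp src inside:10.1.0.5/40000 dst dmz:10.9.0.20/23 by access-group "INSIDE_IN" [0x0, 0x0]',
]

# ICMP denies carry no "/port" after the address, so both port groups are optional.
DENY_RE = re.compile(
    r"Deny (?P<proto>tcp|udp|icmp) src \w+:(?P<src>[\d.]+)(?:/(?P<sport>\d+))?"
    r" dst \w+:(?P<dst>[\d.]+)(?:/(?P<dport>\d+))?"
)


def role_of(addr: str) -> str:
    """Name the SD-Access role that owns an address, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ROLES.items():
        if ip in net:
            return name
    return "unknown"


def triage(line: str) -> Optional[dict]:
    """Classify one deny line: which roles talked, and whether the table expects it."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    proto = m.group("proto")
    dport = int(m.group("dport")) if m.group("dport") else None
    key = (role_of(m.group("src")), role_of(m.group("dst")), proto, dport)
    function = EXPECTED.get(key)
    return {
        "src": key[0], "dst": key[1], "proto": proto, "dport": dport,
        "expected": function is not None,
        "function": function or "not in the SD-Access table",
    }


def blocked_expected_flows(lines: List[str]) -> List[str]:
    """Return the fabric functions the firewall is currently breaking, in log order."""
    hits: List[str] = []
    for line in lines:
        result = triage(line)
        if result and result["expected"] and result["function"] not in hits:
            hits.append(result["function"])
    return hits


if __name__ == "__main__":
    for line in LOG_LINES:
        print(triage(line))
    print("blocked:", blocked_expected_flows(LOG_LINES))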
| Source port | Source | Destination port | Destination | Description |
| UDP 67 | DHCP server | UDP 68 | AP IP address pool | From DHCP server to fabric APs (DHCP offers and acknowledgements) |
| ICMP | DHCP server | ICMP | AP IP address pool | ICMP for troubleshooting: DHCP server to APs |
| UDP 67 | DHCP server | UDP 68 | Fabric underlay | From DHCP server to fabric switches and routers (replies to relayed requests) |
| ICMP | DHCP server | ICMP | Fabric underlay | ICMP for troubleshooting: DHCP server to fabric |
| UDP 67 | DHCP server | UDP 68 | User IP address pool | From DHCP server to endpoints in the user IP address pools |
| ICMP | DHCP server | ICMP | User IP address pool | ICMP for troubleshooting: DHCP server to user pools |
| Source port | Source | Destination port | Destination | Description |
| UDP 123 | NTP server | Any | Cisco ISE | From NTP server to Cisco ISE |
| UDP 123 | NTP server | Any | Catalyst Center | From NTP server to Catalyst Center |
| UDP 123 | NTP server | Any | Fabric underlay | From NTP server to fabric switch and router loopback |
| UDP 123 | NTP server | Any | Cisco Wireless Controller | From NTP server to Cisco Wireless Controller |
| Source port | Source | Destination port | Destination | Description |
| UDP 53 | DNS server | Any | Fabric underlay | DNS responses from the DNS server to fabric switches and routers |
| UDP 53 | DNS server | Any | Cisco Wireless Controller | DNS responses from the DNS server to Cisco Wireless Controller |
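Rows in these tables are written in a small, regular format (source port, source, destination port, destination, description), so they can be turned into firewall entries mechanically instead of being retyped. The Python below is an added example, not Cisco's code: it parses rows in this page's format, expands port cells such as "UDP 1645/1646/1812/1813", "TCP 22, UDP 161" and "TCP and UDP 4342/4343", and renders Cisco IOS extended-ACL entries. The ROLE_PREFIX addresses are assumed placeholders, and the rows in TABLE_ROWS are copied from the tables above with their multi-line cells joined. Rows with a fixed source port and an Any destination port become entries with the port on the source side, which is what a stateless ACL needs for return traffic.

```python
"""Generate Cisco IOS extended-ACL entries from rows in this page's table format.

Added example, not Cisco's code. TABLE_ROWS is copied from the tables on this
page (multi-line cells joined); ROLE_PREFIX is an assumed placement of each
role and must be replaced with the real prefixes before use.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: where each role lives in this example fabric.
ROLE_PREFIX = {
    "Catalyst Center": "10.9.0.10/32",
    "Cisco ISE": "10.9.0.20/32",
    "NTP server": "10.9.0.30/32",
    "Cisco Wireless Controller": "10.9.0.40/32",
    "Fabric underlay": "10.1.0.0/16",  # underlay and loopback range
}

# Rows copied from the tables above (cells joined onto one line each).
TABLE_ROWS = [
    "| Any | Fabric underlay | UDP 1645/1646/1812/1813 | Cisco ISE | From fabric switch and router loopback IPs to Cisco ISE for RADIUS |",
    "| UDP 1700/3799 | Fabric underlay | Any | Cisco ISE | From fabric switches to Cisco ISE for RADIUS Change of Authorization (CoA) responses |",
    "| ICMP | Fabric underlay | ICMP | Cisco ISE | From fabric switches and routers to Cisco ISE for troubleshooting |",
    "| Any | Fabric underlay | UDP 123 | NTP server | From fabric switch and router loopback IPs to the NTP server |",
    "| Any | Catalyst Center | TCP 22, UDP 161 | Cisco Wireless Controller | From Catalyst Center to Cisco Wireless Controller |",
]


@dataclass(frozen=True)
class Rule:
    proto: str             # tcp, udp, icmp, or ip when both port cells are Any
    src: str               # role name
    sport: Optional[str]   # fixed source port (return-traffic rows) or None
    dst: str
    dport: Optional[str]
    note: str


def parse_ports(cell: str) -> List[Tuple[str, Optional[str]]]:
    """Expand a port cell into (protocol, port) pairs.

    Handles 'Any', 'ICMP', 'UDP 69/5246/5247 TCP 22', 'UDP 1645,1812' and
    'TCP and UDP 4342/4343'; the last form yields every protocol/port pairing.
    """
    text = cell.strip()
    if text.lower() == "any":
        return [("ip", None)]
    if text.lower() == "icmp":
        return [("icmp", None)]
    pairs: List[Tuple[str, Optional[str]]] = []
    # One group = one or more protocol names ("TCP and UDP") then a port list.
    for protos, ports in re.findall(r"((?:(?:TCP|UDP)(?:\s+and\s+)?)+)\s*([\d/,\s]+)", text):
        names = [n.lower() for n in re.findall(r"TCP|UDP", protos)]
        for port in re.split(r"[/,\s]+", ports.strip()):
            if port:
                pairs.extend((name, port) for name in names)
    if not pairs:
        raise ValueError(f"unrecognised port cell: {cell!r}")
    return pairs


def parse_row(row: str) -> List[Rule]:
    """Turn one '| sport | src | dport | dst | note |' row into Rule objects."""
    cells = [c.strip() for c in row.strip().strip("|").split("|")]
    if len(cells) != 5:
        raise ValueError(f"expected 5 cells, got {len(cells)}: {row!r}")
    sport_cell, src, dport_cell, dst, note = cells
    rules: List[Rule] = []
    for sproto, sport in parse_ports(sport_cell):
        for dproto, dport in parse_ports(dport_cell):
            if "ip" not in (sproto, dproto) and sproto != dproto:
                continue  # a TCP source port cannot pair with a UDP destination port
            proto = dproto if dproto != "ip" else sproto
            rules.append(Rule(proto, src, sport, dst, dport, note))
    return rules


def acl_target(role: str) -> str:
    """Render a role as an IOS ACL address: 'host A.B.C.D' or 'network wildcard'."""
    net = ipaddress.ip_network(ROLE_PREFIX[role])
    if net.prefixlen == net.max_prefixlen:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"


def to_ace(rule: Rule) -> str:
    parts = ["permit", rule.proto, acl_target(rule.src)]
    if rule.sport:
        parts += ["eq", rule.sport]
    parts.append(acl_target(rule.dst))
    if rule.dport:
        parts += ["eq", rule.dport]
    return " ".join(parts)


def build_acl(rows: List[str]) -> List[str]:
    """One 'remark' per table row followed by its permit entries, in table order."""
    lines: List[str] = []
    for row in rows:
        rules = parse_row(row)
        lines.append(f"remark {rules[0].note}")
        lines.extend(to_ace(r) for r in rules)
    return lines


if __name__ == "__main__":
    print("ip access-list extended SDA-INFRA")
    for line in build_acl(TABLE_ROWS):
        print(f" {line}")
```

On a stateful firewall, drop the rows whose destination port is Any before generating: they only describe replies, and permitting them explicitly widens the policy for no gain. The remark lines keep the table's own description next to each entry, so an auditor can trace every permit back to a row on this page.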