Plan the Deployment

Planning workflow

Complete these planning and information-gathering tasks before installing, configuring, and setting up your Catalyst Center appliance. After you finish these tasks, install your appliance in the data center.

  1. Review the recommended cabling and switching requirements for standalone and cluster installations. See Interface cable connections.

  2. Gather IP addresses, subnets, and other IP traffic information to apply during appliance configuration. See Required IP addresses and subnets.

  3. Prepare a solution that provides the required access to web-based resources. See Required internet URLs and fully qualified domain names and Provide secure access to the internet.

  4. Reconfigure the firewalls and security policies for Catalyst Center traffic. See Communication ports. If you are using Catalyst Center to manage a Cisco Software-Defined Access (SD-Access) network, see also Required ports and protocols for Cisco Software-Defined Access.

  5. Gather the additional information that is used during appliance configuration and first-time setup. See Required configuration information and Required first-time setup information.

Catalyst Center and Cisco Software-Defined Access

You can use Catalyst Center to manage any type of network, including networks that employ the Cisco SD-Access fabric architecture. Cisco SD-Access transforms conventional networks into intent-based networks, so that you can automate tasks such as configuration, provisioning, and troubleshooting. The Cisco SD-Access solution accelerates network adaptation to business needs, improves issue resolution, and minimizes security-breach impacts.

This guide provides an overview of the Cisco SD-Access solution. If you plan to implement a Cisco SD-Access fabric with Catalyst Center, you can find more information and guidance in these resources:

  • For more information about how Catalyst Center leverages Cisco SD-Access to automate solutions that are not possible with typical networking approaches and techniques, see the Cisco Software-Defined Access Solution Design Guide.

  • For guidance in using Cisco SD-Access access segmentation to enhance network security, see the SD-Access Segmentation Design Guide.

  • For more information about Catalyst Center and the Cisco SD-Access solution working together with other Cisco and third-party products, see the Design Zone.

Interface cable connections

Connect the ports on the appliance to a switch that provides these types of network access. You must configure the Enterprise port and Intracluster port interfaces at a minimum, because they are essential for Catalyst Center functionality.

When NIC bonding is enabled on a third-generation appliance, a secondary instance of the Enterprise port, Intracluster port, Management port, and Internet port resides on the Intel E810-XXVDA4 NIC. Connect these ports to a switch that's different from the one that you will connect to the primary instance of these ports (see NIC bonding overview).


Note


  • During appliance configuration, the Maglev Configuration wizard prevents you from continuing until you assign the Cluster Link option to an interface. For both single-node and three-node deployments in a production environment, assign the Intracluster port as the Cluster Link.

  • You cannot change the interface marked as the Cluster Link after configuration completes. To change it, you must reimage the appliance. (For a description of the tasks you need to complete in order to reimage your Catalyst Center appliance, see Reimage the appliance.) Set up the Cluster Port with an IP address to support the expansion to a three-node cluster. Connect the cluster link interface to a switch port, and ensure it is in the UP state.

  • To build multiple clusters, you must use a separate IP scheme for each cluster to prevent cross-cluster interaction and corruption.


  • (Required) 10-Gbps Enterprise port (network adapter 1): The purpose of this port is to enable Catalyst Center to communicate with and manage your network. Connect this port to a switch with connections to the enterprise network and configure one IP address with a subnet mask for the port.

    Primary instance:

    • This is the left port on the 32-core and 56-core Intel E810-XXVDA2 NIC, in the appliance PCIe riser 1/slot 1.

    • This is the left port on the 80-core Intel E810-XXVDA2 NIC, in the appliance riser 1A/slot 2.

    Secondary instance:

    • This is the second port on the 32-core and 56-core Intel E810-XXVDA4 NIC, in the appliance PCIe riser 3/slot 3.

    • This is the second port on the 80-core Intel E810-XXVDA4 network adapter, in the appliance riser 3A/slot 5.

  • (Required) 10-Gbps Intracluster port (network adapter 2): The purpose of this port is to enable communications among the primary and secondary nodes in a cluster. Connect this port to a switch with connections to the other nodes in the cluster and configure one IP address with a subnet mask for the port.

    Primary instance:

    • This is the right port on the 32-core and 56-core Intel E810-XXVDA2 NIC, in the appliance PCIe riser 1/slot 1.

    • This is the right port on the 80-core Intel E810-XXVDA2 network adapter, in the appliance riser 1A/slot 2.

    Secondary instance:

    • This is the first port on the 32-core and 56-core Intel E810-XXVDA4 NIC, in the appliance PCIe riser 3/slot 3.

    • This is the first port on the 80-core Intel E810-XXVDA4 NIC, in the appliance riser 3A/slot 5.

  • (Optional) 1-Gbps/10-Gbps Management port (network adapter 3): This port provides access to the Catalyst Center GUI so you can use the software on the appliance. Connect this port to a switch with connections to your enterprise management network, and configure one IP address with a subnet mask for the port.

    Primary instance:

    • This is labeled 1 on the 32-core and 56-core appliance rear panel.

    • This is on the 80-core appliance rear panel, to the right of the second USB port.

    Secondary instance:

    • This is the fourth port on the 32-core and 56-core Intel E810-XXVDA4 NIC, in the appliance PCIe riser 3/slot 3.

    • This is the fourth port on the 80-core Intel E810-XXVDA4 network adapter, in the appliance riser 3A/slot 5.

  • (Optional) 1-Gbps/10-Gbps Internet port (network adapter 4): This port, labeled 2 on the rear panel, is optional. Use it only if you cannot connect the appliance to the Internet (including to your Internet proxy server) using the 10-Gbps Enterprise Port (Network Adapter 1). If you need to use this port, connect it to a switch with connections to your Internet proxy server and configure one IP address with a subnet mask for the port.

    Primary instance:

    • This is labeled 2 on the 32-core and 56-core appliance rear panel.

    • This is on the 80-core appliance rear panel, between the Management and Cisco IMC ports.

    Secondary instance:

    • This is the third port on the 32-core and 56-core Intel E810-XXVDA4 NIC, in the appliance PCIe riser 3/slot 3.

    • This is the third port on the 80-core Intel E810-XXVDA4 network adapter, in the appliance riser 3A/slot 5.

  • (Optional, but strongly recommended) 1-Gbps Cisco IMC port: This port, located to the right of the Internet port on all third-generation Catalyst Center appliances, provides browser access to the Cisco IMC out-of-band appliance management interface and its GUI. Its purpose is to allow you to manage the appliance and its hardware. Connect this port to a switch with connections to your enterprise management network and configure an IP address with a subnet mask for the port.

These figures show the recommended connections for a single-node Catalyst Center cluster, as well as the label that's assigned to each interface:

Figure 1. Recommended cabling for 32-core and 56-core appliance (face plate labeled with the recommended cabling per interface)

Note


For both the Management and Internet interfaces, the primary instance has a bandwidth of 1 Gbps and the secondary instance 10 Gbps.


Figure 2. Recommended cabling for 80-core appliance (face plate labeled with the recommended cabling per interface)

Note


For both the Management and Internet interfaces, the primary instance has a bandwidth of 1 Gbps and the secondary instance 10 Gbps.


The connections for each node in a three-node Catalyst Center cluster are the same as those for a single-node cluster and use the same ports. Do this when you cable a three-node cluster:

  • Connect the primary instance of each node's Enterprise Port, Intracluster Port, Management Port, Internet Port, and the Cisco IMC port to the primary switch.

  • Connect the secondary instance of each node's Enterprise Port, Intracluster Port, Management Port, and Internet Port to the secondary switch.

For more details on each of the ports, see the rear panel diagram and accompanying descriptions for your chassis in Front and rear panels.


Note


Multinode cluster deployments require all the member nodes to be in the same network and at the same site. The appliance does not support distribution of nodes across multiple networks or sites.

Supported media types for cabling the 10 Gbps enterprise and cluster ports include:

  • SFP-10G-SR-S (Short range, MMF)

  • SFP-10G-LR (Long range, SMF)

  • SFP-H10GB-CU1M (Twinax cable, passive, 1 meter (3.28 feet))

  • SFP-H10GB-CU3M (Twinax cable, passive, 3 meters (9.84 feet))

  • SFP-H10GB-CU5M (Twinax cable, passive, 5 meters (16.4 feet))

  • SFP-H10GB-ACU7M (Twinax cable, active, 7 meters (23 feet))

Required IP addresses and subnets

Before beginning the installation, you must ensure that your network has sufficient IP addresses available to assign to each of the appliance ports that you plan on using. Depending on whether you are installing the appliance as a single-node cluster or as a primary or secondary node in a three-node cluster, you will need these appliance port (NIC) addresses:

  • Enterprise port address (Required): One IP address with a subnet mask.

  • Cluster port address (Required): One IP address with a subnet mask.

  • Management port address (Optional): One IP address with a subnet mask.

  • Internet port address (Optional): One IP address with a subnet mask. This is an optional port, used only when you cannot connect to the cloud using the Enterprise port. You do not need an IP address for the Internet port unless you must use it for this purpose.

  • CIMC port address (Optional, but strongly recommended): One IP address with a subnet mask.


Note


All of the IP addresses called for in these requirements must be valid IPv4 addresses with valid IPv4 netmasks. Ensure that the addresses and their corresponding subnets do not overlap. Service communication issues can result if they do.


You will also need additional IP addresses and dedicated IP subnets, which are prompted for and applied during the configuration of the appliance, including:

  • Cluster virtual IP addresses: One virtual IP (VIP) address per configured network interface per cluster. This requirement applies to three-node clusters and single-node clusters that are likely to be converted into a three-node cluster in the future. You must supply a VIP for each network interface you configure. Each VIP should be from the same subnet as the IP address of the corresponding configured interface.

    There are four interfaces on each appliance: Enterprise, Cluster, Management, and Internet. At a minimum, you must configure the Enterprise and Cluster port interfaces, because they are required for Catalyst Center functionality. An interface is considered configured if you supply an IP address for that interface, along with a subnet mask and one or more associated gateways or static routes. If you skip an interface entirely during configuration, that interface is considered as not configured.


    Note


    • If you have a single-node setup and do not plan to convert it into a three-node cluster in the future, you are not required to specify a VIP address. However, if you decide to do so, you must specify a VIP address for every configured network interface as if you were configuring for a three-node cluster.

    • If the intracluster link for a single-node cluster fails, the VIP addresses associated with the Management and Enterprise interfaces also fail. When this happens:

      • Catalyst Center is unusable until the intracluster link is restored.

      • The Software Image Management (SWIM) and Cisco Identity Services Engine (ISE) integration becomes non-operational.

      • Cisco Catalyst Assurance data cannot be gathered from Network Data Platform (NDP) collectors.

    • Do not use a link-local or nonroutable IP address for the Enterprise or Management interface.


  • Default gateway IP address: The IP address for your network's preferred default gateway. If no other routes match the traffic, traffic will be routed through this IP address. Typically, you should assign the default gateway to the interface in your network configuration that accesses the internet. For information on security considerations to keep in mind when deploying Catalyst Center, see the Cisco Catalyst Center Security Best Practices Guide.

  • DNS server IP addresses: The IP addresses for your network's preferred Domain Name System (DNS) servers. Specify up to three DNS server IP addresses as a space-separated list during configuration.


    Caution


    Problems can occur if you specify more than three servers for an appliance.


  • (Optional) Static route addresses: The IP addresses, subnet masks, and gateways for one or more static routes. During configuration, you can specify multiple static-route IP addresses, netmasks, and gateways by entering them as a space-separated list.

    You can set one or more static routes for an interface on the appliance. Supply static routes when you want to route specific traffic somewhere other than the default gateway. Each interface that has static routes is set as the device through which that traffic is routed in the IP route table. For this reason, it is important to match each static route with the interface through which the traffic will be sent.

    Static routes are not recommended in network device routing tables, like those used by switches and routers. Dynamic routing protocols are better for this. However, you should add static routes where needed, to allow the appliance access to particular parts of the network that can be reached no other way.

  • NTP server IP addresses: The DNS-resolvable hostname or IP address for at least one Network Time Protocol (NTP) server.

    During configuration, you can specify multiple NTP server IP addresses/masks or hostnames by entering them as a space-separated list. For a production deployment, we recommend that you configure a minimum of three NTP servers.

    Specify these NTP servers during preflight hardware synchronization, and again during the configuration of the software on each appliance in the cluster. Time synchronization is critical to the accuracy of data and the coordination of processing across a multihost cluster. Before deploying the appliance in a production environment, make sure that the time on the appliance system clock is current and that the NTP servers you specified are keeping accurate time. If you are planning to integrate the appliance with ISE, you should also ensure that ISE is synchronizing with the same NTP servers as the appliance.

  • Container subnet: Identifies one dedicated IP subnet for the appliance to use in managing and getting IP addresses for communications among its internal application services, such as Assurance, inventory collection, and so on. By default, Catalyst Center configures a link-local subnet (169.254.32.0/20) for this parameter. We recommend that you use this subnet. If you decide to enter another subnet, ensure that it does not conflict or overlap with any other subnet used by Catalyst Center's internal network or any external network. Also ensure that the minimum size of the subnet is 21 bits. The subnet you specify must conform with the IETF RFC 1918 and RFC 6598 specifications for private networks, which support these address ranges:

    • 10.0.0.0/8

    • 172.16.0.0/12

    • 192.168.0.0/16

    • 100.64.0.0/10

    For details, see RFC 1918, Address Allocation for Private Internets, and RFC 6598, IANA-Reserved IPv4 Prefix for Shared Address Space.


    Important


    • Ensure that you specify a valid CIDR subnet. Otherwise, incorrect bits will be present in the 172.17.1.0/20 and 172.17.61.0/20 subnets.

    • After configuration of your Catalyst Center appliance is completed, you cannot assign a different subnet without first reimaging the appliance (see Reimage the appliance).


  • Cluster subnet: Identifies one dedicated IP subnet for the appliance to use in managing and getting IPs for communications among its infrastructure services, such as database access, the message bus, and so on. By default, Catalyst Center configures a link-local subnet (169.254.48.0/20) for this parameter, and we recommend that you use this subnet. If you decide to enter another subnet, ensure that it does not conflict with or overlap any other subnet used by Catalyst Center's internal network or any external network. Also ensure that the minimum size of the subnet is 21 bits. The subnet you specify must conform with the IETF RFC 1918 and RFC 6598 specifications for private networks, which support these address ranges:

    • 10.0.0.0/8

    • 172.16.0.0/12

    • 192.168.0.0/16

    • 100.64.0.0/10

    For details, see RFC 1918, Address Allocation for Private Internets, and RFC 6598, IANA-Reserved IPv4 Prefix for Shared Address Space.

    If you were to specify 10.10.10.0/21 as your Container subnet, you could also specify a Cluster subnet of 10.0.8.0/21 since these two subnets do not overlap. Also, the configuration wizard detects overlaps (if any) between these subnets and prompts you to correct the overlap.


    Important


    • Ensure that you specify a valid CIDR subnet. Otherwise, incorrect bits will be present in the 172.17.1.0/20 and 172.17.61.0/20 subnets.

    • After configuration of your Catalyst Center appliance is completed, you cannot assign a different subnet without first reimaging the appliance (see Reimage the appliance).

    • When entering an IP address for the Cluster port, container subnet, or cluster subnet, don't specify an address that falls within the 169.254.0.0/23 subnet.


The recommended total IP address space for the two Container and Cluster subnets contains 4,096 addresses, broken down into two /21 subnets of 2,048 addresses each. The two /21 subnets must not overlap. The Catalyst Center internal services require a dedicated set of IP addresses. This is a Catalyst Center microservice architecture requirement. To accommodate this requirement, you must allocate two dedicated subnets for each Catalyst Center system.

The appliance requires this amount of address space to maintain system performance. It uses internal routing and tunneling technologies for east-west (internode) communications. Using overlapping address spaces forces the appliance to run Virtual Routing and Forwarding (VRF) FIBs internally. This process creates multiple encapsulation and decapsulation steps for packets going between services. These steps cause high internal latency and result in cascading impacts at higher layers.

The Kubernetes-based service containerization architecture of Catalyst Center is another reason. Each appliance uses the IP addresses in this space for each Kubernetes (K8s) node. Multiple nodes can make up a single service. Currently, Catalyst Center supports more than 100 services, each requiring several IP addresses, and new features and corresponding services are being added all the time. The address space requirement is intentionally large to ensure that Cisco can add new services and features without running out of IP addresses. This also avoids requiring the reallocation of contiguous address spaces when upgrading systems.

The services supported over these subnets are also enabled at Layer 3. The Cluster space, in particular, carries data between application and infrastructure services, and is heavily used.

The RFC 1918 and RFC 6598 requirement exists because Catalyst Center must download packages and updates from the cloud. If the selected IP address ranges do not conform with RFC 1918 and RFC 6598, overlaps with public IP addresses can quickly cause problems.
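An added example, not from the Cisco guide, that checks a planned address assignment against the rules in this section before the configuration wizard is run: valid CIDR with host bits clear, at least a /21 for the Container and Cluster subnets, RFC 1918/6598 ranges for non-default internal subnets, nothing inside 169.254.0.0/23, VIPs in the same subnet as their interface, no link-local Enterprise or Management address, and no overlap between any of the subnets. The interface names used as dictionary keys and the function names are the example's own; the sample plans are constructed.

```python
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# Ranges the guide requires for custom Container/Cluster subnets (RFC 1918 plus RFC 6598).
PRIVATE_RANGES = [IPv4Network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]
# Wizard defaults; link-local, so they are accepted without the RFC 1918/6598 check.
DEFAULTS = {IPv4Network("169.254.32.0/20"), IPv4Network("169.254.48.0/20")}
# The guide says nothing for the Cluster port, Container subnet, or Cluster subnet may fall here.
RESERVED = IPv4Network("169.254.0.0/23")
MIN_PREFIX = 21  # each internal subnet must be at least a /21


def check_internal_subnet(name, cidr):
    """Return the problems found with one Container or Cluster subnet (empty list if OK)."""
    try:
        net = IPv4Network(cidr, strict=True)  # strict: host bits must be zero
    except ValueError:
        # e.g. 10.10.10.0/21 is rejected: the /21 that contains it is 10.10.8.0/21
        return [f"{name}: {cidr} is not a valid CIDR subnet"]
    problems = []
    if net.prefixlen > MIN_PREFIX:
        problems.append(f"{name}: {net} is smaller than the required /{MIN_PREFIX}")
    if net.overlaps(RESERVED):
        problems.append(f"{name}: {net} falls within {RESERVED}")
    if net not in DEFAULTS and not any(net.subnet_of(r) for r in PRIVATE_RANGES):
        problems.append(f"{name}: {net} is outside the RFC 1918 / RFC 6598 ranges")
    return problems


def check_interface(name, ip_cidr, vip=None):
    """Validate one appliance interface (address/prefix) and, if given, its cluster VIP."""
    try:
        iface = IPv4Interface(ip_cidr)
    except ValueError:
        return [f"{name}: {ip_cidr} is not a valid IPv4 address/netmask"]
    problems = []
    ip = iface.ip
    if name in ("Enterprise", "Management") and (
            ip.is_link_local or ip.is_loopback or ip.is_multicast or ip.is_unspecified):
        problems.append(f"{name}: {ip} is link-local or nonroutable")
    if name == "Cluster" and ip in RESERVED:
        problems.append(f"{name}: {ip} falls within {RESERVED}")
    if vip is not None:
        try:
            v = IPv4Address(vip)
        except ValueError:
            return problems + [f"{name}: VIP {vip} is not a valid IPv4 address"]
        if v not in iface.network:  # VIP must come from the interface's own subnet
            problems.append(f"{name}: VIP {v} is not in the interface subnet {iface.network}")
    return problems


def check_plan(interfaces, container, cluster):
    """interfaces: {name: (ip/prefix, vip or None)}. Returns every problem found."""
    problems = []
    for required in ("Enterprise", "Cluster"):
        if required not in interfaces:
            problems.append(f"{required} interface is required but not configured")
    nets = {}
    for name, (cidr, vip) in interfaces.items():
        problems += check_interface(name, cidr, vip)
        try:
            nets[name] = IPv4Interface(cidr).network
        except ValueError:
            pass  # already reported by check_interface
    # Interface subnets must not overlap each other.
    names = sorted(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} interface subnet {nets[a]} overlaps "
                                f"{b} interface subnet {nets[b]}")
    problems += check_internal_subnet("Container subnet", container)
    problems += check_internal_subnet("Cluster subnet", cluster)
    try:
        c_net, k_net = IPv4Network(container), IPv4Network(cluster)
    except ValueError:
        return problems  # invalid CIDR already reported above
    # The two internal subnets must not overlap each other or any interface subnet.
    if c_net.overlaps(k_net):
        problems.append(f"Container subnet {c_net} overlaps Cluster subnet {k_net}")
    for iname, inet in (("Container subnet", c_net), ("Cluster subnet", k_net)):
        for name, n in nets.items():
            if inet.overlaps(n):
                problems.append(f"{iname} {inet} overlaps {name} interface subnet {n}")
    return problems


if __name__ == "__main__":
    # Constructed sample plan using the wizard defaults for the internal subnets.
    plan = {"Enterprise": ("10.1.1.10/24", "10.1.1.20"),
            "Cluster": ("10.1.2.10/24", "10.1.2.20")}
    for line in check_plan(plan, "169.254.32.0/20", "169.254.48.0/20") or ["no problems found"]:
        print(line)
```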

Required internet URLs and fully qualified domain names

You must provide secure access to the required URLs and Fully Qualified Domain Names (FQDNs) for the appliance to function.

This table describes the features that make use of each URL and FQDN. You must configure either your network firewall or a proxy server so that IP traffic can travel to and from the appliance and these resources.


Caution


If you do not provide access to the listed URLs and FQDNs, the associated features will not work as intended.



Note


The appliance interface configured to route internet-bound traffic serves as the source for all communications.


For more information about internet proxy access requirements, see Provide secure access to the internet.

Table 1. Required URLs and FQDN access
In order to... ...Catalyst Center must access these URLs and FQDNs

Download updates for system software and application packages, and submit user feedback to the product team.

Recommended: *.ciscoconnectdna.com:443 [1]

To avoid wildcards, specify these URLs instead:

  • https://www.ciscoconnectdna.com

  • https://cdn.ciscoconnectdna.com

  • https://registry.ciscoconnectdna.com

  • https://registry-cdn.ciscoconnectdna.com

Catalyst Center update package.

Smart Account and SWIM software downloads.

Authenticate with the cloud domain.

https://dnaservices.cisco.com

Integrate with ThousandEyes.

  • *.awsglobalaccelerator.com

  • api.thousandeyes.com

Manage Cisco Enterprise Network Function Virtualization Infrastructure Software (NFVIS) devices.

*.amazonaws.com

Collect product page view telemetry and receive product news and announcements.

https://data.pendo.io

Allow API calls to enable access to Cisco CX Cloud Success Tracks. Otherwise, the enhancements made to extended configuration-based scanning for the Security Advisories, Bug Identifier, and EOX features that Machine Reasoning Engine (MRE) supports will not operate as expected.

https://api-cx.cisco.com

Integrate with Webex.

  • http://analytics.webexapis.com

  • https://webexapis.com

User feedback.

https://dnacenter.uservoice.com

Integrate with Cisco Meraki.

Recommended: *.meraki.com:443

To avoid wildcards, specify these URLs instead:

  • dashboard.meraki.com:443

  • api.meraki.com:443

  • n63.meraki.com:443

Check SSL/TLS certificate revocation status using OCSP/CRL.

Note


These URLs must be reachable both directly and through the proxy server configured for Catalyst Center.

Allow Cisco authorized specialists to collect troubleshooting data when Catalyst Center Remote Support functionality is enabled.

wss://prod.radkit-cloud.cisco.com:443

Integrate with cisco.com and Cisco Smart Licensing.

*.cisco.com:443

To avoid wildcards, specify these URLs instead:

  • software.cisco.com

  • cloudsso.cisco.com

  • cloudsso1.cisco.com

  • cloudsso2.cisco.com

  • apiconsole.cisco.com

  • api.cisco.com

  • id.cisco.com

  • apx.cisco.com

  • commerce.cisco.com

  • smartreceiver.cisco.com

  • sso.cisco.com

  • apmx-prod1-vip.cisco.com

  • apmx-prod2-vip.cisco.com

Connect to the Network-Based Application Recognition (NBAR) cloud.

prod.sdavc-cloud-api.com:443

Enable the Rogue Management application to detect rogue vendor names.

https://standards-oui.ieee.org/oui/oui.txt

Render accurate information in site and location maps.

  • www.mapbox.com

  • *.mapbox.com/*:443. For a proxy, the destination is *.mapbox.com/*

Note


For Cisco AI Network Analytics data collection, configure your network or HTTP proxy to allow outbound HTTPS (TCP 443) access to the cloud hosts.

Access a menu of interactive help flows that let you complete specific tasks from the GUI.

https://ec.walkme.com

Access the licensing service.

https://swapi.cisco.com

Integrate with Cisco Spaces.

[1] Cisco owns and maintains ciscoconnectdna.com and its subdomains. The Cisco Connect DNA infrastructure meets Cisco Security and Trust guidelines and undergoes continuous security testing. This infrastructure is robust, with built-in load balancing and automation capabilities, and is monitored and maintained by a cloud operations team to ensure availability at all times (24 hours a day, 7 days a week, 365 days a year).
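An added example, not from the Cisco guide, that turns the mixed entries of Table 1 (scheme-prefixed URLs, host:port pairs, bare wildcards, a path-carrying entry) into a normalized, de-duplicated (host, port) allowlist, and that matches wildcards on a label boundary so that *.cisco.com covers api.cisco.com but not cisco.com or a look-alike such as evilcisco.com. Two assumptions are labelled in the code: a bare host with neither scheme nor port is taken to use TCP 443, and the function names are the example's own. The cisco.com host list is the one printed in the table above; the typo case is constructed.

```python
import re

# Standard port assumed when an entry gives a scheme but no port.
SCHEME_PORTS = {"http": 80, "https": 443, "wss": 443}
# Assumption: a bare host with neither scheme nor port (e.g. "*.amazonaws.com") is reached over HTTPS.
DEFAULT_PORT = 443

# Explicit hosts the table lists as the non-wildcard alternative to *.cisco.com:443
# (copied as printed, including the repeated smartreceiver.cisco.com entry).
CISCO_COM_EXPLICIT = [
    "software.cisco.com", "cloudsso.cisco.com", "cloudsso1.cisco.com", "cloudsso2.cisco.com",
    "apiconsole.cisco.com", "api.cisco.com", "id.cisco.com", "apx.cisco.com",
    "commerce.cisco.com", "smartreceiver.cisco.com", "sso.cisco.com",
    "apmx-prod1-vip.cisco.com", "apmx-prod2-vip.cisco.com", "smartreceiver.cisco.com",
]


def parse_spec(spec):
    """Turn one table entry into (host, port).

    Accepts 'https://host/path', 'host:443', 'wss://host:443', '*.host.com'
    and '*.host.com/*:443'; the path part is discarded because a firewall
    or proxy allowlist keys on host and port only.
    """
    s = spec.strip()
    scheme = None
    m = re.match(r"^([a-z]+)://", s)
    if m:
        scheme = m.group(1)
        s = s[m.end():]
    hostport = s.split("/", 1)[0]           # drop /oui/oui.txt, /* and the like
    host, sep, port = hostport.rpartition(":")
    if not sep:                             # no explicit port in the entry
        host, port = hostport, None
    if port is not None:
        port = int(port)
    elif scheme in SCHEME_PORTS:
        port = SCHEME_PORTS[scheme]
    else:
        port = DEFAULT_PORT                 # assumption noted above
    return host.lower(), port


def host_matches(pattern, host):
    """Wildcard match anchored on a label boundary: '*.cisco.com' covers
    'api.cisco.com' and 'a.b.cisco.com' but neither 'cisco.com' nor 'evilcisco.com'."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        suffix = pattern[1:]                # ".cisco.com", dot included
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def build_allowlist(specs):
    """Normalize and de-duplicate entries into a sorted list of (host, port)."""
    return sorted({parse_spec(s) for s in specs})


def is_allowed(allowlist, host, port):
    """True if the destination host:port is covered by some allowlist entry."""
    return any(host_matches(h, host) and p == port for h, p in allowlist)


def explicit_hosts_outside_wildcard(wildcard, explicit_specs):
    """When a wildcard is replaced by explicit hosts, report any host the wildcard
    would not have covered; such a host is usually a typo in the firewall change."""
    wild_host, _ = parse_spec(wildcard)
    return [h for h, _ in build_allowlist(explicit_specs) if not host_matches(wild_host, h)]


if __name__ == "__main__":
    for host, port in build_allowlist(CISCO_COM_EXPLICIT):
        print(f"{host}:{port}")
    print("outside *.cisco.com:", explicit_hosts_outside_wildcard("*.cisco.com:443", CISCO_COM_EXPLICIT))
```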

Provide secure access to the internet

By default, your appliance connects to the internet to download software updates, licenses, device software, map information, and user feedback. Maintain an internet connection for these configuration tasks.


Note


The appliance interface that's configured to route internet-bound traffic acts as the source for all communications.


Use an HTTPS proxy server to access remote URLs securely. Also use an HTTPS proxy server so your appliance can access the URLs in the Required internet URLs and fully qualified domain names list. During appliance installation, you are prompted to enter the proxy server's URL, port number, and login credentials if needed.

Your appliance currently supports communication with proxy servers over HTTP only. Place the HTTPS proxy server anywhere within your network. The proxy server communicates with the internet using HTTPS, while the appliance uses HTTP to communicate with the proxy. Specify the proxy’s HTTP port when configuring the appliance.

To change the proxy setting after configuration, use the GUI.

Communication ports

Use the table to learn which ports Catalyst Center uses, which services communicate over them, and the reasons for their use. The Recommended Action column explains if you can restrict network traffic to known IP addresses or ranges, block connections without affecting Catalyst Center functionality, or if you must keep the port open.


Important


Outbound communications from Catalyst Center use the routable interface IP address of the node hosting a service. For multinode clusters, include each node's interface IP and VIP address in the proxy and firewall rules.


Some destination ports in Catalyst Center are duplicated. Review the relevant section to learn how and why to use each network service. Limit source or destination IP addresses or ranges in the firewall rules. If a service is not used in your Catalyst Center deployment, keep the port closed.

Table 2. Communication ports used by Catalyst Center
Port Service name Purpose Recommended action

Administering or configuring Catalyst Center

TCP 443

UI, REST, HTTPS

GUI, REST, HTTPS management port.

Keep the port open.

TCP 2222

Catalyst Center shell

Connect to the Catalyst Center shell.

Keep the port open. Restrict the source to a known IP address.

TCP 9004

Web UI installation

Serves the GUI-based installation page (required only if you decide to install Catalyst Center using the web-based option).

Keep the port open until you complete the node installation.

TCP 9005

Web UI installation API service

Serves the API for the web-based installation (connected by the browser client from port 9004; no external agent requires access).

Keep the port open until the cluster formation is complete.

Administering or configuring Cisco IMC

TCP 22

Catalyst Center shell

Connects to the Catalyst Center shell.

Keep the port open. Configure the known IP address as the source.

UDP and TCP 53

DNS

Used to resolve a DNS name to an IP address.

Keep the port open if DNS names are used instead of IP addresses for other services, such as an NTP DNS name.

UDP and TCP 389

LDAP

Cisco IMC user management LDAP.

Optional if external user authentication via LDAP is needed.

TCP 443

UI, REST, HTTPS

Web UI, REST, HTTPS management port.

Keep the port open.

UDP and TCP 636

LDAPS

Cisco IMC user management via LDAP over SSL.

Optional if external user authentication via LDAPS is needed.

TCP 2068

HTTPS

Remote KVM console redirect port.

Keep the port open until you complete the node installation.

UDP 123

NTP

Synchronize the time with an NTP server.

Keep the port open.

UDP 161

SNMP polling/config

SNMP server polling and configurations.

Optional for SNMP server polling and configurations.

UDP 162

SNMP traps

Send SNMP traps to an external SNMP server.

Optional for an SNMP server collector.

UDP 514

Syslog

View faults and logs on an external server.

Optional for sending message logs to an external server.

Catalyst Center outbound to device and other systems

—

ICMP

Catalyst Center uses ICMP messages to discover network devices and troubleshoot network connectivity issues.

Enable ICMP.

TCP 22

SSH

Catalyst Center uses SSH to connect to network devices so that it can:

  • read the device configuration for discovery, and

  • make configuration changes.

Catalyst Center also uses SSH (port 22) for automation backup to the remote sync (rsync) storage server.

SSH must be open between Catalyst Center and the managed network.

TCP 23

Telnet

Avoid using Telnet. Use SSH for secure communication.

Note


Although Telnet is discouraged, Catalyst Center can use Telnet to connect to devices in order to read the device configuration for discovery, and make configuration changes.

If you must use Telnet for device management, understand that Telnet does not provide security mechanisms such as encryption. Use SSH for secure management.

TCP 49

TACACS+

Needed only if you are using external authentication such as Cisco ISE with a TACACS+ server.

Open the port only if you use external authentication with a TACACS+ server.

TCP 80

HTTP

Catalyst Center uses HTTP for trust pool updates.

To access Cisco-supported trust pools, configure your network to allow outgoing traffic from the appliance to this URL:

http://www.cisco.com/security/pki/

TCP 80

OCSP/CRL

Catalyst Center verifies SSL/TLS certificate revocation status using OCSP/CRL.

Ensure these URLs are reachable directly and through the proxy server configured for Catalyst Center. If they are not reachable, Catalyst Center skips certificate revocation checks when connecting to cisco.com.

http://validation.identrust.com

http://commercial.ocsp.identrust.com

UDP 53

DNS

Catalyst Center uses DNS to resolve hostnames.

Keep the port open for DNS hostname resolution.

UDP 123

NTP

Catalyst Center uses NTP to synchronize the time from the source that you specify.

Keep the port open for time synchronization.

UDP 161

SNMP

Catalyst Center uses SNMP to discover network devices; to read device inventory details, including device type; and for telemetry data purposes, including CPU and RAM.

Keep the port open for network device management and discovery.

TCP 443

HTTPS

Catalyst Center uses HTTPS for cloud-tethered upgrades.

Keep the port open for cloud tethering, telemetry, and software upgrades.

Keep the port open for Cisco ISE.

TCP 830

NETCONF

Catalyst Center uses NETCONF for device inventory, discovery, and configuration.

Keep the port open for network device management and discovery of devices that support NETCONF.

UDP 1645 or 1812

RADIUS

Needed only if you are using external authentication with a RADIUS server.

Keep the port open only if an external RADIUS server is used to authenticate user login to Catalyst Center.

TCP 5222, 8910

Cisco ISE

Catalyst Center uses Cisco ISE XMPP for pxGrid.

Keep the port open for Cisco ISE.

TCP 9060

Cisco ISE

Catalyst Center uses Cisco ISE ERS API traffic.

Keep the port open for Cisco ISE.

Device to Catalyst Center

—

ICMP

Devices use ICMP messages to communicate network connectivity issues.

Enable ICMP to allow device communication.

TCP 22, 80, 443

HTTPS, SFTP, HTTP

Software image download from Catalyst Center through HTTPS:443, SFTP:22, HTTP:80.

Certificate download from Catalyst Center through HTTPS:443, HTTP:80 (Cisco 9800 Wireless Controller, PnP), Sensor/Telemetry.

JWT (auth token) fetch from Catalyst Center through HTTPS:443 (any Access Point using the Cisco Catalyst Assurance Intelligent Capture feature).

Note

Block port 80 if you don't use Plug and Play (PnP), Software Image Management (SWIM), Embedded Event Management (EEM), device enrollment, or Cisco 9800 Wireless Controller.

Ensure that firewall rules limit the source IP address for hosts or network devices granted access on these ports.

For more information on HTTP 80 usage, see the "HTTP Port 80 Exception List" topic in the Cisco Catalyst Center Security Best Practices Guide.

UDP 67

BOOTP

Used to initiate communication between a network device and Catalyst Center.

Keep the port open.

111

NFS

Used for Assurance backups.

Keep the port open.

UDP 123

NTP

Devices use NTP for time synchronization.

Keep the port open to allow devices to synchronize the time.

UDP 162

SNMP

Catalyst Center receives SNMP network telemetry from devices.

Keep the port open for data analytics based on SNMP.

UDP 514

Syslog

Catalyst Center receives syslog messages from devices.

Keep the port open for data analytics based on syslog.

2049

NFS

Used for Assurance backups.

Keep the port open.

UDP 6007

NetFlow

Catalyst Center receives NetFlow network telemetry from devices.

Keep the port open for data analytics based on NetFlow.

TCP 9991

Wide Area Bonjour Service

Catalyst Center receives multicast Domain Name System (mDNS) traffic from the Service Discovery Gateway (SDG) agents using the Bonjour Control Protocol.

Keep the port open on Catalyst Center if the Bonjour application is installed.

20048

NFS

Used for Assurance backups.

Keep the port open.

UDP 21730

Application Visibility Service

Application Visibility Service CBAR device communication.

Keep the port open when CBAR is enabled on a network device.

TCP 25103

Cisco 9800 Wireless Controller and Cisco Catalyst 9000 switches with streaming telemetry enabled

Used for telemetry.

Keep the port open for telemetry connections between Catalyst Center and Catalyst 9000 devices.

TCP 32626

Intelligent Capture (gRPC) collector

Used to establish a gRPC channel for receiving AP/client statistics and packet capture data related to the Cisco Catalyst Assurance Intelligent Capture feature.

Keep the port open if you are using the Cisco Catalyst Assurance Intelligent Capture (gRPC) feature.

TCP and UDP 32767

NFS

Used for Assurance backups.

Keep the port open.
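
The note above asks for source-restricted firewall rules and for port 80 to stay closed unless PnP, SWIM, EEM, device enrollment, or a Cisco 9800 Wireless Controller needs it. The following is an added example, not code from the Cisco guide: it models the "Device to Catalyst Center" rows as data and renders an nftables input chain for a firewall in front of the appliance's enterprise interface, limiting every rule to the managed-device subnets and emitting the optional ports (80, 9991, 21730, 32626) only when the matching feature flag is set. The feature names, the assumption that the NFS ports are needed only from a dedicated Assurance backup server, and all addresses are this example's own.

```python
"""Render source-restricted nftables rules for the device-to-Catalyst Center ports."""
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set


@dataclass(frozen=True)
class Service:
    proto: str                      # "tcp", "udp" or "icmp"
    port: Optional[int]             # None for ICMP
    purpose: str
    feature: Optional[str] = None   # emitted only when this feature is enabled
    source: str = "devices"         # "devices" (managed network) or "backup" (NFS server)


# Inbound services from the "Device to Catalyst Center" rows of the port table.
DEVICE_TO_CC: List[Service] = [
    Service("icmp", None, "device connectivity reporting"),
    Service("tcp", 22, "SFTP software image download"),
    Service("tcp", 443, "HTTPS image and certificate download, JWT fetch, sensor telemetry"),
    Service("tcp", 80, "HTTP image and certificate download (PnP, SWIM, 9800 WLC)", feature="http_pnp_swim"),
    Service("udp", 67, "BOOTP device-initiated contact"),
    Service("udp", 123, "NTP"),
    Service("udp", 162, "SNMP traps"),
    Service("udp", 514, "syslog"),
    Service("udp", 6007, "NetFlow"),
    Service("tcp", 9991, "Wide Area Bonjour control protocol", feature="bonjour"),
    Service("udp", 21730, "Application Visibility Service (CBAR)", feature="cbar"),
    Service("tcp", 25103, "streaming telemetry from Catalyst 9800 and 9000"),
    Service("tcp", 32626, "Intelligent Capture gRPC collector", feature="intelligent_capture"),
]
# NFS ports for Assurance backups: assumed (this example) to be needed only from the backup server.
for _port in (111, 2049, 20048, 32767):
    for _proto in ("tcp", "udp"):
        DEVICE_TO_CC.append(Service(_proto, _port, "NFS for Assurance backups", source="backup"))


def render_nft_rules(cc_ip: str, device_subnets: Sequence[str],
                     backup_servers: Sequence[str], features: Set[str]) -> List[str]:
    """One nft rule per permitted service, each limited to its allowed source group."""
    sources = {"devices": list(device_subnets), "backup": list(backup_servers)}
    rules: List[str] = []
    for svc in DEVICE_TO_CC:
        if svc.feature and svc.feature not in features:
            continue                      # optional port stays closed unless the feature is in use
        allowed = sources[svc.source]
        if not allowed:
            continue                      # no source group configured: nothing to open
        match = "ip protocol icmp" if svc.proto == "icmp" else f"{svc.proto} dport {svc.port}"
        rules.append(f'ip saddr {{ {", ".join(allowed)} }} ip daddr {cc_ip} {match} '
                     f'accept comment "{svc.purpose}"')
    return rules


def render_nft_table(cc_ip, device_subnets, backup_servers, features) -> str:
    """Wrap the rules in a default-drop input chain; everything not listed is refused."""
    body = "\n".join("        " + r for r in render_nft_rules(cc_ip, device_subnets, backup_servers, features))
    return ("table inet catc_inbound {\n"
            "    chain input {\n"
            "        type filter hook input priority 0; policy drop;\n"
            "        iif lo accept\n"
            "        ct state established,related accept\n"
            f"{body}\n"
            "    }\n"
            "}\n")


if __name__ == "__main__":
    # Constructed placeholder addresses: appliance enterprise IP, device subnets, NFS backup server.
    print(render_nft_table("10.10.10.5", ["10.20.0.0/16", "10.21.0.0/16"], ["10.30.0.7"], {"cbar"}))
```

The chain covers only the device-facing rows above; cluster, proxy, Cisco ISE, and administrator access to the GUI on TCP 443 need their own source-restricted rules before a default-drop policy is applied, and the feature flags should be revisited whenever PnP, SWIM, Bonjour, CBAR, or Intelligent Capture is enabled or retired.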

Required ports and protocols for Cisco Software-Defined Access

This topic describes the ports, protocols, and types of traffic involved in a typical Cisco SD-Access fabric deployment, similar to what is shown in the figure.

Figure 3. Cisco SD-Access fabric infrastructure
This diagram illustrates the Cisco SD-Access fabric infrastructure.

If you have implemented Cisco SD-Access in your network, use this table to plan your firewall and security policies for your Cisco SD-Access infrastructure. This setup also allows Catalyst Center to automate your network management.

Note

The appliance interface configured to route internet-bound traffic serves as the source for all communications.
Table 3. Catalyst Center traffic
Source port2 Source Destination port Destination Description
Any Catalyst Center UDP 53 DNS server From Catalyst Center to DNS server
Any Catalyst Center TCP 22 Fabric underlay From Catalyst Center to fabric switches' loopbacks for SSH
Any Catalyst Center TCP 23 Fabric underlay From Catalyst Center to fabric switches' loopbacks for Telnet (cleartext; open only for devices that cannot be managed over SSH)
Any Catalyst Center UDP 161 Fabric underlay From Catalyst Center to fabric switches' loopbacks for SNMP device discovery
ICMP Catalyst Center ICMP Fabric underlay From Catalyst Center to fabric switches' loopbacks for ICMP reachability checks during device discovery
Any Catalyst Center TCP 443 Fabric underlay Hosts applications for switches and for NFVIS
Any Catalyst Center UDP 6007 Switches and routers From Catalyst Center to switches and routers for NetFlow
Any Catalyst Center TCP 830 Fabric underlay From Catalyst Center to fabric switches for NETCONF (Cisco SD-Access embedded wireless)
UDP 123 Catalyst Center UDP 123 Fabric underlay From Catalyst Center to fabric switches for the initial period during LAN automation
Any Catalyst Center UDP 123 NTP server From Catalyst Center to NTP server
Any Catalyst Center TCP 22, UDP 161 Cisco Wireless Controller From Catalyst Center to Cisco Wireless Controller
ICMP Catalyst Center ICMP Cisco Wireless Controller From Catalyst Center to Cisco Wireless Controller
Any AP TCP 32626 Catalyst Center Used for receiving traffic statistics and packet capture data used by the Cisco Catalyst Assurance Intelligent Capture (gRPC) feature.
2 Cluster, PKI, SFTP server, and proxy port traffic are not included in this table.
Table 4. Internet connectivity traffic
Source port Source Destination port Destination Description
Any Catalyst Center TCP 443 registry.ciscoconnectdna.com Download Catalyst Center package updates
Any Catalyst Center TCP 443 www.ciscoconnectdna.com Download Catalyst Center package updates
Any Catalyst Center TCP 443 registry-cdn.ciscoconnectdna.com Download Catalyst Center package updates
Any Catalyst Center TCP 443 cdn.ciscoconnectdna.com Download Catalyst Center package updates
Any Catalyst Center TCP 443 software.cisco.com Download device software
Any Catalyst Center TCP 443 cloudsso.cisco.com Validate Cisco.com and Smart Account credentials
Any Catalyst Center TCP 443 cloudsso1.cisco.com Validate Cisco.com and Smart Account credentials
Any Catalyst Center TCP 443 cloudsso2.cisco.com Validate Cisco.com and Smart Account credentials
Any Catalyst Center TCP 443 apiconsole.cisco.com CSSM Smart Licensing API
Any Catalyst Center TCP 443 sso.cisco.com Cisco.com credentials and Smart Licensing
Any Catalyst Center TCP 443 api.cisco.com Cisco.com credentials and Smart Licensing
Any Catalyst Center TCP 443 apx.cisco.com Cisco.com credentials and Smart Licensing
Any Catalyst Center TCP 443 dashboard.meraki.com Meraki integration
Any Catalyst Center TCP 443 api.meraki.com Meraki integration
Any Catalyst Center TCP 443 n63.meraki.com Meraki integration
Any Catalyst Center TCP 443 dnacenter.uservoice.com User feedback submission
Any Catalyst Center Admin Client TCP 443 *.mapbox.com Render maps in the browser (for access through a proxy, the destination is *.mapbox.com/*)
Any Catalyst Center TCP 443 www.mapbox.com Maps and Cisco Wireless Controller country code identification
Any Catalyst Center Admin Client TCP 443 data.pendo.io, cdn.pendo.io Collect product telemetry.
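
The revocation note earlier on this page requires the IdenTrust OCSP/CRL URLs to be reachable both directly and through the configured proxy, and Table 4 lists the cisco.com and ciscoconnectdna.com hosts the appliance must reach over TCP 443. The following is an added example, not a tool from the Cisco guide: a pre-install egress check, run from the network segment where the appliance will sit, that tries each URL directly and through the proxy and flags the fail-open condition in which the revocation endpoints cannot be reached. The proxy address in the main block is a constructed placeholder, and the host list is the subset of Table 4 that the appliance itself (not the administrator's browser) contacts.

```python
"""Pre-install egress check for the URLs Catalyst Center must reach, direct and via proxy."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Iterable, List, Optional

REVOCATION_URLS = ["http://validation.identrust.com", "http://commercial.ocsp.identrust.com"]
TRUSTPOOL_URL = "http://www.cisco.com/security/pki/"
HTTPS_HOSTS = [
    "registry.ciscoconnectdna.com", "www.ciscoconnectdna.com", "registry-cdn.ciscoconnectdna.com",
    "cdn.ciscoconnectdna.com", "software.cisco.com", "cloudsso.cisco.com", "apiconsole.cisco.com",
    "sso.cisco.com", "api.cisco.com", "www.mapbox.com",
]
ALL_URLS = REVOCATION_URLS + [TRUSTPOOL_URL] + [f"https://{h}/" for h in HTTPS_HOSTS]


@dataclass
class Result:
    url: str
    via_proxy: Optional[str]   # proxy URL used, or None for a direct attempt
    ok: bool
    detail: str


def check_url(url: str, proxy: Optional[str] = None, timeout: float = 5.0) -> Result:
    """One HEAD request. proxy=None forces a direct connection (environment proxies are ignored)."""
    proxies = {"http": proxy, "https": proxy} if proxy else {}   # empty dict disables proxies
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    req = urllib.request.Request(url, method="HEAD", headers={"User-Agent": "catc-egress-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return Result(url, proxy, True, f"HTTP {resp.getcode()}")
    except urllib.error.HTTPError as err:
        # Any HTTP status, even 4xx/5xx to a HEAD, proves the path is open; only transport failures matter.
        return Result(url, proxy, True, f"HTTP {err.code}")
    except (urllib.error.URLError, OSError, ValueError) as err:
        return Result(url, proxy, False, str(err))


def run_checks(urls: Iterable[str], proxy: Optional[str], timeout: float = 5.0) -> List[Result]:
    """Try every URL directly, and again through the proxy when one is configured."""
    results: List[Result] = []
    for url in urls:
        results.append(check_url(url, None, timeout))
        if proxy:
            results.append(check_url(url, proxy, timeout))
    return results


def revocation_fails_open(results: Iterable[Result]) -> bool:
    """True if any IdenTrust OCSP/CRL endpoint was unreachable on any path."""
    return any(r.url in REVOCATION_URLS and not r.ok for r in results)


if __name__ == "__main__":
    # Constructed placeholder for the proxy that will be configured on the appliance.
    res = run_checks(ALL_URLS, proxy="http://proxy.example.internal:3128")
    for r in res:
        path = f"via {r.via_proxy}" if r.via_proxy else "direct"
        print(f"{'OK  ' if r.ok else 'FAIL'} {r.url} ({path}): {r.detail}")
    if revocation_fails_open(res):
        print("WARNING: OCSP/CRL endpoints unreachable; Catalyst Center will skip revocation checks.")
```

A FAIL on a revocation URL is a finding to fix in the proxy or firewall policy before installation, not something to accept because the cisco.com connections still succeed: the appliance will connect anyway with revocation checking disabled. A TLS interception proxy that presents its own certificate will also show up here, because the HTTPS attempts fail verification against the system trust store.
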
Table 5. Cisco Software-Defined Access fabric underlay traffic
Source port3 Source Destination port Destination Description
UDP 68 Fabric underlay UDP 67 DHCP server From fabric switches and routers to the DHCP server for DHCP Relay packets initiated by the fabric edge nodes.
Any Fabric underlay TCP 80 Catalyst Center From fabric switch and router loopback IPs to Catalyst Center for PnP
Any Fabric underlay TCP 443 Catalyst Center From fabric switch and router loopback IPs to Catalyst Center for image upgrade
Any Fabric underlay UDP 162 Catalyst Center From fabric switch and router loopback IPs to Catalyst Center for SNMP Traps
Any Fabric underlay UDP 514 Catalyst Center From fabric switches and routers to Cisco Catalyst Assurance
Any Fabric underlay UDP 6007 Catalyst Center From fabric switches and routers to Catalyst Center for NetFlow
Any Fabric underlay UDP 123 Catalyst Center From fabric switches to Catalyst Center; used when doing LAN automation
ICMP Fabric underlay ICMP Catalyst Center From fabric switch and router loopbacks to Catalyst Center for ICMP reachability during device discovery
UDP 161 Fabric underlay Any Catalyst Center From fabric switch and router loopbacks to Catalyst Center for SNMP: Device Discovery
Any Fabric underlay UDP 53 DNS server From fabric switches and routers to DNS server for name resolution
TCP and UDP 4342 Fabric underlay, control plane Any Fabric routers, switches, and Cisco Wireless Controller LISP control-plane communications; from control-plane loopback IP to Cisco Wireless Controller for fabric-enabled wireless
TCP and UDP 4342 Fabric underlay, control plane TCP and UDP 4342 Fabric routers, switches, and Cisco Wireless Controller LISP-encapsulated control messages; from control-plane loopback IP to Cisco Wireless Controller for fabric-enabled wireless

Any Fabric underlay UDP 4789 Fabric Routers and Switches Fabric-encapsulated data packets (VXLAN-GPO)
Any Fabric underlay UDP 1645/1646/1812/1813 Cisco ISE From fabric switch and router loopback IPs to Cisco ISE for RADIUS
ICMP Fabric underlay ICMP Cisco ISE From fabric switches and routers to Cisco ISE for troubleshooting
UDP 1700/3799 Fabric underlay Any Cisco ISE From fabric switches to Cisco ISE for RADIUS Change of Authorization (CoA)
Any Fabric underlay UDP 123 NTP server From fabric switch and router loopback IPs to the NTP server
Any Control plane UDP and TCP 4342/4343 Fabric routers, switches, and Cisco Wireless Controller LISP-encapsulated control messages; from control-plane loopback IP to Cisco Wireless Controller for fabric-enabled wireless
UDP and TCP 4342/4343 Control plane Any Fabric routers, switches, and Cisco Wireless Controller LISP-encapsulated control messages; from control-plane loopback IP to Cisco Wireless Controller for fabric-enabled wireless

3 Border routing protocol, SPAN, profiling, and telemetry traffic are not included in this table.
Table 6. Cisco Wireless Controller traffic
Source port Source Destination port Destination Description
UDP 5246/5247/5248 Cisco Wireless Controller Any AP IP address pool From Cisco Wireless Controller to an AP subnet for CAPWAP
ICMP Cisco Wireless Controller ICMP AP IP address pool From Cisco Wireless Controller to APs, allowing ping for troubleshooting
Any Cisco Wireless Controller TCP 443 (Cisco AireOS wireless controllers) or TCP 25103 (Cisco 9800 wireless controllers and Cisco Catalyst 9000 switches with streaming telemetry enabled) Catalyst Center From Cisco Wireless Controller to Catalyst Center for Assurance
Any Cisco Wireless Controller UDP 69/5246/5247, TCP 22 AP IP address pool From Cisco Wireless Controller to an AP subnet for CAPWAP
Any Cisco Wireless Controller UDP and TCP 4342/4343 Control plane From Cisco Wireless Controller to control-plane loopback IP address
Any Cisco Wireless Controller TCP 22 Catalyst Center From Cisco Wireless Controller to Catalyst Center for device discovery
UDP 161 Cisco Wireless Controller Any Catalyst Center From Cisco Wireless Controller to Catalyst Center for SNMP
Any Cisco Wireless Controller UDP 162 Catalyst Center From Cisco Wireless Controller to Catalyst Center for SNMP traps
Any Cisco Wireless Controller TCP 16113 Cisco Mobility Services Engine (MSE) and Cisco Spectrum Expert From Cisco Wireless Controller to Cisco MSE and Spectrum Expert for NMSP
Any Cisco Wireless Controller UDP 6007 Catalyst Center From wireless controllers to Catalyst Center for NetFlow network telemetry
ICMP Cisco Wireless Controller ICMP Catalyst Center From Cisco Wireless Controller to Catalyst Center, allowing ping for troubleshooting
Any Cisco Wireless Controller UDP 514 Various syslog servers From Cisco Wireless Controller to syslog servers (optional)
Any Cisco Wireless Controller UDP 53 DNS server From Cisco Wireless Controller to DNS server
Any Cisco Wireless Controller TCP 443 Cisco ISE From Cisco Wireless Controller to Cisco ISE for Guest SSID web authorization
Any Cisco Wireless Controller UDP 1645, 1812 Cisco ISE From Cisco Wireless Controller to Cisco ISE for RADIUS authentication
Any Cisco Wireless Controller UDP 1646, 1813 Cisco ISE From Cisco Wireless Controller to Cisco ISE for RADIUS accounting
Any Cisco Wireless Controller UDP 1700, 3799 Cisco ISE From Cisco Wireless Controller to Cisco ISE for RADIUS CoA
ICMP Cisco Wireless Controller ICMP Cisco ISE From Cisco Wireless Controller to Cisco ISE, ICMP for troubleshooting
Any Cisco Wireless Controller UDP 123 NTP server From Cisco Wireless Controller to NTP server
Table 7. Fabric-enabled wireless AP IP address pool traffic
Source port Source Destination port Destination Description
UDP 68 AP IP address pool UDP 67 DHCP server From an AP IP address pool to the DHCP server.
ICMP AP IP address pool ICMP DHCP server From an AP IP address pool to the DHCP server, ICMP for troubleshooting.
Any AP IP address pool UDP 514 Various Syslog (destination configurable). Default is 255.255.255.255.
Any AP IP address pool UDP 69/5246/5247/5248 Cisco Wireless Controller From an AP IP address pool to Cisco Wireless Controller for CAPWAP.
ICMP AP IP address pool ICMP Cisco Wireless Controller From an AP IP address pool to Cisco Wireless Controller, allowing ping for troubleshooting.
Table 8. Cisco ISE traffic
Source port4 Source Destination port Destination Description
Any Cisco ISE TCP 64999 Border From Cisco ISE to border node for SGT Exchange Protocol (SXP)
Any Cisco ISE UDP 514 Catalyst Center From Cisco ISE to syslog server (Catalyst Center)
UDP 1645/1646/1812/1813 Cisco ISE Any Fabric underlay From Cisco ISE to fabric switches and routers for RADIUS and authorization
Any Cisco ISE UDP 1700/3799 Fabric underlay, Cisco Wireless Controller From Cisco ISE to fabric switch and router loopback IP addresses for RADIUS Change of Authorization (CoA). UDP port 3799 must also be open from Cisco ISE to the wireless controller for CoA.
ICMP Cisco ISE ICMP Fabric underlay From Cisco ISE to fabric switches for troubleshooting
Any Cisco ISE UDP 123 NTP server From Cisco ISE to NTP server
UDP 1812/1645/1813/1646 Cisco ISE Any Cisco Wireless Controller From Cisco ISE to Cisco Wireless Controller for RADIUS
ICMP Cisco ISE ICMP Cisco Wireless Controller From Cisco ISE to Cisco Wireless Controller for troubleshooting
4 Note: High availability and profiling traffic are not included in this table.
Table 9. DHCP server traffic
Source port Source Destination port Destination Description
UDP 67 DHCP server UDP 68 AP IP address pool From DHCP server to fabric APs
ICMP DHCP server ICMP AP IP address pool ICMP for troubleshooting: fabric to DHCP
UDP 67 DHCP server UDP 68 Fabric underlay From DHCP to fabric switches and routers
ICMP DHCP server ICMP Fabric underlay ICMP for troubleshooting: fabric to DHCP
UDP 67 DHCP server UDP 68 User IP address pool From DHCP server to fabric switches and routers
ICMP DHCP server ICMP User IP address pool ICMP for troubleshooting: User to DHCP
Table 10. NTP server traffic
Source port Source Destination port Destination Description
UDP 123 NTP server Any Cisco ISE From NTP server to Cisco ISE
UDP 123 NTP server Any Catalyst Center From NTP server to Catalyst Center
UDP 123 NTP server Any Fabric underlay From NTP server to fabric switch and router loopback
UDP 123 NTP server Any Cisco Wireless Controller From NTP server to Cisco Wireless Controller
Table 11. DNS traffic
Source port Source Destination port Destination Description
UDP 53 DNS server Any Fabric underlay From DNS server to fabric switches
UDP 53 DNS server Any Cisco wireless controller From DNS server to Cisco Wireless Controller

Required configuration information

During appliance configuration, you must enter this information, in addition to the items listed in Required IP addresses and subnets:

  • Linux username: This is maglev. Use this username on all appliances in a cluster, including the primary and secondary nodes. You cannot change the username.

  • Linux password: Identifies the password for the Linux user named maglev. This password ensures secure access to each appliance using the Linux command line. If needed, you can assign a different password for the maglev user on each appliance in the cluster.

    Ensure that the password you configure complies with the Password requirements.

    The Linux password is encrypted and hashed in the Catalyst Center database. If you are deploying a multinode cluster, you will also be prompted to enter the primary node's Linux password on each of the secondary nodes.

  • Password generation seed (Optional): Instead of creating a Linux password, you can enter a seed phrase and click Generate Password. The Maglev Configuration wizard generates a random and secure password using this seed phrase. You can further edit the generated password by using the Auto Generated Password field.

  • Administrator passphrase: Identifies the password used for web access to Catalyst Center in a cluster. This is the password for the superuser account admin, which you use to log in to Catalyst Center for the first time (see Complete the Quick Start workflow). You are prompted to change this password when you log in for the first time.

    Ensure that the password you configure complies with the Password requirements.

  • Cisco IMC user password: Identifies the password used for access to the Cisco IMC GUI. The factory default is password, but you are prompted to change it when you first set up Cisco IMC for access using a web browser (see Enable browser access to the Cisco Integrated Management Controller).

    The Cisco IMC user password must meet the same requirements as the Linux password described earlier. It can be changed back to password only by a reset to factory defaults.

  • Primary node IP address: Required only when you are installing secondary nodes in a cluster. This is the IP address of the cluster port on the primary node (see Interface cable connections).

Required first-time setup information

After you have configured your appliances, log in to Catalyst Center and complete the essential setup tasks. During this first-time setup, provide this information:

  • New admin superuser password: You will be prompted to enter a new password for the Catalyst Center admin super user. Resetting the super user password enhances operational security. This is especially important if, for example, the enterprise staff member who installed and configured the Catalyst Center appliance is not a Catalyst Center user or administrator.

  • Cisco.com credentials: The cisco.com user ID and password that your organization uses to register software downloads and receive system communications through email.

  • Cisco Smart Account credentials: The cisco.com Smart Account user ID and password your organization uses for managing your device and software licenses.

  • IP Address Manager URL and credentials: The host name, URL, admin user name, and admin password of the third-party IP address manager (IPAM) server you plan to use with Catalyst Center. This release supports Infoblox and BlueCat.

  • Proxy URL, port, and credentials: The URL (host name or IP address), port number, user name, and user password of the proxy server you plan to use with Catalyst Center in order to get updates to the Catalyst Center software, manage device licenses, and retrieve other downloadable content.

  • Catalyst Center users: User names, passwords, and privilege settings for the new Catalyst Center users you will be creating. Always use one of the new user accounts for normal Catalyst Center operations. Use the admin super user account only for reconfiguring Catalyst Center and for operations that require super user privileges.


Important


Ensure that the passwords you configure for Catalyst Center users and the admin super user comply with the Password requirements.


For details about how to launch and respond to the first-time setup wizard that prompts you for this information, see Complete the Quick Start workflow.

Use this information to complete additional setup tasks, which can be done after your first login:

  • Cisco ISE server IP address and credentials: You will need the Cisco ISE server IP address, administrative user name, and password. These are needed to log in to and configure your organization's ISE server to share data with Catalyst Center, as explained in Integrate Cisco ISE With Catalyst Center.

    When you install or upgrade to the latest 2.3.7.x release of Catalyst Center, the system checks whether Cisco ISE is configured as an authentication and policy (AAA) server. If the correct version of Cisco ISE is already configured, you can start migrating group policy data from Cisco ISE to Catalyst Center.

    If Cisco ISE is not configured, or if the required version of Cisco ISE is not present, Catalyst Center installs, but Group Based Policy is disabled. You must install or upgrade Cisco ISE and connect it to Catalyst Center. You can then start the data migration.

    Catalyst Center data present in the previous version is preserved when you upgrade. The data migration operation merges data from Catalyst Center and Cisco ISE. If a conflict occurs during migration, the system uses data from Cisco ISE.

    If Catalyst Center becomes unavailable, and it is imperative to manage policies before Catalyst Center becomes available again, there is an option in Cisco ISE to override the Read-Only setting. This allows you to make policy changes directly in Cisco ISE. After Catalyst Center is available again, you must disable the Read-Only override on Cisco ISE, and re-synchronize the policy data on Catalyst Center Group Based Access Control Settings page.


    Caution


    Use this option only when necessary. Changes made directly in Cisco ISE do not transfer to Catalyst Center.


  • Authorization and policy server information: If you are using Cisco ISE as your authentication and policy server, you need the same information listed in the previous bullet, plus:

    • ISE CLI user name

    • CLI password

    • server FQDN

    • subscriber name (such as cc)

    • ISE SSH key (optional)

    • protocol choice (RADIUS or TACACS)

    • authentication port

    • accounting port

    • retry and timeout settings

    If you are using an authorization and policy server that is not Cisco ISE, you will need the server's IP address, protocol choice (RADIUS or TACACS), authentication port, accounting port, and retry and timeout settings.

    This information is required to integrate Catalyst Center with your chosen authentication and policy server, as explained in Configure authentication and policy servers.

  • SNMP retry and timeout values: This is required to set up device polling and monitoring, as explained in Configure SNMP properties.

Password policy

After you have deployed Catalyst Center, review these password policy requirements.

Fresh Catalyst Center deployments

This section describes password policies for new deployments.

  • The default password for the maglev user and admin superuser is P@ssword9.

    You are prompted to change the password for the admin superuser after you log in to the Catalyst Center GUI for the first time.

  • When you change any user's password or configure a new user, ensure their password complies with the new requirements.

Catalyst Center upgrades

This section explains password behavior during system upgrades.

  • Role-Based Access Control (RBAC) users configured in an earlier version of Catalyst Center can continue using their current password to log in to Catalyst Center 2.3.7.9 and later.

    For example, you upgraded an appliance from version 2.3.7.6 to 2.3.7.9. You then backed up the data from the appliance and later restored its backup file onto another appliance with Catalyst Center 2.3.7.9 installed. Existing RBAC users can log in using their current password.

  • When you change any user's password or configure a new RBAC user, ensure their password complies with the new requirements.

See Password requirements to learn the criteria your new password must meet.

Password requirements

Any user password you configure in Catalyst Center 2.3.7.9 or later must meet these requirements:

  • Is at least nine characters in length.

  • Includes characters from at least three of these categories:

    • Uppercase letters (A to Z)

    • Lowercase letters (a to z)

    • Numbers (0 through 9)

    • Special characters (such as !, $, and #)

  • Does not contain four or more consecutive characters on an English QWERTY keyboard.

    For example, 59Asdfpj! is not a valid password because it contains the adjacent keys a, s, d, and f in succession.

  • Does not contain two or more consecutive characters from the associated username.

  • Does not contain a complete word from any language.

  • Does not contain a phrase based on personal information.


Note


You can reuse a previous password only after you use 24 different passwords.
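
The following is an added example, not code from the Cisco guide: a checker for the requirements listed above, meant to be run before a password is entered in the Maglev Configuration wizard or the user-management page. The QWERTY row layout, the reading of the keyboard rule as four or more adjacent keys in a row (forward or reversed), and the reading of the username rule as any two-character substring of the username are this example's interpretations. The dictionary and personal-information rules cannot be checked mechanically, so the caller supplies a word list and personal terms; the ones in the main block are constructed samples.

```python
"""Check a candidate Catalyst Center password against the documented requirements."""
import string
from typing import Iterable, List

MIN_LENGTH = 9
QWERTY_ROWS = ("`1234567890-=", "qwertyuiop[]", "asdfghjkl;'", "zxcvbnm,./")   # assumed layout
KEYBOARD_RUN = 4      # runs of this many adjacent keys are rejected (e.g. "asdf")
USERNAME_RUN = 2      # this many consecutive username characters are rejected
CATEGORIES = (
    lambda c: c in string.ascii_uppercase,
    lambda c: c in string.ascii_lowercase,
    lambda c: c in string.digits,
    lambda c: c in string.punctuation,
)


def has_keyboard_run(password: str, run: int = KEYBOARD_RUN) -> bool:
    """True if any `run` consecutive password characters are adjacent keys on a QWERTY row."""
    pw = password.lower()
    rows = QWERTY_ROWS + tuple(r[::-1] for r in QWERTY_ROWS)   # reversed runs such as "fdsa" count too
    return any(pw[i:i + run] in row for i in range(len(pw) - run + 1) for row in rows)


def shares_username_run(password: str, username: str, run: int = USERNAME_RUN) -> bool:
    """True if any `run` consecutive characters of the username appear in the password."""
    pw, user = password.lower(), username.lower()
    return any(user[i:i + run] in pw for i in range(len(user) - run + 1))


def category_count(password: str) -> int:
    """Number of character categories (upper, lower, digit, special) present."""
    return sum(any(test(c) for c in password) for test in CATEGORIES)


def validate(password: str, username: str,
             wordlist: Iterable[str] = (), personal: Iterable[str] = ()) -> List[str]:
    """Return the violated requirements; an empty list means the password is acceptable."""
    problems: List[str] = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if category_count(password) < 3:
        problems.append("uses fewer than three character categories")
    if has_keyboard_run(password):
        problems.append(f"contains {KEYBOARD_RUN} or more consecutive QWERTY keys")
    if shares_username_run(password, username):
        problems.append(f"contains {USERNAME_RUN} or more consecutive characters of the username")
    pw = password.lower()
    if any(w.lower() in pw for w in wordlist if w):
        problems.append("contains a dictionary word")
    if any(p.lower() in pw for p in personal if p):
        problems.append("contains personal information")
    return problems


if __name__ == "__main__":
    words = {"password", "cisco", "summer"}          # constructed sample word list
    personal_terms = ["smith", "1984"]              # constructed sample personal details
    for candidate in ("59Asdfpj!", "P@ssword9", "Vx7#Qm2!pL"):
        print(candidate, "->", validate(candidate, "admin", words, personal_terms) or "OK")
```

Because the username rule rejects any two adjacent characters of the login name, short usernames such as admin or maglev rule out a surprising number of otherwise strong passwords; generate candidates and run them through this check rather than guessing, and remember that the wizard enforces the same rules on the Cisco IMC password.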