Cisco Catalyst Center Global Manager Deployment Guide, Release 1.3.1

Required firewall ports and connectivity

Overview

This section details the necessary firewall access rules, the specific TCP/UDP ports to open for various services (UI, shell, TACACS+, DNS, NTP, HTTPS, RADIUS, NFS), and the connectivity requirements between Catalyst Center Global Manager and controllers.

  • Firewall Access: Allow outbound access to ciscoconnectdna.com.

  • Connectivity: Ensure connectivity exists between the Catalyst Center Global Manager and the controllers. Catalyst Center Global Manager supports only one interface for the enterprise edition.

  • Supported Infrastructure:

    • Physical or virtual Catalyst Center appliances (single node or High Availability (HA) or Virtual Appliance (VA)).

    • VMware ESXi and vCenter, version 7.0.x or later

    • Network Time Protocol (NTP) needs to be synchronized between the Catalyst Center Global Manager and Catalyst Centers. Alternatively, ensure they maintain a maximum time difference of one second.

  • Ports required to be open on the firewall: Open these ports on the firewall to enable communication with the HTTPS-enabled browsers and allow Catalyst Center Global Manager to interact with Catalyst Centers globally.

Administering or configuring Catalyst Center Global Manager.

| Port | Service name | Purpose | Recommended action |
|---|---|---|---|
| TCP 443 | UI, REST, HTTPS | GUI, REST, HTTPS management port. | Open the port. |
| TCP 2222 | Catalyst Center Global Manager shell | Connect to the Catalyst Center Global Manager shell. | Keep the port open. Restrict the known IP address to be the source. |
| TCP 9004 | Web UI installation | Serves the GUI-based installation page. (This port is required only if you decide to install Catalyst Center Global Manager using the web-based option.) | Keep the port open until the node installation is complete. |

Catalyst Center Global Manager outbound to Catalyst Center and other systems.

| Port | Service name | Purpose | Recommended action |
|---|---|---|---|
| TCP 49 | TACACS+ | Needed only if you are using external authentication such as Cisco ISE with a TACACS+ server. | Open the port only if you are using external authentication with a TACACS+ server. |
| UDP and TCP 53 | DNS | Used to resolve a DNS name to an IP address. | Open the port when you use DNS names instead of IP addresses for other services, such as an NTP DNS name. |
| UDP 123 | NTP | Catalyst Center Global Manager uses NTP to synchronize the time from the source that you specify. | Open the port for time synchronization. |
| TCP 443 | HTTPS | Catalyst Center Global Manager uses HTTPS for cloud-tethered upgrades, periodic polling from Catalyst Center and communication with HTTPS-enabled browsers. | Open the port. |
| UDP 1645 or 1812 | RADIUS | Needed only if you are using external authentication with a RADIUS server. | Open the port only if an external RADIUS server is used to authenticate user login to Catalyst Center. |
| 111 | NFS | Used for Assurance backups. | Open the port. |
| 2049 | NFS | Used for Assurance backups. | Open the port. |
| 20048 | NFS | Used for Assurance backups. | Open the port. |
| TCP and UDP 32767 | NFS | Used for Assurance backups. | Open the port. |
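The port matrix above can be checked against a firewall rule export. The following is an added example, not Cisco code: the rule format, the `audit` function, the condition labels and the sample addresses are all assumptions made for illustration.

```python
import ipaddress

# Port matrix transcribed from the table on this page. Labels are this example's own.
# Proto None: the page lists that NFS port without naming TCP or UDP.
MATRIX = {
    ("tcp", 443): "always", ("tcp", 2222): "restricted", ("tcp", 9004): "install",
    ("tcp", 49): "tacacs", ("tcp", 53): "dns", ("udp", 53): "dns",
    ("udp", 123): "always", ("udp", 1645): "radius", ("udp", 1812): "radius",
    (None, 111): "always", (None, 2049): "always", (None, 20048): "always",
    ("tcp", 32767): "always", ("udp", 32767): "always",
}

def audit(rules, admin_nets, features, install_done):
    """Return (port, proto, finding) for each allow rule that deviates from the matrix."""
    admin = [ipaddress.ip_network(n) for n in admin_nets]
    findings = []
    for r in rules:
        proto, port = r["proto"], r["port"]
        cond = MATRIX.get((proto, port)) or MATRIX.get((None, port))
        src = ipaddress.ip_network(r.get("src", "0.0.0.0/0"))
        known = any(src.version == a.version and src.subnet_of(a) for a in admin)
        if cond is None:
            findings.append((port, proto, "not in the port matrix"))
        elif cond == "restricted" and not known:
            findings.append((port, proto, "shell port open to a source outside the known addresses"))
        elif cond == "install" and install_done:
            findings.append((port, proto, "installer port still open after installation"))
        elif cond in ("tacacs", "dns", "radius") and cond not in features:
            findings.append((port, proto, f"{cond} port open but {cond} is not in use"))
    return findings

# Constructed sample rules (not from the page); addresses are RFC 5737 documentation ranges.
SAMPLE_RULES = [
    {"proto": "tcp", "port": 443},
    {"proto": "tcp", "port": 2222, "src": "0.0.0.0/0"},
    {"proto": "tcp", "port": 2222, "src": "192.0.2.10/32"},
    {"proto": "tcp", "port": 9004},
    {"proto": "udp", "port": 1812},
    {"proto": "udp", "port": 123},
    {"proto": "tcp", "port": 2049},
    {"proto": "tcp", "port": 8080},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES, ["192.0.2.0/28"], {"dns"}, install_done=True):
        print(finding)
```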