Cisco Catalyst Center 3.1.x on ESXi Deployment Guide

Deployment prerequisites

VMware vSphere installation

VMware vSphere includes several components.

Use VMware vSphere 7.0.x or later, including all patches, for running Catalyst Center on ESXi. To access the overview of the VMware vSphere installation and setup process, see VMware Installation and Setup.

After installing VMware vSphere, verify that it can be reached from the computer you will use to deploy the virtual appliance's OVA file.


Enterprise interface reservations

An enterprise interface reservation is a network configuration requirement that

  • dedicates an interface on the virtual appliance for enterprise network connectivity,

  • requires recording the assigned IP address for later use during appliance setup, and

  • may support management interfaces and additional network interfaces for appliance administration.

Before setting up the virtual appliance:

  • Reserve at least one 1-Gbps or 10-Gbps Enterprise interface to connect to your enterprise network.

  • Note the IP address for this interface. You will enter it later during appliance configuration.

  • Optionally, reserve a 1-Gbps or 10-Gbps Management interface for accessing the Catalyst Center on ESXi GUI. Note its IP address if you plan to configure it.

Note these points:

  • The IP address of the intracluster interface is predefined. You do not need to enter it when you complete either the Maglev Configuration wizard with default mode selected or the browser-based Install Configuration wizard.

  • Catalyst Center on ESXi supports configuring one additional interface for use by the virtual appliance. If you do so, choose VMXNET from the Adapter Type drop-down list. If you select a different type, the appliance configuration will not complete successfully. For more information, see the Add a Network Adapter to a Virtual Machine topic in vSphere Virtual Machine Administration.


Import the IdenTrust certificate chain

The Catalyst Center on ESXi OVA file is signed with an IdenTrust CA certificate. This certificate is not included in the default VMware truststore.

If the certificate is invalid, the Deploy OVF Template wizard's Review details page displays a warning. To resolve this issue, you can import the IdenTrust certificate chain to the host or cluster on which you want to deploy the OVA file.

Procedure

1. On the VMware ESXi host or cluster where your virtual appliance will reside, download trustidevcodesigning5-3.1.6-VA.tar.gz from the same location as the Catalyst Center on ESXi OVA file.

2. Extract the downloaded file to a local directory.

3. Log in to the vSphere Web Client.

4. Choose Administration > Certificates > Certificate Management.

5. In the Trusted Root Certificates field, click Add.

6. In the Add Trusted Root Certificate dialog box, click Browse.

7. Extract the file that you downloaded in Step 1 and select the trustidevcodesigning5.pem file. Then click Open.

8. Check the Start Root certificate push to vCenter Hosts check box, then click Add.

   A message confirms that the certificate chain is imported successfully.

After you complete the Deploy OVF Template wizard, the Publisher field in the Review details page shows that you are using a trusted certificate.
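Whether the Review details page shows a warning depends only on what vSphere has in its truststore, so an independent integrity check of the downloaded OVA before import is a useful second line of defence. The following is an added example (not from the Cisco guide or from VMware): it unpacks an OVA, parses its .mf manifest (one `SHA256(name)= digest` line per packaged file) and recomputes every listed digest. It does not verify the detached .cert signature, which needs the IdenTrust chain and a tool such as openssl; the file names and contents it builds are constructed sample data.

```python
import hashlib
import io
import re
import tarfile

MF_LINE = re.compile(r"^(SHA1|SHA256|SHA512)\(([^)]+)\)\s*=\s*([0-9a-f]+)$", re.I)

def parse_manifest(text):
    """Map each file named in an OVF manifest (.mf) to (algorithm, hex digest).
    Lines look like:  SHA256(appliance.ovf)= 3a7f...  (one per packaged file)."""
    entries = {}
    for line in filter(None, map(str.strip, text.splitlines())):
        if not (m := MF_LINE.match(line)):
            raise ValueError(f"malformed manifest line: {line!r}")
        algo, name, digest = m.groups()
        entries[name] = (algo.lower(), digest.lower())
    return entries

def verify_ova_manifest(ova_bytes):
    """Recompute every digest the manifest lists. Returns (ok, problems)."""
    problems = []
    with tarfile.open(fileobj=io.BytesIO(ova_bytes), mode="r:*") as tar:
        members = {m.name: m for m in tar.getmembers() if m.isfile()}
        (mf_name,) = [n for n in members if n.endswith(".mf")]  # exactly one manifest
        entries = parse_manifest(tar.extractfile(members[mf_name]).read().decode())
        for name, member in members.items():
            if name == mf_name or name.endswith(".cert"):
                continue  # the manifest and its detached signature are not self-listed
            if name not in entries:
                problems.append(f"{name}: not covered by manifest")
                continue
            algo, expected = entries[name]
            if hashlib.new(algo, tar.extractfile(member).read()).hexdigest() != expected:
                problems.append(f"{name}: digest mismatch")
        problems += [f"{n}: listed in manifest but missing" for n in entries if n not in members]
    return not problems, problems

def build_sample_ova(tamper=False):
    """Constructed toy OVA for demonstration only (not a real appliance image)."""
    files = {"appliance.ovf": b"<Envelope/>", "disk1.vmdk": b"KDMV" + bytes(64)}
    mf = "".join(f"SHA256({n})= {hashlib.sha256(d).hexdigest()}\n" for n, d in files.items())
    if tamper:
        files["disk1.vmdk"] += b"X"  # image altered after the manifest was produced
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in {**files, "appliance.mf": mf.encode()}.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()
```

Run against a real download, `verify_ova_manifest(open("appliance.ova", "rb").read())` reports any file whose digest no longer matches the manifest or that the manifest does not cover.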


DNS, NTP, and proxy server settings

While configuring your virtual appliance, you must prepare the DNS, NTP, and proxy servers that your virtual appliance will use.

You will be prompted to specify three items:

  • The Domain Name System (DNS) server that Catalyst Center on ESXi will use to convert domain names to IP addresses.

  • The Network Time Protocol (NTP) server that Catalyst Center on ESXi will use for clock synchronization.

  • (Optional) The proxy server that Catalyst Center on ESXi will use to access internet-bound URLs.

Before you configure your virtual appliance, do the following:

  • Ensure that the servers you want to use are available and running.

  • For an NTP server, obtain its IP address or hostname. For a proxy server, collect either its URL or hostname and its login credentials.


Required internet URLs and fully qualified domain names

You must provide secure access to the required URLs and Fully Qualified Domain Names (FQDNs) for the virtual appliance to function.

This table describes the features that make use of each URL and FQDN. You must configure either your network firewall or a proxy server so that IP traffic can travel to and from the appliance and these resources.

Caution

If you do not provide access to the listed URLs and FQDNs, the associated features will not work as intended.

Note

Since the destination domain names for third-party vendors may change without notice, it is mandatory to specify them using wildcards.

For more information about proxy access requirements, see "Provide secure access to the internet" in the Cisco Catalyst Center Third-Generation Installation Guide.

Table 1. Required URLs and FQDN access

Each entry pairs a task ("In order to...") with the URLs and FQDNs that Catalyst Center must access for it.

In order to: Download updates for system software and application packages, and submit user feedback to the product team.
Catalyst Center must access: Recommended: *.ciscoconnectdna.com:443 [1]. To avoid wildcards, specify these URLs instead:

  • https://www.ciscoconnectdna.com
  • https://cdn.ciscoconnectdna.com
  • https://registry.ciscoconnectdna.com
  • https://registry-cdn.ciscoconnectdna.com
  • https://app-cdn.ciscoconnectdna.com

In order to: Submit user feedback to the product team.
Catalyst Center must access: https://dnacenter.uservoice.com

In order to: Cisco Catalyst Center update package.

In order to: Smart Account and SWIM software downloads.

In order to: Authenticate with the cloud domain.
Catalyst Center must access: https://dnaservices.cisco.com

In order to: Integrate with ThousandEyes.
Catalyst Center must access:

  Version 3.1.6 and later:
  • app.thousandeyes.com (this URL uses AWS and might map to *.awsglobalaccelerator.com; other services that use AWS could also map to the AWS domain)
  • api.thousandeyes.com

  Version 3.1.5 and earlier:
  • *.awsglobalaccelerator.com
  • api.thousandeyes.com

In order to: Allow API calls to enable access to Cisco CX Cloud Success Tracks. Otherwise, the enhancements made to extended configuration-based scanning for the Security Advisories, Bug Identifier, and EOX features that Machine Reasoning Engine (MRE) supports will not operate as expected.
Catalyst Center must access: https://api-cx.cisco.com

In order to: Integrate with Webex.
Catalyst Center must access:

  • http://analytics.webexapis.com
  • https://webexapis.com

In order to: User feedback.
Catalyst Center must access: https://dnacenter.uservoice.com

In order to: Connect to Cisco Catalyst Cloud and the apps hosted there (for example, AppX MS Teams Integration and Talos integration).
Catalyst Center must access: *.cisco.com:443. Otherwise, the specific FQDNs are:

  • neoffers.cisco.com
  • neoffers-de.cisco.com
  • neoffers-sg.cisco.com
  • dnaservices.cisco.com

In order to: Integrate with Cisco Meraki.
Catalyst Center must access: Recommended: *.meraki.com:443. Customers who want to avoid wildcards can specify these URLs instead:

  • dashboard.meraki.com:443
  • api.meraki.com:443
  • n63.meraki.com:443

In order to: Check SSL/TLS certificate revocation status using OCSP/CRL.
Catalyst Center must access:

  Version 3.1.5 and earlier:

  Version 3.1.6 and later:

  Note

  Ensure these URLs are reachable directly and through the proxy server configured for Catalyst Center.

In order to: Allow Cisco authorized specialists to collect troubleshooting data when Catalyst Center Remote Support functionality is enabled.
Catalyst Center must access: wss://prod.radkit-cloud.cisco.com:443

In order to: Integrate with cisco.com and Cisco Smart Licensing.
Catalyst Center must access: *.cisco.com:443. To avoid wildcards, specify these URLs instead:

  • software.cisco.com
  • cloudsso.cisco.com
  • cloudsso1.cisco.com
  • cloudsso2.cisco.com
  • apiconsole.cisco.com
  • api.cisco.com
  • apx.cisco.com
  • smartreceiver.cisco.com
  • sso.cisco.com
  • apmx-prod1-vip.cisco.com
  • apmx-prod2-vip.cisco.com
  • Version 3.1.6 and later: tools.cisco.com
  • Version 3.1.6 and later: tools1.cisco.com
  • Version 3.1.6 and later: tools2.cisco.com

In order to: Connect to the Network-Based Application Recognition (NBAR) cloud.
Catalyst Center must access: prod.sdavc-cloud-api.com:443

In order to: Enable the Rogue Management application to detect rogue vendor names.
Catalyst Center must access: Version 3.1.6 and later: https://standards-oui.ieee.org/

In order to: Render accurate information in site and location maps.
Catalyst Center must access:

  • www.mapbox.com
  • *.tiles.mapbox.com/* :443. For a proxy, the destination is *.tiles.mapbox.com/*

In order to: Collect Cisco AI Network Analytics data.
Catalyst Center must access: the Cisco AI Network Analytics cloud hosts. Configure your network or HTTP proxy to allow outbound HTTPS (TCP 443) access to these hosts.

In order to: Access a menu of interactive help flows that let you complete specific tasks from the GUI.
Catalyst Center must access: https://ec.walkme.com

In order to: Access the licensing service.
Catalyst Center must access: https://swapi.cisco.com

In order to: Integrate with Cisco Spaces.

[1] Cisco owns and maintains ciscoconnectdna.com and its subdomains. The Cisco Connect DNA infrastructure meets Cisco Security and Trust guidelines. It is tested for security on a continuous basis. This infrastructure is robust, with built-in load balancing and automation capabilities. A cloud operations team monitors and maintains the infrastructure to ensure continuous availability.
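Once the firewall or proxy allowlist is in place, checking that the appliance's actual egress matches the table catches both missing entries and over-broad rules (a substring match on "cisco.com" would also admit "notcisco.com"). The example below is added here and is not part of the Cisco guide: it reduces a constructed subset of the Table 1 entries to host patterns and ports, applies anchored wildcard matching, and audits constructed proxy CONNECT records for destinations the table does not account for.

```python
import re

# Subset of Table 1 in the spellings the table uses (constructed list for illustration).
REQUIRED_DESTINATIONS = [
    "*.ciscoconnectdna.com:443",
    "https://dnacenter.uservoice.com",
    "*.cisco.com:443",
    "wss://prod.radkit-cloud.cisco.com:443",
    "www.mapbox.com",
    "*.tiles.mapbox.com/* :443",
    "http://analytics.webexapis.com",
]
ENTRY = re.compile(r"^(?:([a-z]+)://)?([*a-z0-9.-]+)(?:/\S*)?\s*(?::(\d+))?$", re.I)

def parse_entry(entry):
    """Reduce one table entry to (host_pattern, port); path parts do not affect egress rules."""
    m = ENTRY.match(entry.strip())
    if not m:
        raise ValueError(f"unrecognised entry: {entry!r}")
    scheme, host, port = m.groups()
    return host.lower(), int(port) if port else (80 if (scheme or "").lower() == "http" else 443)

def host_matches(pattern, host):
    """Anchored wildcard match: '*.cisco.com' covers 'sso.cisco.com' but neither the apex
    'cisco.com' nor 'notcisco.com', which a naive substring test would let through."""
    host = host.lower().rstrip(".")
    return host.endswith(pattern[1:]) if pattern.startswith("*.") else host == pattern

def is_required_destination(host, port, entries=REQUIRED_DESTINATIONS):
    return any(host_matches(p, host) and port == pp for p, pp in map(parse_entry, entries))

def audit_proxy_log(lines):
    """Return (host, port) pairs from CONNECT records that Table 1 does not account for."""
    unexpected = []
    for line in lines:
        m = re.search(r"\bCONNECT\s+([^\s:]+):(\d+)", line)
        if m and not is_required_destination(m.group(1), int(m.group(2))):
            unexpected.append((m.group(1), int(m.group(2))))
    return unexpected

# Constructed proxy log lines (not real traffic) for an appliance at 10.0.0.5.
SAMPLE_LOG = """\
2024-06-01T10:00:01Z 10.0.0.5 CONNECT software.cisco.com:443
2024-06-01T10:00:02Z 10.0.0.5 CONNECT registry-cdn.ciscoconnectdna.com:443
2024-06-01T10:00:03Z 10.0.0.5 CONNECT a.tiles.mapbox.com:443
2024-06-01T10:00:04Z 10.0.0.5 CONNECT notcisco.com:443
2024-06-01T10:00:05Z 10.0.0.5 CONNECT cisco.com:443
2024-06-01T10:00:06Z 10.0.0.5 CONNECT sso.cisco.com:8443
""".splitlines()
```

`audit_proxy_log(SAMPLE_LOG)` flags the apex `cisco.com`, the unrelated `notcisco.com`, and the non-443 port; a flagged entry means either the allowlist is incomplete or the appliance is reaching somewhere the table does not expect.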

Enable storage input/output control

For the datastore in which you are planning to deploy a virtual appliance, complete the following procedure so that the appliance's virtual machine input/output (I/O) is prioritized over other virtual machines when the network is experiencing I/O congestion.

Procedure

1. In the vSphere Client, navigate to and click the datastore in which you plan to deploy a virtual appliance.

2. Click the Configure tab, then click General.

3. In the Datastore Capabilities area, click Edit.

4. In the Configure Storage I/O Control window, do the following:

   1. Click the Enable Storage I/O Control and statistics collection radio button.

   2. In the Storage I/O congestion threshold area, configure the congestion threshold you want to use. You can either specify a peak throughput percentage or enter a value (in milliseconds).

   3. (Optional) In the Statistic Collection area, check the Include I/O statistics for SDRS check box.

5. Click OK.


HA admission control settings

You cannot create three-node clusters by connecting Catalyst Center on ESXi VMs. To enable high availability (HA), use the HA functionality in VMware vSphere. Enable strict admission control to ensure that:

  • The system does not power on a virtual machine if that action would violate availability constraints.

  • The system enforces configured failover capacity limits.

  • HA operates as expected during a failover.


Quick Start Workflow preparations

After you create a virtual machine on an ESXi host and configure a Catalyst Center on ESXi virtual appliance, you'll be prompted to complete the Quick Start workflow. By completing this workflow, you will discover the devices that Catalyst Center on ESXi will manage. You will also enable the collection of telemetry from those devices. Complete these tasks to finish the workflow:

  • Decide on the username and password for the new admin user you will create. The default admin username and password (admin/P@ssword9) should be used only the first time you log in to Catalyst Center on ESXi.

    Changing this password is critical to network security, especially when the people who set up a Catalyst Center on ESXi virtual appliance are not the same people who will serve as its administrators.

  • Obtain the credentials you use to log in to Cisco.com.

  • Identify the users who need access to your system. For these users, define their roles, unique passwords, and privilege settings.

You have the option to use an IPAM server and Cisco Identity Services Engine (ISE) with your virtual appliance. If you choose to use one or both of them, you'll also need to obtain the relevant URL and login information.