The following table details the planning and information-gathering tasks you must perform before attempting to install, configure
and set up your appliances. When you have completed the tasks in this table successfully, you can continue by physically installing
your appliances in the data center.
Click this link for a video series giving an overview of Cisco DNA Center and of the installation and configuration process.
About Cisco DNA Center and Software-Defined Access
You can use Cisco DNA Center to manage any type of network, including networks that employ Cisco's Software-Defined Access Fabric architecture (also known
as SD-Access or SDA). The revolutionary SDA approach transforms conventional networks into Intent-Based Networks, where business
logic becomes a physical part of the network, making it easy to automate day-to-day tasks such as configuration, provisioning
and troubleshooting. Cisco's SD-Access Solution reduces the time it takes to adapt the network to business needs, improves
issue resolutions, and reduces security-breach impacts.
A complete discussion of the SDA solution is outside the scope of this guide. Network architects and administrators planning
to implement an SDA Fabric architecture for use with Cisco DNA Center can find additional information and guidance from the following resources:
For more on the Digital Network Architecture that is the foundation of Cisco DNA Center and the SDA solution, and the roles other Cisco and third-party products and solutions play in this innovative architecture,
see the Cisco DNA Design Zone.
For other design guides, deployment guides, and white papers, see the Cisco Design Zone.
Required Interface Cable Connections
In order to use Cisco DNA Center to manage your network, you must connect the appliance interface ports to your network, using switches to manage these connections.
While there are many possible alternative connection schemes, Cisco recommends that you make the following port-to-switch
10Gbps Cluster Port (Port 2, enp10s0, Network Adapter 1): This is the left-hand port on the VIC 1227 card in the appliance mLOM slot. Its purpose is to enable communications among
the master and add-on nodes in a Cisco DNA Center cluster. Cable this port to an access switch with connections to the other nodes in the cluster.
10Gbps Enterprise Port (Port 1, enp9s0, Network Adapter 4): This is the right-hand port on the VIC 1227 card in the appliance mLOM slot. Its purpose is to enable Cisco DNA Center to communicate with and manage your network. Cable this port to an access switch with connections to the enterprise network.
1Gbps CIMC Port (M): This port provides browser access to the CIMC out-of-band appliance management interface and its graphic user interface.
Its purpose is to allow you to manage the appliance and its hardware. Cable this port to an access switch with connections
to your enterprise management network.
1Gbps Cisco DNA Center GUI Port (1, enp1s0f0, Network Adapter 2): This port provides access to the Cisco DNA Center graphic user interface. Its purpose is to enable users to manage your network using the Cisco DNA Center software. Cable this port to an access switch with connections to your enterprise management network.
1Gbps Cloud Port (2, enp1s0f1, Network Adapter 3): This port is optional. Use it only if you cannot connect the appliance to the Internet (including to your Internet proxy
server) using the 10Gbps Enterprise Port (Port 1, enp9s0, Network Adapter 4). If you need to use the Cloud Port, cable it
to an access switch with connections to your Internet proxy server.
The following figure shows the recommended connections for a standalone Cisco DNA Center master node:
The following figure shows recommended connections for a three-node cluster of Cisco DNA Center appliances. As you can see, all but one of the connections for each node in the cluster are the same as those for a standalone
node, and use the same ports. The exception is the cluster port, which is required so that each host in the cluster can communicate
with the others.
Multi-node cluster deployments require all member nodes to be in the same network and at the same site. Cisco DNA Center does not support distribution of nodes across multiple networks or sites.
When cabling the 10Gbps Enterprise and Cluster ports, please note that both ports support the following media types only:
SFP-10G-USR (Ultra short range, MMF)
SFP-10G-SR (Short range, MMF)
SFP-10G-LR (Long range, SMF)
10GBASE-CU SFP+ Cable 1 Meter
10GBASE-CU SFP+ Cable 3 Meter
10GBASE-CU SFP+ Cable 5 Meter
10GBASE-CU SFP+ Cable 7 Meter
SFP-10GB-ACU Cable 7 Meter
Cisco access switches will automatically detect and adjust to the media type you use.
Required IP Addresses and Subnets
Before beginning the installation, you will need to ensure that your network has sufficient IP addresses available to assign
to each of the Cisco DNA Center appliance ports you plan on using.
Depending on whether you are installing the appliance as the master node or as an add-on node in a cluster, and on other options
you select, you will need the following appliance port (NIC) addresses:
All of the IP addresses called for in these requirements must be valid, physical IPv4 addresses with valid IPv4 netmasks.
Cloud Port Address (Optional): One IP address with subnet mask for the 1Gbps Cloud Port (2, enp1s0f1, Network Adapter 3) shown in the figure below. This
is an optional port, used only when you cannot connect to the cloud using the Enterprise Port. You do not need an IP for the
Cloud Port unless you must use it for this purpose.
Cisco DNA Center GUI Port Address (Required): One IP address with subnet mask for the 1Gbps Cisco DNA Center Port (1, enp1s0f0, Network Adapter 2) shown in the figure below. This port is required, as it allows you to access the Cisco DNA Center GUI.
CIMC Port Address (Required): One IP address with subnet mask for the 1Gbps CIMC Port (Port M) shown in the figure below.
Enterprise Port Address (Required): One IP address with subnet mask for the 10Gbps Enterprise Port (Port 1, enp9s0, Network Adapter 4) shown in the figure below.
Cluster Port Address (Required): One IP address with subnet mask for the 10Gbps Cluster Port (Port 2, enp10s0, Network Adapter 1) shown in the figure below.
During configuration, the Maglev Configuration Wizard will not permit you to proceed until you have assigned the Cluster Link
option to an interface. Cisco recommends that you designate port enp10s0 as the Cluster Link. Please be aware, however, that
the interface marked as the Cluster Link cannot be changed once configuration completes. If you must later change the interface
marked as the Cluster Link, a reinstall will be required. With this in mind, Cisco recommends setting up the Cluster Port
with an IP address even if it is not going to be cabled, so as to allow for expansion to a three-node cluster in the future.
You will also need the following additional IP addresses and dedicated IP subnets, which are prompted for and applied during
configuration of the appliance:
Cluster Virtual IP Address (Required): One IP address with subnet mask for a VIP used for all traffic between the appliance cluster and your enterprise network.
As this is a virtual IP, it is stored as part of the master node configuration.
If you are installing the appliance as standalone master node, this is technically optional. However, you will be prompted
for it during configuration and it is required in order to add nodes and create a multi-node cluster configuration. For these
reasons, Cisco strongly recommends that you choose and assign the cluster VIP address during configuration of the master node.
Default Gateway IP Address (Required): The IP address for your network's preferred default gateway. If no other routes match the traffic, traffic will be routed
through this IP address. The default gateway IP must be in the same subnet as the Enterprise Port Address.
DNS Server IP Addresses (Required): The IP address and subnet mask for one or more of your network's preferred DNS servers. During configuration, you can specify
multiple DNS server IP addresses and netmasks by entering them as a space-separated list. Note that, due to an unresolved
bug, customers currently cannot change the list of DNS servers after configuration. If you find that you must change the list
of DNS server IPs after configuration, contact the Cisco Technical Assistance Center (TAC).
Static Route Addresses (Optional): The IP addresses, subnet masks and gateways for one or more static routes. During configuration, you can specify multiple
static-route IP addresses, netmasks and gateways by entering them as a space-separated list.
You can set one or more static routes for any interface on the appliance. You should supply static routes when you want to
route traffic in a specific direction other than the default gateway. Each of the interfaces with static routes will be set
as the "device" the traffic will be routed through in the IP route command table. For this reason, it is important to match
the static route directions with the interface through which the traffic will be sent.
Static routes are not recommended in network device routing tables such as those used by switches and routers. Dynamic routing
protocols are better for this. However, you should add them where needed to allow the Cisco DNA Center appliance access to particular parts of the network that can be reached no other way.
NTP Server IP Addresses (Required): The DNS-resolvable hostname, or IP address and subnet mask, for at least one Network Time Protocol (NTP) server.
During configuration, you can specify multiple NTP server IPs/masks or hostnames by entering them as a space-separated list.
For a production deployment, Cisco recommends that you configure a minimum of three NTP servers.
You will specify these servers during pre-flight hardware synchronization and again during configuration of the Cisco DNA Center software on each appliance in the cluster. Time synchronization is critical to the accuracy of Cisco DNA Center data and coordination of processing across a multi-host cluster. Before deploying Cisco DNA Center in production, make sure that the time on the appliance system clock is current and that the Network Time Protocol (NTP)
servers you specified are keeping accurate time. If you are planning to integrate Cisco DNA Center with Cisco Identity Services Engine (ISE), you should also ensure that ISE is synchronizing with the same NTP servers as
Cisco DNA Center.
Services Subnet (Required): Identifies one dedicated IP subnet for Cisco DNA Center to use in managing and getting IPs for communications among its internal application services, such as Assurance, inventory
collection, and so on. The dedicated IPv4 Services Subnet must not conflict or overlap with any other subnet in use in the
enterprise network, including the Cluster Services Subnet. The minimum size of the subnet is 21 bits. The Services Subnet
must conform with the IETF RFC1918 specification for private networks (for details, see RFC1918, Address Allocation for Private Internets, and the Wikipedia article "Private network"). An example of a conformant Services Subnet would be 10.10.10.0/21.
Cluster Services Subnet (Required): Identifies one dedicated IP subnet for Cisco DNA Center to use in managing and getting IPs for communications among its infrastructure services, such as database access, the message
bus, and so on. The dedicated IPv4 Cluster Services subnet must not conflict or overlap with any other subnet in use in the
enterprise network, including the dedicated Cisco DNA Center Services Subnet. The minimum size of the subnet is 21 bits. The Cluster Services Subnet must conform with the IETF RFC1918
specification for private networks (for details, see RFC1918, Address Allocation for Private Internets, and the Wikipedia article "Private network"). An example of a conformant Cluster Services Subnet would be 172.16.10.0/21. If you were to specify 10.10.10.0/21 as your
Services Subnet, you could also specify a Cluster Services Subnet of 10.0.8.0/21, since these two subnets do not overlap.
Also note that the Configuration Wizard will detect any overlap between these subnets and will prompt you to correct the overlap.
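The address rules above (valid IPv4 address and mask on every port, default gateway inside the Enterprise Port subnet, two dedicated RFC1918 subnets of at least /21 that overlap neither each other nor anything already in use) can be checked before the Maglev wizard is ever run. The following script is an added example and is not part of the Cisco guide or the Maglev wizard; the plan values in SAMPLE_PLAN are constructed for illustration, and the plan keys (enterprise, cluster, gui, cimc, default_gateway, services_subnet, cluster_services_subnet, enterprise_subnets) are this example's own naming. It also accepts the guide's host-style subnet examples such as 10.10.10.0/21, normalising them to the network address (10.10.8.0/21) the way the wizard would have to.

```python
"""Pre-flight check of a Cisco DNA Center address plan (added example, not Cisco code)."""
import ipaddress
from ipaddress import IPv4Address, IPv4Interface, IPv4Network

# RFC1918 private ranges: both dedicated subnets must lie inside one of these.
RFC1918 = (
    IPv4Network("10.0.0.0/8"),
    IPv4Network("172.16.0.0/12"),
    IPv4Network("192.168.0.0/16"),
)
MAX_PREFIXLEN = 21  # "minimum size of the subnet is 21 bits": prefix length must be <= 21

# Constructed sample plan; the enterprise port subnets use documentation ranges.
SAMPLE_PLAN = {
    "enterprise": "192.0.2.10/24",
    "cluster": "198.51.100.10/24",
    "gui": "203.0.113.10/24",
    "cimc": "203.0.113.11/24",
    "default_gateway": "192.0.2.1",
    "services_subnet": "10.10.10.0/21",          # the guide's own example value
    "cluster_services_subnet": "172.16.10.0/21",  # the guide's own example value
    # Other subnets already in use in the enterprise network (constructed).
    "enterprise_subnets": ["10.20.0.0/16"],
}


def parse_subnet(cidr: str) -> IPv4Network:
    """Parse a CIDR string; strict=False accepts 10.10.10.0/21 and yields 10.10.8.0/21."""
    net = ipaddress.ip_network(cidr, strict=False)
    if not isinstance(net, IPv4Network):
        raise ValueError(f"{cidr}: only IPv4 subnets are supported")
    return net


def is_rfc1918(net: IPv4Network) -> bool:
    return any(net.subnet_of(block) for block in RFC1918)


def check_dedicated_subnet(name: str, cidr: str, in_use: list) -> list:
    """Apply the size, RFC1918 and no-overlap rules to one dedicated subnet."""
    try:
        net = parse_subnet(cidr)
    except ValueError as exc:
        return [f"{name}: {exc}"]
    problems = []
    if net.prefixlen > MAX_PREFIXLEN:
        problems.append(f"{name}: {net} is smaller than the minimum /21")
    if not is_rfc1918(net):
        problems.append(f"{name}: {net} is outside the RFC1918 private ranges")
    for other in in_use:
        if net.overlaps(other):
            problems.append(f"{name}: {net} overlaps {other}, which is already in use")
    return problems


def check_plan(plan: dict) -> list:
    """Return a list of problems; an empty list means the plan satisfies the guide's rules."""
    problems = []
    ports = {}
    # Every appliance port needs a valid IPv4 address with an IPv4 netmask.
    for port in ("enterprise", "cluster", "gui", "cimc"):
        try:
            ports[port] = IPv4Interface(plan[port])
        except (KeyError, ValueError):
            problems.append(f"{port} port: missing or not a valid IPv4 address/mask")
    # The default gateway must be in the same subnet as the Enterprise Port address.
    if "enterprise" in ports:
        try:
            gw = IPv4Address(plan["default_gateway"])
            if gw not in ports["enterprise"].network:
                problems.append(f"default gateway {gw} is not in the Enterprise Port "
                                f"subnet {ports['enterprise'].network}")
        except (KeyError, ValueError):
            problems.append("default gateway: missing or not a valid IPv4 address")
    # Neither dedicated subnet may overlap any subnet in use, including the port subnets.
    in_use = [parse_subnet(s) for s in plan.get("enterprise_subnets", [])]
    in_use += [iface.network for iface in ports.values()]
    svc = plan.get("services_subnet", "")
    csvc = plan.get("cluster_services_subnet", "")
    problems += check_dedicated_subnet("Services Subnet", svc, in_use)
    problems += check_dedicated_subnet("Cluster Services Subnet", csvc, in_use)
    # The two dedicated subnets must also not overlap each other (the wizard rejects this).
    try:
        if parse_subnet(svc).overlaps(parse_subnet(csvc)):
            problems.append("Services Subnet and Cluster Services Subnet overlap")
    except ValueError:
        pass  # already reported above
    return problems


if __name__ == "__main__":
    for line in check_plan(SAMPLE_PLAN) or ["address plan OK"]:
        print(line)
```

Run it against your own plan before cabling; a non-empty result is the list of items that would have stopped the wizard or, worse, passed it and caused routing conflicts later.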
The recommended total IP address space for the two Services and Cluster Services subnets contains 4,096 addresses, broken
down into two /21 subnets of 2,048 addresses each. The two /21 subnets must not overlap. IP addresses in this space are assigned
to NICs, VIPs, Calico and BGP routing, BGP Route Reflectors (RR), and Kubernetes nodes, pods and services.
One reason Cisco DNA Center requires this amount of address space is to maintain system performance. Because it uses internal routing and tunneling technologies
for east-west (inter-node) communications, using overlapping address spaces would force Cisco DNA Center to run Virtual Routing and Forwarding FIBs internally. This would lead to multiple encaps/decaps for packets going from one
service to another, causing high internal latency at a very low level, with cascading impacts at higher layers.
Another reason is the product's Kubernetes design. Cisco DNA Center uses the IP addresses in this space per Kubernetes K8 node. Multiple nodes can make up a single service. Currently, Cisco DNA Center supports more than 100 services, each requiring several IP addresses, and new features and corresponding services are added
all the time. The address space requirement is purposely kept large at the start to ensure that Cisco can add new services
and features to Cisco DNA Center without either running out of IPs or requiring customers to re-allocate contiguous address spaces simply to upgrade their
The services supported over these subnets are also enabled at Layer 3. The Cluster Services space, in particular, carries
data between application and infrastructure services, and is heavily used.
The RFC1918 requirement is due to Cisco DNA Center's need to download packages and updates from the cloud. If the selected IP ranges do not conform with RFC1918, this can quickly
lead to problems with public IP overlaps.
Required Internet URLs and FQDNs
Cisco DNA Center requires secure access to the following table of Uniform Resource Locators (URLs) and Fully Qualified Domain Names (FQDNs).
The table describes the features of Cisco DNA Center that make use of each URL/FQDN. You must configure either your network firewall itself, or a proxy server, so that IP traffic
can travel to and from Cisco DNA Center and these resources. If you cannot provide this access for any listed URL/FQDN, the associated Cisco DNA Center features will be impaired or inoperable.
Customers who want to avoid wildcards can specify these URLs instead:
Integrate with Cisco Meraki
Customers who want to avoid wildcards can specify these URLs instead:
Integrate with Cisco.com and Cisco Smart Licensing
Customers who want to avoid wildcards can specify these URLs instead:
Render accurate information in Cisco DNA Center's site and location maps
*.tiles.mapbox.com/* :443. For a proxy, the destination is *.tiles.mapbox.com/*
1 Cisco owns and maintains ciscoconnectdna.com and its subdomains. The Cisco Connect DNA infrastructure meets Cisco's Security
and Trust guidelines and undergoes continuous security testing. It is robust, with built-in load balancing and automation
capabilities, and is monitored and maintained by a cloud operations team to ensure 24x7x365 availability.
Provide Secure Access to the Internet
By default, Cisco DNA Center is configured to access Cisco.com and other URLs via the Internet, in order to download Cisco DNA Center software updates, licenses, and device software, as well as provide up-to-date map information, user feedback, and so on.
Providing Internet connections for these purposes is a mandatory requirement.
Using an HTTPS proxy server is a reliable way to access remote URLs securely. Cisco recommends that you use an HTTPS proxy
server to provide Cisco DNA Center with the access it needs to the URLs listed in Required Internet URLs and FQDNs. During Cisco DNA Center installation, you will be prompted to enter the URL and port number of the proxy server you want to use for this purpose,
along with the proxy's login credentials (if the proxy requires them).
As of this release, Cisco DNA Center supports communication with proxy servers over HTTP only. You may locate the HTTPS proxy server anywhere within your network.
The proxy server can communicate with the Internet using HTTPS, while Cisco DNA Center communicates with the proxy server via HTTP. For these reasons, you will want to be sure to specify the proxy's HTTP port
when configuring the proxy during Cisco DNA Center configuration.
If for any reason you need to change the Cisco DNA Center proxy setting after configuration, you can do so via the Cisco DNA Center GUI interface.
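Because the appliance talks to the proxy over HTTP while the proxy reaches the listed URLs over HTTPS, two things are worth verifying from a host on the same network before installation: that the proxy URL you intend to enter has the http scheme and an explicit HTTP port, and that each required destination is actually reachable through that proxy. The script below is an added example, not Cisco code; proxy.example.com:3128 is a placeholder for your own proxy, the destination list contains only the URL the guide prints in full (https://www.cisco.com/security/pki/) plus a representative tiles.mapbox.com host, and the 403/407 handling reflects common proxy behaviour rather than anything the guide states.

```python
"""Validate a Cisco DNA Center proxy setting and probe required URLs through it (added example)."""
import urllib.error
import urllib.request
from urllib.parse import urlsplit

# Placeholder proxy; replace with the HTTP host:port you will enter in the wizard.
PROXY_URL = "http://proxy.example.com:3128"

# Destinations the guide requires access to (only those printed in full on the page,
# plus a representative host for the *.tiles.mapbox.com wildcard).
REQUIRED_URLS = [
    "https://www.cisco.com/security/pki/",
    "https://a.tiles.mapbox.com/",
]


def validate_proxy_url(proxy_url: str) -> str:
    """Return a normalised proxy URL, or raise ValueError explaining what is wrong.

    The appliance-to-proxy leg is HTTP only, so the scheme must be http and the port
    given must be the proxy's HTTP port. Credentials, if the proxy needs them, may be
    carried as user:password@ in the URL (an assumption of this example's own format).
    """
    parts = urlsplit(proxy_url)
    if parts.scheme != "http":
        raise ValueError(f"proxy scheme must be http (appliance speaks HTTP to the proxy), "
                         f"got {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("proxy URL has no host name")
    if parts.port is None:
        raise ValueError("proxy URL must state the proxy's HTTP port explicitly")
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise ValueError("proxy URL must be scheme://host:port only, without a path")
    auth = f"{parts.username}:{parts.password}@" if parts.username else ""
    return f"http://{auth}{parts.hostname}:{parts.port}"


def check_destination(url: str, proxy_url: str, timeout: float = 10.0):
    """HEAD one destination via the proxy; returns (reachable, detail)."""
    handler = urllib.request.ProxyHandler({"http": proxy_url, "https": proxy_url})
    opener = urllib.request.build_opener(handler)
    request = urllib.request.Request(url, method="HEAD")
    try:
        with opener.open(request, timeout=timeout) as response:
            return True, f"HTTP {response.status}"
    except urllib.error.HTTPError as exc:
        # Any HTTP status means the proxy path works at the network level, except
        # 407 (proxy wants credentials) and 403 (proxy policy blocks this FQDN).
        return exc.code not in (403, 407), f"HTTP {exc.code}"
    except (urllib.error.URLError, OSError) as exc:
        return False, str(exc)


def check_all(urls, proxy_url: str) -> dict:
    """Map each required URL to its (reachable, detail) result."""
    proxy = validate_proxy_url(proxy_url)
    return {url: check_destination(url, proxy) for url in urls}


if __name__ == "__main__":
    for url, (ok, detail) in check_all(REQUIRED_URLS, PROXY_URL).items():
        print(f"{'OK  ' if ok else 'FAIL'} {url} ({detail})")
```

Run it from a host that sits where the appliance's Enterprise Port will be; a FAIL line for any required URL means the firewall or proxy allow-list still needs adjusting, and the detail column tells you whether the problem is network reachability, proxy authentication, or proxy policy.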
Required Network Ports
The following tables list the well-known network service ports that the appliances use. You must ensure that these ports are
open for traffic flows to and from the appliances, whether you open them via firewall settings or a proxy gateway.
Additional ports, protocols, and types of traffic must be accommodated if you are deploying the appliance in a network that
employs SDA infrastructure. For details, see Required SD-Access Ports and Protocols.
Ensure that proper protections exist in your network for accessing port 2222. For example, you can configure a proxy gateway
or secure subnets to access this port.
Table 3. Ports: Incoming Traffic
Protocol (TCP or UDP)
Table 4. Ports: Outgoing Traffic
Protocol (TCP or UDP)
SSH (to the network devices)
Telnet (to the network devices)
Port 80 may be used for an outgoing proxy configuration.
Additionally, other common ports such as 8080 may also be used when a proxy is being configured by the configuration wizard
(if a proxy is already in use for your network).
To access Cisco supported certificates and trust pools, you can configure your network to allow for outgoing IP traffic from
the appliance to Cisco addresses at the following URL:
The following table lists the ports that permit incoming IP traffic to the appliance:
Table 5. Ports: IP Traffic
Protocol (TCP or UDP)
Additionally, you can configure your network to allow for outgoing IP traffic from the appliance to Cisco addresses at the
following URL: https://www.cisco.com/security/pki/. The appliance uses the IP addresses listed at the above URL to access Cisco-supported certificates and trust pools.
Required SD-Access Ports and Protocols
This topic details the ports, protocols and types of traffic native to a typical SDA fabric deployment like the one shown
in the figure below.
If you have implemented SDA in your network, use the information in the following tables to plan firewall and security policies
that secure your SDA infrastructure properly while providing Cisco DNA Center with the access it requires to automate your network management.
Linux User Name: This is maglev. This user name is the same on all Cisco DNA Center appliances in a cluster, including both the master node and add-on nodes, and cannot be changed.
Linux Password: Identifies the password for the Linux User Name maglev. This password ensures secure access to each appliance's Maglev database root and clients via the Linux command line. Access
to the Maglev root and clients requires this password. If you choose to do so, you can assign a different Linux Password for
each maglev Linux User Name on each appliance in a cluster.
You must create the Linux Password because there is no default. The password must meet the following requirements:
Eight character minimum length.
Does NOT contain a tab or a line break.
Does contain characters from at least three of the following categories:
Special characters (for example, ! or #)
The Linux password is encrypted and hashed in the Cisco DNA Center database. If you are deploying a multi-node cluster, you will also be prompted to enter the master node's Linux Password
on each of the add-on nodes.
Password Generation Seed (Optional): Instead of inventing the Linux Password, you can enter a seed phrase and press Generate Password. The Maglev Configuration Wizard will generate a random and secure password using that seed phrase. You can further edit
the generated password using the Auto Generated Password field.
Administrator Passphrase: Identifies the password used for web access to Cisco DNA Center in a cluster. This is the password for the superuser account admin, which you use to log in to Cisco DNA Center for the first time (see Log In For the First Time). You will be prompted to change this password when you log in for the first time, to ensure it is secure.
You must create this password because there is no default. The Administrator Passphrase must meet the same requirements as
the Linux Password described above.
CIMC User Password: Identifies the password used for access to the CIMC graphic user interface. The factory default is password, but you will be prompted to change it when you first set up CIMC for access via Web browser (see Enable Browser Access to CIMC).
The CIMC User password must meet the same requirements as the Linux Password described above. It can be changed back to password only by a reset to factory defaults.
Master Node IP Address: Required only when you are installing add-on nodes in a cluster. This is the IP address of the Cluster Port on the master
node (see Required Interface Cable Connections).
Required First-Time Setup Information
Once you have completed configuration of your appliances, you will log into Cisco DNA Center for the first time and complete essential setup tasks. During this first-time setup, you will need to have the following
New Admin Superuser Password: You will be prompted to enter a new password for the Cisco DNA Center admin superuser. Resetting the superuser password enhances operational security. This is especially important if, for example,
the enterprise staff who installed and configured the Cisco DNA Center appliance will not be Cisco DNA Center users or administrators.
Cisco.com Credentials: The Cisco.com user ID and password that your organization uses to register software downloads and receive system communications
Cisco Smart Account Credentials: The Cisco.com Smart Account user ID and password your organization uses for managing your device and software licenses.
IP Address Manager URL and Credentials: The host name, URL, admin user name and admin password of the third-party IP address manager (IPAM) server you plan to use
with Cisco DNA Center. The current release supports InfoBlox or Bluecat.
Proxy URL, Port and Credentials: The URL (host name or IP address), port number, user name and user password of the proxy server you plan to use with Cisco DNA Center in order to get updates to the Cisco DNA Center software, manage device licenses, and retrieve other downloadable content.
Cisco DNA Center Users: User names, passwords, and privilege settings for the new Cisco DNA Center users you will be creating. Cisco recommends that you always use one of these new user accounts for all your normal Cisco DNA Center operations. Avoid using the admin superuser account for anything but reconfiguring Cisco DNA Center and other operations where superuser privileges are explicitly required.
For details about how to launch and respond to the first-time setup wizard that prompts you for this information, see Log In For the First Time
You will also need the following information to complete the remaining setup tasks, which can be done after your first login:
ISE Server IP and Credentials: You will need the Cisco Identity Services Engine (ISE) server IP address, administrative user name, and password. These
are needed to log in to and configure your organization's ISE server to share data with Cisco DNA Center, as explained in Integrate Cisco ISE With Cisco DNA Center.
Authorization and Policy Server Information: If you are using Cisco ISE as your authentication and policy server, you will need the same information as for the ISE integration
above, plus the ISE CLI user name, CLI password, server FQDN, a subscriber name (such as dnac), the ISE SSH key (optional), the protocol choice (RADIUS or TACACS), the authentication port, the accounting port, and
If you are using a different authorization and policy server, you will need that server's IP address, protocol choice (RADIUS
or TACACS), authentication port, accounting port, and retry/timeout settings.