Before beginning the installation, you must ensure that your network has sufficient IP addresses available to assign to each
of the appliance ports that you plan on using. Depending on whether you are installing the appliance as a single-node cluster
or as a primary or add-on node in a three-node cluster, you will need the following appliance port (NIC) addresses:
Enterprise Port Address (Required): One IP address with subnet mask.
Cluster Port Address (Required): One IP address with subnet mask.
Management Port Address (Optional): One IP address with subnet mask.
Cloud Port Address (Optional): One IP address with subnet mask. This is an optional port, used only when you cannot connect to the cloud using the Enterprise
port. You do not need an IP address for the Cloud port unless you must use it for this purpose.
CIMC Port Address (Optional, but strongly recommended): One IP address with subnet mask.
All of the IP addresses called for in these requirements must be valid IPv4 addresses with valid IPv4 netmasks. Ensure that
the addresses and their corresponding subnets do not overlap. Service communication issues can result if they do.
You will also need the following additional IP addresses and dedicated IP subnets, which are prompted for and applied during
configuration of the appliance:
Cluster Virtual IP Address (Required): One IP address with subnet mask for a VIP used for all traffic between the appliance cluster and your enterprise network.
As this is a virtual IP, it is stored as part of the primary node configuration.
If you are installing the appliance as standalone primary node, this is technically optional. However, you will be prompted
for it during configuration and it is required in order to add nodes and create a multi-node cluster configuration. For these
reasons, Cisco strongly recommends that you choose and assign the cluster VIP address during configuration of the primary
Default Gateway IP Address (Required): The IP address for your network's preferred default gateway. If no other routes match the traffic, traffic will be routed
through this IP address. The default gateway IP must be in the same subnet as the Enterprise Port Address.
DNS Server IP Addresses (Required): The IP address and subnet mask for one or more of your network's preferred DNS servers. During configuration, you can specify
multiple DNS server IP addresses and netmasks by entering them as a space-separated list. Note that, due to an unresolved
bug, customers currently cannot change the list of DNS servers after configuration. If you find that you must change the list
of DNS server IPs after configuration, contact the Cisco Technical Assistance Center (TAC).
Static Route Addresses (Optional): The IP addresses, subnet masks and gateways for one or more static routes. During configuration, you can specify multiple
static-route IP addresses, netmasks and gateways by entering them as a space-separated list.
You can set one or more static routes for any interface on the appliance. You should supply static routes when you want to
route traffic in a specific direction other than the default gateway. Each of the interfaces with static routes will be set
as the "device" the traffic will be routed through in the IP route command table. For this reason, it is important to match
the static route directions with the interface though which the traffic will be sent.
Static routes are not recommended in network device routing tables such as those used by switches and routers. Dynamic routing
protocols are better for this. However, you should add them where needed to allow the Cisco DNA Center appliance access to particular parts of the network that can be reached no other way.
NTP Server IP Addresses (Required): The DNS-resolvable hostname, or IP address and subnet mask, for at least one Network Time Protocol (NTP) server.
During configuration, you can specify multiple NTP server IPs/masks or hostnames by entering them as a space-separated list.
For a production deployment, Cisco recommends that you configure a minimum of three NTP servers.
You will specify these servers during pre-flight hardware synchronization and again during configuration of the Cisco DNA Center software on each appliance in the cluster. Time synchronization is critical to the accuracy of Cisco DNA Center data and coordination of processing across a multi-host cluster. Before deploying Cisco DNA Center in production, make sure that the time on the appliance system clock is current and that the Network Time Protocol (NTP)
servers you specified are keeping accurate time. If you are planning to integrate Cisco DNA Center with Cisco Identity Services Engine (ISE), you should also ensure that ISE is synchronizing with the same NTP servers as
Cisco DNA Center.
Services Subnet (Required): Identifies one dedicated IP subnet for Cisco DNA Center to use in managing and getting IPs for communications among its internal application services, such as Assurance, inventory
collection, and so on. The dedicated IPv4 Services Subnet must not conflict or overlap with any other subnet in use in the
enterprise network, including the Cluster Services Subnet. The minimum size of the subnet is 21 bits. The Services Subnet
must conform with the IETF RFC1918 specification for private networks (for details, see RFC1918, Address Allocation for Private Internets). An example of a conformant Services Subnet would be 10.10.10.0/21.
Cluster Services Subnet (Required): Identifies one dedicated IP subnet for Cisco DNA Center to use in managing and getting IPs for communications among its infrastructure services, such as database access, the message
bus, and so on. The dedicated IPv4 Cluster Services subnet must not conflict or overlap with any other subnet in use in the
enterprise network, including the dedicated Cisco DNA Center Services Subnet. The minimum size of the subnet is 21 bits. The Cluster Services Subnet must conform with the IETF RFC1918
specification for private networks (for details, see RFC1918, Address Allocation for Private Internets). An example of a conformant Cluster Services Subnet would be 172.16.10.0/21. If you were to specify 10.10.10.0/21 as your
Services Subnet, you could also specify a Cluster Services Subnet of 10.0.8.0/21, since these two subnets do not overlap.
Also note that the Configuration Wizard will detect any overlap between these subnets and will prompt you to correct the overlap.
The recommended total IP address space for the two Services and Cluster Services subnets contains 4,096 addresses, broken
down into two /21 subnets of 2,048 addresses each. The two /21 subnets must not overlap. IP addresses in this space are assigned
to NICs, VIPs, Calico and BGP routing, BGP Route Reflectors (RR), and Kubernetes nodes, pods and services.
One reason Cisco DNA Center requires this amount of address space is to maintain system performance. Because it uses internal routing and tunneling technologies
for east-west (inter-node) communications, using overlapping address spaces would force Cisco DNA Center to run Virtual Routing and Forwarding FIBs internally. This would lead to multiple encaps/decaps for packets going from one
service to another, causing high internal latency at a very low level, with cascading impacts at higher layers.
Another reason is the product's Kubernetes design. Cisco DNA Center uses the IP addresses in this space per Kubernetes K8 node. Multiple nodes can make up a single service. Currently, Cisco DNA Center supports more than 100 services, each requiring several IP addresses, and new features and corresponding services are added
all the time. The address space requirement is purposely kept large at the start to ensure that Cisco can add new services
and features to Cisco DNA Center without either running out of IPs or requiring customers to re-allocate contiguous address spaces simply to upgrade their
The services supported over these subnets are also enabled at Layer 3. The Cluster Services space, in particular, carries
data between application and infrastructure services, and is heavily used.
The RFC1918 requirement is due to Cisco DNA Center's need to download packages and updates from the cloud. If the selected IP ranges do not conform with RFC1918, this can quickly
lead to problems with public IP overlaps.