Before beginning the installation, you must ensure that your network has sufficient IP addresses available to assign to each
of the appliance ports that you plan on using. Depending on whether you are installing the appliance as a single-node cluster
or as a primary or secondary node in a three-node cluster, you will need the following appliance port (NIC) addresses:
- Enterprise Port Address (Required): One IP address with a subnet mask.
- Cluster Port Address (Required): One IP address with a subnet mask.
- Management Port Address (Optional): One IP address with a subnet mask.
- Cloud Port Address (Optional): One IP address with a subnet mask. This is an optional port, used only when you cannot connect to the cloud using the Enterprise port. You do not need an IP address for the Cloud port unless you must use it for this purpose.
- CIMC Port Address (Optional, but strongly recommended): One IP address with a subnet mask.
Note: All of the IP addresses called for in these requirements must be valid IPv4 addresses with valid IPv4 netmasks. Ensure that the addresses and their corresponding subnets do not overlap. Service communication issues can result if they do.
You will also need the following additional IP addresses and dedicated IP subnets, which are prompted for and applied during
configuration of the appliance:
- Cluster Virtual IP Addresses: One virtual IP (VIP) address per configured network interface per cluster. This requirement applies to three-node clusters and single-node clusters that are likely to be converted into a three-node cluster in the future. You must supply a VIP for each network interface you configure. Each VIP should be from the same subnet as the IP address of the corresponding configured interface. There are four interfaces on each appliance: Enterprise, Cluster, Management, and Cloud. At a minimum, you must configure the Enterprise and Cluster port interfaces, as they are required for Cisco DNA Center functionality. An interface is considered configured if you supply an IP address for that interface, along with a subnet mask and one or more associated gateways or static routes. If you skip an interface entirely during configuration, that interface is considered not configured.
  Note the following:
  - If you have a single-node setup and do not plan to convert it into a three-node cluster in the future, you are not required to specify a VIP address. However, if you decide to do so, you must specify a VIP address for every configured network interface (just as you would for a three-node cluster).
  - If the intracluster link for a single-node cluster goes down, the VIP addresses associated with the Management and Enterprise interfaces also go down. When this happens, Cisco DNA Center is unusable until the intracluster link is restored (because the Software Image Management [SWIM] and Cisco Identity Services Engine [ISE] integration is not operational and Cisco DNA Assurance data is not displayed because information cannot be gathered from Network Data Platform [NDP] collectors).
  - You cannot use a link-local IP address for a host interface.
- Default Gateway IP Address: The IP address for your network's preferred default gateway. If no other routes match the traffic, traffic will be routed through this IP address. Typically, you should assign the default gateway to the interface in your network configuration that accesses the internet. For information on security considerations to keep in mind when deploying Cisco DNA Center, see the Cisco Digital Network Architecture Center Security Best Practices Guide.
- DNS Server IP Addresses: The IP address for one or more of your network's preferred Domain Name System (DNS) servers. During configuration, you can specify multiple DNS server IP addresses by entering them as a space-separated list.
- (Optional) Static Route Addresses: The IP addresses, subnet masks, and gateways for one or more static routes. During configuration, you can specify multiple static-route IP addresses, netmasks, and gateways by entering them as a space-separated list.
  You can set one or more static routes for an interface on the appliance. You should supply static routes when you want to route traffic in a specific direction other than the default gateway. Each of the interfaces with static routes will be set as the device the traffic will be routed through in the IP route command table. For this reason, it is important to match the static route directions with the interface through which the traffic will be sent.
  Static routes are not recommended in network device routing tables such as those used by switches and routers. Dynamic routing protocols are better for this. However, you should add static routes where needed, to allow the appliance access to particular parts of the network that can be reached no other way.
- NTP Server IP Addresses: The DNS-resolvable hostname or IP address for at least one Network Time Protocol (NTP) server. During configuration, you can specify multiple NTP server IP addresses/masks or hostnames by entering them as a space-separated list. For a production deployment, we recommend that you configure a minimum of three NTP servers.
  Specify these NTP servers during preflight hardware synchronization, and again during the configuration of the software on each appliance in the cluster. Time synchronization is critical to the accuracy of data and the coordination of processing across a multihost cluster. Before deploying the appliance in a production environment, make sure that the time on the appliance system clock is current and that the NTP servers you specified are keeping accurate time. If you are planning to integrate the appliance with ISE, you should also ensure that ISE is synchronizing with the same NTP servers as the appliance.
- Container Subnet: Identifies one dedicated IP subnet for the appliance to use in managing and getting IP addresses for communications among its internal application services, such as Assurance, inventory collection, and so on. By default, Cisco DNA Center configures a link-local subnet (169.254.32.0/20) for this parameter, and we recommend that you use this subnet. If you choose to enter another subnet, ensure that it does not conflict with or overlap any other subnet used by Cisco DNA Center's internal network or any external network. Also ensure that the subnet is at least a /21 (a 21-bit prefix). The subnet you specify must conform with the IETF RFC 1918 and RFC 6598 specifications for private networks, which support the following address ranges:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 100.64.0.0/10
  For details, see RFC 1918, Address Allocation for Private Internets, and RFC 6598, IANA-Reserved IPv4 Prefix for Shared Address Space.
  Important:
  - Ensure that you specify a valid CIDR subnet. Otherwise, incorrect bits will be present in the 172.17.1.0/20 and 172.17.61.0/20 subnets.
  - After configuration of your Cisco DNA Center appliance is completed, you cannot assign a different subnet without first reimaging the appliance (see Reimage the Appliance for more information).
- Cluster Subnet: Identifies one dedicated IP subnet for the appliance to use in managing and getting IPs for communications among its infrastructure services, such as database access, the message bus, and so on. By default, Cisco DNA Center configures a link-local subnet (169.254.48.0/20) for this parameter, and we recommend that you use this subnet. If you choose to enter another subnet, ensure that it does not conflict with or overlap any other subnet used by Cisco DNA Center's internal network or any external network. Also ensure that the subnet is at least a /21 (a 21-bit prefix). The subnet you specify must conform with the IETF RFC 1918 and RFC 6598 specifications for private networks, which support the following address ranges:
  - 10.0.0.0/8
  - 172.16.0.0/12
  - 192.168.0.0/16
  - 100.64.0.0/10
  For details, see RFC 1918, Address Allocation for Private Internets, and RFC 6598, IANA-Reserved IPv4 Prefix for Shared Address Space.
  If you were to specify 10.10.10.0/21 as your Container subnet, you could also specify a Cluster subnet of 10.0.8.0/21 since these two subnets do not overlap. Also note that the configuration wizard detects overlaps (if any) between these subnets and prompts you to correct the overlap.
  Important:
  - Ensure that you specify a valid CIDR subnet. Otherwise, incorrect bits will be present in the 172.17.1.0/20 and 172.17.61.0/20 subnets.
  - After configuration of your Cisco DNA Center appliance is completed, you cannot assign a different subnet without first reimaging the appliance (see Reimage the Appliance for more information).
The recommended total IP address space for the two Container and Cluster subnets contains 4,096 addresses, broken down into
two /21 subnets of 2,048 addresses each. The two /21 subnets must not overlap. The Cisco DNA Center internal services require a dedicated set of IP addresses to operate (a Cisco DNA Center microservice architecture requirement). To accommodate this requirement, you must allocate two dedicated subnets for each
Cisco DNA Center system.
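A preflight check that applies the subnet rules above (valid CIDR with no host bits set, at least a /21, RFC 1918 or RFC 6598 space unless you keep the link-local defaults, and no overlap between the two internal subnets or with the appliance port subnets). This is an added example, not Cisco's own tooling; the function name `check_subnets` and the sample addresses are assumptions.

```python
import ipaddress

# Default subnets named in the requirements; accepted as-is even though they
# are link-local rather than RFC 1918 / RFC 6598 space.
DEFAULTS = (ipaddress.ip_network("169.254.32.0/20"),
            ipaddress.ip_network("169.254.48.0/20"))

# Address ranges permitted for custom subnets (RFC 1918 and RFC 6598).
PRIVATE_RANGES = [ipaddress.ip_network(p) for p in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]

MAX_PREFIX = 21  # each subnet must be a /21 or larger (2,048+ addresses)

def check_subnets(container, cluster, port_addrs=()):
    """Return a list of problem strings; an empty list means the plan passes.

    container, cluster: candidate subnets as 'a.b.c.d/n' strings.
    port_addrs: appliance port (NIC) addresses as 'a.b.c.d/n' strings.
    """
    problems = []
    nets = {}
    for name, cidr in (("Container", container), ("Cluster", cluster)):
        try:
            # strict=True rejects a prefix with host bits set, which is what
            # "valid CIDR subnet" means here (e.g. 10.10.10.0/21 is rejected).
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"{name} subnet {cidr}: not a valid CIDR subnet ({exc})")
            continue
        if net.version != 4:
            problems.append(f"{name} subnet {cidr}: must be IPv4")
            continue
        if net.prefixlen > MAX_PREFIX:
            problems.append(f"{name} subnet {cidr}: smaller than a /{MAX_PREFIX}")
        if net not in DEFAULTS and not any(net.subnet_of(r) for r in PRIVATE_RANGES):
            problems.append(f"{name} subnet {cidr}: outside RFC 1918 / RFC 6598 space")
        nets[name] = net
    if len(nets) == 2 and nets["Container"].overlaps(nets["Cluster"]):
        problems.append("Container and Cluster subnets overlap")
    # Port subnets must not overlap each other or either internal subnet.
    ifaces = [ipaddress.ip_interface(a) for a in port_addrs]
    for i, a in enumerate(ifaces):
        for b in ifaces[i + 1:]:
            if a.network.overlaps(b.network):
                problems.append(f"port subnets {a.network} and {b.network} overlap")
        for name, net in nets.items():
            if a.network.overlaps(net):
                problems.append(f"port address {a} overlaps {name} subnet {net}")
    return problems
```

Run it against the defaults and against the custom pair you intend to enter before starting the wizard; the wizard only catches the overlap case, not an undersized or non-private subnet.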
One reason the appliance requires this amount of address space is to maintain system performance. Because it uses internal
routing and tunneling technologies for east-west (inter-node) communications, using overlapping address spaces forces the
appliance to run Virtual Routing and Forwarding (VRF) FIBs internally. This leads to multiple encaps and decaps for packets
going from one service to another, causing high internal latency at a very low level, with cascading impacts at higher layers.
Another reason is the Cisco DNA Center Kubernetes-based service containerization architecture. Each appliance uses the IP addresses in this space for each Kubernetes (K8s) node. Multiple nodes can make up a single service. Currently, Cisco DNA Center supports more than 100 services, each requiring several IP addresses, and new features and corresponding services are being added all the time. The address space requirement is purposely kept large at the start to ensure that Cisco can add new services and features without running out of IP addresses or requiring customers to reallocate contiguous address spaces simply to upgrade their systems.
The services supported over these subnets are also enabled at Layer 3. The Cluster space, in particular, carries data between application and infrastructure services, and is heavily used.
The RFC 1918 and RFC 6598 requirement exists because Cisco DNA Center must download packages and updates from the cloud. If the selected IP address ranges do not conform with RFC 1918 and RFC 6598, this can quickly lead to problems with public IP address overlaps.