Catalyst Center - Default GW when using Enterprise AND Internet port

Cainam
Level 1

Hello everyone,

In the near future, we will be deploying a physical 32-core Catalyst Center appliance in a customer network for the first time.
After reading both the Third-Generation Appliance Installation Guide and the User Guide (both release 2.3.7 in our case) many times, most of the steps have become clear; however, I keep tripping over the maglev configuration portion during the initial installation of Catalyst Center.

This customer's production network sits in an air gapped environment, so it seems logical to us to use both the Enterprise port for internal (air gapped) traffic and the optional Internet port for DMZ traffic (Catalyst Center application upgrades, images, licensing, etc.).

What I've also found is that, despite having multiple physical interfaces, the CC appliance uses a single routing table that only allows one default gateway (this comes from engineers who've deployed this in the past and some random internet forums; I can't find confirmation about this in the documentation).

If that's the case, is my configuration below correct (using mock subnets to illustrate)?

Air Gapped production subnet: 10.0.10.0/24
DMZ subnet: 10.0.20.0/24 with GW 10.0.20.254 to internet

Enterprise Port configuration:
IP: 10.0.10.1
Mask: 255.255.255.0
Default Gateway: LEAVE BLANK (we can only configure one)
Static Routes: LEAVE BLANK (or does this need a 0.0.0.0/0 route to the internet port IP 10.0.20.1?)
DNS: LEAVE BLANK (I assume DNS is only needed to resolve Cisco addresses on the internet port? Or can I configure separate DNS servers for different interfaces/subnets?)

Internet Port configuration:
IP: 10.0.20.1
Mask: 255.255.255.0
Default Gateway: 10.0.20.254
Static Routes: LEAVE BLANK
DNS: Internal DNS proxy server or public DNS like 1.1.1.1, 8.8.8.8, 9.9.9.9 if reachable from this port

Additionally, how does CC choose the source interface for NTP, does it just use the Internet Port?

Whatever the case, thank you for reading!

EDIT: I have just noticed there is a separate forum for Catalyst Center, my sincere apologies for asking this question in the wrong place. If anyone could move/delete this?


7 Replies

If your production network is isolated to such an extent that there is no way to escape it via a FW/PROXY/OtherSecurityAppliance chain, the best option for you to enable connectivity to CX cloud is to use the Internet port: https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/dna-center/2-3-3/install_guide/2ndgen/b_cisco_dna_center_install_guide_2_3_3_2ndGen/m_plan_deployment_2_3_3_2ndgen.html#:~:text=(Optional)%201%2DGbps/10%... . You'd define the default route via the DGW behind it to use it as the exit point.
You would use more specific static routes toward your production network via the DGW behind the Enterprise port.
Don't forget you need to reach DNAC for mgmt (Enterprise port or Management port) & CIMC.
I assume you don't deploy a cluster :0)

Gioacchino
Level 1

Hi @Cainam

I'm facing the same "issue".

In my case it's the VM 2.3.7. The installation procedure is a bit clumsy in the way that it is open to many ways of configuring.

What's true is that DNAC uses just one routing instance, hence there can be only one default gateway, regardless of which interface it is configured on.

Gio

maflesch
Cisco Employee
(Accepted Solution)

If you are using an airgapped deployment then you should probably be using an airgap image for the Catalyst Center, that would make the most sense to me.

As for the routing, NTP uses the route table to find which interface has the most specific route. For instance:

NTP - 172.16.1.100
Enterprise - 192.168.100.100/24
Internet - 10.10.10.10/24  -- Has the GW defined

Since the NTP address is not part of a subnet that is defined by any interface, it is going to look for a route via the routing table. However, since there is no specified route, it will use the GW, which exists on the Internet port. However, if we had something like:

NTP - 172.16.1.100
Enterprise - 192.168.100.100/24  -- Has static route of 172.16.0.0/255.240.0.0/192.168.100.1
Internet - 10.10.10.10/24  -- Has the GW defined

Because there is a more specific route for this subnet in the routing table, the NTP communication is now going to use the Enterprise port.

With that said, yes, you can only have a GW on one interface. Any other interface will need a static route if you plan to have traffic outside of that interface's subnet. But no, you do not want to put a 0.0.0.0 route as a static route because then it will compete with and most times override the GW. So for the Enterprise port, you need to define the static routes for each subnet you want to go out the Enterprise port.
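The route selection maflesch describes (and the asker's question about a 0.0.0.0/0 static route on the Enterprise port) is plain longest-prefix matching on one host routing table. The following is an added example written for this thread, not code from Cisco or Catalyst Center: it simulates that single table with the addresses from the accepted answer (Enterprise 192.168.100.100/24, Internet 10.10.10.10/24, NTP 172.16.1.100, static 172.16.0.0/255.240.0.0 via 192.168.100.1) so you can check which port a packet would leave on before committing the maglev configuration. The Internet-side gateway 10.10.10.1 is an assumed value, and the third scenario models a second default route entered on the Enterprise port to show why it collides with the real gateway.

```python
"""Longest-prefix-match simulation of a single host routing table.

Constructed example for this thread (not Catalyst Center code): models the
appliance's one routing table so you can predict which port a packet leaves on.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Route:
    prefix: IPv4Network
    interface: str
    gateway: Optional[IPv4Address]  # None means directly connected


def build_table(interfaces: Dict[str, str],
                static_routes: List[Tuple[str, str, str]],
                default_gateway: Optional[Tuple[str, str]]) -> List[Route]:
    """Build the host routing table.

    interfaces:      {port name: "ip/prefixlen"} -> one connected route each
    static_routes:   [(prefix, next hop, port name)]
    default_gateway: (next hop, port name) or None; a single value, mirroring
                     the appliance's one default gateway
    """
    table = [Route(ip_network(cidr, strict=False), name, None)
             for name, cidr in interfaces.items()]
    for prefix, next_hop, port in static_routes:
        table.append(Route(ip_network(prefix), port, ip_address(next_hop)))
    if default_gateway is not None:
        next_hop, port = default_gateway
        table.append(Route(ip_network("0.0.0.0/0"), port, ip_address(next_hop)))
    return table


def matching_routes(table: List[Route], destination: str) -> List[Route]:
    """Return every most-specific route covering destination (normally one)."""
    dst = ip_address(destination)
    candidates = [r for r in table if dst in r.prefix]
    if not candidates:
        return []
    longest = max(r.prefix.prefixlen for r in candidates)
    return [r for r in candidates if r.prefix.prefixlen == longest]


def egress_interface(table: List[Route], destination: str) -> str:
    """Port the packet leaves on. 'ambiguous' means two routes tie on prefix
    length, so the kernel decides by metric/order rather than by your intent."""
    routes = matching_routes(table, destination)
    if not routes:
        return "unreachable"
    if len(routes) > 1:
        return "ambiguous"
    return routes[0].interface


# Addresses from maflesch's example; the NTP server is 172.16.1.100.
# The Internet-side gateway 10.10.10.1 is an assumed value (not on the page).
PORTS = {"enterprise": "192.168.100.100/24", "internet": "10.10.10.10/24"}
NTP_SERVER = "172.16.1.100"

# Scenario 1: gateway on the Internet port only, no static routes.
TABLE_GW_ONLY = build_table(PORTS, [], ("10.10.10.1", "internet"))

# Scenario 2: static route 172.16.0.0/255.240.0.0 (= /12) via 192.168.100.1
# on the Enterprise port, as in the accepted answer.
TABLE_WITH_STATIC = build_table(
    PORTS, [("172.16.0.0/12", "192.168.100.1", "enterprise")],
    ("10.10.10.1", "internet"))

# Scenario 3: a 0.0.0.0/0 static route on the Enterprise port in addition to
# the gateway: two equally specific default routes compete.
TABLE_TWO_DEFAULTS = build_table(
    PORTS, [("0.0.0.0/0", "192.168.100.1", "enterprise")],
    ("10.10.10.1", "internet"))

if __name__ == "__main__":
    for label, table in [("gateway only", TABLE_GW_ONLY),
                         ("with /12 static", TABLE_WITH_STATIC),
                         ("two default routes", TABLE_TWO_DEFAULTS)]:
        print(f"{label:20} NTP -> {egress_interface(table, NTP_SERVER)}")
```

Running it prints "internet" for scenario 1, "enterprise" for scenario 2 and "ambiguous" for scenario 3, which is the failure mode behind the advice to add per-subnet static routes on the Enterprise port instead of a second default route.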

Thank you for this clear response (the example really helps)!

I don't know if NTP has a different meaning than Network Time Protocol and why it has such relevance in your answer @maflesch (I mean, NTP is as important as DNS and other network services).

For me, what helped a lot was using "MKS [Mouse Keyboard Screen??] Advanced mode" installation, where I could tune each setting, making sure the overall configuration adhered to what DNAC expected.

Gio

Gio,

I used NTP because that was part of the original ask by the creator of this thread:

"Additionally, how does CC choose the source interface for NTP, does it just use the Internet Port?"

I did not give it such importance, I merely answered the question. As for NTP, yes that means Network Time Protocol, it is important in deploying and utilizing Catalyst Center so knowing what interface the traffic is going to go out of versus what is the intended interface can make the difference in the deployment finishing or not successfully.

As a final note, you should not be using the MKS (Maglev Kubernetes System) Advanced mode. You should be using Cisco Catalyst Center Installer as the option when deploying the product, as per the installation guide:

https://www.cisco.com/c/en/us/td/docs/cloud-systems-management/network-automation-and-management/catalyst-center/2-3-7/install_guide/b_cisco_catalyst_center_install_guide_237x_3rdgen/m_prepare_the_appliance_for_configuration_2_x_x_3rdgen.html#task_m6...

Thanks for your explanation @maflesch ,

Unfortunately, the only way to get out of the many interface options, for me, was to use the advanced mode.

I've done it just for a POC, hence I didn't bother that much.

Thanks anyway for your remarks.

Gio