01-13-2025 08:01 AM
Hello Everybody,
We are slowly adopting a customer environment to Catalyst Center.
There are ~500 switches across the world.
Our pain point is that Catalyst Center tries to connect to the switches and collect insights at every event, specifically MAC-Flap and Port UP/DOWN events.
These events happen hundreds of times every day (MAC-Flaps are confirmed clients that roam between APs), if not thousands.
We suspect that Catalyst Center sometimes causes “Authentication failures” for users who want to directly connect to switches via CLI.
Is there any halfway logical method to prevent Catalyst Center from logging in and collecting information in case of Port UP/DOWN or MAC-Flap?
01-13-2025 09:13 AM
There are optimizations coming in 2.3.7.9 that will have Cat Center stop logging back into a device that it recently logged into due to port flap. That will hopefully significantly reduce the number of total logins across the network. But I think it could be even smarter when it comes to an access port flap by simply getting all the info it needs from the SNMP trap itself and possibly not logging in at all. If anyone still sees a lot of logins in 2.3.7.9, I encourage you to open a TAC case and/or submit a Make a Wish to bring it to the attention of Product Management.
There is a method to prevent the triggered resyncs by applying a specific tag to the device in inventory, but I discourage using that because it will prevent ALL triggered resyncs, not just for port flaps, which means Cat Center will lose the ability to report certain issues in Assurance in real time.
01-24-2025 04:03 AM
Hello @Preston Chilcote,
Thank you for your answer and information.
In some cases I can follow and understand (if there is a port-flap or mac-flap) why Catalyst Center logs into switches, but sometimes Catalyst Center is logging into a switch hundreds of times, and in the events section I can't see anything other than 3–4 events.
If I disable the setting “Use Cisco DNA Center as SNMP trap server” under Design/Network Settings/Telemetry would it help to reduce login counts?
01-24-2025 07:26 AM
@O.K. I don't recommend that setting because you will lose a bunch of useful assurance features. It also won't prevent all the logins because Cat Center will do a regular sync every 24 hours, which includes a bunch of logins.
The best thing you can do is upgrade to 2.3.7.9. If this is causing any actual network impact, please let us know. I don't think it's likely the cause of any user's being denied access to the devices. If there are 15 VTYs configured, there should be plenty of room for a human (or two) and Cat Center to play together nicely. Also, I don't think "Authentication Failed" is the error you'd see if the VTYs were filled up.
01-27-2025 06:03 AM
@Preston Chilcote Thank you once again.
We suspect that Catalyst Center causes too much traffic, and therefore we are experiencing such problems. We have a backup solution which runs nightly, and if CC is running, failed backup counts over the nights rise dramatically.
I want to somehow reduce those logging counts from CC and observe if anything gets better.
You have mentioned version 2.3.7.9, but as far as I can see the latest release is 2.3.7.7. Am I missing something here?
Regards.