Catalyst Center and external devices

tomoljokal
Level 1

Greetings.

We are a primarily Cisco shop. My team is struggling with upgrading external devices using Catalyst Center. These are the switches and routers that exist outside of our firewall boundaries. We have 3 sites with devices in this position. We have a double-NAT setup through our FPR firewalls to support SNMP to our NMS on-prem collectors and Catalyst Center.

Upgrades require HTTPS or SCP connectivity inbound to the Catalyst Center, but our Cybersecurity Team has said "No, can't do that." They're also not a fan of our double-NAT setup and would like us to move away from it.

Wondering how other organizations deal with this type of setup (if they have/do).

2 Replies

Enes Simnica
Level 5

G'day @tomoljokal. This is a pretty common challenge when managing devices outside the firewall perimeter. Catalyst Center does need HTTPS/SCP initiated from the device back to DNAC or vice versa, depending on the workflow, which usually doesn’t sit well with strict security teams. A few approaches I’ve seen other organizations take are these:

  1. Outbound-initiated upgrades
  2. Dedicated management VPN / VRF
  3. Staging images locally
  4. And check NAT also.

So long story short, other orgs either use a secure mgmt tunnel or an outbound-initiated fetch from a local repo, instead of opening inbound paths.

hope it helps and PEACE!

-Enes

more Cisco?!
more Gym?!

If this post solved your problem, kindly mark it as Accepted Solution. Much appreciated!

Stefan Mihajlov
Level 1

@tomoljokal 

We had a similar challenge with devices outside the firewall during a school network project. Catalyst Center upgrades require the device to pull the image over HTTPS/SCP directly from DNAC, so if inbound connectivity is blocked, it won’t work.

Typical approaches I’ve seen:

  • Use a satellite DNAC/Catalyst Center node or staging server in the DMZ that external devices can reach, then sync with your main cluster.

  • Or, pre-stage images on those routers/switches using manual TFTP/SCP from a host inside the site, and just let DNAC handle the upgrade workflow “logically.”

  • Some organizations skip DNAC for those external devices and manage them with traditional methods if security policy doesn’t allow inbound connections.

If your security team won’t allow inbound HTTPS/SCP, you’ll likely need to either place a jump host/DMZ repo or fall back to manual image staging.
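The "stage images locally" option from Enes' list and the "pre-stage images with manual SCP from a host inside the site" bullet above, sketched as an added example that is not from the thread or from Cisco: a small POSIX shell script run on the inside host that checks the image's SHA-512 against the value you copy from the Cisco download page, confirms the target is on a device allowlist, and only then pushes the file over SCP with host-key checking enforced. The `admin` username, the `flash:` destination syntax, the allowlist file and the hostnames are placeholders/assumptions.

```shell
#!/bin/sh
# Pre-stage an IOS image from a host inside the site (added example, not from the thread).
# Assumptions: the expected SHA-512 is copied from the vendor download page, the device
# runs an SCP server reachable from this host, and devices are listed one per line in
# an allowlist file. Username "admin" and the "flash:" path are placeholders.
set -eu

# verify_image FILE EXPECTED_SHA512 -> 0 if the file exists and its SHA-512 matches
verify_image() {
  file="$1"; expected="$2"
  [ -r "$file" ] || return 2
  actual=$(sha512sum "$file" | awk '{print $1}')
  [ "$actual" = "$expected" ]
}

# is_allowed_host HOST ALLOWLIST_FILE -> 0 only on an exact whole-line match
is_allowed_host() {
  grep -Fxq -- "$1" "$2"
}

# stage_image FILE EXPECTED_SHA512 HOST ALLOWLIST_FILE
# Copies the image only after both checks pass; scp is the last step so a bad
# hash or an unlisted device never touches the network.
stage_image() {
  file="$1"; expected="$2"; host="$3"; allow="$4"
  verify_image "$file" "$expected" || { echo "hash mismatch or unreadable: $file" >&2; return 1; }
  is_allowed_host "$host" "$allow" || { echo "device not in allowlist: $host" >&2; return 1; }
  # StrictHostKeyChecking=yes: the device's SSH key must already be in known_hosts,
  # so a spoofed device outside the perimeter cannot receive (or swap) the image.
  scp -o StrictHostKeyChecking=yes "$file" "admin@${host}:flash:/$(basename "$file")"
}

# Usage: ./stage_image.sh IMAGE.bin EXPECTED_SHA512 DEVICE_HOSTNAME allowlist.txt
if [ "$#" -ge 4 ]; then
  stage_image "$@"
fi
```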