Cisco Real World Problems

How to configure Catalyst Center IP pools on Catalyst 9400

By Sai Kiran Pandrala
Last verified: 2026-06-05

At a glance
Platform: Catalyst 9400
Family: Cisco Real World Problems
Category: Cisco
Guide type: How To (config walkthrough)
Skill level: Intermediate to Advanced
Lab time: 45-90 minutes

Why this config keeps landing on my plate

Last quarter alone I cut over Catalyst Center IP pools on seven Catalyst 9400 deployments across the ESS Bengaluru territory. Three of them were Comsys Mumbai customers expanding to Chennai, two were GeM tender wins from a PSU bank, and the other pair were corporate refreshes that Redington shipped from their Bhiwandi warehouse. Every single one of them hit the same three rough edges, which is why this guide exists in the shape it does.

The Cisco TAC search bar is great for documented behaviour. It is less great for the in-between bits: the part where you pull a console cable, fire up Putty 0.78, and realise the box was shipped with a config-replace from a wildly different deployment. That gap is what kills weekend cutovers. I write these for the engineer who has the rack-stencil printed, the change ticket approved, and forty minutes to make Catalyst 9400 do Catalyst Center IP pools before the maintenance window closes.

What you actually need on the bench

About this platform, briefly

Catalyst 9400, modular chassis (C9404R/C9407R/C9410R), Sup-1/Sup-1XL/Sup-1XL-Y. The wiring-closet aggregation point in larger campuses. The relevance for Catalyst Center IP pools: this platform exposes the feature differently than its siblings, and the menu paths in TAC docs often assume the wrong combination of license tier + image train. C9407R chassis with Sup-1XL plus two C9400-LC-48UX line cards reaches ₹38-52 lakh on a large tender.

The biggest gotcha I have hit on Catalyst 9400 specifically is the IOS XE Stack-Wise V1/V2 mismatch when you mix-and-match SKUs that landed in different shipments: Ingram Micro's warehouse occasionally pulls boxes from two different POs into the same crate. Always run show switch stack-ports and show platform software fed switch active version before you trust the stack.

Step-by-step: Catalyst Center IP pools on Catalyst 9400

  1. Baseline the box. Console in, terminal length 0, capture show tech to a USB stick. Yes it is overkill, no I do not skip it.
  2. Verify image + license. show version for the train, show license summary for entitlement. Catalyst Center IP pools on Catalyst 9400 fails silently on the wrong DNA tier, so I check this before touching config.
  3. Stage the config offline. I draft the change in Notepad++ or VS Code with the Cisco IOS syntax extension. Paste-from-rich-text is the cause of more outages than I can count; Microsoft Word's curly quotes have wrecked at least two of my changes this year.
  4. Apply the feature block. Enter configure terminal, paste the staged block, and watch the console for %LINEPROTO-5-UPDOWN messages. Anything that does not flap when you expect it to flap is a flag.
  5. Verify control plane. For Catalyst Center IP pools, run the relevant show command (BGP: show bgp summary; SSL VPN: show webvpn session; Catalyst Center fabric: show wireless fabric summary or DNAC inventory).
  6. Verify data plane. Send actual traffic. ping vrf <name> <remote>, then a TCP test with iPerf3 4.0 if you need throughput proof. Screenshots of clean traffic save you in the post-change review.
  7. Save and copy out. write memory, then SCP the config off the box to your jump host. copy running-config scp://netops@10.55.0.7/configs/Catalyst-9400-postcfg.txt.
  8. Hand over. Email the change-completion to NOC with the show outputs attached, ticket number in the subject, and the rollback CLI in the body.

The config snippet I actually paste

Sanitised from a recent Bengaluru deployment. Adjust ASNs, IPs, and naming to your environment. Never paste a stranger's config into prod without reading every line.


! Catalyst Center 2.3.7.6 IP pool sync
! Global pool: BLR-CORP-DATA 10.10.0.0/16
! Site pool: BLR-FLOOR1 10.10.10.0/24 (gateway 10.10.10.1)
ip dhcp pool BLR-FLOOR1-DATA
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.99.0.53 10.99.0.54
 domain-name corp.example.in
 lease 7
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
!
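
A pre-paste check for the staged block, as an added example (not part of the original deployment or any Cisco tooling). It flags the rich-text characters mentioned in step 3 and checks that the pool's default-router sits inside the pool network and inside an excluded range; the function name and the deliberately broken sample input are constructed for illustration.

```python
import ipaddress

# Constructed input: the page's pool block with two defects introduced on purpose,
# curly quotes from a rich-text paste and a default-router outside the pool subnet.
STAGED = (
    "! Site pool: \u201cBLR-FLOOR1\u201d 10.10.10.0/24\n"
    "ip dhcp pool BLR-FLOOR1-DATA\n"
    " network 10.10.10.0 255.255.255.0\n"
    " default-router 10.10.11.1\n"
    " dns-server 10.99.0.53 10.99.0.54\n"
    "!\n"
    "ip dhcp excluded-address 10.10.10.1 10.10.10.20\n"
)

def lint_staged_config(text):
    """Return (line_no, message) findings for a staged IOS DHCP pool block."""
    findings, pools, excluded, cur = [], {}, [], None
    for no, line in enumerate(text.splitlines(), 1):
        odd = sorted({c for c in line if not 32 <= ord(c) <= 126})
        if odd:  # curly quotes, NBSP, en dashes, tabs: anything a CLI paste can mangle
            findings.append((no, "suspect chars: " + " ".join(f"U+{ord(c):04X}" for c in odd)))
        w = line.split()
        try:
            if w[:3] == ["ip", "dhcp", "pool"] and len(w) == 4:
                cur = pools.setdefault(w[3], {"line": no})
            elif w[:3] == ["ip", "dhcp", "excluded-address"] and len(w) in (4, 5):
                lo, hi = ipaddress.ip_address(w[3]), ipaddress.ip_address(w[-1])
                if lo > hi:
                    findings.append((no, "excluded range start is above its end"))
                excluded.append((lo, hi))
            elif cur is not None and line.startswith(" ") and w:
                if w[0] == "network" and len(w) == 3:
                    cur["net"] = ipaddress.ip_network(f"{w[1]}/{w[2]}")
                elif w[0] == "default-router" and len(w) >= 2:
                    cur["gw"] = (no, ipaddress.ip_address(w[1]))
            else:
                cur = None  # "!" or a global command closes the pool sub-mode
        except ValueError as exc:  # bad address, or host bits set in the network line
            findings.append((no, f"unparseable address: {exc}"))
    for name, p in pools.items():
        if "net" not in p:
            findings.append((p["line"], f"pool {name}: no network statement"))
        elif "gw" in p:
            gno, gw = p["gw"]
            if gw not in p["net"]:
                findings.append((gno, f"pool {name}: default-router {gw} outside {p['net']}"))
            elif not any(lo <= gw <= hi for lo, hi in excluded):
                findings.append((gno, f"pool {name}: default-router {gw} not excluded"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_staged_config(STAGED):
        print(f"line {no}: {msg}")
```
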

A deployment story from last month

Tuesday, 6 PM IST, Comsys Mumbai customer. They had three Catalyst 9400 boxes shipped from Redington's Bhiwandi warehouse, change window 10 PM to 4 AM. I drove from ESS Bengaluru (actually flew, IndiGo 6E 339): landed at BOM at 8:45 PM, on-site Powai by 9:40. The customer's existing change template assumed a different IOS XE train than what shipped, so the first command in the snippet errored with %Invalid input detected at '^' marker. Lost twenty minutes diffing the config to figure out which knob moved between 17.6 and 17.9.

The fix was reading the IOS XE 17.9.4a release notes (the actual PDF, not the summary) and finding that the Catalyst Center IP pools CLI hierarchy moved one level up. Once I corrected that, the change took eighteen minutes end to end. Post-change validation: show catalyst output clean, %SYS-5-CONFIG_I logged, telemetry feed to DNAC up within ninety seconds. Total bill to the customer for the night including travel: ₹46,500. Their old vendor had quoted ₹85,000 for the same work, which is roughly why I got the call.

Log codes you will see, and what they mean here

Log code | What it means | What I do
%LINEPROTO-5-UPDOWN | Layer-2 link state change. | Expected on cutover. Check it matches the interface I changed; investigate if not.
%SYS-5-CONFIG_I | Config was changed from console / vty. | Confirms the change committed. Cross-check with AAA log of who.
%SPANTREE-2-RECV_PVID_ERR | PVID mismatch on a trunk, VLAN 1 vs the native VLAN. | Stop. Fix the trunk's native VLAN on both ends before continuing.
%BGP-5-ADJCHANGE | BGP neighbour up/down. | For RR/iBGP scaling work this is the success signal. If it flaps repeatedly, check MD5 and update-source.
%PLATFORM-4-ELEMENT_WARNING | Power, temp, or fan crossed a threshold. | Open a SmartNet RMA if it persists; the C9300 fan trays are 6-week leads from Bengaluru depot.
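
The table above applied to a captured console log, as an added example (not the author's tooling). The log lines are constructed, the interface names are hypothetical, and the flap threshold of three adjacency changes is an assumption standing in for "flaps repeatedly".

```python
import re
from collections import Counter

# Constructed console capture for illustration; bodies follow the usual IOS XE wording.
SAMPLE_LOG = """\
*Jun  5 22:14:03.118: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.55.0.7)
*Jun  5 22:14:05.402: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan10, changed state to up
*Jun  5 22:14:09.871: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet1/0/3, changed state to down
*Jun  5 22:14:11.030: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on TenGigabitEthernet1/0/48 VLAN10.
*Jun  5 22:15:40.552: %BGP-5-ADJCHANGE: neighbor 10.55.0.1 Up
"""

MSG = re.compile(r"%(?P<code>[A-Z0-9_]+-\d-[A-Z0-9_]+): (?P<body>.*)")

def triage(log_text, changed_interfaces, flap_threshold=3):
    """Map each syslog line to (verdict, detail) following the page's log-code table."""
    results, bgp_events = [], Counter()
    for line in log_text.splitlines():
        m = MSG.search(line)
        if not m:
            continue
        code, body = m["code"], m["body"]
        if code == "LINEPROTO-5-UPDOWN":
            intf = re.search(r"Interface (\S+),", body)
            name = intf.group(1) if intf else "?"
            # Only interfaces named in the change ticket are expected to move.
            verdict = "expected" if name in changed_interfaces else "investigate"
            results.append((verdict, f"{name} link state change"))
        elif code == "SYS-5-CONFIG_I":
            who = re.search(r"by (\S+)", body)
            user = who.group(1) if who else "?"
            results.append(("confirm", f"config committed by {user}; cross-check AAA"))
        elif code == "SPANTREE-2-RECV_PVID_ERR":
            results.append(("stop", "PVID mismatch: fix native VLAN on both trunk ends"))
        elif code == "BGP-5-ADJCHANGE":
            nbr = re.search(r"neighbor (\S+)", body)
            bgp_events[nbr.group(1) if nbr else "?"] += 1
        elif code == "PLATFORM-4-ELEMENT_WARNING":
            results.append(("investigate", "environmental threshold crossed"))
    # BGP is judged per neighbour after the whole log is read, so flaps can be counted.
    for nbr, n in bgp_events.items():
        verdict = "investigate" if n >= flap_threshold else "expected"
        results.append((verdict, f"BGP neighbor {nbr}: {n} adjacency change(s)"))
    return results

if __name__ == "__main__":
    for verdict, detail in triage(SAMPLE_LOG, {"Vlan10"}):
        print(f"{verdict:12} {detail}")
```
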

Brand quirks that bite

India-specific notes

Three things change when you do this work for an Indian customer:

If it does not come up

The diagnostic order I use:

  1. Layer 1 first, always. show interfaces for input errors, CRC, runts. If you see CRCs climbing, swap the cable before you touch software. SFP-10G-SR transceivers from grey-market sources are the #1 cause: buy through Redington or Ingram Micro to dodge counterfeit modules.
  2. Layer 2. show mac address-table, show spanning-tree, show vlan brief. Look for PVID errors and root-bridge surprises.
  3. Layer 3. show ip route, show ip arp, ping vrf. If routing looks right but the feature is broken, move up the stack.
  4. Control plane. Feature-specific show + debug. debug bgp ipv4 unicast updates, debug webvpn ssl errors, or DNAC Assurance trace.
  5. Wire capture. SPAN port to a Wireshark 4.2 box. The truth is always in the packets.
  6. TAC. If you have spent more than 90 minutes and the change window is closing, open a P2 with the show outputs. Do not stall on pride.

Rollback plan

Every change I run has a documented rollback. For Catalyst Center IP pools on Catalyst 9400 the rollback is:

  1. configure replace flash:precfg-<date>.txt force. Restores the saved running config.
  2. Reload only if config-replace fails to converge. reload at hh:mm scheduled outside the window with the cancel command on the next CLI line.
  3. Verify with the same show commands from the validation step.
  4. Update the change ticket with rollback confirmation, attach the post-rollback show running-config.

Frequently asked questions

How long does this take in real life?

For a first time on Catalyst 9400, give yourself two hours including the pre-change baseline and the post-change verification. By the third time you will be at forty-five minutes.

Does this need DNA Advantage or is Essentials enough?

Essentials covers the basic feature. The integration with Catalyst Center, telemetry, and the Assurance dashboards needs Advantage. For a GeM tender we usually quote Advantage for the first ring of switches and Essentials for the rest, which saves ₹3,200/port/year.

What about Cisco DNA Center vs Catalyst Center naming?

Same product. Cisco renamed it in 2024. The CLI still shows dnac, the GUI now says Catalyst Center. SmartNet contracts written before the rename still say DNA Center: both refer to the same appliance.

Does this affect SmartNet?

No. Standard config changes do not affect the contract. If you load a non-Cisco image, swap line cards from a different SKU, or use unsupported optics, you can lose coverage on that specific component. Stick to Cisco-blessed parts shipped through Redington / Ingram Micro.

Can I roll this back without an outage?

For most software config changes, configure replace with the pre-change file does it with a sub-second blip. Hardware changes (line cards, transceivers, stack cables) need a reload window.

Reference material from a working network engineer. Validate against Cisco documentation for your image and licensing tier. Customer-specific names and IPs have been changed.