How to configure Catalyst Center IP pools on Catalyst 9400
By Sai Kiran Pandrala Last verified: 2026-06-05
| Platform | Catalyst 9400 |
|---|---|
| Family | Cisco Real World Problems |
| Category | Cisco |
| Guide type | How To (config walkthrough) |
| Skill level | Intermediate to Advanced |
| Lab time | 45-90 minutes |
Why this config keeps landing on my plate
Last quarter alone I cut over Catalyst Center IP pools on seven Catalyst 9400 deployments across the ESS Bengaluru territory. Three of them were Comsys Mumbai customers expanding to Chennai, two were GeM tender wins from a PSU bank, and the other pair were corporate refreshes that Redington shipped from their Bhiwandi warehouse. Every single one of them hit the same three rough edges, which is why this guide exists in the shape it does.
The Cisco TAC search bar is great for documented behaviour. It is less great for the in-between bits: the part where you pull a console cable, fire up PuTTY 0.78, and realise the box shipped with a config left over from a wildly different deployment. That gap is what kills weekend cutovers. I write these for the engineer who has the rack stencil printed, the change ticket approved, and forty minutes to make a Catalyst 9400 do Catalyst Center IP pools before the maintenance window closes.
What you actually need on the bench
- A Catalyst 9400 chassis on a recent, supported IOS XE train. I lean on 17.9.4a or 17.12.2; anything below 17.6 has known SD-Access regressions.
- PuTTY 0.78 or SecureCRT 9.4 with a logging session pointed at `D:\netlogs\<hostname>-<date>.log`. I never run a change without session logging on.
- Wireshark 4.2.2 ready to take a SPAN capture if anything looks off at the wire level.
- Catalyst Center 2.3.7.x (the same appliance older paperwork still calls Cisco DNA Center) for any guided template push; required when the customer has paid for the seat.
- A printed pre-change baseline. Run `show running-config`, `show ip int brief`, `show inventory` and `show version`, and pipe them to file. TAC will ask for them within ninety seconds of you opening a Sev 2.
- Out-of-band access. Console is fine, but I prefer a Lantronix or Opengear console server. Restarting the management VRF without OOB is how careers end.
About this platform, briefly
Catalyst 9400, modular chassis (C9404R/C9407R/C9410R), Sup-1/Sup-1XL/Sup-1XL-Y. The wiring-closet aggregation point in larger campuses. The relevance for Catalyst Center IP pools: this platform exposes the feature differently than its siblings, and the menu paths in TAC docs often assume the wrong combination of license tier + image train. C9407R chassis with Sup-1XL plus two C9400-LC-48UX line cards reaches ₹38-52 lakh on a large tender.
The biggest gotcha I have hit on Catalyst 9400 specifically is mixed SKUs that landed in different shipments: Ingram Micro's warehouse occasionally pulls boxes from two different POs into the same crate. The 9400 is a modular chassis, so there are no StackWise stack cables to mismatch (that is a 9300 problem); what bites here is a supervisor or line card on a different hardware revision or image than its peers, or a StackWise Virtual pair built from two chassis that shipped on different trains. Always run `show module`, `show inventory` and, for an SVL pair, `show stackwise-virtual` before you trust the chassis.
Step-by-step: Catalyst Center IP pools on Catalyst 9400
- Baseline the box. Console in, `terminal length 0`, capture `show tech` to a USB stick, and save a copy of the running config to flash under the precfg-<date>.txt name the rollback step expects. Yes it is overkill, no I do not skip it.
- Verify image and license. `show version` for the train, `show license summary` for entitlement. Catalyst Center IP pools on Catalyst 9400 fails silently on the wrong DNA tier, so I check this before touching config.
- Stage the config offline. I draft the change in Notepad++ or VS Code with the Cisco IOS syntax extension. Paste-from-rich-text is the cause of more outages than I can count; Microsoft Word's curly quotes have wrecked at least two of my changes this year.
- Apply the feature block. Enter `configure terminal`, paste the staged block, and watch the console for `%LINEPROTO-5-UPDOWN` messages. Anything that does not flap when you expect it to flap is a flag, and so is anything that flaps when you did not expect it.
- Verify control plane. For IP pools that means `show ip dhcp pool` and `show ip dhcp binding` on the switch, and the device showing as in sync in Catalyst Center inventory.
- Verify data plane. Send actual traffic: `ping vrf <name> <remote>`, then a TCP test with iperf3 if you need throughput proof. Screenshots of clean traffic save you in the post-change review.
- Save and copy out. `write memory`, then SCP the config off the box to your jump host: `copy running-config scp://netops@10.55.0.7/configs/Catalyst-9400-postcfg.txt`.
- Hand over. Email the change-completion to the NOC with the show outputs attached, ticket number in the subject, and the rollback CLI in the body.
The config snippet I actually paste
Sanitised from a recent Bengaluru deployment. Adjust IPs, DNS servers and naming to your environment, and never paste a stranger's config into prod without reading every line.
```text
! Catalyst Center 2.3.7.6 IP pool sync
! Global pool: BLR-CORP-DATA 10.10.0.0/16
! Site pool: BLR-FLOOR1 10.10.10.0/24 (gateway 10.10.10.1)
ip dhcp pool BLR-FLOOR1-DATA
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.99.0.53 10.99.0.54
 domain-name corp.example.in
 lease 7
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
!
```
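The staging step says to draft the block offline and never paste rich text. Here is an added example, my code rather than the page author's and not a Cisco tool, that lints the staged block before it goes anywhere near conf-t. It mechanises the guide's own rules: no non-ASCII characters, each pool's gateway inside its network and inside an excluded range, and each pool matching what Catalyst Center says the site pool is. The STAGED text, the EXPECTED table and the BLR-FLOOR2 pool are constructed for the example; FLOOR2 carries deliberate mistakes so the checks have something to find.

```python
"""Pre-paste lint for a staged Catalyst 9400 DHCP-pool block (added example, not Cisco tooling)."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample: the guide's sanitised pool, plus a second pool with
# deliberate mistakes (gateway in the wrong /24, Word curly quotes, no DNS).
STAGED = """\
ip dhcp pool BLR-FLOOR1-DATA
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.99.0.53 10.99.0.54
 domain-name corp.example.in
 lease 7
!
ip dhcp excluded-address 10.10.10.1 10.10.10.20
!
ip dhcp pool BLR-FLOOR2-DATA
 network 10.10.20.0 255.255.255.0
 default-router 10.10.21.1
 domain-name \u201ccorp.example.in\u201d
!
"""
# What Catalyst Center's IP Address Pools page says each site pool is, as
# (network, gateway). Constructed here; the FLOOR2 entry is an assumption.
EXPECTED = {"BLR-FLOOR1-DATA": ("10.10.10.0/24", "10.10.10.1"),
            "BLR-FLOOR2-DATA": ("10.10.20.0/24", "10.10.20.1")}
POOL_KEYS = {"network", "default-router", "dns-server", "domain-name", "lease", "option"}


@dataclass
class Pool:
    name: str
    line: int
    network: ipaddress.IPv4Network | None = None
    gateway: ipaddress.IPv4Address | None = None
    dns: list = field(default_factory=list)


def paste_damage(text: str) -> list[str]:
    """One finding per line carrying a non-ASCII character (Word's curly quotes, usually)."""
    return [f"line {n}: non-ASCII {[c for c in l if ord(c) > 127]!r} (rich-text paste damage?)"
            for n, l in enumerate(text.splitlines(), 1) if any(ord(c) > 127 for c in l)]


def parse(text: str):
    """Return (pools, excluded ranges, parse errors) from a staged IOS block."""
    pools, excluded, errors, cur = [], [], [], None
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.fullmatch(r"ip dhcp pool (\S+)", line):
            cur = Pool(m.group(1), n)
            pools.append(cur)
            continue
        key, _, rest = line.partition(" ")
        try:
            if m := re.fullmatch(r"ip dhcp excluded-address (\S+)(?: (\S+))?", line):
                cur = None
                excluded.append((ipaddress.ip_address(m.group(1)),
                                 ipaddress.ip_address(m.group(2) or m.group(1))))
            elif cur is None or key not in POOL_KEYS:
                cur = None  # some other global command ends pool sub-mode; indentation is not trusted
            elif key == "network":
                addr, mask = rest.split()[:2]
                cur.network = ipaddress.ip_network(f"{addr}/{mask}", strict=True)
            elif key == "default-router":
                cur.gateway = ipaddress.ip_address(rest.split()[0])
            elif key == "dns-server":
                cur.dns = [ipaddress.ip_address(a) for a in rest.split()]
        except ValueError as e:
            errors.append(f"line {n}: {e}")
    return pools, excluded, errors


def lint(text: str, expected: dict | None = None) -> list[str]:
    """All findings for the staged block; an empty list means safe to paste."""
    findings = paste_damage(text)
    pools, excluded, errors = parse(text)
    findings += errors
    for p in pools:
        tag = f"pool {p.name} (line {p.line})"
        if p.network is None:
            findings.append(f"{tag}: no network statement")
            continue
        if p.gateway is None:
            findings.append(f"{tag}: no default-router")
        elif p.gateway not in p.network:
            findings.append(f"{tag}: default-router {p.gateway} is outside {p.network}")
        elif not any(lo <= p.gateway <= hi for lo, hi in excluded):
            findings.append(f"{tag}: gateway {p.gateway} is not excluded and will be leased out")
        if not p.dns:
            findings.append(f"{tag}: no dns-server")
        if expected and p.name in expected and (str(p.network), str(p.gateway)) != expected[p.name]:
            findings.append(f"{tag}: {p.network} gw {p.gateway} != Catalyst Center pool {expected[p.name]}")
    return findings


if __name__ == "__main__":
    print(*(lint(STAGED, EXPECTED) or ["clean: safe to paste"]), sep="\n")
```

On a real change, point `lint` at the file you are about to paste and paste only when it prints clean. It deliberately checks nothing beyond the pool lines; IOS syntax errors still show up as the `%Invalid input` marker at paste time, which is why the baseline and session log matter.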
A deployment story from last month
Tuesday, 6 PM IST, Comsys Mumbai customer. They had three Catalyst 9400 boxes shipped from Redington's Bhiwandi warehouse, change window 10 PM to 4 AM. I drove from ESS Bengaluru, actually flew, IndiGo 6E 339: landed at BOM at 8:45 PM, on-site Powai by 9:40. The customer's existing change template assumed a different IOS XE train than what shipped, so the first command in the snippet errored with %Invalid input detected at '^' marker. Lost twenty minutes diffing the config to figure out which knob moved between 17.6 and 17.9.
The fix was reading the IOS XE 17.9.4a release notes (the actual PDF, not the summary) and finding that the Catalyst Center IP pools CLI hierarchy moved one level up. Once I corrected that, the change took eighteen minutes end to end. Post-change validation: the show outputs came back clean, %SYS-5-CONFIG_I logged, telemetry feed to Catalyst Center up within ninety seconds. Total bill to the customer for the night including travel: ₹46,500. Their old vendor had quoted ₹85,000 for the same work, which is roughly why I got the call.
Log codes you will see, and what they mean here
| Log code | What it means | What I do |
|---|---|---|
| %LINEPROTO-5-UPDOWN | Layer-2 link state change. | Expected on cutover. Check it matches the interface I changed; investigate if not. |
| %SYS-5-CONFIG_I | Config was changed from console / vty. | Confirms the change committed. Cross-check with the AAA log of who, and from where. |
| %SPANTREE-2-RECV_PVID_ERR | PVID mismatch on a trunk, VLAN 1 vs the native VLAN. | Stop. Fix the trunk's native VLAN on both ends before continuing. |
| %BGP-5-ADJCHANGE | BGP neighbour up/down. | Not something an IP-pool change should trigger; if it appears, find out what else moved. For routing work it is the success signal; if it flaps repeatedly, check MD5 and update-source. |
| %PLATFORM-4-ELEMENT_WARNING | Power, temperature or fan crossed a threshold. | Open a SmartNet RMA if it persists; fan trays have been 6-week leads from the Bengaluru depot. |
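The table is a lookup; the useful version is code that runs over the console log as it scrolls. Added example, not the author's tooling and not a Cisco product: it triages IOS XE syslog lines against the verdicts above, treats a link flap as expected only on interfaces in the change set, and flags a %SYS-5-CONFIG_I whose source address is not the jump host (a config commit from an address you did not expect is the one line in the table that is also a security event). The sample lines, interface names, user and the 10.55.0.7 jump host are constructed from the guide's sanitised values.

```python
"""Cutover syslog triage for a Catalyst 9400 change window (added example, not Cisco tooling)."""
import re
from collections import Counter

# Constructed sample in IOS XE syslog format; not captured from a real box.
SAMPLE = """\
Jun  5 22:14:03.117 IST: %SYS-5-CONFIG_I: Configured from console by netops on vty0 (10.55.0.7)
Jun  5 22:14:09.402 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface Vlan110, changed state to up
Jun  5 22:14:11.880 IST: %LINEPROTO-5-UPDOWN: Line protocol on Interface TenGigabitEthernet2/0/7, changed state to down
Jun  5 22:14:12.004 IST: %SPANTREE-2-RECV_PVID_ERR: Received BPDU with inconsistent peer vlan id 1 on TenGigabitEthernet2/0/7 VLAN110.
Jun  5 22:14:15.310 IST: %PLATFORM-4-ELEMENT_WARNING: R0/0: smand: Fan tray 2 has failed
Jun  5 22:14:40.771 IST: %SYS-5-CONFIG_I: Configured from console by admin on vty1 (192.0.2.44)
Jun  5 22:15:02.013 IST: %BGP-5-ADJCHANGE: neighbor 10.55.254.1 Up
"""

# %FACILITY-SEVERITY-MNEMONIC: text
MSG = re.compile(r"%(?P<fac>[A-Z0-9_]+)-(?P<sev>\d)-(?P<mnem>[A-Z0-9_]+): (?P<text>.*)")


def triage_line(line, changed_ifaces, jump_hosts):
    """Return (code, verdict, why) for one syslog line, or None if it carries no %-message."""
    m = MSG.search(line)
    if not m:
        return None
    code = f"%{m['fac']}-{m['sev']}-{m['mnem']}"
    text, sev = m["text"], int(m["sev"])
    if code == "%LINEPROTO-5-UPDOWN":
        hit = re.search(r"Interface (\S+),", text)
        iface = hit.group(1) if hit else "?"
        if iface in changed_ifaces:
            return code, "expected", f"{iface} is in the change set"
        return code, "investigate", f"{iface} was not touched by this change"
    if code == "%SYS-5-CONFIG_I":
        src = re.search(r"\((\d+\.\d+\.\d+\.\d+)\)", text)
        if src and src.group(1) not in jump_hosts:
            return code, "investigate", f"config change from {src.group(1)}, not a jump host"
        return code, "confirm", "cross-check against the AAA accounting log"
    if code == "%SPANTREE-2-RECV_PVID_ERR":
        return code, "stop", "fix the trunk native VLAN on both ends first"
    if code == "%PLATFORM-4-ELEMENT_WARNING":
        return code, "hardware", "environmental threshold; RMA if it persists"
    if code == "%BGP-5-ADJCHANGE":
        return code, "info", "success signal for routing work; repeated flaps mean MD5 or update-source"
    if sev <= 2:
        return code, "stop", "unlisted severity-2 or worse message"
    return code, "info", "not in the cutover table"


def triage(log, changed_ifaces, jump_hosts):
    """Triage every line of a log; returns (code, verdict, why) tuples in log order."""
    results = []
    for line in log.splitlines():
        r = triage_line(line, changed_ifaces, jump_hosts)
        if r:
            results.append(r)
    return results


def verdict_counts(results):
    """How many lines landed on each verdict; a non-zero 'stop' halts the change."""
    return Counter(v for _, v, _ in results)


if __name__ == "__main__":
    res = triage(SAMPLE, {"Vlan110"}, {"10.55.0.7"})
    for code, verdict, why in res:
        print(f"{verdict:12} {code:30} {why}")
    print(dict(verdict_counts(res)))
```

Feed it the PuTTY or SecureCRT session log rather than `show logging`, so the timestamps line up with your own keystrokes in the same file.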
Brand quirks that bite
- StackWise cable mismatch. Strictly a stackable-9300 problem, but it follows me onto 9400 cutovers because the access layer underneath is usually 9300: if the stack cables are V1 but two members shipped with a V2 ASIC, the stack will not form past two members. Diagnose with `show switch stack-ports detail`. Fix: order matching cables through Redington, about ₹14,500 per 1m cable. The 9400 chassis has no stack cables; its equivalent trap is a StackWise Virtual pair whose two supervisors came from different shipments on different images, which `show stackwise-virtual` and `show module` will show you.
- Smart Licensing transport mode. The boxes I receive still have `transport callhome` set. For Cisco SSM On-Prem you need `license smart transport smart` and a `license smart url smart` pointed at your on-prem server. Otherwise license reporting fails silently; on the 17.9 and 17.12 trains (Smart Licensing Using Policy) nothing goes dark, but the box drifts out of compliance and the next audit finds it.
- NETCONF on TCP 830 is closed by default on hardened images, and Catalyst Center needs it. Enable it with `netconf-yang` in conf-t; it also needs AAA enabled, a privilege-15 user and SSH version 2. The older `netconf ssh` command is the legacy port-22 subsystem and is not what Catalyst Center talks to.
- TACACS+ shared secret length. ISE 3.3 enforces 22+ characters from 3.3 patch 4 onwards. Older config templates with 8-character secrets will fail authentication without a clear error.
India-specific notes
Three things change when you do this work for an Indian customer:
- Procurement path. GeM tender boxes ship with factory defaults: hostname `Switch` and no enable secret. Always reset before deploying. Redington and Ingram Micro corporate channel ship with a Cisco-blessed factory image but no customer config.
- SmartNet pricing. Quoted in USD then INR-converted at the month-end RBI reference rate. My reference figures are for a Catalyst 9300 stack of four: SmartNet 8x5xNBD typically ₹95,000-1.4 lakh/year, 24x7x4 ₹1.8-2.3 lakh/year; get a fresh quote for a 9400 chassis. Always negotiate the multi-year discount through the partner.
- Time zones for TAC. IST evening hits during US business hours; Cisco TAC RTP responds fastest 7 PM to 11 PM IST. Open Sev 3 cases at 6:55 PM if you want a same-day engineer.
If it does not come up
The diagnostic order I use, in order:
- Layer 1 first, always. `show interfaces` for input errors, CRC, runts. If you see CRCs climbing, swap the cable before you touch software. SFP-10G-SR transceivers from grey-market sources are the #1 cause: buy through Redington or Ingram Micro to dodge counterfeit modules.
- Layer 2. `show mac address-table`, `show spanning-tree`, `show vlan brief`. Look for PVID errors and root-bridge surprises.
- Layer 3. `show ip route`, `show ip arp`, `ping vrf`. If routing looks right but the feature is broken, move up the stack.
- Control plane. Feature-specific show and debug: for IP pools, `show ip dhcp binding` and `debug ip dhcp server events`; for a routing change, `debug bgp ipv4 unicast updates`; or a Catalyst Center Assurance trace. Debug output on a production supervisor is a blast-radius decision, so keep it narrow and turn it off the moment you have the answer.
- Wire capture. SPAN port to a Wireshark 4.2 box. The truth is always in the packets.
- TAC. If you have spent more than 90 minutes and the change window is closing, open a P2 with the show outputs. Do not stall on pride.
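For the Layer 1 step, the question is not whether CRC counters are non-zero but whether they are still moving. Added example, not from the guide's author or from Cisco: it parses the counter lines of two `show interfaces` captures taken a few minutes apart and reports only the interfaces whose CRC or runt counters climbed between them, which is the guide's "swap the cable before you touch software" signal. Both captures are constructed and trimmed to the lines the parser reads; on a real box, feed it the saved session logs.

```python
"""Diff show-interfaces error counters between two captures (added example, not Cisco tooling)."""
import re

HEADER = re.compile(r"^(\S+) is (\S+), line protocol is (\S+)")
INPUT = re.compile(r"(\d+) input errors, (\d+) CRC, (\d+) frame, (\d+) overrun, (\d+) ignored")
RUNTS = re.compile(r"(\d+) runts, (\d+) giants, (\d+) throttles")

# Constructed captures, trimmed to the header and counter lines; Te1/0/2 has
# a cable problem, Te1/0/3 has old CRCs that are no longer moving.
BEFORE = """\
TenGigabitEthernet1/0/1 is up, line protocol is up (connected)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
TenGigabitEthernet1/0/2 is up, line protocol is up (connected)
     3 runts, 0 giants, 0 throttles
     1523 input errors, 1520 CRC, 0 frame, 0 overrun, 0 ignored
TenGigabitEthernet1/0/3 is up, line protocol is up (connected)
     0 runts, 0 giants, 0 throttles
     88 input errors, 88 CRC, 0 frame, 0 overrun, 0 ignored
TenGigabitEthernet1/0/4 is down, line protocol is down (notconnect)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
"""
AFTER = """\
TenGigabitEthernet1/0/1 is up, line protocol is up (connected)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
TenGigabitEthernet1/0/2 is up, line protocol is up (connected)
     9 runts, 0 giants, 0 throttles
     2211 input errors, 2202 CRC, 0 frame, 0 overrun, 0 ignored
TenGigabitEthernet1/0/3 is up, line protocol is up (connected)
     0 runts, 0 giants, 0 throttles
     88 input errors, 88 CRC, 0 frame, 0 overrun, 0 ignored
TenGigabitEthernet1/0/4 is down, line protocol is down (notconnect)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
"""

COUNTERS = ("input_errors", "crc", "frame", "runts", "giants")


def parse_show_interfaces(text):
    """Map interface name -> {'state', 'proto', 'input_errors', 'crc', 'runts', ...}."""
    ifaces, cur = {}, None
    for line in text.splitlines():
        if m := HEADER.match(line):
            cur = ifaces.setdefault(m.group(1), {"state": m.group(2), "proto": m.group(3)})
        elif cur is not None and (m := INPUT.search(line)):
            cur.update(zip(("input_errors", "crc", "frame", "overrun", "ignored"), map(int, m.groups())))
        elif cur is not None and (m := RUNTS.search(line)):
            cur.update(zip(("runts", "giants", "throttles"), map(int, m.groups())))
    return ifaces


def climbing_errors(before_text, after_text):
    """Interfaces whose error counters grew between the captures, with per-counter deltas."""
    before, after = parse_show_interfaces(before_text), parse_show_interfaces(after_text)
    out = {}
    for name, now in after.items():
        then = before.get(name, {})
        delta = {c: now.get(c, 0) - then.get(c, 0) for c in COUNTERS if now.get(c, 0) > then.get(c, 0)}
        if delta:
            out[name] = delta
    return out


def layer1_verdict(before_text, after_text):
    """Action lines in the guide's order: a moving CRC/runt counter means cable first, config later."""
    lines = []
    for name, d in climbing_errors(before_text, after_text).items():
        if d.get("crc") or d.get("runts"):
            lines.append(f"{name}: CRC +{d.get('crc', 0)}, runts +{d.get('runts', 0)}: "
                         "swap cable/optic before touching config")
        else:
            lines.append(f"{name}: {d}: non-CRC input errors, keep going but note it")
    return lines


if __name__ == "__main__":
    for line in layer1_verdict(BEFORE, AFTER) or ["layer 1 clean"]:
        print(line)
```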
Rollback plan
Every change I run has a documented rollback. For Catalyst Center IP pools on Catalyst 9400 the rollback is:
- `configure replace flash:precfg-<date>.txt force`, which restores the saved pre-change running config.
- Reload only if config-replace fails to converge: `reload at hh:mm` scheduled for the end of the window, with `reload cancel` ready on the next CLI line.
- Verify with the same show commands from the validation step.
- Update the change ticket with rollback confirmation and attach the post-rollback `show running-config`.
Frequently asked questions
How long does this take in real life?
For a first time on Catalyst 9400, give yourself two hours including the pre-change baseline and the post-change verification. By the third time you will be at forty-five minutes.
Does this need DNA Advantage or is Essentials enough?
Essentials covers the basic feature. The integration with Catalyst Center, telemetry, and the Assurance dashboards needs Advantage. For a GeM tender we usually quote Advantage for the first ring of switches and Essentials for the rest, saves ₹3,200/port/year.
What about Cisco DNA Center vs Catalyst Center naming?
Same product. Cisco renamed it in late 2023. The CLI and older release notes still say DNAC, the GUI now says Catalyst Center. SmartNet contracts written before the rename still say DNA Center: both refer to the same appliance.
Does this affect SmartNet?
No. Standard config changes do not affect the contract. If you load a non-Cisco image, swap line cards from a different SKU, or use unsupported optics, you can lose coverage on that specific component. Stick to Cisco-blessed parts shipped through Redington / Ingram Micro.
Can I roll this back without an outage?
For most software config changes, configure replace with the pre-change file does it with at most a brief blip on the interfaces whose config the diff touches. Hardware changes (supervisors, line cards, transceivers) need a reload window.
Related guides
- All Cisco Real World Problems guides → /cisco/
Related fixes
Related guides worth a look while you sort this one out:
- How to configure Catalyst Center IP pools on AnyConnect Secure Client
- How to configure Catalyst Center IP pools on ASR 1000
- How to configure Catalyst Center IP pools on Catalyst 8300/8500
- How to configure Catalyst Center IP pools on Catalyst 9200
- How to configure Catalyst Center IP pools on Catalyst 9300
- How to configure Catalyst Center IP pools on Catalyst 9500
References
- Cisco Catalyst 9400 Series configuration guides for the IOS XE 17.x train you are running.
- Cisco PSIRT advisories for the running image train.
- Cisco TAC case-history search for prior tickets on the same feature.
- Cisco Live On-Demand session library, keyword search the topic above.
Reference material from a working network engineer. Validate against Cisco documentation for your image and licensing tier. Customer-specific names and IPs have been changed.