How to Deploy Cisco Catalyst Center 2.3.7 on AWS Using Global Launchpad 2.0 - The Network DNA: Networking, Cloud, and Security Technology Blog

How to Deploy Cisco Catalyst Center 2.3.7 on AWS Using Global Launchpad 2.0

Cloud & Network Automation

A complete step-by-step guide — from prerequisites to a fully running Catalyst Center Virtual Appliance on Amazon Web Services.

 www.thenetworkdna.com  |  ⏱ 10 min read  |  ⚙️ Version 2.3.7.x

Managing enterprise networks at cloud scale demands powerful, intelligent tools. Cisco Catalyst Center — formerly Cisco DNA Center — is Cisco's flagship network management and automation platform. With version 2.3.7.x, Cisco supports fully automated deployment directly on Amazon Web Services (AWS), eliminating on-premises hardware while retaining enterprise-grade capabilities.

The recommended path is Cisco Global Launchpad 2.0 — a Docker-based orchestration tool that automates provisioning of the entire required AWS infrastructure: VPCs, IPsec VPN tunnels, transit gateways, security groups, and the Catalyst Center EC2 instance. This guide covers every stage of the process.

What Is Cisco Global Launchpad?

Cisco Global Launchpad is a Docker-containerized deployment tool that lets network teams provision Catalyst Center on AWS without manually configuring CloudFormation templates or Marketplace parameters. It also provides a unified dashboard for managing multiple Virtual Appliance (VA) pods across AWS regions.

Table of Contents

  1. Automated Deployment Workflow Overview
  2. Prerequisites & Requirements
  3. Installing Cisco Global Launchpad via Docker
  4. Verifying TAR File Authenticity
  5. Accessing the Hosted Launchpad via Cisco DNA Portal
  6. Creating a New VA Pod
  7. Manually Configuring TGW Routing (Existing Attachments)
  8. Creating the Catalyst Center Virtual Appliance
  9. Deployment Troubleshooting Quick Reference

1. Automated Deployment Workflow Overview

Before diving into configuration steps, it helps to understand the high-level sequence that Global Launchpad follows from start to finish.

Step 1 — Meet Prerequisites

Confirm your AWS account, Docker CE installation, and AWS Marketplace BYOL subscription are all in order.

Step 2 — Install or Access Global Launchpad

Either run it locally via Docker containers, or access the Cisco-hosted version through the Cisco DNA Portal.

Step 3 — Create a VA Pod

Provision the full AWS hosting environment: VPC, subnets, TGW, VPN gateway, security groups, and backup storage.

Step 4 — Deploy the Catalyst Center VA

Launch the Catalyst Center AMI as an EC2 instance and configure DNS, FQDN, CLI password, and network access.

2. Prerequisites & Requirements

Meeting every prerequisite before starting is the single most important step toward a smooth deployment. Requirements fall into three categories.

⚙️ Global Launchpad Requirements

Docker Community Edition (CE) must be installed and actively running on your machine. Global Launchpad supports Docker CE on Mac, Windows, and Linux. Refer to the official Docker documentation for platform-specific instructions.

Catalyst Center Instance Requirements

Component | Catalyst Center VA | Backup Instance
Instance Type | r5a.8xlarge (only supported size) | t3.micro
vCPUs | 32 | 2
RAM | 256 GB | 1 GB
Storage | 4 TB (EBS-gp3) · 2,500 IOPS · 180 MBps | 500 GB

⚠️ Important

Catalyst Center on AWS supports only the r5a.8xlarge instance size. No alternative instance types are supported. Note that this size is also unavailable in certain AWS availability zones — consult the Cisco Global Launchpad Release Notes for the full list before selecting your region.

☁️ AWS Account Requirements

  • Valid AWS credentials with access to the target account.
  • The account must be a child/sub-account to maintain resource isolation from other production environments.
  • The account must be subscribed to Cisco Catalyst Center Virtual Appliance — BYOL on AWS Marketplace.
  • Admin users must have the Administrator Access IAM policy attached directly to their user account — not inherited through a group, as Global Launchpad does not enumerate group policies.
  • Sub-users must be added to the Cisco DNA Center IAM user group, which is auto-created on first admin login and includes all required policies: AmazonEC2FullAccess, AWSCloudFormationFullAccess, AmazonS3FullAccess, AmazonDynamoDBFullAccess, CloudWatchFullAccess, and more.

3. Installing Cisco Global Launchpad via Docker

With Docker Desktop installed and running, follow these steps to download, load, and verify the Launchpad containers.

Step 1 — Download the TAR Files

From the Cisco Software Download portal (VA Launchpad 2.0.1), download both files:

Launchpad-desktop-client-2.0.1.tar.gz
Launchpad-desktop-server-2.0.1.tar.gz

Step 2 — Verify the TAR Files

Before loading anything, verify authenticity using SHA512 and OpenSSL (see Section 4 for full steps). Only proceed if you see Verified OK.

Step 3 — Load the Docker Images

docker load -i Launchpad-desktop-client-2.0.1.tar.gz
docker load -i Launchpad-desktop-server-2.0.1.tar.gz

Step 4 — Run the Server Container

Port 9090 is used in this example — choose any available port:

docker run -d -p 9090:8080 -e DEBUG=true --name server <server_image_id>

Step 5 — Run the Client Container

Important: The REACT_APP_API_URL port must match the server port (9090 here).

docker run -d -p 90:80 -e CHOKIDAR_USEPOLLING=true \
  -e REACT_APP_API_URL=http://localhost:9090 \
  --name client <client_image_id>

Step 6 — Verify Both Containers Are Running

docker ps -a

Both entries should show Up in the STATUS column. Then open http://localhost:90/valaunchpad to reach the login window.

Note: It can take a few minutes for the client window to appear while both containers finish loading their artifacts.

4. Verifying TAR File Authenticity

Cisco strongly recommends confirming that every downloaded file is a genuine Cisco file before loading it into Docker. This two-part check uses an SHA512 checksum followed by OpenSSL signature verification.

SHA512 Checksum Verification:

sha512sum <tar-file>                  # Linux
shasum -a 512 <tar-file>              # macOS
certutil -hashfile <tar-file> SHA512  # Windows

OpenSSL Signature Verification (Mac & Linux):

openssl dgst -sha512 -verify cisco_image_verification_key.pub \
  -signature <signature-file.sig> <tar-file.tar.gz>

A response of Verified OK confirms authenticity. If that message does not appear, do not load or install the file — contact Cisco TAC immediately. On Windows, install OpenSSL from the official OpenSSL Downloads site before running the verification command.
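
The two checks above combined into a single gate, as an added example that is not Cisco's or the original article's code: `verify_tar` succeeds only when the SHA512 digest matches and the OpenSSL signature verifies, so `docker load` can be chained behind it. The function names, and passing the published digest as an argument, are assumptions of this example.

```bash
#!/usr/bin/env bash
# Added example: refuse to `docker load` unless both Section 4 checks pass.
# Assumptions: EXPECTED_SHA512 is the value published on the Cisco download
# page; the .sig file and public key were obtained from Cisco with the TAR.

# sha512_of FILE -> prints the hex SHA512 digest of FILE
sha512_of() {
  if command -v sha512sum >/dev/null 2>&1; then
    sha512sum "$1" | awk '{print $1}'        # Linux
  else
    shasum -a 512 "$1" | awk '{print $1}'    # macOS
  fi
}

# verify_tar FILE EXPECTED_SHA512 SIG_FILE PUBKEY
# Returns 0 only when the checksum matches AND the signature verifies.
verify_tar() {
  local file="$1" expected="$2" sig="$3" key="$4" actual
  [ -r "$file" ] || { echo "FAIL unreadable: $file" >&2; return 1; }
  actual=$(sha512_of "$file" | tr 'A-F' 'a-f')
  expected=$(printf '%s' "$expected" | tr 'A-F' 'a-f')
  if [ -z "$actual" ] || [ "$actual" != "$expected" ]; then
    echo "FAIL checksum: $file" >&2
    return 1
  fi
  # openssl exits non-zero on "Verification Failure", so test the exit
  # status instead of matching the "Verified OK" text.
  if ! openssl dgst -sha512 -verify "$key" -signature "$sig" "$file" \
       >/dev/null 2>&1; then
    echo "FAIL signature: $file" >&2
    return 1
  fi
  echo "OK: $file"
}

# Usage (angle-bracket values are placeholders, as in the commands above):
#   verify_tar Launchpad-desktop-server-2.0.1.tar.gz "<sha512-from-cisco>" \
#     <signature-file.sig> cisco_image_verification_key.pub \
#     && docker load -i Launchpad-desktop-server-2.0.1.tar.gz
```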

5. Accessing the Hosted Launchpad via Cisco DNA Portal

If you prefer the cloud-hosted version of Global Launchpad instead of running it locally via Docker, access it through Cisco DNA Portal at dna.cisco.com. You will need both a Cisco account and a Cisco DNA Portal account.

New Users — Create Accounts First

  1. Visit dna.cisco.com and click Create a new account.
  2. Click Create a Cisco account, fill in the required fields, and click Register.
  3. Open the activation email from Cisco and click Activate Account.
  4. Return to dna.cisco.com, click Log In With Cisco, and authenticate.
  5. Name your DNA Portal organization account, agree to the terms, and click Create Account.

Returning Users — Log In Directly

  1. Visit dna.cisco.com and click Log In With Cisco.
  2. Enter your Cisco account email and password.
  3. If you have multiple DNA Portal accounts, click Continue for the correct one.
  4. The Cisco DNA Portal home page is displayed — navigate to Global Launchpad from there.

6. Creating a New VA Pod

A VA Pod is the complete AWS hosting environment for your Catalyst Center VA. Each pod bundles together the EC2 instance, Amazon EBS volumes, an NFS backup server, security groups, routing tables, CloudWatch logs, SNS notifications, and either a VPN Gateway or Transit Gateway. Each VA Pod supports exactly one Catalyst Center deployment.

VPC Quota Note: Each region defaults to a maximum of five VPCs, and each VA Pod consumes one. VPCs used by other resources in your account also count toward this cap. Request a Service Quota increase from AWS Support if you need additional pods per region.

Key configuration decisions during VA Pod creation:

  • Region & Availability Zone: Choose the AWS region closest to your enterprise network.
  • VPC CIDR: Use a /25 block. The last octet must be 0 or 128. Must not overlap with your corporate subnet.
  • Transit Gateway option: Choose VPN GW (single VA pod), New VPN GW + New TGW (multiple VA pods or VPCs), or Existing TGW (if a TGW already exists in the region).
  • Customer Gateway (CGW): The public IP of your on-premises enterprise firewall or router. Note that Barracuda, Sophos, Vyatta, and Zyxel are not supported VPN vendors.
  • Backup Target: Choose Enterprise backup (on-premises NFS) or Cloud backup (AWS-hosted). For cloud backup, record your SSH IP, port 22, server path, username (maglev), and dynamic password. The password is the first 4 characters of the VA pod name + the backup server IP without dots (e.g., pod name DNAC-SJC and IP 10.0.0.1 yields password DNAC10001).
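
A pre-flight check for the VPC CIDR rules in the list above (/25 block, last octet 0 or 128, no overlap with the corporate subnet), as an added example that is not part of Global Launchpad or the original article. The function names and any addresses passed to it are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: pre-flight check of the VPC CIDR rules listed above.
# Function names and sample addresses are constructed for illustration.

# ip_to_int A.B.C.D -> prints the address as an integer; 1 if malformed
ip_to_int() {
  local ip="$1" o n=0
  case "$ip" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  local IFS=.
  set -- $ip
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in 0?*) return 1 ;; esac      # no leading zeros (octal trap)
    [ "$o" -le 255 ] || return 1
    n=$(( n * 256 + o ))
  done
  echo "$n"
}

# cidr_range A.B.C.D/LEN -> prints "first last" as integers
cidr_range() {
  local base len="${1#*/}" size
  case "$len" in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -le 32 ] || return 1
  base=$(ip_to_int "${1%/*}") || return 1
  size=$(( 1 << (32 - len) ))
  base=$(( base / size * size ))            # clear any host bits
  echo "$base $(( base + size - 1 ))"
}

# check_vpc_cidr VPC_CIDR CORPORATE_CIDR -> 0 if the VPC CIDR is acceptable
check_vpc_cidr() {
  local vpc="$1" corp="$2" last v c
  [ "${vpc#*/}" = 25 ] || { echo "VPC CIDR must be a /25" >&2; return 1; }
  last="${vpc%/*}"; last="${last##*.}"
  case "$last" in
    0|128) ;;
    *) echo "last octet must be 0 or 128" >&2; return 1 ;;
  esac
  v=$(cidr_range "$vpc")  || { echo "malformed VPC CIDR" >&2; return 1; }
  c=$(cidr_range "$corp") || { echo "malformed corporate CIDR" >&2; return 1; }
  # Two ranges overlap when each one starts before the other ends.
  if [ "${v% *}" -le "${c#* }" ] && [ "${c% *}" -le "${v#* }" ]; then
    echo "$vpc overlaps corporate subnet $corp" >&2
    return 1
  fi
  echo "OK: $vpc"
}
```

Run it as `check_vpc_cidr <vpc-cidr> <corporate-cidr>` before entering the value in Global Launchpad; a non-zero exit status means the CIDR would break one of the three rules.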

After submitting the configuration, click Start configuring AWS infrastructure. This process takes approximately 20 minutes. You may navigate elsewhere in the app and the process continues in the background — but closing or refreshing the tab will pause it.

Once the AWS infrastructure is configured, download the on-premises VPN configuration file and forward it to your network administrator. They will apply it to your enterprise firewall or router to bring up the IPsec tunnel. The tunnel must show green in Global Launchpad before you can proceed.

7. Manually Configuring TGW Routing (Existing Attachments)

If you selected Existing TGW + Existing Attachments as your connectivity option, Global Launchpad automatically creates and attaches a new VPC to your TGW — but you must manually configure the TGW routing table so traffic flows correctly between your new VA Pod VPC and your existing on-premises network.

  1. In the AWS Console, go to VPC Service → Transit Gateways → Transit Gateway Route Tables and select your existing TGW route table.
  2. Under the Associations tab, click Create association and choose your existing CGW or direct-connect attachment.
  3. Under the Propagations tab, click Create propagation for the new VPC attachment that Global Launchpad created.
  4. Under the Routes tab, click Create static route to define the static route between the new VPC CIDR and your VPN.
  5. Update your on-premises router to route traffic for the new CIDR ranges through the correct tunnel interface.

Example on-premises route entry: route tunnel-int-vpn-0b57b508d80a07291-1 10.0.0.0 255.255.0.0 192.168.44.37 200

8. Creating the Catalyst Center Virtual Appliance

Once your VA Pod is active and the connectivity indicators are green, you are ready to deploy the actual Catalyst Center instance. This is the final major deployment step.

  1. In the Dashboard, locate your VA Pod card and click Create/Manage Catalyst Center(s).
  2. Click + Create a new Catalyst Center.
  3. Select the Catalyst Center version from the dropdown.
  4. Enter your Enterprise DNS IP address. It must be reachable from inside the VA Pod's IPsec tunnel — do not use a public DNS address. After deployment, the DNS server cannot be changed through Global Launchpad (use the AWS Console instead).
  5. Enter the FQDN for the Catalyst Center VA as registered on your DNS server. You will need to create an A record in your enterprise DNS mapping this FQDN to the static IP assigned by Global Launchpad.
  6. Configure your HTTPS proxy preference: no proxy, unauthenticated proxy (provide URL + port), or authenticated proxy (URL, port, username, password).
  7. Set a strong CLI password. It must be 9–64 characters long and include characters from at least three of these categories: uppercase letters, lowercase letters, numbers, and special characters. The username is always maglev. Record this password securely.
  8. Enter the Customer CIDR block of your local network gateway that should be allowed to reach the Catalyst Center VA. Use 0.0.0.0/0 only if your organization's security policy permits it.
  9. Click Validate to check the DNS server, proxy, and FQDN. If only FQDN or proxy validation fails, you may still proceed — but DNS failure blocks creation entirely.
  10. Review the configuration Summary, then click Generate PEM key file and immediately click Download PEM key file. This key is never stored anywhere — if you lose it, you cannot access your Catalyst Center VA.
  11. Click Start Catalyst Center configuration. The process takes 45 to 60 minutes. The status ring cycles: outer ring gray → amber when port 2222 is validated → full green when port 443 is validated and the VA is ready.

✅ Deployment Complete

When both rings turn green, your Catalyst Center VA is fully operational. Log in using the FQDN you configured and the maglev CLI password. If the configuration fails and shows an amber outer ring with a red inner ring, delete the Catalyst Center VA and recreate it.

9. Deployment Troubleshooting Quick Reference

Global Launchpad is built to minimize manual intervention — and Cisco strongly advises against making direct changes to Launchpad-managed resources through the AWS Console, as this creates configuration drift that the tool cannot resolve. If you encounter issues not covered below, open a case with Cisco TAC.

Error / Issue | Category | Resolution
port is already in use | Docker | Use a different available port number for the server or client container that reports the conflict.
Invalid credentials | Login | Re-enter your AWS access key ID and secret access key carefully and retry.
You don't have enough access | Login | Admins: verify Administrator Access is attached directly (not via group). Sub-users: confirm Cisco DNA Center group membership.
AMI ID not available for region | VA Pod | The Catalyst Center AMI is not yet available in your chosen region. Contact Cisco TAC for assistance.
AWS infrastructure failed | VA Pod | Delete the failed VA Pod from the Dashboard and create a new one. Do not attempt to fix it manually in the AWS Console.
VPN vendor unsupported | VA Pod | Barracuda, Sophos, Vyatta, and Zyxel are not supported. Delete the instance and create a new one using a supported VPN vendor.
Environment Setup failed | Catalyst Center VA | Return to the VA Pod dashboard, delete the failed Catalyst Center VA, and create a fresh one.
TGW attachment in "modifying" state | TGW | Wait for the state to change from Modifying to Complete in the AWS Console before continuing VA Pod creation.
Cannot ping or SSH Catalyst Center VA | Network | Verify the on-premises CGW configuration is correct and that the IPsec tunnel is actively up.
Rate exceeded (Hosted Launchpad RCA) | Hosted | Increase the API request limit via AWS Service Quotas, or retry the operation after a few seconds.

Final Takeaways

Deploying Cisco Catalyst Center 2.3.7 on AWS using Global Launchpad 2.0 is one of the most streamlined paths to enterprise-grade network automation in the cloud. The tool abstracts away the complexity of CloudFormation templates and manual EC2 configuration, letting your network team focus on operating the network rather than building infrastructure from scratch.

Key things to remember: use only the r5a.8xlarge instance type, subscribe to the BYOL listing on AWS Marketplace before you begin, download and store your PEM key file immediately (it cannot be regenerated), and never modify Launchpad-managed AWS resources directly through the AWS Console.

Content synthesized from the official Cisco Catalyst Center 2.3.7.x on AWS Deployment Guide (updated January 2026). Always refer to the latest Cisco documentation and Release Notes before deploying in a production environment.