Installing, Configuring, Monitoring, and Troubleshooting Cisco SD-Access (CT-SDA)

In this 5-day In-Depth Cisco SD-Access course, provides a comprehensive, hands-on exploration of Cisco Catalyst Center and Intent-Based Networking within enterprise campus environments. Students design, deploy, secure, automate, and troubleshoot a full fabric architecture using real-world implementation workflows. The course covers underlay and overlay design, LISP control-plane operations, VXLAN data-plane forwarding, segmentation using Virtual Networks and Scalable Group Tags, fabric wireless integration, multicast, distributed campus design, external connectivity, assurance analytics, and API-driven programmability. Through structured labs and production-based scenarios, participants gain the skills required to deploy scalable, policy-driven, resilient campus networks aligned with modern security and operational requirements.

How You Will Benefit

This course delivers practical, production-ready skills — not just configuration exposure.

Participants will: 

• Design scalable underlay and overlay architectures using IS-IS, LISP, and VXLAN
• Deploy complete SD-Access fabrics, including Edge, Border, and Control Plane nodes
• Implement macro segmentation with Virtual Networks (VRFs)
• Enforce micro segmentation using Scalable Group Tags (SGTs) and TrustSec
• Integrate Cisco ISE for identity-driven policy and dynamic onboarding
• Configure Fabric-Enabled Wireless with consistent wired and wireless enforcement
• Design external connectivity using IP Transit, Fusion routers, SD-WAN transit, and WAN integration
• Deploy multicast within fabric environments
• Migrate legacy Layer 2 environments using L2 Border strategies
• Troubleshoot underlay, overlay, policy, wireless, multicast, and control-plane issues
• Use Cisco Catalyst Center Assurance for health monitoring, path trace, and root cause analysis
• Automate fabric provisioning and policy using REST APIs

By the end of the course, you will confidently deploy and support scalable, secure, policy-driven campus networks in real-world enterprise environments.

Why Attend with Current Technologies CLC

Current Technologies Computer Learning Center (CTCLC) delivers Cisco training from an engineering and deployment perspective. This is not a theory-based overview — it is an implementation-focused experience built around real operational scenarios.

When you attend with CTCLC, you receive:

• Instruction from experienced enterprise engineers actively deploying Cisco solutions
• Real-world lab scenarios, including distributed campus and multi-site designs
• Structured troubleshooting exercises where fabrics are intentionally broken and restored
• Deep coverage of border design, fusion integration, WAN breakout, and external services
• Advanced Cisco ISE integration and policy troubleshooting workflows
• API-based automation labs reflecting modern Infrastructure-as-Code practices
• Design guidance for high availability, redundancy, and scaling

Our focus is operational mastery — ensuring you understand how SD-Access behaves in production environments under load, failure, and migration scenarios.

Who Should Attend

This course is designed for experienced networking professionals responsible for enterprise campus design, automation, and segmentation.

Ideal attendees include:

• Network Administrators
• Enterprise Network Engineers
• Network Architects
• Infrastructure Engineers deploying Cisco Catalyst Center
• Security Engineers integrating Cisco ISE
• NOC Engineers supporting SD-Access fabrics
• Consulting Engineers implementing distributed campus designs
• IT professionals transitioning from traditional VLAN-based networks to intent-based architectures
• IT Managers looking to understand SD-Access Fundamentals and Fabrics

Participants should have a solid understanding of routing, switching, and Cisco enterprise networking fundamentals prior to attending.

Module 1: Introduction to Cisco CatalystCenter (v3:1:5)

Lesson 1: Platform Evolution and Architecture Positioning

• Transition from Cisco DNA Center branding to Catalyst Center
• Alignment with Cisco’s Intent-Based Networking (IBN) strategy
• Centralized control for campus and branch fabrics
• Controller-based architecture vs traditional CLI-based management
• Integration point for SD-Access, SD-WAN, and Assurance
• Role in policy abstraction and automation workflows

Lesson 2: System Architecture and Microservices

• Modular microservices architecture
• Northbound REST APIs for orchestration platforms
• Southbound protocols (NETCONF, SNMP, SSH, HTTPS)
• Internal services bus for inter-process communication
• Elasticsearch for telemetry indexing
• Cassandra/Postgres databases for state persistence

Lesson 3: Appliance Models and Sizing

• Physical appliance options (small, medium, large)
• Throughput and device-scale guidance
• VM deployment on ESXi
• CPU core allocation requirements
• RAM sizing recommendations
• Storage IOPS considerations

Lesson 4: Deployment Models

• Single-node deployment (lab/POC)
• 3-node cluster design
• Horizontal scaling model
• Cluster quorum and resiliency
• Inter-node communication ports
• Backup and restore architecture

Lesson 5: Installation and Initial Configuration

• Pre-install checklist (DNS, NTP, certificates)
• ISO-based installation workflow
• Maglev configuration wizard
• Admin credential creation
• Smart Licensing registration
• System patching and upgrade lifecycle

Lesson 6: Core Functional Pillars

• Design workflows
• Policy abstraction
• Provision automation
• Assurance analytics
• Image lifecycle management
• Role-based access control (RBAC)

Module 2: Introduction to Cisco SD-Access

Lesson 1: Need for SD-Access

• Traditional Network Challenges
• How SDA simplifies the network
• SDA zero-trust workplace
• Controller-based orchestration

Lesson 2: Fabric Architecture Fundamentals

• Underlay IP transport
• Overlay VXLAN encapsulation
• LISP control-plane separation

Lesson 3: SD-Access Roles

• Catalyst Center controller
• Cisco ISE for identity services
• Fabric edge nodes
• Fabric control-plane nodes
• Fabric border nodes
• Fabric wireless integration
• Extended Nodes
• Transit Control Plane node

Lesson 4: Fabric Construct

• Virtual Networks –Layer 3 and Layer 2
• Layer 3 and Layer 2 handoff
• Security Group Tag
• Host Pools
• Anycast gateway

Lesson 5: Fabric Fundamentals – Control Plane

• LISP introduction and fundamentals
• Host Registration and resolution
• LISP in SDA
• Advantages of using LISP

Lesson 6: Fabric Fundamentals – Data Plane

• VXLAN data-plane encapsulation
• VXLAN header
• VXLAN in SDA

Lesson 7: Fabric Fundamentals – Policy Plane

• Security Group Tag
• Macro and micro segmentation
• Access Control Policies
• Group-Based Access Control Policy

Lesson 8: Cisco SD-Access Use Cases

• Different use cases with benefits

Module 3: SDA – Discovery and Design

Lesson 1: Device Discovery

• SNMP-based discovery
• CLI-based collection
• NETCONF-based provisioning
• Credential profiles
• Inventory validation
• Reachability testing

Lesson 2: LAN Automation

• Seed device designation
• DHCP-based PnP onboarding
• Automated IS-IS configuration
• Loopback provisioning
• IP pool consumption
• Underlay validation

Lesson 3: Network Design Models

• Greenfield deployment
• Brownfield migration
• Underlay protocol selection (IS-IS)
• MTU planning
• Loopback allocation
• IP pool segmentation

Lesson 4: Site Hierarchy

• Global site configuration
• Area definitions
• Building segmentation
• Floor-level mapping
• Policy inheritance
• Location-based analytics

Lesson 5: IP Address Management

• Internal IP pool creation
• Underlay vs overlay pools
• DHCP server integration
• IPAM external integration
• Address reservation logic
• Pool scaling considerations

Lesson 6: Software Image Management

• Golden image designation
• Image compliance monitoring
• Upgrade scheduling
• Maintenance windows
• Device compatibility checks
• Rollback procedures

Module 4: SDA – Policy

Lesson 1: Virtual Networks (Macro Segmentation)

• VRF instantiation
• Business unit isolation
• Traffic separation
• Inter-VN communication controls
• External VRF handoff
• Routing table segmentation

Lesson 2: Scalable Groups (Micro Segmentation)

• SGT assignment
• Role-based classification
• Endpoint identity mapping
• Tag propagation
• TrustSec enforcement
• Policy scalability

Lesson 3: Policy Matrix Model

• SG-to-SG contracts
• Allow/Deny semantics
• Directional enforcement
• Logging policies
• Contract granularity
• Enforcement location

Lesson 4: Access Control Integration

• 802:1X authentication
• MAB fallback
• Dynamic SGT assignment
• ISE authorization profiles
• RADIUS communication
• Endpoint profiling

Lesson 5: Application Policy

• NBAR2 classification
• QoS marking
• DSCP rewriting
• Application prioritization
• Traffic shaping
• Business application SLAs

Lesson 6: Enforcement Mechanisms

• Edge node enforcement
• Border enforcement
• Wireless enforcement
• SGT inline tagging
• VXLAN policy metadata
• Policy audit verification

Module 5: SDA – Provision

Lesson 1: Device Role Assignment

• Edge designation
• Border role selection
• Control-plane node assignment
• Fabric site association
• Device personality conversion
• Validation checks

Lesson 2: Template-Based Provisioning

• Day-0 templates
• Day-N templates
• Variable binding
• Template version control
• Compliance enforcement
• Rollback support

Lesson 3: Fabric Enablement

• Underlay validation
• Overlay configuration push
• LISP configuration
• VXLAN enablement
• Anycast gateway provisioning
• Policy activation

Lesson 4: Device Validation

• Reachability checks
• Control-plane adjacency validation
• VXLAN tunnel verification
• SGT enforcement validation
• Telemetry streaming validation
• Fabric membership confirmation

Module 6: SDA – Fabric Provisioning

Lesson 1: Fabric Domains

• Logical grouping of sites
• Shared control-plane services
• Policy scope definition
• Domain scaling limits
• Resource allocation
• Inter-site communication

Lesson 2: Adding Fabric Nodes

• Edge onboarding workflow
• Border node configuration
• Control-plane deployment
• Loopback assignment
• Anycast gateway enablement
• Policy push validation

Lesson 3: IP Transit Options

• IP-based transit
• SD-Access transit
• Transit control-plane role
• Route redistribution design
• Underlay reachability
• Scaling implications

Lesson 4: External Connectivity

• Fusion router integration
• BGP/OSPF redistribution
• VRF handoff
• NAT considerations
• Internet breakout design
• DMZ integration

Lesson 5: Micro and Macro Segmentation

• VRF isolation
• SGT contracts
• Identity mapping
• Policy enforcement location
• Contract logging
• Audit validation

Lesson 6: ISE Dynamic Onboarding

• Endpoint profiling
• Posture validation
• Dynamic SGT mapping
• Authorization policies
• Certificate trust chain
• pxGrid integration

Module 7: SDA – Fabric External Connectivity

Lesson 1: Border Node Design

• Single vs dual border
• Active/active deployment
• ECMP considerations
• High availability design
• North-south flow optimization
• Scaling thresholds

Lesson 2: LISP Pub/Sub Model

• Map-server role
• Map-resolver role
• EID-to-RLOC mapping
• Control-plane scaling
• Route convergence
• Failure detection mechanisms

Lesson 3: Fusion Router Role

• External VRF mapping
• Policy enforcement boundary
• Route leaking
• Firewall integration
• Service insertion
• Legacy interconnect

Lesson 4: High Availability

• Dual control-plane
• Border redundancy
• Underlay ECMP
• Overlay failover
• ISE redundancy
• Controller clustering

Lesson 5: Traffic Engineering

• Path optimization
• QoS enforcement
• Policy-based routing
• WAN breakout design
• Redundant transit
• Application prioritization

Lesson 6: External Service Integration

• Internet breakout
• MPLS integration
• SD-WAN interconnect
• Firewall insertion
• IDS/IPS integration
• Cloud connectivity

Module 8: Fabric-Enabled Wireless

Lesson 1: Wireless Challenges

• Central tunneling bottlenecks
• Policy inconsistency
• Roaming complexity
• Guest isolation issues
• Latency concerns
• Operational overhead

Lesson 2: Fabric Wireless Architecture

• WLC fabric integration
• VXLAN encapsulation
• Control-plane mapping
• AP integration
• Wireless SGT tagging
• SSID-to-VN binding

Lesson 3: Policy Consistency

• Unified SGT enforcement
• Wired/wireless parity
• Dynamic identity mapping
• Guest policy isolation
• BYOD onboarding
• Role-based access

Lesson 4: Traffic Flow

• Local breakout
• Central breakout
• East-west wireless flow
• Roaming within VN
• Roaming across sites
• Mobility anchoring

Lesson 5: Deployment

• WLC configuration
• SSID creation
• Fabric enablement
• AP placement
• RF tuning
• Policy validation

Lesson 6: Troubleshooting

• Client onboarding failures
• SGT misassignment
• VXLAN tunnel issues
• WLC communication faults
• Roaming failures
• Assurance validation

Module 9: SD-Access Multicast

Lesson 1: Multicast Fundamentals

• PIM operation
• RP selection
• IGMP snooping
• Source trees
• Shared trees
• Multicast scaling

Lesson 2: Fabric Multicast Architecture

• VXLAN replication
• LISP control-plane integration
• Multicast group mapping
• Overlay replication
• Underlay PIM requirements
• RP placement

Lesson 3: Deployment Steps

• Enable multicast in fabric
• Configure RP
• Assign group ranges
• Validate replication
• Monitor traffic
• Test failover

Lesson 4: Verification

• PIM neighbor checks
• Multicast routing table
• LISP mapping
• VXLAN encapsulation validation
• RP reachability
• Client subscription checks

Lesson 5: Design Considerations

• Scale planning
• RP redundancy
• Traffic engineering
• WAN multicast
• Border replication
• Control-plane scaling

Lesson 6: Troubleshooting

• RP misconfiguration
• Overlay replication failure
• IGMP join issues
• LISP mapping failure
• Underlay adjacency failure
• Border multicast filtering

Module 10: L2 Border

Lesson1: L2 Border Fundamentals

• VLAN extension
• L2 flooding domain
• ARP handling
• VXLAN bridging
• Legacy adjacency
• STP considerations

Lesson 2: Migration Strategies

• Phased VLAN migration
• Hybrid coexistence
• Incremental VN mapping
• Brownfield integration
• Downtime minimization
• Rollback strategy

Lesson 3: Traffic Flow Considerations

• East-west forwarding
• North-south routing
• ARP suppression
• MAC learning
• Broadcast containment
• Loop avoidance

Lesson 4: Design Constraints

• Scale limitations
• VLAN mapping rules
• Policy enforcement impact
• Border redundancy
• L2 loop prevention
• Failure domains

Lesson 5: Operational Verification

• MAC table validation
• VXLAN bridge checks
• ARP table verification
• Policy validation
• Path trace testing
• Endpoint mobility testing

Lesson 6: High Availability

• Dual L2 borders
• ECMP uplinks
• Rapid convergence
• Redundant links
• Anycast gateway stability
• Failure testing

Module 11: Distributed Campus Design

Lesson 1: Distributed Campus Architecture

• Multi-site fabrics
• Centralized policy
• Distributed control-plane
• Transit integration
• Policy consistency
• Scale-out design

Lesson 2: Transit Types

• IP-based transit
• SD-Access transit
• SD-WAN transit
• BGP integration
• Route advertisement
• Failure detection

Lesson 3: Fabric Domains

• Policy scope
• Site isolation
• Control-plane sharing
• Resource allocation
• Domain scaling
• Inter-domain connectivity

Lesson 4: WAN Integration

• MPLS handoff
• Internet breakout
• Dual WAN design
• QoS preservation
• Route summarization
• SLA monitoring

Lesson 5: Fabric-in-a-Box

• Collapsed control-plane
• Single-node fabric
• Branch deployment
• Small campus design
• Scaling constraints
• Deployment workflow

Lesson 6: High Availability in Distributed Campus

• Redundant borders
• Dual transit
• ISE redundancy
• Controller clustering
• Overlay convergence
• WAN failover testing

Module 12: Troubleshooting

Lesson 1: Underlay Validation

• IS-IS adjacency
• MTU consistency
• Loopback reachability
• IP pool exhaustion
• Routing convergence
• ECMP validation

Lesson 2: Overlay Validation

• VXLAN tunnel status
• LISP database check
• EID-to-RLOC mapping
• SGT propagation
• VRF routing table
• Endpoint mobility test

Lesson 3: Control-Plane Issues

• Map-server status
• Pub/Sub sync
• LISP registration failures
• Policy mismatch
• Controller communication
• Certificate trust issues

Lesson 4: Layer 2 Issues

• Host onboarding failure
• ARP suppression errors
• MAC duplication
• SGT inline tag errors
• VLAN/VN mismatch
• Port authentication failure

Lesson 5: Multicast Issues

• RP down
• Group mapping errors
• Overlay replication failure
• IGMP timeout
• PIM neighbor loss
• Border filtering

Lesson 6: Wireless Issues

• Fabric SSID misconfig
• WLC-VXLAN failure
• Roaming failure
• SGT mismatch
• AP join issues
• RADIUS timeout

Module 13: SDA Assurance

Lesson 1: Telemetry Collection

• NetFlow ingestion
• SNMP polling
• gRPC telemetry
• Wireless analytics
• Application performance metrics
• Health scoring engine

Lesson 2: Health Monitoring

• Device health
• Client health
• Application health
• Network path health
• Wireless experience
• WAN experience

Lesson 3: Path Trace

• Forward path visualization
• Reverse path verification
• Policy validation
• SGT enforcement visibility
• Latency measurement
• Drop location identification

Lesson 4: Root Cause Analysis

• AI-driven correlation
• Event timeline
• Anomaly detection
• Historical trend comparison
• Suggested remediation
• Alert prioritization

Lesson 5: Policy Verification

• Contract validation
• Enforcement location
• Log correlation
• Deny hit analysis
• Compliance monitoring
• Audit export

Lesson 6: Operational Dashboards

• Executive summary view
• NOC monitoring
• SLA tracking
• Custom reports
• Historical analytics
• API-based data extraction

Module 14: SDA Programmability

Lesson 1: API Architecture

• REST endpoints
• Token-based authentication
• API rate limits
• Pagination
• Versioning
• Error handling

Lesson 2: Automation Use Cases

• Automated site creation
• VN provisioning
• Policy matrix creation
• Image upgrade scheduling
• Device inventory extraction
• Compliance auditing

Lesson 3: Fabric Provisioning via API

• Create fabric site
• Assign device roles
• Enable fabric
• Configure transit
• Push policy
• Validate deployment

Lesson 4: Integration with External Systems

• ITSM ticket automation
• Orchestration platform integration
• Ansible playbooks
• Python scripting
• Webhook notifications
• CI/CD pipelines

Lesson 5: Security and Governance

• API RBAC
• Audit logs
• Token expiration
• Role scoping
• Secure transport (HTTPS)
• Certificate validation

Lesson 6: Advanced Automation Strategy

• Infrastructure-as-Code model
• Git-based version control
• Automated rollback
• Scheduled health checks
• Event-driven automation
• Closed-loop remediation

LAB OUTLINE

Lab 1: Cisco Catalyst Center dashboard walkthrough

Lab 2: Cisco Catalyst Center and ISE integration using PxGrid

Lab 3: Design Workflow

• Create site hierarchy
• Configure network settings
• Configure device credentials – CLI and SNMP
• Configure IP pools at the global level
• Reserve IP pools at the area/building level
• Configure telemetry settings

Lab 4: Device Discovery and Provision

• Discover the core switch manually
• Assign the core switch to the building level and provision shared resources
• Verify shared resources on the core switch
• Discovery edge switch using LAN automation at the building level
• Verify the ISIS neighborship between the core and edge switch

Lab 5: Configure Virtual Networks and SGT

• Migrate existing SGT’s from ISE to Catalyst Center
• Configure Employee, Contractor, and Guest VN on catalyst center and verify on ISE
• Configure two SGT’s under Employee VN and one SGT under each contactor and guest VN

Lab 6: Configure Fabric

• Configure SDA fabric at the building level
• Configure IP-based transit
• Define 9300 as the control plane/border node
• Enable L3 handoff along with IP-based transit and extend Employee, Contractor, and Guest VN
• Define 3850 as an edge switch
• Deploy control plane/border node and edge node
• Configure Anycast gateways and map IP pools and SGTS
• Verify output for anycast gateways on the edge switch

Lab 7: External Connectivity Configuration – Fusion Router

• Configure fusion router interfaces for different VN’s for employees, contractor and guest traffic
• Configure BGP on the fusion device for IPv4 and VPNv4 address families
• Configure route leaking of shared resources like DHCP, DNS, and ISE on Fusion for different VRFs
• Verify BGP neighborship on both fusion and border devices
• Perform route redistribution between BGP and underlay ISIS on the border device

Lab 8: Host Onboarding

• Configure authorization profiles on ISE for employees, contractors, and guest users
• Configure authorization policies on ISE for employees, contractors, and guest users

Lab 9: Micro-Segmentation Testing

• Connect fabric user 1 part of employee VN and finance domain SGT
• Connect fabric user 2 part of employee VN and HR domain SGT
• Test connectivity between two fabric users part of the same VN but different SGT’s
• Configure access contracts to block traffic for certain applications
• Configure group-based policies with an access contract inside it to block unidirectional traffic between two SGT’s but part of the same VN

Lab 10: Macro Segmentation Testing

• Connect fabric user 1 part of employee VN and finance domain SGT
• Connect fabric user 2 part of contractor VN and external staff domain SGT
• Test connectivity between two fabric users part of different VN
• Configure route leaking on the fusion device to ensure different VN users can talk to each other:

Lab 11: Fabric-Enabled Wireless

• Discovery C9800 controller and assign it to the building
• Configure fabric-enabled Employee and Guest SSID
• Configure network profile and map SSIDs to it
• Deploy shared services, including SSIDs to the C9800 controller
• Assign C9800 with wireless role as part of Fabric
• Configure anycast gateway for Infra VN and map AP pool with it
• Test fabric-enabled wireless for both employee and guest SSIDs

Lab 12: SDA Multicast

• Enable PIM in underlay
• Configure RP
• Enable multicast in fabric
• Test multicast stream
• Validate overlay replication
• Simulate RP failure

Lab 13: L2 Border Migration

• Enable L2 border
• Map VLAN to VN
• Validate ARP suppression
• Migrate legacy VLAN
• Test coexistence
• Validate broadcast containment

Lab 14: Distributed Campus

• Deploy second fabric site
• Configure SD-Access transit
• Validate policy propagation
• Test multi-site roaming

Lab 15: Troubleshooting

• Break IS-IS adjacency
• Remove SGT contract
• Misconfigure IP pool
• Disable LISP registration
• Break RADIUS authentication
• Restore full functionality

Lab 16: Assurance

• Perform path trace
• Validate health scores
• Identify root cause
• Review anomaly detection
• Export report
• Automate alert generation

Lab 17: Programmability

• Generate API token
• Create VN via API
• Push policy via API
• Retrieve inventory
• Automate site creation
• Integrate with ITSM webhook