Configuring, Monitoring and Troubleshooting Cisco SDWAN for IOT

This course provides a deep, hands-on examination of Cisco Catalyst SD-WAN as applied to industrial and operational technology (OT) environments. Participants learn to design, deploy, secure, monitor, and troubleshoot SD-WAN fabrics built around Cisco's ruggedized Industrial Router and Industrial Switch portfolio. The course covers both the legacy template-based configuration model (UX 1.0) and the current Configuration Groups / Policy Groups / Topology Groups model (UX 2.0), reflecting the operational reality that most enterprises are migrating between the two. Significant emphasis is placed on OT-specific concerns: ruggedized hardware selection, edge compute and application hosting, OT asset visibility with Cisco Cyber Vision, remote access to industrial assets through Secure Equipment Access, and the security, segmentation, and high-availability patterns required to protect converged IT/OT networks.

• Explain Cisco SD-WAN architecture and identify the role of each control- and data-plane component in an Industrial IoT deployment
• Select and justify the appropriate Cisco Catalyst Industrial Router or Switch platform for a given OT use case (substation, rail, mobile/fleet, oil & gas, water/wastewater)
• Onboard and provision IR-series routers using PnP, Zero Touch Provisioning, and Quick Connect
• Build and deploy configuration using both legacy Device/Feature Templates and current Configuration Groups / Feature Profiles
• Design and deploy Policy Groups, Topology Groups, and centralized/localized policy for application-aware routing, QoS, and security
• Implement OT-specific security: Cyber Vision asset visibility, Secure Equipment Access, NGFW/Embedded Security, and segmentation for converged IT/OT networks
• Monitor and troubleshoot the SD-WAN fabric and IOT WAN edge devices using SD-WAN Manager, CLI, ThousandEyes, and ANALYTICS
• Plan and execute software upgrades across controllers and IR-series routers/switches

Network Engineers

OT/IT Convergence Teams

SD-WAN Administrators

Cisco partners deploying or supporting Industrial IoT WAN edge environments

Working knowledge of routing/switching fundamentals (CCNA-level)

Basic familiarity with WAN Technologies

Prior SD-WAN exposure helpful but not required

OUTLINE

Module 0: Introductions and Industrial IoT Foundations

Lesson 1: Getting Started

• General Administration and Course Logistics
• WebEx Basics for Virtual Delivery
• Participant Introductions and Use-Case Discussion
• Common Questions Companies Ask About SD-WAN

Lesson 2: SD-WAN and Industrial IoT Fundamentals

• What Is Cisco SD-WAN?
• How Does Cisco Define SD-WAN? (Orchestration, Management, Control, and Data Planes)
• What Are Industrial Routers and Industrial Switches, and How Do They Differ from Enterprise Platforms?
• OT vs. IT Networking: Ruggedization, Environmental Ratings, and Lifecycle Differences
• Desired Business and Technical Benefits of SD-WAN for Industrial IoT

Lesson 3: OT Security Preview

• Secure Equipment Access - Why Remote OT Access Is Different
• Cisco Cyber Vision Overview - Visibility into the OT Asset Layer

Module 1: Cisco Catalyst SD-WAN Platform Overview

Lesson 1: SD-WAN Architecture Overview

• Orchestration Plane (Cisco SD-WAN Validator)
• Management Plane (Cisco SD-WAN Manager)
• Control Plane (Cisco SD-WAN Controller)
• Data Plane (Cisco IOS XE Catalyst SD-WAN Edge Devices, including IR-series)

Lesson 2: Cisco SD-WAN Solution Overview

• Cloud-Delivered vs. On-Premises Controller Deployment
• Fabric Overlay Concepts as Applied to Distributed OT Sites

Lesson 3: New Features by Version

• Feature Timeline Across Recent IOS XE Catalyst SD-WAN and SD-WAN Manager Releases
• NEW: Current release alignment: Cisco IOS XE 17.15.x–17.18.x and Cisco Catalyst SD-WAN Manager 20.15–20.18

Lesson 4: Licensing for Cisco SD-WAN

• Cisco Smart Licensing Using Policy
• DNA/Network Essentials, Advantage, and Premier Tiers as They Apply to IR-Series Platforms

Lesson 5: SD-Routing Overview

• SD-Routing vs. SD-WAN Controller Mode
• When to Use SD-Routing for Lightweight, Cloud-Managed IOT Sites

Module 2: Cisco SD-WAN Controllers

Lesson 1: Cisco SD-WAN Controller Architecture

• Validator, Controller, and Manager Roles and Communication Flows
• On-Premises vs. Cloud-Hosted Controller Considerations for OT Environments

Lesson 2: Cisco Catalyst SD-WAN Portal

• Navigating the Cloud-Hosted Controller Portal
• Tenant and Account Management Basics

Lesson 3: Verifying the Control Plane

• Validating Controller Reachability and Certificate Status
• Confirming Control Connections from IR-Series Edge Devices

Module 3: Cisco SD-WAN Allow Lists and Certificates

Lesson 1: Certificate Fundamentals

• PKI Concepts as Applied to SD-WAN Trust

Lesson 2: SD-WAN Certificates

• Enterprise CA vs. Cisco-Signed (Symantec/DigiCert) Certificates

Lesson 3: Certificate Configuration

• Installing and Rotating Certificates on Controllers and Edge Devices

Lesson 4: Certificate Validity

• Expiration Monitoring and Renewal Planning

Lesson 5: Monitoring and Troubleshooting Certificates

• Common Certificate Failures and Resolution Steps

Module 4: Catalyst SD-WAN Industrial Platforms

This module provides expanded platform-by-platform coverage of the Cisco Catalyst Industrial Router and Industrial Switch portfolio used across Industrial IoT deployments.

Lesson 1: SD-WAN Platform Overview

• Controller Mode vs. Autonomous Mode on IOS XE
• Universal Image Strategy Across the Catalyst Portfolio

Lesson 2: SD-WAN Industrial Router Portfolio

• Catalyst IR1100 / IR1101 Rugged Series — Modular Mobile and Fixed Edge Router
• Catalyst IR1800 Rugged Series — IP67, 5G/Wi-Fi 6, Modular Pluggable Design
• Catalyst IR8300 / IR8340 Rugged Series — Integrated Routing, Switching, and Security for Substation and Trackside
• Catalyst IR8140H Heavy Duty Series — IP67 Outdoor, Four Module Slots
• NEW: Use-case mapping: oil & gas, utility substation, rail/trackside, intersection/roadway, mobile fleet, and renewable energy sites
• NEW: Time synchronization for substation use cases: PTP, IRIG-B, PRP, and IEC 61850 / IEEE 1613 compliance on IR8300/IR8340

Lesson 3: SD-WAN Industrial Switch Portfolio

• NEW: Cisco Catalyst IE3x00 and IE4000 Rugged Series Switches — extending SD-WAN-managed segmentation to the OT access layer
• NEW: Resilient Ethernet Protocol (REP) and Parallel Redundancy Protocol (PRP) for ring and substation topologies
• NEW: Switch onboarding and management through Secure Equipment Access and Cyber Vision

Lesson 4: Supported Pluggable Modules

• Cellular (4G LTE / 5G), Wi-Fi 6 (WIM), and Ethernet SFP Modules
• GNSS/GPS Modules for Location-Aware and Mobile Deployments

Lesson 5: Catalyst 8000 Series Router Overview

• Catalyst 8000V, 8200, and 8300 as Aggregation/Headend Platforms for IOT Overlays

Lesson 6: SD-WAN WAN Edge High Availability

• Dual-Router and Dual-WAN Site Designs
• Power Supply Redundancy Considerations for Field-Deployed IR Platforms

Module 5: Cisco SD-WAN Industrial Router WAN Edge Deployments

Lesson 1: Adding a Device to the PnP Portal

• Plug and Play Connect Workflow
• Bulk Device Import for Large-Scale IOT Rollouts

Lesson 2: Device Initial Bootup and Image Selection

• Choosing Autonomous vs. Controller-Mode Images on First Boot

Lesson 3: SD-WAN Zero Touch Provisioning with IOT Routers

• ZTP Workflow End to End
• Field Considerations for Cellular-Only and Low-Bandwidth Sites

Lesson 4: SD-WAN Quick Connect

• Rapid Day-Zero Onboarding for Single-Router Sites

Lesson 5: Manually Provisioning SD-WAN Industrial Routers

• CLI Bootstrap for Air-Gapped or Pre-Staged Deployments

Lesson 6: Verifying SD-WAN WAN Edge Configuration

• Verifying Control Connections
• OS Package Files and Image Management

Module 6: Configuring Cisco SD-WAN Manager

Lesson 1: Dashboard Overview and UX 2.0 Changes

• NEW: Modernized landing page with customizable widgets for device health, alarms, and application performance

Lesson 2: SD-WAN Manager Monitoring Dashboard

• Key Widgets, Alarms, and Quick-Access Panels

Lesson 3: SD-WAN Manager Configuration Menu

• Navigating Configuration in UX 1.0 vs. UX 2.0

Lesson 4: SD-WAN Manager Tools

• Built-In Diagnostic and Operational Tools

Lesson 5: SD-WAN Manager Maintenance

• Backup, Restore, and Database Maintenance Tasks

Lesson 6: Administrative Settings

• Validator and Controller Registration
• Organization and Cluster Settings

Lesson 7: Resource Groups

• Scoping Devices and Access by Resource Group

Lesson 8: Users and Groups

• Role-Based Access Control for Configuration Groups and Policy Groups

Lesson 9: RADIUS and TACACS+

• Centralized Authentication for SD-WAN Manager and Devices

Lesson 10: Single Sign-On / IDP Management

• SAML-Based SSO Integration

Lesson 11: License Management

• Smart Licensing Status and Reporting

Lesson 12: Network Wide Path Insight

• End-to-End Path Visibility for Application Flows

Module 7: SD-WAN Software Upgrades

Lesson 1: Upgrading the SD-WAN Environment

Lesson 2: Upgrading SD-WAN Controllers

Lesson 3: Upgrading Industrial Routers and Switches via SD-WAN Manager

Lesson 4: Upgrading Industrial Routers and Devices via CLI

Module 8: SD-WAN OMP and Fabric

Lesson 1: SD-WAN Fabric Overview and Terminology

Lesson 2: SD-WAN Segmentation

• VPNs/VRFs for IT/OT Separation

Lesson 3: OMP, TLOCs, and Routes

Lesson 4: SD-WAN BFD

Lesson 5: On-Demand Tunnels

• Bandwidth-Conscious Tunnel Strategies for Cellular-Backed IOT Sites

Lesson 6: Multi-Region Fabric

• NEW: Core (Region 0) and Access Region Design for Large, Geographically Distributed OT Networks
• NEW: Border Router and Edge Router Roles

Lesson 7: SD-WAN Fabric Verification

Module 9: SD-WAN QoS and Quality of Experience

Lesson 1: QoE / QoS Challenges in Industrial Networks

Lesson 2: Quality of Experience (QoE) and Quality of Service (QoS)

Lesson 3: Per-Tunnel QoS

Lesson 4: Adaptive QoS

Lesson 5: Per-VPN QoS

Lesson 6: Application Quality of Experience (AppQoE)

Lesson 7: Forward Error Correction (FEC) and Packet Duplication

Lesson 8: TCP Optimization

Lesson 9: Data Redundancy Elimination (DRE) and Lempel-Ziv (LZ) Compression

Module 10: SD-WAN Security and SASE

Lesson 1: Security Overview

• Defense-in-Depth Across the SD-WAN Fabric

Lesson 2: Secure Equipment Access for OT/IOT Devices

• Clientless Remote Access to Field Assets Without Exposing the OT Network

Lesson 3: SD-WAN Fabric Security

• Control- and Data-Plane Encryption

Lesson 4: SD-WAN Security Options

Lesson 5: SD-WAN Integrated Security and NGFW

• NEW: NGFW (formerly Embedded Security): Application Firewall, IPS/IDS, URL Filtering, AMP, and TLS Proxy

Lesson 6: SD-WAN Security Configuration

• Configuring Security via Configuration Groups and Policy Groups

Lesson 7: Secure Access Service Edge (SASE)

• Cisco Secure Access Integration with the SD-WAN Fabric

Lesson 8: DNS Security and SIG/SSE

• NEW: Cloud-Delivered DNS Layer Security for Branch and IOT Sites

Module 11: SD-WAN Templates and Configuration Groups

Lesson 1: Legacy Template Model (UX 1.0)

• Template Overview — Using Templates to Simplify Management
• Feature Templates — Configure Per-Feature Settings
• Device Templates — Apply Complete Configurations
• CLI Templates — Freeform CLI Input
• Creating Device Templates by Combining Feature Templates for Reuse
• Attaching Devices to a Template

Lesson 2: Current Model (UX 2.0): Configuration Groups

• Configuration Groups Overview — Reusable Configuration Bundles
• Feature Profiles and Parcels — the Building Blocks of a Configuration Group
• Creating Configuration Groups — Guided Workflow vs. Single-Window Creation
• NEW: Single-window creation and contextual feature addition (Cisco IOS XE Catalyst SD-WAN 17.15.1a+)
• Deploy Configuration Group Workflow — Deploying Changes with Review
• Viewing and Editing Configuration Groups Over Time
• NEW: Device Tagging and Automated Rules for Bulk Configuration Group Association
• Configuration Catalog — Browsing and Reusing Configuration Items
• NEW: Dual-Router and Dual-Device Site Configuration Groups

Module 12: SD-WAN Policy Groups

Lesson 1: Policy Groups Fundamentals

• What Are Policy Groups? — Logical Grouping of Policies
• Groups of Interest (Policy Objects) — Reusable Building Blocks
• Application Priority and SLA — Defining Application Expectations
• NGFW — Next-Generation Firewall Control
• SIG/SSE and DNS Security — Secure Internet Gateway Integration

Lesson 2: Building and Deploying Policy Groups

• Policy Group Creation
• Associating and Deploying Policy Groups Across the Network
• NEW: Policy versioning — SD-WAN Manager retains the last 30 versions of a security policy for rollback

Module 13: Topology Groups and the UX 2.0 Operating Model

A new module addressing Topology Groups, a core UX 2.0 construct that was not separately covered in the prior outline.

Lesson 1: Topology Groups Overview

• NEW: Defining hub-and-spoke, full-mesh, and custom topologies as reusable, intent-based constructs
• NEW: Associating Topology Groups with Configuration Groups and Policy Groups

Lesson 2: UX 2.0 Topology and Network Hierarchy

• Sites, Regions, and Areas as Organizing Constructs
• Real-Time and Historical Topology Views with Health Overlays

Lesson 3: Migrating from UX 1.0 to UX 2.0

• Planning, Execution, Validation, and Rollback
• Operating in a Mixed UX 1.0 / UX 2.0 Environment During Phased Migration

Module 14: Cisco SD-WAN Integration with ThousandEyes

Lesson 1: ThousandEyes Introduction

Lesson 2: Architecture and SD-WAN Deployment

Lesson 3: Troubleshooting ThousandEyes SD-WAN Deployments

Lesson 4: ThousandEyes for Industrial Edge Assurance

• NEW: End-to-end visibility extended to the industrial edge on IR1800/IR8300 platforms

Module 15: Industrial IoT Device Integration with Cisco Cyber Vision

Lesson 1: Cyber Vision Overview

• OT Asset Discovery, Classification, and Behavioral Baselining

Lesson 2: Integrating Cyber Vision with SD-WAN

• Sensor Deployment Models: Network Sensor on IR/IE Hardware vs. Hardware Sensor

Lesson 3: Protecting Industrial Routers and Switches with Cyber Vision

• Adaptive Network Segmentation Driven by Discovered OT Communications Patterns

Lesson 4: Cyber Vision Risk Scoring and Vulnerability Management

• NEW: Mapping discovered assets to known vulnerabilities and prioritizing remediation

Module 16: Secure Equipment Access with Industrial Routers and Switches

Lesson 1: Secure Equipment Access (SEA) Overview

Lesson 2: Configuring Secure Equipment Access

Lesson 3: Using SEA to Access Industrial Ethernet Switches and Provision Networks Behind SD-WAN Routers

Lesson 4: SEA Audit, Logging, and Session Recording

• NEW: Tracking third-party and vendor remote sessions into OT assets for compliance

Module 17: Cisco Catalyst SD-WAN Analytics

Lesson 1: Analytics Overview

Lesson 2: Analytics Dashboards

Lesson 3: Analytics IDP Onboarding

Lesson 4: Analytics KPIs and Scores

Lesson 5: Cisco Analytics Troubleshooting

Lesson 6: Analytics Onboarding and Access Workflow

Module 18: Monitoring and Troubleshooting the SD-WAN Industrial IoT Fabric

Lesson 1: SD-WAN Troubleshooting Overview

Lesson 2: SD-WAN Technical Support Access

Lesson 3: Controller Failure Scenarios

Lesson 4: Troubleshooting Controllers

Lesson 5: Troubleshooting Industrial Router and Switch Control Connections

Lesson 6: Typical Control Connection Issues

Lesson 7: Troubleshooting the Data Plane

Lesson 8: Troubleshooting Routing

Lesson 9: Troubleshooting Centralized Policies

Lesson 10: Packet Forwarding Troubleshooting

Lesson 11: Device Configuration and Upgrade Failures

Lesson 12: vDiagnose - Diagnostic Tool for SD-WAN

Lesson 13: Troubleshooting Industrial IoT Devices in Harsh Environments

Lesson 14: Troubleshooting Using SD-WAN Manager

Lesson 15: Device-Level Troubleshooting

Lesson 16: Using the GUI CLI Show-Command Tool Under Troubleshooting > Real-Time

Lesson 17: CLI Troubleshooting

Lesson 18: NetFlow Collectors

Lesson 19: SNMP Overview

Lesson 20: SD-WAN Logs

Lesson 21: SD-WAN Reporting

Lesson 22: SD-WAN Manager APIs and Programmability

Hands-On Lab Outline

Labs are performed against a live, instructor-provided Cisco SD-WAN lab pod that includes on-premises controllers and physical or emulated Catalyst IR1101 and IE3300 hardware, reflecting real Industrial IoT field conditions.

Lab 1: Configure SD-WAN Controllers

• Deploy the SD-WAN Manager Controller
• Deploy the SD-WAN Validator (Orchestrator)
• Deploy the SD-WAN Controller
• Configure Certificate Settings

Lab 2: Deploy the IR1101 Router and IE3300 Switch

• Deploy WAN Edge Router and Industrial Switch
• Configure the WAN Edge Router
• Prepare the Edge Device for Zero Touch Provisioning

Lab 3: SD-WAN Manager Configuration

• Explore the Interface (UX 1.0 and UX 2.0)
• Add Controllers to the Allow List
• Add WAN Edge Devices to the Allow List
• BFD Tuning
• Create and Update Users
• Manage the Fabric

Lab 4: Upgrade SD-WAN Industrial Routers

• Stage and Validate a Software Image
• Upgrade via SD-WAN Manager
• Upgrade via CLI and Verify Post-Upgrade State

Lab 5: Create Industrial IoT Device Templates (UX 1.0)

• Build Feature Templates for a Representative IR-Series Device
• Combine into a Device Template and Attach to a Device

Lab 6: Create Industrial IoT Configuration Groups (UX 2.0)

• Build a Configuration Group Using Guided Workflow
• Add and Edit Feature Profiles
• Tag Devices and Apply Automated Association Rules
• Deploy the Configuration Group and Validate Sync Status

Lab 7: Create and Deploy a Local Policy to the IR1101

• Create a Local Control Policy
• Configure OSPF and BGP
• Create a Local Data Policy
• Create an ACL
• Create a Device Access Policy
• Configure QoS
• Configure an OSPF Route Policy

Lab 8: Create and Deploy a Centralized Policy

• Control Policy Lab
• Data Policy Lab
• Application-Aware Routing Policy Lab
• Create a cFlowd Policy

Lab 9: Application-Aware Routing

• Create a Centralized Policy for Application-Aware Routing
• Identify Application Groups (FTP / Microsoft 365 / Voice)
• Create Lists: Site Lists, Application Lists, Data Prefix Lists, VPN Lists
• Create SLA Classes
• Create Traffic Rules
• Apply Policies to Sites and VPNs

Lab 10: Policy Groups and Topology Groups (UX 2.0)

• Build a Policy Group with Application Priority and SLA
• Build a Topology Group and Associate It with a Configuration Group
• Deploy and Verify Using the Topology View

Lab 11: Integrating Cyber Vision in Industrial Routers and Switches

• Enable the Cyber Vision Network Sensor on an IR-Series Device
• Discover and Classify OT Assets
• Review Risk Scores and Build a Segmentation Policy from Discovered Traffic

Lab 12: Using Secure Equipment Access to Program Industrial Switches

• Configure SEA on an IR-Series Gateway
• Establish a Clientless Remote Session to an IE-Series Switch
• Review SEA Session Logs

Lab 13: Edge Application Hosting (NEW)

• Enable the Application Hosting Framework on a Supported IR-Series Device
• Install and Activate a Sample Hosted Application
• Monitor Resource Consumption and Application Health from SD-WAN Manager

Lab 14: Monitoring and Troubleshooting

• Explore SD-WAN Manager Dashboard Analytics
• Monitor Applications
• Monitor Loss, Latency, and Jitter
• Monitor an Individual Device
• Check System Status
• Check Control Connections
• Check OMP Status
• Check BFD Status
• Check Interfaces for Issues
• Use the CLI to View and Troubleshoot Debug Logs
• Troubleshoot BFD
• Troubleshoot OMP
• Use Troubleshooting Tools to Diagnose Issues (Ping, Traceroute, App Route Visualization)
• Simulate Traffic Flows and Capture Packets
• Troubleshoot Application-Aware Routing