The SD-Access fabric control plane node operates using the Locator/ID Separation Protocol (LISP), Map-Server(MS) and Map-Resolver(MR) functionality combined on a single node. The control plane node’s database tracks all endpoints in the fabric site and associates the endpoints to fabric nodes, decoupling the endpoint IP address or MAC address from the location of the closest router in the network.

Control Plane node enables the following functions:

• Host Tracking Database

• Endpoint identifiers (EID)

• Map-Server (MS)

• Map-Resolver (MR)

The fabric border nodes serve as the gateway between the SD-Access fabric site and the networks external to the fabric. The border node is responsible for network virtualization interworking and SGT propagation from the fabric to the rest of the network.

Border nodes can implement the following functions:

• Advertisement of Anycast Layer 3 Gateway subnets

• Fabric site exit point

• Network virtualization extension to the external world

• Policy mapping

• VXLAN encapsulation/de-encapsulation

The SD-Access fabric edge nodes are the equivalent of an access layer switch in a traditional campus LAN design. The edge node functionality is based on the Ingress and Egress Tunnel Routers (xTR) in LISP. The edge nodes must be implemented using a Layer 3 routed access design.

Fabric Edge nodes support the following functions:

• Register the endpoint in the local database and the control plane

• Create Layer 3 Access Gateway

• Mapping of users to virtual networks

• Authentication and authorization of endpoint in concert with ISE

• VXLAN encapsulation and de-encapsulation

Intermediate nodes are part of the Layer 3 network that interconnects devices operating in fabric roles, such as connections between border nodes and edge nodes. These nodes provide IP reachability, physical connectivity, and support the increased MTU requirements needed to accommodate larger IP packets encapsulated with fabric VXLAN information. However, it is important to note that Intermediate Nodes do not have overlay capabilities or participate in overlay functions.

The diagram below highlights the key components involved in an SD-Access fabric deployment and shows their respective positions within an SD-Access network:

For an ITES company, enhancing security measures, mitigating risks, and ensuring compliance with regulatory standards can be achieved by implementing robust security protocols, conducting regular risk assessments, and adhering to industry-specific regulations and standards. Cybersecurity threats pose the greatest concern for an ITES company's Chief Information Security Officer (CISO). The rapid shift to hybrid work and the evolution of digital business services for customers have significantly increased the attack surface vectors available to cybercriminals. Unchecked, these malicious actors can exploit vulnerabilities, leading to substantial losses both financially and in terms of reputation. The CISO group regularly reviews fundamental security practices and processes.

For an ITES company, compliance with regulatory standards is paramount to maintain trust, security, and legality in their operations. These companies are often entrusted with handling sensitive data and providing critical services to clients across various industries. Thus, adherence to compliance regulations is essential to ensure the confidentiality, integrity, and availability of data. Non-compliance not only exposes ITES companies to legal repercussions but also risks damaging their reputation and losing valuable client trust. Therefore, a proactive approach to compliance is crucial for the success and sustainability of ITES companies in today's regulatory landscape.

For ITES companies, network uptime is paramount to smooth operations and achieving business goals. Since ITES networks are mission-critical, the ultimate goal is to get as close to 100% availability as possible. Five-nines availability (99.999% uptime) represents a significant step towards this objective, allowing only 5 minutes and 16 seconds of downtime annually. Seamless and uninterrupted services are essential for ITES customer productivity and business success. By implementing automation, monitoring, load balancing, and failover mechanisms, ITES firms can achieve or even surpass the five-nines availability target.

Operational expenses are a major focus for ITES businesses. Streamline expenses and boost earnings through the automation of deployment across thousands of sites while minimizing the need for on-site network operations whenever feasible. Large-scale multisite deployments are common in the ITES sector, often encompassing hundreds of Offshore Development Centers (ODCs) distributed across extensive geographic areas. Managing such networks box-by-box or site-by-site with onsite teams poses significant challenges

To address the complex requirements of ITES, a solution is required to quickly set up any site or Offshore Development Center (ODC) in any location and manage it remotely. This enables ITES organizations to maintain an efficient IT staff. Achieving this entails implementing network automation and monitoring to streamline deployment and troubleshooting procedures.

Enhance user and application experiences by strategically utilizing modern technologies that support essential business capabilities. Beyond security, compliance, and availability concerns, a network with inconsistent or slow Quality of Service (QoS) can lead to poor customer satisfaction and financial losses. In environments such as time-sensitive operations, where delays are critical, low latency and consistent QoS are crucial to meet organizational requirements.

Information Technology Enabled Services (ITES) sector faces significant security challenges due to its complex and dynamic environments, such as increased attack surfaces, data breaches, insider threats, regulatory compliance, sophisticated cyber attacks, and the security of remote work. Cisco’s Software-Defined Access (SD-Access) framework addresses these challenges through a comprehensive set of tools and capabilities:

• Macro Segmentation

• Micro Segmentation

• TrustSec Models

• Group-Based Policy Analytics (GBPA)

• AI (Artificial Intelligence) Endpoint Analytics

• Endpoint Security with Zero-Trust Solution

• Isolation of Guest Users

Compliance regulations refer to the set of rules and standards that organizations must adhere to operate lawfully within a particular industry or jurisdiction. These technologies aid in ensuring compliance by automating regulatory processes, enhancing data security, and providing real-time monitoring and reporting capabilities to meet regulatory requirements effectively. Staying compliant with industry regulations can be a complex task. Cisco SD-Access offers several features that can simplify this process:

• Role-Based Access Control (RBAC)

• Audit Logs

• Configuration Compliance

• Configuration Drift

Operational efficiency is vital for ITES businesses, directly enhancing productivity, cost-effectiveness, and service quality. This efficiency enables them to maximize employee output, streamline digital transformation efforts, and ultimately, enhance their reputation and brand value. SD-Access addresses the following key aspects of operational efficiency.

• High Availability

• System Resiliency

• Reports

• Efficient Troubleshooting

Catalyst Center's Reports feature provides a comprehensive suite of tools for deriving actionable insights into your network's operational efficiency. This feature enables data generation in multiple formats, with flexible scheduling and configuration options, allowing for tailored customization to meet your specific operational needs.

The Reports feature supports various use cases that includes the following:

• Capacity Planning: Understanding device utilization within your network.

• Pattern Change Analysis: Tracking changes in usage patterns, including clients, devices, bands, and applications.

• Operational Reporting: Reviewing reports on network operations, such as upgrade completions and provisioning failures.

• Network Health Assessment: Evaluating the overall health of your network through detailed reports.

By leveraging Catalyst Center's reporting capabilities, you can significantly enhance your network's operational efficiency, ensuring a smooth-running, high-performing network environment.

For detailed information on Reports, see the Cisco Catalyst Center Platform User Guide.

Efficient troubleshooting is a critical component to support business operations for ITES customers. Catalyst Center offers comprehensive debugging ability features designed to meet these needs effectively. These features empower IT administrators to quickly identify, diagnose, and resolve Catalyst Center issues, ensuring continuous and optimal performance of the network infrastructure. The following tools help with troubleshooting:

• Validation Tool: Before Catalyst Center 2.3.5.x, the Audit and Upgrade Readiness Analyzer (AURA) tool assessed the upgrade readiness of a cluster. With the restricted shell fully implemented in 2.3.5.x, most of the AURA upgrade checks are now implemented in Catalyst Center. The Validation Tool tests both Catalyst Center appliance hardware and connected external systems and identifies any issues that need to be addressed before they seriously impact your network.

  For details on the Catalyst Center Validation Tool, see the following links:

  • Validate Cisco DNA Center Upgrade Readiness

  • Use the Validation Tool

• System Analyzer: To address troubleshooting needs, the System Analyzer tool provides efficient log file retrieval. The System Analyzer performs comprehensive assessments and diagnostics to ensure the optimal functioning and reliability of Catalyst Center and its connected network components. By leveraging the System Analyzer capabilities for monitoring, diagnostics, and performance optimization, organizations can enhance operational efficiency, ensure compliance with security standards, and deliver reliable ITES services.

  For more information, see Use the System Analyzer Tool.

  Overall, the Catalyst Center Validation Tool and System Analyzer are invaluable assets for ITES network administrators. These tools promote proactive maintenance, efficient troubleshooting, and enhanced network stability, significantly boosting operational efficiency for ITES delivery.

Automation and monitoring are essential components of modern IT infrastructure management. Automation can include tasks such as software deployment, configuration management, system provisioning, and workflow orchestration. By automating repetitive and time-consuming tasks, organizations can improve efficiency, reduce errors, and free up human resources to focus on more strategic activities. Monitoring, on the other hand, involves continuously observing and analyzing the performance and health of IT systems, networks, applications, and services. Below is an overview of how to implement these strategies for the following components:

• LAN Automation

• Plug and Play (PnP) and Return Material Authorization (RMA)

• Software Image Management (SWIM)

• Intelligent Capture (iCAP)

• Assurance and Visibility

IP Address Management (IPAM) Integration in Catalyst Center streamlines the process of managing IP addresses within a network. This integration provides a centralized platform to automate and simplify IP address allocation, tracking, and management. In SD-Access deployments, IPAM integration provides Catalyst Center access to existing IP address scopes. When configuring new IP address pools in Catalyst Center, it automatically updates the IPAM server, reducing the IP address management tasks.

Two third-party integration modules are included in Catalyst Center, one for IPAM provider Infoblox and one for Bluecat. Other IPAM providers may be configured for use with Catalyst Center by providing an IPAM provider REST API service that meets the Catalyst Center IPAM provider specification.

For details on the IPAM integration with Catalyst Center, see Configure an IP Address Manager.

IT Service Management (ITSM) refers to the implementation and management of quality IT services that meet the needs of a business. ServiceNow is a popular ITSM platform that provides a suite of applications to help organizations automate and streamline their IT services.

Catalyst Center and ServiceNow integration supports the following capabilities:

• Integrating Catalyst Center into ITSM processes of incident, event, change, and problem management.

• Integrating Catalyst Center into ITSM approval and preapproval chains.

• Integrating Catalyst Center with formal change and maintenance window schedules.

The scope of the integration is mainly to check your network for assurance and maintenance issues and for events requiring software image updates for compliance, security, or any other operational triggers. Details about these issues are then published to an ITSM (ServiceNow) system or any REST endpoint. For details, see the Cisco Catalyst Center ITSM Integration Guide.

SD-Access Extension is a critical capability that allows organizations to extend the reach of their SD-Access fabric, ensuring consistent policy enforcement, enhanced security, simplified management, and improved network performance across a broader range of environments and devices.

An extended node connects to the SD-Access in Layer 2 mode, facilitating the connection of IoT endpoints but does not support fabric technology. Using Catalyst Center, the extended node can be onboarded from a factory reset state through the PnP method, enabling security controls on the extended network and enforcing fabric policies for endpoints connected to the extended node.

To implement SD-Access Extension, enterprise administrators can deploy extended nodes, which are available in three different types:

• Extended Node (EX)

  Extended Node is a Layer 2 switch that connects to a fabric edge node in a Cisco SD-Access network. It provides connectivity for IoT endpoints and other devices that do not support full SD-Access capabilities. Extended nodes are typically managed and configured through a centralized controller like Catalyst Center. They rely on the fabric edge for advanced network functions like LISP, VXLAN, and SGACL enforcement.

• Policy Extended Node (PEN)

  Policy Extended Node is a specific type of extended node that offers additional capabilities. It can perform 802.1X/MAB authentication, dynamically assign VLANs and SGTs to endpoints, and enforce SGACLs. This type of node provides a more granular level of policy control compared to a standard extended node, allowing for more flexible network segmentation and security.

• Supplicant-Based Extended Node (SBEN)

  Supplicant-Based Extended Node is an extended node that undergoes a stricter onboarding process. It requires an IEEE 802.1X supplicant configuration and completes a full authentication and authorization process before being allowed into the SD-Access network. This approach enhances security by ensuring that only authorized devices can access the network. SBENs are often used in environments with heightened security requirements.

Key points to remember:

• Extended Nodes provide connectivity for endpoints that cannot directly participate in SD-Access.

• Policy Extended Nodes offer enhanced policy enforcement capabilities.

• Supplicant-Based Extended Nodes implement stricter security measures through 802.1X authentication.

The diagram below illustrates the extended enterprise network utilizing Extended Node (EX), Policy Extended Node (PEN), and Supplicant-Based Extended Node (SBEN).

For more details, see the "Extended Node Design" section of the Cisco SD-Access Solution Design Guide.

For further details on Extended Nodes and Policy Extended Nodes, see the Connected Communities Infrastructure - General Solution Design Guide.

Quality of Service (QoS) refers to a network's capability to prioritize or differentiate service for selected types of network traffic. Configuring QoS ensures that network resources are utilized efficiently while meeting business objectives, such as ensuring enterprise-grade voice quality or delivering a high Quality of Experience (QoE) for video. Catalyst Center facilitates QoS configuration in your network through application policies.

These policies include the following core parameters:

• Application Sets

  Groups of applications with similar network traffic requirements. Each application set is categorized into business relevance groups (business relevant, default, or business irrelevant) that determine the priority of their traffic. QoS parameters for each group are defined according to Cisco Validated Design (CVD), and adjustments can be made to align with specific business goals.

• Site Scope

  Defines the scope to which an application policy applies. For example, a wired policy applies to all wired devices within the specified site scope, while a wireless policy applies to devices using a specific Service Set Identifier (SSID) within the defined scope.

Application visibility is a feature that allows network administrators to see which applications are running on their network, monitor their performance, and understand how network resources are being utilized. This is crucial for maintaining optimal network performance, ensuring security, and improving the user experience.

Catalyst Center empowers you to manage and gain insights into applications traversing your network. This includes identifying built-in applications, custom applications, and categorizing network traffic. The application visibility service, hosted as an application stack within Catalyst Center, enables the Controller-Based Application Recognition (CBAR) function on a specific device to classify thousands of networks, home-grown applications, and network traffic.

Application visibility is achieved through a combination of deep packet inspection, flow analysis, and application recognition technologies, providing a comprehensive view of network activity and application performance. By implementing CBAR, organizations can ensure that their critical applications perform optimally, enhancing overall productivity and user satisfaction.

You can install the following packages:

• Application Policy: allows you to automate QOS policies across LAN, WAN, and wireless within your campus and branch.

• Application Registry: allows you to view, manage, and create applications and application sets.

• Application Visibility Service: provides application classification using Network-Based Application Recognition (NBAR) and CBAR techniques.

An ITES organization needs to conduct regular employee training sessions across multiple branch offices located in different regions. These training sessions include live video broadcasts of presentations, demonstrations, and interactive Q&A sessions. To efficiently distribute the video content to all branches simultaneously without overloading the network, the organization utilizes multicast technology.

Such multicast data can be streamed from various sources, including regional data centers and corporate data centers. The Cisco SD-Access architecture provides the flexibility for end-to-end seamless multicast data traffic to flow from anywhere within the larger enterprise network to any location globally. Cisco SD-Access supports both headend replication and native multicast modes, offering the flexibility to assign Multicast RP (Rendezvous Points) nodes either within the SD-Access fabric or externally.

SD-Access supports two different transport methods for forwarding multicast traffic: one uses the Overlay, referred to as Head-End Replication, and the other uses the Underlay, known as Native Multicast.

• Head-End Replication

  Head-End Replication (or Ingress Replication) is performed either by the multicast first-hop router (FHR) when the multicast source is in the fabric overlay, or by the border nodes when the source is outside the fabric site.

• Native Multicast

  Native Multicast does not require the ingress fabric node to perform unicast replication. Instead, the entire underlay, including intermediate nodes, is used to handle the replication. To support Native Multicast, the first-hop routers (FHRs), last-hop routers (LHRs), and all network infrastructure components between them must be enabled.

By leveraging multicast technology within the SD-Access framework, the ITES organization can effectively conduct large-scale employee training sessions, enhancing communication and learning across all branch offices.

In deployments with physical locations, you can use different templates for each of the different site types such as a large branch, a regional hub, headquarters, or small remote office. The underlying design challenge is to look at the existing network deployment and wiring, and propose a method to layer SD-Access fabric sites in these areas. This process can be simplified and streamlined by creating templates of the reference models. The templates help in understanding the common site designs by offering reference categories based on the multidimensional design elements along with the endpoint count to provide design guidelines for sites of similar size. The numbers are used as guidelines only and do not necessarily match the maximum specific scale and performance limits for devices within a reference design.

Each fabric site includes a supporting set of control plane nodes, edge nodes, border nodes, and wireless LAN controllers, sized appropriately from the listed categories. ISE Policy Service Nodes (PSN) are also distributed across the sites to meet survivability requirements.

Common types of fabric site reference models include the following:

• Very Small Site (Fabric in a Box)

• Small Site

• Medium Site

• Large Site

• Extra Large Site

Note	These reference models offer valuable guidance. Adjustments may be necessary based on your specific network requirements and constraints. To ensure optimal deployment of your SD-Access fabric, we recommend that you consult with a network design professional.

For details on fabric site reference models, see the Cisco SD-Access Solution Design Guide.

Designing wireless solutions within Cisco's SD-Access framework requires configuring and integrating multiple components to ensure smooth operation and management. ITES organizations utilizing an SD-Access fabric for their wired network have two choices for incorporating wireless access:

• SD-Access Wireless Architecture

• Cisco Unified Wireless Network Wireless Over-the-Top (OTT)

Cisco SD-Access for distributed campus is a solution designed for metro-area connectivity, linking multiple independent fabric sites while maintaining consistent security policies, such as Virtual Routing and Forwarding (VRF) and Scalable Group Tags (SGT), across these sites. Although SD-Access has supported multisite environments for some time, there has not been a simple, automated method to synchronize policies between sites. Previously, at each site’s fabric border node, fabric packets were de-encapsulated into native IP. While policy extension between sites was possible, it required a manual process, relied on SXP for policy propagation, and involved complex configurations of IP to SGT bindings within ISE.

With SD-Access transit for distributed campus, SXP is no longer needed, configurations are automated, and the complex mappings are simplified. This solution enables inter-site communication with consistent, end-to-end automation and policy across the metro network.

SD-Access transit for distributed campus uses control plane signaling from the LISP protocol and maintains VXLAN encapsulation of packets between fabric sites. This preserves the macro and micro-segmentation policy constructs of VRFs and SGTs, respectively, between fabric sites. The original Ethernet header of the packet is retained to enable the Layer-2 overlay service of SD-Access wireless. The result is a network that is address-agnostic because policy is maintained through group membership.

For further information on distributed site design and deployment, see Cisco SD-Access Distributed Campus Deployment Guide and Cisco SD-Access Distributed Campus Design.

Multisite remote border (MSRB) centralizes the routing of untrusted traffic within the fabric network to a designated location such as a firewall or DMZ (demilitarized zone). For example, in a scenario where a guest virtual network spans multiple sites, all guest traffic can be directed through a remote border located at the DMZ, effectively isolating it from enterprise traffic.

In a multisite network deployment, a designated multisite remote border manages traffic to and from a specific virtual network extended across multiple sites. This configuration enables the deployment of a virtual network across multiple fabric sites while maintaining a unified subnet across these locations. Consistently maintaining subnets across multiple fabric sites helps optimize IP address utilization. It establishes a centralized entry and exit point for that virtual network, providing several advantages:

• Centralized control: You can designate a common border switch, called the anchor border, to handle all traffic for a particular virtual network across various sites. This simplifies management and policy enforcement.

• Subnet consistency: Multisite remote border enables you to use the same subnet for the virtual network across all sites. This eliminates the need to manage different subnets at each location, saving IP address space and simplifying configuration.

• Traffic isolation: Multisite remote border is particularly useful for isolating untrusted traffic, such as guest Wi-Fi. All guest traffic across different sites can be tunneled to a central location, like a DMZ, for security purposes.

Here are some common terms that are used in the context of a multisite remote border:

• Anchor virtual network: A virtual network that exists across multiple fabric sites in a network. The associated IP subnet and segment are common across these multiple sites.

• Anchor site: The fabric site that hosts the common border and control plane for an anchor virtual network. anchor site handles the ingress and egress traffic for the anchor virtual network.

• Anchoring sites: Fabric sites other than the anchor site where the anchor virtual network is deployed.

• Anchor border node or multisite remote border: The fabric border node at the anchor site that provides the ingress and egress location for traffic to and from the anchor virtual network.

• Anchor control plane node: The fabric control plane node at the anchor site that accepts registrations and responds to requests for endpoints in the anchor virtual network.

In essence, multisite remote border simplifies network management, enhances security for isolated traffic, and optimizes IP address usage in Cisco SD-Access deployments with multiple sites.

The diagram below illustrates a multisite remote border deployment.

For additional details regarding multisite remote border, see LISP VXLAN Fabric Configuration Guide.

Note	It is crucial to consider the maximum transmission unit (MTU) across the entire path to accommodate the additional 50-byte VXLAN header overhead. This is particularly important as the reachability of the anchor site border node may involve traversing multiple IP networks.

LISP Publish and Subscribe (PubSub) model is a significant enhancement to traditional LISP architecture. It streamlines the distribution of endpoint location information across the network, ensuring that all nodes receive timely and accurate data. With its efficiency, scalability, and ability to manage dynamic environments, the LISP PubSub model is a crucial component in modern, large-scale network designs.

LISP PubSub design eliminates the need for an additional protocol to register the LISP site registration table to control plane nodes in the fabric. LISP PubSub feature is fully automated through Catalyst Center, which simplifies the deployment of an SD-Access fabric and removes the need for manual routing configuration.

LISP PubSub architecture is a building block for other features and capabilities, such as:

• LISP Dynamic Default Border Node

• LISP Backup Internet

• LISP Affinity-ID

• LISP Extranet

LISP PubSub uses a publish and subscribe model for routing information. Edge nodes subscribe to the default route, which includes the next-hop IP addresses of both border nodes. If a border node loses its upstream connection (and BGP peering), the default route is removed from the routing table for the affected VNs. The border node then updates the control plane to signal that it can no longer serve as the default route. As a result, the control plane informs all edge nodes subscribed to the default route, ensuring they stop using the failed route and instead rely on the default route toward the remaining active border node. This approach eliminates the need for BGP peering per VRF/VN between border nodes to maintain routing redundancy, thereby reducing manual configuration.

LISP PubSub design recommendations:

• LISP/BGP fabric sites and LISP PubSub fabric sites cannot co-exist with the same transit control plane nodes.

• Migration from one to another is not supported yet.

• LISP PubSub is recommended only for new network implementation.

Migrating to Cisco SD-Access involves a comprehensive approach encompassing assessment, design, implementation, and ongoing optimization. Leveraging Catalyst Center for automation and management ensures a streamlined and efficient migration process, ultimately resulting in a more secure, scalable, and manageable network environment.

Before beginning the migration of the existing network to Cisco SD-Access, consider the following aspects:

• Network: Maximum transmission unit (MTU), network topology, IP addressing for underlay and overlay, and location of shared services.

• Policy: Existing policy definition and enforcement points, virtual networks, and SGTs.

• Hardware platform: Switches, routers, wireless controllers, and access points that support SD-Access.

• Software platform: Catalyst Center, ISE, network data platform.

• Scale of deployment: Scale of hardware platforms on their role in the SD-Access architecture.

• Existing network design: Layer 2 access or routed access.

These are the primary approaches to migrate an existing network to SD-Access:

• Parallel Approach

  An SD-Access network is built alongside the existing brownfield network. Switches are migrated from the brownfield network to the SD-Access network by physically patching cables. This approach simplifies change management and rollback procedures. However, setting up the parallel network requires additional rack space, power, and cabling infrastructure beyond what the brownfield network currently uses.

• Incremental Approach

  This strategy involves migrating traditional switches from the brownfield network and converting them into SD-Access fabric edge nodes. The Layer 2 border handoff, discussed in the next section, facilitates this gradual migration. This approach is suitable for networks with existing equipment capable of supporting SD-Access or facing environmental constraints such as limited space and power.

For complete guidance and different options to migrate existing traditional networks to Cisco SD-Access, see the Migration to Cisco SD-Access chapter in the Cisco Software-Defined Access for Industry Verticals.

Establishing a secure Offshore Development Center (ODC) within an ITES organization necessitates the implementation of two Virtual Private Network (VPN) configurations:

• Site-to-Site VPN

• Client-to-Site VPN

• Bring up network infrastructure and integrate all features for greenfield campus.

• Automate and simplify network device and fabric provisioning.

• Monitor inventory and manage network devices using Catalyst Center.

• Integrate with Cisco ISE for authentication and authorization of device and client.

• Manage and deploy wireless controllers and access points using Catalyst Center.

• Onboard devices via plug and play for network devices and access points.

• Manage network settings for multiple sites using Cisco Catalyst for shared services.

• Deploy SD-Access multisite campus and manage traffic across campus.

• Upgrade multiple devices, such as switches, routers, and wireless controllers using Catalyst Center.

• Onboard new floors to existing fabric sites.

• Onboard new fabric nodes with wired and wireless clients.

• Replace brownfield APs from Wave2 to 11 Ax.

• Add small new sites using Fabric in a Box (FiaB) with an embedded wireless controller.

• Add small new fabric sites with another Flex Over-The-Top (OTT) deployment.

• Perform day-n credential changes such as, device password changes and network device updates.

• Allow VLAN on the Layer 2 and Layer 3 handoff link using a template.

  Note	The template must be reprovisioned after any operation that triggers the "switchport mode trunk" and “switchport trunk allowed vlan all” configuration for the uplink port.

• Implement virtual networks across the organization to achieve consistent macrosegmentation.

• Use group-based access policy for microsegmentation within a virtual network using SGTs.

• Ensure secure onboarding of wired and wireless clients using authentication.

• Enforce policy at different entry and exit traffic points in the fabric.

• Operational scenarios that include the addition of new segments and group-based access policies for devices and users.

• Apply and use trusted CA FQDN-based certificates with Catalyst Center.

• Create granular role-based users with external AAA authentication and use audit logging to check Catalyst Center activities.

• Monitor audit policy changes, deployment of policy changes, and status of these deployments.

• Onboard wireless clients using enterprise SSID for branch employees and users.

• Provide guest wireless access for users at branches using a Central Web Authentication (CWA) portal.

• Deploy wireless infrastructure with Catalyst 9800 Series Wireless Controller in HA mode and an embedded wireless LAN controller.

• Enforce guest SSID traffic policies on the firewall using multisite remote border.

• Recovery from device or link failure automatically with minimal impact on existing applications, traffic, and users.

• Catalyst Center in three-node HA mode. In case of services or node failure in Catalyst Center, the system should recover without user intervention.

• Cisco ISE distributed nodes failover with PSN, pxGrid node failover.

• Cisco Catalyst wireless LAN controller and access points failover.

• Failover scenarios with link and network device failure within the fabric.

• Back up Catalyst Center controller configuration and data either, one time or on schedule.

• Restore backup on a new Cisco Catalyst cluster and verify the ability to manage the devices.

• Longevity with churn in the network, policy, and device connectivity.

• Monitor the state of the network, wired users, and wireless users from a unified interface.

• Monitor severe, critical, and other ongoing issues with the network and devices and follow the suggested actions in Assurance to resolve the issues.

• Obtain a comprehensive view of individual devices, wired user, or wireless user and retrieve detailed information.

• Track detailed application data usage by users using application visibility.

• Multi-dimensional scale configuration with all solutions integrated and check for stability of the network.