Study Guide: Chapter 9 — Cisco Catalyst Center: Architecture and Day 0 Provisioning

Pre-Check — Section 9.1: Architecture and APIs

1. What does the term "Intent-Based Networking" mean in the context of Catalyst Center?

A. Engineers write device-specific CLI and the controller distributes it automatically B. You declare the desired business outcome and the controller derives the per-device configuration C. The network uses machine learning exclusively to configure itself without human input D. Intent-Based Networking is a marketing term with no technical distinction from traditional management

2. Which Catalyst Center API plane is used by external automation tools to issue configuration commands?

A. Southbound plane B. Eastbound plane C. Northbound Intent API D. Westbound Integration API

3. How long is a Catalyst Center authentication token valid by default?

A. 15 minutes B. 30 minutes C. 1 hour D. 24 hours

4. When a Catalyst Center mutating operation (POST/PUT/DELETE) returns HTTP 202, what does the response body contain?

A. The fully rendered configuration that was pushed to the device B. A taskId that must be polled to determine the operation outcome C. A list of all devices affected by the change D. An empty body — success is implied by the 202 status code

5. Which HTTP header must every Catalyst Center Intent API request include after authentication?

A. Authorization: Bearer <token> B. X-Auth-Token: <token> C. Cookie: token=<token> D. X-API-Key: <token>

9.1.1 From DNA Center to Catalyst Center: Intent-Based Networking

Cisco Catalyst Center — formerly DNA Center — is Cisco's flagship Intent-Based Networking (IBN) controller. The exam treats "DNA Center" and "Catalyst Center" as synonymous. Traditional management works bottom-up: engineers configure each device with CLI. IBN inverts the relationship — you declare the outcome and the controller derives the per-device configuration.

Catalyst Center delivers IBN through three capabilities: Design (sites, IP pools, network settings), Policy (SD-Access segmentation, group-based policy), and Assurance (telemetry, AI/ML analytics, root-cause analysis).

9.1.2 Platform Architecture and Communication Planes

Catalyst Center exposes four communication planes. The southbound interface is hidden from automation engineers — you call the Northbound Intent API, and Catalyst Center translates that intent into NETCONF, SSH, SNMP, or OpenConfig as needed per device type.

Plane	Interface	Protocol	Purpose
Northbound	Intent API	REST/HTTPS + JSON	External automation, orchestration
Southbound	Device Connectivity	NETCONF/YANG, SSH, SNMP, OpenConfig	Configure and monitor managed devices
Eastbound	Events & Notifications	WebSocket, Webhooks	Real-time event streaming
Westbound	Integration API	REST	ITSM integrations (ServiceNow, BMC)

Communication Planes at a Glance

Automation Tools

→

Catalyst
Center

→

Switches / Routers

ITSM (ServiceNow)

↔

→

Access Points

Event Consumers

←

→

WLCs

→ Northbound (Intent API)
↔ Westbound (Integration)
← Eastbound (Events)
→ Southbound (Device)

flowchart TD subgraph External["External Systems"] AUTO["Automation / Orchestration"] ITSM["ITSM (ServiceNow, BMC)"] MON["Event Consumers"] end subgraph CC["Catalyst Center Controller"] NB["Northbound — Intent API\nREST/HTTPS + JSON"] WB["Westbound — Integration API\nREST"] EB["Eastbound — Events\nWebSocket / Webhooks"] SB["Southbound — Device Connectivity\nNETCONF · SSH · SNMP · OpenConfig"] end subgraph Devices["Managed Devices"] SW["Switches"] RT["Routers"] AP["Access Points"] WLC["Wireless Controllers"] end AUTO -->|"X-Auth-Token"| NB ITSM <-->|"ServiceNow integration"| WB EB -->|"Real-time events"| MON SB --> SW & RT & AP & WLC

9.1.3 The Intent API: Structure and Authentication

The Intent API exposes over 1,000 operations organized into functional domains. All calls use the base path /dna/intent/api/v1/ (v2 for some newer endpoints) and require an X-Auth-Token header.

Authentication uses a POST to /dna/system/api/v1/auth/token with Basic credentials encoded in Base64. The response contains a JWT-like token valid for 1 hour. The catalystcentersdk handles refresh automatically.

sequenceDiagram participant Client as Automation Client participant CC as Catalyst Center participant API as Intent API Client->>CC: POST /dna/system/api/v1/auth/token
Authorization: Basic base64(user:pass) CC-->>Client: 200 OK {"Token": "eyJhbGci..."} Note over Client: Token valid for 1 hour Client->>API: GET /dna/intent/api/v1/network-device
X-Auth-Token: eyJhbGci... API-->>Client: 200 OK [device list] Client->>API: POST .../pnp-device/site-claim
X-Auth-Token: eyJhbGci... API-->>Client: 202 Accepted {"taskId": "abc-123"} Note over Client: Poll taskId — re-auth after 60 min

9.1.4 The Asynchronous Task Pattern

All mutating operations (POST, PUT, DELETE) are asynchronous. The response returns immediately with a taskId. You must poll GET /dna/intent/api/v1/task/{taskId} until endTime is set, then check isError and failureReason. Think of it like a delivery tracking number — you check the portal periodically rather than standing at the loading dock.

flowchart TD A["POST / PUT / DELETE"] --> B["202 Accepted\n{taskId: 'abc-123'}"] B --> C["GET /task/abc-123"] C --> D{endTime set?} D -- No --> E["Wait interval (5s)"] E --> F{Max attempts?} F -- No --> C F -- Yes --> G["Raise TimeoutError"] D -- Yes --> H{isError true?} H -- Yes --> I["Raise RuntimeError\nLog failureReason"] H -- No --> J["Operation Successful"]

Post-Check — Section 9.1: Architecture and APIs

1. An automation script POSTs to /dna/intent/api/v1/image/distribution and receives a 202 response. What should the script do next?

A. Declare success and proceed — 202 means the operation completed B. Retry the POST until it returns 200 OK C. Extract the taskId and poll /dna/intent/api/v1/task/{taskId} until endTime is populated D. Wait 60 seconds, then query the device inventory for the updated image version

2. Which Catalyst Center plane is used for ServiceNow ITSM integration?

A. Northbound B. Southbound C. Eastbound D. Westbound

3. What is the correct endpoint to obtain a Catalyst Center authentication token?

A. POST /dna/intent/api/v1/token B. GET /dna/system/api/v1/auth/token C. POST /dna/system/api/v1/auth/token D. POST /api/v1/login

4. A task poll returns {"endTime": 1700000000, "isError": true, "failureReason": "Device unreachable"}. What does this mean?

A. The task is still running and failureReason is a warning only B. The task completed but failed; the automation script should log the failure reason and handle the error C. The task completed successfully; isError refers to an unrelated audit log entry D. The endTime being set means success regardless of the isError field

5. Why does Catalyst Center hide the southbound interface from automation engineers?

A. To prevent engineers from making unauthorized changes to devices directly B. To provide a single, protocol-agnostic API surface — the controller selects the appropriate southbound protocol per device type C. The southbound interface is not hidden; automation tools can call NETCONF directly on managed devices D. Because southbound protocols are proprietary and cannot be used by third-party tools

9.2 Controller-Based Day 0 Provisioning

Pre-Check — Section 9.2: Day 0 Provisioning

1. What is the primary DHCP option used to redirect a PnP-capable device to Catalyst Center?

A. DHCP Option 66 (TFTP server) B. DHCP Option 43 with the Cisco PnP redirect string C. DHCP Option 82 (relay agent information) D. DHCP Option 150 (Cisco TFTP)

2. Which PnP device state means the device contacted Catalyst Center but no admin action has been taken?

A. Planned B. Onboarding C. Unclaimed D. Provisioned

3. What is the correct order of the five Day 0 PnP provisioning steps?

A. Import Device → Create Template → Claim Device → Create Network Profile → Assign Site B. Create Template → Create Network Profile → Assign Sites → Import Device → Claim Device C. Claim Device → Import Device → Assign Sites → Create Network Profile → Create Template D. Create Network Profile → Assign Sites → Create Template → Claim Device → Import Device

4. Which API endpoint triggers the actual provisioning push during PnP Day 0?

A. POST /dna/intent/api/v1/onboarding/pnp-device/import B. POST /dna/intent/api/v1/onboarding/pnp-device/site-claim C. POST /dna/intent/api/v1/template-programmer/template/version D. POST /api/v1/siteprofile

5. A Cisco IOS-XE device boots with no persistent configuration. What mechanism activates PnP discovery?

A. The device sends a Syslog message to Catalyst Center B. An engineer must manually trigger discovery from the Catalyst Center GUI C. A factory-default PnP IOS Agent in the bootstrap startup config activates and attempts to locate a PnP server D. The device broadcasts a CDP frame that Catalyst Center receives

9.2.1 Plug and Play Zero-Touch Provisioning

PnP allows a technician to unbox a device, connect cables, and walk away. Catalyst Center handles the rest. Every Cisco IOS-XE device ships with a PnP IOS Agent in its bootstrap startup config. When the device boots with no persistent configuration, the agent activates and discovers the controller via one of three methods:

Method	Mechanism	Best For
DHCP Option 43	Device sends Option 60 "ciscopnp"; DHCP server returns controller IP in Option 43	Preferred method; most reliable
DNS Resolution	Device resolves `pnpserver.<domain>` A record pointing to controller VIP	When DHCP scopes cannot be modified
Cisco PnP Connect	Device contacts `devicehelper.cisco.com`; org registers controller in Smart Account portal	Large-scale greenfield; no DHCP/DNS changes possible

PnP Discovery Sequence

Device boots with no configFactory PnP IOS Agent activates automatically

DHCP DISCOVER with Option 60 "ciscopnp"Device signals it is PnP-capable to the DHCP server

DHCP OFFER with Option 43Server returns: 5A1D;B2;K4;I<CC-IP>;J443

Device connects to Catalyst Center HTTPSPnP agent opens TLS session to controller VIP:443

Device appears as "Unclaimed" in Catalyst CenterAdmin or automation claims device → provisioning begins

9.2.2 PnP Device States

stateDiagram-v2 [*] --> Planned : Admin pre-registers\nby serial number [*] --> Unclaimed : Device boots and contacts\nCatalyst Center Planned --> Unclaimed : Device contacts CC;\nmatched to pre-staged record Unclaimed --> Onboarding : Admin or automation\nclaims the device Onboarding --> Provisioned : Image push + template\napplied successfully Onboarding --> Error : Image or config\npush fails Error --> Onboarding : Admin resolves error;\nre-triggers claim Provisioned --> [*] : Device enters\nmanaged inventory

9.2.3 The Five-Step Day 0 Provisioning Workflow

flowchart TD S1["Step 1: Create Day 0 Template\nPOST .../template-programmer/project/{id}/template\nPOST .../template-programmer/template/version (commit)"] S2["Step 2: Create Network Profile\nPOST /api/v1/siteprofile\nAssociate template with device type"] S3["Step 3: Assign Sites to Network Profile\nPOST /api/v1/siteprofile/{profile_id}/site/{site_id}"] S4["Step 4: Import Device into PnP Inventory\nPOST .../onboarding/pnp-device/import\nPre-stage by serial number"] S5["Step 5: Claim the Device\nPOST .../onboarding/pnp-device/site-claim\nSite + template + variables → triggers push"] EXEC["Catalyst Center Executes:\n1. Image deployment (if needed)\n2. Template rendering with variables\n3. Configuration push\n4. Device registered in managed inventory"] S1 --> S2 --> S3 --> S4 --> S5 --> EXEC

The claim step (Step 5) is the trigger. Its payload bundles site ID, device ID, template ID, and per-device variable values (hostname, management IP, gateway, etc.). Catalyst Center executes image upgrade (if needed), renders the template, pushes the config, and adds the device to managed inventory — all asynchronously via a taskId.

Pre-staging (Step 4 done before the device ships) is a best practice: register the serial number in the PnP inventory so the device transitions directly from Unclaimed to Onboarding when it makes first contact, with zero human intervention required on-site.

Post-Check — Section 9.2: Day 0 Provisioning

1. What additional action must be taken on a Day 0 template before it can be referenced in a site-claim payload?

A. The template must be assigned to a device type in the GUI before API use B. The template must be exported to a YAML file and uploaded to the PnP inventory C. The template must be committed (versioned) via POST .../template-programmer/template/version D. No additional action is needed — a draft template can be used in a claim operation immediately

2. A branch device contacts Catalyst Center and was pre-staged by serial number. What state will it be in when first contact is made?

A. Onboarding — pre-staging causes immediate template push B. Unclaimed — the device matched its pre-staged record and now waits to be claimed C. Planned — the device remains in Planned until the administrator reviews it D. Provisioned — the controller automatically provisions pre-staged devices on first contact

3. A network team cannot modify DHCP scopes at a new branch site but controls the DNS server. Which PnP discovery method should they configure?

A. DHCP Option 43 — this is the only reliable method B. DNS — create an A record for pnpserver.<domain> pointing to Catalyst Center's VIP C. Cisco PnP Connect — register the device in the cloud portal at software.cisco.com D. Manual PnP — a technician must connect via console and enter the controller IP

4. In the site-claim payload, what is the purpose of the configParameters array?

A. It specifies which VLAN the device should use for management after provisioning B. It provides the per-device variable substitution values for the Day 0 template (e.g., hostname, IP, gateway) C. It lists the credentials Catalyst Center should use to authenticate to the device D. It defines which software image should be installed during the PnP process

5. What network prerequisite is required on the upstream switch port connected to a new PnP device?

A. The port must be configured as an access port on VLAN 1 B. The port must be configured as an 802.1Q trunk, with pnp startup-vlan specifying the management VLAN C. The port must have spanning-tree portfast disabled to ensure PnP DHCP packets are forwarded D. No special configuration is needed; the PnP agent negotiates the correct VLAN automatically

9.3 Network Design Automation

Pre-Check — Section 9.3: Network Design and SWIM

1. What are the four levels of the Catalyst Center site hierarchy in order?

A. Global → Region → Site → Device B. Global → Area → Building → Floor C. Organization → Campus → Building → Room D. Root → Domain → Location → Zone

2. What does the SWIM distribute-then-activate two-phase approach achieve?

A. It verifies the image integrity during distribution before copying it to the device B. It allows image staging during business hours and defers the device reload to a maintenance window, minimizing downtime risk C. It distributes the image to a staging server before pushing it to the device D. It requires manual approval between the distribute and activate steps to prevent accidental upgrades

3. Which endpoint retrieves a list of all sites in the Catalyst Center hierarchy?

A. GET /dna/intent/api/v1/network-device B. GET /dna/intent/api/v1/site C. GET /api/v1/siteprofile D. GET /dna/intent/api/v1/topology/site-topology

9.3.1 Site Hierarchy: The Organizing Principle

The site hierarchy is the primary key linking devices to configuration policies, IP pools, templates, and network settings. Every provisioning workflow requires resolving the correct siteId UUID first. The hierarchy follows four levels:

Global
└── Area          (geographic region, country, or logical grouping)
    └── Building  (physical facility)
        └── Floor (specific floor within a building)

Example: Global / US / San-Jose / HQ-Building-1 / Floor-2

The catalystcentersdk makes hierarchy creation straightforward. Call catalyst.sites.create_site(type="area" | "building" | "floor", site={...}) for each level, using parentName to position the node correctly.

9.3.2 Network Settings and IP Pools

Each site can have per-site DNS, NTP, DHCP, and AAA settings configured via POST /dna/intent/api/v1/network, plus IP address sub-pools reserved via POST /dna/intent/api/v1/reserve-ip-subpool. These settings propagate to all devices provisioned at that site, ensuring branch-wide consistency without per-device manual configuration.

9.3.3 Software Image Management (SWIM)

SWIM manages the full software image lifecycle: import approved images, tag a "golden" image per device platform, distribute to device flash, and activate. All SWIM operations are asynchronous.

Operation	Endpoint	Description
Import	`POST .../image/importation/source/url`	Pull image from URL into CC repository
Query	`GET .../image/importation`	List images; filter by platform
Tag Golden	`POST .../image/importation/golden`	Mark image as standard for a device family
Distribute	`POST .../image/distribution`	Copy image to device flash (no reload)
Activate	`POST .../image/activation/device`	Reload device to boot from distributed image

The distribute → activate split is key: distribute during business hours (device keeps running the old image), then activate (reload) during the maintenance window. This cuts the risk window from hours to the reload time only.

Post-Check — Section 9.3: Network Design and SWIM

1. A SWIM distribution task returns a taskId. The task completes with isError: false. What must happen next before the device runs the new image?

A. Nothing — the device automatically reboots after a successful distribution B. The engineer must SSH to the device and manually issue a reload command C. A separate activation operation (POST .../image/activation/device) must be triggered, which reloads the device D. The image must be tagged as golden before it can be activated

2. Why is resolving the siteId UUID the first step in virtually every Catalyst Center automation workflow?

A. The siteId is required by the authentication token endpoint to scope API permissions B. The site hierarchy is the primary key that ties devices, IP pools, templates, and policies together — most API operations reference it C. The siteId must be included in every HTTP request header alongside the X-Auth-Token D. The siteId is required only for wireless provisioning workflows, not for switching

3. An automation script creates a site hierarchy using catalyst.sites.create_site(). When creating a Building node, which field specifies where it sits in the hierarchy?

A. siteId — the UUID of the parent Area node B. parentName — the full path string, e.g., Global/US/San-Jose C. parentType — set to "area" to indicate the parent is an Area node D. hierarchyPath — a dot-separated path like Global.US.San-Jose

9.4 Practical Catalyst Center API Automation

Pre-Check — Section 9.4: SDK and Automation

1. What are the two package names for the Cisco Catalyst Center Python SDK?

A. cisco-cc-sdk and catalyst-sdk B. dnacentersdk (legacy) and catalystcentersdk (current) C. ciscosdk and networkautomation D. netdevops and intentapi

2. What environment variable configures the Catalyst Center base URL for the SDK?

A. DNAC_URL B. CC_BASE_URL C. CATALYST_CENTER_BASE_URL D. CISCO_CC_HOST

9.4.1 The catalystcentersdk Python Library

The SDK (pip install catalystcentersdk or legacy pip install dnacentersdk) is the primary automation interface for ENAUTO 300-435. Both packages are functionally equivalent; the legacy name persists due to broad adoption.

Feature	Behavior
Token management	Obtains token on instantiation; silently refreshes on expiry
Rate-limit handling	Catches HTTP 429, retries with automatic backoff
Dot-notation access	JSON fields accessible as Python object attributes
IDE autocompletion	Method namespaces mirror API domain names
Custom caller	Covers API endpoints not yet wrapped in named methods
Env var support	Reads credentials from `CATALYST_CENTER_*` env vars

9.4.2 SDK Instantiation and Version Compatibility

Always instantiate using environment variables to avoid hard-coded credentials. Pin the SDK version in requirements.txt to match the controller deployment version — mismatches cause silent method signature failures.

from catalystcentersdk import api

# Zero hard-coded credentials (reads CATALYST_CENTER_* env vars)
catalyst = api.CatalystCenterAPI()

# Explicit instantiation for multi-controller scripts
catalyst = api.CatalystCenterAPI(
    username="devnetuser",
    password="Cisco123!",
    base_url="https://sandboxdnac.cisco.com:443",
    version="3.1.3.0",
    verify=False   # use True in production
)

9.4.3 Core Automation Patterns

Every Catalyst Center automation workflow follows the same pattern:

Resolve UUIDs (site, template, device) by querying existing resources
Execute the mutating operation (claim, distribute, discover, etc.)
Extract the returned taskId
Poll until endTime is set
Check isError — raise/log if true, continue if false

The custom_caller pattern handles endpoints not yet wrapped in named SDK methods:

catalyst.custom_caller.add_api(
    "get_global_credentials",
    lambda cred_type: catalyst.custom_caller.call_api(
        "GET",
        "/dna/intent/api/v1/global-credential",
        params={"credentialSubType": cred_type}
    ).response
)

netconf_creds = catalyst.custom_caller.get_global_credentials("NETCONF")

9.4.4 Production Error Handling Principles

Principle	Implementation
Never assume tasks succeed	Always poll `taskId`; check `isError` and `failureReason`
Validate resources first	Check site/template/device existence before claim operations
Use environment variables	Never hard-code credentials; use `CATALYST_CENTER_*` env vars or secrets manager
Pin SDK versions	Version mismatches cause silent method signature failures
Log task IDs	Always log `taskId` values for debugging failed automation runs

Key Points — Section 9.4

catalystcentersdk (current) and dnacentersdk (legacy) are functionally equivalent; both are exam-relevant
SDK reads credentials from CATALYST_CENTER_USERNAME, CATALYST_CENTER_PASSWORD, CATALYST_CENTER_BASE_URL, etc.
Always pin the SDK version in requirements.txt to match the controller — use catalystcentersdk==3.1.3.0.x for CC 3.1.3.0
Use custom_caller for endpoints not yet wrapped in named SDK methods — provides full API coverage
Core pattern: resolve UUIDs → execute mutating operation → extract taskId → poll → check isError

Post-Check — Section 9.4: SDK and Automation

1. An automation script uses catalystcentersdk version 2.3.7.6 against a Catalyst Center 3.1.3.0 appliance. What is the most likely outcome?

A. The SDK automatically detects the version mismatch and upgrades itself B. All SDK methods work normally because the API is fully backwards compatible C. Method signature errors or missing endpoints may occur; the SDK version must match the controller version D. The script fails immediately on instantiation with an explicit version error

2. A development team wants to avoid hard-coding Catalyst Center credentials in their CI/CD pipeline scripts. What is the recommended approach?

A. Encrypt credentials using base64 and store them in the source code B. Store credentials in environment variables (CATALYST_CENTER_USERNAME, etc.) and use api.CatalystCenterAPI() with no arguments C. Create a dedicated read-only Catalyst Center user account and hard-code those credentials instead D. Pass credentials as command-line arguments to the script at runtime

3. The SDK's custom_caller pattern is used when:

A. The automation needs to call an API endpoint that has not yet been wrapped in a named SDK method B. The token has expired and the SDK cannot automatically refresh it C. The script needs to bypass Catalyst Center and call NETCONF directly on a device D. Multiple Catalyst Center controllers need to be targeted in parallel

Chapter 9: Cisco Catalyst Center — Architecture and Day 0 Provisioning

Learning Objectives

9.1 Catalyst Center Architecture and APIs