I'm aware of that as I posted originally but the associated project got delayed. I should have referenced that post and clearly stated that I'm after any updated best practises or practical examples/feedback from the community. 

Have you implemented any multisite deployments, and if so did you opt to go with BGP handoff in the underlay or just used OSPF/ISIS? There are lots of design documents on cisco.com and on cisco live that provide details of multisite deployments, but nothing that details the options and considerations for the underlay with pros/cons

i did with case similar to yours. i used single L2 ISIS underlay though as SDA-transit links were manually configured to summarize non-RLOC prefixes across transit. 

Thanks. This is where my understanding lacks slightly. So if all of your fabric sites where part of a single L2 ISIS underlay, how do INFRA_VN subnets get advertised outside of the fabric, such as IP pools for APs? Typically these get advertised into BGP on the BNs in the GRT, but if you dont have BGP peering out anywhere, how are AP subnets reached from outside the fabric?

though INFRA_VN is merged with GRT in Fabric its prefixes dont populate underlay IGP. Instead their endpoints are EIDs of lisp like below:
instance-id 4097
remote-rloc-probe on-route-change
dynamic-eid AP-IPV4
database-mapping 10.X.Y.128/25 locator-set <rloc-set>
exit-dynamic-eid
service ipv4
eid-table default
On the BN lisp gets redistributed in ipv4 unicast for GRT (it's automatically done by CatC with BGP)
For IS-IS it's not done automatically.

Ok so if we used a single L2 IS-IS underlay we would need to manually configure the BNs to redistribute LISP into IS-IS to allow the APs pools to be reachable outside of the fabric (which is needed for DHCP and if the WLCs are located centrally)?

correct. but be aware that with any non-automated option which are 2 last u'll need to pay much more manual configuration.

Thanks for the response @jedolphi - So if we went with option 2, communication to/from the AP subnets at each of the spoke sites will be carried through LISP/SD-Access transit, entering and exiting through the hub site's BGP IP transit, and not nativley in the underlay via the spoke sites WAN links. Is that correct? Also what is the use case to inject the non-LISP prefixes (loopback0 ranges) into BGP at the hub site? I'm not quite following the need to do that. Thanks 

" if we went with option 2, communication to/from the AP subnets at each of the spoke sites will be carried through LISP/SD-Access transit"
communications to/from the AP subnets (ed. population) will be carried via VXLAN across SDA-transit. LISP is for signalling/control-plane only.
"Also what is the use case to inject the non-LISP prefixes (loopback0 ranges) into BGP at the hub site? I'm not quite following the need to do that."
i assume u asks for RLOCs IPs. They are injected into BGP with network statement. if u have RLOCs IPs in the contiguous subnet. Otherwise there will be many /32 network statement. This is what CatC will automate for u. but can aggregate RLOCs with less specific subnet if your underlay IP-plan allows for this.
UPD: why is it needed? GRT behind BGP-peer on IP-transit preferably to know how to reach out to BNs at least from outside :0)

Thanks

I've tested option 2 with ISIS and OSPF on a spoke site's border nodes, and I had to redistribute ISIS into OSPF and then configure a summary in OSPF to advertise a summary of the spoke site's loopbacks to the core. I also had to redistribute OSPF back into to ISIS to advertise shared services subnets to the spoke site's fabric edge nodes (WLC subnet and /32s for multisite remote border nodes that we are planning on adding at a later phase). I had to put in extra controls to prevent issues with mutual/two-way redistribution between IS-IS and OSPF. This worked ok but required a bit of manual config.

I also tested by adding an AP pool to the spoke site, and as stated above, the AP pool was advertised by the hub site's IP transit (using BGP). What was interesting is that traffic to the spoke site's AP pool from outside of the fabric flows in via the hub's IP transit and VXLAN to the spoke site, however traffic back out from the the AP pool flows via the spoke site's WAN link in the underlay (following a default learnt via OSPF). Without the default in OSPF, the AP pool was unreachable. This didnt cause an issue with DHCP or allowing a test AP to join a central WLC, however it did create an asymetric flow, which I think based on the above was expected. To force AP traffic to flow via the spoke site directly in the underlay, I had to apply a filter to the IP transit as well as redistribute LISP into OSPF on the spoke site's border nodes.

In contrast, a lot less manual config with option 1 using BGP. ISIS was automatically advertised into BGP on the border nodes during LAN automation as well as the AP pool once provisioned. The only manual config needed was to redistribute shared services routes from BGP into ISIS in the underlay and to apply route filters on the core side of the BGP peers to only allow the site's respective border loopbacks, underlay summary and AP pool.

sounds good. though i dont really get where u put OSPF to play. i assumed we always say about scenario with IGP bw spoke fabric & aggregating BN in underlay with eBGP bw aggregating BN & non-LISP network. thus there is always one IGP proto in use.
nevertheless, good to know u managed to do what u needed.