
SD-Access

A physical network can host a variety of logical networks.

Requires switches and routers that support the overlay, Cisco Catalyst Center for automation, and ISE when group-based policy is used.

Terms

BUM — Broadcast, Unknown Unicast, Multicast

Traffic types with no single destination, so they don't map cleanly onto point-to-point tunnels.

Types

Layer 2 Overlay

  • Anycast gateway enabled
    • Flooding is disabled
  • No anycast gateway
    • Flooding cannot be disabled
    • Used if the gateway is outside the fabric

Flooding uses a multicast point-to-multipoint (p2mp) tunnel.

Layer 3 Overlay

Subnets stretched across the fabric, each with an anycast gateway.

Terms

Underlay

Physical gear, configured with IPs either by hand or automatically.

The Layer 3 network that VXLAN-GPO travels through.

No VRFs, no extra features: just lots of point-to-point /31 links.

Typically deployed with IS-IS, since a single IS-IS process carries both IPv4 and IPv6 (it is address-family agnostic).

This part can be automated.

VXLAN-GPO

Cisco's VXLAN Group Policy Option (GPO) extends the VXLAN header with a field that carries the SGT (Security Group Tag, now called Scalable Group Tag).

VN

VN – Virtual Network

  • VRF
  • Anycast gateway
  • LISP instance ID
  • Identified on the wire by the VNI field of the VXLAN-GPO header

Communication between VNs must pass through a fusion router or a firewall; there is no direct path between VRFs inside the fabric.
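To make the VXLAN-GPO section concrete, here is a small encoder/decoder for the 8-byte VXLAN-GPO header as an added example (not code from these notes or from Cisco). The layout follows draft-smith-vxlan-group-policy: a 16-bit flag word, a 16-bit Group Policy ID (where the SGT is carried), a 24-bit VNI (the VN) and a reserved byte. The outer IP/UDP headers are left out, and the instance ID 4099 and SGTs 17 and 20 are constructed sample values.

```python
"""Pack and unpack a VXLAN-GPO header (added example, not from the notes).

Layout follows draft-smith-vxlan-group-policy: 16 flag bits, 16-bit Group
Policy ID (SD-Access puts the SGT here), 24-bit VNI (the VN's instance ID)
and 8 reserved bits. Outer IP/UDP headers are omitted.
"""
import struct

HDR_LEN = 8
FLAG_G = 0x8000  # bit 0: Group Policy ID field is valid
FLAG_I = 0x0800  # bit 4: VNI field is valid (the only flag plain VXLAN sets)
FLAG_D = 0x0040  # bit 9: Don't Learn the inner source MAC at the receiver
FLAG_A = 0x0008  # bit 12: policy already Applied; egress need not re-evaluate


def pack_vxlan_gpo(vni: int, sgt: int, *, policy_applied: bool = False,
                   dont_learn: bool = False) -> bytes:
    """Build the header for a frame in VN `vni` sent by an endpoint with `sgt`."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    if not 0 <= sgt < 1 << 16:
        raise ValueError("SGT must fit in 16 bits")
    flags = FLAG_G | FLAG_I
    if dont_learn:
        flags |= FLAG_D
    if policy_applied:
        flags |= FLAG_A
    # word 1: flags then Group Policy ID; word 2: VNI in the top 24 bits, reserved byte 0
    return struct.pack("!HHI", flags, sgt, vni << 8)


def unpack_vxlan_gpo(hdr: bytes) -> dict:
    """Decode a header; a plain VXLAN header (G bit clear) yields sgt=None."""
    if len(hdr) < HDR_LEN:
        raise ValueError("short header")
    flags, group_policy_id, word2 = struct.unpack("!HHI", hdr[:HDR_LEN])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: VNI not valid")
    return {
        "vni": word2 >> 8,
        "sgt": group_policy_id if flags & FLAG_G else None,
        "policy_applied": bool(flags & FLAG_A),
        "dont_learn": bool(flags & FLAG_D),
    }


def same_vn(a: bytes, b: bytes) -> bool:
    """Two frames are in the same VN iff their VNIs match; their SGTs may differ."""
    return unpack_vxlan_gpo(a)["vni"] == unpack_vxlan_gpo(b)["vni"]


if __name__ == "__main__":
    # Constructed sample values: VN with instance ID 4099, endpoint SGT 17.
    hdr = pack_vxlan_gpo(4099, 17)
    print(hdr.hex())               # 8800001100100300
    print(unpack_vxlan_gpo(hdr))
    # Another endpoint in the same VN but a different group: only bytes 2-3 change.
    print(same_vn(hdr, pack_vxlan_gpo(4099, 20)))  # True
```

The point to take from the bytes: the VN (VNI) and the group (SGT) are independent fields, so two endpoints in one VRF can carry different tags, and a header without the G bit set carries no group at all, which is why SGACL enforcement needs the GPO variant rather than plain VXLAN.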

SD Access Nodes

Control Plane

  • Runs the LISP Map-Server/Map-Resolver (MS/MR) database that maps each endpoint to its location (EID-to-RLOC).
  • Each control plane node holds the full database.
  • Key Lookup
    • IPv4
    • IPv6
    • MAC Address

Fabric Edge

  • AKA FE.
  • Identifies and authenticates wired endpoints.
  • For wireless (over-the-top), registers the IPv4/IPv6 endpoint IDs.
  • Is the Layer 3 anycast gateway.
  • Provides the VN for wireless clients.
  • Onboards APs into the fabric and forms VXLAN tunnels with them.
  • Provides the guest functionality for wireless guests.
  • Is a LISP xTR (ingress/egress tunnel router), hosts the anycast gateway, and handles overlay host protocols such as DHCP.

Fabric Border

  • Connects other L3 networks to SDA fabric.

Fabric Border Node Types

  • Border: known destinations (data center, private cloud).
  • Default Border: unknown destinations (Internet).
  • Anywhere Border: both.

Border nodes perform the context change from one VRF to another, moving traffic between a fabric VN and the external routing domain.

Fabric Intermediate

Only does IP transport in the underlay:

  • Routing
  • Multicast

Fabric Edge Onboarding

  • (Method 1) Open Auth or MAB: a user connects to a port and the port is placed in a host pool.
  • (Method 2) 802.1X authenticates the device, which is then placed in a host pool.
  • A host pool has an SGT, an SVI and a VRF instance.
  • The SVI is the anycast gateway (same IP address and MAC for that SVI and VRF) on all edge nodes.
  • The host address is now an EID (MAC, /32 IPv4, /128 IPv6) that is registered with the control plane node.
  • Control plane signaling is LISP; the data plane is VXLAN-GPO.

Fusion Device

Lets devices in different VNs talk to each other by leaking routes between the VRFs outside the fabric.

Policy Management

SGACLs (scalable group ACLs), defined in ISE as a source-SGT by destination-SGT matrix and enforced on the fabric edge.
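The control plane, onboarding and policy sections above describe one flow: a port lands in a host pool, the edge registers the endpoint's EIDs with the control plane nodes, a later lookup returns the destination RLOC, and the SGACL matrix decides whether the flow is permitted. The following toy model ties those steps together as an added example; it is not Cisco code and talks to no real gear. The pools, addresses, instance IDs (4099, 4100), SGTs (17, 20, 30) and the SGACL cells are constructed, and the model assumes that an empty matrix cell means the default permit.

```python
"""Toy model of SD-Access onboarding, the LISP control plane and SGACL checks.
Added example: not Cisco code, talks to no real gear. Names, addresses,
instance IDs and SGTs are constructed sample values."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class HostPool:
    name: str
    vn: str           # virtual network, i.e. the VRF
    instance_id: int  # LISP instance ID / VXLAN VNI of that VN
    sgt: int          # scalable group tag given to endpoints in the pool
    gateway: str      # anycast gateway address, identical on every edge


@dataclass(frozen=True)
class Eid:
    instance_id: int  # EIDs are scoped to a VN
    key: str          # MAC, IPv4 /32 or IPv6 /128: the three lookup keys


class ControlPlaneNode:
    """LISP MS/MR holding the full EID-to-RLOC database."""
    def __init__(self) -> None:
        self.db: Dict[Eid, str] = {}

    def register(self, eid: Eid, rloc: str) -> None:
        self.db[eid] = rloc

    def resolve(self, eid: Eid) -> Optional[str]:
        return self.db.get(eid)


class FabricEdge:
    def __init__(self, rloc: str, cps: List[ControlPlaneNode]) -> None:
        self.rloc, self.cps = rloc, cps
        self.endpoints: Dict[str, HostPool] = {}  # local IP -> its host pool

    def onboard(self, mac: str, ipv4: str, ipv6: str, pool: HostPool) -> List[Eid]:
        """Port authenticated (MAB/802.1X) and placed in `pool`: register the
        endpoint's three EID forms against this edge's RLOC with every CP node."""
        eids = [Eid(pool.instance_id, mac), Eid(pool.instance_id, f"{ipv4}/32"),
                Eid(pool.instance_id, f"{ipv6}/128")]
        for cp in self.cps:
            for eid in eids:
                cp.register(eid, self.rloc)
        self.endpoints[ipv4] = self.endpoints[ipv6] = pool
        return eids


class Fabric:
    def __init__(self, cps, sgacl: Dict[Tuple[int, int], str], default_border: str):
        self.cps, self.sgacl, self.default_border = cps, sgacl, default_border
        self.edges: Dict[str, FabricEdge] = {}

    def add_edge(self, edge: FabricEdge) -> None:
        self.edges[edge.rloc] = edge

    def forward(self, src_edge: FabricEdge, src_ip: str, dst_ip: str) -> dict:
        """Ingress edge resolves the destination inside the source's VN; the egress
        edge applies the SGACL using the source SGT carried in VXLAN-GPO."""
        pool = src_edge.endpoints[src_ip]
        prefix = f"{dst_ip}/128" if ":" in dst_ip else f"{dst_ip}/32"
        rloc = self.cps[0].resolve(Eid(pool.instance_id, prefix))
        if rloc is None:
            # Unknown in this VN: hand to the default border. A host in another VN
            # is only reachable through the fusion device, never directly.
            return {"rloc": self.default_border, "src_sgt": pool.sgt, "verdict": "border"}
        dst_pool = self.edges[rloc].endpoints[dst_ip]
        # Model assumption: an empty matrix cell means the default permit.
        verdict = self.sgacl.get((pool.sgt, dst_pool.sgt), "permit")
        return {"rloc": rloc, "vni": pool.instance_id, "src_sgt": pool.sgt,
                "dst_sgt": dst_pool.sgt, "verdict": verdict}


def build_sample_fabric() -> Tuple[Fabric, FabricEdge, FabricEdge]:
    """Constructed topology: two CP nodes, two edges, two VNs, three host pools."""
    employees = HostPool("EMPLOYEE", "CORP", 4099, 17, "10.1.0.1")
    printers = HostPool("PRINTER", "CORP", 4099, 20, "10.1.0.1")
    cameras = HostPool("CAMERA", "IOT", 4100, 30, "10.2.0.1")
    cps = [ControlPlaneNode(), ControlPlaneNode()]
    sgacl = {(17, 20): "permit", (20, 17): "deny", (30, 17): "deny"}
    fabric = Fabric(cps, sgacl, default_border="border-default")
    edge1, edge2 = FabricEdge("192.0.2.11", cps), FabricEdge("192.0.2.12", cps)
    fabric.add_edge(edge1)
    fabric.add_edge(edge2)
    edge1.onboard("00:11:22:33:44:01", "10.1.0.10", "2001:db8:1::10", employees)
    edge2.onboard("00:11:22:33:44:50", "10.1.0.50", "2001:db8:1::50", printers)
    edge2.onboard("00:11:22:33:44:99", "10.2.0.5", "2001:db8:2::5", cameras)
    return fabric, edge1, edge2


if __name__ == "__main__":
    fabric, edge1, edge2 = build_sample_fabric()
    print(fabric.forward(edge1, "10.1.0.10", "10.1.0.50"))  # permit, RLOC 192.0.2.12
    print(fabric.forward(edge2, "10.1.0.50", "10.1.0.10"))  # deny at egress edge-1
    print(fabric.forward(edge1, "10.1.0.10", "10.2.0.5"))   # other VN: via border
```

Two things the model makes visible that the bullet list does not: every control plane node ends up with the same nine entries (three endpoints times three EID forms), and a lookup for a host that lives in another VN fails inside the fabric because the instance ID is part of the key, which is exactly why inter-VN traffic has to go out to a fusion device.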

Site Size

| Size       | Endpoints | WLCs | APs    | IP Pools | VNs | BNs | CPs | ENs   | Notes |
|------------|-----------|------|--------|----------|-----|-----|-----|-------|-------|
| Fabric IAB | 1,000     |      | 50     |          |     | 1   | 1   | 1     | |
| Small      | 10,000    | 2    | 500    | 100      | 32  | 2   | 2   | 100   | External WLC needed |
| Medium     | 50,000    | 2    | 2,500  | 300      | 64  | 2   | 2-6 | 500   | FEW requires 2 CP nodes |
| Large      | 100,000   | 2    | 10,000 | 500      | 64  | 4   | 2-6 | 1,200 | 3-tier network. FEW requires 2 CP nodes |

WLCs = wireless LAN controllers, BNs = border nodes, CPs = control plane nodes, ENs = edge nodes.

References

Cisco Live - SD-Access Solution Fundamentals - Jerome Dolphin - BRKENS-2810

Cisco Live - SD-Access Best Practices - Ashley Burton - BRKENS-2502

Cisco Software-Defined Access Solution Design Guide

SD-Access Deployment Using Cisco Catalyst Center - Cisco

Cisco - SD-Access Wireless Design and Deployment Guide - Cisco DNA center 2.1.1

Cisco SD-Access Fabric Resources - Cisco Community

Last Modified • Monday, June 15, 2026. 6:16 am UTC+00:00 • Commit: 589791e