Overlay Networking

Cisco SD-Access Architecture: Fabric, Control Plane, and Policy

Cisco SD-Access mapped onto LISP and VXLAN with macro and micro segmentation
In: Overlay Networking

SD-Access is Cisco's intent-based campus fabric, and it is where the two protocols from earlier in this cluster stop being academic. LISP is its control plane, VXLAN is its data plane, and Catalyst Center is the automation and policy layer that operates the whole thing so you never touch the underlying CLI. If you understand LISP and VXLAN, you already understand most of how SD-Access works; the rest is the policy model and the operational shift.

This article explains the SD-Access architecture, its roles, and how the pieces fit. It is a concept article by necessity (SD-Access cannot be built in a lab without Catalyst Center), and it extends the Network Virtualization cluster guide.

The Problem SD-Access Addresses

A traditional campus is a pile of VLANs, subnets, access lists, and manual per-switch configuration. Segmentation is done with VLANs and ACLs that must be maintained by hand on every device. Moving a user or a device between floors often means re-IPing. Applying a security policy consistently across a large campus is genuinely hard, and proving it was applied is harder.

SD-Access changes the model in three ways:

Location-independent identity
A user keeps their access and policy wherever they plug in, because the fabric decouples identity from location (this is the LISP EID/RLOC split).
Policy by group, not subnet
Security is expressed between groups of users (SGTs), not between IP subnets, so it survives IP changes and moves.
Automated operation
Catalyst Center provisions the fabric from intent. You describe what you want; it renders the device configuration.

The Two Planes You Already Know

Strip away the branding and SD-Access is LISP plus VXLAN:

Control plane = LISPThe fabric maps each endpoint (EID) to the fabric edge switch it lives behind (RLOC), exactly as in the LISP article. Endpoint moves update the mapping, not the address.
Data plane = VXLANTraffic between fabric nodes is VXLAN-encapsulated, carrying the segment (VNI) and the group tag (SGT) across the fabric.

The one genuinely new ingredient is the policy plane: Scalable Group Tags (SGTs) from Cisco TrustSec, carried inside the VXLAN header, that let the fabric enforce group-based policy independent of IP addressing. That is the piece that makes "policy by group, not subnet" work.

The Fabric Roles

SD-Access defines a handful of node roles. Map them onto the LISP roles you already know and they stop being jargon:

Fabric Edge Node
The access switch users plug into. It is a LISP xTR: it registers endpoints and does VXLAN encap/decap. The anycast gateway lives here.
Control Plane Node
The LISP map-server / map-resolver. Holds the endpoint-to-edge mapping database for the whole fabric.
Border Node
The edge of the fabric, connecting to the outside world (WAN, data centre, internet) and translating between fabric and non-fabric.
Catalyst Center
The controller. Provisions every role from intent, and provides assurance and analytics. Not in the data path.

An endpoint connects to a Fabric Edge, which registers it with the Control Plane node. When another endpoint wants to reach it, its edge queries the Control Plane node for the mapping (LISP map-request), gets the destination edge's RLOC, and VXLAN-encapsulates the traffic to it. This is the exact behaviour captured in the LISP lab, operating at campus scale under Catalyst Center's control.

Two Levels of Segmentation

SD-Access segments the network at two levels, and understanding the difference is key:

Macro-segmentation (VN)Virtual Networks are separate VRFs, carried as separate L3VNIs. Complete isolation - a guest VN and a corporate VN cannot reach each other at all. This is VRF isolation at fabric scale.
Micro-segmentation (SGT)Within a VN, Scalable Group Tags enforce policy between groups (e.g. "contractors cannot reach finance servers") without subnetting. Enforced by group-based ACLs, independent of IP.

Macro-segmentation is the coarse cut (separate virtual networks, no leakage). Micro-segmentation is the fine cut (group policy inside a virtual network). Together they replace the sprawling VLAN-and-ACL model with something expressed in terms of identity and intent, and enforced consistently by the fabric rather than device by device.

Why This Is a Concept Article

Being honest about the boundary: SD-Access cannot be labbed without Catalyst Center, which is not available in a standard CML environment and is not something you configure by CLI. The fabric roles are provisioned by Catalyst Center; you do not hand-configure a Fabric Edge the way you configure a switch. That is the entire operational premise.

What you can lab, and what this cluster does lab, are the underlying protocols: LISP with real map-cache captures and VXLAN with a real byte-level encapsulation. Understanding those is understanding the fabric's mechanics. The Catalyst Center layer on top is an operational and API story, covered from the automation angle in the Network Automation cluster. No fabricated show fabric output appears here, because that output only exists on a Catalyst Center-provisioned fabric.

Is It Worth It?

SD-Access is a large commitment: Catalyst Center licensing, ISE for identity, capable hardware (Catalyst 9000), and a real operational shift from CLI to controller. It pays off for large campuses with strong segmentation and mobility requirements, particularly where group-based policy and consistent enforcement matter (healthcare, finance, large enterprise). For a small or mid-size network with modest segmentation needs, the traditional model, or a straightforward VXLAN-EVPN fabric without the full SD-Access stack, is often the better fit. The migration and interoperability article covers how to bridge the two worlds when you do adopt it.

FAQ

What is the control plane of SD-Access?

LISP. The Control Plane node is a LISP map-server/map-resolver, and Fabric Edge nodes are LISP xTRs. Endpoint mobility is the LISP EID-stays-put, RLOC-changes behaviour.

What is the data plane?

VXLAN, carrying both the segment (VNI) and the group tag (SGT) across the fabric.

What is an SGT?

A Scalable Group Tag: a group identifier (from TrustSec) carried in the VXLAN header, used to enforce policy between groups of users independent of their IP addresses. This is micro-segmentation.

Can I build SD-Access in CML?

No. It requires Catalyst Center to provision the fabric. You can lab the underlying LISP and VXLAN protocols, which is what this cluster does with real captures.

Do I still need ISE?

For the full identity-and-policy model (dynamic SGT assignment, group-based access control), yes. ISE is the identity engine that maps users to groups. Without it you have the fabric but not the intent-based policy.

Key Takeaways

  • SD-Access is LISP (control plane) + VXLAN (data plane) + Catalyst Center (automation/policy). Learn LISP and VXLAN and you understand the mechanics.
  • Roles map onto LISP: Fabric Edge = xTR, Control Plane node = map-server/resolver, Border = fabric exit, Catalyst Center = controller (not in the data path).
  • Two segmentation levels: macro (Virtual Networks = VRFs = complete isolation) and micro (SGTs = group policy inside a VN, independent of IP).
  • The value is location-independent identity, group-based policy, and automated consistent operation, replacing the VLAN-and-ACL sprawl.
  • It cannot be labbed without Catalyst Center, so this is a concept article. The underlying LISP and VXLAN are labbed with real captures elsewhere in this cluster.
  • It is a large commitment (Catalyst Center, ISE, Catalyst 9000). Worth it for large campuses with strong segmentation/mobility needs; overkill for small networks.

Next: SD-Access and the traditional campus, or the Network Virtualization cluster guide.

Written by
More from Ping Labz
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ping Labz.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.