Networking

SD-Access Design Questions: Where Fabrics Fit and Where They Don't

SD-Access design - the decision framework for when a fabric fits and when it does not
In: Networking, CCIE

Not every network should be a fabric. SD-Access is a genuinely powerful architecture, but it is also a big commitment - a controller, an identity service, compatible hardware, and a operational model your team has to learn. The most valuable thing a senior engineer can do with SD-Access is know when not to deploy it. This article is the honest design conversation the vendor slide decks skip.

It closes the SD-Access series. For the mechanics, see the earlier articles; this one is about judgement. For the wider context, see the network virtualization pillar.

What SD-Access is genuinely good at

Give the architecture its due - where it fits, it fits well:

  • Large campuses with a strong segmentation requirement. If you need to separate guests, IoT, corporate, and contractors consistently across thousands of ports and enforce it by identity, SD-Access does this better than any pile of VLANs and ACLs. This is its home turf.
  • Environments where users and devices move. The anycast gateway and LISP roaming mean policy follows people between buildings without re-configuration. For a hospital, a university, a large corporate campus, this is real value.
  • Organisations that already run ISE and want to extend identity-based policy into the network fabric itself. If you have made the TrustSec investment, SD-Access is the natural extension.
  • Greenfield builds at scale where you can design the underlay, choose compatible hardware, and adopt the operational model from day one - rather than retrofitting.

Where a fabric does not fit

And now the part the design guides underplay:

1
Small sites. A branch with two switches and forty users does not need LISP, VXLAN, and a controller. The operational overhead dwarfs the benefit. Fabric-in-a-box exists, but for a genuinely small site a well-configured traditional access layer is simpler, cheaper, and easier to troubleshoot.
2
No segmentation requirement. If your security model does not actually need identity-based micro-segmentation, the single biggest reason to adopt SD-Access is absent. Much of the complexity buys you segmentation you are not going to use.
3
Incompatible or mixed-vintage hardware. SD-Access needs fabric-capable switches. A campus full of older or mixed gear means a forklift, and the cost of the hardware refresh often dominates the business case.
4
A team without the skills or appetite. SD-Access changes how you operate - you drive the network through Catalyst Center, troubleshoot LISP and VXLAN, and depend on the controller. A team that is not ready for that will fight the fabric, and a fabric fought is worse than a traditional network run well.
5
Simple, stable networks that already work. "If it ain't broke" is a legitimate engineering position. A traditional campus that meets its requirements, that the team understands, and that is stable does not automatically benefit from being rebuilt as a fabric.

The honest cost of a fabric

Every SD-Access deployment carries costs that are easy to underweight in the planning phase and impossible to ignore once you are live:

  • The controller is a dependency. Catalyst Center provisions and operates the fabric. It needs to be sized, made redundant, backed up, patched, and understood. It is another critical system, and when it has a problem, your ability to change the network has a problem.
  • Troubleshooting is different, and initially harder. "Why can't this host reach that host" now involves LISP map-caches, VXLAN encapsulation, SGT policy, and the controller's view - not just a routing table and a MAC table. The skills transfer, but there is a learning curve, and it lands during outages.
  • You are more locked in. A fabric is a Cisco architecture end to end. That is fine if it is a deliberate choice, but it is a choice, and it narrows your options.
  • The underlay still has to be right. All the fabric magic sits on an IGP with correct MTU and fast convergence. Get the boring part wrong and the clever part fails in confusing ways.

The alternatives SD-Access competes with

SD-Access is not the only way to get segmentation and identity-based policy:

Traditional + TrustSec
Run a conventional campus but layer TrustSec/SGTs on top for identity-based segmentation, without the full fabric. You get much of the security benefit with far less architectural change.
VXLAN/EVPN fabric
A standards-based fabric (BGP EVPN) gives you the overlay benefits with more vendor flexibility and a control plane many teams already know from the data centre - at the cost of the turnkey campus automation.
Well-run traditional
A conventional design with good VLAN hygiene, 802.1X, and ACLs is entirely adequate for a great many networks, and it is what most of your team already knows.

The middle option is the one most under-considered: traditional access plus TrustSec gives you identity-based segmentation - the main reason to want SD-Access - without the controller, the LISP, or the hardware refresh. For an organisation whose real requirement is "segment by identity" rather than "automate the campus", it is often the better fit. And it is built on the real TrustSec technology PingLabz has captured standalone.

The decision framework

Ask these five questions, in order:

  1. Do you have a real, funded segmentation requirement? If no, most of the reason for SD-Access is gone - stop here and consider a traditional design.
  2. Is it a large campus with mobility? If yes, SD-Access's strengths align. If it is a handful of small sites, they do not.
  3. Is the hardware compatible, or is a refresh funded? If not, the business case has to justify a forklift.
  4. Does the team have the skills, or a plan and appetite to build them? A fabric run by a team that resents it is a liability.
  5. Have you considered traditional + TrustSec as the middle path? If your real need is segmentation, this may deliver it with far less change.

If you answer yes to the first four and have genuinely weighed the fifth, SD-Access is a strong choice and its complexity is buying you something real. If you are reaching for it because it is new, or because a vendor slide was compelling, pause. The best network is the one that meets the requirement with the least complexity your team can operate well - and sometimes that is a fabric, and sometimes it very much is not.

Key takeaways

  • SD-Access fits large campuses with a real segmentation requirement, user mobility, an existing ISE investment, and compatible hardware. There it is genuinely strong.
  • It is a poor fit for small sites, networks with no segmentation need, incompatible hardware, teams without the skills, and simple stable networks that already work.
  • The honest costs: the controller is a critical dependency, troubleshooting is different and initially harder, you are more locked in, and the underlay still has to be right.
  • The most under-considered alternative is traditional access + TrustSec - identity-based segmentation without the full fabric, on real technology.
  • Decide with a framework: real segmentation need → scale and mobility → hardware → team readiness → whether traditional+TrustSec is the better middle path.
  • The best network meets the requirement with the least complexity the team can operate well. Sometimes that is a fabric; often it is not - and knowing the difference is the expert skill.

That closes the SD-Access series - an honest concept-and-components treatment of the 12.5% of the CCIE EI blueprint that cannot be labbed without Catalyst Center, grounded throughout in the real LISP, VXLAN, and TrustSec technology PingLabz has captured standalone. The full cluster index lives on the network virtualization pillar.

Written by
More from Ping Labz
Great! You’ve successfully signed up.
Welcome back! You've successfully signed in.
You've successfully subscribed to Ping Labz.
Your link has expired.
Success! Check your email for magic link to sign-in.
Success! Your billing info has been updated.
Your billing was not updated.