Featured image

Table of Contents Link to heading

Software-Defined Access (SD-Access) Link to heading

Traditional NAC:

  • Fixed VLANs, IP addresses, and ACLs.
  • Users must connect to the physical port where they are assigned specific VLANs/subnets.

SD-Access NAC:

  • Traffic flow security is based on user identity, not physical location and IP address.
  • Users log in from and can move to any physical location in the network.
Warning
SD-Access = Campus Fabric solution + DNA Centre management

The campus fabric is an overlay solution that includes all of the features and protocols (control plane, data plane, management plane, and policy plane) to operate the network infrastructure.

When the campus fabric solution is managed via the Cisco DNA Centre, the solution is considered to be SD-Access,

SD-Access Architecture Link to heading

Physical Layer Link to heading

Info
The physical refers to the actual hardware devices in the fabric: switches, routers, WLCs, and APs.
  • The access layer switches become fabric edge nodes that connects endpoints into the SDA fabric.

Network Layer Link to heading

Info
The network layer is the logical fabric overlay (a virtual network, or VN) that runs on top of an underlay network (the physical infrastructure).

Underlay Network Link to heading

  • Definition: The physical infrastructure — switches, routers, cabling, IP routing.
  • Role: Provides basic connectivity between network devices.
  • Protocols: Traditional routing protocols (OSPF, EIGRP, BGP) ensure reachability.

Manual Underlay Link to heading

  • Configured and managed manually via CLI or API.
  • Allow customisation (such as using OSPF rather than IS-IS).
  • Allow legacy (or third-party) IP-based network.

Automatic Underlay Link to heading

  • All aspects of the under lay network are configured and managed by the Cisco DNA Centre LAN Automation feature.
  • The LAN Automation feature creates an IS-IS routed access campus design and uses the Cisco Network Plug and Play features to deploy both unicast and multicast routing configuration in the underlay to improve traffic delivery efficiency for SD-Access.

Overlay Network (Fabric) Link to heading

  • Definition: A virtual, tunnelled network that virtually interconnects all of the network devices forming a fabric of interconnected nodes.
  • Role: Creates a logical connections between devices, regardless of the physical topology.
  • Protocols: VXLAN, LISP, CTS.
  • Fully automated regardless of the underlay network model. However, if manually configure the overlay, the solution becomes a campus fabric, not SD-Access.

Control Plane, based on Locator/ID Separation Protocol (LISP) Link to heading

Info
LISP resolves the destination to decide where the packets should go.

LISP separates identity (endpoint IP address) from location (network edge/border router IP address).

This is done by using a simple EID (Endpoint Identifier) to RLOC (Routing Locator) mapping system, stored in a centralised mapping database called LISP MS (map server).

Routers don’t need a full routing table. It only manages its local routes and queries the MS to locate destination EIDs.

Example

LISP Resolution Example

  1. Host Identity (EID)
  • Host A has an EID = 10.1.1.10 (its endpoint IP address).
  • This EID represents the host’s identity, which does not change even if the host moves.
  1. Host Location (RLOC)
  • At Site 1, Host A connects through its ITR (Ingress Tunnel Router) with RLOC = 192.0.2.1.
  • Later, Host A moves to Site 2, where it connects through ETR (Egress Tunnel Router) with RLOC = 198.51.100.1.
  • Notice: The EID stays the same (10.1.1.10), but the RLOC changes depending on location.
  1. Control Plane Resolution
  • When another host (Host B) wants to reach Host A:
    • Host B sends traffic to EID = 10.1.1.10.
    • The local router queries the LISP Map Server.
    • The Map Server replies: “EID 10.1.1.10 is currently at RLOC 198.51.100.1.”
  1. Data Plane Forwarding
  • The router encapsulates the packet with the RLOC of Site 2.
  • The packet travels across the network to R2.
  • R2 decapsulates and delivers the original packet to Host A.

Data Plane, based on Virtual Extensible LAN (VXLAN) Link to heading

Info
VXLAN carries the actual packet across the fabric once LISP has resolved the destination.

VXLAN encapsulates L2 Ethernet frames inside L3 UDP packets (overlay over underlay).

  • Overlay = the logical L2 network created by VXLAN. Hosts think they’re on the same LAN, even if they’re far apart.
  • Underlay = the physical L3 IP network that transports VXLAN packets. It provides routing, forwarding, and connectivity between VTEPs.

VNI (VXLAN Network Identifier), a 24-bit identifier, supports up to 16 million VNIs (compared to 4096 VLANs).

VTEP (VXLAN Tunnel Endpoint) is a gateway that encapsulates and decapsulates VXLAN traffic.

Example

VXLAN Packet Flow Example

  1. Host Sends a Frame
  • Host A sends a normal L2 Ethernet frame destined for Host B.
  • From the host’s perspective, it looks like a simple LAN communication.
  1. VTEP Encapsulation
  • The local VTEP receives the frame.
  • It encapsulates the Ethernet frame inside a VXLAN header, then wraps it in:
    • UDP header (transport)
    • IP header (underlay routing)
  1. Underlay Transport
  • The encapsulated packet travels across the underlay L3 network.
  • Routers in the underlay don’t care about the original Ethernet frame — they just forward based on the outer IP header.
  1. Remote VTEP Decapsulation
  • The packet arrives at the remote VTEP.
  • The VTEP strips off the IP/UDP/VXLAN headers.
  • The original Ethernet frame is recovered.
  1. Host Receives Frame
  • Host B receives the Ethernet frame exactly as if it came from the same LAN.
  • Neither Host A nor Host B knows about VXLAN — they just see normal L2 communication.

Policy Plane, based on Cisco TrustSec (CTS) Link to heading

Info
CTS Decides whether the packet is permitted to move between groups.

Cisco TrustSec (CTS) is a next-generation NAC solution performs network enforcement by using Security Group Tags (SGTs) instead of IP addresses and ports.

SGTs are assigned to authenticated groups of users or end devices. RBAC is enforced using SGACLs (Security Group ACLs), which match based on SGTs rather than IPs.

Controller Layer Link to heading

Info
The controller layer provides all of the management subsystems for the management layer, and this is all provided by Cisco DNA Centre and Cisco ISE.

Network Control Platform (NCP) Link to heading

Info
NCP automates underlay and fabric orchestration for physical and network layers.
  • Integrated into DNA Centre.
  • Configures/manages devices using NETCONF/YANG, SNMP, SSH/Telnet.
  • Reports automation status and network information to the management layer.

Network Data Platform (NDP) Link to heading

Info
NDP provides data collection, analytics, and assurance.
  • Integrated into DNA Centre.
  • Correlates events from sources like NetFlow, Syslogs, SPAN.
  • Identifies historical trends and shares contextual info with NCP and ISE.
  • Supplies operational status to the management layer.

Identity Services Engine (ISE) Link to heading

Info
ISE provides identity and policy services for endpoints and groups.
  • Enforces NAC using 802.1X, MAC Authentication Bypass (MAB), Web Authentication (WebAuth).
  • Uses contextual info from NDP/NCP and external systems (e.g., AD, AWS).
  • Maps endpoints into scalable groups and host pools.
  • Programs group‑based policies onto network devices.
  • Enables the management layer to define and manage policies.

Management Layer Link to heading

Info
The management layer provides a user interface to manage and operate the entire Cisco DNA network.

Cisco DNA Centre workflows:

  1. Design: Define the network hierarchy (sites, buildings, floors).
  2. Policy: Create group‑based access policies (using SGT).
  3. Provision: Discover devices automatically (via SNMP, NETCONF, CLI).
  4. Assurance: Collect telemetry (NetFlow, SNMP, model‑driven telemetry).