What Is Cisco SD-Access in Networking?
Also known as: Cisco SD-Access, SD-Access definition, SD-Access vs SD-WAN, LISP VXLAN, CCNP ENCOR SD-Access
Quick Definition
Cisco SD-Access is a way to manage a network using software rather than manual configuration. It treats the entire network as one system that can be controlled from a single dashboard. This makes it faster to set up and more secure because policies follow users and devices wherever they connect.
Must Know for Exams
Cisco SD-Access is a major topic in the Cisco CCNP Enterprise certification track, especially in the ENCOR (350-401) exam. The ENCOR exam objectives specifically include SD-Access architecture, control and data plane protocols like LISP and VXLAN, and policy enforcement mechanisms such as TrustSec and SGTs. Candidates are expected to understand the roles of fabric edge nodes, border nodes, and control plane nodes.
The exam often tests knowledge of how endpoints register with the fabric, how traffic flows from a source to a destination within the same site, and how policies are applied based on group tags. You may also see questions about the difference between traditional VLAN-based segmentation and SD-Access group-based segmentation. The ENCOR exam includes multiple-choice, drag-and-drop, and simulation questions that require you to interpret a topology and identify which fabric node performs a specific function.
For example, you might be asked: Which component in SD-Access is responsible for mapping an endpoint's identity to its location? The correct answer is the control plane node using LISP. Another common topic is understanding how VXLAN tunneling works and why it is used for data plane encapsulation.
The exam also covers the role of Cisco DNA Center in SD-Access as the centralized management and policy engine. To pass, you must know not only the buzzwords but also how the protocols interact. Understanding the step-by-step process of a device connecting to an SD-Access fabric, from authentication to policy enforcement, is essential.
Many practice questions present a scenario where a user cannot access a resource, and you must troubleshoot which policy or mapping is incorrect. SD-Access also appears in the CCNP Enterprise Design (ENSLD) exam from a design perspective, but the ENCOR exam is where the foundational knowledge is tested.
Simple Meaning
Think of a traditional network like a manual library system where every book must be checked in and out by a librarian who writes everything down on paper. If a book needs to move to a different shelf, someone has to physically update the records. Now imagine a smart library where each book has a digital tag, and the entire catalog updates automatically the moment a book is moved.
Security guards at the doors know exactly who is allowed in based on the digital tags, and they can even block specific people from certain sections without changing locks. That is what Cisco SD-Access does for a computer network. Instead of network engineers manually plugging in cables and typing commands to set up each switch, a central software controller does all the work.
Users and devices get a digital identity or tag, and that tag tells the network what they are allowed to access. If a laptop moves from one office to another, the network automatically gives it the same permissions without anyone reconfiguring switches. The system uses four planes: the management plane where the controller lives, the control plane that keeps track of where every endpoint currently is, the data plane that carries the actual traffic, and the policy plane that decides which tags may talk to which.
Each device gets a unique identity, so the network can enforce security policies based on who or what is connecting. This is much simpler and more secure than older networks where every switch had to be individually programmed.
Full Technical Definition
Cisco SD-Access is built on a fabric architecture that separates the network into four planes: management, control, data, and policy. The management plane is Cisco DNA Center (renamed Cisco Catalyst Center in 2023), which acts as the central controller and provides a graphical interface for designing, provisioning, and applying policies. The control plane uses Locator/ID Separation Protocol, or LISP, to map each endpoint to its current location in the network.
LISP separates the identity of a device (its IP address, called the endpoint ID or EID) from its location (the routing locator or RLOC, the loopback address of the fabric edge it is connected to). This allows a device to move without changing its IP address, making mobility seamless. The data plane uses Virtual Extensible LAN, or VXLAN, to encapsulate traffic and carry it across the fabric.
VXLAN creates logical tunnels between switches that can carry many different virtual networks over a single physical infrastructure. The policy plane uses Cisco TrustSec and Group-Based Policy, or GBP, to enforce access rights based on the identity of the user or device. Every classified endpoint gets a Scalable Group Tag, or SGT, a 16-bit value that acts like a badge code; endpoints that are never classified fall into the Unknown SGT (0), so the matrix cells for that tag deserve the same scrutiny as the others.
Switches enforce security group ACLs (SGACLs) between source and destination SGTs to decide whether to allow or block traffic. Authentication is handled by 802.1X, MAC Authentication Bypass (MAB), or web authentication. The fabric itself consists of three node types: fabric edge switches (where endpoints connect), fabric border nodes (that connect to the rest of the network or the internet), and control plane nodes (that run LISP and manage endpoint mappings).
A wireless LAN controller can act as a fabric wireless controller to extend the fabric to wireless clients. The entire system relies on Cisco DNA Center for automation, assurance, and policy management. In a real environment, an engineer uses DNA Center to define a policy that says managers can access the HR server and interns cannot.
The software then pushes that policy to all switches automatically (through Cisco ISE, which distributes the SGACLs), regardless of where those users connect. This removes the need to hand-configure VLAN assignments and ACLs on each switch port, though VLANs and ACLs still exist underneath as building blocks. The network becomes much easier to manage and much harder to misconfigure.
Real-Life Example
Imagine a large office building with multiple floors and hundreds of employees. Each employee gets a badge that contains a chip with their name, job title, and department. When you enter the building, you swipe your badge at the front door.
The system checks your badge and lets you in if you are an employee. Now suppose you work on the third floor in the finance department. Your badge also gives you access to the finance office, but not to the IT server room or the CEO's private office.
If you get promoted and move to the fifth floor, the HR department updates your badge in the central database. The next day, your badge now opens the door on the fifth floor, and you no longer have access to the old finance floor. You do not need a new badge; the system just changes your permissions in the central computer.
That is exactly how Cisco SD-Access works. Each user and device gets a digital badge called a Scalable Group Tag (SGT). The central controller, DNA Center, is like the HR database that stores everyone's permissions.
When you plug your laptop into a switch on any floor, the switch reads your SGT and knows exactly what you are allowed to access. If you are in sales, you can reach the CRM server but not the payroll database. If you move to a conference room, the network automatically applies the same policies.
You do not need a different VLAN or a new IP address. The network reconfigures itself because the policy follows you, not the physical port. This is far more efficient than the old way, where a network engineer had to manually assign VLANs and ACLs to each switch port, and update them whenever someone moved desks.
Why This Term Matters
In real IT work, managing a traditional network is slow and error prone. Every time a user changes desks, a new device arrives, or a new security threat appears, network engineers must log into switches, create VLANs, write ACLs, and hope nothing gets misconfigured. A single typo can block all traffic to a critical server.
Cisco SD-Access eliminates this manual labor by centralizing configuration and policy. When a new employee joins, the IT team simply creates their user profile in DNA Center. The network automatically applies the correct policies to whatever switch port they plug into.
This reduces deployment time from hours to minutes. SD-Access also improves security because policies are based on identity, not on IP addresses or switch ports. An attacker cannot simply plug a rogue laptop into a wall port and reach sensitive systems unless the device authenticates and is assigned an SGT that permits it. Two caveats apply in practice: ports must actually run in closed mode (a permissive pre-authentication ACL or an open fallback hands out network access before ISE answers), and devices admitted by MAB alone, such as printers and sensors, are only as strong as their MAC address, which can be cloned, so their SGT should grant the narrowest access that still works.
Users cannot accidentally access resources they should not see because the network enforces policy at every switch. From a troubleshooting perspective, DNA Center provides assurance features that monitor network health, detect anomalies, and suggest fixes. If a wireless client cannot connect, the system can show exactly why, whether it is a bad cable, a misconfigured policy, or a DHCP failure.
For businesses with hundreds or thousands of endpoints, this automation saves significant time and reduces downtime. SD-Access also supports IoT devices, guest access, and voice traffic with the same policy framework, so IT does not need to manage separate networks for different device types. In summary, SD-Access makes networks faster to deploy, more secure, and easier to troubleshoot, which directly impacts business productivity and reduces operational costs.
How It Appears in Exam Questions
Exam questions about Cisco SD-Access typically fall into four categories: architecture, protocol mechanics, policy enforcement, and troubleshooting. In architecture questions, you might see a diagram showing fabric edge, border, and control plane nodes. The question could ask: Which node type performs the encapsulation and de-encapsulation of VXLAN traffic?
The answer is the fabric edge node. Another common pattern presents a list of features and asks which ones belong to SD-Access versus traditional networking. Protocol mechanics questions often test LISP operations.
For example: When a host sends its first packet, how does the fabric edge node learn where to forward it? The correct answer involves the edge node sending a map request to the control plane node, which returns the location of the destination endpoint. Data plane questions focus on VXLAN: understanding that VXLAN uses UDP encapsulation (destination port 4789) and a 24-bit network identifier (VNI) to segment traffic, with the source SGT carried in the VXLAN-GPO header.
Policy enforcement questions ask about Scalable Group Tags (SGTs) and how they are used to apply access control. A typical scenario: A user in the marketing department (SGT 50) tries to reach a server in the finance department (SGT 100). Which component decides whether to allow the traffic?
The answer is the fabric edge or border node that enforces the policy based on the SGT-to-SGT matrix (the SGACL is applied at egress, on the node where the destination's SGT is known). Troubleshooting questions present a real-world scenario: A laptop connects to a switch port but cannot get an IP address. You must identify whether the issue is with authentication (802.1X), DHCP, or the LISP mapping. Another common trap: The learner confuses the role of the border node with the control plane node. Border nodes connect the fabric to external networks, while control plane nodes handle endpoint mappings.
Questions may also ask about the difference between SD-Access and SD-WAN. SD-Access is for campus networks, while SD-WAN is for wide area networks connecting multiple sites. Expect a few questions that compare the two.
Example Scenario
A mid-sized company with three floors in one building has 500 employees and 1,000 devices including laptops, printers, and IoT sensors. The IT team used to maintain separate VLANs for each department: one for sales, one for engineering, one for finance, and one for the guest network. Whenever an employee moved desks, an IT technician had to reconfigure the switch port to the correct VLAN.
This took hours every week. The company decides to implement Cisco SD-Access. The IT team installs Cisco DNA Center on a server and upgrades their existing Cisco switches to support fabric mode.
They define three user groups: employees, guests, and IoT devices. Each employee gets a Scalable Group Tag based on their department. The IT team creates a policy that says finance users can access the accounting server, but sales users cannot.
When a new sales representative joins and plugs into a port in the finance area, the switch performs 802.1X authentication and learns the user's SGT from the identity services engine (ISE). The switch then applies the correct policy, giving the user access only to sales resources, not the finance server.
The fabric edge registers the endpoint's IP address and its own locator with the control plane node via LISP, so any other edge can find the user. If the user moves to another floor, the same policy applies. The guest network uses a separate SGT that allows only internet access and blocks all internal resources.
IoT sensors get a tag that allows them to send data only to the IoT server. The entire setup takes a few hours to configure in DNA Center, and ongoing moves involve zero manual switch changes.
Common Mistakes
Thinking SD-Access is the same as SD-WAN.
SD-Access is designed for campus and branch networks within a single location or multiple sites connected by a private WAN. SD-WAN is for connecting geographically separate sites over the internet or MPLS. They solve different problems and use different technologies.
Remember that SD-Access focuses on automating access policies and segmentation inside a building or campus. SD-WAN focuses on routing traffic between buildings. They can work together but are not the same.
Believing that VXLAN in SD-Access replaces routing.
VXLAN is an overlay encapsulation that carries Layer 2 frames (and the routed packets inside them) over a Layer 3 network. It does not replace routing; it depends on an underlying IP network. Inside the fabric, each edge node acts as a distributed anycast gateway and routes between overlay subnets, and border nodes route traffic that leaves the fabric.
Understand that VXLAN creates tunnels between edge nodes, but the fabric itself still uses IP routing for transport. The underlay network is IP-based, and VXLAN rides on top of it.
Assuming that DNA Center is required only during initial setup.
DNA Center is not just for design and provisioning. It also provides continuous assurance, monitoring, and analytics. If you unplug DNA Center, the network still forwards traffic, but you lose the ability to make changes, monitor health, and apply new policies centrally.
Think of DNA Center as the brain that directs the network. The fabric keeps forwarding without it indefinitely, because the switches already hold their configuration and the control plane node and ISE keep running, but all policy changes and monitoring require it. ISE is the more time-sensitive dependency: without ISE, new 802.1X and MAB sessions cannot be authorized unless a critical-authentication fallback is configured.
Confusing the control plane node with the border node.
The control plane node runs LISP and stores endpoint ID-to-location mappings. The border node connects the fabric to external networks like the internet or a data center. They are separate functions, though a single device can serve both roles in smaller deployments.
Ask yourself: Does this node handle mappings? That is control plane. Does it connect to outside networks? That is border. In larger networks, they are different devices.
Thinking that SD-Access eliminates the need for VLANs entirely.
SD-Access uses virtual networks (VRFs carried as VXLAN VNIs) for segmentation, which are similar to VLANs but are not stretched hop by hop across the campus. Underneath, each overlay IP pool is still instantiated as a VLAN with an SVI on every fabric edge, and VLANs remain on the switches for port-level configuration and management access. The concept of VLANs is abstracted, not removed.
Understand that SD-Access replaces campus-wide VLANs for policy segmentation but still uses locally significant VLANs on each edge for endpoint attachment and management. The user does not see VLANs, but they are still present on the switches.
Exam Trap — Don't Get Fooled
In an exam question, you are asked which protocol in SD-Access carries the user data traffic across the fabric. The options include LISP, VXLAN, OSPF, and BGP. Many learners pick LISP because they associate it with SD-Access, but LISP is the control plane protocol, not the data plane protocol.
Memorize the plane separation: LISP is the control plane that maps endpoints to locations. VXLAN is the data plane that encapsulates the actual user traffic in UDP tunnels across the fabric. When the question mentions data traffic, think VXLAN.
When it mentions mapping or location, think LISP.
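To make the data-plane side concrete, here is an added Python example (not code from this page's source or from Cisco) that builds and parses the VXLAN-GPO encapsulation a fabric edge uses: UDP destination port 4789, an 8-byte VXLAN header with the I flag, the G flag and a 16-bit Group Policy ID carrying the source SGT, and the 24-bit VNI. The inner Ethernet frame and the VNI/SGT values are constructed; the outer IP header between the two RLOCs is left out.

```python
"""VXLAN-GPO encapsulation as used on the SD-Access data plane.

Added example, not Cisco code. Header layout follows RFC 7348 (VXLAN) and the
VXLAN Group Policy Option draft: flags byte (G = 0x80 group policy ID valid,
I = 0x08 VNI valid), reserved byte, 16-bit Group Policy ID (carries the
source SGT), 24-bit VNI, reserved byte. Frame, VNI and SGT values below are
constructed test data.
"""
import struct
import zlib
from typing import Optional, Tuple

VXLAN_UDP_PORT = 4789   # IANA-assigned VXLAN destination port
FLAG_G = 0x80           # Group Policy ID field is valid (VXLAN-GPO)
FLAG_I = 0x08           # VNI field is valid (mandatory in plain VXLAN too)


def build_vxlan_header(vni: int, sgt: Optional[int] = None) -> bytes:
    """Return the 8-byte VXLAN header; sgt=None builds plain VXLAN (G clear)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    if sgt is not None and not 0 <= sgt < (1 << 16):
        raise ValueError("SGT must fit in 16 bits")
    flags = FLAG_I | (FLAG_G if sgt is not None else 0)
    # flags | reserved | Group Policy ID (16 bits) | VNI (24 bits) + reserved (8 bits)
    return struct.pack("!BBHI", flags, 0, sgt or 0, vni << 8)


def parse_vxlan_header(hdr: bytes) -> Tuple[int, Optional[int]]:
    """Return (vni, sgt); sgt is None when the G flag is not set."""
    if len(hdr) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _reserved, gpid, vni_word = struct.unpack("!BBHI", hdr[:8])
    if not flags & FLAG_I:
        raise ValueError("I flag clear: VNI not valid")
    vni = vni_word >> 8
    sgt = gpid if flags & FLAG_G else None
    return vni, sgt


def encapsulate(inner_frame: bytes, vni: int, sgt: int) -> bytes:
    """UDP header + VXLAN-GPO header + the original Ethernet frame.

    The outer IP header (source = ingress edge RLOC, destination = egress edge
    RLOC) is omitted; the underlay routes on it. The UDP source port is derived
    from the inner frame so the underlay can load-balance flows, as VTEPs do."""
    sport = 49152 + (zlib.crc32(inner_frame) % 16384)
    vxlan = build_vxlan_header(vni, sgt)
    length = 8 + len(vxlan) + len(inner_frame)
    udp = struct.pack("!HHHH", sport, VXLAN_UDP_PORT, length, 0)  # checksum 0 is legal over IPv4
    return udp + vxlan + inner_frame


def decapsulate(datagram: bytes) -> Tuple[int, Optional[int], bytes]:
    """Egress-edge view: check the UDP port, read VNI and SGT, return the inner frame."""
    if len(datagram) < 16:
        raise ValueError("truncated datagram")
    _sport, dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if dport != VXLAN_UDP_PORT:
        raise ValueError(f"not VXLAN: UDP destination port {dport}")
    if length != len(datagram):
        raise ValueError("UDP length mismatch")
    vni, sgt = parse_vxlan_header(datagram[8:16])
    return vni, sgt, datagram[16:]


# Constructed inner frame: dst MAC, src MAC, EtherType IPv4, minimal dummy payload.
SAMPLE_FRAME = bytes.fromhex("0000aa000001" "0000bb000002" "0800") + b"\x45" + b"\x00" * 19

if __name__ == "__main__":
    pkt = encapsulate(SAMPLE_FRAME, vni=8188, sgt=10)
    print(pkt[:16].hex())       # UDP header followed by the VXLAN-GPO header
    print(decapsulate(pkt))     # (8188, 10, <inner frame>)
```

Reading the hex of the header for VNI 8188 and SGT 10 shows why the exam trap exists: the first byte is 0x88 (G and I set), the Group Policy ID bytes hold the SGT, and the VNI occupies the next three bytes; nothing about LISP appears in the packet at all, because LISP only answered the question of which RLOC to send it to.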
Commonly Confused With
SD-WAN is designed to connect multiple branch offices to each other and to the cloud over wide area links like MPLS, broadband, or 4G/5G. SD-Access is for campus and local area networks inside a building or site. SD-WAN optimizes WAN traffic and secures it with VPNs, while SD-Access automates local network access and segmentation.
A bank with 50 branches uses SD-WAN to connect all branches to the central data center securely. Inside each branch office, the local network uses SD-Access to allow tellers to access the banking app while blocking customers from internal systems.
In a traditional network, security and segmentation are done by assigning static VLANs to switch ports and writing ACLs to filter traffic between VLANs. In SD-Access, policies are based on user or device identity tags (SGTs) and are applied dynamically regardless of where the device connects. Campus-wide VLANs are replaced by VXLAN virtual networks, with SGTs providing the finer segmentation inside them.
In a traditional network, a printer on VLAN 10 can talk only to servers on VLAN 20 because of ACLs. If the printer moves to another port, an engineer must change the port VLAN. In SD-Access, the printer gets an SGT, and the network automatically applies the same policy wherever it plugs in.
ACI is a data center networking solution that focuses on automating policy for application workloads inside a data center. SD-Access is for campus and branch networks that connect users and devices. ACI uses a different set of protocols, such as VXLAN with a different control plane (COOP), and is managed by the APIC controller, not DNA Center.
A university uses SD-Access to manage network access for students and faculty across campus buildings. The same university uses ACI in its data center to manage traffic between the student database, email servers, and the learning management system.
Step-by-Step Breakdown
Physical infrastructure and underlay
First, you install the physical switches and routers that will form the network. These devices run a traditional routing protocol like IS-IS or OSPF to create an IP network underneath, called the underlay. The underlay provides basic connectivity between all switches in the fabric. This is the foundation on which the SD-Access overlay will be built.
Cisco DNA Center is deployed and the fabric is designed
You install Cisco DNA Center on a server and connect it to the network. Using the DNA Center GUI, you define the fabric site, add the switches as fabric devices, and assign roles (edge, border, control plane). You also create the virtual networks (VNs, each mapped to a VRF and a VXLAN VNI) that will carry different types of traffic, such as data, voice, and guest.
Policy definitions are created in DNA Center
The network administrator defines scalable groups of users or devices (each group identified by an SGT) in DNA Center or Cisco ISE. For example, you create a group called Employees and another called Guests. You then create access policies that specify which groups can talk to each other. For instance, Employees can access the internal server, but Guests can only reach the internet.
Endpoint authentication and device onboarding
When a user connects a laptop to a switch port, the switch acts as the 802.1X authenticator: it relays the EAP exchange from the laptop's supplicant to Cisco ISE over RADIUS, and ISE verifies the credentials, often against Active Directory. Once authenticated, ISE returns the SGT for that user in the RADIUS Access-Accept. The switch records this SGT and, using device tracking, binds the user's IP and MAC address to it.
Endpoint mapping via LISP control plane
The fabric edge switch where the user is connected registers the endpoint's identity (its IP address, the EID) and location (the edge's own loopback address, the RLOC) with the control plane node using LISP. The control plane stores this mapping in its database. Now, when any other switch wants to send traffic to this user, it sends a map-request to the control plane for the location and caches the reply.
Traffic forwarding with VXLAN encapsulation
When a packet needs to travel from one endpoint to another in the fabric, the source fabric edge switch encapsulates the entire Ethernet frame inside a VXLAN packet (UDP destination port 4789), placing the VNI and the source SGT in the VXLAN-GPO header. This VXLAN packet is routed through the underlay network to the destination fabric edge's RLOC address. The destination fabric edge de-encapsulates the packet and delivers it to the correct endpoint.
Policy enforcement at the fabric edge
On the egress side, the fabric edge that owns the destination endpoint takes the source SGT from the VXLAN-GPO header, looks up the destination's SGT from its own session table, and checks the pair against the SGACL matrix that ISE distributes (DNA Center authors the policy and pushes it to ISE). If the policy allows, the packet is forwarded. If not, it is dropped. Traffic leaving the fabric is checked the same way on the border node. This ensures security is enforced at every switch, not just at a central firewall.
Practical Mini-Lesson
To implement Cisco SD-Access, you need to understand the three planes and how they interact. In practice, you start with the underlay. This is the physical network of routers and switches that must be running a compatible IOS version and have IP reachability.
A common underlay design is a routed access layer where every switch connects to the distribution or core layer over Layer 3 links. You do not need to run STP between fabric nodes because the underlay uses Layer 3 routing. Once the underlay is stable, you enable LISP, VXLAN, and Cisco TrustSec on the devices.
DNA Center will push the necessary configurations to each switch, saving you from typing dozens of commands. The most critical part is the policy definition. You must plan your SGTs carefully.
For example, you might create SGTs for Employees (SGT 10), Contractors (SGT 20), Guests (SGT 30), and IoT devices (SGT 40). Then define which SGTs can communicate. Typically, Employees can reach all internal servers, Contractors can reach only specific applications, Guests have internet only, and IoT devices can talk only to their management server.
These policies are enforced as SGACLs, the TrustSec contracts that switches download from ISE (downloadable ACLs, or dACLs, are a separate per-session mechanism that ISE can also return for a port). A common mistake in production is setting the matrix default to deny and forgetting to allow necessary traffic like DHCP and DNS. Without explicit cells for these, endpoints may not get IP addresses or resolve names, and the symptom looks like an authentication problem.
You must pre-define policies for infrastructure services. Another practical consideration is redundancy. DNA Center and ISE should be deployed as clusters. If the control plane node fails, the fabric continues forwarding traffic because edge switches cache endpoint mappings, but map-requests for endpoints not yet cached and new endpoint registrations will fail.
Always have a second control plane node. For border nodes, use at least two to connect to the external network. When troubleshooting, use show lisp session to verify control plane connectivity.
Use show lisp instance-id <id> ipv4 database to see what an edge has registered and show lisp instance-id <id> ipv4 map-cache to see which remote endpoints it has resolved; show cts role-based sgt-map all lists the IP-to-SGT bindings, and show cts role-based permissions shows the SGACLs the switch actually holds. The DNA Center assurance dashboard is great for getting a high-level view of network health, but for granular troubleshooting, CLI is still faster. ISE also provides advanced identity features, including posture checks that ensure devices have antivirus and updates before granting access.
Overall, SD-Access is powerful but requires careful upfront design and a solid understanding of the underlying protocols. Once deployed, it makes day-to-day operations much simpler.
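The onboarding-to-enforcement sequence in the step-by-step breakdown above, together with the two operational points just made (infrastructure services under a default-deny matrix, and what keeps working when the control plane node fails), as an added Python model. This is example code written for this page, not Cisco software or CLI output; the IP addresses, RLOCs, SGT values and policy cells are constructed, and enforcement is modelled at the egress edge, where the destination SGT is known locally.

```python
"""Toy model of one SD-Access site: LISP control plane node, two fabric edges,
endpoint onboarding, map-cache lookups, forwarding with the source SGT, and
SGT-to-SGT enforcement at the egress edge. Added example for this page, not
Cisco code. Addresses, RLOCs, SGT numbers and the matrix are constructed.
Assumption: the matrix default is deny (ISE ships with permit as the default)."""
from typing import Dict, Optional

SGT_INFRA, SGT_EMPLOYEES, SGT_GUESTS, SGT_FINANCE_SRV = 2, 10, 30, 100


class SgtPolicy:
    """SGT matrix: cell (src_sgt, dst_sgt) -> "any" or a set of allowed dst ports."""
    def __init__(self, default="deny"):
        self.default, self.cells = default, {}

    def permit(self, src_sgt, dst_sgt, ports="any"):
        self.cells[(src_sgt, dst_sgt)] = ports

    def allows(self, src_sgt, dst_sgt, dport):
        cell = self.cells.get((src_sgt, dst_sgt))
        if cell is None:                      # no SGACL in this cell: the default applies
            return self.default == "permit"
        return cell == "any" or dport in cell


class ControlPlaneNode:
    """LISP map-server/map-resolver: EID (endpoint IP) -> RLOC (edge loopback)."""
    def __init__(self):
        self.db, self.up = {}, True

    def register(self, eid, rloc):
        if not self.up:
            raise ConnectionError("control plane node unreachable")
        self.db[eid] = rloc

    def resolve(self, eid) -> Optional[str]:
        if not self.up:
            raise ConnectionError("control plane node unreachable")
        return self.db.get(eid)               # None models a negative map-reply


class FabricEdge:
    def __init__(self, rloc, cp, policy):
        self.rloc, self.cp, self.policy = rloc, cp, policy
        self.local: Dict[str, int] = {}       # endpoint IP -> SGT, sessions on this edge
        self.map_cache: Dict[str, str] = {}   # EID -> RLOC learned by map-request

    def onboard(self, ip, sgt):
        """802.1X/MAB succeeded and ISE returned the SGT; register the EID with the CP."""
        self.local[ip] = sgt
        self.cp.register(ip, self.rloc)

    def locate(self, dst_ip):
        if dst_ip not in self.map_cache:
            rloc = self.cp.resolve(dst_ip)    # map-request; raises if the CP is down
            if rloc is None:
                return None
            self.map_cache[dst_ip] = rloc
        return self.map_cache[dst_ip]

    def send(self, fabric, src_ip, dst_ip, dport):
        rloc = self.locate(dst_ip)
        if rloc is None:
            return "no-route"                 # a real edge would hand this to the border
        # The VXLAN-GPO header carries the source SGT across the underlay.
        return fabric[rloc].receive(self.local[src_ip], dst_ip, dport)

    def receive(self, src_sgt, dst_ip, dport):
        """Egress enforcement: the destination's SGT is known on this edge."""
        if dst_ip not in self.local:
            return "no-route"
        return "permit" if self.policy.allows(src_sgt, self.local[dst_ip], dport) else "deny"


def build_policy(allow_infra=True):
    policy = SgtPolicy(default="deny")
    policy.permit(SGT_EMPLOYEES, SGT_FINANCE_SRV, {443})
    if allow_infra:                           # DNS/DHCP cells: easy to forget under default-deny
        for sgt in (SGT_EMPLOYEES, SGT_GUESTS):
            policy.permit(sgt, SGT_INFRA, {53, 67})
    return policy


def run_scenario(allow_infra=True):
    cp, policy = ControlPlaneNode(), build_policy(allow_infra)
    edge_a, edge_b = FabricEdge("10.255.0.1", cp, policy), FabricEdge("10.255.0.2", cp, policy)
    fabric = {e.rloc: e for e in (edge_a, edge_b)}
    edge_a.onboard("10.1.10.20", SGT_EMPLOYEES)
    edge_a.onboard("10.1.30.40", SGT_GUESTS)
    edge_b.onboard("10.1.100.5", SGT_FINANCE_SRV)
    edge_b.onboard("10.1.2.53", SGT_INFRA)
    r = {
        "employee->finance:443": edge_a.send(fabric, "10.1.10.20", "10.1.100.5", 443),
        "employee->finance:22": edge_a.send(fabric, "10.1.10.20", "10.1.100.5", 22),
        "guest->finance:443": edge_a.send(fabric, "10.1.30.40", "10.1.100.5", 443),
        "guest->dns:53": edge_a.send(fabric, "10.1.30.40", "10.1.2.53", 53),
    }
    cp.up = False                             # control plane node failure
    r["employee->finance:443 cp-down"] = edge_a.send(fabric, "10.1.10.20", "10.1.100.5", 443)
    try:
        edge_b.onboard("10.1.10.21", SGT_EMPLOYEES)
        r["new endpoint cp-down"] = "registered"
    except ConnectionError:
        r["new endpoint cp-down"] = "registration-failed"
    return r


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k:34} {v}")
    print("guest->dns:53 with infra cells missing:", run_scenario(False)["guest->dns:53"])
```

Run it and compare the two cases: the guest's DNS lookup is permitted only because the (Guests, Infra) cell exists, and run_scenario(False) shows the deny default silently breaking name resolution with nothing in the policy that looks wrong. After cp.up = False the employee's already-cached flow still forwards, while the new endpoint's registration fails, which is the argument for the second control plane node.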
Memory Tip
LISP maps endpoints like a GPS maps cars to streets. VXLAN tunnels carry the traffic like an armored truck carries valuables. DNA Center is the central command. SGTs are the badges that open doors.
Frequently Asked Questions
Do I need to replace all my switches to use SD-Access?
No, but you need switches that support the required features like LISP and VXLAN. Many Cisco Catalyst 9000 series switches support SD-Access. Older switches may need a software upgrade or may not be compatible at all.
What is the difference between SD-Access and a traditional VLAN network?
In a VLAN network, segmentation is based on static VLAN assignments to ports. Security is done with ACLs. In SD-Access, segmentation is based on user identity (SGTs) and is dynamic. Devices can move anywhere and keep the same policies without manual reconfiguration.
Can SD-Access work without Cisco ISE?
Yes, but with limited identity features. ISE provides dynamic authentication and group assignment. Without ISE, you can still use static SGT assignments on the switch port, but you lose the ability to assign policies based on user credentials or device posture.
Is SD-Access only for wired networks?
No, SD-Access also supports wireless. A fabric-enabled wireless LAN controller (WLC) joins the fabric on the control plane: it registers wireless clients with the LISP control plane node. The data plane does not pass through the WLC; the fabric access point encapsulates client traffic in VXLAN to the fabric edge it is connected to, and CAPWAP between the AP and the WLC carries only control traffic. Wireless clients get the same SGTs and policies as wired clients.
What happens if DNA Center goes down?
The fabric continues to forward traffic because the switches keep their configuration, the control plane node keeps answering map-requests, and ISE keeps authenticating endpoints and serving SGACLs. However, you cannot make any configuration changes, apply new policies, or see the assurance dashboard until DNA Center is restored. It is not a single point of failure for traffic, but it is critical for management.
Do I need to know how to configure LISP and VXLAN manually for the ENCOR exam?
The ENCOR exam expects you to understand how LISP and VXLAN work conceptually and how they fit into the SD-Access architecture. You do not need to memorize the exact CLI commands, but you should be able to identify which protocol does what and interpret a simple configuration snippet.
What is the role of the border node in SD-Access?
The border node connects the SD-Access fabric to external networks, such as the corporate data center, the internet, or a WAN. It de-encapsulates VXLAN traffic that leaves the fabric and hands it off as native IP (typically per VRF), encapsulates inbound traffic toward the right fabric edge, and applies policy for traffic crossing the fabric boundary.
Summary
Cisco SD-Access is a modern approach to enterprise networking that automates the way users and devices connect to the network and how policies are enforced. Instead of relying on manual VLAN configuration and static ACLs, SD-Access uses a fabric architecture built on LISP, VXLAN, and Cisco TrustSec to separate identity from location and to enforce policies based on group tags. The central brain is Cisco DNA Center, which provides a unified management interface for designing, deploying, and monitoring the entire network.
For learners preparing for Cisco certification exams, especially the CCNP ENCOR exam, understanding the roles of fabric edge, border, and control plane nodes, as well as how LISP maps endpoints and VXLAN carries traffic, is essential. The difference between SD-Access and SD-WAN or traditional networking is also frequently tested. By mastering these concepts, you will be ready to answer scenario-based questions and troubleshooting challenges.
Remember that SD-Access is not just a buzzword; it is a practical technology that reduces operational overhead and improves security. The key to exam success is to focus on the separation of planes, the role of each protocol, and the central role of DNA Center and ISE in policy management.