A network architect is designing a Cisco SD-Access fabric for a university campus that requires segmentation between student, faculty, and guest traffic. The design must use Cisco TrustSec for scalable security group tags (SGTs) and integrate with Cisco ISE for policy enforcement. Which fabric component should the architect use to enforce SGT-based policies at the access layer?
The fabric edge switch enforces SGT-based policies by applying SGACLs based on the SGT assigned by ISE during authentication.
Why this answer
The fabric edge node is the correct component because it is the access-layer switch in Cisco SD-Access that performs SGT-based enforcement. It receives SGT-to-SGT policy from Cisco ISE via the control plane node and applies the corresponding security group ACLs (SGACLs) at the port level, ensuring segmentation between student, faculty, and guest traffic at the point of entry.
Exam trap
Cisco often tests the misconception that the fabric border node or control plane node enforces policies, when in fact the fabric edge node is the only device that applies SGT-based access control at the access layer.
How to eliminate wrong answers
Option A is wrong because the fabric border node connects the SD-Access fabric to external networks (e.g., WAN, data center) and handles SGT propagation between fabrics or to non-fabric devices, but it does not enforce SGT policies at the access layer.
Option B is wrong because the fabric control plane node manages LISP overlay mappings and distributes SGT-to-IP bindings, but it does not perform inline policy enforcement on user traffic.
Option D is wrong because the Wireless LAN Controller (WLC) manages CAPWAP tunnels and wireless client mobility, but in SD-Access, SGT-based enforcement at the access layer is handled by the fabric edge node (wired, or wireless via the fabric-enabled WLC acting as a wireless edge), not the standalone WLC.