Cisco SD-Access (SDA) replaces the traditional campus stack — spanning tree, HSRP, manual VLAN trunking — with a three-plane overlay fabric. If you've ever wondered how LISP, VXLAN, and TrustSec fit together at the packet level (instead of just clicking through Catalyst Center), this deep dive is for you.
## The Problem: Why Traditional Campus Designs Hit a Wall
Classic three-tier campus networks (access → distribution → core) carry a lot of baggage:
- Spanning tree across every VLAN — blocking redundant paths, unpredictable failovers
- HSRP/VRRP at distribution — 50% of gateway capacity wasted on standby
- Manual VLAN trunking — extending L2 domains creates broadcast storms and kills mobility
- Static ACLs for segmentation — thousands of lines tied to IPs that change when endpoints move
SDA eliminates all of this with a Layer 3 routed access model. The default gateway lives at the fabric edge (access switch). Every link is routed with IS-IS. Spanning tree becomes irrelevant — there are no L2 loops in the underlay.
| Feature | Traditional Campus | SDA Fabric |
|---|---|---|
| Forwarding | L2 switched (STP) | L3 routed underlay (IS-IS) |
| Gateway | Distribution pair (HSRP) | Fabric edge anycast gateway |
| Segmentation | VLANs + static ACLs | TrustSec SGTs + SGACL matrix |
| Mobility | Re-auth, new IP, new VLAN | Same SGT, same policy, any port |
| Provisioning | Manual CLI per switch | Catalyst Center automation |
| Wireless | WLC centralized switching | Fabric AP → local edge switching |
The real value: a user plugs into any port on any floor and gets the same policy, gateway, and segmentation — without anyone touching the switch.
## Plane 1: LISP Control Plane — DNS for Your Campus
LISP (Locator/ID Separation Protocol) is the overlay control plane. It tracks where every endpoint lives by separating identity from location:
- EID (Endpoint Identifier) — the endpoint's IP or MAC address
- RLOC (Routing Locator) — the loopback IP of the fabric edge switch
The Control Plane Node (CPN) runs LISP Map-Server/Map-Resolver. Think of it as DNS for your campus — mapping endpoint addresses to switch locations.
### Registration Flow

1. Endpoint authenticates (802.1X or MAB via ISE)
2. Fabric edge sends LISP Map-Register → "EID 10.10.10.50 (SGT=5) is behind RLOC 172.16.1.10"
3. CPN stores the mapping, sends Map-Notify ack
4. When another fabric node needs that endpoint → Map-Request to CPN
5. CPN responds with Map-Reply containing the RLOC

```
! Verify LISP registrations on the control plane node
show lisp site
show lisp instance-id * ipv4 server
show lisp instance-id * ethernet server

! Verify on fabric edge
show lisp instance-id * ipv4 database
show lisp instance-id * ethernet database
```
Key detail: LISP is off-path. The CPN is NOT in the data forwarding path. After the initial lookup, the edge caches the RLOC and forwards directly via VXLAN. The CPN never becomes a traffic bottleneck.
### Why IS-IS for the Underlay?
The underlay runs IS-IS (not OSPF) because:
- Runs directly over L2 (not IP) — avoids recursive routing issues
- Better multi-topology routing support
- Simpler ECMP behavior for parallel fabric links
- Catalyst Center auto-provisions IS-IS adjacencies via LAN Automation
## Plane 2: VXLAN Data Plane — The Actual Packet Path
VXLAN carries endpoint traffic across the routed IS-IS underlay. SDA uses VXLAN-GPO (Group Policy Option) — a VXLAN extension that embeds the SGT tag in the header.
### Packet Walk: Client → Server

1. Client (10.10.10.50, SGT=5) → Server (10.20.20.100)
2. Fabric Edge receives frame
3. Edge does LISP Map-Request → CPN returns Border Node RLOC
4. Edge encapsulates in VXLAN:
   - Outer IP: Src=172.16.1.10 (Edge) → Dst=172.16.1.1 (Border)
   - VXLAN Header: VNI=8188 (L3 VN), SGT=5 (GPO extension)
   - Inner IP: Src=10.10.10.50 → Dst=10.20.20.100
5. Packet routes across IS-IS underlay
6. Border decapsulates, checks SGT against SGACL policy
7. Border forwards to external network
The VNI maps to a Virtual Network → VRF. Two VNI ranges:
- L2 VNI (per VLAN segment) — intra-subnet traffic
- L3 VNI (per VN/VRF) — inter-subnet traffic across the fabric
```
! Verify VXLAN tunnels
show vxlan tunnel
show vxlan vni
show nve peers
show nve vni
```

### Anycast Gateway: The HSRP Killer
Every fabric edge advertises the same gateway IP and MAC for each subnet. No active/standby — every edge IS the gateway.
- No HSRP/VRRP/GLBP — 100% uplink utilization
- Local switching — nearest edge handles routing, no hair-pinning
- Seamless mobility — same gateway regardless of which edge the endpoint connects to
```
interface Vlan100
 ip address 10.10.10.1 255.255.255.0
 ! same MAC on EVERY edge
 mac-address 0000.0c9f.f001
 ip helper-address 10.1.1.50
 lisp mobility dynamic
```

## Plane 3: TrustSec Policy — Zero Trust Segmentation
TrustSec is what makes SDA a zero trust architecture.
### SGT Propagation via VXLAN-GPO
In standalone TrustSec, SGTs travel via CMD headers or SXP. In SDA, the SGT rides inside the VXLAN-GPO header:
- No SXP needed — SGT propagates automatically with every VXLAN frame
- No inline tagging hardware dependency — any VXLAN-capable switch carries SGTs
- Consistent enforcement — SGT available at both source and destination edge
### Two Segmentation Layers
Macro-segmentation (Virtual Networks/VRFs):
- Separate VNs for corporate, IoT, guest
- Full VRF isolation — no cross-VN traffic without fusion router or border extranet policy
Micro-segmentation (SGTs within a VN):
- Finance (SGT 20) reaches finance servers but not HR
- Contractors (SGT 10) get internet but no internal resources
```
! Verify SGT assignment
show cts role-based sgt-map all
show authentication sessions interface Gi1/0/5 details

! Verify SGACL enforcement
show cts role-based permissions
show cts role-based counters
```

### Cross-VN Shared Services
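As an added example (not Cisco code and not part of the original post), the Python below builds the 8-byte VXLAN-GPO header from the packet walk above, decodes it on the receiving side, and applies a small SGACL matrix at the border the way the micro-segmentation examples describe. The subnet-to-SGT classification, the SGACL entries and the minimal inner IPv4 header are constructed for illustration; the header bit layout (G flag 0x80, I flag 0x08, 16-bit Group Policy ID, 24-bit VNI) follows the VXLAN group-policy extension.

```python
import struct
from ipaddress import ip_address, ip_network

def build_vxlan_gpo_header(vni, sgt, policy_applied=False):
    """8-byte VXLAN-GPO header: G flag (0x80) = Group Policy ID valid, I flag
    (0x08) = VNI valid, 16-bit Group Policy ID carries the SGT, 24-bit VNI."""
    if not (0 <= vni < 1 << 24 and 0 <= sgt < 1 << 16):
        raise ValueError("VNI must be 24-bit and SGT 16-bit")
    gp_flags = 0x08 if policy_applied else 0x00  # A bit: SGACL already enforced upstream
    return struct.pack("!BBH", 0x80 | 0x08, gp_flags, sgt) + vni.to_bytes(3, "big") + b"\x00"

def parse_vxlan_gpo(data):
    """Decode the header; sgt is None when the frame carries no group policy."""
    flags, gp_flags, gpid = struct.unpack("!BBH", data[:4])
    if not flags & 0x08:
        raise ValueError("I flag clear: VNI not valid")
    return {"vni": int.from_bytes(data[4:7], "big"),
            "sgt": gpid if flags & 0x80 else None,
            "policy_applied": bool(gp_flags & 0x08),
            "inner": data[8:]}

def inner_ipv4(src, dst, payload=b""):
    """Minimal constructed IPv4 header (checksum left zero) for the inner packet."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ip_address(src).packed, ip_address(dst).packed)
    return hdr + payload

# Constructed SGACL matrix (src SGT, dst SGT) -> action, following the page's
# examples: Finance (20) reaches finance servers (30) but not HR (40);
# Contractors (10) reach neither. Any pair not listed is denied.
DST_SGT_BY_SUBNET = {ip_network("10.20.20.0/24"): 30, ip_network("10.30.30.0/24"): 40}
SGACL = {(20, 30): "permit", (20, 40): "deny", (10, 30): "deny", (10, 40): "deny"}

def border_enforce(vxlan_frame):
    """Border decap: pull the SGT from the GPO header, classify the inner
    destination by subnet, and return the SGACL verdict plus the decoded header."""
    hdr = parse_vxlan_gpo(vxlan_frame)
    if hdr["policy_applied"]:
        return "permit", hdr                    # A bit set: upstream node already enforced
    dst = ip_address(hdr["inner"][16:20])       # inner IPv4 destination address
    dst_sgt = next((s for net, s in DST_SGT_BY_SUBNET.items() if dst in net), None)
    if hdr["sgt"] is None or dst_sgt is None:
        return "deny", hdr                      # untagged or unclassified: default deny
    return SGACL.get((hdr["sgt"], dst_sgt), "deny"), hdr

# The page's packet walk: client 10.10.10.50 (SGT 5) -> server 10.20.20.100 on VNI 8188.
frame = build_vxlan_gpo_header(8188, 5) + inner_ipv4("10.10.10.50", "10.20.20.100")
```

SGT 5 has no row in the constructed matrix, so the walk-through frame falls to the default deny; change the source SGT to 20 to see the Finance permit path.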
How do IoT devices in a separate VN reach DNS/DHCP/NTP? Three options:
- Fusion router — routes between VNs with firewall inspection
- Extranet policy on border — selective route leaking via Catalyst Center (preferred in 2026)
- Shared services VN — dedicated VN reachable by all others via policy
## Common Deployment Gotchas

### 1. Underlay MTU (The #1 Issue)

VXLAN adds 50-54 bytes of overhead (outer Ethernet, IP, UDP and VXLAN headers; the extra 4 bytes when the outer frame carries an 802.1Q tag). If your underlay MTU is 1500, encapsulated frames get fragmented or dropped. Set underlay MTU to at least 9100.
### 2. Point-to-Point Underlay Links
IS-IS underlay must use point-to-point links (no shared segments), equal-cost paths for ECMP, and loopback interfaces for RLOC addressing.
### 3. VN Scale Planning
5 VNs × 200 edge switches = 1,000 VRF instances. Plan for:
- TCAM capacity (Cat 9300 vs 9500 limits)
- Route table size per VRF
- DHCP relay per VRF per subnet
### 4. Wireless: Not What You Think
Fabric-mode APs don't tunnel data to the WLC. The AP switches client traffic directly to the local fabric edge via VXLAN. The WLC only handles:
- CAPWAP control plane
- Client auth coordination with ISE
- LISP Map-Register on behalf of wireless clients
Wireless clients get the same SGT enforcement and anycast gateway as wired — true unified policy.
## FAQ
Q: Can you run TrustSec without full SDA?
Yes. TrustSec SGTs work standalone with ISE on Catalyst switches. SDA automates provisioning via Catalyst Center, but TrustSec is independent.
Q: What switches support SDA fabric roles?
Catalyst 9300/9400/9500/9600 for edge and border. CPN typically on 9500 or 9600. Older 3850/4500 can be extended nodes only.
Q: Why not OSPF for the underlay?
IS-IS runs over L2 directly (avoiding recursive routing issues), has better multi-topology support, and integrates cleanly with Catalyst Center's LAN Automation.
Originally published at FirstPassLab. For more deep dives on enterprise networking and data center fabrics, visit firstpasslab.com.
🤖 AI Disclosure: This article was adapted from the original with AI assistance. Technical content has been reviewed for accuracy.