Cracking the Cisco SD-Access Code: What Protocol Does What?


If you’ve started exploring Cisco’s Software-Defined Access (SD-Access), you’ve probably noticed it’s like a high-tech orchestra: multiple components, each playing a specific role, and all perfectly timed.

But who plays what?

Let’s break down four key areas of the SD-Access architecture and match them to the protocols that drive them. Understanding these protocol mappings isn’t just exam gold—it’s essential for designing, deploying, and troubleshooting real SD-Access environments.


1. Fabric Data Plane → VXLAN

When packets fly across the SD-Access fabric, they’re encapsulated and carried using VXLAN (Virtual Extensible LAN). VXLAN creates the virtual overlay that allows devices across the fabric to communicate, regardless of their underlying IP subnets.

Real-world use:
Think of VXLAN as the transport container for your traffic—it tunnels Layer 2 frames over Layer 3 infrastructure, enabling things like host mobility and segmentation.


2. Fabric Control Plane → LISP

Under the hood, the Locator/ID Separation Protocol (LISP) is doing the smart stuff—mapping each endpoint's identity (its EID, the host address) to its location (the RLOC, the address of the fabric edge node it sits behind). LISP is what enables seamless mobility in SD-Access.

Real-world use:
When a laptop moves from one access switch to another, LISP updates the control plane, ensuring that traffic still reaches the correct destination, no matter where it’s connected.


3. Fabric Security Policy → CTS

Cisco TrustSec (CTS) handles security inside the fabric. It doesn’t rely on IP addresses—instead, it uses Security Group Tags (SGTs) to enforce policies between users, devices, or applications.

Real-world use:
Want to block guests from accessing your finance systems, regardless of where they are? CTS uses tags to make that happen—policy follows the user, not the IP.
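As an added illustration (not code from this post or from Cisco), the following Python model ties section 1 and section 3 together: SD-Access carries the source SGT in the Group Policy ID field of the VXLAN-GPO header next to the VNI, and the egress fabric edge enforces the SGACL using the destination endpoint's tag. The SGT numbers, the VNI and the policy matrix are constructed placeholders.

```python
import struct

G_BIT = 0x80  # VXLAN-GPO: Group Based Policy extension present
I_BIT = 0x08  # VXLAN: VNI field is valid

def build_vxlan_gpo(vni: int, sgt: int, inner: bytes) -> bytes:
    """Wrap an inner L2 frame in an 8-byte VXLAN-GPO header (G and I bits set)."""
    if not 0 <= vni < 1 << 24 or not 0 <= sgt < 1 << 16:
        raise ValueError("VNI must fit in 24 bits and SGT in 16 bits")
    # Byte 0: flags; byte 1: D/A policy bits (left clear); 16-bit Group Policy ID (SGT);
    # then the 24-bit VNI followed by 8 reserved bits.
    return struct.pack("!BBHI", G_BIT | I_BIT, 0, sgt, vni << 8) + inner

def parse_vxlan_gpo(udp_payload: bytes) -> dict:
    """Decode the VXLAN-GPO header; 'sgt' is None when the G bit is clear (plain VXLAN)."""
    if len(udp_payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, _policy_bits, gpid, vni_and_reserved = struct.unpack("!BBHI", udp_payload[:8])
    if not flags & I_BIT:
        raise ValueError("I bit clear: VNI not valid")
    return {
        "vni": vni_and_reserved >> 8,
        "sgt": gpid if flags & G_BIT else None,
        "inner": udp_payload[8:],
    }

# Constructed SGACL-style matrix keyed by (source SGT, destination SGT).
# Tag numbers are placeholders: 10 = Guest, 20 = Finance, 30 = Employee.
SGACL = {
    (10, 20): "deny",
    (30, 20): "permit",
}

def egress_decision(udp_payload: bytes, dst_sgt: int) -> str:
    """Emulate the egress check: the source SGT comes from the header, the destination SGT
    from the endpoint the egress node already knows. Unmatched pairs and untagged frames deny."""
    src_sgt = parse_vxlan_gpo(udp_payload)["sgt"]
    if src_sgt is None:
        return "deny"
    return SGACL.get((src_sgt, dst_sgt), "deny")

if __name__ == "__main__":
    # Constructed inner frame: 14-byte Ethernet header plus a zero-filled payload.
    frame = bytes.fromhex("001122334455 00aabbccddee 0800") + b"\x00" * 20
    guest_pkt = build_vxlan_gpo(vni=4099, sgt=10, inner=frame)
    hdr = parse_vxlan_gpo(guest_pkt)
    print(f"VNI {hdr['vni']}, source SGT {hdr['sgt']}, inner {len(hdr['inner'])} bytes")
    print("Guest -> Finance:", egress_decision(guest_pkt, dst_sgt=20))  # deny
    print("Employee -> Finance:", egress_decision(build_vxlan_gpo(4099, 30, frame), 20))  # permit
```

The same parser, pointed at a capture of UDP/4789 traffic between fabric nodes, is a quick way to confirm that the VNI and SGT on the wire match what the policy plane intended.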


4. External Connectivity from Fabric → BGP

To get traffic in and out of the SD-Access fabric, border nodes typically use BGP (Border Gateway Protocol). It enables route exchange between the fabric and external networks, like your traditional data center or WAN.

Real-world use:
Say your internal users need access to the internet or a cloud provider. BGP on your fabric border node ensures routes are learned and shared effectively.


TL;DR: Protocol Match Chart

SD-Access Function                 Protocol
Fabric Data Plane                  VXLAN
Fabric Control Plane               LISP
Fabric Security Policy             CTS
External Connectivity from Fabric  BGP

Final Thoughts

Cisco SD-Access is all about automation, scalability, and segmentation—and it works because these protocols each do their job perfectly. If you’re prepping for your ENCOR exam or stepping into SD-Access deployment, these mappings are your cheat sheet to understanding how the fabric lives and breathes.

Got a fabric in the lab? Try tracing a ping and see how each of these protocols plays a part behind the scenes. You’ll see it’s more than just traffic—it’s orchestration at its best.
