1.4 Explain the working principles of the Cisco SD-Access solution
📘CCNP Encore (350-401-ENCORE-v1.1)
What is Cisco SD-Access? (Quick Reminder)
Cisco SD-Access (Software-Defined Access) is Cisco’s enterprise campus networking solution.
It uses centralized control, automation, and policy-based access to manage wired and wireless users in a secure and scalable way.
SD-Access separates the network into planes:
- Control Plane → Decides where traffic should go
- Data Plane → Forwards actual user traffic
This separation makes the network easier to manage, more secure, and more scalable.
SD-Access Plane Overview
| Plane | Purpose |
|---|---|
| Control Plane | Learns and shares endpoint locations |
| Data Plane | Forwards user traffic using encapsulation |
| Policy Plane | Applies security and access rules (covered in another section) |
| Management Plane | Centralized configuration (Cisco DNA Center) |
This topic focuses only on the Control Plane and Data Plane.
1️⃣ SD-Access Control Plane
What is the Control Plane?
The control plane is responsible for:
- Knowing where endpoints (users/devices) are located
- Sharing that location information with other devices
- Ensuring traffic reaches the correct destination
In SD-Access, this is done using LISP (Locator/ID Separation Protocol).
Key Control Plane Components
1. LISP (Locator/ID Separation Protocol)
LISP separates:
- Who the endpoint is → Identity (IP address)
- Where the endpoint is → Location in the network
Why LISP is Important
- Endpoints can move without changing IP addresses
- The network always knows where each endpoint is located
- Traffic is forwarded correctly without flooding the network
2. Endpoint ID (EID)
- The EID is the endpoint’s IP address
- Represents the identity of the user or device
- Used for communication between endpoints
Example in IT terms:
- A laptop gets an IP address from DHCP
- That IP address becomes the EID
3. Routing Locator (RLOC)
- The RLOC represents the network location
- Usually the loopback IP of the edge or border device
- Used to reach the device that hosts the endpoint
4. Control Plane Node (CPN)
- A Control Plane Node is a device that runs the LISP control plane
- Typically a Cisco Catalyst 9300/9400/9500
Responsibilities
- Maintains a mapping database of EID-to-RLOC
- Answers queries about endpoint locations
- Does NOT forward user traffic
5. LISP Map-Server / Map-Resolver
These functions are performed by the Control Plane Node.
| Component | Function |
|---|---|
| Map-Server | Stores EID-to-RLOC mappings |
| Map-Resolver | Answers lookup requests |
How the Control Plane Works (Simplified Flow)
- An endpoint connects to the network
- The edge device learns the endpoint’s IP (EID)
- The edge device registers the EID with the Control Plane Node
- The Control Plane Node stores the mapping
- Other devices can query this mapping when needed
✔ No flooding
✔ No unnecessary broadcasts
✔ Centralized endpoint tracking
2️⃣ SD-Access Data Plane
What is the Data Plane?
The data plane is responsible for:
- Forwarding actual user traffic
- Carrying packets securely across the SD-Access fabric
- Using encapsulation instead of traditional routing
In SD-Access, the data plane uses VXLAN.
Key Data Plane Components
1. VXLAN (Virtual Extensible LAN)
- VXLAN encapsulates traffic inside UDP packets
- Creates an overlay network on top of the physical network (underlay)
Why VXLAN is Used
- Supports large-scale networks
- Isolates traffic between users and groups
- Works across Layer 3 networks
2. VXLAN Network Identifier (VNI)
A VNI identifies traffic groups inside the fabric.
| VNI Type | Purpose |
|---|---|
| L2 VNI | Used for Layer 2 segments |
| L3 VNI | Used for Layer 3 communication |
3. Fabric Edge Node
- Where endpoints connect (access switches)
- First and last point of traffic encapsulation
Responsibilities
- Assigns VNIs
- Encapsulates traffic using VXLAN
- Communicates with Control Plane Node
4. Fabric Border Node
- Connects the SD-Access fabric to external networks
- Handles traffic entering or leaving the fabric
Responsibilities
- VXLAN encapsulation/decapsulation
- Route exchange with external networks
5. Fabric Underlay
- Traditional IP network
- Uses OSPF or IS-IS
- Must be stable and reachable
The underlay does not know users or policies — it only transports packets.
How the Data Plane Works (Simplified Flow)
- Endpoint sends traffic
- Fabric Edge Node checks destination
- Edge queries Control Plane for location
- Traffic is encapsulated with VXLAN
- Packet travels over the underlay
- Destination Edge Node decapsulates traffic
- Traffic reaches the destination endpoint
✔ Secure
✔ Scalable
✔ Efficient
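The two simplified flows above (control plane: edge registers the EID with the Control Plane Node and others query it; data plane: look up the destination RLOC, encapsulate with VXLAN, cross the underlay, decapsulate) as one added Python model. This is not code from the CCNP notes or from Cisco; the device roles, RLOCs, EIDs and VNIs are constructed sample values, and only the VXLAN header layout (RFC 7348, UDP port 4789) follows the standard. It also goes a little beyond the text by showing what the edge does when a mapping is missing or the VNI on the wire does not match the destination's segment: the packet is dropped rather than flooded or delivered across segments.

```python
# Added example (not from the CCNP notes or Cisco): toy SD-Access control plane
# (LISP-style EID-to-RLOC database) and data plane (VXLAN over the underlay).
# All RLOCs, EIDs and VNIs are constructed sample values.
import struct

VXLAN_UDP_PORT = 4789          # IANA-assigned UDP port for VXLAN
VXLAN_FLAG_VNI_VALID = 0x08    # "I" bit in the VXLAN flags byte (RFC 7348)


class ControlPlaneNode:
    """LISP Map-Server / Map-Resolver: holds the EID-to-RLOC database.
    It never carries user traffic; it only answers where an EID lives."""

    def __init__(self):
        self.mappings = {}  # EID -> RLOC

    def map_register(self, eid, rloc):
        """Edge node reports: endpoint `eid` is reachable through my `rloc`."""
        self.mappings[eid] = rloc

    def map_resolve(self, eid):
        """Edge node asks where `eid` is; None models a negative map-reply."""
        return self.mappings.get(eid)


def vxlan_encapsulate(inner_frame, vni):
    """Prepend the 8-byte VXLAN header: flags(8) | rsvd(24) | VNI(24) | rsvd(8)."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI must fit in 24 bits")
    header = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    return header + inner_frame


def vxlan_decapsulate(packet):
    """Strip the VXLAN header, returning (vni, inner_frame); reject bad headers."""
    if len(packet) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", packet[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI flag not set")
    return vni_field >> 8, packet[8:]


class FabricEdgeNode:
    """Access switch: learns local endpoints, registers them with the CPN,
    and is the first/last hop for VXLAN encapsulation."""

    def __init__(self, rloc, cpn):
        self.rloc = rloc       # loopback address used as the underlay locator
        self.cpn = cpn
        self.local_eids = {}   # EID -> VNI of the segment the endpoint is in

    def endpoint_connects(self, eid, vni):
        self.local_eids[eid] = vni
        self.cpn.map_register(eid, self.rloc)   # control-plane registration

    def send(self, src_eid, dst_eid, payload):
        """Look up the destination, then encapsulate. Returns the underlay
        packet as a dict, or None when the packet is dropped."""
        vni = self.local_eids[src_eid]
        dst_rloc = self.cpn.map_resolve(dst_eid)
        if dst_rloc is None:
            return None   # unknown EID: drop, never flood the fabric
        inner = f"{src_eid}>{dst_eid}:{payload}".encode()
        return {
            "outer_src": self.rloc,       # the underlay only ever sees RLOCs
            "outer_dst": dst_rloc,
            "udp_dport": VXLAN_UDP_PORT,
            "vxlan": vxlan_encapsulate(inner, vni),
        }

    def receive(self, underlay_packet):
        """Decapsulate and deliver only if the VNI matches the local endpoint."""
        vni, inner = vxlan_decapsulate(underlay_packet["vxlan"])
        dst_eid = inner.decode().split(">")[1].split(":")[0]
        if self.local_eids.get(dst_eid) != vni:
            return None   # VNI mismatch or unknown endpoint: segmentation holds
        return inner.decode()


def run_fabric_demo():
    """Walk endpoints through registration, lookup, encapsulation, delivery."""
    cpn = ControlPlaneNode()
    edge_a = FabricEdgeNode("10.0.0.1", cpn)   # constructed RLOCs
    edge_b = FabricEdgeNode("10.0.0.2", cpn)
    edge_a.endpoint_connects("192.168.10.11", vni=5001)   # same virtual network
    edge_b.endpoint_connects("192.168.10.22", vni=5001)
    edge_b.endpoint_connects("192.168.20.33", vni=5002)   # different VN

    pkt = edge_a.send("192.168.10.11", "192.168.10.22", "hello")
    return {
        "mapping": cpn.map_resolve("192.168.10.22"),
        "outer_dst": pkt["outer_dst"],
        "vni_on_wire": vxlan_decapsulate(pkt["vxlan"])[0],
        "delivered": edge_b.receive(pkt),
        "cross_vn_delivered": edge_b.receive(
            edge_a.send("192.168.10.11", "192.168.20.33", "x")),
        "unknown_dropped": edge_a.send("192.168.10.11", "192.168.99.99", "x") is None,
    }
```

Calling `run_fabric_demo()` shows the underlay packet addressed only to the destination RLOC (`10.0.0.2`) with VNI 5001 in the header, the in-segment frame delivered, the cross-VN frame dropped at the receiving edge, and the unknown destination dropped before any encapsulation. In a real fabric the Map-Server keeps a separate table per virtual network (LISP instance ID), so a lookup for an EID in another VN would already fail at the resolve step; the single shared table here is a simplification of that.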
Control Plane vs Data Plane (Exam Comparison)
| Feature | Control Plane | Data Plane |
|---|---|---|
| Protocol | LISP | VXLAN |
| Purpose | Endpoint location tracking | Traffic forwarding |
| Main Device | Control Plane Node | Edge & Border Nodes |
| Handles User Traffic | ❌ No | ✔ Yes |
| Encapsulation | ❌ No | ✔ Yes |
Exam Key Points to Remember
✔ SD-Access uses LISP for control plane
✔ SD-Access uses VXLAN for data plane
✔ Control Plane tracks EID-to-RLOC mappings
✔ Data Plane encapsulates traffic using VNIs
✔ Edge nodes connect endpoints
✔ Border nodes connect to external networks
✔ Underlay is simple IP routing
One-Line Exam Summary
In Cisco SD-Access, the control plane uses LISP to track endpoint locations, while the data plane uses VXLAN to securely forward traffic across the fabric.
