Software Defined Access Network Fabric Roles

Cisco Software Defined Access (SDA) fabric requires various device roles with specific responsibilities. The SDA-enabled devices are configured with one or more roles, and it is critical to understand the fabric roles to identify the most appropriate network devices for each role.


SD-Access Fabric Roles

The Cisco Software Defined Access fabric overlay has five main device roles:

  1. Fabric Control Plane Node

This node is a LISP MS/MR with SDA-enhanced functionalities. It manages and provides the settings, protocols, and mapping tables required to map the fabric overlay’s endpoint-to-location (EID-to-RLOC) host-tracking database.

The control plane’s host database is capable of numerous EID lookup types, and it maps all EID locations to the current SD-Access fabric border or edge node. The control plane receives the registrations for known EID prefixes from wired clients and fabric mode Wireless LAN Controllers (WLCs) for wireless clients.

It also provides RLOC information to fabric border and edge nodes. The node must be a Cisco router or a switch that operates inside or outside the SD-WAN fabric and must have adequate hardware and software fabric scalability.


  1. Fabric Border Node

The fabric border node is a LISP Proxy Tunnel Router (PxTR) that connects external Layer 3 networks to the SD-Access fabric. It converts policy and reachability information, such as SGT and VRF information, from one domain to another.

There are three types of border nodes, which are the following:

  • Internal Border (Rest of Company) – connects to the recognized areas of the organization, such as WLC, firewall, and data center.
  • Default Border (Outside) – connects to unknown areas outside the organization. It is set with a default route to communicate with unknown external networks.
  • Internal + Default Border (Anywhere) – connects transit and well-known areas of the organization. It incorporates the internal and default borders’ functions into a single node.  


  1. Fabric Edge Node

This node can be a Cisco access layer or distribution layer router or switch in the fabric overlay that connects wired endpoints to the SD-Access fabric. It offers onboarding and mobility solutions for fabric-connected wired users and devices, including fabric-enabled WLCs and Access Points (APs).

The edge node is a LISP Tunnel Router (xTR) that provides the anycast gateway, endpoint authentication, and assignment to overlay host pools along with group-based policy enforcement for traffic to fabric endpoints. It verifies and authenticates wired endpoints using 802.1x before adding them to a host pool and scalable group. The EID host address is then registered with the control plane node. It also offers a single Layer 3 anycast gateway for its connected endpoints, and it encapsulates and de-encapsulates host traffic.


  1. Fabric Wireless Controller (WLC)

A fabric WLC connects wireless endpoints and APs to the SD-Access fabric. It is located outside the fabric and linked to the SD-Access fabric via an internal border node. It also offers onboarding and mobility features for wireless users and endpoints connected to the SDA fabric.

The fabric WLC is the fabric edge for wireless clients as it conducts PxTR registrations to the fabric control plane on behalf of the fabric edges. The control plane node maps the host EID to the current fabric AP and fabric edge node location where the AP is connected. The wireless control plane is centralized, but the data plane is distributed directly from fabric APs through VXLAN.

Furthermore, SGT and VRF-based policies for wireless users on fabric SSIDs are implemented at the fabric edge. Wireless clients also use standard host pools for traffic and policy enforcement, and the fabric WLC registers client EIDs with the control plane node.


  1. Intermediate Node

The intermediate node can be an intermediate router or extended switch that only provides underlay services in the Software Defined Access fabric.


SD-Access Fabric Concepts

The following fabric concepts describe how the various Cisco’s SD-Access technology solutions operate and interact:

Virtual Network (VN)

It supports device-level virtualization by employing Virtual Routing and Forwarding (VRF) instances to build Layer 3 routing tables and to enable IP address segmentation. LISP instance IDs are used in the control plane to maintain independent VRF instances, and edge nodes on the data plane add a VXLAN VNID to the fabric encapsulation.


Host Pool

A host pool is a group of endpoints assigned statically or dynamically to an IP pool subnet in the fabric. It has a Switched Virtual Interface (SVI) from the fabric edge nodes that endpoints and users can utilize as their default gateway. The SDA fabric advertises the host pools via EID mappings.


Scalable Group

A scalable group is a group of endpoints with similar policies, and it can be assigned either statically or dynamically with Cisco ISE. These can be configured in Cisco DNA Center and Cisco ISE. The SD-Access policy plane designates every endpoint to a scalable group utilizing SGT tags.

Host pools and scalable groups have a direct one-to-one relationship, and scalable groups operate inside a VN by default. The VXLAN header SGT tag IDs are included in the fabric edge and border nodes carried throughout the fabric data plane. Each scalable group is separated while enabling Security Group Access Control Lists (SGACLs) policy and enforcement.


Anycast Gateway

It offers a prevalent Layer 3 default gateway, with the exact SVI IP and MAC address provided on every edge node, extending the IP subnet across the SD-Access fabric. The subnet will be distributed across all of the fabric’s edge nodes, and an endpoint in that subnet can be transported to any edge node within the fabric without changing its IP address or default gateway.

The fabric acts like a logical switch that spans multiple buildings, where an endpoint can be unplugged from one port and plugged into another port on a different building and appear connected to the same logical switch. The other endpoints and the same SVI within the same VLAN are still reachable.

Download our Free CCNA Study Guide PDF for complete notes on all the CCNA 200-301 exam topics in one book.

We recommend the Cisco CCNA Gold Bootcamp as your main CCNA training course. It’s the highest rated Cisco course online with an average rating of 4.8 from over 30,000 public reviews and is the gold standard in CCNA training: