Updated: June 19, 2026
A ransomware infection at a Pune university began on one laptop in a hostel and, within an hour, was scanning servers in the administration block. Nothing stopped it on the way. The campus ran one flat network, segmented by a few VLANs and a thick stack of access-control lists nobody had fully understood since the engineer who wrote them left. The malware did not need to defeat the segmentation. There was barely any to defeat.
This is the problem Cisco SD-Access was built to solve. A traditional campus trusts a device because of where it plugs in. A zero-trust campus trusts a device because of who or what it is and lets it talk only to what its role allows. The difference sounds philosophical until an infected endpoint tries to move sideways and finds every door already shut.
If you run a campus network and the words "fabric", "overlay" and "SGT" have stayed comfortably abstract, this guide makes them concrete, and shows where SD-Access earns its cost and where it does not.
Cisco SD-Access, short for Software-Defined Access, is Cisco's architecture for building and running a campus network as a single automated fabric with security built in. Instead of configuring each switch by hand, you define your network and your policy centrally, and a controller programs the devices to match.
It rests on three planes. Cisco TrustSec carries the security policy, using group tags rather than IP addresses. LISP runs the control plane, tracking where every endpoint is. VXLAN moves the traffic, carrying each packet and its security identity across the fabric (Cisco SD-Access design guide). You do not configure these protocols line by line. You express intent in the controller, and the fabric implements it. That shift, from device-by-device commands to network-wide intent, is the whole point.
The difference is what your network trusts. A traditional campus ties identity to location: a port belongs to a VLAN, a VLAN maps to a subnet, and a device gets access to whatever it plugs into. Move the device, and the policy breaks. Add a rule, and you edit access-control lists on many switches, hoping the order is right. Segmentation is real work, so most networks have very little of it.
SD-Access decouples policy from the network address. A user or device carries its access rights with it, expressed as a group, wherever it connects. The controller pushes a change once, and the fabric applies it everywhere. The contrast looks like this:
| | Traditional campus | SD-Access fabric |
|---|---|---|
| Basis of access | Port, VLAN, IP subnet | Identity and group, independent of location |
| Segmentation | VLANs and manual ACLs | Virtual networks plus group tags, centrally defined |
| Configuration | Switch by switch, by hand | Central intent in Catalyst Center, automated |
| Moving a user | Re-cable or reconfigure | Policy follows the user automatically |
| Containing a threat | Hard; flat networks let malware spread | Lateral movement blocked by default policy |
| Visibility | Per-device, fragmented | Single view of endpoints and policy |
The practical upshot for the Pune university is that an infected hostel laptop, placed in a student group, has no path to the administration servers. The policy does not depend on someone having written the right ACL. It is the default state of the fabric.
SD-Access is a small number of parts playing clear roles. Two manage the network; the rest carry the traffic.
Cisco Catalyst Center, formerly Cisco DNA Center, is the controller. It is where you design the fabric, define policy and automate the switches, and where you watch the network once it runs. Cisco ISE, the Identity Services Engine, is the policy and identity brain. It decides who a device is, checks its posture, and assigns the group tag that governs its access (Cisco SD-Access design guide).
Inside the fabric, switches take on roles:
| Fabric role | What it does |
|---|---|
| Edge node | The access switch endpoints connect to; registers them and encapsulates their traffic into the fabric |
| Control plane node | Runs the LISP map server; tracks which endpoint is where, so any node can find any device |
| Border node | The fabric's exit to the outside: WAN, internet, data centre and shared services |
| Fabric wireless | Wireless controllers and access points that join the same fabric, so wireless gets the same policy as wired |
A small site can collapse several roles into one switch, a design Cisco calls Fabric in a Box. A large campus spreads them across many devices. Either way, the roles are the same, which is what makes the model scale from a branch to a multi-building campus.
Two layers sit on top of each other, and keeping them separate in your mind is the trick to understanding SD-Access. The underlay is the ordinary IP-routed network between your switches, the physical wiring and routing that Catalyst Center can build for you automatically. The overlay is the fabric itself, a virtual network running over that underlay using VXLAN.
When a device sends traffic, its edge switch wraps the packet in a VXLAN header and carries it across the underlay to the right exit. The control plane, LISP, answers the question "where is this endpoint right now?", so the fabric never floods the network looking for a device. The security identity, the group tag, travels inside that header with the packet. So location, delivery and policy are handled as one motion. The endpoint does not know any of this is happening. It just connects, as it always did.
Segmentation happens in two layers, coarse then fine, and this is where the security value lives. Macro-segmentation uses virtual networks, each one a separate routing domain, much like a VRF. Put your corporate users, your guest Wi-Fi and your building IoT in three virtual networks, and they cannot reach each other at all unless traffic passes through a firewall you control. One fabric, several networks that behave as if they were physically apart (Cisco SD-Access segmentation guide).
Micro-segmentation works inside a virtual network, using Scalable Group Tags. ISE tags each endpoint by role: an HVAC controller, a CCTV camera, a finance laptop, and a group-based policy decides which tags may talk to which. Cameras can reach the recorder and nothing else. A compromised camera cannot scan the finance machines beside it. This is zero trust made operational: never trust by default, grant only the access a role needs, and enforce it in the network rather than hoping each device defends itself. Ask yourself how far a single infected device could travel on your campus tonight. On a fabric, the honest answer is "almost nowhere".
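The two layers can be modelled in a few lines. The following is an added example, not Cisco code or a Catalyst Center export: it evaluates a constructed virtual-network layout and SGT permit matrix the way the fabric does (cross-VN traffic dropped unless it leaves through the border firewall, intra-VN traffic allowed only where a group pair is explicitly permitted, everything else denied by default), then answers the question the text poses, how far one infected device could travel, and contrasts it with a flat network. Endpoint names, VN names and group names are all made up for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Endpoint:
    name: str
    vn: str    # virtual network: macro-segmentation, a separate routing domain
    sgt: str   # scalable group tag assigned by ISE: micro-segmentation


# Constructed sample policy. Group-based access control is a permit list;
# any (source group, destination group) pair not listed is denied by default.
PERMIT_MATRIX = {
    ("Cameras", "Recorder"),
    ("Recorder", "Cameras"),
    ("Finance", "FinanceApps"),
    ("HVAC", "BMS"),
}

# Constructed sample endpoints spread across three virtual networks.
ENDPOINTS = [
    Endpoint("hostel-laptop-17", "Students", "Students"),
    Endpoint("finance-laptop-03", "Corporate", "Finance"),
    Endpoint("erp-app-01", "Corporate", "FinanceApps"),
    Endpoint("cctv-cam-12", "IoT", "Cameras"),
    Endpoint("nvr-01", "IoT", "Recorder"),
    Endpoint("hvac-ctrl-02", "IoT", "HVAC"),
    Endpoint("bms-server", "IoT", "BMS"),
]


def fabric_decision(src: Endpoint, dst: Endpoint, permit_matrix=PERMIT_MATRIX) -> str:
    """Decision the fabric makes for a flow from src to dst."""
    if src.vn != dst.vn:
        # Macro layer: virtual networks do not route to each other inside the fabric.
        return "deny: different virtual networks (only a border firewall can join them)"
    if (src.sgt, dst.sgt) in permit_matrix:
        return "permit"
    # Micro layer, zero-trust default: no matching group policy, no access.
    return "deny: no group policy permits this pair"


def blast_radius(infected: Endpoint, endpoints=ENDPOINTS, permit_matrix=PERMIT_MATRIX) -> list[str]:
    """Names of endpoints an infected device could reach through the fabric."""
    return sorted(
        e.name for e in endpoints
        if e != infected and fabric_decision(infected, e, permit_matrix) == "permit"
    )


def blast_radius_flat(infected: Endpoint, endpoints=ENDPOINTS) -> list[str]:
    """Same question on a flat network: every other endpoint is reachable."""
    return sorted(e.name for e in endpoints if e != infected)


if __name__ == "__main__":
    by_name = {e.name: e for e in ENDPOINTS}
    laptop, camera = by_name["hostel-laptop-17"], by_name["cctv-cam-12"]
    print(fabric_decision(laptop, by_name["erp-app-01"]))
    print("fabric, infected hostel laptop:", blast_radius(laptop))   # []
    print("fabric, compromised camera:    ", blast_radius(camera))   # ['nvr-01']
    print("flat network, hostel laptop:   ", blast_radius_flat(laptop))
```

Two things worth noticing in the output. The hostel laptop reaches nothing, not because anyone wrote a rule about it, but because no rule permits it and the default is deny. And the camera still reaches its recorder, which is the operational point: segmentation that breaks legitimate flows gets switched off, so the permit matrix has to be built from the roles that actually need to talk.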
Mostly no: you do not have to rip out and replace the whole campus, but be clear-eyed about the prerequisites. SD-Access runs on Cisco Catalyst 9000 switches with the right software tier, alongside Catalyst Center and ISE, so if your access layer is older, the fabric is a reason and a deadline to refresh it. You do not convert the whole campus in a weekend. Most organisations start with one building or one site, prove the design, then extend it.
The cost is real: the switches, the controller, the ISE deployment and the licences. So is the saving, though it arrives as fewer breaches contained, less manual configuration, faster moves and adds, and an answer to the auditor who asks how you segment a network carrying personal data. The right question is not "can we afford the fabric?" but "what does another flat-network incident cost us, and when?"
It makes sense when segmentation matters and scale makes manual work painful: large campuses, universities, hospitals, manufacturing sites with mixed IT and OT, and any organisation under real pressure to prove zero-trust controls. The more endpoints and the more device types you run, the more a fabric earns its place.
It makes less sense for a small, simple, single-site office where a few VLANs and a good firewall already do the job, and where the controller and licensing overhead would outweigh the benefit. A serious partner will tell you which camp you are in rather than selling you fabric you do not need. The goal is the right segmentation for your risk, not the most architecture for your budget.
SD-Access sits exactly where networking and security meet, which is also where most projects stumble, because the two are often bought from two different people who never speak.
Proactive Data Systems is a 35-year-old system integrator with more than 1,500 customers, and a Cisco Preferred Partner in Networking, Security, Collaboration, Cloud and AI, and Services. We hold both practices under one roof, so the same team that designs your Catalyst 9000 fabric also designs the ISE policy and the group structure that makes it zero trust, then runs it from a 24x7 NOC in India with CCIE-led design behind it. We start where you are, phase the migration, and tell you honestly when a simpler design serves you better.
Wondering whether SD-Access fits your campus, or how far an infected device could really travel on your network today? Ask Proactive for a campus segmentation assessment. We will map your risk before we map your fabric.