Cisco Software-Defined Access (SD-Access) is an intent-based networking solution for the enterprise that is built on the foundation of Cisco Digital Network Architecture (DNA). The SD-Access solution provides automated end-to-end segmentation for users and devices from the edge of the network to applications. SD-Access leverages Cisco DNA Center to provide the design settings, policy definition, and automated provisioning of network devices, along with assurance analytics for both wired and wireless networks.
The following are some of the key benefits of SD-Access:
- Automation: Automation simplifies deployment of network devices and enables consistent management of both wired and wireless network configurations.
- Policy: Automated configuration enables group-based security policies and network segmentation.
- Assurance: Contextual insights enable quick issue resolution and capacity planning.
- Integration: SD-Access is open and programmable for third-party integrated solutions.
Two main components make up SD-Access architecture:
- Cisco DNA Center: Cisco DNA Center has a rich set of features and benefits that are grouped into these core areas: automation, design, policy, provision, and assurance.
- SD-Access fabric: The SD-Access fabric consists of the physical and logical network infrastructure.
Figure 10-1 illustrates SD-Access with Cisco DNA Center at the top providing network services to the physical and logical infrastructure below it.

Figure 10-1 SD-Access Architecture Overview
SD-Access Fabric
Two different layers make up the SD-Access fabric:
- Underlay: This layer consists of the physical network devices and the routed transport between them; it is responsible for forwarding traffic.
- Overlay: This is a logical layer on top of the underlay where wired and wireless endpoints attach and where services and policies are applied.
The layered separation between the overlay and underlay allows for one or more logical networks to be provisioned to meet the design intent without changing anything on the underlay.
Overlay and fabric networks are not new. Networks built with MPLS, GRE, and DMVPN are examples of technologies that use tunneling to create overlay networks. SD-WAN is another example: it creates overlay networks over physical transports such as Internet and MPLS circuits.
Underlay
The underlay network is a collection of physical switches and routers running a dynamic Layer 3 routing protocol used as the underlying transport for the SD-Access network. The underlay implementation uses a deterministic Layer 3 routed design to ensure resiliency, performance, and scalability. Client traffic and endpoints are not part of the underlay network; instead, they are part of the configured overlay networks.
Each network device used in the underlay network needs to establish IPv4 connectivity with neighboring devices. Technically, any routing protocol can be used in the underlay network, but the use of a link-state protocol is highly recommended to ensure good performance, scalability, and resiliency.
Using a routed access design removes the need to run STP, VTP, and FHRPs in the underlay network. The routed underlay instead provides the benefits of a routing protocol, such as multipath routing (ECMP), fast convergence, and ease of management, and the logical fabric overlays are then built on top of it.
Cisco DNA Center has a feature called LAN automation for automatically provisioning switch configurations for the underlay network based on best practices. However, underlay network switch configurations can also be done manually. LAN automation can provision the CLI/SNMP credentials for the switches and upgrade the devices to the desired software version. In addition, LAN automation can configure MTU, loopbacks, routed point-to-point links, ECMP, BFD, and routed access for the fabric nodes.
The Cisco DNA Center LAN automation feature uses the Intermediate System-to-Intermediate System (IS-IS) routing protocol; however, OSPF can also be used with manual configurations. IS-IS and OSPF are used for underlay switch configuration for reasons such as the following:
- IS-IS and OSPF are standards-based link-state routing protocols.
- IS-IS is used in large service provider networks and is the protocol of choice for fabric-based networks.
- OSPF is used in enterprise and campus environments.
- Link-state routing protocols converge more quickly than distance vector routing protocols.
- Link-state routing protocols use areas and advertise information about the network topology instead of advertising the complete routing table.
- Link-state routing protocols use the SPF routing algorithm to find the shortest path to each node in the routing topology.
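The following is an added example of what a manually built underlay configuration for a single fabric node looks like on a Cisco IOS XE switch, covering the items the text attributes to LAN automation (jumbo MTU, loopback, routed point-to-point links, IS-IS, BFD, ECMP) and adding IS-IS adjacency authentication so that an unauthorized switch plugged into an uplink cannot join the underlay. It is not configuration taken from the book or generated by Cisco DNA Center; the interface names, IP addresses, IS-IS NET, key chain name, and key string are assumed values for illustration.

```cisco
! Global jumbo MTU so encapsulated overlay frames are not fragmented in the underlay
system mtu 9100
!
! Key chain used to authenticate IS-IS adjacencies (name and key string are assumed)
key chain ISIS-AUTH
 key 1
  key-string ChangeMe-UnderlayKey
!
! Loopback0 is the node's stable router ID; the system ID in the NET below is derived from it
interface Loopback0
 ip address 10.2.0.11 255.255.255.255
!
! Routed point-to-point uplinks: no switchport, so no STP, VTP, or FHRP on these links
interface TenGigabitEthernet1/1/1
 description to border-1 Te1/1/1 (assumed)
 no switchport
 ip address 10.1.0.1 255.255.255.252
 ip router isis
 isis network point-to-point
 bfd interval 250 min_rx 250 multiplier 3
!
interface TenGigabitEthernet1/1/2
 description to border-2 Te1/1/1 (assumed)
 no switchport
 ip address 10.1.0.5 255.255.255.252
 ip router isis
 isis network point-to-point
 bfd interval 250 min_rx 250 multiplier 3
!
router isis
 ! area 49.0000, system ID 0100.0200.0011 (from 10.2.0.11), NSEL 00
 net 49.0000.0100.0200.0011.00
 is-type level-2-only
 metric-style wide
 log-adjacency-changes
 ! advertise Loopback0 without sending hellos on it
 passive-interface Loopback0
 ! reject hellos and LSPs from neighbors that do not share the key
 authentication mode md5
 authentication key-chain ISIS-AUTH
 ! BFD on every IS-IS interface for sub-second failure detection
 bfd all-interfaces
 ! ECMP across the two uplinks
 maximum-paths 4
```

With authentication enabled, a neighbor that lacks the shared key never reaches the Up state in show isis neighbors, and a failed uplink is detected by BFD rather than by IS-IS hold timers (show bfd neighbors). MD5 is the long-standing IS-IS option; where the release supports RFC 5310 HMAC-SHA authentication for IS-IS, that is the stronger choice. Because client traffic never rides the underlay directly, these settings protect the transport the overlay depends on rather than the endpoints themselves.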