When you’re designing an SD-Access solution, in addition to the typical business requirements, there are a number of key technical factors that need to be considered before you develop your final design. This list is not exhaustive but should give you some design guidance to keep in mind:
- Greenfield or brownfield deployment
- Number of users
- Geographic location
- Shared services location
- Transit types
- Fusion routers
- WAN and Internet connectivity
- Security policy
- High availability
Overlay Design
The overlay network within the SD-Access fabric transports all user traffic, including every VN defined in the fabric. Because user traffic is carried in VXLAN encapsulation, the SGT carried in the VXLAN header can be used to segment users and devices within the fabric. Here are some design considerations to keep in mind when designing virtual networks:
- Macrosegmentation: Use macrosegmentation when you want to group many similar users or devices together. The outcome of macrosegmentation is the creation of a virtual network. Macrosegmentation provides path isolation at both the control plane and the data plane for that group's traffic. Any inter-VN communication requires an external firewall or fusion router.
- Microsegmentation: Use microsegmentation for data plane isolation within a VN using SGTs. This type of segmentation isolates traffic at the data plane and gives you a simple way to manage group-based policies between groups of endpoints within a VN.
- Reduce IP subnets: Larger IP subnets can be used since they do not have the same broadcast flooding issues common with standard large Layer 2 networks. This approach can reduce the number of DHCP scopes and simplify IP address management for the SD-Access fabric.
- Avoid overlapping IP subnets: Although using multiple VNs allows for overlapping IP subnets, you should try to avoid doing so because many deployments require shared services that need inter-VN communications.
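As an added illustration of the two segmentation models above (not code from the book or from Cisco), the following Python decodes the VXLAN header that SD-Access edge nodes exchange and then applies a macrosegmentation check (same VN?) followed by a microsegmentation check (SGT-to-SGT policy). The header layout follows the VXLAN Group Policy Option (draft-smith-vxlan-group-policy): 16 flag bits, a 16-bit Group Policy ID that carries the SGT, and a 24-bit VNI that identifies the VN. The VNI-to-VN mapping, SGT names, policy matrix and default action are constructed sample values, not values from any real deployment.

```python
import struct
from dataclasses import dataclass

# Flag bits in the first 16 bits of the VXLAN-GPO header
# (draft-smith-vxlan-group-policy): G = group policy present, I = VNI valid,
# D = don't learn, A = policy already applied by an upstream node.
FLAG_G = 0x8000
FLAG_I = 0x0800
FLAG_D = 0x0040
FLAG_A = 0x0008


@dataclass
class VxlanGpoHeader:
    flags: int
    sgt: int   # 16-bit Group Policy ID, carries the Scalable Group Tag
    vni: int   # 24-bit VXLAN Network Identifier, identifies the VN


def build_vxlan_gpo(vni: int, sgt: int, policy_applied: bool = False) -> bytes:
    """Encode the 8-byte VXLAN-GPO header that precedes the inner Ethernet frame."""
    if not 0 <= vni < 1 << 24 or not 0 <= sgt < 1 << 16:
        raise ValueError("VNI must fit in 24 bits and SGT in 16 bits")
    flags = FLAG_I | FLAG_G | (FLAG_A if policy_applied else 0)
    return struct.pack("!HHI", flags, sgt, vni << 8)   # byte after the VNI is reserved


def parse_vxlan_gpo(header: bytes) -> VxlanGpoHeader:
    """Decode flags, SGT and VNI from the first 8 bytes of a VXLAN-GPO header."""
    if len(header) < 8:
        raise ValueError("VXLAN header is 8 bytes")
    flags, gpid, vni_and_reserved = struct.unpack("!HHI", header[:8])
    if not flags & FLAG_I:
        raise ValueError("I bit clear: VNI field is not valid")
    sgt = gpid if flags & FLAG_G else 0   # without the G bit the field carries no SGT
    return VxlanGpoHeader(flags=flags, sgt=sgt, vni=vni_and_reserved >> 8)


# Constructed sample design: two VNs, a few SGTs, and an SGACL-style policy matrix.
VN_BY_VNI = {4097: "CAMPUS", 4098: "IOT"}
SGT_NAMES = {10: "Employees", 20: "Contractors", 30: "Printers", 40: "Cameras"}
SGACL = {
    (10, 30): "permit",   # employees may reach printers
    (20, 30): "deny",     # contractors may not
    (20, 10): "deny",     # contractors may not reach employee hosts
}
DEFAULT_ACTION = "permit"   # constructed default; a real design sets this deliberately


def decide(src: VxlanGpoHeader, dst_vni: int, dst_sgt: int) -> str:
    """Macrosegmentation (VN boundary) first, then microsegmentation (SGT policy)."""
    if src.vni not in VN_BY_VNI or dst_vni not in VN_BY_VNI:
        return "deny: unknown VN"
    if src.vni != dst_vni:
        # Path isolation at control and data plane: no direct inter-VN forwarding.
        return (f"deny: {VN_BY_VNI[src.vni]} -> {VN_BY_VNI[dst_vni]} "
                "needs a fusion router or firewall")
    action = SGACL.get((src.sgt, dst_sgt), DEFAULT_ACTION)
    return (f"{action}: {SGT_NAMES.get(src.sgt, src.sgt)} -> "
            f"{SGT_NAMES.get(dst_sgt, dst_sgt)} in {VN_BY_VNI[src.vni]}")


if __name__ == "__main__":
    hdr = parse_vxlan_gpo(build_vxlan_gpo(vni=4097, sgt=20))
    print(hdr)
    print(decide(hdr, 4097, 30))   # blocked by the SGT matrix inside CAMPUS
    print(decide(hdr, 4098, 40))   # blocked at the VN boundary
```

The order of the two checks is the point: a VN mismatch is rejected before any SGT policy is consulted, which is why inter-VN traffic must leave the fabric through a fusion router or firewall, and the SGT matrix only ever compares groups that already share a VN.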
Fabric Design
When you design SD-Access, each fabric site has its own set of control plane nodes, border nodes, and edge nodes.
Here are some key characteristics of a fabric site:
- An IP pool or subnet is part of a single fabric site.
- Layer 2 and Layer 3 mobility is supported within a single fabric site.
- Layer 2 extension and anycast gateways are scoped to a single fabric site.
- A fabric site is separate from any other fabric that may exist externally.
Figure 10-7 shows an example of an SD-Access fabric site.

Figure 10-7 SD-Access Fabric Site
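The IP pool and overlapping-subnet rules above are easy to violate once a design spans several sites and VNs. As an added example (not from the book or from Cisco DNA Center), this Python checker takes a constructed inventory of fabric sites, VNs and IP pools and reports two design problems: an IP pool assigned to more than one fabric site, and subnets that overlap between different VNs, which would complicate the inter-VN routing that shared services need. The site names, VN names and prefixes are constructed sample values.

```python
import ipaddress
from collections import defaultdict

# Constructed design inventory: fabric site -> VN -> list of IP pools (prefixes).
DESIGN = {
    "SiteA": {"CAMPUS": ["10.10.0.0/20", "10.10.16.0/20"], "IOT": ["10.20.0.0/22"]},
    "SiteB": {"CAMPUS": ["10.10.0.0/20"], "IOT": ["10.20.0.0/22"]},    # pools reused across sites
    "SiteC": {"CAMPUS": ["10.30.0.0/21"], "GUEST": ["10.30.4.0/23"]},  # GUEST overlaps CAMPUS
}


def find_design_issues(design: dict) -> list:
    """Return human-readable findings for pools that break the fabric-site rules."""
    issues = []

    # Rule 1: an IP pool belongs to exactly one fabric site.
    pool_sites = defaultdict(set)
    for site, vns in design.items():
        for pools in vns.values():
            for pool in pools:
                pool_sites[ipaddress.ip_network(pool)].add(site)
    for pool, sites in pool_sites.items():
        if len(sites) > 1:
            issues.append(f"pool {pool} is assigned to multiple fabric sites: {sorted(sites)}")

    # Rule 2: avoid overlapping subnets between different VNs, because shared
    # services usually require inter-VN routing through a fusion router or firewall.
    all_pools = [(site, vn, ipaddress.ip_network(p))
                 for site, vns in design.items()
                 for vn, pools in vns.items()
                 for p in pools]
    for i, (s1, v1, n1) in enumerate(all_pools):
        for s2, v2, n2 in all_pools[i + 1:]:
            if v1 != v2 and n1.overlaps(n2):
                issues.append(f"VN {v1} {n1} ({s1}) overlaps VN {v2} {n2} ({s2}); "
                              "inter-VN routing for shared services will not work cleanly")
    return issues


if __name__ == "__main__":
    for finding in find_design_issues(DESIGN):
        print("-", finding)
```

Run it against a design before pushing pools into DNA Center: a clean design returns an empty list, and each finding names the pool and the sites or VNs involved so it can be fixed in the address plan rather than discovered during provisioning.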