Traditional Campus Interoperating with SD-Access

Traditional Campus Interoperating with SD-Access: Complete CCNP ENCOR Guide

Why This Topic Is Important

Understanding how traditional campus networks interoperate with Software-Defined Access (SD-Access) is critical for modern network architects and engineers. As organizations transition from legacy network architectures to intent-based networking, the ability to design and maintain hybrid environments is essential. This knowledge is tested on the CCNP ENCOR exam because:

• Many enterprises still operate traditional campus networks while gradually adopting SD-Access
• Network professionals must design solutions that integrate both architectures seamlessly
• Proper interoperability prevents network segmentation failures and security breaches
• It demonstrates understanding of both legacy and modern network paradigms

What Is Traditional Campus Interoperating with SD-Access?

Traditional Campus Network Architecture refers to the conventional three-tier design consisting of access, distribution, and core layers. These networks typically use:

• Standard VLAN-based segmentation
• Traditional spanning tree protocols for loop prevention
• Static routing or dynamic routing protocols like OSPF and EIGRP
• Device-centric management with per-device configuration
• Access Control Lists (ACLs) for security policies

SD-Access (Software-Defined Access), also known as Cisco's DNA Center-based approach, introduces:

• Intent-based networking where policies are defined by business intent rather than individual device commands
• Fabric-based architecture with overlay and underlay networks
• Micro-segmentation through group-based access control
• Centralized policy management and automation
• Network virtualization and programmability

Interoperability occurs when these two distinct architectures must communicate and coexist within the same network infrastructure. This is a practical reality in many organizations undergoing digital transformation.

How Traditional Campus Interoperates with SD-Access

1. Edge Connections and Integration Points

The primary integration occurs at the fabric edge nodes. Traditional campus networks connect to SD-Access fabric through designated edge devices that act as bridges between the two architectures:

• Fabric Edge Nodes: Devices running SD-Access that act as gateways to traditional networks
• Border Nodes: Devices that sit at the boundary and perform protocol translation and policy enforcement
• VLAN to VN Mapping: Virtual Networks (VNs) in SD-Access correspond to VLANs in traditional networks

2. Protocol Translation and Conversion

Interoperability requires conversion between traditional networking concepts and SD-Access concepts:

• Traditional VLAN segments map to Virtual Networks (VNs) in the fabric
• Traditional Access Control Lists (ACLs) translate to Security Group Tags (SGTs) and Group-Based Policies (GBPs)
• Traditional routing protocols (OSPF, EIGRP) operate at the underlay level in SD-Access
• BGP may be used for inter-fabric communication and traditional network connections

3. Underlay and Overlay Separation

Underlay Network: The physical network infrastructure that supports both traditional and SD-Access operations. This typically uses standard IP routing and is independent of the overlay:

• Provides connectivity between all devices
• Uses traditional routing protocols
• Remains relatively unchanged during SD-Access adoption

Overlay Network: The SD-Access fabric that runs on top of the underlay:

• Implements Virtual Extensible LAN (VXLAN) for encapsulation
• Uses centralized control plane (APIC-EM or DNA Center)
• Provides policy-driven segmentation and connectivity

4. Control Plane Integration

The DNA Center acts as the centralized management and control platform for SD-Access:

• Defines and pushes network policies
• Manages fabric devices and their roles
• Provides assurance and monitoring capabilities
• Communicates with traditional network management systems through APIs and integrations

5. Data Plane Path Selection

Traffic between traditional campus and SD-Access fabric follows specific paths:

• Traditional-to-Fabric traffic ingresses through edge nodes
• Traffic is classified based on source/destination and security policy
• VXLAN encapsulation may be applied for fabric traversal
• At fabric exit points, traffic is decapsulated back to traditional format

6. Key Devices and Their Roles

Detailed Interoperability Scenarios

Scenario 1: Connecting Traditional VLANs to SD-Access Virtual Networks

When a traditional VLAN needs to communicate with devices in an SD-Access Virtual Network:

1. User connects to access switch in traditional campus
2. Traffic is tagged with VLAN ID
3. VLAN is mapped to a Virtual Network at the fabric edge node
4. Fabric edge node performs VLAN-to-VN translation
5. Traffic enters the fabric, possibly encapsulated in VXLAN
6. Fabric routes traffic based on policy, not VLAN
7. At destination fabric edge node, traffic is decapsulated
8. Destination device receives traffic in its appropriate VN/VLAN

Scenario 2: Security Policy Enforcement Across Boundaries

Policies must be consistently enforced whether traffic stays in traditional network or traverses to SD-Access:

• Traditional network uses ACLs on network devices
• SD-Access uses Group-Based Policies and Security Group Tags
• ISE provides identity-based grouping (SGTs) for both environments
• Policy enforcement occurs at network edge, regardless of architecture
• Centralized policy from DNA Center overrides device-level rules

Scenario 3: Hybrid Wired and Wireless Access

Organizations often have traditional wired campuses alongside newer wireless SD-Access implementations:

• Wireless controller integrates with DNA Center
• User authentication handled by ISE in both environments
• Mobility is supported across traditional and SD-Access domains
• Policy follows the user, not the access method

Technical Implementation Details

VXLAN Encapsulation

Virtual Extensible LAN is used within the SD-Access fabric:

• VXLAN Header: Adds 50-byte overhead to packets within the fabric
• VNI (VXLAN Network Identifier): 24-bit identifier mapping to VLANs or VNs
• Tunnel Endpoints (VTEPs): Fabric nodes that add/remove VXLAN encapsulation
• Traditional network traffic ingresses unencapsulated; fabric applies encapsulation only within fabric boundaries

BGP Integration

BGP plays a crucial role in interoperability:

• Underlayuses BGP for scalable routing between fabric nodes
• Border nodes can advertise routes to traditional network via BGP
• Traditional networks can advertise routes back to fabric
• BGP prevents routing loops and ensures optimal path selection

Identity and Access Control

ISE integration is critical for consistent security:

• User authentication is centralized through ISE
• Security Group Tags (SGTs) are assigned based on identity, not network location
• SGT values are propagated through traditional networks via TrustSec
• Group-Based Access Control Lists (GBACLs) enforce policy based on SGT

Common Challenges in Interoperability

Challenge 1: VLAN Scalability Limits

Problem: Traditional networks are limited to 4094 VLANs, but SD-Access VNs can be significantly more numerous.

Solution: Careful VLAN-to-VN mapping strategy and consolidation of underutilized segments

Challenge 2: Policy Enforcement Inconsistency

Problem: Different policy enforcement mechanisms between traditional ACLs and fabric policies

Solution: Centralize policy definition in DNA Center and ISE; audit both environments regularly

Challenge 3: Routing Complexity

Problem: Multiple routing protocols operating at different layers can cause suboptimal traffic flow

Solution: Design routing hierarchy: BGP for inter-fabric, IGP for underlay, policy-based routing overlay

Challenge 4: Troubleshooting Difficulty

Problem: Diagnosing issues requires understanding both traditional and SD-Access architectures

Solution: Use DNA Center assurance tools; maintain detailed documentation of mappings and policies

How to Answer Exam Questions on This Topic

Exam Tip 1: Understand the Distinction Between Architectures

Exam questions often test whether you understand what traditional campus is versus what SD-Access is. Look for keywords:

• Traditional: VLANs, ACLs, device-centric, per-switch configuration, spanning tree
• SD-Access: VNs, policies, intent-based, centralized management, fabric, overlay/underlay

When answering, clearly distinguish which architecture is being discussed.

Exam Tip 2: Focus on Integration Points

Exam questions about interoperability typically ask about where and how the two architectures connect. Key integration points to remember:

• Fabric edge nodes (primary integration)
• Border nodes (translation and enforcement)
• VLAN-to-VN mapping
• DNA Center policies reaching traditional devices

If a question asks how traditional and SD-Access communicate, think about these boundary devices first.

Exam Tip 3: Recognize the Role of DNA Center and ISE

Many questions involve identifying which tool handles which function:

• DNA Center: Overall fabric orchestration, policy definition, assurance
• ISE: Identity-based access, SGT assignment, authentication/authorization
• Traditional Management: Device-level configuration management

A well-designed interoperable network uses all three for complete policy enforcement.

Exam Tip 4: Understand VLAN-to-VN Mapping

This is a frequently tested concept. Remember:

• One traditional VLAN can map to one Virtual Network (VN)
• Mapping occurs at fabric edge nodes
• Traffic crossing the boundary is translated, not passed through unchanged
• VXLAN may be applied within the fabric for the mapped VN

When asked about connectivity between traditional VLAN and SD-Access, first identify where the mapping occurs.

Exam Tip 5: Apply Layered Thinking

Always think in terms of layers when analyzing interoperability questions:

• Layer 1-2 (Physical/Data Link): Underlay network infrastructure
• Layer 3 (Network): Routing and IP addressing in both architectures
• Layer 4-7 (Transport/Application): Application-aware policies and services
• Management/Control Plane: DNA Center orchestration and ISE policies

Understanding at which layer a problem exists helps identify the correct solution.

Exam Tip 6: Scenario-Based Analysis

When presented with a scenario, ask yourself:

1. Is this traffic staying within traditional campus, staying within SD-Access, or crossing boundaries?
2. What policy enforcement mechanism applies (ACLs, SGTs, GBACLs)?
3. How is the path determined (routing protocols, fabric optimization)?
4. Where is the traffic classified and transformed?

Breaking down the scenario into these questions reveals the correct answer.

Exam Tip 7: Know the Forwarding Behavior

Understand how packets are treated in different scenarios:

• Traditional-to-Traditional: Standard VLAN forwarding, ACL checking, routing
• Fabric-to-Fabric: VXLAN encapsulation, policy-based forwarding, fabric-optimized paths
• Traditional-to-Fabric: VLAN-to-VN translation at edge node, VXLAN encapsulation, policy enforcement
• Fabric-to-Traditional: VXLAN removal, VN-to-VLAN translation, ACL checking at boundary

Questions about "what happens to this packet" require understanding these different forwarding paths.

Exam Tip 8: Security Group Tags (SGTs) Are Critical

SGTs bridge the two architectures from a security perspective:

• Assigned by ISE based on user identity or device characteristics
• Propagated through both traditional and SD-Access networks
• Used for policy enforcement via GBACLs in fabric and traditional networks
• Provide consistent security regardless of network architecture

If a question discusses "how security is enforced across both networks," SGTs are likely the answer.

Exam Tip 9: Recognize Configuration Requirements

Questions may ask what must be configured for interoperability. Key requirements:

• Fabric Edge Node: Must have VLAN-to-VN mappings configured
• Border Node: Must route between fabric and traditional network, enforce policies
• DNA Center: Must define policies for both traditional and fabric devices
• ISE: Must assign SGTs consistently across both architectures
• Traditional Devices: May need TrustSec configuration for SGT support

When a question asks "what needs to be configured," think about each device's role.

Exam Tip 10: Troubleshooting Methodology

For troubleshooting questions, follow this approach:

1. Identify the architectural boundary: Is the issue within one architecture or crossing boundaries?
2. Check the mapping: If crossing boundaries, verify VLAN-to-VN or VN-to-VLAN mapping
3. Verify policy: Ensure policies are correctly defined in DNA Center and ISE
4. Confirm routing: Check both underlay routing and fabric overlay routing
5. Review logs: DNA Center assurance and ISE logs reveal policy enforcement issues

Following this methodology systematically eliminates troubleshooting guesswork.

Sample Exam Questions and Explanations

Sample Question 1

Question: A network administrator needs to allow a user in a traditional campus VLAN to access resources in an SD-Access Virtual Network. The user is authenticated through ISE and assigned a specific Security Group Tag. Which two devices are essential for this communication to occur?

A) DNA Center and ISE
B) Fabric edge node and VXLAN tunnel endpoint
C) Fabric edge node and border node
D) DNA Center and traditional core switch

Correct Answer: C) Fabric edge node and border node

Explanation: The fabric edge node is where VLAN-to-VN mapping occurs, translating the traditional traffic into the SD-Access fabric format. The border node ensures proper routing and policy enforcement at the architectural boundary. While DNA Center and ISE are important for policy definition and identity management, they are not the devices that actually forward the traffic. VXLAN tunnel endpoints are used within the fabric but not specifically for traditional-to-fabric translation.

Sample Question 2

Question: When a packet from a traditional VLAN enters an SD-Access fabric through an edge node, what happens to its structure?

A) The VLAN tag is removed and replaced with a VN identifier in the IP header
B) The packet is encapsulated in VXLAN with a VNI corresponding to the mapped Virtual Network
C) The packet is converted to Layer 3 and routed using BGP
D) The packet's VLAN tag is preserved throughout the fabric

Correct Answer: B) The packet is encapsulated in VXLAN with a VNI corresponding to the mapped Virtual Network

Explanation: At the fabric edge node, the VLAN is mapped to a Virtual Network, and the packet is encapsulated in VXLAN format. The VXLAN Network Identifier (VNI) corresponds to the VN that the VLAN maps to. This provides isolation and enables policy-based forwarding within the fabric. Option A is incorrect because VN identifiers are not in the IP header. Option C is too broad; while BGP may be involved in overall routing, VXLAN encapsulation is the immediate transformation. Option D is incorrect because VLANs are not preserved through the fabric; they are translated to VNs.

Sample Question 3

Question: A company wants to implement consistent security policies across both its traditional campus network and SD-Access fabric. The policy should restrict access based on user identity, not just network location. Which component plays the central role in this implementation?

A) DNA Center policies
B) Security Group Tags (SGTs) and ISE
C) Border node routing policies
D) VLAN-to-VN mapping tables

Correct Answer: B) Security Group Tags (SGTs) and ISE

Explanation: SGTs and ISE enable identity-based access control across both architectures. ISE authenticates users, assigns SGTs based on identity or device characteristics, and these tags are propagated through both traditional (via TrustSec) and SD-Access (natively) networks. Group-Based Access Control Lists (GBACLs) then enforce policy based on SGT values. DNA Center policies are more suited to device and network management rather than identity-based access. Border nodes enforce policies but don't create the identity-based foundation. VLAN-to-VN mapping enables connectivity but not security enforcement.

Sample Question 4

Question: You are designing an interoperable network where traditional VLAN 100 needs to communicate with Virtual Network "Engineering" in the SD-Access fabric. At which point in the network is the VLAN-to-VN translation performed?

A) At the DNA Center control plane
B) At the fabric edge node where the traditional network connects
C) At the border node connecting the two architectures
D) At the core routing layer

Correct Answer: B) At the fabric edge node where the traditional network connects

Explanation: The fabric edge node (also called access node in some contexts) is where traditional devices are integrated into the SD-Access fabric. This is where VLAN-to-VN mapping is configured and applied. DNA Center defines the policies and mappings, but doesn't perform the actual translation in the data plane. The border node operates at a higher level, connecting entire fabric domains. The core layer operates above the edge devices.

Key Takeaways for Exam Success

• Understand both architectures independently: You cannot understand interoperability without firmly grasping traditional and SD-Access separately
• Focus on boundary devices: Edge nodes and border nodes are where most interoperability questions focus
• VLAN-to-VN mapping is fundamental: This concept appears in nearly every interoperability question
• DNA Center and ISE are not optional: These management platforms are essential for interoperability, not optional add-ons
• Security Group Tags bridge architectures: SGTs provide a consistent security model across both environments
• VXLAN enables fabric operation: Understanding VXLAN encapsulation and VNI mapping is critical
• Think in layers: Separating concerns by layer (underlay, overlay, control plane) simplifies problem-solving
• Practice scenario analysis: Real exam questions present scenarios; practice analyzing them systematically
• Know the tools: Understand which tool (DNA Center, ISE, traditional management) handles which function
• Review Cisco documentation: Use official Cisco documentation and white papers as authoritative sources