Traditional Campus Interoperating with SD-Access
Traditional Campus networks and SD-Access (Software-Defined Access) represent two different architectural paradigms that often need to coexist in enterprise environments. Understanding their interoperability is crucial for CCNP Enterprise candidates.

Traditional Campus architecture relies on a hierarchical design with core, distribution, and access layers. It uses STP for loop prevention, VLANs for segmentation, and conventional routing protocols. Network policies are configured device by device, which makes scaling and management complex.

SD-Access, conversely, applies software-defined networking principles through Cisco's fabric architecture. It uses VXLAN encapsulation in the data plane, a LISP control plane, and centralized policy management through Cisco DNA Center together with ISE. SD-Access provides better scalability, simplified operations, and enhanced security through micro-segmentation.

When these two architectures must interoperate, several key considerations emerge. First, the transition typically occurs gradually. Border nodes are the gateways between the traditional and SD-Access domains: a Layer 3 handoff exchanges routes per Virtual Network (typically BGP with VRF-lite), and a Layer 2 handoff bridges a traditional VLAN into a fabric VLAN and its VXLAN segment. Second, routing must be compatible. Traditional IGPs such as OSPF or EIGRP and the fabric's LISP overlay meet at the border, where routes are exchanged through the handoff protocol, so the interconnection points need careful configuration. Third, policy enforcement differs significantly. Traditional networks use access control lists per device, while SD-Access uses group-based policies (SGACLs) defined centrally in DNA Center and ISE. Organizations must keep the two consistent.
Fourth, VLANs in traditional campus must map appropriately to SD-Access Virtual Networks, ensuring proper segmentation and security zone alignment. Finally, management complexity increases during coexistence. Administrators must maintain expertise in both traditional and software-defined technologies until complete migration occurs. Successful interoperability requires detailed planning, proper border node configuration, and phased migration strategies to minimize disruption while gradually modernizing the network infrastructure toward full SD-Access deployment.
Traditional Campus Interoperating with SD-Access: Complete CCNP ENCOR Guide
Why This Topic Is Important
Understanding how traditional campus networks interoperate with Software-Defined Access (SD-Access) is critical for modern network architects and engineers. As organizations transition from legacy network architectures to intent-based networking, the ability to design and maintain hybrid environments is essential. This knowledge is tested on the CCNP ENCOR exam because:
- Many enterprises still operate traditional campus networks while gradually adopting SD-Access
- Network professionals must design solutions that integrate both architectures seamlessly
- Proper interoperability prevents network segmentation failures and security breaches
- It demonstrates understanding of both legacy and modern network paradigms
What Is Traditional Campus Interoperating with SD-Access?
Traditional Campus Network Architecture refers to the conventional three-tier design consisting of access, distribution, and core layers. These networks typically use:
- Standard VLAN-based segmentation
- Traditional spanning tree protocols for loop prevention
- Static routing or dynamic routing protocols like OSPF and EIGRP
- Device-centric management with per-device configuration
- Access Control Lists (ACLs) for security policies
SD-Access (Software-Defined Access), Cisco's fabric architecture managed through DNA Center, introduces:
- Intent-based networking where policies are defined by business intent rather than individual device commands
- Fabric-based architecture with overlay and underlay networks
- Micro-segmentation through group-based access control
- Centralized policy management and automation
- Network virtualization and programmability
Interoperability occurs when these two distinct architectures must communicate and coexist within the same network infrastructure. This is a practical reality in many organizations undergoing digital transformation.
How Traditional Campus Interoperates with SD-Access
1. Edge Connections and Integration Points
The primary integration point is the fabric border node. A traditional campus connects to the SD-Access fabric at border nodes, which hand each fabric Virtual Network off to the outside network; fabric edge nodes, by contrast, connect endpoints into the fabric:
- Border Nodes: Fabric devices at the boundary that hand off each VN to the traditional network, either as a Layer 3 handoff (routes exchanged per VN, typically BGP with VRF-lite) or as a Layer 2 handoff (a traditional VLAN bridged into a fabric VLAN)
- Fabric Edge Nodes: Devices that connect endpoints to the fabric; each endpoint VLAN (IP pool) on an edge node belongs to exactly one VN, and the edge node enforces policy for traffic to those endpoints
- VLAN to VN Mapping: Virtual Networks (VNs) in SD-Access are VRFs; a traditional VLAN and its subnet are placed into one VN at the handoff, and a VLAN cannot belong to more than one VN
2. Protocol Translation and Conversion
Interoperability requires translating traditional networking concepts into SD-Access concepts:
- Traditional VLAN segments map to Virtual Networks (VNs), which are VRFs in the fabric
- Traditional Access Control Lists (ACLs) are re-expressed as group-based policy: ISE assigns Security Group Tags (SGTs), and Security Group ACLs (SGACLs) enforce the SGT-to-SGT matrix
- Traditional routing protocols (IS-IS, OSPF, EIGRP) run in the underlay; overlay reachability is provided by LISP
- BGP is the usual protocol for the border node's Layer 3 handoff to the traditional network (typically one eBGP session per VN with VRF-lite) and for transit between fabric sites
3. Underlay and Overlay Separation
Underlay Network: The physical network infrastructure that supports both traditional and SD-Access operations. This typically uses standard IP routing and is independent of the overlay:
- Provides connectivity between all devices
- Uses traditional routing protocols
- Remains relatively unchanged during SD-Access adoption
Overlay Network: The SD-Access fabric that runs on top of the underlay:
- Implements Virtual Extensible LAN (VXLAN), with the group-policy extension that carries the SGT, for data-plane encapsulation
- Uses LISP as the control plane: fabric control-plane nodes run the LISP map-server/map-resolver that tracks which edge node each endpoint sits behind (DNA Center provisions this but is the management plane, not the control plane)
- Provides policy-driven segmentation and connectivity
4. Control Plane Integration
DNA Center acts as the centralized management and orchestration platform (the management plane) for SD-Access:
- Defines and pushes network policies
- Manages fabric devices and their roles
- Provides assurance and monitoring capabilities
- Communicates with traditional network management systems through APIs and integrations
5. Data Plane Path Selection
Traffic between the traditional campus and the SD-Access fabric follows specific paths:
- Traditional-to-Fabric traffic ingresses through border nodes
- Traffic is classified by its VN (VRF) and by the source SGT that ISE has bound to the source address
- VXLAN encapsulation, carrying the VNI and the SGT, is applied for the fabric traversal
- At the fabric exit point, whether a fabric edge node or another border node, the traffic is decapsulated back to traditional VLAN/IP format
6. Key Devices and Their Roles
| Device Type | Role in Interoperability |
| --- | --- |
| Fabric Border Node | Hands each VN off to the traditional network (Layer 3 via BGP/VRF-lite, or Layer 2 VLAN extension); boundary between fabric and non-fabric forwarding |
| Fabric Edge Node | Connects endpoints to the fabric, binds their VLAN/IP pool to a VN, enforces SGACLs for traffic to those endpoints |
| Control Plane Node | Runs the LISP map-server/map-resolver that records which edge node each endpoint sits behind |
| DNA Center | Central orchestration and policy definition (management plane) |
| ISE (Identity Services Engine) | Identity and access management, SGT assignment, SXP bindings, SGACL distribution |
Detailed Interoperability Scenarios
Scenario 1: Connecting Traditional VLANs to SD-Access Virtual Networks
When a traditional VLAN needs to communicate with devices in an SD-Access Virtual Network:
- User connects to an access switch in the traditional campus and is authenticated by ISE, which records an IP-to-SGT binding for the user
- Traffic is tagged with the VLAN ID and forwarded through the traditional network toward the fabric
- At the border node the VLAN is admitted into its Virtual Network: a Layer 2 handoff bridges the VLAN into a fabric VLAN, a Layer 3 handoff routes its subnet into the VN's VRF
- The border node encapsulates the traffic in VXLAN with the VNI of the mapped segment and the source SGT learned from ISE
- The fabric forwards on the LISP lookup of the destination endpoint's edge node, not on the VLAN
- At the destination fabric edge node the traffic is decapsulated and the SGACL for the source/destination SGT pair is enforced
- Destination device receives traffic in its own VLAN within the VN
Scenario 2: Security Policy Enforcement Across Boundaries
Policies must be consistently enforced whether traffic stays in the traditional network or traverses the SD-Access fabric:
- Traditional network uses ACLs on network devices
- SD-Access uses Group-Based Policies, enforced as SGACLs keyed on Security Group Tags
- ISE provides identity-based grouping (SGTs) for both environments
- Policy enforcement occurs at the network edge closest to the destination, regardless of architecture
- Policy defined centrally in DNA Center and ISE is pushed as SGACLs to TrustSec-capable devices; it does not replace the ACLs on a traditional switch that is not enforcing SGACLs, so those ACLs must be reviewed against the matrix and aligned or retired by hand
Scenario 3: Hybrid Wired and Wireless Access
Organizations often have traditional wired campuses alongside newer wireless SD-Access implementations:
- Wireless controller integrates with DNA Center
- User authentication handled by ISE in both environments
- Mobility is supported across traditional and SD-Access domains
- Policy follows the user, not the access method
Technical Implementation Details
VXLAN Encapsulation
Virtual Extensible LAN is used within the SD-Access fabric:
- VXLAN Header: 8 bytes, carried in UDP (destination port 4789) inside an outer IP and Ethernet header; the encapsulation adds 50 bytes of overhead to each frame, so the underlay MTU must be raised accordingly
- VNI (VXLAN Network Identifier): 24-bit identifier; SD-Access uses a Layer 3 VNI per VN and a Layer 2 VNI per VLAN/IP pool
- Group Policy extension (VXLAN-GPO): a 16-bit Group Policy ID field in the VXLAN header carries the SGT, which is how identity follows the packet through the fabric
- Tunnel Endpoints (VTEPs): edge and border nodes, which add and remove the encapsulation
- Traditional network traffic arrives at the border unencapsulated; the fabric applies encapsulation only between VTEPs, and removes it again before traffic leaves the fabric
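The following Python model walks a frame from a traditional VLAN through the border handoff and back, building the actual VXLAN header with the group-policy extension so the VNI and SGT fields described above can be inspected byte by byte. It also covers the Scenario 1 packet walk. This is an added example written for this guide, not Cisco code: the VLAN-to-VN table, VNI values and SGT numbers are constructed, and the header layout follows RFC 7348 with the VXLAN-GPO extension (G bit in the first flags byte, 16-bit Group Policy ID in bytes 2-3).

```python
"""Packet walk for a traditional VLAN entering an SD-Access fabric through a Layer 2
border handoff: VLAN -> VN/VNI lookup, VXLAN-GPO encapsulation (VNI plus SGT), and
the reverse path. Added example for this guide; not Cisco code."""
import struct
from typing import Optional, Tuple

# Constructed handoff table (assumed values): traditional VLAN -> (VN name, L2 VNI).
# In a real fabric DNA Center assigns the VNI; it is hard-coded here for the model.
VLAN_TO_VN = {
    100: ("Engineering", 8188),
    200: ("Guest", 8190),
}
VNI_TO_VLAN = {vni: vlan for vlan, (_, vni) in VLAN_TO_VN.items()}

VXLAN_HDR_LEN = 8
FLAG_G = 0x80   # first flags byte: group-policy extension (SGT) present
FLAG_I = 0x08   # first flags byte: VNI field is valid


def vxlan_gpo_encap(vni: int, sgt: Optional[int], inner_frame: bytes) -> bytes:
    """Prepend an 8-byte VXLAN header (with the group-policy extension when an
    SGT is given) to an Ethernet frame. sgt=None produces a plain VXLAN header."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    flags, group_id = FLAG_I, 0
    if sgt is not None:
        if not 0 <= sgt < 1 << 16:
            raise ValueError("SGT must fit in 16 bits")
        flags |= FLAG_G
        group_id = sgt
    # byte 0 flags, byte 1 reserved, bytes 2-3 Group Policy ID (the SGT),
    # bytes 4-6 VNI, byte 7 reserved
    header = struct.pack("!BBH", flags, 0, group_id) + struct.pack("!I", vni << 8)
    return header + inner_frame


def vxlan_gpo_decap(packet: bytes) -> Tuple[int, Optional[int], bytes]:
    """Return (vni, sgt_or_None, inner_frame); reject malformed headers."""
    if len(packet) < VXLAN_HDR_LEN:
        raise ValueError("truncated VXLAN header")
    flags, _, group_id = struct.unpack("!BBH", packet[:4])
    if not flags & FLAG_I:
        raise ValueError("VXLAN I bit not set: no valid VNI")
    vni = struct.unpack("!I", packet[4:8])[0] >> 8
    sgt = group_id if flags & FLAG_G else None
    return vni, sgt, packet[VXLAN_HDR_LEN:]


def traditional_to_fabric(vlan: int, sgt: Optional[int], frame: bytes) -> Tuple[str, bytes]:
    """Border node ingress: map the traditional VLAN to its VN and encapsulate.
    The SGT has to come from ISE (for example via an SXP binding) because an
    ordinary 802.1Q frame from the traditional side carries no SGT of its own."""
    if vlan not in VLAN_TO_VN:
        raise LookupError(f"VLAN {vlan} has no VN mapping; dropped at the border")
    vn_name, vni = VLAN_TO_VN[vlan]
    return vn_name, vxlan_gpo_encap(vni, sgt, frame)


def fabric_to_traditional(packet: bytes) -> Tuple[int, Optional[int], bytes]:
    """Border node egress: decapsulate and return (vlan, sgt, frame). The SGT is
    returned so the caller can see what is about to be lost: once the frame is
    sent untagged into the traditional network the SGT is gone unless inline
    tagging or SXP carries it onward."""
    vni, sgt, frame = vxlan_gpo_decap(packet)
    if vni not in VNI_TO_VLAN:
        raise LookupError(f"VNI {vni} is not handed off to the traditional network")
    return VNI_TO_VLAN[vni], sgt, frame


if __name__ == "__main__":
    frame = b"\x00" * 14 + b"payload"       # constructed placeholder Ethernet frame
    vn, pkt = traditional_to_fabric(100, 10, frame)
    print(vn, pkt[:8].hex())                 # Engineering 8800000a001ffc00
    print(fabric_to_traditional(pkt))        # (100, 10, b'...payload')
```

The header bytes make the exam point concrete: 0x88 is the I and G bits set, 0x000a is SGT 10, and 0x1ffc shifted into bytes 4-6 is VNI 8188. Sending the frame with sgt=None yields a flags byte of 0x08, which is what a plain VXLAN receiver sees and why a traditional switch downstream has no group information unless TrustSec carries it separately.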
BGP Integration
BGP plays a crucial role at the fabric boundary:
- The underlay itself normally runs an IGP (IS-IS when DNA Center's LAN automation builds it, or OSPF in a brownfield underlay); BGP is the handoff protocol, not the usual underlay protocol
- Border nodes advertise fabric prefixes to the traditional network per VN, typically over eBGP with VRF-lite (one VRF and one BGP session per VN), so that segmentation survives the handoff
- The traditional network advertises its prefixes back, and the border node imports them into the matching VN so fabric endpoints reach them through the border
- Standard BGP loop prevention (AS-path) together with separate VRFs per VN keeps routes from leaking between segments; any inter-VN reachability is added deliberately through a fusion device rather than by redistribution at the border
Identity and Access Control
ISE integration is critical for consistent security:
- User authentication is centralized through ISE (802.1X, MAB or web authentication on both fabric and traditional ports)
- Security Group Tags (SGTs) are assigned based on identity, not network location
- SGT values reach the traditional network through TrustSec: either inline tagging (the SGT carried in the Cisco MetaData header on TrustSec-capable links) or SXP, which distributes IP-to-SGT bindings to devices that cannot tag frames
- Security Group ACLs (SGACLs, Cisco's group-based access lists) enforce policy on the source and destination SGT at the enforcement point nearest the destination
Common Challenges in Interoperability
Challenge 1: VLAN Scalability Limits
Problem: Traditional networks are limited to 4094 VLAN IDs per switching domain, and a VLAN carries no VRF context; a VXLAN VNI is 24 bits, so the fabric has far more segment identifiers, but each platform and fabric site also has its own documented limit on VNs and IP pools, so the two numbering schemes never line up one-to-one
Solution: Plan the VLAN-to-VN mapping up front (one VLAN to exactly one VN), consolidate underutilized segments, and check the resulting VN and pool counts against the Cisco scale limits for the chosen platforms
Challenge 2: Policy Enforcement Inconsistency
Problem: Different policy enforcement mechanisms between traditional ACLs and fabric policies
Solution: Centralize policy definition in DNA Center and ISE; audit both environments regularly
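Both Scenario 2 above and this challenge come down to one question: for a given pair of hosts, do the traditional ACL and the SGACL matrix reach the same verdict? The script below answers it by evaluating each ordered host pair under both models and reporting the disagreements. It is an added example written for this guide, not ISE or DNA Center tooling; the IP-to-SGT bindings, the ACL and the matrix are constructed, and the permit default for unlisted matrix cells is an assumption (it matches Cisco's usual "Permit IP" default SGACL, but a fabric can be deployed with a deny default).

```python
"""Consistency audit between a traditional IP ACL and the TrustSec SGACL matrix.
Added example for this guide; not Cisco or ISE tooling. All data is constructed."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed IP-to-SGT bindings, as ISE would distribute them over SXP (assumed).
IP_SGT: Dict[str, int] = {
    "10.1.100.10": 10,   # Engineering workstation, traditional VLAN 100
    "10.1.200.20": 20,   # Guest laptop, traditional VLAN 200
    "10.2.10.5": 30,     # Engineering server in the fabric VN
}
UNKNOWN_SGT = 0          # TrustSec "Unknown" tag for hosts with no binding

# Constructed SGACL matrix keyed by (source SGT, destination SGT). Cells not
# listed fall back to DEFAULT_SGACL (assumption: permit, Cisco's usual default).
SGACL: Dict[Tuple[int, int], str] = {
    (10, 30): "permit",
    (20, 30): "deny",
    (20, 10): "deny",    # guests may not reach engineering workstations
}
DEFAULT_SGACL = "permit"

# Constructed traditional ACL: ordered (action, src prefix, dst prefix), first
# match wins, implicit deny at the end. The trailing permit-any line is a common
# brownfield shortcut and is exactly what the audit catches.
ACL: List[Tuple[str, str, str]] = [
    ("permit", "10.1.100.0/24", "10.2.10.0/24"),
    ("deny",   "10.1.200.0/24", "10.2.10.0/24"),
    ("permit", "0.0.0.0/0",     "0.0.0.0/0"),
]


def acl_decision(acl: List[Tuple[str, str, str]], src_ip: str, dst_ip: str) -> str:
    """First-match evaluation of a traditional ACL with implicit deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for action, src_pfx, dst_pfx in acl:
        if src in ipaddress.ip_network(src_pfx) and dst in ipaddress.ip_network(dst_pfx):
            return action
    return "deny"


def sgacl_decision(matrix: Dict[Tuple[int, int], str], bindings: Dict[str, int],
                   src_ip: str, dst_ip: str, default: str = DEFAULT_SGACL) -> str:
    """SGACL lookup: classify both hosts by SGT, then read the matrix cell."""
    src_sgt = bindings.get(src_ip, UNKNOWN_SGT)
    dst_sgt = bindings.get(dst_ip, UNKNOWN_SGT)
    return matrix.get((src_sgt, dst_sgt), default)


def audit(hosts: List[str], acl=ACL, matrix=SGACL, bindings=IP_SGT) -> List[dict]:
    """Compare both enforcement models for every ordered host pair and return the
    flows where the traditional ACL and the SGACL matrix disagree."""
    findings = []
    for src in hosts:
        for dst in hosts:
            if src == dst:
                continue
            acl_verdict = acl_decision(acl, src, dst)
            sgacl_verdict = sgacl_decision(matrix, bindings, src, dst)
            if acl_verdict != sgacl_verdict:
                findings.append({
                    "src": src, "dst": dst,
                    "src_sgt": bindings.get(src, UNKNOWN_SGT),
                    "dst_sgt": bindings.get(dst, UNKNOWN_SGT),
                    "acl": acl_verdict, "sgacl": sgacl_verdict,
                })
    return findings


if __name__ == "__main__":
    for f in audit(list(IP_SGT)):
        print(f"{f['src']} (SGT {f['src_sgt']}) -> {f['dst']} (SGT {f['dst_sgt']}): "
              f"ACL {f['acl']}, SGACL {f['sgacl']}")
```

On the constructed data the audit reports a single flow, guest to engineering workstation, that the fabric denies but the traditional ACL permits through its trailing permit-any line. That is the typical shape of an interoperability gap: the weaker side is the traditional domain, and the fix is either to tighten the device ACL or to put the traditional switch under SGACL enforcement so the matrix applies there too.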
Challenge 3: Routing Complexity
Problem: Multiple routing protocols operating at different layers can cause suboptimal traffic flow or, worse, leak routes between VNs
Solution: Keep a clear routing hierarchy: an IGP (IS-IS or OSPF) in the underlay, LISP in the overlay, and BGP with VRF-lite at the border handoff; any required inter-VN reachability goes through a deliberate fusion device (router or firewall) rather than ad hoc redistribution
Challenge 4: Troubleshooting Difficulty
Problem: Diagnosing issues requires understanding both traditional and SD-Access architectures
Solution: Use DNA Center assurance tools; maintain detailed documentation of mappings and policies
How to Answer Exam Questions on This Topic
Exam Tip 1: Understand the Distinction Between Architectures
Exam questions often test whether you understand what traditional campus is versus what SD-Access is. Look for keywords:
- Traditional: VLANs, ACLs, device-centric, per-switch configuration, spanning tree
- SD-Access: VNs, policies, intent-based, centralized management, fabric, overlay/underlay
When answering, clearly distinguish which architecture is being discussed.
Exam Tip 2: Focus on Integration Points
Exam questions about interoperability typically ask about where and how the two architectures connect. Key integration points to remember:
- Border nodes (primary integration: the Layer 3 or Layer 2 handoff to the traditional network)
- Fabric edge nodes (where endpoints, and the VLAN/IP pool they sit in, enter a VN)
- VLAN-to-VN mapping (each traditional VLAN or subnet lands in exactly one VN)
- Policy reaching traditional devices through ISE (SGT bindings via SXP, SGACLs on TrustSec-capable switches)
If a question asks how traditional and SD-Access communicate, think about the border node first, then the edge node where the destination endpoint sits.
Exam Tip 3: Recognize the Role of DNA Center and ISE
Many questions involve identifying which tool handles which function:
- DNA Center: Overall fabric orchestration, policy definition, assurance
- ISE: Identity-based access, SGT assignment, authentication/authorization
- Traditional Management: Device-level configuration management
A well-designed interoperable network uses all three for complete policy enforcement.
Exam Tip 4: Understand VLAN-to-VN Mapping
This is a frequently tested concept. Remember:
- One traditional VLAN maps to exactly one Virtual Network (VN); a VN can hold many VLANs
- For a traditional network attached to the fabric, the mapping is applied at the border node (a Layer 2 handoff bridges the VLAN into a fabric VLAN; a Layer 3 handoff places its subnet into the VN's VRF); for endpoints attached directly to the fabric, the VLAN/IP pool is bound to a VN on the fabric edge node
- Traffic crossing the boundary is translated, not passed through unchanged
- Inside the fabric the mapped traffic is VXLAN-encapsulated with the VNI that identifies the segment
When asked about connectivity between traditional VLAN and SD-Access, first identify where the mapping occurs.
Exam Tip 5: Apply Layered Thinking
Always think in terms of layers when analyzing interoperability questions:
- Layer 1-2 (Physical/Data Link): physical links, trunks and VLANs in the traditional campus and at a Layer 2 handoff
- Layer 3 (Network): underlay routing (IS-IS or OSPF), the BGP handoff at the border, and VN (VRF) routing in the overlay
- Layer 4-7 (Transport/Application): SGACL rules on ports and protocols, and application-aware services
- Management/Control Plane: DNA Center orchestration, the LISP control plane, and ISE policies
Understanding at which layer a problem exists helps identify the correct solution.
Exam Tip 6: Scenario-Based Analysis
When presented with a scenario, ask yourself:
- Is this traffic staying within traditional campus, staying within SD-Access, or crossing boundaries?
- What policy enforcement mechanism applies (ACLs, SGTs, GBACLs)?
- How is the path determined (routing protocols, fabric optimization)?
- Where is the traffic classified and transformed?
Breaking down the scenario into these questions reveals the correct answer.
Exam Tip 7: Know the Forwarding Behavior
Understand how packets are treated in different scenarios:
- Traditional-to-Traditional: Standard VLAN forwarding, ACL checking, routing
- Fabric-to-Fabric: VXLAN encapsulation at the ingress edge node, LISP lookup for the destination edge node, SGACL enforcement at the egress edge node
- Traditional-to-Fabric: VLAN-to-VN mapping at the border node handoff, VXLAN encapsulation with the VNI and the SGT, SGACL enforcement at the destination edge node
- Fabric-to-Traditional: VXLAN removed at the border node, VN-to-VLAN (or VRF-to-VRF) handoff, then whatever the traditional side enforces (device ACLs, or SGACLs if SGTs are carried onward by inline tagging or SXP)
Questions about "what happens to this packet" require understanding these different forwarding paths.
Exam Tip 8: Security Group Tags (SGTs) Are Critical
SGTs bridge the two architectures from a security perspective:
- Assigned by ISE based on user identity or device characteristics
- Propagated through both traditional and SD-Access networks
- Used for policy enforcement via GBACLs in fabric and traditional networks
- Provide consistent security regardless of network architecture
If a question discusses "how security is enforced across both networks," SGTs are likely the answer.
Exam Tip 9: Recognize Configuration Requirements
Questions may ask what must be configured for interoperability. Key requirements:
- Border Node: Must have the handoff configured for each VN (BGP with VRF-lite for Layer 3, or the VLAN-to-fabric-VLAN mapping for Layer 2) and route between fabric and traditional network
- Fabric Edge Node: Must have each endpoint VLAN/IP pool bound to its VN (provisioned by DNA Center)
- DNA Center: Must define the VNs, IP pools, handoffs and group-based policy
- ISE: Must assign SGTs consistently across both architectures and distribute IP-to-SGT bindings (SXP) to non-fabric devices
- Traditional Devices: Need TrustSec configuration (SXP or inline tagging plus SGACL enforcement) to honor SGTs; otherwise their device ACLs remain the only control
When a question asks "what needs to be configured," think about each device's role.
Exam Tip 10: Troubleshooting Methodology
For troubleshooting questions, follow this approach:
- Identify the architectural boundary: Is the issue within one architecture or crossing boundaries?
- Check the mapping: If crossing boundaries, verify VLAN-to-VN or VN-to-VLAN mapping
- Verify policy: Ensure policies are correctly defined in DNA Center and ISE
- Confirm routing: Check both underlay routing and fabric overlay routing
- Review logs: DNA Center assurance and ISE logs reveal policy enforcement issues
Following this methodology systematically eliminates troubleshooting guesswork.
Sample Exam Questions and Explanations
Sample Question 1
Question: A network administrator needs to allow a user in a traditional campus VLAN to access resources in an SD-Access Virtual Network. The user is authenticated through ISE and assigned a specific Security Group Tag. Which two devices are essential for this communication to occur?
A) DNA Center and ISE
B) Fabric edge node and VXLAN tunnel endpoint
C) Fabric edge node and border node
D) DNA Center and traditional core switch
Correct Answer: C) Fabric edge node and border node
Explanation: The border node is the handoff point where the traditional VLAN (Layer 2 handoff) or its subnet (Layer 3 handoff) enters the Virtual Network, and the fabric edge node is where the destination resource is attached and where the SGACL for the user's SGT is enforced. While DNA Center and ISE are essential for policy definition and identity management, they are not the devices that forward the traffic. Option B is incomplete: edge and border nodes are themselves the VXLAN tunnel endpoints, so "VTEP" names a function of those nodes rather than a second device.
Sample Question 2
Question: When a packet from a traditional VLAN enters an SD-Access fabric through an edge node, what happens to its structure?
A) The VLAN tag is removed and replaced with a VN identifier in the IP header
B) The packet is encapsulated in VXLAN with a VNI corresponding to the mapped Virtual Network
C) The packet is converted to Layer 3 and routed using BGP
D) The packet's VLAN tag is preserved throughout the fabric
Correct Answer: B) The packet is encapsulated in VXLAN with a VNI corresponding to the mapped Virtual Network
Explanation: At the fabric edge node, the VLAN is mapped to a Virtual Network, and the packet is encapsulated in VXLAN format. The VXLAN Network Identifier (VNI) corresponds to the VN that the VLAN maps to. This provides isolation and enables policy-based forwarding within the fabric. Option A is incorrect because VN identifiers are not in the IP header. Option C is too broad; while BGP may be involved in overall routing, VXLAN encapsulation is the immediate transformation. Option D is incorrect because VLANs are not preserved through the fabric; they are translated to VNs.
Sample Question 3
Question: A company wants to implement consistent security policies across both its traditional campus network and SD-Access fabric. The policy should restrict access based on user identity, not just network location. Which component plays the central role in this implementation?
A) DNA Center policies
B) Security Group Tags (SGTs) and ISE
C) Border node routing policies
D) VLAN-to-VN mapping tables
Correct Answer: B) Security Group Tags (SGTs) and ISE
Explanation: SGTs and ISE enable identity-based access control across both architectures. ISE authenticates users, assigns SGTs based on identity or device characteristics, and these tags are propagated through both traditional (via TrustSec) and SD-Access (natively) networks. Group-Based Access Control Lists (GBACLs) then enforce policy based on SGT values. DNA Center policies are more suited to device and network management rather than identity-based access. Border nodes enforce policies but don't create the identity-based foundation. VLAN-to-VN mapping enables connectivity but not security enforcement.
Sample Question 4
Question: You are designing an interoperable network where traditional VLAN 100 needs to communicate with Virtual Network "Engineering" in the SD-Access fabric. At which point in the network is the VLAN-to-VN translation performed?
A) At the DNA Center control plane
B) At the fabric edge node where the traditional network connects
C) At the border node connecting the two architectures
D) At the core routing layer
Correct Answer: C) At the border node connecting the two architectures
Explanation: The border node is where the fabric meets the traditional network. With a Layer 2 border handoff, VLAN 100 from the traditional campus is bridged into the fabric VLAN that belongs to the "Engineering" VN; with a Layer 3 handoff, the VLAN 100 subnet is learned into the Engineering VRF over the per-VN BGP session. DNA Center defines the VNs and provisions the handoff but does not translate anything in the data plane. The fabric edge node binds directly attached endpoint VLANs to VNs, but it is not where an external VLAN is admitted. The core routing layer is simply where a border node usually sits; the fabric role, not the tier, performs the translation.
Key Takeaways for Exam Success
- Understand both architectures independently: You cannot understand interoperability without firmly grasping traditional and SD-Access separately
- Focus on boundary devices: Edge nodes and border nodes are where most interoperability questions focus
- VLAN-to-VN mapping is fundamental: This concept appears in nearly every interoperability question
- DNA Center and ISE are not optional: These management platforms are essential for interoperability, not optional add-ons
- Security Group Tags bridge architectures: SGTs provide a consistent security model across both environments
- VXLAN enables fabric operation: Understanding VXLAN encapsulation and VNI mapping is critical
- Think in layers: Separating concerns by layer (underlay, overlay, control plane) simplifies problem-solving
- Practice scenario analysis: Real exam questions present scenarios; practice analyzing them systematically
- Know the tools: Understand which tool (DNA Center, ISE, traditional management) handles which function
- Review Cisco documentation: Use official Cisco documentation and white papers as authoritative sources