Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Cisco Software-Defined Access: Introducing an Entirely New Era in Networking Solution Overview

Networking Solution Solution Overview

Available Languages

Download Options

  • PDF
    (409.4 KB)
    View with Adobe Reader on a variety of devices
Updated:December 22, 2020

Available Languages

Download Options

  • PDF
    (409.4 KB)
    View with Adobe Reader on a variety of devices
Updated:December 22, 2020


Introducing an entirely new era in networking

What if you had deep visibility into all endpoints on your network and how they were interacting with each other and network resources? What if you could use that information to define and author access control policies? What if you could segment and let the network enforce these policies dynamically and automatically?

Cisco® Software-Defined Access (SD-Access) is a solution within Cisco Digital Network Architecture (Cisco DNA) which is built on intent-based networking principles. Cisco SD-Access provides visibility-based, automated end-to-end segmentation to separate user, device, and application traffic without redesigning the underlying physical network. Cisco SD-Access automates user-access policy so organizations can make sure the right policies are established for any user or device with any application across the network. This is accomplished by applying unified access policies across LAN and WLAN, which creates a consistent user experience anywhere without compromising on security.


     Enhance visibility by using advanced analytics for user and device identification and compliance. Employ artificial intelligence and machine learning techniques to classify similar endpoints into logical groups.

     Leverage policy analytics by a thorough analysis of traffic flows between endpoint groups and use it to define the right group-based access policies. Define, author, and enforce these policies using a simple and intuitive graphical interface.

     Segment to secure by automatically setting up all wired and wireless network devices for granular two-level segmentation for complete zero-trust security and regulatory compliance.

     Exchange operating policies and ensure consistency by utilizing Cisco’s intent-based networking multidomain architecture for enforcement throughout the access, WAN, and multicloud data center networks.

Cisco SD-Access overview

Figure 1.               

Cisco SD-Access overview

Cisco SD-Access solution overview

Cisco SD-Access enables IT transformation by improving visibility, defining and applying group-based access policies, segmenting network to isolate traffic, reduce risk, and contain threats, and achieving consistency in policy over the entire enterprise from users to applications. Building this next-generation solution involves some key foundational elements, including:

     Controller-based architecture

     Network fabric

     Programmable infrastructure

Controller-based architecture: Traditional networking focuses on per-device management, which takes time and creates many complexities. This approach is prone to human errors. Cisco SD-Access uses Cisco DNA Center, the command and control center for the Cisco DNA–based network, to drive business intent into the orchestration and operation of network elements. This includes the day-0 configuration of devices and policies associated with users, devices, and endpoints as they connect to the network.

The controller provides a network abstraction layer to arbitrate the specifics of various network elements. Additionally, Cisco DNA Center exposes northbound Representational State Transfer (REST)-based APIs to facilitate third-party or in-house development of meaningful services on the network.

Network fabric: With a controller element in place, you can consider building the network in logical blocks called fabrics. The Cisco SD-Access Fabric leverages Virtual Network Overlays in order to support mobility, segmentation and programmability at very large scale. The Virtual Network Overlay leverages a control plane to maintain the mapping of endpoints to their network location up to date as endpoints move around the network. Separation of the control plane from the forwarding plane reduces complexity, improves scale and convergence over traditional networking techniques. The Cisco SD-Access Fabric enables several key capabilities, such as the host mobility regardless of volume of moves and size of the network, Layer 2 and Layer 3 segmentation, and wireless integration. Other capabilities include intelligent services for application recognition, traffic analytics, traffic prioritization and steering for optimum performance and operational effectiveness.

Programmable infrastructure: To build a modern infrastructure, Cisco is equipping its existing and future devices with advanced capabilities to enable full lifecycle management while being open, standards-based and extensible. These key technologies include (1) automated device provisioning, incorporating well-known functions such as zero-touch provisioning, and Plug and Play; (2) open API interface; (3) granular visibility, using telemetry capabilities such as NetFlow; and (4) seamless software upgrades with live software patching.

The pace of change exceeds human scale

Figure 2.               

The pace of change exceeds human scale

These challenges are deeply rooted within network and security operations as noted below:

Network operations

     Without adequate knowledge of who and what is on the network and how they are using it, network administrators cannot create endpoint inventories or map traffic flows, leaving them unable to properly control the network.

     Networks cannot respond quickly to evolving business needs if changes need to be done manually. Such modifications take a long time and are error prone.

Security operations

     Securing the network without deep visibility and insights into endpoint identity, composition, location, and behavior, is impossible. Obtaining this level of information on who and what is on the network requires deep analysis of the endpoint and its interactions.

     Effective network segmentation, a well-recognized security best practice, can be exceptionally difficult to achieve in a complex network with a variety of users and devices requiring different access privileges. Traditional IP-address-based methods with firewalls, VLANs, and Access Control Lists (ACLs) do not scale and are not efficient in responding to real-time needs.

     Complying with regulations requires that granular access controls be applied to users and devices and block any unauthorized access. Without an effective segmentation strategy that reduces risk and the scope, cost, and difficulty of compliance assessments and controls, verification of compliance will be extremely hard.

Solution components

The core components that make up the SD-Access solution are:

     Cisco DNA Center

     Cisco Identity Services Engine (ISE)

     Wired and wireless networking infrastructure




Why Cisco SD-Access?

There are many challenges today in managing the network because of manual configuration and fragmented tool offerings.

Manual operations are slow and error-prone, and these issues are exacerbated due to the constantly changing environment with more users, devices and applications. With the growth of users and different devices types coming into the network, configuring user credentials and maintaining a consistent policy across the network is more complex. If your policy is not consistent, there is the added complexity of maintaining separate policies between wired and wireless. As users move around the network, locating the users and troubleshooting issues also become more difficult. The bottom line is that the networks of today do not address today’s network needs.

Cisco Services

Accelerate your journey to a digital-ready network with Cisco Software-Defined Access services.

Cisco Services provide expert guidance to help you achieve a streamlined operational model across wired and wireless environments at a lower cost. With proven experience, best practices, and innovative tools, Cisco Services work with you to easily manage, scale, and secure your Cisco SD-Access solution. By choosing from a comprehensive lifecycle of services – including advisory, implementation, optimization, and technical services – you can move to a secure and automated unified network with ease and confidence. Learn more.

Cisco SD-Access use cases

Building on the foundation of industry-leading capabilities, Cisco SD-Access can now deliver key business-driven use cases that truly realize the promise of a digital enterprise while reducing the total cost of ownership (Table 1).

Table 1.           Cisco SD-Access use cases

Use case



Increase visibility

  Use Deep Packet Inspection (DPI), telemetry, and other sources to identify endpoints and their attributes
  Use AI and ML techniques to classify like endpoints based on shared attributes into logical groups
  Build a detailed inventory of previously unknown endpoints
  Ensure that endpoints on your network are compliant to policies regarding OS, patch levels, etc.

Determine network policies

  Obtain visual representation of traffic flows between endpoint groups with details such as protocols, ports used, etc.
  Use the visual flows to get insights into network usage and set policies to permit or deny these interactions or add new ones

Secure through group and policy-based segmentation

  Onboard users with 802.1X, Active Directory, and static authentication
  Group users with Scalable Group Tags (SGTs)
  Automate VRF configuration (lines of business, departments, etc.) and create virtual networks
  Use Encrypted Traffic Analytics (ETA) to further enhance analysis of traffic through AVC and NetFlow
  Author and enforce granular access and communication policies between groups
  Reduce time needed to provision network segmentation and user groups
  Segment the network at two levels – a “macro” level that separates larger logical blocks such as lines of businesses, and a “micro” level that permits or denies communication between groups at a protocol and port level
  Provide a foundation to enforce network security policies
  Be able to detect and intercept threats at line rate (not from samples) from the center throughout the network, including all devices on the network edge

Zero trust security for the workplace

  Provide just the level of access required by the user or device according to their role
  Protect users and devices against lateral spread of malware
  Mitigate the risk of unauthorized access
  Proactively contain breaches
  Respond to and reduce risks
  Enhance regulatory compliance

User mobility

  Single point of definition for wired and wireless users
  Seamless roaming for wireless
  Distributed data plane for wireless access
  Simplified guest provisioning for wireless
  Management of wired and wireless networks and users from a single interface (Cisco DNA Center)
  Ability to offload wireless data path to network switches (reduce load on controller)
  Scalable fabric-enabled wireless with seamless roaming across campus
  Simplified policy provisioning
  Time savings when provisioning policies

Guest access

  Define specific groups for guest users
  Create policy for guest users’ resource access (such as Internet access)
  Simplified policy provisioning
  Time savings when provisioning policies

IoT integration

  Segment and group IoT devices
  Define policies for IoT group access and management
  Device profiling with flexible authentication options
  Simplify deployment of IoT devices
  Reduce network attack surface with device segmentation

Monitoring and troubleshooting

  Multiple data points on network behavior (syslog, stats, etc.)
  Contextual data available per user and device
  Significantly reduce troubleshooting time
  Use rich context and analytics for decision making

Cloud/data center integration

  Identity federation allows exchange of identity between campus and data center policy controllers
  Share policies between SD-Access, SD-WAN, and multicloud data centers
  Administrator can define user-to-application access policy from a single interface
  End-to-end policy management for the enterprise
  Identity-based policy enforcement for optimized ACL utilization
  Flexibility when enforcing policy at campus or data center

Branch integration

  Create a single fabric across multiple regional branch locations
  Simplified provisioning and management of branch locations
  Enterprise-wide policy provisioning and enforcement

Giving IT time back with Cisco SD-Access

Cisco SD-Access gives IT time back by dramatically reducing the time it takes to manage and secure your network and improving the overall end-user experience.

Giving IT time back with Cisco SD-Access

Getting started with segmentation through Cisco SD-Access

Network segmentation begins with gaining visibility into what’s on the network, but the rapid growth and variety of IoT devices makes that challenging. AI endpoint analytics, a feature of Cisco DNA Center, uses multiple data sources to identify unknown devices based on their state. It then applies AI/ML techniques to intelligently monitor behavioral attributes and group like devices so policy can be applied to the group. This reduces or eliminates the first hurdle in many of our customers’ segmentation projects, overcoming a lack of visibility into what and how resources are connecting and applying the right policy that does not prevent the connection, disrupting business objectives.

Next, network segmentation requires knowing the expected, appropriate behavior of devices on the network. Group-based policy analytics, another feature of the Cisco DNA Center, collects and analyzes network traffic flows, models observed behavior based on device types, and then suggests solid segmentation policies. This reduces or eliminates the second hurdle in many of our customers’ segmentation projects, which is overcoming complexity in the network to identify and build secure access policies.

Network segmentation then requires some way to “program” the segmentation policy, historically though lines and lines of complex configuration code. Once policy analysis is complete, you may use Access Control Application, running within the Cisco DNA Center, to automatically configure new or update existing policies, dramatically cutting complexity and human error. Cisco ISE then applies these policies in the network infrastructure that enforce them.

Migrating an existing network to Cisco SD-Access

Organizations wishing to convert their existing networks to the simplicity, automation, and security that SD-Access offers can do so with minimum disruption to their users and connected devices. SD-Access offers a way in which network devices can be gradually migrated over to an SD-Access fabric, for example, as part of a hardware refresh cycle.

The three deployment models for SD-Access

Figure 3.               

The three deployment models for SD-Access

While the benefits of segmentation can be realized with no fabric, SD-Access enables the fabric to first be introduced at the distribution layer of the network topology. This is especially helpful to those who have existing Layer 2 access configurations and would prefer not to reconfigure immediately to Layer 3 access. Even without the fabric, SD-Access benefits such as endpoint and traffic visibility through AI Endpoint Analytics and group-based policy analytics, and Cisco DNA Center features such as Assurance, Automation, and security integrations can be realized.

Access layer switches may connect to the distribution switches as extended or policy-extended nodes. Policy-extended switches perform inline tagging and enforce access policies, but still provide Layer 2 connectivity to their endpoints. Endpoints connected to the access switches do not see any change and continue to function as usual in this hybrid setup.

Once the distribution layer has been migrated, access switches can then join the fabric in a controlled and gradual manner. Devices connected to such switches maintain interconnectivity to the devices and services that are yet to be migrated over, while providing the benefits of the fabric.

Cisco Capital

Flexible payment solutions to help you achieve your objectives

Cisco Capital makes it easier to get the right technology to achieve your objectives, enable business transformation and help you stay competitive. We can help you reduce the total cost of ownership, conserve capital, and accelerate growth. In more than 100 countries, our flexible payment solutions can help you acquire hardware, software, services and complementary third-party equipment in easy, predictable payments. Learn more.

Customer success stories

Cisco customers in every industry are changing the way they approach network and security operations in their networks with Cisco SD-Access. Take a look at the latest customer case studies to learn how customers are deploying Cisco SD-Access and the benefits they are experiencing. Read stories.

Next steps

     Read the Cisco SD-Access Technical Solution white paper.

     Build your solution with Cisco DNA Solution Builder.

     Follow the Cisco Validated Design Guides.

     Register to attend a live SD-Access demo.

How to buy

To view ordering and buying options and speak with a Cisco sales representative, refer to the Cisco SD-Access ordering guide or visit https://www.cisco.com/c/en/us/buy.


Learn more