Cisco SD-Access is Cisco’s software-defined access networking solution for building centralized, policy-based wired and wireless campus networks across users, devices, applications, IoT endpoints, and enterprise access environments. It is mainly built around Cisco Catalyst Center (formerly Cisco DNA Center), Cisco Identity Services Engine (ISE), Cisco Catalyst Switches, Cisco Catalyst access points and Cisco ISR and ASR platforms. License-dependent Cisco SD-Access components and related software features must be activated with the correct Cisco license, such as Smart License, including PLR License and SLR License.
Solution Highlights
- Build a centralized access network for wired users, wireless users, IoT devices, and campus environments
- Use Cisco Catalyst Center (formerly Cisco DNA Center) for automation, assurance, provisioning, and policy workflows
- Use Cisco ISE for identity, authentication, segmentation, and group-based access control
- Support Cisco Catalyst switches, Catalyst access points, and other supported Cisco access platforms
Cisco SD-Access At a glance
What it does : Cisco SD-Access helps organizations automate and secure campus access networks by applying centralized policy, segmentation, identity-based access, and consistent wired and wireless control.
Solution type : Cisco campus, branch access, wired, wireless, identity, segmentation, and automation solution, not a single hardware product.
Main Cisco software and controllers : Cisco SD-Access is mainly built around Cisco Catalyst Center (formerly Cisco DNA Center) for management and automation, and Cisco ISE for identity, authentication, and policy enforcement.
Related Cisco platforms : Cisco SD-Access can be used with Cisco Catalyst switches, Cisco Catalyst access points, Cisco ISR and ASR platforms industrial access switches, and other supported Cisco access devices.
Who needs it : Organizations that need centralized campus access control, user and device segmentation, wired and wireless consistency, identity-based policy, IoT access control, automation, and better operational visibility.
Cisco SD-Access Overview
Cisco SD-Access is designed to simplify how organizations manage enterprise access networks. In traditional campus networks, administrators often rely on VLANs, ACLs, manual switch configuration, and separate wired and wireless policies. Cisco SD-Access changes this approach by creating a centralized access fabric where policy, identity, segmentation, and automation are managed more consistently. The solution is different from Cisco ACI and Cisco SD-WAN. Cisco ACI is mainly focused on data center networking, Cisco SD-WAN is focused on WAN and branch connectivity, while Cisco SD-Access is focused on campus and access networks where users, endpoints, phones, printers, cameras, access points, and IoT devices connect.
At the center of Cisco SD-Access is Cisco Catalyst Center(formerly Cisco DNA Center). It provides the main platform for design, provisioning, automation, assurance, monitoring, and operational visibility. Cisco Catalyst Center helps administrators manage the access network from a central interface instead of configuring every switch or wireless device separately. Cisco ISE is also a key part of the SD-Access architecture. It provides identity services, user and device authentication, group-based policy, Security Group Tags, and access control decisions. This makes Cisco SD-Access useful for environments that need stronger segmentation and identity-based security.
The main value of Cisco SD-Access is that it helps organizations build a more automated, secure, and consistent campus access network. It is especially useful when the environment includes many users, wireless devices, IoT endpoints, departments, guest networks, and access security requirements.
How Cisco SD-Access Works
Cisco SD-Access works by creating a fabric-based access network across wired and wireless infrastructure. Instead of managing access switches, wireless controllers, user groups, VLANs, and security rules separately, SD-Access allows the campus network to operate through a centralized policy and automation model. This fabric helps users, devices, and IoT endpoints receive consistent access policies whether they connect through Ethernet or Wi-Fi. As a result, employees, guests, phones, cameras, printers, and wireless clients can be placed into the correct network segment and access group based on identity, device type, and business policy.
Cisco Catalyst Center (formerly Cisco DNA Center) : is used to design the network, provision devices, assign fabric roles, apply policies, and monitor health. It gives administrators a centralized way to manage the SD-Access environment.
Cisco ISE : identifies users and endpoints and helps decide which access policy should be applied. For example, employees, guests, cameras, IoT devices, and voice devices can be placed into different policy groups or virtual networks.
Cisco Catalyst switches : provide the wired access infrastructure for the SD-Access fabric. These switches can act as fabric edge nodes, border nodes, control-plane nodes, intermediate nodes, or other fabric roles depending on the design.
Cisco ISR and Cisco ASR : Can be used in some border or control-plane roles depending on design and compatibility.
Cisco Access Points : extend SD-Access policy into the wireless network. This helps users receive consistent access behavior whether they connect by cable or Wi-Fi.
In simple terms, Cisco SD-Access helps network teams define who or what is connecting, what access they should receive, and how that policy should follow them across the campus network.
Core technical flow
- Identify the campus access requirement, such as wired access, wireless access, user segmentation, IoT control, guest access, or identity-based policy.
- Deploy Cisco Catalyst Center as the main platform for SD-Access design, automation, provisioning, assurance, and operational visibility.
- Integrate Cisco ISE to provide identity, authentication, Security Group Tags, group-based policy, and access control.
- Add supported Cisco access platforms such as Cisco Catalyst switches, Cisco Catalyst access points, and other supported Cisco IOS XE devices.
- Assign fabric roles such as fabric edge node, border node, control-plane node, intermediate node, fabric wireless controller, or fabric access point.
- Configure virtual networks, segmentation, policy groups, user access rules, wireless integration, and campus network services.
- Validate endpoint access, policy behavior, wireless and wired connectivity, license status, device health, support coverage, and renewal timing after deployment.
Cisco Products Used with Cisco SD-Access
| Cisco products (Platforms) | Role in Cisco SD-Access environment | Why it matters |
|---|---|---|
| Cisco Catalyst Center (formerly Cisco DNA Center) | Acts as the main automation, assurance, management, and provisioning platform for Cisco SD-Access. | It is used to design the network, onboard devices, assign fabric roles, configure policies, monitor health, and manage campus operations. |
| Cisco ISE | Provides identity services, authentication, authorization, Security Group Tags, and group-based access policy. | It helps Cisco SD-Access apply the right access policy to users, devices, guests, IoT endpoints, and business groups. |
| Cisco Catalyst switches | Provide the wired switching infrastructure for the SD-Access fabric. | Catalyst switches can support fabric roles such as edge node, border node, control-plane node, intermediate node, or fabric-in-a-box depending on the design. |
| Cisco Access Points | Connect wireless users, mobile devices, and IoT endpoints into the access network. | Access points extend SD-Access policy into wireless environments and support consistent wired and wireless access behavior. |
| Cisco ISR / ASR platforms | Can be used in some border or control-plane roles depending on design and compatibility. | These platforms may be relevant when SD-Access needs to connect to WAN, external networks, or larger routing environments. |
Cisco Catalyst Center (formerly Cisco DNA Center)
Cisco Catalyst Center, formerly Cisco DNA Center, is the main management, automation, and assurance platform for Cisco SD-Access. It is used to design the campus network, provision supported devices, assign fabric roles, configure access policies, monitor network health, and manage assurance from a centralized interface. Instead of configuring every switch, wireless controller, network segment, or access policy manually, administrators can use Cisco Catalyst Center to automate many parts of the SD-Access deployment. This helps reduce repetitive configuration work, improve consistency across wired and wireless environments, and make network changes easier to control.
In a Cisco SD-Access architecture, Catalyst Center also helps translate business and security requirements into network behavior. For example, it can help define how users, devices, access points, switches, and fabric roles should operate inside the campus network. For Cisco SD-Access, Catalyst Center is not just a monitoring tool. It is the central platform that brings design, provisioning, policy, automation, visibility, and assurance together, allowing the campus network to operate as a more structured and policy-driven environment.
Cisco ISE
Cisco ISE is the identity and policy engine used with Cisco SD-Access to control how users, devices, guests, IoT endpoints, and other clients access the network. It helps the SD-Access environment identify who or what is connecting before applying the correct access policy. Through Cisco ISE, organizations can move beyond traditional VLAN-based or static ACL-based access control. Instead, access decisions can be based on identity, device type, user group, security posture, location, or business role. This makes the access network more flexible and easier to secure.
Cisco ISE can also use Security Group Tags to support group-based policy and micro-segmentation. This allows organizations to separate different types of traffic, such as employees, guests, cameras, phones, printers, contractors, and IoT devices, without depending only on complex manual ACL rules. In a Cisco SD-Access architecture, ISE plays a key role in connecting identity to network policy. In simple terms, Cisco ISE helps Cisco SD-Access understand who is connecting, what device they are using, and what level of access they should receive across the wired and wireless campus network.
Cisco Catalyst Switches
Cisco Catalyst switches provide the wired switching infrastructure for Cisco SD-Access. They connect users, IP phones, printers, cameras, access points, IoT devices, and other endpoint systems into the campus network, while also helping apply the policies created through Cisco Catalyst Center and Cisco ISE.
In an SD-Access design, Cisco Catalyst switches can perform different fabric roles depending on the platform model, software version, supervisor, and network architecture. Some switches may operate as fabric edge nodes for endpoint access, while others may support border node, control-plane node, intermediate node, or fabric-in-a-box roles.
Cisco SD-Access environments may include different Catalyst generations depending on the customer’s network. Legacy or brownfield environments may include Cisco Catalyst 3000 Series platforms such as Catalyst 3650 and Catalyst 3850 switches. Larger traditional campus environments may include Cisco Catalyst 6000 Series platforms such as Catalyst 6500 and Catalyst 6800 switches. Modern SD-Access deployments are most commonly built around Cisco Catalyst 9000 Series platforms, including Catalyst 9200, Catalyst 9300, Catalyst 9400, Catalyst 9500, and Catalyst 9600 switches.
The exact role of each switch should always be checked against the Cisco SD-Access compatibility matrix and the required software version, because not every Catalyst model supports every SD-Access fabric role. In general, Cisco Catalyst switches are one of the most important hardware layers in the SD-Access architecture because they connect endpoints to the access fabric and help enforce centralized network policy.
Cisco Catalyst Access Points
Cisco SD-Access can extend policy and segmentation into wireless environments through Cisco Catalyst wireless controllers and Cisco Catalyst access points. Cisco Catalyst 9800 wireless controllers can integrate wireless access into the SD-Access fabric, while Catalyst access points connect wireless users, mobile devices, and IoT endpoints. This helps organizations provide a more consistent access experience. Users can receive the right policy whether they connect through a wired port or a wireless network.
Cisco ISR and Cisco ASR
Cisco ISR and Cisco ASR platforms can be used in some Cisco SD-Access environments when the design requires routing, external connectivity, or integration with WAN and larger network services. They are not usually the primary access-layer devices like Cisco Catalyst switches, but they may support border, control-plane, or external routing roles depending on the platform model, software version, and SD-Access design. Cisco ISR is more commonly associated with branch and enterprise routing, while Cisco ASR is more suitable for larger routing, aggregation, and high-performance edge environments. In a Cisco SD-Access architecture, these platforms can help connect the campus fabric to external networks such as WAN, data center, internet, firewall, or traditional routing environments.
Features & Benefits
Cisco SD-Access helps organizations manage campus access networking with a more centralized, secure, and automated approach. One of the main benefits is centralized access control. Instead of configuring every access switch or wireless policy separately, administrators can use Cisco Catalyst Center to apply designs, provisioning, and policies across the campus environment.
Another important benefit is identity-based access. With Cisco ISE, the network can apply different policies based on users, devices, groups, or endpoint types. This is useful for employees, contractors, guests, phones, cameras, IoT devices, and business departments. Cisco SD-Access also improves segmentation. Different traffic types, departments, user groups, or device categories can be separated more cleanly without relying only on traditional VLAN and ACL designs.
Wireless and wired consistency is another strong advantage. Users can receive a similar policy experience whether they connect from a wired port or Wi-Fi. Operational visibility also improves. Cisco Catalyst Center can provide assurance, health monitoring, issue detection, client visibility, and infrastructure insights to help teams troubleshoot more quickly. Overall, Cisco SD-Access helps organizations reduce campus network complexity, improve access security, automate policy deployment, support IoT growth, and manage wired and wireless access from a more centralized operational model.
How deployment and activation works
Deploying Cisco SD-Access starts with preparing the main software components: Cisco Catalyst Center and Cisco ISE. These platforms handle automation, design, provisioning, assurance, identity, authentication, and access policy. After the software components are prepared, supported Cisco access platforms are added to the environment. These can include Cisco Catalyst switches, Cisco Catalyst 9800 wireless controllers, Cisco Catalyst access points, Cisco IOS XE platforms, industrial access switches, and other supported Cisco access devices.
Cisco Catalyst Center is then used to onboard devices, define network design, assign fabric roles, configure virtual networks, apply policies, and monitor campus health. Cisco ISE provides identity-based policy, user and device authentication, Security Group Tags, and group-based access control. License-dependent Cisco SD-Access components and related software features must be activated with the correct Cisco license, such as Cisco DNA or Catalyst software subscriptions, ISE licensing, and Smart License, including PLR License and SLR License where applicable. After deployment, administrators should validate device onboarding, fabric roles, endpoint authentication, segmentation, wired and wireless access, license status, system health, support coverage, and renewal timing.
Pricing factors + quote process
Pricing for Cisco SD-Access depends on the size of the campus environment, the Cisco platforms involved, the selected software subscriptions, the required ISE licensing, and the support or subscription term selected for the project. The main factors usually include the number of Catalyst switches, wireless controllers, access points, users, endpoints, IoT devices, Cisco Catalyst Center requirements, Cisco ISE requirements, segmentation needs, assurance features, and software subscription tier.
A small campus SD-Access deployment may need a different license and support scope than a larger enterprise environment with many buildings, many endpoints, wireless integration, IoT segmentation, guest access, and advanced assurance requirements. During the quote process, the Cisco SD-Access environment is reviewed first. Then the required Cisco platforms, software features, licensing model, support coverage, and activation requirements are mapped into the correct quote.
After you request a quote
- We review your Cisco SD-Access environment and campus access requirements
- Identify the required Cisco platforms, software features, and license scope
- Check Catalyst Center, ISE, Catalyst switches, wireless controllers, access points, and endpoint considerations
- Provide pricing, delivery details, and activation guidance