
How Cisco SDA Actually Works: LISP Control Plane + VXLAN Data Plane + TrustSec Policy in One Fabric
Cisco SD-Access (SDA) replaces the traditional campus stack — spanning tree, HSRP, manual VLAN trunking — with a three-plane overlay fabric. If you've ever wondered how LISP, VXLAN, and TrustSec fit together at the packet level (instead of just clicking through Catalyst Center), this deep dive is for you.

The Problem: Why Traditional Campus Designs Hit a Wall

Classic three-tier campus networks (access → distribution → core) carry a lot of baggage:

- Spanning tree across every VLAN — blocking redundant paths, unpredictable failovers
- HSRP/VRRP at distribution — 50% of gateway capacity wasted on standby
- Manual VLAN trunking — extending L2 domains creates broadcast storms and kills mobility
- Static ACLs for segmentation — thousands of lines tied to IPs that change when endpoints move

SDA eliminates all of this with a Layer 3 routed access model. The default gateway lives at the fabric edge (access switch). Every link is routed with IS-IS. Spanning tree becomes irrelevant — there are no L2 lo
Continue reading on Dev.to



