Wireless Integration with SD-Access
Wireless Integration with SD-Access
Introduction
Wireless connectivity is a critical component of any modern campus network, and integrating it into an SD-Access fabric introduces unique requirements around control plane registration, endpoint onboarding, and high availability. In a traditional Cisco Unified Wireless Network (CUWN) deployment, wireless controllers and access points operate independently from the wired switching fabric. SD-Access changes that by bringing wireless endpoints into the same overlay fabric as wired devices, providing consistent policy enforcement and segmentation across both mediums.
In this lesson, you will learn how wireless endpoints are onboarded into the SD-Access fabric, how the Fabric WLC interacts with LISP control plane nodes and edge nodes during that process, and how to plan a migration from a traditional CUWN deployment to SD-Access wireless. You will also examine the two WLC redundancy models available in fabric mode -- N+1 stateless redundancy and SSO stateful redundancy -- and understand the role of Fabric Zones in scaling wireless deployments. By the end, you will be able to describe the full wireless onboarding flow with specific control plane interactions, compare redundancy options, and apply migration best practices.
Key Concepts
Fabric WLC and Its Role
The Fabric WLC is a wireless LAN controller dedicated to SD-Access. Unlike a traditional WLC that handles both control and data plane traffic from access points, the Fabric WLC in SD-Access maintains CAPWAP control plane tunnels to the APs while the actual client data traffic is encapsulated in VXLAN by the fabric edge nodes. This separation is fundamental: the WLC manages AP associations, RF policies, and client authentication, but it does not carry user data traffic directly. Instead, it registers wireless endpoint MAC addresses into the LISP control plane so the fabric can forward traffic natively through the overlay.
LISP Instance IDs and Wireless Endpoints
Every wireless endpoint that associates with a Fabric SSID is tracked using a LISP Layer 2 Instance ID (IID). The WLC registers the endpoint MAC address against the RLOC (Routing Locator) of the edge node where the AP is connected. This registration ensures the fabric control plane knows exactly which edge node is responsible for that wireless client, enabling proper VXLAN data plane forwarding.
Fabric Zones
Fabric Zones are child sites within a parent fabric site. They provide granular control over IP pool provisioning scope. Before Catalyst Center release 2.2.3.x, the provisioning scope of an IP pool covered the entire fabric site. Fabric Zones allow administrators to assign specific VNs and IP pools to individual zones within a site, improving both security and scalability.
| Attribute | Fabric Site | Fabric Zone |
|---|---|---|
| Hierarchy | Parent | Child of a fabric site |
| Node types supported | All fabric roles | Edge nodes only (EN, EX, PEN) |
| IP pool scope | Entire site | One or more selected zones |
| L3VN assignment | Assigned at site level first | Inherited from parent, then assigned to zone |
| Collocated roles (EN+B, EN+Embedded WLC) | Supported | Not supported |
| Minimum Catalyst Center release | N/A | 2.2.3.x |
Important: L3VNs and IP pools must be assigned to the parent fabric site before they can be assigned to any Fabric Zone. Additionally, EX and PEN nodes must reside in the same Fabric Zone as their parent edge node.
How It Works
Wireless Endpoint Onboarding Flow
The wireless onboarding process in SD-Access involves a precise sequence of interactions between the endpoint, the Fabric WLC, the control plane nodes, and the edge node. The reference topology uses the following devices:
| Role | Device | Address |
|---|---|---|
| Border Node 1 | BN1 | 192.168.8.1 |
| Border Node 2 | BN2 | 192.168.8.2 |
| Control Plane 1 | CP1 | 172.31.216.36 |
| Control Plane 2 | CP2 | 172.31.216.37 |
| DHCP Server | DHCP | 172.31.24.31 |
| Fabric WLC | WLC | 10.67.33.64 |
| Edge Node 2 | EN2 | 172.31.216.71 |
| Wireless Endpoint | EP2 | MAC: bcec.4341.d25f |
The onboarding proceeds through four steps:
Step 1 -- Wireless Authentication. The wireless endpoint (EP2) authenticates to a Fabric SSID. At this stage, the AP to which the client connects maintains a CAPWAP control tunnel back to the Fabric WLC at 10.67.33.64.
Step 2 -- WLC Registers MAC in LISP L2 IID. After successful authentication, the Fabric WLC registers the wireless endpoint MAC address (bcec.4341.d25f) against the RLOC of the edge node (EN2, 172.31.216.71) in LISP L2 Instance ID 8189. This tells the control plane which edge node serves that wireless client.
Step 3 -- Control Plane Notifies Edge Node. The control plane node notifies EN2 about the new endpoint MAC address. On the edge node, three things happen simultaneously:
- A L2 LISP database entry is created for the MAC address
- The MAC address table is populated with the entry learned via the control plane (CP_LEARN)
- A Device Tracking L2 entry is created for the endpoint
Step 4 -- Edge Node Registers MAC to Control Plane. EN2 completes the process by formally registering the endpoint MAC address back to the control plane. At this point, the wireless client L2 EID is fully registered, and the fabric can forward traffic to and from this endpoint through VXLAN data plane encapsulation.
Data Plane After Onboarding
Once the onboarding is complete, user data traffic from the wireless endpoint flows through the VXLAN data plane via the edge node -- not through the WLC. The WLC continues to maintain the CAPWAP control tunnel to the AP for management purposes, but the data path is handled entirely within the fabric overlay. Border nodes provide external connectivity using per-VRF EBGP peering, and the underlay uses IGP routing to maintain RLOC reachability.
Configuration Example
Verifying Wireless Endpoint Registration on the Edge Node
After a wireless client onboards, you can verify its presence on the edge node using the following commands.
To check the MAC address table on EN2:
EN2#show mac address-table vlan 1022
Mac Address Table
-------------------------------------------
Vlan Mac Address Type Ports
---- ----------- -------- -----
...
1022 bcec.4341.d25f CP_LEARN Ac1
Total Mac Addresses for this criterion: 3
Total Mac Addresses installed by LISP: REMOTE: 0
The Type column shows CP_LEARN, confirming the MAC address was learned through the LISP control plane rather than through traditional MAC learning on a physical port. The Ports column shows Ac1, representing the access interface associated with this endpoint through the fabric.
To verify the LISP Ethernet database entry for the same endpoint:
EN2#show lisp instance-id 8189 ethernet database
LISP ETR MAC Mapping Database for LISP 0 EID-table Vlan1022 (IID 8189), LSBs: 0x1
Entries total 3, no-route 0, inactive 0, do-not-register 2
...
bcec.4341.d25f/48, dynamic-eid Auto-L2-group-8189, inherited from default locator-set
rloc_00b55af7-fbfe-481a-91fe-e8fd56ae3dc0
Uptime: 00:15:02, Last-change: 00:15:02
Domain-ID: local
Service-Insertion: N/A
Locator Pri/Wgt Source State
172.31.216.71 10/10 cfg-intf site-self, reachable
This output confirms several important details:
- The endpoint MAC
bcec.4341.d25fis mapped to VLAN 1022 in LISP Instance ID 8189 - The dynamic-eid group name
Auto-L2-group-8189was automatically assigned - The Locator is 172.31.216.71 (EN2 itself), with priority 10 and weight 10
- The state shows
site-self, reachable, confirming the edge node owns this endpoint registration
Note: The LISP database entry on the edge node is created after the control plane notification in Step 3 of the onboarding process. If this entry is missing, verify that CAPWAP connectivity between the AP and the Fabric WLC is healthy, and that the WLC successfully registered the MAC in Step 2.
Real-World Application
Migrating from Traditional CUWN to SD-Access Wireless
Most enterprise environments do not deploy SD-Access wireless on a greenfield basis. Instead, they migrate from an existing CUWN deployment. The recommended migration approach involves the following steps:
-
Deploy a dedicated WLC for SD-Access. Add a new Fabric WLC specifically for SD-Access and configure it with the same SSIDs as the existing CUWN WLC. This ensures wireless clients can connect to either controller without reconfiguration.
-
Move APs building by building. On the existing CUWN WLC, configure the APs in the target area (for example, Building 2) to join the new Fabric WLC. The APs re-establish CAPWAP tunnels to the Fabric WLC, and traffic from those APs now flows through the fabric overlay using VXLAN.
-
Accept the roaming limitation. WLCs in the CUWN domain and WLCs in the SD-Access domain must be placed in different Mobility Groups. This means there is no seamless roaming between fabric and non-fabric areas. A client moving from a non-fabric building to a fabric building will experience a brief disconnection as it re-associates.
-
Use the same RF Groups. Even though the WLCs are in separate Mobility Groups, configure them in the same RF Group so that radio resource management operates cohesively across both environments.
-
Maintain parallel management. Use Catalyst Center for managing SD-Access areas and the existing management platform for CUWN areas until migration is complete.
Building a Proof of Concept
Before migrating production traffic, build a proof-of-concept lab in an isolated, controlled environment. When you need to validate use cases that require connectivity to the production network, connect the PoC lab through a Fusion Router. The fusion router acts as the boundary between the lab SD-Access fabric and the external production network, providing controlled routing between the two domains.
WLC High Availability: N+1 vs. SSO
Choosing the right redundancy model for the Fabric WLC depends on your availability requirements.
| Feature | N+1 Stateless Redundancy | SSO Stateful Redundancy |
|---|---|---|
| WLC relationship | Independent controllers | Active/Standby pair seen as single entity |
| Control plane communication | Both WLCs communicate with CP nodes | Only Active WLC communicates with CP nodes |
| Failover behavior | CAPWAP tunnel breaks; APs rejoin Secondary WLC | APs and clients stay connected during failover |
| Post-failover action | APs and clients move to Secondary WLC | New Active WLC bulk-updates the CP node |
| AP rolling upgrade | Supported (Catalyst Center 2.1.2.0 onwards) | Supported (Catalyst Center 2.1.2.0 onwards) |
| Embedded Wireless (Catalyst 9000) | N/A | SSO via hardware stacking (9300/L) or redundant supervisors (9400, 9500 SVL) |
Best Practice: For sites that require uninterrupted wireless service during controller failover, SSO is the preferred model. For distributed deployments where a brief reconnection is acceptable, N+1 provides simpler operational management with two independent controllers.
Fabric Zones for Scalable Wireless
In large campus deployments spanning multiple buildings, Fabric Zones allow you to partition IP pool assignments within a single fabric site. For example, you can assign VN GREY with pool 192.168.10.0/24 to Fabric Zone 1 and VN BLUE with pool 192.168.30.0/24 to Fabric Zone 2, while both zones share the same control plane and border infrastructure at the parent site level. This prevents unnecessary IP pool stretching and limits the failure domain for each zone.
Summary
- Wireless onboarding in SD-Access follows a four-step process: endpoint authenticates to a Fabric SSID, the WLC registers the MAC in LISP L2 IID, the control plane notifies the edge node, and the edge node registers the MAC back to the control plane.
- The Fabric WLC handles CAPWAP control only -- user data traffic is encapsulated in VXLAN and forwarded through the fabric edge nodes, not through the WLC.
- Migration from CUWN to SD-Access requires a dedicated Fabric WLC with matching SSIDs and RF Groups, but different Mobility Groups, which means no seamless roaming between fabric and non-fabric areas.
- WLC redundancy can be N+1 (stateless, independent controllers) or SSO (stateful, single logical entity), with SSO keeping clients connected during failover and performing bulk updates to the control plane.
- Fabric Zones provide granular IP pool provisioning within a fabric site, available from Catalyst Center release 2.2.3.x onward.
In the next lesson, we will explore fabric border operations and how traffic is exchanged between the SD-Access fabric and external networks through border nodes and fusion routers.