A wireless LAN controller that is fabric enabled can connect access points and wireless endpoints to the SD-Access fabric.
The wireless LAN controller is external to the fabric and connects to the SD-Access fabric through an internal border node.
The WLC node provides onboarding and mobility services for wireless users and endpoints connected to the SD-Access fabric.
The fabric WLC performs tunnel ingress/egress registrations to the fabric control plane on behalf of the fabric edges.
The control plane will map the host endpoint identifier to the current fabric access point and the fabric edge node location the access point is attached too.
In a normal wireless deployment the wireless LAN controller is normally centralised, and all control plane and data traffic is tunnelled to the wireless LAN controller from the access points.
In SD-Access, the wireless control plane remains centralised but the data plane is distributed with VXLAN directly from the SD-Access enabled access points.
SD-Access wireless access points establish a VXLAN tunnel to the fabric edge to transport wireless client data through a VXLAN tunnel rather than a CAPWAP one.
The access point must be connected directly to a fabric edge or fabric extended node for this to work
By utilising a VXLAN tunnel instead of a CAPWAP one, performance is increased as the traffic does not need to route all the way back to the wireless LAN controller via CAPWAP.
Policies set in VRF and SGT are applied at the fabric edge in the same way that it is applied for wired device users.