Have a network design question…. I’m often being directed to follow traditional networking design approaches, one of which is always creating VLANs on the core rather that steering more to moving them to the edge and using a layer 3 approach, especially when wanting to use NAC in a particular way. There are going to be reasons for either or, but my focus is on using layer 3 at the edge for the use of NAC for a specific end goal.
My view is that in the past switches where less capable, but now this really isn’t so much of a concern, so possibly pushing layer 3 to edge for the specific use of NAC makes better sense, perhaps even to do as the norm?
Often one of the end sight goals is to have NAC dynamically assign a user to their respective VLAN wherever they may connect on the network.
Using the approach of creating all the subnets on the core means you equally have a different VLAN ID’s for each of the /24 subnets that might exist at the edge. This means to reach that final goal the rule engine in NAC could end up getting pretty big and arguably messy i.e. the rules might be for a data subnet, to assign the HR department profile based on where they connect in the network as such:
• If connecting from location A then contain to VLAN 10, HR AD User, assign profile HR
• If connecting from location B then contain to VLAN 22, HR AD User, assign profile HR
• If connecting from location C then contain to VLAN 33, HR AD User, assign profile HR
Now if you push layer 3 out to the edge then the data VLAN, a self-contained /24 subnet, each could then have the same VLAN ID, say 100 for all Data subnets throughout the network. Now the three rules could be replaced with one:
• If HR AD User, contain to VLAN 100, HR AD User, assign profile HR
So progressively, especially with a lot of switches this becomes very much simpler.
My question is, would in this example moving layer 3 to the edge make most sense or is there a better way to simplify the rules in the previous approach?
Many thanks in advance.