Will 802.1x increase your security for the wired network?

Perhaps. This depends primarily on the way you set up your trust domains and the mobility of your users. Chapter 9 discusses this in more detail. The three primary reasons to deploy 802.1x for basic wired authentication are a lack of physical security controls, a requirement for subnet consistency as your users move from place to place, and to help with attack source trace back on large networks.

Wouldn't going to L3 at the user access layer increase security?

Again, it might. Just now are switches starting to hit the price points that allow some organizations to consider deploying L3 at the first point of user connect. This is generally done out of a desire to avoid spanning tree. Based on my experience, I would stick with the established best practices in this area, which are L2 at the user access layer and L3 at the distribution layer. Using L3 at the access layer requires more management and does not provide a significant security benefit.

Where will your management network connect in these designs?

The management networks, discussed in Chapter 16, "Secure Network Management and Network Security Management," connect off of a dedicated segment in the medium and high-end campus designs and directly connect in the small network design. This increases the security risk, though, because a successful sniffing attack can lead to the capture of management information.

Where will the multiple paths available in the high-end resilient design come into play with security considerations?

The firewalls and NIDS are the affected devices because they are the only devices using state-aware security in the network. Among other things, flow-based rather than packet-based load balancing should be used. A number of other considerations around this asymmetric routing problem are discussed in Chapter 6.

Based on your understanding of this chapter, which campus design is currently closest to your own network?

Which changes would be needed to get your network to the level of security provided by these designs?

Looking at the design most similar to the design you envision for your own network, find at least one place where you disagree with the layout or function of the design. How and why would you do it differently?