Summary


This chapter covered virtualized access layer design. The major impact of virtualization concerns authentication and authorization. Users are identified using either clientless or client-based solutions and bound to a VLAN.

Clientless authentication is based on MAC addresses in Layer 2 solutions. This has the advantage of being universal but is difficult to deploy efficiently on anything but the smallest network. Clientless Layer 3 solutions also exist, sometimes using web portals.

Our preference is to use 802.1x. The link to RADIUS is powerful and allows dynamic per-user policy instantiation, centralized management, accounting data, and more. The 802.1x protocol itself promises strong authentication, but the access layer should continue to use the fullest range of protection available to it to guard against spoofing, denial-of-service attacks, and excessive traffic from viruses.

We concentrated our discussion on a Layer 2 access layer for four reasons. First, that is the most deployed scenario. Second, migration to virtualized networks is easy because the wiring closet needs minimal change. Third, access switches do not offer the same features or performance as distribution devices, so turning them into PEs is not obviously beneficial. And, fourth, increasing the number of PEs in the network has an operational cost. The rest of the access layer feature set, which we reviewed in the first section, is unaffected by virtualization (or was already virtualized).

The design example at the end of the chapter showed how to implement network policy at the access layer and how to interact with the rest of the virtualized network.

We hope that you have found the information in this and previous chapters helpful as you choose what is best suited for your network.




Network Virtualization
ISBN: 1587052482
EAN: 2147483647
Year: 2006
Pages: 128
