Cisco Support Community
L2 or L3 better for Access-layer switch for NAC and 802.1x?

Right now we have our access-layer vlans as L3 vlans. In other words the gateways for the access-layer vlans (both data and voice) are on the access switches (4500s and 6500s) and we uplink our access-layer switches to the distribution layer with two L3 /30 uplinks for redundancy.

We segment PCI traffic using vrf-lite and run its traffic through an ASA firewall on the distribution layer.

Eventually we want to install NAC, 802.1x access controls, and other segmentation for medical equipment and other security concerns. It has been suggested that we change our access-layer to L2 and trunk all vlans up to our distribution layer where the gateways and firewalling will be. If we use a trunked port channel for the uplink (for redundancy) then we will not fall into spanning tree blocking one of the uplinks.

Simple question:

Is L2 or L3 best at the access-layer for the implementation of NAC, 802.1x, and other segmentation purposes?
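As an added example (not part of the original question or any reply), here is what the Layer 2 access-switch model described in the question looks like in Cisco IOS: the VLANs exist on the access switch without SVIs, 802.1X with MAB fallback on the edge ports, and the two redundant uplinks bundled into one trunked LACP port-channel so spanning tree sees a single logical link. Interface names, VLAN numbers, the RADIUS server address and the shared secret are assumed placeholders; exact command syntax varies by platform and IOS release (older trains use `dot1x port-control auto` and `radius-server host` instead of the forms shown).

```cisco
! Constructed example: 802.1X/MAB on a Layer 2 access switch with the
! VLAN gateways and firewalling at the distribution layer.
! Interface names, VLAN IDs, RADIUS address and shared secret are placeholders.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server NAC-SERVER
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
dot1x system-auth-control
!
! Data, voice and medical-device VLANs exist only at Layer 2 here:
! no SVI on the access switch, so routing and firewall policy stay upstream.
vlan 10
 name DATA
vlan 20
 name VOICE
vlan 30
 name MEDICAL
vlan 999
 name QUARANTINE
!
! Edge port: 802.1X first, MAB fallback for devices without a supplicant.
! The RADIUS server can return a VLAN per session (dynamic VLAN assignment).
interface GigabitEthernet2/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 authentication host-mode multi-domain
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication port-control auto
 authentication event fail action authorize vlan 999
 authentication event no-response action authorize vlan 999
 dot1x pae authenticator
 dot1x timeout tx-period 10
 mab
 spanning-tree portfast
 spanning-tree bpduguard enable
!
! Redundant uplinks bundled into one LACP port-channel and trunked, so
! spanning tree treats them as a single link instead of blocking one.
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,999
 switchport nonegotiate
!
interface range TenGigabitEthernet1/1 - 2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,999
 channel-group 1 mode active
```

The practical check behind this layout: every VLAN the NAC/RADIUS server can assign to a session must already exist on the access switch, be allowed on the uplink trunk, and have its gateway and firewall policy in place at the distribution layer; with L3 access switches that same VLAN would also need an SVI and routing on every access switch where it could be assigned. `show authentication sessions interface GigabitEthernet2/1 details` shows which VLAN and policy a given endpoint actually landed in.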
