Access Control
Access needs to be controlled to ensure that users and devices are identified and authorized for entry to their assigned network segment. Security at the access layer is critical for protecting the network from threats, both internal and external.
Path Isolation
Path isolation involves the creation of independent logical network paths over a shared network infrastructure. MPLS VPN is an example of a path-isolation technique, where devices are mapped to a VRF to access the correct set of network resources. Other segmentation options include VLANs and VSANs, which logically separate LANs and SANs. The main goal when segmenting the network is to provide scalability, resiliency, and security services comparable to those of a non-segmented network.
Services Edge
The services edge refers to making network services available to the intended users, groups, and devices under a centrally managed and enforced policy. Separate groups or devices occasionally need to share information that may be on different VLANs, each with corresponding group policies. For example, traffic from the sales VLAN might need to talk to the engineering VLAN, but it needs to go through the firewall to permit the traffic and might even be tied to certain hours of the day. In such cases, the network should have a central way to manage the policy and control access to the resources. An effective way to address policy enforcement is to use an FWSM in a Cisco Catalyst 6500 series switch providing firewall services for the data center.
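The following configuration fragment is an added illustration, not taken from the book, of the path-isolation and services-edge ideas above on a Catalyst switch: two VLANs are mapped to separate VRFs (VRF-lite), the only route between them points at a firewall, and a time-of-day policy permits the sales group to reach one engineering service. All VRF names, VLAN IDs, addresses and the firewall hop are assumed values; the policy is written in IOS ACL syntax for readability, and on an FWSM the equivalent rule would be expressed in the firewall's own syntax.

```cisco
! VRF-lite path isolation plus a time-based inter-VLAN policy.
! Added example with assumed names, VLAN IDs and addresses.
!
! --- Path isolation: one VRF per group --------------------------------
ip vrf SALES
 rd 65000:10
ip vrf ENG
 rd 65000:20
!
! Each VLAN interface (SVI) is bound to its VRF, so the two groups
! hold separate routing tables and cannot reach each other directly.
interface Vlan10
 description Sales
 ip vrf forwarding SALES
 ip address 10.10.0.1 255.255.0.0
!
interface Vlan20
 description Engineering
 ip vrf forwarding ENG
 ip address 10.20.0.1 255.255.0.0
!
! --- Services edge: the firewall is the only path between VRFs --------
! Each VRF's default route points at the firewall's interface in that
! VRF (assumed addresses), so sales-to-engineering traffic must cross it.
ip route vrf SALES 0.0.0.0 0.0.0.0 10.10.0.254
ip route vrf ENG   0.0.0.0 0.0.0.0 10.20.0.254
!
! Central policy: allowed only during business hours, everything else
! from sales toward engineering is denied and logged for the SOC.
time-range BUSINESS_HOURS
 periodic weekdays 8:00 to 18:00
!
ip access-list extended SALES_TO_ENG
 remark Sales may reach the engineering HTTPS service on weekdays only
 permit tcp 10.10.0.0 0.0.255.255 host 10.20.0.50 eq 443 time-range BUSINESS_HOURS
 deny   ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255 log
```

The `deny ... log` entry is what makes the policy auditable: any sales host reaching for engineering outside the permitted window shows up in the firewall log rather than silently failing.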
Key Topic
Table 4-5 describes network virtualization considerations.
Table 4-5  Network Virtualization Design Considerations

Network Virtualization Consideration   Description
-------------------------------------  ---------------------------------------------------------------
Access control                         Ensures users and devices are recognized, classified, and
                                       authorized for entry to their assigned network segments
Path isolation                         Provides independent logical traffic paths over a shared network
Services edge                          Ensures the right services are accessible to the intended users,
                                       groups, or devices
References and Recommended Readings
Module 3 (Designing Basic Campus and Data Center Networks)—Designing for Cisco Internetwork Solution Course (DESGN) 2.1.
Cisco Design Zone for Data Centers, www.cisco.com/en/US/netsol/ns743/networking_solutions_program_home.html.