Security Solutions

3-130
Designing Access Controls
Lay Out the Network
Start your network core design with central network resources—your network’s servers, which might include:
- Directory servers (Active Directory, eDirectory, or Lightweight Directory Access Protocol [LDAP] servers) that can serve as the credential/policy repositories
- RADIUS servers (the PDPs)

  Note: As you learned in “Choose Which Devices Will Play the Role of PDP” on page 3-79, your RADIUS servers might instead be built into edge devices.

- Proxy servers and firewalls
- ProCurve NAC 800 MSs
- ProCurve NAC 800 ESs that enforce 802.1X quarantining or act as RADIUS servers only
- Web servers
- Email servers
- Video streaming server
- Databases

Note that these central resources do not all have to be in the same location,
even if you define them as part of the network core segment. For example, if
you have multiple RADIUS servers to provide load balancing and redundancy,
you might place them in different buildings on your campus to minimize the
chance of fire or accident taking them all down at once.
Next, add the core switches. You need to provide high-capacity, Layer-3
switching to route traffic among the various VLANs. ProCurve offers several
types and capacities of core-grade switches, so your decision will depend on
your capacity needs. For example, you might choose the ProCurve Switch
8200zl for the central routing switches, and you might connect banks of
servers to the ProCurve Switch 5400zl.
Although all these servers might be part of the network core, they need not
be in the same VLAN. In the earlier planning steps, you designed server VLANs
that separate resources according to the users who need to access them. As
you connect servers to their switches, configure the switch ports for the
correct server VLAN.
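
One way to check that last step is to compare the planned server-to-VLAN assignments against the untagged port membership in a switch's saved configuration. The script below is an added example, not part of the original guide; the stanza layout follows the style of a ProCurve running-config, and every VLAN ID, VLAN name, port and server name in it is constructed for illustration.

```python
import re

# Constructed sample in the style of ProCurve running-config VLAN stanzas.
SAMPLE_CONFIG = """
vlan 1
   untagged A9-A24
   exit
vlan 10
   name "Finance_Servers"
   untagged A1-A4
   exit
vlan 20
   name "Email_Web_Servers"
   untagged A5-A8,B2
   exit
"""
# Constructed plan from the design steps: server -> (switch port, server VLAN ID).
PLAN = {"finance-db": ("A2", 10), "mail01": ("A6", 20),
        "web01": ("A9", 20),     # cabled, but the port was left in VLAN 1
        "video01": ("B3", 20)}   # port has no untagged VLAN in this sample

def expand_ports(spec):
    """Expand a port list such as 'A5-A8,B2' into individual port names."""
    ports = []
    for part in spec.split(","):
        m = re.fullmatch(r"([A-Za-z]*)(\d+)-\1(\d+)", part)
        ports += ([f"{m[1]}{n}" for n in range(int(m[2]), int(m[3]) + 1)]
                  if m else [part])
    return ports

def untagged_vlan_by_port(config):
    """Map each port to the VLAN ID in which it is an untagged member."""
    result, vid = {}, None
    for words in (line.split() for line in config.splitlines()):
        if len(words) == 2 and words[0] == "vlan" and words[1].isdigit():
            vid = int(words[1])
        elif words == ["exit"]:
            vid = None
        elif vid is not None and len(words) == 2 and words[0] == "untagged":
            result.update((port, vid) for port in expand_ports(words[1]))
    return result

def audit(plan, config):
    """Return (server, port, planned VLAN, configured VLAN) per mismatch."""
    actual = untagged_vlan_by_port(config)
    return [(srv, port, vid, actual.get(port)) for srv, (port, vid)
            in sorted(plan.items()) if actual.get(port) != vid]

print(*audit(PLAN, SAMPLE_CONFIG), sep="\n")
```

Each reported tuple is a server whose port is not an untagged member of its planned server VLAN; a configured value of `None` means the port has no untagged VLAN in the parsed configuration.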