Security Solutions

3-147
Designing Access Controls
Lay Out the Network
For example, in your private offices (a private wired zone), some employees might bring along their laptops when meeting with colleagues and connect to the network wirelessly (private wireless zone). In such cases, you have a private wireless zone overlaid on a private wired zone. Both segments occupy the same physical space, even though they operate differently. For this situation, you may be able to run the two segments from the same switch, as long as the switch has the port capacity required.
Designing Adjacent and Overlapping Zones
You might select modular, flexible switches like the 5400zl for combining zones; these switches can be easily reconfigured when the zones expand or change.
In addition, you may want to mix authentication types in the same environment. For example, although your private office environment (private wired zone and private wireless zone) ordinarily uses 802.1X authentication, that access control method may not be feasible for “headless” devices like printers, scanners, or fax machines because such devices may not be able to run supplicant software. In these cases, you may serve the headless devices with MAC-Auth ports in the same segment where computer users have 802.1X ports.
Remember: even when you do find opportunities to combine zones on a single switch, you should try to keep the ports from intermixing at random. If you assign certain sets of ports for each zone, it will be easier to administer and troubleshoot the network.
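The following is an added example (not part of the guide) that lays out the port sets described above: each zone gets a contiguous block of ports, the switch's port capacity is checked first, and headless devices share a segment with 802.1X users while getting MAC-Auth ports. The port counts, VLAN ids and 24-port capacity are constructed, and the emitted `aaa port-access` command forms are assumed from the ProCurve CLI, so check them against your switch's reference.

```python
"""Plan port sets for zones sharing one switch and emit a ProCurve-style
configuration. Added example, not from the guide: port groups, VLAN ids and
the 24-port capacity are constructed, and the `aaa port-access` command
forms are assumed from ProCurve's CLI (verify against your switch's
reference before use)."""
from dataclasses import dataclass


@dataclass
class PortGroup:
    name: str
    vlan: int    # segment; two groups may share a VLAN
    count: int   # ports the group needs
    auth: str    # "8021x" for supplicant hosts, "mac" for headless devices


def allocate_ports(groups, capacity):
    """Hand each group one contiguous block of ports, in the order given,
    so zones never intermix at random. Fails if the switch is too small."""
    needed = sum(g.count for g in groups)
    if needed > capacity:
        raise ValueError(f"need {needed} ports but switch has {capacity}")
    plan, nxt = {}, 1
    for g in groups:
        plan[g.name] = (nxt, nxt + g.count - 1)
        nxt += g.count
    return plan


def render_config(groups, plan):
    """Emit config lines: VLAN membership per group, 802.1X on supplicant
    ports, MAC-Auth on headless ports, both checked against RADIUS."""
    lines = ["aaa authentication port-access eap-radius",
             "aaa authentication mac-based chap-radius"]
    for g in groups:
        first, last = plan[g.name]
        rng = f"{first}-{last}"
        lines.append(f"vlan {g.vlan} untagged {rng}")
        cmd = "authenticator" if g.auth == "8021x" else "mac-based"
        lines.append(f"aaa port-access {cmd} {rng}")
    if any(g.auth == "8021x" for g in groups):
        lines.append("aaa port-access authenticator active")
    return lines


# Constructed scenario: office PCs and printers share VLAN 10 (one segment,
# two auth methods); the APs for the overlaid wireless zone sit on VLAN 20.
OFFICE = [PortGroup("office-pcs", 10, 16, "8021x"),
          PortGroup("office-printers", 10, 4, "mac"),
          PortGroup("office-aps", 20, 4, "mac")]

if __name__ == "__main__":
    print("\n".join(render_config(OFFICE, allocate_ports(OFFICE, 24))))
```

Running the plan against a smaller capacity (for example 20 ports) raises immediately, which is the check to make before deciding that two zones can share one switch.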