Layer 2 Versus Layer 3 Client Adjacency Overview

Layer 2 Adjacency means that NAC Appliance Server is a Layer 2 hop from hosts on its untrusted networks side. This allows NAC Appliance Server to see the real MAC address of every client it is controlling. In Layer 2 mode, a host's unique identity is defined using its MAC address only.

Layer 3 Adjacency means NAC Appliance Server is one or more Layer 3 network hops from the hosts on its untrusted networks side. In this mode, NAC Appliance Server cannot see the real MAC address of the host. In Layer 3 mode, a host's unique identity is defined using its IP address only. When using OOB mode, the client's MAC address is forwarded to NAC Appliance Server using either Clean Access Agent or the ActiveX or Java web login applet. However, this MAC address is not used by NAC Appliance to determine a host s identity; it is used only to determine the switch port a client resides on. Layer 3 OOB mode will be discussed in more detail later.

Using Layer 3 mode allows you more flexibility in your placement of NAC Appliance Servers. The drawback is it can be more complex to deploy. Deploying in Layer 3 mode behind a VPN device or wireless controller is simple and straightforward. However, deploying in a nontunneled environment, such as T1 attached branch offices, can add complexity. For some network areas, having a NAC Appliance Server be Layer 2 adjacent to the hosts it is controlling would not be possible. Some examples include VPN tunnel clients and clients coming from networks you don't control, such as business partner extranet clients. In some cases, it is not cost effective to deploy NAC Appliance Server in Layer 2 mode. In Layer 2 mode, if you have 80 small branch offices with only ten people each, you would have 80 NAC Appliance Servers—one NAC Appliance Server located at each site. In Layer 3 mode, you could have one NAC Appliance Server at the central site that posture assesses all hosts at the 80 branch offices.

Was this article helpful?

0 0

Post a comment