The term “Defense-in-Depth” refers to leveraging the defensive capability of every device in the network from the border of the network through the core, distribution, and access portions of the network and into the host itself.
This can be done by combining the following capabilities:
Firewall/IDS at the border to ward off threats before they enter the network
Network virtualization to segregate the physical network into multiple virtual networks to support multiple security levels and services
Network Access Control to authenticate user/hosts onto the network, check their security posture, and place them into the network that matches their requirements
Hosts that do not support the mechanisms can be dealt with in various ways (external scanning, web authentication, etc.), but in general garner a lower level of trust and can be segregated from the general population
Because of their very nature, Research and Education networks have a number of hosts (upwards of 25%) that do not fit a supported configuration
There must be a credible option for these hosts, otherwise, you diminish much of the effect of implementing NAC in the first place
PVLANs allow segregating a broadcast segment into a non-broadcast multi-access-like segment.
Traffic that comes to a switch from a promiscuous port is able to go out on all the ports that belong to the same primary VLAN.
Traffic that comes to a switch from a port mapped to a secondary VLAN (it can be either an isolated, a community, or a two-way community VLAN) can be forwarded to a promiscuous port or a port belonging to the same community VLAN.
IP source guard prevents IP spoofing by allowing only the IP addresses that are obtained through DHCP snooping on a particular port.
This process restricts the client IP traffic to those source IP addresses that are obtained from the DHCP server; any IP traffic with a source IP address other than those in the PACL's permit list is filtered out.
[Figure: DHCP snooping. DHCP requests from clients and DHCP responses from the DHCP server on the trusted port are forwarded; an unauthorized DHCP response ("I'm your GW: 10.1.1.1") arriving on an untrusted port is dropped ("Not by my Port ACL").]
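The interaction between DHCP snooping and IP source guard described above, as an added example that is not part of the original slides: a constructed model of one switch in which only trusted ports may source DHCP server messages, accepted leases populate a binding table, and untrusted ports may then only send IP traffic from the addresses leased to them. Port names and addresses are made up for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class SnoopingSwitch:
    """Constructed model of DHCP snooping plus IP Source Guard on a single switch."""
    trusted: set = field(default_factory=set)       # ports allowed to source DHCP server messages
    bindings: dict = field(default_factory=dict)    # port -> set of IPs leased to hosts on that port
    log: list = field(default_factory=list)

    def dhcp_server_message(self, in_port, client_port, leased_ip):
        """A DHCP OFFER/ACK arrives on in_port, answering a client behind client_port.
        DHCP snooping drops server messages from untrusted ports (rogue DHCP servers)
        and records accepted leases in the binding table."""
        if in_port not in self.trusted:
            self.log.append(f"drop: DHCP server message on untrusted port {in_port}")
            return False
        self.bindings.setdefault(client_port, set()).add(leased_ip)
        return True

    def forward_ip(self, in_port, src_ip):
        """IP Source Guard: on an untrusted port only the IPs learned from DHCP
        snooping for that port are permitted as source addresses."""
        if in_port in self.trusted or src_ip in self.bindings.get(in_port, set()):
            return True
        self.log.append(f"drop: source {src_ip} on {in_port} not in binding table")
        return False


def run_scenario():
    """Replay the situation from the figure: a real DHCP server behind the uplink,
    a rogue host claiming to be the gateway, and a client spoofing the gateway IP."""
    sw = SnoopingSwitch(trusted={"uplink"})
    results = [
        # legitimate lease for the client on port "client-a" via the trusted uplink
        sw.dhcp_server_message("uplink", "client-a", "10.1.1.50"),
        # rogue host on untrusted port "client-b" answers "I'm your GW: 10.1.1.1"
        sw.dhcp_server_message("client-b", "client-a", "10.1.1.1"),
        # client-a sends from its leased address: permitted
        sw.forward_ip("client-a", "10.1.1.50"),
        # client-a spoofs the gateway address: filtered by the port ACL
        sw.forward_ip("client-a", "10.1.1.1"),
        # client-b never obtained a lease, so any source IP from it is dropped
        sw.forward_ip("client-b", "10.1.1.77"),
    ]
    return sw, results
```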