Cisco’s opinion
Cisco does not suggest that access controls be used at this level of the campus network; this information is included so that you know VACLs can be configured at this layer. In Cisco’s opinion, the Access layer is not a legitimate place for access control.

The Access layer can also implement VLANs so that hosts can be on the same subnet without being connected to the same switch. A VLAN can span multiple Access layer switches if you trunk it to the Distribution layer, which then switches intra-VLAN traffic to the appropriate Access layer switch. Figure 11.3 shows how hosts on different switches can belong to the same local VLAN.

With Cisco’s adoption of 802.1X, used to authenticate both wireless and wireline users, the Access layer in the campus network can also offer authentication services for devices connecting to the network. The user must enter a username and password, which are checked against an authentication server such as RADIUS or TACACS+, to gain access to the network. You no longer need to worry about exposing your network to intruders who might connect their laptops to the corporate network in the lobby or a training room, and it’s very useful for keeping rogue wireless access points off the network.