Overview of Policy Enforcement
Campus networks have transitioned from simple, shared segments interconnected by bridges and routers into a series of complex and interdependent switches (Layer 2 and Layer 3). Many things have changed in campus network design in recent years, such as the introduction of individual segments for users and intelligent wire-speed Layer 2 switches in the wiring closets. Overall, these changes have improved the performance and throughput of networks; however, many things have remained the same in campus networking, such as the enforcement of security at the Layer 3 device beyond the wiring closet (see Figure 1).
Figure 1 Distribution Switch: InterVLAN Routing & Policy Enforcement
The problem with this form of security is twofold. First, all packets must travel across the connection between the wiring closet and the distribution switch to be checked, and if they are denied, an ICMP administratively prohibited message must be sent back across the same link. This wastes capacity on that link: bandwidth that could have carried user traffic is spent on packets that transport no production traffic. The second problem is the cost of performing a security check on each individual packet. Depending on the Layer 3 device in question (assume it is a router, RSFC, or RSM, and that the Layer 3 device is not performing multilayer switching), it must perform a lookup for every packet that passes through it. If the distribution switch is running MLS, the security process is improved, but only for packets that have already established a flow in the cache; that cache entry is temporary and must be periodically re-established. It is also important to note that these flow-cache resources are limited.