Enterprises and other organizations implement network access control in order to control the ability of endpoint devices to communicate on a computer network. For example, enterprises may designate separate virtual local area networks (VLANs) for different endpoints. Each VLAN provides connections between devices assigned to the VLAN. Each of the VLANs may essentially be treated as an independent layer two (L2) network. A device assigned to one VLAN can communicate with other devices on that VLAN but may be unable to communicate with devices on a separate VLAN. Packets for different VLANs may be correctly forwarded within a network by appending a VLAN tag to the packets to designate the VLAN to which each packet belongs. In some cases, a single network link may support traffic for multiple VLANs; such a network link is referred to as a “trunk” or “trunk link.”
A policy server may be used to control access for the endpoint devices to the VLANs. Upon initial access to the network, the policy server may assign an endpoint to a particular VLAN based on certain characteristics, such as the identity of the user and the health posture of the endpoint. A physical L2 switch may connect the endpoint devices to the policy server and to the assigned VLAN based upon the assignment from the policy server. In some cases, a given endpoint may be assigned to any one of a number of different L2 networks, depending on a variety of factors at the time network access is initiated.
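As an added example (not from the original text), the following Python models the two mechanisms described above: a toy policy server that maps a user role and endpoint health posture to a VLAN and fails closed to a constructed quarantine VLAN, plus insertion and parsing of the 802.1Q tag that lets a trunk link carry frames for several VLANs. The policy table, VLAN ids and MAC addresses are constructed values.

```python
import struct

TPID_8021Q = 0x8100  # EtherType that marks an 802.1Q VLAN-tagged frame

# Constructed policy table: (user role, health posture) -> VLAN id.
POLICY = {
    ("employee", "compliant"): 10,
    ("contractor", "compliant"): 20,
}
QUARANTINE_VLAN = 999  # constructed id; non-compliant or unknown endpoints land here


def assign_vlan(role: str, posture: str) -> int:
    """Policy-server decision at network-access time: only a known role with a
    compliant posture reaches a production VLAN; anything else fails closed."""
    return POLICY.get((role, posture), QUARANTINE_VLAN)


def untagged_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes) -> bytes:
    """Minimal Ethernet II frame: dst MAC, src MAC, EtherType, payload (no FCS)."""
    return dst + src + struct.pack("!H", ethertype) + payload


def tag_frame(frame: bytes, vid: int, pcp: int = 0, dei: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag (TPID + TCI) after the two MAC addresses.
    VID 0 and 4095 are reserved, so a real VLAN id is 1..4094."""
    if not (1 <= vid <= 4094 and 0 <= pcp <= 7 and dei in (0, 1)):
        raise ValueError("invalid 802.1Q tag fields")
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    tci = (pcp << 13) | (dei << 12) | vid  # 3-bit PCP, 1-bit DEI, 12-bit VID
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_tag(frame: bytes):
    """Return (pcp, dei, vid, inner EtherType) for a tagged frame, else None."""
    if len(frame) < 18:
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_8021Q:
        return None
    return (tci >> 13) & 0x7, (tci >> 12) & 0x1, tci & 0x0FFF, ethertype


if __name__ == "__main__":
    frame = untagged_frame(b"\xff" * 6, b"\x02" * 6, 0x0800, b"\x00" * 46)
    vid = assign_vlan("employee", "compliant")  # -> 10
    print(parse_tag(tag_frame(frame, vid, pcp=3)))  # -> (3, 0, 10, 2048)
    print(assign_vlan("guest", "unknown"))  # -> 999
```

A switch receiving the tagged frame on a trunk reads the VID to pick the VLAN's forwarding table, which is why untrusted ports should strip or reject tags rather than honour an endpoint-supplied VID.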