Educause Security Discussion mailing list archives

Re: How do you implement VLAN segmentation in your buildings?


From: Lee Weers <weersl () CENTRAL EDU>
Date: Wed, 9 May 2007 13:02:53 -0500

On our resnet 2 summers ago I implemented a VLAN for every 12 ports in our
large residence halls.  This summer I hope to accomplish it for the rest
of resnet.  While doing this I created 2 additional VLANs: 1 for gaming
and the other for guests.  For the Xboxes, they didn't like crossing the
router to play head to head.  So the gaming devices that get registered
in Campus Manager are automatically assigned to that VLAN, and have
internet access.  The unregistered gaming devices just play head to head
in the registration VLAN.

The reasoning for the 12-port VLANs is to enable the content filtering
(virus throttling) on our ProCurve 5300s.

-----Original Message-----
From: Tristan RHODES [mailto:tristanrhodes () WEBER EDU] 
Sent: Wednesday, May 09, 2007 10:56 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] How do you implement VLAN segmentation in your buildings?

Greetings,

We are discussing various ways to segment traffic using VLANs.  How are
other universities doing this?

We have a pair of layer-3 switches in most buildings that serve as the
distribution layer.  The question is, how many networks do you create
for a building? Do you:

1) Segment based on security level?  (guest/kiosks, students/labs,
faculty/staff, facility management, network management)

2) Segment based on department/college? (accounting, finance, human
resources)

3) Segment based on location? (first floor, second floor, third floor)

4) Or do you follow Cisco best practices which promote the idea of one
unique vlan/network for every switch?

I do not like the high level of maintenance in models 1 and 2.  For
example, when people move or if their roles change, how will we be
notified so that we can change their VLAN?

I prefer the location-based segmentation due to its simplicity.  To
provide security segmentation, something like NAC + McAfee ePO can be
used to enforce firewall policies on end-hosts.

Thanks for your input.

Tristan Rhodes
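The per-12-port layout Lee describes in his reply (one VLAN per block of 12 access ports, plus separate gaming and guest VLANs that the registration system moves devices into) is easy to get wrong by hand across a large residence hall. The script below is an added example, not code from either poster or from HP: it carves a building prefix into one subnet per 12-port VLAN, renders a switch configuration fragment, and reports how many hosts share each broadcast domain, which is what bounds how far a scanning worm gets before it hits the router and the per-VLAN virus throttling. All VLAN IDs, names and address ranges are hypothetical, and the configuration syntax only approximates the ProCurve CLI; check it against your own switch's documentation.

```python
import math
import ipaddress

# Constructed example (not from the mailing-list thread): plan a ResNet access
# switch with one VLAN per block of 12 ports and add the two special-purpose
# VLANs (registered gaming, guest). VLAN IDs, names and address ranges are
# hypothetical.

PORTS_PER_VLAN = 12


def plan_port_vlans(switch_ports, building_prefix, base_vlan_id,
                    ports_per_vlan=PORTS_PER_VLAN, subnet_prefixlen=27):
    """Split `switch_ports` into consecutive blocks of `ports_per_vlan`, give
    each block its own VLAN ID and carve each VLAN a subnet out of
    `building_prefix`. Returns dicts with keys vlan, name, ports, subnet."""
    building = ipaddress.ip_network(building_prefix)
    subnets = list(building.subnets(new_prefix=subnet_prefixlen))
    blocks = math.ceil(switch_ports / ports_per_vlan)
    if blocks > len(subnets):
        raise ValueError(
            f"{blocks} VLANs needed but {building_prefix} only yields "
            f"{len(subnets)} /{subnet_prefixlen} subnets")
    plan = []
    for i in range(blocks):
        first = i * ports_per_vlan + 1
        # The last block may be short when the port count is not a multiple of 12.
        last = min(first + ports_per_vlan - 1, switch_ports)
        plan.append({
            "vlan": base_vlan_id + i,
            "name": f"resnet-ports-{first}-{last}",
            "ports": (first, last),
            "subnet": subnets[i],
        })
    return plan


def render_vlan_config(plan, special_vlans):
    """Render the plan as a configuration fragment. The vlan / name / untagged /
    ip address / exit syntax approximates the ProCurve CLI (an assumption).
    `special_vlans` have no fixed ports: devices land there via registration."""
    lines = []
    for entry in plan:
        first, last = entry["ports"]
        net = entry["subnet"]
        gateway = net.network_address + 1   # router takes the first usable address
        lines += [
            f"vlan {entry['vlan']}",
            f'   name "{entry["name"]}"',
            f"   untagged {first}-{last}",
            f"   ip address {gateway} {net.netmask}",
            "   exit",
        ]
    for vlan_id, name, prefix in special_vlans:
        net = ipaddress.ip_network(prefix)
        gateway = net.network_address + 1
        lines += [
            f"vlan {vlan_id}",
            f'   name "{name}"',
            f"   ip address {gateway} {net.netmask}",
            "   exit",
        ]
    return "\n".join(lines)


def hosts_per_broadcast_domain(plan):
    """Usable addresses per VLAN. With 12 ports behind a /27 there is headroom
    for a couple of devices per port, and a host scanning its local subnet can
    reach at most this many neighbours before traffic must cross the router."""
    return {e["vlan"]: e["subnet"].num_addresses - 2 for e in plan}


if __name__ == "__main__":
    plan = plan_port_vlans(48, "10.20.0.0/24", base_vlan_id=101)
    special = [
        (201, "gaming-registered", "10.20.200.0/24"),   # hypothetical
        (202, "guest", "10.20.201.0/24"),               # hypothetical
    ]
    print(render_vlan_config(plan, special))
    print(hosts_per_broadcast_domain(plan))
```

A 48-port switch with a /24 per building yields four /27 VLANs and leaves half the prefix for growth; a building prefix too small for the port count raises an error rather than silently reusing subnets.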
