Re: How do you implement VLAN segmentation in your buildings?

["Br. Kenneth Arnold" <bkarnold () CBU EDU>]

For the most part we use a separate vlan for each building but there
are exceptions.  Some buildings have a separate vlan for different
floors if there is a high concentration of network devices.  Some
vlans apply to more than one building if there is a low concentration
of network devices in the buildings.  In one case a building has two
different vlans because the building serves two entirely different functions.


At 10:56 AM 5/9/2007, you wrote:
> Greetings,
>
> We are discussing various ways to segment traffic using VLANS.  How are
> other universities doing this?
>
> We have a pair of layer-3 switches in most buildings that serve as the
> distribution layer.  The question is, how many networks do you create
> for a building? Do you:
>
> 1) Segment based on security level?  (guest/kiosks, students/labs,
> faculty/staff, facility management, network management)
>
> 2) Segment based on department/college? (accounting, finance, human
> resources)
>
> 3) Segment based on location? (first floor, second floor, third floor)
>
> 4) Or do you follow Cisco best practices which promote the idea of one
> unique vlan/network for every switch?
>
> I do not like the high-level of maintenance in models 1 and 2.  For
> example, when people move or if their roles change how will we be
> notified so that we can change their VLAN?
>
> I prefer the location based segmentation due to its simplicity.  To
> provide security segmentation, something like NAC + Mcafee EPO can be
> used to enforce firewall policies on end-hosts.
>
> Thanks for your input.
>
> Tristan Rhodes

Brother Kenneth Arnold, FSC
Director of Network Systems
Christian Brothers University
Information Technology Services
(901) 321-4333