Educause Security Discussion mailing list archives
Re: How do you implement VLAN segmentation in your buildings?
From: Bruce Curtis <bruce.curtis () NDSU EDU>
Date: Wed, 9 May 2007 17:24:03 -0500
We have layer 2 switches in the buildings and route in our core, but we also prefer the location-based segmentation, and for similar reasons. It makes administration much easier.

Trying to map people to VLANs results in one of two problems. Either you need to make every VLAN appear in every building so that a person can join VLAN x whenever he goes to a meeting in another building, or, for example, you need to have a bunch of different English VLANs, one for each building or group of buildings. In the first case, if anyone in the network happens to create a loop, the problem propagates throughout the VLAN, which is through the whole campus. In the second case you end up with the number of buildings times the number of departments/groups of VLANs. In our case, with around 80 buildings, if we had 100 groups that would be 8,000 VLANs.

Also, a VLAN can only follow a person around while they are on campus, and nowadays a significantly large number of laptops go off campus every night and then return. Also, if it were vital for every department to have a separate VLAN, then shouldn't every department have a separate wireless SSID? Also, there are always people that cross boundaries, like a professor who is in both the CS and EE departments, with an office in each, or students who are also employees, or administrators who also teach classes.

One of the main drivers of VLAN segmentation is really to try to limit or map a group of users that should have access to server x and to be able to enforce that in the network. But the network does a poor job of doing that mapping. On the other hand, a tool like IPsec does a wonderful job of implementing the desired mapping, with the added benefit that it works from anywhere on the Internet, not just on campus. Microsoft calls using IPsec this way Domain Isolation, and Microsoft has been using IPsec for Domain Isolation on 208,000 of their computers. At least a couple of universities have implemented it also.
http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49636
http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49593
http://www.microsoft.com/technet/itshowcase/content/ipsecdomisolwp.mspx

On May 9, 2007, at 10:56 AM, Tristan RHODES wrote:
Greetings,

We are discussing various ways to segment traffic using VLANs. How are other universities doing this? We have a pair of layer-3 switches in most buildings that serve as the distribution layer. The question is, how many networks do you create for a building? Do you:

1) Segment based on security level? (guest/kiosks, students/labs, faculty/staff, facility management, network management)
2) Segment based on department/college? (accounting, finance, human resources)
3) Segment based on location? (first floor, second floor, third floor)
4) Or do you follow Cisco best practices, which promote the idea of one unique VLAN/network for every switch?

I do not like the high level of maintenance in models 1 and 2. For example, when people move or if their roles change, how will we be notified so that we can change their VLAN? I prefer the location-based segmentation due to its simplicity. To provide security segmentation, something like NAC + McAfee ePO can be used to enforce firewall policies on end-hosts.

Thanks for your input.

Tristan Rhodes
---
Bruce Curtis bruce.curtis () ndsu edu
Certified NetAnalyst II
701-231-8527
North Dakota State University
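For readers who want to see what the Domain Isolation approach Bruce describes actually looks like as policy, the following is an added example that is not part of the thread or of Microsoft's published case studies. It uses the NetSecurity PowerShell module (Windows 8 / Server 2012 and later), which did not exist in 2007; the original deployments used the equivalent IPsec settings pushed by Group Policy. The subnet, rule names and the group SID are placeholders, and the machine must be domain-joined so that Kerberos machine authentication can succeed.

```powershell
# Added example (not from the thread): an IPsec Domain Isolation policy in
# PowerShell, the modern equivalent of the Group Policy IPsec settings used in
# 2007. Requires the NetSecurity module (Windows 8 / Server 2012 or later), an
# elevated prompt, and domain-joined machines that can obtain Kerberos tickets.
# All addresses, names and SIDs below are placeholders chosen for the example.

# 1. Phase 1 authentication: computer identity via Kerberos. Non-domain
#    machines (guests, kiosks, personal laptops) cannot complete this, so they
#    cannot reach isolated hosts even when they sit on the same VLAN.
$kerbProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet `
    -DisplayName "Domain Isolation - Kerberos machine auth" `
    -Proposal $kerbProposal

# 2. Exemptions first: infrastructure that members must reach before they can
#    authenticate at all (domain controllers, DNS, DHCP). Placeholder subnet.
New-NetIPsecRule -DisplayName "Exempt - infrastructure subnet" `
    -RemoteAddress 10.0.0.0/24 `
    -InboundSecurity None -OutboundSecurity None

# 3. Let unauthenticated DHCP, ICMP and neighbor discovery through so address
#    assignment and basic troubleshooting keep working.
Set-NetFirewallSetting -Exemptions Dhcp,Icmp,NeighborDiscovery

# 4. The isolation rule: require authenticated inbound traffic, request it
#    outbound (members can still talk to non-member hosts such as printers).
#    No -Profile is given, so the rule applies on every network profile; that
#    is what keeps a laptop protected after it leaves campus, which a VLAN
#    cannot do.
New-NetIPsecRule -DisplayName "Domain Isolation" `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name

# 5. Server isolation for "server x": only computers in one AD group may open
#    SMB, decided on the authenticated machine identity, not on the VLAN the
#    packet arrived from. The SID is a placeholder for that computer group.
$groupSid = "S-1-5-21-0000000000-0000000000-0000000000-1234"
New-NetFirewallRule -DisplayName "Server x - SMB from isolated workstations only" `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -Action Allow -Authentication Required `
    -RemoteMachine "O:LSD:(A;;CC;;;$groupSid)"
```

The order matters: create the exemption rule before the isolation rule, or domain members lose the domain controller they need for Kerberos and lock themselves out. Stage the rollout with -InboundSecurity Request on both sides first and watch the Security log for failed main-mode negotiations before switching the inbound side to Require.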
Current thread:
- How do you implement VLAN segmentation in your buildings? Tristan RHODES (May 09)
- <Possible follow-ups>
- Re: How do you implement VLAN segmentation in your buildings? Julian Y. Koh (May 09)
- Re: How do you implement VLAN segmentation in your buildings? David Gillett (May 09)
- Re: How do you implement VLAN segmentation in your buildings? Cal Frye (May 09)
- Re: How do you implement VLAN segmentation in your buildings? Lee Weers (May 09)
- Re: How do you implement VLAN segmentation in your buildings? Br. Kenneth Arnold (May 09)
- Re: How do you implement VLAN segmentation in your buildings? Bruce Curtis (May 09)
- Re: How do you implement VLAN segmentation in your buildings? Rob Whalen (May 09)
- Re: How do you implement VLAN segmentation in your buildings? Bruce Curtis (May 10)
- Re: How do you implement VLAN segmentation in your buildings? John Hoffoss (May 16)
- Re: How do you implement VLAN segmentation in your buildings? Cal Frye (May 16)