Educause Security Discussion mailing list archives

Re: How do you implement VLAN segmentation in your buildings?


From: Cal Frye <cjf () CALFRYE COM>
Date: Wed, 9 May 2007 13:30:10 -0400

Tristan RHODES wrote:
I do not like the high level of maintenance in [assigning VLANs by policy].  For
example, when people move or if their roles change how will we be
notified so that we can change their VLAN?

I prefer the location based segmentation due to its simplicity.  To
provide security segmentation, something like NAC + McAfee ePO can be
used to enforce firewall policies on end-hosts.

There are many advantages to one big flat LAN. How many of your users
roam with laptops? Changing IP addresses every time they go up a floor,
or to the classroom in the next building, is really rather obnoxious
from the user's perspective.

Assigning VLANs based on user role and security access not only
preserves user mobility, but it adds depth to your security posture. A
NAC could be used to make the VLAN assignment automatically, if you
would find that helpful.

--
Regards,
-- Cal Frye, Network Administrator, Oberlin College

   www.calfrye.com,  www.pitalabs.com

"If most of us are ashamed of shabby clothes and shoddy furniture, let
us be more ashamed of shabby ideas and shoddy philosophies." -- Albert
Einstein.
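As an added illustration (not from this thread, and not the code of any NAC product mentioned in it), a small model of the mechanism Cal refers to: a NAC/RADIUS server returning a role-derived VLAN to the switch via the RFC 3580 tunnel attributes, set beside a per-port (location) assignment so the roaming difference is visible. The users, groups, VLAN ids and switch names are constructed sample data.

```python
from dataclasses import dataclass

# Constructed directory: username -> directory groups (what a NAC would read from LDAP/AD).
DIRECTORY = {
    "alice": {"faculty"},
    "bob": {"student"},
    "carol": {"staff", "finance"},
}

# Constructed role policy, listed in precedence order: the first matching group wins.
ROLE_VLANS = [("finance", 40), ("faculty", 20), ("staff", 30), ("student", 10)]
QUARANTINE_VLAN = 999  # unknown or unmatched users are isolated here

# Constructed location policy: (switch, port) -> VLAN, one subnet per wiring closet.
PORT_VLANS = {("bldgA-sw1", 3): 101, ("bldgB-sw2", 7): 102}


@dataclass(frozen=True)
class VlanAttributes:
    """The three RADIUS attributes a switch reads from Access-Accept (RFC 3580)."""
    tunnel_private_group_id: str
    tunnel_type: int = 13         # 13 = VLAN
    tunnel_medium_type: int = 6   # 6 = IEEE-802


def vlan_for_role(username: str) -> VlanAttributes:
    """Role-based assignment: the answer depends only on who authenticated."""
    groups = DIRECTORY.get(username, set())
    for group, vlan in ROLE_VLANS:
        if group in groups:
            return VlanAttributes(tunnel_private_group_id=str(vlan))
    return VlanAttributes(tunnel_private_group_id=str(QUARANTINE_VLAN))


def vlan_for_port(switch: str, port: int) -> int:
    """Location-based assignment: the answer depends only on where the cable lands."""
    return PORT_VLANS.get((switch, port), QUARANTINE_VLAN)


def roam(scheme: str, username: str, locations) -> list:
    """VLAN seen at each stop as `username` roams; a changing list means a new IP per move."""
    if scheme == "role":
        return [int(vlan_for_role(username).tunnel_private_group_id) for _ in locations]
    return [vlan_for_port(sw, port) for sw, port in locations]


if __name__ == "__main__":
    path = [("bldgA-sw1", 3), ("bldgB-sw2", 7)]
    print("role:", roam("role", "alice", path))   # [20, 20]
    print("port:", roam("port", "alice", path))   # [101, 102]
```

In the role scheme, a user whose group membership changes in the directory gets a new VLAN at the next authentication with no per-port reconfiguration; an unknown user lands in the quarantine VLAN rather than on a production subnet.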
