Educause Security Discussion mailing list archives

Re: How do you implement VLAN segmentation in your buildings?


From: Bruce Curtis <bruce.curtis () NDSU EDU>
Date: Wed, 9 May 2007 17:24:03 -0500

  We have layer 2 switches in the buildings and route in our core
but we also prefer the location based segmentation, and for similar
reasons. It makes administration much easier.

  Trying to map people to VLANs results in one of two problems.
Either you need to make every VLAN appear in every building so that
a person can join VLAN x whenever he goes to a meeting in another
building, or, for example, you need to have a bunch of different
English VLANs, one for each building or group of buildings.  In the
first case, if anyone in the network happens to create a loop the
problem propagates throughout the VLAN, which is the whole campus.
In the second case you end up with the number of buildings times the
number of departments/groups of VLANs.  In our case, with around 80
buildings, if we had 100 groups that would be 8,000 VLANs.

  Also a VLAN can only follow a person around while they are on
campus and nowadays a significantly large number of laptops go off
campus every night and then return.

  Also if it were vital for every department to have a separate VLAN
then shouldn't every department have a separate wireless SSID?

  Also there are always people that cross boundaries, like a
professor who is in both the CS and EE departments, with an office
in each, or students who are also employees, or administrators who
also teach classes.

  One of the main drivers of VLAN segmentation is really to try to
limit or map a group of users that should have access to server x and
to be able to enforce that in the network.  But the network does a
poor job of doing that mapping.  On the other hand a tool like IPsec
does a wonderful job of implementing the desired mapping, with the
added benefit that it works from anywhere on the Internet, not just
on campus.

  Microsoft calls using IPsec this way Domain Isolation, and
Microsoft has been using IPsec for Domain Isolation on 208,000 of
their computers.  At least a couple of universities have
implemented it as well.

http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49636

http://www.microsoft.com/casestudies/casestudy.aspx?casestudyid=49593

http://www.microsoft.com/technet/itshowcase/content/ipsecdomisolwp.mspx


On May 9, 2007, at 10:56 AM, Tristan RHODES wrote:

Greetings,

We are discussing various ways to segment traffic using VLANs.  How
are other universities doing this?

We have a pair of layer-3 switches in most buildings that serve as the
distribution layer.  The question is, how many networks do you create
for a building? Do you:

1) Segment based on security level?  (guest/kiosks, students/labs,
faculty/staff, facility management, network management)

2) Segment based on department/college? (accounting, finance, human
resources)

3) Segment based on location? (first floor, second floor, third floor)

4) Or do you follow Cisco best practices which promote the idea of one
unique vlan/network for every switch?

I do not like the high level of maintenance in models 1 and 2.  For
example, when people move or if their roles change, how will we be
notified so that we can change their VLAN?

I prefer the location-based segmentation due to its simplicity.  To
provide security segmentation, something like NAC + McAfee ePO can be
used to enforce firewall policies on end-hosts.

Thanks for your input.

Tristan Rhodes



---
Bruce Curtis                         bruce.curtis () ndsu edu
Certified NetAnalyst II                701-231-8527
North Dakota State University
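As an added illustration of the IPsec domain-isolation approach Bruce describes (user/computer-to-server mapping enforced by authentication rather than by VLAN membership), the following PowerShell is example code written for this archive page; it is not from the thread or from Microsoft's case studies. It assumes the Windows NetSecurity cmdlets (Windows 8 / Server 2012 or later, which post-date the 2007 discussion), an elevated session on a domain-joined server, and a hypothetical Active Directory computer group whose SID is a placeholder.

```powershell
# Added example, not part of the original mailing-list post.
# Minimal domain-isolation setup for one Windows server:
#  - inbound connections must be IPsec-authenticated with computer Kerberos,
#  - one service (SMB, TCP 445) is then limited to a single AD computer group.
# Assumes the NetSecurity module (Windows 8 / Server 2012+) and an elevated,
# domain-joined session.

# 1. Authentication proposal and phase-1 auth set: peers prove domain
#    membership with the computer's Kerberos credentials.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName "Domain Isolation - Computer Kerberos" `
                                      -Proposal $proposal

# 2. Connection security rule: require authentication for inbound traffic,
#    only request it outbound so the server can still reach non-isolated hosts
#    (printers, appliances) that cannot speak IPsec.
New-NetIPsecRule -DisplayName "Domain Isolation - Require Inbound" `
                 -InboundSecurity Require `
                 -OutboundSecurity Request `
                 -Phase1AuthSet $authSet.Name

# 3. Firewall rule scoped to authenticated computers in one group. The SID is a
#    constructed placeholder; substitute the real group's SID, e.g. from
#    (Get-ADGroup "Finance-PCs").SID.Value
$groupSid = "S-1-5-21-0000000000-0000000000-0000000000-1234"   # placeholder
$sddl     = "O:LSD:(A;;CC;;;$groupSid)"
New-NetFirewallRule -DisplayName "SMB from Finance computers only" `
                    -Direction Inbound -Protocol TCP -LocalPort 445 `
                    -Action Allow `
                    -Authentication Required `
                    -RemoteMachine $sddl

# 4. Verification: active main-mode SAs show which peers have authenticated
#    and under which identities.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, LocalFirstId, RemoteFirstId
```

The access decision in step 3 keys on the authenticated computer identity carried in the IPsec security association, not on the switch port or VLAN the client sits on, which is the mapping the post argues the network itself does poorly. A client in another building, on wireless, or connected from off campus gets the same answer, and an unauthenticated host on the "right" VLAN is refused. In production this is deployed through Group Policy to a pilot OU first, with `-OutboundSecurity Request` kept until every required peer is confirmed to negotiate successfully.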
