Educause Security Discussion mailing list archives
Re: How do you implement VLAN segmentation in your buildings?
From: Bruce Curtis <bruce.curtis () NDSU EDU>
Date: Thu, 10 May 2007 12:55:19 -0500
On May 9, 2007, at 6:01 PM, Rob Whalen wrote:
Greetings, We have VLAN'ed our resnet to the jack (each jack gets five working addresses) and are working on doing the same for the staff, which are now subnetted by building.

Rob Whalen
Network Analyst
As I mentioned before, I prefer one VLAN per building or group of buildings, but to be fair you didn't mention one of the advantages of one VLAN per port as you are implementing: it prevents ARP-poisoning man-in-the-middle attacks. For IPv6 do you plan to give each jack/VLAN a /64?
Br. Kenneth Arnold wrote:

For the most part we use a separate vlan for each building but there are exceptions. Some buildings have a separate vlan for different floors if there is a high concentration of network devices. Some vlans apply to more than one building if there is a low concentration of network devices in the buildings. In one case a building has two different vlans because the building serves two entirely different functions.

At 10:56 AM 5/9/2007, you wrote:

Greetings, We are discussing various ways to segment traffic using VLANS. How are other universities doing this? We have a pair of layer-3 switches in most buildings that serve as the distribution layer. The question is, how many networks do you create for a building? Do you:

1) Segment based on security level? (guest/kiosks, students/labs, faculty/staff, facility management, network management)
2) Segment based on department/college? (accounting, finance, human resources)
3) Segment based on location? (first floor, second floor, third floor)
4) Or do you follow Cisco best practices which promote the idea of one unique vlan/network for every switch?

I do not like the high level of maintenance in models 1 and 2. For example, when people move or if their roles change, how will we be notified so that we can change their VLAN? I prefer the location-based segmentation due to its simplicity. To provide security segmentation, something like NAC + McAfee EPO can be used to enforce firewall policies on end-hosts. Thanks for your input.

Tristan Rhodes

Brother Kenneth Arnold, FSC
Director of Network Systems
Christian Brothers University
Information Technology Services
(901) 321-4333
---
Bruce Curtis
bruce.curtis () ndsu edu
Certified NetAnalyst II
701-231-8527
North Dakota State University
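The ARP-poisoning point Bruce raises, as an added example that is not part of this thread: a small Python detector that keys its checks on (VLAN, IP), since an ARP reply only reaches hosts in the same broadcast domain, plus a helper that shows why a one-VLAN-per-jack design leaves no peer to poison. All VLAN ids, addresses and MACs are constructed placeholders.

```python
"""Detect ARP cache poisoning inside a shared VLAN (added example, not from the thread)."""
from collections import defaultdict

# Constructed ARP-reply observations: (seconds, vlan, sender_ip, sender_mac)
OBSERVED = [
    (0,  100, "10.1.0.1",  "00:00:5e:00:01:01"),  # gateway of building VLAN 100
    (5,  100, "10.1.0.20", "aa:bb:cc:00:00:20"),  # ordinary host on the same VLAN
    (9,  100, "10.1.0.1",  "aa:bb:cc:00:00:20"),  # host .20 now answers for the gateway
    (12, 200, "10.2.0.1",  "00:00:5e:00:01:01"),  # same MAC in another VLAN: not a conflict
    (15, 100, "10.1.0.1",  "00:00:5e:00:01:01"),  # real gateway replies again (flapping)
]

def detect_poisoning(observations):
    """Return alerts for an IP re-binding to a new MAC and for one MAC
    claiming several IPs; both checks are scoped to a single VLAN."""
    last_mac = {}                    # (vlan, ip)  -> last MAC seen answering for ip
    ips_per_mac = defaultdict(set)   # (vlan, mac) -> IPs that MAC has claimed
    alerts = []
    for ts, vlan, ip, mac in observations:
        prev = last_mac.get((vlan, ip))
        if prev is not None and prev != mac:
            alerts.append(("rebind", ts, vlan, ip, prev, mac))
        last_mac[(vlan, ip)] = mac
        ips_per_mac[(vlan, mac)].add(ip)
        if len(ips_per_mac[(vlan, mac)]) > 1:
            alerts.append(("multi-ip", ts, vlan, mac, sorted(ips_per_mac[(vlan, mac)])))
    return alerts

def broadcast_domain_sizes(jack_to_vlan):
    """Jacks per VLAN: every jack in a domain can poison every other jack in it,
    so a size of 1 (one VLAN per jack) leaves only the gateway as a neighbour."""
    sizes = defaultdict(int)
    for vlan in jack_to_vlan.values():
        sizes[vlan] += 1
    return dict(sizes)

if __name__ == "__main__":
    for alert in detect_poisoning(OBSERVED):
        print(alert)
    # one VLAN per building vs one VLAN per jack (constructed jack ids)
    print(broadcast_domain_sizes({"1A-01": 100, "1A-02": 100, "1A-03": 100}))
    print(broadcast_domain_sizes({"1A-01": 1001, "1A-02": 1002, "1A-03": 1003}))
```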