Educause Security Discussion mailing list archives

Re: How do you implement VLAN segmentation in your buildings?


From: John Hoffoss <John.Hoffoss () CSU MNSCU EDU>
Date: Wed, 16 May 2007 13:33:39 -0500

On Wed, May 9, 2007 at 12:30 PM, Cal Frye <cjf () CALFRYE COM> wrote: 
Tristan RHODES wrote:
I do not like the high level of maintenance in [assigning VLANs by policy].
For example, when people move or if their roles change how will we be
notified so that we can change their VLAN?

If people move, you could be notified the same way you are when you show up to move their PC and phone. Otherwise, as 
another person pointed out, a jack in a department stays in that department, even when the user moves/leaves.

I prefer the location-based segmentation due to its simplicity.  To
provide security segmentation, something like NAC + McAfee ePO can be
used to enforce firewall policies on end-hosts.

Location-based VLANs don't address one of the, IMO, primary reasons to segment your network in the first place: data 
classification & security. If you mix students/labs with departments that handle sensitive data, you risk compromising 
that security. By moving student file servers into student VLANs, and servers containing private data into 
departmental/controlled VLANs, you limit who *could* access that private data in the first place, which adds a layer 
above your file-server ACLs.

There are many advantages to one big flat LAN. How many of your users
roam with laptops? Changing IP addresses every time they go up a floor,
or to the classroom in the next building, is really rather obnoxious
from the user's perspective.

Wireless should be a totally separate VLAN outside of any department or building, utilizing a VPN gateway or 802.1x and 
strong authentication to provide your users a secured path to sensitive data.

-jth
