
VLANs and Access Control for the College Campus

Jesse Becker
Last Revised June 22nd 2011

So, what is a VLAN? A VLAN (or virtual LAN) is a logical segmentation of a switch (or multiple switches) that allows grouped nodes to behave as if they exist on their own physical network.

Using VLANs allows you to:
- Group clients by function, location or workgroup.
- Separate nodes into separate broadcast domains.
- Consolidate network equipment.
- Consolidate network backbones.
- Separate nodes into separate security domains.

[Diagram: physical segmentation vs. logical segmentation]

Functional VLANs

Used to group nodes that have a similar function or purpose. Examples include:
- Workgroups: departments, organizations, collocated customers
- Device types: computers, printers, telephones

Geographical VLANs

Used to group nodes by location. Examples include any one or a combination of: campus, building, floor, wing, lab.

Hybrid Approach

Utilizes a mix of functional and geographical VLANs. Mixed approach example:
- Employee computers in building A are on a different VLAN than the employee computers in building B.
- Telephones in building A may be on a different VLAN than telephones in building B.
- The wireless network is on the same VLAN in all buildings.

We utilize both geographical and functional VLANs.

SUNY Ulster Geographical

For each building, we have geographical VLANs set up for employee data, student data and voice. We also have separate VLANs for each of our academic computer labs.
- 32 student / lab VLANs
- 17 employee VLANs
- 15 voice VLANs

SUNY Ulster Functional

SUNY Ulster also has 13 functional VLANs:
- Server VLANs
- VPN VLANs
- HVAC VLAN
- Ghosting VLAN
- Wireless VLANs
- Personally owned devices VLAN
- The "Outside" VLAN

VLAN Routing

VLANs operate at layer 2. Separate VLANs are unable to communicate with each other without a router or a layer 3 switch. VLAN routing is most commonly accomplished by creating virtual VLAN routing interfaces on a layer 3 switch.

Access Control

Most layer 3 switches and routers allow access control (packet filtering) between the VLAN interfaces. This lets you regulate traffic between VLANs, creating security domains. At Ulster, we classify our VLANs under four different security domains:
- Employees
- Students
- VoIP
- Personal Devices

Access Control

Ulster utilizes strict ACLs. Only permitted ports between subnets and hosts are allowed; all denied traffic is logged to a syslog server. Currently our employee ACL is 370 lines and growing. The student ACL is 219 lines, and the VoIP ACL is 61 lines.
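The following is an added example, not code from the presentation or from SUNY Ulster, showing how a strict inter-VLAN ACL of the kind described above behaves: first match wins, only named ports between specific subnets are permitted, and everything else falls through to an implicit deny that is recorded in a syslog-style log. VLAN 52 (10.52.0.0/16) is the page's HAS 1st floor data VLAN; the server VLAN (10.100.10.0/24) and student VLAN (10.60.0.0/16) are placeholder numbers I chose for the example, not values from the page.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One ACL entry. The ACL is evaluated top to bottom; first match wins."""
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None     # None matches any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.IPv4Network(cidr)


# Constructed sample ACL for the employee security domain.
# 10.52.0.0/16 is the page's HAS 1st floor data VLAN; the server VLAN
# (10.100.10.0/24, third octet 10 = servers per the page's schema) and the
# student VLAN (10.60.0.0/16) are placeholder numbers, not values from the page.
EMPLOYEE_ACL: List[Rule] = [
    Rule("permit", "tcp", net("10.52.0.0/16"), net("10.100.10.0/24"), 443),  # HTTPS to servers
    Rule("permit", "tcp", net("10.52.0.0/16"), net("10.100.10.0/24"), 445),  # SMB to servers
    Rule("permit", "udp", net("10.52.0.0/16"), net("10.100.10.0/24"), 53),   # DNS to servers
    Rule("permit", "icmp", net("10.52.0.0/16"), net("10.0.0.0/8")),          # ping anywhere on campus
    # No entry permits student -> employee traffic, so it hits the implicit deny.
]


def describe(pkt: Packet) -> str:
    port = "" if pkt.dport is None else f":{pkt.dport}"
    return f"{pkt.proto} {pkt.src} -> {pkt.dst}{port}"


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.IPv4Address(pkt.src) not in rule.src:
        return False
    if ipaddress.IPv4Address(pkt.dst) not in rule.dst:
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet, log: List[str]) -> str:
    """Return "permit" or "deny". Every deny, explicit or implicit, is appended to log."""
    for idx, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            if rule.action == "deny":
                log.append(f"DENY rule#{idx} {describe(pkt)}")
            return rule.action
    # Strict ACL: anything not explicitly permitted is denied and logged.
    log.append(f"DENY implicit {describe(pkt)}")
    return "deny"


if __name__ == "__main__":
    syslog: List[str] = []
    samples = [  # constructed sample traffic
        Packet("tcp", "10.52.2.2", "10.100.10.5", 443),  # employee PC -> server, HTTPS
        Packet("tcp", "10.52.2.2", "10.100.10.5", 22),   # employee PC -> server, SSH (not permitted)
        Packet("tcp", "10.60.2.9", "10.52.2.2", 445),    # student PC -> employee PC (not permitted)
    ]
    for p in samples:
        print(evaluate(EMPLOYEE_ACL, p, syslog).upper(), describe(p))
    print("\n".join(syslog))
```

The deny log is what makes the "strict ACL" approach operationally useful: a growing list of implicit denies from one source tells you either that a legitimate service is missing a permit line or that a host is probing outside its security domain.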

IP Schema

Data subnets use 10.<vlan>.0.0/16 networks. We use the third octet to identify the device type:
- 1: routers
- 2 and 3: computers and printers
- 5: switches
- 6: access points
- 7: cameras and codecs
- 10: servers

IP Schema

Our voice VLAN numbers are our geographical data VLAN numbers + 500:
- HAS 1st Floor Data = VLAN 52
- HAS 1st Floor Voice = VLAN 552

Voice subnets use 172.16.<vlan-500>.0/24 networks:
- HAS 1st Floor Computer = 10.52.2.2
- HAS 1st Floor Phone = 172.16.52.10

These schemas allow quick identification of VLAN and device type.
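As an added example (not part of the presentation), the two addressing schemas above are small enough to encode as functions: given an address you can recover the VLAN and device type, and given a data VLAN you can derive its voice VLAN and voice subnet. The device-type table is taken from the page; the "phone" label for voice hosts follows the page's own example, since the voice /24 leaves no octet free to encode a device type.

```python
import ipaddress
from typing import Dict, Union

# Third-octet device types for data subnets, as listed on the page.
DEVICE_TYPES: Dict[int, str] = {
    1: "router",
    2: "computer or printer",
    3: "computer or printer",
    5: "switch",
    6: "access point",
    7: "camera or codec",
    10: "server",
}
VOICE_OFFSET = 500                                   # voice VLAN = data VLAN + 500
DATA_BLOCK = ipaddress.IPv4Network("10.0.0.0/8")     # 10.<vlan>.<type>.<host>/16
VOICE_BLOCK = ipaddress.IPv4Network("172.16.0.0/16") # 172.16.<vlan-500>.<host>/24


def data_subnet(vlan: int) -> ipaddress.IPv4Network:
    """Data VLAN number -> its /16. The second octet caps data VLAN ids at 255."""
    if not 1 <= vlan <= 255:
        raise ValueError(f"data VLAN {vlan} cannot be encoded in 10.<vlan>.0.0/16")
    return ipaddress.IPv4Network(f"10.{vlan}.0.0/16")


def voice_vlan(data_vlan: int) -> int:
    return data_vlan + VOICE_OFFSET


def voice_subnet(vlan: int) -> ipaddress.IPv4Network:
    """Voice VLAN number -> its /24 (the third octet is the VLAN number minus 500)."""
    offset = vlan - VOICE_OFFSET
    if not 1 <= offset <= 255:
        raise ValueError(f"voice VLAN {vlan} is outside the {VOICE_OFFSET + 1}..{VOICE_OFFSET + 255} range")
    return ipaddress.IPv4Network(f"172.16.{offset}.0/24")


def classify(ip: str) -> Dict[str, Union[str, int]]:
    """Decode an address into VLAN and device type using the campus schema."""
    addr = ipaddress.IPv4Address(ip)
    o = addr.packed  # the four octets as bytes
    if addr in DATA_BLOCK:
        if o[1] == 0:
            raise ValueError(f"{ip} has VLAN 0, which the data schema does not use")
        return {"kind": "data", "vlan": o[1], "device": DEVICE_TYPES.get(o[2], "unassigned")}
    if addr in VOICE_BLOCK:
        # Voice hosts are phones in the page's example; the /24 has no device-type octet.
        return {"kind": "voice", "vlan": o[2] + VOICE_OFFSET, "data_vlan": o[2], "device": "phone"}
    raise ValueError(f"{ip} is outside the campus addressing schema")


def in_schema(ip: str) -> bool:
    """True if classify() accepts the address; handy for spotting rogue addressing."""
    try:
        classify(ip)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample addresses, including the page's HAS 1st floor examples.
    for sample in ["10.52.2.2", "172.16.52.10", "10.52.10.4", "10.52.6.1", "192.168.1.1"]:
        print(sample, classify(sample) if in_schema(sample) else "outside schema")
    print("VLAN 52 ->", data_subnet(52), "voice VLAN", voice_vlan(52), voice_subnet(voice_vlan(52)))
```

A decoder like this is useful beyond documentation: when reviewing syslog deny entries from the ACLs, it turns a bare source address into "a server on VLAN 52" or "an address that does not belong to any campus VLAN", which is the first triage question.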

Questions and Contact Info

Jesse Becker, Technical Manager
SUNY Ulster
Phone: 845 687 5064
Email: [email protected]