VLANs and Access Control for the College Campus
TRANSCRIPT
So, what is a VLAN? A VLAN (or virtual LAN) is a logical segmentation of a switch (or multiple switches) that allows grouped nodes to behave as if they exist on their own physical network.
Using VLANs allows you to:
- Group clients by function, location or workgroup.
- Separate nodes into separate broadcast domains.
- Consolidate network equipment.
- Consolidate network backbones.
- Separate nodes into separate security domains.
Functional VLANs
Used to group nodes that have a similar function or purpose. Examples include:
- Workgroups: departments, organizations, collocated customers.
- Device types: computers, printers, telephones.
Geographical VLANs
Used to group nodes by location. Examples include any or a combination of: campus, building, floor, wing, lab.
Hybrid Approach
Utilizes a mix of functional and geographical VLANs. Mixed approach example:
- Employee computers in building A are on a different VLAN than the employee computers in building B.
- Telephones in building A may be on a different VLAN than telephones in building B.
- The wireless network is on the same VLAN in all buildings.
We utilize both geographical and functional VLANs.
SUNY Ulster Geographical
For each building, we have geographical VLANs set up for employee data, student data and voice. We also have separate VLANs for each of our academic computer labs.
- 32 Student / Lab VLANs
- 17 Employee VLANs
- 15 Voice VLANs
SUNY Ulster Functional
SUNY Ulster also has 13 functional VLANs: server VLANs, VPN VLANs, an HVAC VLAN, a Ghosting VLAN, wireless VLANs, a Personally Owned Devices VLAN and the “Outside” VLAN.
VLAN Routing
VLANs operate at layer 2. Separate VLANs are unable to communicate with each other without the use of a router or layer 3 switch. VLAN routing is most commonly accomplished by creating virtual VLAN routing interfaces on a layer 3 switch.
Access Control
Most layer 3 switches and routers allow access control (packet filtering) between the VLAN interfaces. These allow you to regulate traffic between VLANs, creating security domains. At Ulster, we classify our VLANs under four different security domains: Employees, Students, VoIP and Personal Devices.
Access Control
Ulster utilizes strict ACLs. Only permitted ports between subnets and hosts are allowed; all denied traffic is logged to a syslog server. Currently our employee ACL is 370 lines and growing. The student ACL is 219 lines. The VoIP ACL is 61 lines.
IP Schema
Data subnets utilize 10.<vlan>.0.0/16 networks. We use the third octet to identify a device type:
- 1 is used for routers.
- 2 and 3 identify computers and printers.
- 5 is used for switches.
- 6 for access points.
- 7 for cameras and codecs.
- 10 for servers.
IP Schema
Our voice VLAN numbers are our geographical data VLAN numbers +500.
HAS 1st Floor Data = VLAN 52
HAS 1st Floor Voice = VLAN 552
Voice subnets utilize 172.16.<vlan-500>.0/24 networks.
HAS 1st Floor Computer = 10.52.2.2
HAS 1st Floor Phone = 172.16.52.10
These schemas allow quick identification of VLAN and device type.
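As an added illustration (not code from the presentation or from SUNY Ulster), the following Python decodes addresses using the two schemas above and evaluates a small permit-only ACL whose implicit deny is logged, in the spirit of the syslog-logged ACLs described earlier. VLAN 52 and the two sample hosts come from the slides; the server VLAN number (10), the rule set and the ports are constructed assumptions.

```python
import ipaddress

# Third-octet device-type codes from the data schema (from the presentation).
DEVICE_TYPES = {1: "router", 2: "computer/printer", 3: "computer/printer",
                5: "switch", 6: "access point", 7: "camera/codec", 10: "server"}

def classify(ip):
    """Map an address back to its VLAN and role using the two campus schemas:
    data = 10.<vlan>.<type>.x (/16), voice = 172.16.<vlan-500>.x (/24)."""
    o = ipaddress.ip_address(ip).packed
    if o[0] == 10:
        return {"vlan": o[1], "device": DEVICE_TYPES.get(o[2], "unknown"), "kind": "data"}
    if o[0] == 172 and o[1] == 16:
        return {"vlan": o[2] + 500, "device": "telephone", "kind": "voice"}
    return {"vlan": None, "device": "unknown", "kind": "outside schema"}

# Constructed sample policy in the "only permitted ports" style described above.
# VLAN 52 is the HAS 1st floor data VLAN from the talk; VLAN 10 as the server
# VLAN and the ports are assumptions, not Ulster's real ACL.
SAMPLE_RULES = [
    ("permit", "10.52.0.0/16",   "10.10.10.0/24", "tcp", 443),   # employee data -> servers, HTTPS
    ("permit", "10.0.0.0/8",     "10.10.10.0/24", "udp", 53),    # any data VLAN -> DNS on servers
    ("permit", "172.16.52.0/24", "172.16.0.0/16", "udp", 5060),  # voice VLAN -> other voice VLANs, SIP
]

def evaluate(rules, src, dst, proto, dport):
    """First-match evaluation; anything unmatched hits an implicit, logged deny."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_proto, rule_port in rules:
        if (s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net)
                and proto == rule_proto and dport == rule_port):
            return action, None
    # Implicit deny with logging: record what was dropped, enriched with the
    # VLAN/device information the schema lets us recover for each endpoint.
    sc, dc = classify(src), classify(dst)
    msg = (f"ACL-DENY {proto} {src} (vlan {sc['vlan']} {sc['device']}) -> "
           f"{dst}:{dport} (vlan {dc['vlan']} {dc['device']})")
    return "deny", msg

if __name__ == "__main__":
    print(evaluate(SAMPLE_RULES, "10.52.2.2", "10.10.10.20", "tcp", 443))
    print(evaluate(SAMPLE_RULES, "10.52.2.2", "10.10.10.20", "tcp", 22))
    print(evaluate(SAMPLE_RULES, "172.16.52.10", "10.10.10.20", "tcp", 443))
```

The enriched deny line is the kind of record a syslog collector can key on to spot a phone or student host probing a server VLAN.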
Questions and Contact Info
Jesse Becker, Technical Manager
SUNY Ulster
Phone: 845 687 5064
Email: [email protected]