Campus VLAN Segmentation - By OS?
I think segmenting user subnets by OS is more work than it's worth, and quite honestly in all my interactions with HiEd IT people, I've never heard anyone talk about segmenting by OS. What benefit would you get by doing that? Additionally, what do you do when the operating system of a certain machine changes or perhaps a more common situation would be what to do with a computer that dual-boots say OSX and Windows?
We have around six different security "zones" on campus:
- General (non-privileged) faculty/staff office ethernet drops
- Privileged staff office ethernet drops (mostly ITS staff)
- Guest Wifi (only has internet access)
- ResNet (dorm networking)
- Secure Wifi (WPA2/802.1x, users get put into a specific VLAN depending on role)
- Server rooms
Each of the above are divided into smaller subnets, usually by building and then by which wiring closet they connect to. For wireless, we have several subnets that non-privileged users get assigned to at random. For the server rooms, we do group by OS (mostly for security separation between Windows and Linux), as well as further sub-dividing within OS groups for ITS servers versus Department-owned servers. We maintain subnet ACLs for each subnet with a default deny policy, only allowing traffic through that we explicitly allow. In addition to the subnet firewalls, we implement host firewalls on all of our servers, whether Linux or Windows. There are also several special-purpose VLANs kicking around for things like server management, network management, iSCSI, HVAC equipment, door access panels, security cameras, etc.
Your goal of keeping broadcast domains small is a good goal to have. Honestly, though, it doesn't really matter if two people sitting next to each other are in the same L2 broadcast domain.
Seems like A LOT of work for the IT department to have to organize and keep track of the MAC addresses and devices they are associated with.
The biggest side effect that I thought of was the "two devices belonging to the same user (in the same room) will likely be on completely separate VLANs." You'll have a lot of folks calling IT support wondering why they can't see each others devices in iTunes. :)
I still think the best solution is segmenting by building, then by official campus devices, and finally student devices. This way you can make sure that all devices can talk to each other that need to talk to each other while mitigating students from hacking official campus devices.
What do you think?
I agree with what ErikA said: break VLANs up into functional groups:
- SERVER1, SERVER2, SERVER3, etc. (say, all under 10.2.0.0/16: Windows in 10.2.0.0/17, Unix in 10.2.128/16)
- DMZ1, DMZ2, etc. (all under 10.3.0.0/16)
- WIRELESS1, WIRELESS2, (all under 10.4/16)
- GUEST1, GUEST2, (10.5/16)
- UNDERGRAD1, UNDERGRAD2, (10.6/16)
- GRADS1, GRADS2, (10.7)
- FACULTY, (10.8)
- PRINTERS (10.9)
- NETWORKING (10.10.x.y)
Sometimes particular research groups may get their own VLANs as well. Similarly you may have 'private' VLANs that are not routable to the rest of the network for things like storage (NFS, iSCSI); they often had Jumbo Frames enabled as well, whereas everywhere else had the default MTU of 1500.
If want to give the network users some flexibility, you can use something called "dynamic VLANs": this is where when a machine is plugged in, the switch takes its MAC address and queries a RADIUS server, and it tells which VLAN to make the port. Check out the RADIUS attributes of "Tunnel Type", "Tunnel Medium Type", and "Tunnel Private Group ID". Similarly for WiFi, when a user logins in via WPA2, and the AP talks to the RADIUS server, in addition to the allow/deny response for the username and password, the RADIUS server can respond back with the VLAN that the AP should put the user in.
Unregistered host MACs and users can either be denied any access (a blocked port), or put into a default (guest) VLAN, depending on your security policy. HP switches (and others?) are also able to do two-level stuff: by default MAC-level access is given, but if the user runs an 802.1x program and authenticates themselves (as opposed to just the host "authenticating" itself--with anyone actually at the keyboard), the switch can then the port to a VLAN tied to the individual.
Also, tying the functional VLANs with subnet ranges help to make firewall rules easier in many cases, as well as debugging where strange packets are coming from (Windows hosts are statistically more like to be attacked/compromised, so putting those servers in any easy to segment network may be worth considering).
When you provision users/devices for access into to WiFi (Macbooks, iPads, iPods), you'd rotate the subnets/VLANs that they'd be placed in: studentA would be place in WIRELESS1/10.4.1.0, studentB in WIRELESS2/10.4.2.0, studentC back in WIRELESS1/10.4.1.0, etc. Add more subnets/VLANS as needed to "load balance" the user load. Similarly for facultyA, facultyB, facultyC. If you notice an imbalance in distribution because of graduation/dropouts/staff-churn you can always rebalance with a simple script that updates the database (SQL, LDAP, whatever).
You can certainly also do it by building, but within each building you'll have functional separation as well: BLDA_SERVER_HR, BLDA_SERVER_FINANCE, BLDA_WIFI_STAFF, BLDA_WIFI_GUEST, BLDA_PRINTERS, BLDB_WIFI_GUEST, BLDB_PRINTERS, etc.