Monday, December 14, 2020

Network Design - Subnetting, VLANs, and Regulatory Compliance using NAC and micro-segmentation.

Let me start this thread by stating that I have worked in IT for nearly 20 years. I have even taught as an adjunct professor for a school teaching Associate's-level networking. To this day, I had never heard of the separation between VLANs and subnets. While logically I knew that there is a difference, I was never taught or shown a network setup that uses VLANs that aren't tied to a specific subnet (e.g. VLAN100 - 10.1.0.0/16).

I say all of that to bring up my point. I am in a unique situation where I need to take a traditional "Higher Education" network and start the process of micro-segmentation to aid in meeting regulatory compliance. I am trying to figure out how to do this without causing network outages or disruption if possible, or at least to minimize them. I inherited this network with over 490 subnets and roughly as many VLANs, all directly tied together and purpose-built. Needless to say, this is not very conducive to implementing a NAC solution with RBAC to specific VLANs based on user / device / application, etc.

To describe where I am in my thinking: we have 48 active buildings on campus. Currently, each building has a specific building number and has been assigned 10 VLANs. An example of this would be:

Building 12

I am trying to wrap my brain around a logical change that would simplify the logic in NAC policies to increase network security and regulatory compliance, using RBAC based on AD security groups to automatically place users in specific VLANs across campus depending on their device type, device ownership, HIP profile, AD user security group, and any other identifiable attributes required to meet compliance needs for the different types of data to be accessed. Once this model is built, automation should then become a piece of cake, therefore reducing the time and effort spent on such menial tasks as user on-boarding and device management.

It seems like there should be a way to utilize the current subnet structure that is in place and assign VLANs based on regulatory compliance restrictions, RBAC, or IoT device types. I'm just not 100% confident in how to go about this. I get that you can have multiple subnets in a specific VLAN, but I start getting fuzzy on how this routes or works when managing a fairly decent-sized network.
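The "several subnets in one VLAN" idea above can be sketched as a small planning script. This is an added example, not code from the post or its author: the subnets, role names and VLAN ids are constructed, and the assumption is the common Cisco IOS pattern of one SVI per VLAN carrying the first subnet as its primary address and the remaining subnets as `secondary` addresses (a real IOS option), with the first host of each subnet used as the gateway. It keeps the existing per-building subnets, groups them under a campus-wide role VLAN, and refuses to emit a config if any two subnets overlap, which is the check you want before touching 490 subnets.

```python
"""Group existing subnets under compliance-role VLANs and render SVIs.

Added example, not from the original post. All subnets, roles and VLAN
ids below are constructed for illustration.
"""
import ipaddress
from collections import defaultdict

# Constructed sample: existing per-building subnets, each tagged with the
# role a NAC policy would assign (AD group, device type, posture, ...).
EXISTING_SUBNETS = {
    "10.12.1.0/24": "staff",
    "10.12.2.0/24": "staff",
    "10.12.3.0/24": "student",
    "10.12.4.0/24": "iot-hvac",
    "10.13.1.0/24": "staff",
    "10.13.3.0/24": "student",
}

# Role -> campus-wide VLAN id (constructed values).
ROLE_VLANS = {"staff": 200, "student": 300, "iot-hvac": 900}


def group_by_role(subnets, role_vlans):
    """Return {vlan_id: [IPv4Network, ...]} with the networks sorted."""
    plan = defaultdict(list)
    for cidr, role in subnets.items():
        plan[role_vlans[role]].append(ipaddress.ip_network(cidr))
    return {vid: sorted(nets) for vid, nets in plan.items()}


def find_overlaps(plan):
    """List (vlan_a, net_a, vlan_b, net_b) for every overlapping pair."""
    all_nets = [(vid, n) for vid, nets in plan.items() for n in nets]
    overlaps = []
    for i, (va, a) in enumerate(all_nets):
        for vb, b in all_nets[i + 1:]:
            if a.overlaps(b):
                overlaps.append((va, str(a), vb, str(b)))
    return overlaps


def render_svi(vlan_id, nets):
    """IOS-style SVI lines: first subnet primary, the rest 'secondary'."""
    lines = [f"interface Vlan{vlan_id}"]
    for i, net in enumerate(nets):
        gw = net.network_address + 1  # assumed convention: first host is the gateway
        suffix = "" if i == 0 else " secondary"
        lines.append(f" ip address {gw} {net.netmask}{suffix}")
    return lines


def build_plan(subnets=EXISTING_SUBNETS, role_vlans=ROLE_VLANS):
    """Validate the grouping and return (plan, config_lines)."""
    plan = group_by_role(subnets, role_vlans)
    overlaps = find_overlaps(plan)
    if overlaps:
        # Overlapping subnets would route ambiguously; stop before pushing config.
        raise ValueError(f"overlapping subnets in plan: {overlaps}")
    config = []
    for vid in sorted(plan):
        config.extend(render_svi(vid, plan[vid]))
    return plan, config


if __name__ == "__main__":
    _, config = build_plan()
    print("\n".join(config))
```

One caveat worth keeping in mind when reading the output: secondary addresses make several subnets routable from one SVI, but they all sit in the same broadcast domain, so this groups addressing under a role without separating the hosts from each other at layer 2. Real isolation between the roles still comes from the VLAN boundaries and the ACLs or firewall policy applied between them.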

Has anyone else crossed this hurdle and successfully segmented their network across a mid to large sized campus or business network with an average of 7500 users and upwards of 21,000 devices?
