Networking VLAN – Campus VLAN Segmentation by OS


We've been thinking through re-arranging our network and VLAN configuration. Here's the situation.

We already have our servers, VoIP phones, and printers on their own VLANs, but our problem lies with end user devices. There are just too many to lump on the same VLAN without being hammered with broadcasts! Our current segmentation strategy has them split into VLANs like this:

  • Student iPads
  • Staff iPads
  • Student Macbooks
  • Staff Macbooks
  • Gaming devices
  • Staff (Other)
  • Student (Other)

*Note that our network has many more iPads and MacBooks than most.*

Since the primary reason we're splitting them is just to put them in smaller groups, this has been working for us (for the most part). However, this required our staff to maintain access control lists (MAC addresses) of all devices belonging in these groups. It also has the unfortunate side effect of illogically grouping broadcast traffic. For example, using this setup, students on opposite ends of campus using iPads will share broadcasts, but two devices belonging to the same user (in the same room) will likely be on completely separate VLANs.

I feel like there must be a better way of doing this.

I've done a lot of research and I'm having trouble finding instances of this kind of segmentation being recommended. The feedback on the most relevant SO question seems to point toward VLAN segmentation by building/physical location. I feel like that makes sense because logically, at least among miscellaneous end users, broadcasts will typically be intended for nearby devices.

  • Are there other campuses/large-scale networks out there segmenting VLANs based on end-system OS?
  • Is this a typical configuration?
  • Would VLAN segmentation based on physical location (or some other criteria) be more effective?

EDIT: I've been told that we will soon be able to dynamically determine device OS without maintaining access lists, although I'm not sure how much that affects the answers to the questions.

Best Answer

I think segmenting user subnets by OS is more work than it's worth, and quite honestly in all my interactions with HiEd IT people, I've never heard anyone talk about segmenting by OS. What benefit would you get by doing that? Additionally, what do you do when the operating system of a certain machine changes or perhaps a more common situation would be what to do with a computer that dual-boots say OSX and Windows?

We have around six different security "zones" on campus:

  1. General (non-privileged) faculty/staff office ethernet drops
  2. Privileged staff office ethernet drops (mostly ITS staff)
  3. Guest Wifi (only has internet access)
  4. ResNet (dorm networking)
  5. Secure Wifi (WPA2/802.1x, users get put into a specific VLAN depending on role)
  6. Server rooms

Each of the above is divided into smaller subnets, usually by building and then by which wiring closet they connect to. For wireless, we have several subnets that non-privileged users get assigned to at random. For the server rooms, we do group by OS (mostly for security separation between Windows and Linux), as well as further sub-dividing within OS groups for ITS servers versus Department-owned servers. We maintain subnet ACLs for each subnet with a default deny policy, only allowing traffic through that we explicitly allow. In addition to the subnet firewalls, we implement host firewalls on all of our servers, whether Linux or Windows. There are also several special-purpose VLANs kicking around for things like server management, network management, iSCSI, HVAC equipment, door access panels, security cameras, etc.

Your goal of keeping broadcast domains small is a good goal to have. Honestly, though, it doesn't really matter if two people sitting next to each other are in the same L2 broadcast domain.
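The answer above describes two design decisions: carving each security zone into subnets by building and wiring closet (rather than by device OS), and fronting every subnet with a default-deny ACL that only passes explicitly allowed flows. The following is an added example, not code from the original post or its author, that models both with the standard library. The zone supernets, building and closet names, and the allow rules are constructed assumptions for illustration; a real campus would substitute its own addressing and policy.

```python
"""Carve campus security zones into per-building, per-closet subnets and
evaluate flows against a default-deny inter-zone policy.

Added example, not from the original post. All addresses, building names,
closet labels and allow rules below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone supernets: one per security zone named in the answer.
ZONES = {
    "staff_general": ipaddress.ip_network("10.10.0.0/16"),
    "staff_privileged": ipaddress.ip_network("10.20.0.0/16"),
    "guest_wifi": ipaddress.ip_network("10.30.0.0/16"),
    "servers": ipaddress.ip_network("10.50.0.0/16"),
}

# Constructed wiring plan: zone -> building -> list of wiring closets.
# Servers are the one zone grouped by OS, as the answer does.
PLAN = {
    "staff_general": {"Library": ["A", "B"], "Science": ["A"]},
    "staff_privileged": {"ITS": ["A"]},
    "guest_wifi": {"Library": ["A"], "Science": ["A"]},
    "servers": {"DC1": ["linux", "windows"]},
}


def carve_subnets(zones, plan, prefixlen=24):
    """Allocate one subnet per (zone, building, closet) from the zone's supernet.

    Subnets follow the physical closet, so two devices in the same room land in
    the same small broadcast domain regardless of their OS."""
    out = {}
    for zone, buildings in plan.items():
        pool = zones[zone].subnets(new_prefix=prefixlen)
        for building, closets in buildings.items():
            for closet in closets:
                out[(zone, building, closet)] = next(pool)
    return out


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str            # a zone name, or "internet" for anything off-campus
    proto: str               # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None matches any destination port


# Explicit allow list (constructed). Anything not matched here is denied,
# which is the default-deny posture the answer describes.
ALLOW = [
    Rule("staff_general", "staff_general", "any"),      # closets of one zone talk to each other
    Rule("staff_general", "servers", "tcp", 443),       # staff reach HTTPS services
    Rule("staff_general", "internet", "any"),
    Rule("staff_privileged", "servers", "tcp", 22),     # ITS staff administer Linux
    Rule("staff_privileged", "servers", "tcp", 3389),   # ITS staff administer Windows
    Rule("staff_privileged", "internet", "any"),
    Rule("guest_wifi", "internet", "any"),              # guest Wi-Fi: internet only
]


def zone_of(ip, subnets):
    """Map an address to its zone; anything outside every campus subnet is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for (zone, _building, _closet), net in subnets.items():
        if addr in net:
            return zone
    return "internet"


def is_allowed(src_ip, dst_ip, proto, dport, subnets, rules=ALLOW):
    """Return True only if some rule explicitly permits the flow (default deny)."""
    src_zone, dst_zone = zone_of(src_ip, subnets), zone_of(dst_ip, subnets)
    for r in rules:
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.proto in ("any", proto)
                and (r.dport is None or r.dport == dport)):
            return True
    return False


if __name__ == "__main__":
    subs = carve_subnets(ZONES, PLAN)
    for key, net in subs.items():
        print(f"{key[0]:16} {key[1]:8} closet {key[2]:8} {net}")
    # A guest device trying to reach a server is denied; the same device
    # reaching an off-campus address on the same port is allowed.
    print(is_allowed("10.30.0.9", "10.50.1.10", "tcp", 443, subs))
    print(is_allowed("10.30.0.9", "93.184.216.34", "tcp", 443, subs))
```

The evaluation order matters only in that the first matching rule wins; because every rule is a permit and the fallthrough is deny, adding a rule can only widen access, which keeps the policy easy to review. Swapping a device's OS, or dual-booting, changes nothing here, since placement is decided by the closet the device plugs into and the role its user authenticates as.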
