moving away from extended L2 networks for service networks
This is related to a couple of other posts:
We have some service networks (i.e. environmental controls, security cameras, door locks) that are currently isolated campus-wide at layer 2. A VLAN is associated with a service and then trunked to wherever the service is required – across buildings and across dedicated fiber links between campuses. The VLAN is trunked back to a core ASA, and access is granted as necessary.
We are building a case to move to a design similar to that which Jeff Kell presents here: http://net.educause.edu/content.asp?page_id=1026971&PRODUCT_CODE=SEC11%2FSESS26&bhcp=1 In our design, we plan to build the VRFs out at the distribution layer only (VRF-lite, no MPLS). A point-to-point VLAN will connect the VRF SVI at the distribution layer to a sub-interface on the core ASA. From that point, access will be granted in exactly the same way it was granted before.
The goal of the design is to be simple, to isolate broadcast as much as possible, and to isolate the individual service networks from each other so that if a rogue device is connected, it does not have visibility to the entire service VLAN.
We certainly intend to reference the University of Tennessee presentation, but in building this case, the more examples we can present, the better off we'll be. Has anyone else made a similar transition from campus-wide L2 isolation to some form of L3 isolation using VRFs?
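As an added illustration of the VRF-lite design described in the post (configuration written for this page, not taken from the original post or from the Tennessee presentation): one service VRF on a distribution switch, the SVI for a building's camera VLAN, a point-to-point VLAN carrying that VRF to a sub-interface on the core ASA, and the ASA policy that grants access exactly as before. The VRF name, VLAN numbers, interfaces and addresses are assumptions.

```cisco
! --- Distribution switch (IOS, VRF-lite: no MPLS, no MP-BGP) ---
! Assumed names/addressing: VRF CAMERAS, service VLAN 210, point-to-point
! VLAN 910 toward the ASA, 10.210.0.0/24 for cameras, 10.255.10.0/30 for P2P.
vrf definition CAMERAS
 address-family ipv4
 exit-address-family
!
! Service SVI: gateway for this building's cameras. It exists only in the
! VRF, so a rogue device sees one /24, not a campus-wide L2 domain.
vlan 210
 name CAMERAS-BLDG-A
interface Vlan210
 description Cameras, building A
 vrf forwarding CAMERAS
 ip address 10.210.0.1 255.255.255.0
 no ip redirects
 no ip proxy-arp
!
! Point-to-point VLAN from this VRF to the ASA sub-interface.
vlan 910
 name CAMERAS-P2P-ASA
interface Vlan910
 description P2P to core ASA, VRF CAMERAS
 vrf forwarding CAMERAS
 ip address 10.255.10.1 255.255.255.252
!
! The uplink toward the ASA carries only the P2P VLAN for this VRF.
interface GigabitEthernet1/0/48
 description Trunk to core ASA
 switchport mode trunk
 switchport trunk allowed vlan 910
!
! Everything leaving the VRF goes through the ASA; no route leaking between VRFs.
ip route vrf CAMERAS 0.0.0.0 0.0.0.0 10.255.10.2

! --- Core ASA: one sub-interface per service VRF ---
interface GigabitEthernet0/1.910
 vlan 910
 nameif cameras
 security-level 50
 ip address 10.255.10.2 255.255.255.252
!
! The building /24 is reached through the distribution VRF SVI.
route cameras 10.210.0.0 255.255.255.0 10.255.10.1
!
! Access granted as before: cameras may reach only the recording server (assumed host).
access-list CAMERAS_IN extended permit tcp 10.210.0.0 255.255.255.0 host 10.50.0.10 eq 554
access-list CAMERAS_IN extended deny ip any any log
access-group CAMERAS_IN in interface cameras
```

Each additional service (environmental controls, door locks) gets its own VRF, its own P2P VLAN and its own ASA sub-interface, so the per-service policy on the ASA stays the same while the campus-wide L2 trunking disappears.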