[ednog] Techniques for overlays and walled gardens

John Kristoff jtk at northwestern.edu
Tue Apr 5 23:31:58 EDT 2005


On Tue, 5 Apr 2005 18:55:55 -0400
Frank Sweetser <fs at WPI.EDU> wrote:

> Here, for the important stuff (security cameras, environmental controls, etc)
> we put them in an application specific VLAN with an RFC1918 addressing scheme.

Is your network really flat so these layer 2 VLANs span the entire
campus?  Or do you simply create separate and isolated layer 2 VLANs
at each routing domain and not connect them together?

> > We've also had some discussion about separating classes of users,
> > such as delineating between faculty, staff and students.  Perhaps
> > all three of these general scenarios have a common theme?
> 
> We've had discussions about this (mostly with regard to our wireless subnet),
> and couldn't figure out any good way to clearly define a mapping between a
> given machine and a given class of user, especially given that we don't have
> a PKI.  For example, how do you handle loaner machines that may be used by
> anyone?

I don't think we've really thought through all the issues yet, but
to give you an idea of what this might look like under an ideal
scenario...  All users have a Northwestern 'netid' that is used
to authenticate their host onto the dial, wireless or wired net.
Port-level authentication is the holy grail for this to happen,
but using our Netpass system we could theoretically do this based
on a set group of VLANs.  If you register as a student, you get
put into the student VLAN, as a staff member, the staff VLAN and
faculty go into the faculty VLAN.  Using the magic of MPLS, each
group's VLAN sees a different picture of the routing table and
gets funneled through the net per that group's class.  Faculty
might be unencumbered, students might all first have to go behind
a firewall and rate limiter that shields those hosts from the
rest of us, etc.

> I'd definitely be curious in hearing how this turns out if you go
> that route.

That makes two of us.  :-)

John
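As an added illustration of the per-class VLAN and routing-view scheme sketched in the message (this is not code from the thread; every prefix, VLAN number and next-hop name is constructed for the example):

```python
from ipaddress import ip_address, ip_network

# Constructed model of the scheme in the message: a netid's registered role
# selects a VLAN, each VLAN is bound to its own routing view (VRF), and the
# views differ so that each class is funneled through the network differently.
# All prefixes, VLAN ids and next-hop names here are made up.
CAMPUS = ip_network("192.0.2.0/24")      # stand-in for the campus block
CAMERAS = ip_network("10.250.0.0/16")    # RFC1918 "important stuff" VLAN
ROLE_VLAN = {"faculty": 100, "staff": 200, "student": 300}

# One table per VLAN: prefix -> next hop. A prefix mapped to None is a
# blackhole route; a destination with no matching prefix is likewise dropped.
VRF_VIEWS = {
    100: {"0.0.0.0/0": "border-router", str(CAMPUS): "campus-core",
          str(CAMERAS): "facilities-core"},               # faculty: unencumbered
    200: {"0.0.0.0/0": "border-router", str(CAMPUS): "campus-core",
          str(CAMERAS): "facilities-core"},               # staff: same as faculty
    300: {"0.0.0.0/0": "student-firewall", str(CAMPUS): "student-firewall",
          str(CAMERAS): None},  # students: everything via firewall/rate limiter
}

def assign_vlan(role):
    """Registration step: the role tied to the netid decides the VLAN."""
    if role not in ROLE_VLAN:
        raise ValueError(f"unknown role {role!r}")
    return ROLE_VLAN[role]

def next_hop(vlan, dst):
    """Longest-prefix match in the view bound to this VLAN; None means dropped."""
    dst = ip_address(dst)
    best = None
    for prefix, hop in VRF_VIEWS[vlan].items():
        net = ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None

def path_for(role, dst):
    """End to end: role -> VLAN -> forwarding decision for one destination."""
    return next_hop(assign_vlan(role), dst)

if __name__ == "__main__":
    for role in ROLE_VLAN:
        for dst in ("192.0.2.10", "10.250.1.5", "198.51.100.7"):
            print(f"{role:8} -> {dst:14} via {path_for(role, dst)}")
```

The camera VLAN shows the isolation point: it simply has no usable route in the student view, while the same class's campus and Internet traffic all lands on the firewall first.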

