[ednog] Techniques for overlays and walled gardens
jtk at northwestern.edu
Tue Apr 5 23:31:58 EDT 2005
On Tue, 5 Apr 2005 18:55:55 -0400
Frank Sweetser <fs at WPI.EDU> wrote:
> Here, for the important stuff (security cameras, environmental controls, etc)
> we put them in an application specific VLAN with an RFC1918 addressing scheme.
Is your network really flat so these layer 2 VLANs span the entire
campus? Or do you simply create separate and isolated layer 2 VLANs
at each routing domain and not connect them together?
> > We've also had some discussion about separating classes of users,
> > such as delineating between faculty, staff and students. Perhaps
> > all three of these general scenarios has a common theme?
> We've had discussions about this (mostly with regard to our wireless subnet),
> and couldn't figure out any good way to clearly define a mapping between a
> given machine and a given class of user, especially given that we don't have
> a PKI. For example, how do you handle loaner machines that may be used by
I don't think we've really thought through all the issues yet, but
to give you an idea of what this might look like under an ideal
scenario... All users have a Northwestern 'netid' that is used
to authenticate their host onto the dial, wireless or wired net.
Port-level authentication is the holy grail for this to happen,
but using our Netpass system we could theoretically do this based
on a set group of VLANs. If you register as a student, you get
put into the student VLAN, as a staff member, the staff VLAN and
faculty go into the faculty VLAN. Using the magic of MPLS, each
group's VLAN sees a different picture of the routing table and
gets funneled through the net per that group's class. Faculty
might be unencumbered, students might all first have to go behind
a firewall and rate limiter that shields those hosts from the
rest of us, etc.
> I'd definitely be curious in hearing how this turns out if you go
> that route.
That makes two of us. :-)
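As an added illustration, not code from the thread or from Netpass: a small audit that checks whether each authenticated host sits in the VLAN its registration class calls for, the control the post sketches (students in the student VLAN, staff in the staff VLAN, and so on). The VLAN numbers, netids and session records are constructed assumptions.

```python
# Added example (not from the ednog thread): audit that each authenticated
# host's VLAN matches the class its netid registered as. All names,
# VLAN numbers and records are constructed for illustration.

from dataclasses import dataclass

# Hypothetical mapping of registration class to VLAN id.
CLASS_VLAN = {"student": 200, "staff": 300, "faculty": 400}


@dataclass(frozen=True)
class Session:
    netid: str        # authenticated netid
    registered: str   # class recorded at registration time
    vlan: int         # VLAN the switch actually placed the port in


def vlan_mismatches(sessions):
    """Return (netid, expected_vlan, actual_vlan) for hosts in the wrong VLAN.
    A class with no VLAN mapping is reported with expected None, since such a
    host would silently fall outside the per-class routing policy."""
    findings = []
    for s in sessions:
        expected = CLASS_VLAN.get(s.registered)
        if expected != s.vlan:
            findings.append((s.netid, expected, s.vlan))
    return findings


def vlan_population(sessions):
    """Count hosts per VLAN; an unexpectedly populated VLAN is worth a look."""
    counts = {}
    for s in sessions:
        counts[s.vlan] = counts.get(s.vlan, 0) + 1
    return counts


# Constructed sample: one student host landed in the faculty VLAN and one
# session registered under a class that has no VLAN defined.
SAMPLE = [
    Session("abc123", "student", 200),
    Session("def456", "staff", 300),
    Session("ghi789", "student", 400),   # wrong VLAN
    Session("jkl012", "faculty", 400),
    Session("mno345", "guest", 200),     # unmapped class
]

if __name__ == "__main__":
    for netid, expected, actual in vlan_mismatches(SAMPLE):
        print(f"{netid}: expected VLAN {expected}, found {actual}")
```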