What to know about Network Segmentation

  • All devices on campus will need to be migrated to a new network segment
    • Devices that currently use DHCP will be largely unaffected, and will grab a new IP address when moved
    • Devices with static IPs should leverage DHCP MAC address reservations where possible
    • Each building will have a dedicated network associated with its segmentation
    • Data Center Segmentation is a separate project that is also currently underway.
  • Extending the network will be phased out
    • What is a network extension?
      Example: Putting an additional network switch behind a port, with multiple devices connected downstream
      • This blocks our ability to profile devices and manage their security profile correctly
      • This also interferes with E911 requirements for Campus Health and Safety
      • Phasing out network extensions reduces the chances of a network disruption that can impact buildings or campus
    • Devices that are extending the network will need to move to a dedicated network connection for each device, with very few exceptions
      • Meaning 1 device per port 
  • Guest Network will be the default LSA network (outbound only)

Security Considerations

  • Default preference is to use LSA networks for campus devices
  • Systems needing only outbound Internet access will be assigned LSA addresses (similar to current wireless) and will use NAT to access the Internet
  • Owners of systems needing inbound Internet access (i.e., servers) will contact ISPO for an exception, and those systems will need a new public IP