Network and Security Design best practices for User/Campus site design with movable users


User Site:

  • User’s desks are not fixed. They can move across different floors
  • A few users are using VDI thin clients where the XenApp servers are in the DCs
  • There are multiple floors
  • Cisco Stack access switches
  • VSS on Cisco Core switches
  • Mesh connectivity wherever supported
  • Cisco ISE with TrustSec license
  • Contains Cisco devices
  • Access services in different datacenters across WAN links
  • Users are accessing large numbers of destination IPs
  • Firewall on Stick (firewall is gateway for all vlans/zones)
  • IPs are assigned via DHCP using MAC address bindings

Data Center:

  • Different layers of non cisco Firewalls
  • A lot of zones and IP subnets


Diagram: A rough diagram is attached to give you an idea of the network


Queries and Recommendations:

  1. What are the best practices of IP Schema, IP addresses and vlans assignment design for a site/Campus that contains movable/portable users?
  2. What are the possible options for handling firewall permissions for movable users, where the IP for a user might be different on different floors (depends on Question #1)?
  3. What are the best practices for firewall permissions to be built based on users, security tags (TrustSec) or IPs?
  4. The user site is proposed to be based on TrustSec technology, while it may not be feasible if you don't have end-to-end (from source = user site to destination = DC) Cisco technologies. Please provide possible feasibility options considering that there are large numbers (2000 IPs) of destinations in the DC. Additionally, how will the firewall permissions be handled in the datacenter firewall in case TrustSec is used in the user site?

Solution Option 1: Use one large VLAN/IP subnet for all floors. In such a case, users will always get the same IP regardless of the floor, and firewall permissions can be granted based on IP addresses for each user.

Issue with Option 1: the broadcast domain will become large and will result in slowness.

Solution Option 2: Use a different VLAN per floor to avoid a large broadcast domain, and handle firewall permissions based on ISE TrustSec or usernames.

Issue with Option 2: the firewalls in the DC do not support firewall permissions based on security tags or permissions based on users.

1 Reply

Dan Lukes

We use a /21 address block in our campus VLAN (we have more VLANs, but this is the largest one) and we see no broadcast issues here. No multiple VLANs for the same class of users just because "different floor".

We are using L2 authentication. Any user can use any plug; he will be connected to the VLAN claimed by the RADIUS server (we have multiple VLANs for multiple classes of users).

Our RADIUS server verifies not only the credentials provided by the user, but the MAC address of the device as well. Thus no user can spoof the MAC address of another user wishing for a "more powerful IP assigned by DHCP". Moreover, we have IP Guard turned on on the switches, thus no user can use an IP address unless it was assigned to them by DHCP.

In short: users use the IP assigned by the DHCP server only, and they can't spoof the MAC to cheat the DHCP server.

As a result, we can use IP based firewall.
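As an added illustration of the setup Dan describes (this is example configuration written for this page, not configuration posted in the thread), the Cisco IOS access-switch snippet below ties the pieces together: 802.1X/MAB on the user ports with the VLAN assigned by the RADIUS server, DHCP snooping so the switch learns which IP was leased to which MAC on which port, and IP Source Guard (assumed here to be what "IP Guard" refers to) so a host can only send from the IP/MAC pair in that binding. The RADIUS server address, shared-secret placeholder, VLAN IDs and interface names are assumptions; the MAC-versus-credential check itself is a policy on the RADIUS/ISE side and does not appear in switch configuration.

```cisco
! --- AAA: authenticate and authorize user ports against the RADIUS server (ISE) ---
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
radius server ISE-1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813   ! placeholder ISE address
 key <RADIUS-SHARED-SECRET-PLACEHOLDER>
dot1x system-auth-control
!
! --- DHCP snooping builds the IP<->MAC<->port binding table that IP Source Guard enforces ---
ip dhcp snooping
ip dhcp snooping vlan 10,20          ! placeholder user VLANs assigned by RADIUS
no ip dhcp snooping information option
!
! --- User-facing port: any desk, any floor, VLAN comes back from RADIUS ---
interface GigabitEthernet1/0/1
 switchport mode access
 authentication port-control auto
 authentication order dot1x mab     ! 802.1X first, MAC Authentication Bypass for thin clients/printers
 authentication priority dot1x mab
 dot1x pae authenticator
 mab
 ip verify source port-security     ! IP Source Guard: drop traffic unless src IP *and* MAC match the DHCP binding
 spanning-tree portfast
!
! --- Uplink to the core (VSS): trusted so legitimate DHCP offers are accepted ---
interface TenGigabitEthernet1/1/1
 description uplink to core
 switchport mode trunk
 ip dhcp snooping trust
```

For the dynamic VLAN to apply, the RADIUS authorization result must carry the standard tunnel attributes: Tunnel-Type = VLAN (13), Tunnel-Medium-Type = IEEE-802 (6) and Tunnel-Private-Group-ID = the VLAN ID (or name). Because the binding used by IP Source Guard comes from DHCP snooping, a host that never went through DHCP, or that tries a static address, is dropped on the port, which is what makes the IP-based firewall rules in the DC trustworthy without a TrustSec-aware firewall.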
