Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1600
Views
0
Helpful
3
Replies

Network segmentation on healthcare environment

juanestebanmrpo
Level 1
Level 1

‎07-22-2011 08:41 AM - edited ‎03-07-2019 01:21 AM

I work in a large hospital with 3000 employees aprox, and we are given the task of segmenting our network, and we are thinking of implementing 802.1x

Our hospital is very dynamic, all months we have areas which are moved to another location and stuff like that, we want to automatize the vlan assignment process, because we have personal from different areas all over the hospital, not on an specific location.

That`s why we are thinking of use dynamic vlans that will be assigned by our ACS which is synchronized with our Active Directory, so a nurse which belongs to the NURSE vlan will be able to log in any computer on any floor of our hospital with her AD username and password and will be assigned the same vlan and can access to the same network resources everywhere she goes.

We use an star topology, we have a 4507 with 2 6E supervisors as a core, and our access layer are 2960S and 2060G.

But my question is: if I have only 2 users which belong to vlan 20 on every one of the 10 floors of my building, wont that affect the performance of my network or will cause a very big increase CPU on our core? (theres no way I can put the on another vlan because the network resources they use are very specific and limited). 

We will use:

- VTP with prunning enabled for vlan distribution.

- PEAP for authentication.

- AD as our external database for ACS.

Any other suggestions? I`ll appreciate you suggest documentations about this kinds of networks which are tremendously dynamic.

Pd: excuse my English, haven`t practiced for a while.

Labels:
0 Helpful
3 Replies 3

Rahul Kachalia
Cisco Employee
Cisco Employee

‎07-22-2011 10:55 AM

Hello Juan,

It appears you are statically assigning the VLAN in AAA server to authenticate and derive the dynamic VLAN IDs for each user profile. In such case yes you ll have span the VLAN in each wiring closet which may create large broadcast domain and introduce different set of challenges.

Alternatively you can use static and unique VLAN per access switches, however with common VLAN name, i.e

SW1 = Vlan10 = Nurse_VLAN

SW2 = Vlan20 = Nurse_VLAN

Instead using static VLAN ID, you can use static VLAN_Name that will dynamically select the unique VLAN without SPAN. Now it is assume you will have some sort of Layer 3 segmentation done beyond multilayer boundary - MPLS or VRF etc...

thanks,

rahul.

0 Helpful

juanestebanmrpo
Level 1
Level 1
In response to Rahul Kachalia

‎07-22-2011 11:08 AM

What would you recommend? VLAN per floor and apply access list on the servers VLAN?

0 Helpful

Rahul Kachalia
Cisco Employee
Cisco Employee
In response to juanestebanmrpo

‎07-23-2011 05:09 AM

Hello Juan,

You can use unique VLAN per floor. Again I assume you will have some segmentation done in L3 network. Server access design varies - dedicated server per segmented network OR using shared services.

Please check your inbox for additional informations...

thanks,

rahul.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card