Users' desks are not fixed. They can move across different floors
A few users are using VDI thin clients where the XenApp servers are in the DCs
There are multiple floors
Cisco Stack access switches
VSS on Cisco Core switches
Mesh connectivity wherever supported
Cisco ISE with TrustSec license
Contains Cisco devices
Access services in different datacenters across WAN links
Users are accessing large numbers of destination IPs
Firewall on Stick (firewall is gateway for all vlans/zones)
IPs are assigned via DHCP using MAC address bindings
Different layers of non-Cisco firewalls
A lot of zones and IP subnets
Diagram: A rough diagram is attached to give you an idea about the network
Queries and Recommendations:
1. What are the best practices of IP schema, IP address and VLAN assignment design for a site/campus that contains movable/portable users?
2. What are the possible options for handling firewall permissions for movable users, where the IP for a user might be different on different floors (depends on Question #1)?
3. What are the best practices for building firewall permissions based on users, security tags (TrustSec) or IPs?
4. The user site is proposed to be based on TrustSec technology, while it may not be feasible if you don't have end-to-end (from source = user site to destination = DC) Cisco technologies. Please provide possible feasibility options considering that there are large numbers (2000 IPs) of destinations in the DC. Additionally, how will the firewall permissions be handled in the datacenter firewall in case TrustSec is used in the user site?
Solution Option 1: Use one large VLAN/IP subnet for all floors. In such a case, users will always get the same IP regardless of the floor, and firewall permissions can be granted based on IP addresses for each user.
Issue with Option 1: the broadcast domain will become large and will result in slowness
Solution Option 2: Use a different VLAN for each floor to avoid a large broadcast domain, and handle firewall permissions based on ISE TrustSec or usernames.
Issue with Option 2: The firewalls in the DC do not support firewall permissions based on security tags or permissions based on users
We use a /21 address block in our campus VLAN (we have more VLANs, but this is the largest one) and we see no broadcast issues here. No multiple VLANs for the same class of users just because of "different floor".
We are using L2 authentication. Any user can use any plug - he will be connected to the VLAN claimed by the RADIUS server (we have multiple VLANs for multiple classes of users).
Our RADIUS server verifies not only the credentials provided by the user, but the MAC address of the device as well. Thus no user can spoof the MAC address of another user wishing for a "more powerful IP assigned by DHCP". Moreover, we have IP Guard turned on on the switches, thus no user can use an IP address unless it was assigned to them by DHCP.
In short - users use the IP assigned by the DHCP server only, and they can't spoof a MAC to cheat the DHCP server.
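For readers who want to see what the design in the answer above looks like on an access switch, here is an added example of a Cisco IOS configuration that implements the same three controls: 802.1X/MAB authentication with the VLAN assigned by the RADIUS server, DHCP snooping so only the uplink can hand out leases, and IP Source Guard so a port can only send traffic with the IP/MAC pair recorded in the DHCP snooping binding table. This is not the poster's configuration; the hostname, VLAN IDs, interface names, RADIUS address and shared secret are placeholder assumptions.

```cisco
! Added example (not the poster's config). Placeholder values: VLANs 100-110,
! RADIUS server 192.0.2.10, interface numbering of a 48-port stack member.
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
aaa accounting dot1x default start-stop group radius
!
radius server ISE-PSN1
 address ipv4 192.0.2.10 auth-port 1812 acct-port 1813
 key REPLACE_WITH_SHARED_SECRET
!
! Enable 802.1X globally; the per-user VLAN comes back from RADIUS in the
! Tunnel-Type (VLAN), Tunnel-Medium-Type (802) and Tunnel-Private-Group-ID
! attributes, so the port joins "the VLAN claimed by the RADIUS server".
dot1x system-auth-control
!
! DHCP snooping: builds the IP-to-MAC binding table that IP Source Guard
! enforces. Only the uplink towards the DHCP server is trusted.
ip dhcp snooping
ip dhcp snooping vlan 100-110
no ip dhcp snooping information option
!
interface TenGigabitEthernet1/1/1
 description Uplink to VSS core (trusted for DHCP offers)
 switchport mode trunk
 ip dhcp snooping trust
!
interface range GigabitEthernet1/0/1 - 48
 description User port - any user may plug in at any desk
 switchport mode access
 switchport access vlan 999
 switchport port-security
 authentication port-control auto
 authentication order dot1x mab
 authentication priority dot1x mab
 authentication host-mode single-host
 dot1x pae authenticator
 mab
 ip verify source port-security
 spanning-tree portfast
 spanning-tree bpduguard enable
```

VLAN 999 is a deliberately empty holding VLAN: a port sits there until RADIUS authorizes the session and moves it to the user's real VLAN, so an unauthenticated device never lands on a production subnet. `ip verify source port-security` (rather than plain `ip verify source`) checks both the source IP and the source MAC against the snooping binding, which is what stops a host from borrowing another user's MAC to inherit its DHCP reservation; it requires `switchport port-security` on the same port. Verifying the MAC against the user identity, as the answer describes, is done on the RADIUS/ISE side by matching the Calling-Station-ID of the request in the authorization policy, not in the switch configuration.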