This browser is no longer supported.

For a better viewing experience, please consider using one of our supported browsers below.

The Segmented Campus Network

Does your network meet all of your needs, or is it the sum product of a series of compromises put in place to meet competing needs for different applications and use cases?

Imagine being able to build a single physical network, and then being able to have it adapt dynamically to the user or endpoint that connects to it based on defined policy. For instance:

  • Employee: When an employee logs in from a corporate laptop, their endpoint is analyzed to ensure compliance with corporate security policies. They are then placed on the trusted corporate network and provided appropriate access to internal systems and data, partner connectivity, cloud environments, and the internet.

  • Vendor: When a vendor is on-site to perform work or do a presentation, they can self-register or be registered in advance and provided credentials via a portal to provide them with limited corporate access (as required) and internet.

  • Guest: Transient and anonymous users (e.g., customers, visitors, guests) can register via a self-service portal for guest internet access, with content filtering and other security constraints as appropriate for your environment and policy.

  • Infrastructure: Physical endpoints (e.g., printers, IoT) will be deployed to the appropriate network automatically, with the minimum required connectivity based on a variety of criteria as defined by the use case.

These are just some examples of use cases for the Segmented Campus network, a “Network as an Application,” where multiple logical network overlays can be built using a single physical network (underlay), with different capabilities, restrictions, security postures, and endpoints assigned to the appropriate network based on role, security policy, and other criteria.

While this is not new functionality (think Frame Relay, MPLS, or simple Ethernet VLANs), only now are all the necessary component parts available and at a level of maturity to make this feasible and accessible to Enterprise Networks. This can be thought of as a multi-generational leap forward from using VLANs to segment a single Ethernet switch in to multiple logical broadcast domains, or using VRFs to create multiple isolated routing planes within a single router, but with substantially more intelligence, capabilities, and security.

Compared to how things have been done historically, where the physical and logical networks are tightly coupled, relatively static, configured manually, and prone to errors, this new approach to networking opens up amazing new possibilities for flexibility, security, and insight!

The Segmented Campus starts like most any other network, with a good network design and resilient connectivity. Whether utilizing the traditional core/distribution/access modality, a leaf-spine design, or some other variation, at its foundation there needs to be a well-designed physical network that provides the speeds and feeds required.

We are able to create a dynamic network that automatically provides the right access and service—when and where it is needed—for each individual endpoint, as well as providing telemetry and reporting and maximizing the investment and utilization of a single physical network, by adding:

  • A security platform that provides directory services, authentication, authorization, and accounting (AAA), captive-portal functionality, self-service registration, and policy enforcement

  • A network controller for interpreting policy and transforming this intent in to a functional control plane

  • An API for automation

Across retail, healthcare, hospitality, education, manufacturing, and corporate environments, the applications and benefits of a Segmented Campus are almost endless. It gives organizations the tools and systems needed to design and build networks that bring meaningful value.

The Segmented Campus network delivers the features and functionality we have wanted from our networks all along: automation, abstraction, scalability, virtualization, and security. Be aware, though, that there are always tradeoffs: delivering all of these features and functionality does introduce complexity, as the network moves from being a static infrastructure to a distributed systems architecture, integrating a number of disparate systems and applications to provide a true next-generation network. This will require network designers and operators to approach the network more as a distributed application rather than simple infrastructure. It will also broaden the scope of skills needed to include an understanding of automation and software development, security, and a closer relationship with the business to tailor the solution to specific business use cases.

With ConvergeOne, you can be ready to adapt for your remote workforce

At ConvergeOne, our software-defined network experts build secure, cloud-architected networks that enable your organization to power the future of work, engage customers in new ways and run secure, reliable IT operations. Schedule a consultation
About the author:
Sean Mathias is a technology expert and problem solver focused on network architecture, systems engineering and cloud infrastructure. He helps companies to realize real value from technology by collaborating with them to understand the needs of their business, and develop an architecture and solutions that solve those problems.