Identity awareness: it’s more than just a packet

It was about 20 years ago that I plugged my first Ethernet cable into a switch. It was for our new chief executive officer. Little did she know that she was about to share her traffic with most of the other people on the first floor. As the network engineer at the time, I had five floors to look after.

Having a few virtual LANs (VLANs) per floor was common design practice in those days; a couple of broadcast domains per floor were deemed acceptable. With the VLAN-based approach, people with very different roles were given access on the same subnet, and the network treated everyone on that subnet the same, regardless of who they were or what they were entitled to reach.

Port-by-port and VLAN-by-VLAN enforcement

I used to define access control policies port by port and VLAN by VLAN. Each VLAN was associated with an IP subnet, and the IP access control lists (ACLs) were applied to that subnet, regardless of who the users on it were. So what happens when a user plugs into a port on a different VLAN and picks up an address in another subnet? The ACLs tied to the previous VLAN and subnet no longer apply to that user; whatever policy the new subnet carries is what they get. In effect, the policy a user received was decided by the subnet they happened to land on, not by what the network engineer intended for that user.
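To make that failure mode concrete, here is an added example in Python; it is not code from the original post. It models the two policy styles side by side: an ACL bound to the VLAN's subnet, and a rule set bound to the authenticated user. The addressing (one /24 per VLAN, a finance application at 10.9.0.5), the users and the rule tables are all constructed for illustration. It shows both points made above: everyone on a subnet is treated alike, and a subnet-bound ACL stops following a user who re-plugs into another floor's VLAN, whereas an identity-bound rule does not.

```python
import ipaddress

# Constructed example (not the article's network): one /24 per VLAN, hypothetical addressing.
VLAN_SUBNETS = {
    10: ipaddress.ip_network("10.1.10.0/24"),   # first-floor VLAN
    20: ipaddress.ip_network("10.1.20.0/24"),   # second-floor VLAN
}
FINANCE_NET = ipaddress.ip_network("10.9.0.0/24")   # hypothetical finance segment
FINANCE_APP = ipaddress.ip_network("10.9.0.5/32")   # hypothetical finance application host


def evaluate(rules, dst):
    """First-match evaluation with an implicit deny at the end, like a router ACL."""
    for action, dst_net in rules:
        if dst in dst_net:
            return action == "permit"
    return False


# Subnet-keyed policy: an ACL bound to each VLAN's subnet. Every host in that
# subnet is evaluated against the same rules, whoever is sitting behind it.
SUBNET_ACL = {
    VLAN_SUBNETS[10]: [("permit", FINANCE_APP), ("deny", FINANCE_NET)],
    VLAN_SUBNETS[20]: [("deny", FINANCE_NET)],
}

# Identity-keyed policy: rules bound to the authenticated user, independent of
# which port or subnet that user currently has an address in.
IDENTITY_POLICY = {
    "ceo": [("permit", FINANCE_APP), ("deny", FINANCE_NET)],
    "contractor": [("deny", FINANCE_NET)],
}


def subnet_allows(src_ip, dst_ip):
    """Look up the ACL by the source's subnet; unknown subnets fall to implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for subnet, rules in SUBNET_ACL.items():
        if src in subnet:
            return evaluate(rules, dst)
    return False


def identity_allows(user, dst_ip):
    """Look up the rules by who the user is; unknown users fall to implicit deny."""
    return evaluate(IDENTITY_POLICY.get(user, []), ipaddress.ip_address(dst_ip))


def move_user(user, old_ip, new_ip, dst_ip):
    """Outcome under each model before and after a user re-plugs into another VLAN."""
    return {
        "subnet_before": subnet_allows(old_ip, dst_ip),
        "subnet_after": subnet_allows(new_ip, dst_ip),
        "identity_before": identity_allows(user, dst_ip),
        "identity_after": identity_allows(user, dst_ip),
    }


if __name__ == "__main__":
    # The CEO moves from the first floor (VLAN 10) to the second floor (VLAN 20).
    print(move_user("ceo", "10.1.10.25", "10.1.20.25", "10.9.0.5"))
    # A contractor who plugs into a first-floor port inherits the CEO's subnet ACL.
    print("contractor on VLAN 10:", subnet_allows("10.1.10.77", "10.9.0.5"))
    print("contractor by identity:", identity_allows("contractor", "10.9.0.5"))
```

The subnet-keyed result flips from permit to deny the moment the CEO's address changes, while the identity-keyed result is unchanged; and under the subnet model anyone who lands on VLAN 10, contractor included, is permitted to the finance application.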

As a matter of fact, segmentation was not the purpose behind the introduction of VLANs; they were created primarily to divide broadcast domains. Segmentation as a security control came much later, and today it comes in many interesting flavors, SD-WAN being one of them.
