Educause Security Discussion mailing list archives

How do you implement VLAN segmentation in your buildings?


From: Tristan RHODES <tristanrhodes () WEBER EDU>
Date: Wed, 9 May 2007 09:56:21 -0600

Greetings,

We are discussing various ways to segment traffic using VLANs.  How are
other universities doing this?

We have a pair of layer-3 switches in most buildings that serve as the
distribution layer.  The question is, how many networks do you create
for a building? Do you:

1) Segment based on security level?  (guest/kiosks, students/labs,
faculty/staff, facility management, network management)

2) Segment based on department/college? (accounting, finance, human
resources)

3) Segment based on location? (first floor, second floor, third floor)

4) Or do you follow Cisco best practices which promote the idea of one
unique vlan/network for every switch?

I do not like the high level of maintenance in models 1 and 2.  For
example, when people move or if their roles change, how will we be
notified so that we can change their VLAN?

I prefer the location-based segmentation due to its simplicity.  To
provide security segmentation, something like NAC + McAfee ePO can be
used to enforce firewall policies on end-hosts.

Thanks for your input.

Tristan Rhodes
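As an added illustration of option 3 above (not part of the original post or any vendor documentation), the following constructed Cisco IOS-style configuration shows per-floor VLANs on one layer-3 distribution switch, with a single shared ACL so that moves between floors need no VLAN or ACL changes, and a network-management VLAN that floor users cannot reach regardless of where they plug in. VLAN IDs, names, interface numbers and 10.x addresses are hypothetical.

```cisco
! Constructed example: per-floor user VLANs plus an isolated management VLAN.
! All identifiers and addresses are hypothetical.
vlan 110
 name BLDG-A-FLOOR1
vlan 120
 name BLDG-A-FLOOR2
vlan 130
 name BLDG-A-FLOOR3
vlan 900
 name BLDG-A-NETMGMT
!
! One ACL applied to every floor SVI: floor-to-floor traffic is allowed,
! but no floor may reach the switch-management subnet. Because the ACL is
! identical on every floor, a user moving floors changes nothing here.
ip access-list extended FLOOR-IN
 deny   ip any 10.1.90.0 0.0.0.255
 permit ip any any
!
interface Vlan110
 description Floor 1 users
 ip address 10.1.10.1 255.255.255.0
 ip access-group FLOOR-IN in
!
interface Vlan120
 description Floor 2 users
 ip address 10.1.20.1 255.255.255.0
 ip access-group FLOOR-IN in
!
interface Vlan130
 description Floor 3 users
 ip address 10.1.30.1 255.255.255.0
 ip access-group FLOOR-IN in
!
! Management SVI: only the (hypothetical) NOC subnet may talk to it.
ip access-list extended MGMT-IN
 permit ip 10.1.90.0 0.0.0.255 10.0.250.0 0.0.0.255
 deny   ip any any
!
interface Vlan900
 description Switch management only
 ip address 10.1.90.1 255.255.255.0
 ip access-group MGMT-IN in
!
! Access ports are assigned by physical location, not by user role;
! role-based policy is left to the host firewall (NAC + ePO in the post),
! which follows the user rather than the port.
interface range GigabitEthernet1/0/1 - 24
 switchport mode access
 switchport access vlan 110
 spanning-tree portfast
```

The trade-off this makes visible is that the switch enforces only location-level boundaries; anything that depends on who the user is (option 1 or 2 in the post) has to come from the host-side policy, so the two controls are complementary rather than alternatives.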
