ProCurve networking by HP

MPLS per User?

Published 28 February 2008, 07:40 AM

These days everybody is thinking about Multiprotocol Label Switching (MPLS) as the core networking technology for their enterprise local area network (LAN). The reason organizations are considering MPLS is segmentation of groups of users, business units, etc. My opinion about MPLS is that it is a difficult and very expensive protocol to manage. Within an enterprise LAN, administration must be simple to reduce operating costs. A protocol like MPLS is complex to manage and troubleshoot. Another disadvantage is the price of the MPLS equipment. If segmentation is the requirement for these organizations, HP ProCurve has the optimal solution: ‘MPLS per user’. The products you can use for this solution are the HP ProCurve Intelligent Edge switches in combination with HP ProCurve Identity Driven Manager (IDM). Within IDM you can create policies for users, groups and/or devices (such as IP telephony phones, clients, etc.). You assign the policies to Access Policy Groups (APGs). To each APG you can assign policies keyed on different parameters such as location, time, system, user/group, endpoint-integrity state and WLAN. The policies consist of a few parameters:

- VLAN

- Access Control List

- QoS

- Bandwidth

Below I provide an example of how you can use this solution:

Company X wants its users to be able to work flexibly company-wide. The company will implement flex desks where everybody can connect and authenticate to the network with IEEE 802.1X over the wired LAN, and over the wireless LAN in the conference rooms. The company wants to authenticate users and limit their privileges on the network according to their job role. There are some departments where this flexibility is difficult because of privacy regulations. The HR department is based on the 4th floor behind a wall of glass. The company also wants a lot of flexibility and automation of administration, and has specific demands on reporting.

For this scenario the ‘MPLS per user’ solution fits perfectly. You create groups within Active Directory, e.g. one for all domain users and one for HR users (Active Directory groups are not mandatory; you can also use IDM’s own groups). Turn on auto-synchronization and the groups are automatically synchronized into the IDM application. Now you can create the policies: if an HR user connects on the 4th floor, he/she can access:

- HR apps

- Internet

- Mail

- His/her user share(s).

If the HR user connects to a different location than the 4th floor he/she can access:

- Internet

- Mail

- His/her user share(s)

- But not the HR apps

All other users are placed into another group and can access mail, internet and their user share. But if these users log on via the wireless LAN they can only access mail and internet. This is fully transparent to the users. The policies follow the users anywhere, anytime. This is real segmentation per user, and you control the user’s entry point to the network in a flexible, automated and secure way.
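As an added illustration (not code from the original post, and not IDM’s own API), a small Python model of the location- and medium-dependent policies described above. Rule order provides the precedence, the VLAN numbers, ACL names and bandwidth limit are hypothetical, and a user who matches no rule falls through to a constructed guest policy instead of inheriting any access.

```python
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Policy:
    """What the edge switch applies to the port once a rule matches:
    VLAN, an allow-list ACL, a QoS priority and an optional rate limit."""
    vlan: int                       # hypothetical VLAN id
    acl: Tuple[str, ...]            # allowed destinations (constructed names)
    qos: int = 0
    bandwidth_kbps: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One entry of an access policy group. A condition of None means 'any'."""
    group: str
    policy: Policy
    location: Optional[str] = None  # e.g. "floor4"
    medium: Optional[str] = None    # "wired" or "wireless"

    def matches(self, location: str, medium: str) -> bool:
        return ((self.location is None or self.location == location)
                and (self.medium is None or self.medium == medium))


# Constructed policies modelled on the post's Company X example.
HR_ON_FLOOR4 = Policy(40, ("hr-apps", "internet", "mail", "user-share"))
HR_ELSEWHERE = Policy(41, ("internet", "mail", "user-share"))
STAFF_WIRED = Policy(20, ("internet", "mail", "user-share"))
STAFF_WIRELESS = Policy(21, ("internet", "mail"), bandwidth_kbps=2000)
GUEST = Policy(99, ())              # default: nothing allowed

# More specific rules first; the first match wins.
RULES = [
    Rule("HR", HR_ON_FLOOR4, location="floor4"),
    Rule("HR", HR_ELSEWHERE),
    Rule("Domain Users", STAFF_WIRELESS, medium="wireless"),
    Rule("Domain Users", STAFF_WIRED),
]


def authorize(groups, location: str, medium: str) -> Policy:
    """Pick the policy for an authenticated user given the groups the directory
    sync reported, where the user plugged in, and over which medium."""
    for rule in RULES:
        if rule.group in groups and rule.matches(location, medium):
            return rule.policy
    return GUEST


def is_allowed(policy: Policy, destination: str) -> bool:
    """Allow-list check: only destinations named in the policy's ACL pass."""
    return destination in policy.acl
```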

A lot of companies are trying to find the best fit for their enterprise LAN. During this search they are looking for the best balance between:

- Cost

- Security

- Flexibility

- Speed

The problem is that the points above also influence each other negatively. For example, if you want a very secure network, the cost goes up and flexibility drops. The other way around, if you want a very flexible network, the cost goes up and security drops, etc. I think ‘MPLS per user’ is a perfect solution for enterprise LANs because you gain a lot of flexibility, speed of change and a lot of security while keeping cost under control.

Hewlett Packard, HP, ProCurve, Network, Networking, Tools, Tips, MPLS, Identity management, Architecture

Posted by Dobias van Ingen
