🏫 CAN

Campus Area Network — Multi-Building LAN with Identity, Segmentation & Evidence

A CAN (Campus Area Network) connects multiple buildings across a campus (corporate, university, hospital, plant) into one low-latency, high-reliability fabric.
SolveForce designs CANs that are secure-by-default, identity-aware, and observable—from fiber backbones and distribution switching to Wi-Fi 6/6E/7—with 802.1X/NAC, microsegmentation, and audit-grade telemetry.

Where CAN fits in the stack:
🖧 Fabric → Networks & Data Centers • 🏠 Access → LAN • 🏙️ Metro → MAN • 🌍 Wide → WAN
🔐 Security → Cybersecurity • 🚪 Access → NAC • 🔒 Per-App → ZTNA / SASE
🧩 East-West → Microsegmentation • 🧰 Cabling/Power → Structured Cabling • Racks & PDUs
📊 Evidence/Automation → SIEM / SOAR


🎯 Outcomes (Why SolveForce CAN)

  • Low-latency campus fabric — predictable performance for voice, collaboration, EMR/OT, and AI/edge workloads.
  • Identity-first access — 802.1X EAP-TLS everywhere; device posture gates before network entry.
  • Least-privilege by design — role/tag-based segmentation with microsegmentation for crown-jewel apps.
  • Operational clarity — standardized VLAN/IP plans, DHCP/DNS/IPAM hygiene, PoE budgets, and change automation.
  • Audit-ready — auth/port/wireless events, changes, and SLOs exported to SIEM with runbooks in SOAR.

🧭 Scope (What We Build & Operate)

  • Backbone & Distribution — single-mode (SMF) rings/spurs between buildings; distribution switches with 25/40/100/400G uplinks.
  • Access Switching — 1/2.5/5/10G multigig, PoE/PoE+/UPOE for APs/cameras/phones/badges.
  • Wi-Fi 6/6E/7 — high-density RF planning, roaming/handoff tuning, IoT/guest isolation.
  • Access Control — 802.1X (EAP-TLS), NAC (posture + dynamic VLAN/ACL/SGT), guest sponsor portals. → NAC
  • Segmentation — VLANs/VRFs/SGT and microsegmentation policies for least privilege. → Microsegmentation
  • Services — DHCP, DNS, AAA (RADIUS/TACACS+), NTP, IPAM; logging & retention.
  • Facilities — IDF/MDF layout, fiber/copper plant, UPS/generator integration, environmental monitoring. → Structured Cabling • Racks & PDUs

🧱 Building Blocks (Spelled Out)

  • Topology — hierarchical (Access → Distribution → Core) or leaf/spine for larger campuses; L3 at distribution/core to bound L2 domains.
  • Fiber plant — SMF for inter-building; MMF inside buildings; diverse conduits/entrances for resilience.
  • Wi-Fi — dual/tri-band with 6 GHz where legal; fast roaming (802.11r/k/v) for voice; separate SSIDs for corp/guest/IoT with distinct policies.
  • Identity & Posture — certificates via PKI; MDM/UEM + EDR health checks; contractor profiles with time-boxed access.
  • Segmentation — role/tag intent compiled to ACL/SGT/NetworkPolicy; IoT/OT in function-specific enclaves; deny east-west by default.
  • Cloud/Metro tie-in — CAN uplinks to MAN ring or colo hub, then private on-ramps to cloud. → MAN • Direct Connect
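The "role/tag intent compiled to ACL/SGT, deny east-west by default" building block, shown as an added example (not SolveForce's tooling): roles, SGT numbers and intents below are constructed, and the compiler emits permits for declared intents followed by an explicit deny for every other SGT pair.

```python
"""Compile role/tag segmentation intents into an ordered, first-match ACL
whose tail denies all remaining east-west traffic. Added illustrative code;
role names, SGT values and intents are constructed, not from any real site."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed role -> SGT (security group tag) assignments.
SGT = {"clinician": 10, "emr-app": 20, "iot-camera": 30, "nvr": 40, "guest": 50}

@dataclass(frozen=True)
class Intent:
    src_role: str
    dst_role: str
    proto: str                  # "tcp" or "udp"
    ports: Tuple[int, ...]      # allowed destination ports

@dataclass(frozen=True)
class AclEntry:
    action: str                 # "permit" or "deny"
    src_sgt: int
    dst_sgt: int
    proto: str                  # "tcp", "udp" or "ip" (any)
    dport: Optional[int]        # None = any port

def compile_intents(intents: List[Intent], sgt_map=SGT) -> List[AclEntry]:
    """Permits for each (intent, port) come first; then an explicit deny for
    every SGT pair, so anything not granted (including the reverse direction
    of an intent) is denied by default."""
    acl: List[AclEntry] = []
    for it in intents:
        if it.src_role not in sgt_map or it.dst_role not in sgt_map:
            raise ValueError(f"unknown role in intent: {it}")
        s, d = sgt_map[it.src_role], sgt_map[it.dst_role]
        for port in it.ports:
            acl.append(AclEntry("permit", s, d, it.proto, port))
    for s in sorted(sgt_map.values()):
        for d in sorted(sgt_map.values()):
            if s != d:
                acl.append(AclEntry("deny", s, d, "ip", None))
    return acl

def is_allowed(acl: List[AclEntry], src_sgt: int, dst_sgt: int,
               proto: str, dport: int) -> bool:
    """First-match evaluation, as an enforcement point applies the ACL."""
    for e in acl:
        if (e.src_sgt == src_sgt and e.dst_sgt == dst_sgt
                and e.proto in (proto, "ip") and e.dport in (dport, None)):
            return e.action == "permit"
    return False   # no match: implicit deny
```

Return traffic for a permitted flow is assumed to be handled by stateful inspection at the enforcement point; the ACL itself never grants the reverse direction.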

πŸ› οΈ Design Patterns (Choose Your Fit)

A) Identity-First Campus

802.1X EAP-TLS on wired & Wi-Fi, NAC posture gates, dynamic VLAN/ACL/SGT; guest/contractor portal (Internet-only).
→ NAC • IAM / SSO / MFA

B) Zero-Trust CAN + Per-App Access

Users reach apps via ZTNA/SASE; campus enforces least-privilege paths; no flat VPNs.
→ ZTNA • SASE

C) OT/IoT & Life-Safety

Device profiling, function-based enclaves, strict allowlists; 802.1X where feasible; fallback MAC auth tightly scoped; NDR monitors anomalies.
→ NDR

D) High-Density / Learning & Healthcare

6E for capacity, AP placement by seat/bed counts; roaming and airtime fairness tuned; voice/telemetry QoS lanes.

E) Campus ↔ DC / Cloud

Inter-building SMF to distribution hubs; routed core to colo; private on-ramps to cloud; SD-WAN for branches.
→ Colocation • Direct Connect • SD-WAN


πŸ“ SLO Guardrails (Targets You Can Measure)

KPI / SLO                              Target (Recommended)
Access port 802.1X auth (p95)          ≤ 2–5 s
Wi-Fi association + DHCP (p95)         ≤ 2–4 s
Roam time (p95, same SSID)             ≤ 50–150 ms (voice-safe)
One-way CAN latency (p95)              ≤ 1–3 ms campus; ≤ 0.5–1 ms intra-DC
Jitter (one-way)                       ≤ 1–3 ms
Packet loss (sustained)                < 0.1%
PoE headroom per switch                ≥ 20% at peak draw
Change success rate                    ≥ 99% (staged rings + rollback)
Evidence completeness                  100% (auth, posture, RF, changes)

SLO breaches open tickets and trigger SOAR actions (quarantine, RF retune, rate-limit, rollback). → SIEM / SOAR
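How the guardrail table turns into a check that can open a ticket and pick a SOAR playbook, as an added example (not SolveForce's SIEM/SOAR content): it uses the upper bound of each target range above, a nearest-rank p95, and a constructed KPI-to-playbook mapping over constructed telemetry samples.

```python
"""Evaluate campus SLO guardrails over a telemetry window and name the SOAR
action a breach should trigger. Added example; targets are the upper bounds
from the table, while samples and the playbook mapping are constructed."""
import math
from typing import Dict, List, Optional, Tuple

# Upper bound of each recommended target range (unit noted per KPI).
SLO_TARGETS = {
    "dot1x_auth_s": 5.0,    # access-port 802.1X auth, p95, seconds
    "wifi_assoc_s": 4.0,    # Wi-Fi association + DHCP, p95, seconds
    "roam_ms":      150.0,  # same-SSID roam, p95, milliseconds
    "latency_ms":   3.0,    # one-way campus latency, p95, milliseconds
    "loss_pct":     0.1,    # sustained packet loss, percent (compared on mean)
}
# Constructed KPI -> playbook mapping, mirroring the SOAR actions named above.
SOAR_ACTION = {
    "dot1x_auth_s": "quarantine-port-and-check-radius",
    "wifi_assoc_s": "rf-retune",
    "roam_ms":      "rf-retune",
    "latency_ms":   "rate-limit-offenders",
    "loss_pct":     "rollback-last-change",
}

def p95(samples: List[float]) -> float:
    """Nearest-rank 95th percentile; valid for any non-empty sample list."""
    if not samples:
        raise ValueError("no samples in window")
    ordered = sorted(samples)
    rank = math.ceil(0.95 * len(ordered))        # 1-based rank
    return ordered[rank - 1]

Result = Tuple[float, float, bool, Optional[str]]   # observed, target, breached, action

def evaluate(window: Dict[str, List[float]]) -> Dict[str, Result]:
    """window maps KPI name -> samples. Percentile KPIs are judged on p95;
    loss_pct on its mean, since the target is for sustained loss."""
    report: Dict[str, Result] = {}
    for kpi, samples in window.items():
        if kpi not in SLO_TARGETS:
            continue                             # unknown KPI: never invent a target
        observed = sum(samples) / len(samples) if kpi == "loss_pct" else p95(samples)
        breached = observed > SLO_TARGETS[kpi]
        report[kpi] = (observed, SLO_TARGETS[kpi], breached,
                       SOAR_ACTION[kpi] if breached else None)
    return report

def breaches(report: Dict[str, Result]) -> List[str]:
    """KPIs that breached in this window; each one opens a ticket."""
    return sorted(k for k, (_, _, hit, _) in report.items() if hit)
```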


🔒 Security (Zero-Trust at the Edge)

  • 802.1X everywhere (wired & wireless); RA/DHCP Guard & DAI on access; MACsec on sensitive uplinks. → Encryption
  • Per-App Access via ZTNA/SASE; campus policy blocks lateral movement. → ZTNA • SASE
  • Microsegmentation for workloads and crown-jewel systems. → Microsegmentation
  • Keys/Secrets from vault; short-lived tokens; no plaintext in configs. → Secrets Management • Key Management / HSM

📊 Observability & NOC

  • Wired: interface/PoE, EAP states, errors, QoS queues, link events.
  • Wi-Fi: SNR, airtime, retries, client load, roam metrics; DHCP/DNS timings.
  • Security: NAC decisions, guard hits, segmentation denies, ZTNA attach times.
    Dashboards, alarms, and monthly reports; escalation runbooks. → NOC Services • Circuit Monitoring

💵 Commercials (What Drives Cost)

  • Building count & distances, fiber laterals/conduits, switch/port & PoE counts, Wi-Fi density, NAC/AAA licensing, cabling & UPS.
  • Managed vs co-managed support, software subscriptions, maintenance windows.

πŸ› οΈ Implementation Blueprint (No-Surprise Rollout)

1) Survey & goals — users/devices per building, density, voice/IoT/OT needs, compliance.
2) Fiber & topology — SMF ring/spur design, diverse entrances, distribution/core architecture.
3) Address & VLAN plan — per-building/zone scheme; IPAM updates.
4) Identity & posture — 802.1X EAP-TLS, device certs, NAC policy; guest/contractor flows.
5) Wi-Fi RF — heatmaps, AP placement, channel/power plans; 6 GHz where supported.
6) Segmentation — VLAN/VRF/SGT map; microseg intents; default-deny.
7) Services — DHCP/DNS/NTP/AAA; log export parsers; SIEM dashboards.
8) Pilot & rings — one building/floor → campus; staged changes with rollback.
9) Operate & drill — quarterly RF tune-ups, failover tests, NAC reviews; publish RCAs.


✅ Pre-Engagement Checklist

  • πŸ—ΊοΈ Campus map, building list, IDF/MDF locations, existing fiber routes.
  • πŸ‘₯ Headcount/devices & concurrency by space type (classroom, lab, clinic, office, warehouse).
  • πŸ” Identity model (SSO/MFA), certificate plan, NAC posture gates.
  • 🧩 VLAN/VRF/SGT map; voice/IoT/OT requirements; microseg intents.
  • πŸ“Ά RF constraints (walls/DFS), 6 GHz eligibility, roaming goals.
  • ⚑ PoE budgets, UPS runtimes, generator presence.
  • 🌐 Uplinks to MAN/WAN/colo/cloud; DNS & Anycast strategy.
  • πŸ“Š SIEM/NOC destinations; SLO targets; escalation contacts; change windows.

🔄 Where CAN Fits (Recursive View)

1) Grammar — campus fabric in Networks & Data Centers & Connectivity.
2) Syntax — feeds Cloud and metro hubs via routed cores.
3) Semantics — Cybersecurity enforces identity, posture, segmentation.
4) Pragmatics — SolveForce AI predicts congestion/coverage and auto-tunes policy.
5) Foundation — consistent terms via Primacy of Language.
6) Map — indexed in the SolveForce Codex & Knowledge Hub.


📞 Build a CAN That’s Fast, Secure & Auditable