Campus Area Network — Multi-Building LAN with Identity, Segmentation & Evidence
A CAN (Campus Area Network) connects multiple buildings across a campus (corporate, university, hospital, plant) into one low-latency, high-reliability fabric.
SolveForce designs CANs that are secure-by-default, identity-aware, and observable—from fiber backbones and distribution switching to Wi-Fi 6/6E/7—with 802.1X/NAC, microsegmentation, and audit-grade telemetry.
Where CAN fits in the stack:
🖧 Fabric → Networks & Data Centers • 🏠 Access → LAN • 🏙️ Metro → MAN • 🌍 Wide → WAN
🔐 Security → Cybersecurity • 🚪 Access → NAC • 🔒 Per-App → ZTNA / SASE
🧩 East-West → Microsegmentation • 🧰 Cabling/Power → Structured Cabling • Racks & PDUs
📊 Evidence/Automation → SIEM / SOAR
🎯 Outcomes (Why SolveForce CAN)
- Low-latency campus fabric — predictable performance for voice, collaboration, EMR/OT, and AI/edge workloads.
- Identity-first access — 802.1X EAP-TLS everywhere; device posture gates before network entry.
- Least-privilege by design — role/tag-based segmentation with microsegmentation for crown-jewel apps.
- Operational clarity — standardized VLAN/IP plans, DHCP/DNS/IPAM hygiene, PoE budgets, and change automation.
- Audit-ready — auth/port/wireless events, changes, and SLOs exported to SIEM with runbooks in SOAR.
🧭 Scope (What We Build & Operate)
- Backbone & Distribution — single-mode (SMF) rings/spurs between buildings; distribution switches with 25/40/100/400G uplinks.
- Access Switching — 1/2.5/5/10G multigig; PoE/PoE+/UPOE (802.3af/at/bt classes) for APs, cameras, phones, and badge readers, with per-switch power budgets tracked.
- Wi-Fi 6/6E/7 — high-density RF planning, roaming/handoff tuning, IoT/guest isolation.
- Access Control — 802.1X (EAP-TLS), NAC (posture + dynamic VLAN/ACL/SGT), guest sponsor portals. → NAC
- Segmentation — VLANs/VRFs/SGT and microsegmentation policies for least privilege. → Microsegmentation
- Services — DHCP, DNS, AAA (RADIUS/TACACS+), NTP, IPAM; logging & retention.
- Facilities — IDF/MDF layout, fiber/copper plant, UPS/generator integration, environmental monitoring. → Structured Cabling • Racks & PDUs
🧱 Building Blocks (Spelled Out)
- Topology — hierarchical (Access → Distribution → Core) or leaf/spine for larger campuses; L3 at distribution/core to bound L2 domains.
- Fiber plant — SMF for inter-building; MMF inside buildings; diverse conduits/entrances for resilience.
- Wi-Fi — dual/tri-band with 6 GHz where legal; fast roaming (802.11r/k/v) for voice; separate SSIDs for corp/guest/IoT with distinct policies.
- Identity & Posture — certificates via PKI; MDM/UEM + EDR health checks; contractor profiles with time-boxed access.
- Segmentation — role/tag intent compiled to ACL/SGT/NetworkPolicy; IoT/OT in function-specific enclaves; deny east-west by default.
- Cloud/Metro tie-in — CAN uplinks to MAN ring or colo hub, then private on-ramps to cloud. → MAN • Direct Connect
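As an added illustration of the intent-to-ACL step in the Segmentation bullet (example code written for this page, not SolveForce tooling or any vendor's policy engine): the role names, subnets and rendered rule text below are constructed. Intents are an allow-list; the compiler appends an explicit deny-any so any east-west flow not named by an intent is dropped, and it refuses an intent that would expose the crown-jewel role to IoT or guest roles.

```python
"""Compile role/tag segmentation intents into an ordered, default-deny ACL.

Added example for this page. Role names, subnets and the rule notation are
constructed; they are not SolveForce's policy model or any vendor's ACL syntax.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# Constructed role -> subnet map (one CIDR per role keeps the example short).
ROLES = {
    "corp-user":   "10.10.0.0/16",
    "iot-camera":  "10.30.0.0/16",
    "video-nvr":   "10.31.0.0/24",
    "crown-jewel": "10.250.0.0/24",
    "guest":       "172.16.0.0/16",
}

@dataclass(frozen=True)
class Intent:
    src_role: str
    dst_role: str
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port; None means any

# Allow-list intents. Anything not listed here is denied by the final rule.
INTENTS = [
    Intent("corp-user", "crown-jewel", "tcp", 443),   # users reach the app over HTTPS
    Intent("iot-camera", "video-nvr", "tcp", 554),    # cameras stream RTSP to the NVR only
]

@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: Optional[int]

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: Optional[int]) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and self.proto in ("any", proto)
                and self.dport in (None, dport))

    def render(self) -> str:
        port = "" if self.dport is None else f" eq {self.dport}"
        return f"{self.action} {self.proto} {self.src} {self.dst}{port}"

ANY = ipaddress.ip_network("0.0.0.0/0")

def compile_acl(intents: List[Intent], roles=ROLES) -> List[Rule]:
    """Turn intents into ordered permit rules followed by an explicit deny-any."""
    rules: List[Rule] = []
    for i in intents:
        if i.src_role not in roles or i.dst_role not in roles:
            raise ValueError(f"unknown role in intent: {i}")
        # Lint: never let low-trust roles reach crown-jewel systems, even if asked.
        if i.dst_role == "crown-jewel" and i.src_role.startswith(("iot-", "guest")):
            raise ValueError(f"refusing intent that exposes crown-jewel to {i.src_role}")
        rules.append(Rule("permit",
                          ipaddress.ip_network(roles[i.src_role]),
                          ipaddress.ip_network(roles[i.dst_role]),
                          i.proto, i.dport))
    rules.append(Rule("deny", ANY, ANY, "any", None))   # default deny, east-west included
    return rules

def evaluate(rules: List[Rule], src_ip: str, dst_ip: str, proto: str, dport: Optional[int]) -> str:
    """First-match evaluation, the way a switch or firewall walks an ACL."""
    for r in rules:
        if r.matches(src_ip, dst_ip, proto, dport):
            return r.action
    return "deny"   # unreachable with compile_acl output, kept as a safety net

def render_acl(rules: List[Rule]) -> List[str]:
    return [r.render() for r in rules]

if __name__ == "__main__":
    acl = compile_acl(INTENTS)
    print("\n".join(render_acl(acl)))
    print("camera -> crown-jewel:", evaluate(acl, "10.30.1.1", "10.250.0.10", "tcp", 443))
```

The rendered lines use a vendor-neutral notation; a real rollout would emit the platform's ACL or SGT syntax from the same intent list and push it through change automation with rollback, so the intent file, not the device config, is the reviewed artifact.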
🛠️ Design Patterns (Choose Your Fit)
A) Identity-First Campus
802.1X EAP-TLS on wired & Wi-Fi, NAC posture gates, dynamic VLAN/ACL/SGT; guest/contractor portal (Internet-only).
→ NAC • IAM / SSO / MFA
B) Zero-Trust CAN + Per-App Access
Users reach apps via ZTNA/SASE; campus enforces least-privilege paths; no flat VPNs.
→ ZTNA • SASE
C) OT/IoT & Life-Safety
Device profiling, function-based enclaves, strict allowlists; 802.1X where feasible; for devices that cannot do 802.1X, MAC Authentication Bypass (MAB) scoped to a narrow enclave and ACL; NDR monitors for anomalies.
→ NDR
D) High-Density / Learning & Healthcare
6E for capacity, AP placement by seat/bed counts; roaming and airtime fairness tuned; voice/telemetry QoS lanes.
E) Campus ↔ DC / Cloud
Inter-building SMF to distribution hubs; routed core to colo; private on-ramps to cloud; SD-WAN for branches.
→ Colocation • Direct Connect • SD-WAN
📐 SLO Guardrails (Targets You Can Measure)
| KPI / SLO | Target (Recommended) |
|---|---|
| Access port 802.1X auth (p95) | ≤ 2–5 s |
| Wi-Fi association + DHCP (p95) | ≤ 2–4 s |
| Roam time (p95, same SSID) | ≤ 50–150 ms (voice-safe) |
| One-way CAN latency (p95) | ≤ 1–3 ms campus; ≤ 0.5–1 ms intra-DC |
| Jitter (one-way) | ≤ 1–3 ms |
| Packet loss (sustained) | < 0.1% |
| PoE headroom per switch | ≥ 20% at peak draw |
| Change success rate | ≥ 99% (staged rings + rollback) |
| Evidence completeness | 100% (auth, posture, RF, changes) |
SLO breaches open tickets and trigger SOAR actions (quarantine, RF retune, rate-limit, rollback). → SIEM / SOAR
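To make the guardrails measurable, here is an added example (not SolveForce's monitoring code) that computes p95 per building and per SLO from constructed telemetry lines, compares it with a threshold, and maps each breach to the SOAR actions listed above. The log format and field names are invented for the example; treating the upper end of the table's recommended range as the breach line is an assumption, and the example also reports evidence completeness as the share of lines it could parse.

```python
"""Evaluate campus SLOs (p95) over telemetry lines and map breaches to SOAR actions.

Added example for this page; the log format, thresholds and action mapping are
assumptions, not SolveForce's telemetry schema.
"""
import math
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# p95 thresholds in ms: upper end of the recommended ranges in the table above
# (an assumption for this example; a real site picks its own value).
SLO_P95_MS = {"dot1x_auth": 5000, "roam": 150}
# SOAR actions per breached SLO, drawn from the actions named above (illustrative mapping).
ACTIONS = {"dot1x_auth": ("open_ticket",), "roam": ("open_ticket", "rf_retune")}

# Constructed telemetry lines (invented format, not real switch or controller output).
SAMPLE_LOG = """\
2024-05-01T08:00:01Z bldg=A kind=dot1x_auth ms=1200
2024-05-01T08:00:02Z bldg=A kind=dot1x_auth ms=900
2024-05-01T08:00:03Z bldg=A kind=dot1x_auth ms=3100
2024-05-01T08:00:04Z bldg=A kind=dot1x_auth ms=1500
2024-05-01T08:00:05Z bldg=A kind=roam ms=40
2024-05-01T08:00:06Z bldg=A kind=roam ms=95
2024-05-01T08:00:07Z bldg=A kind=roam ms=120
2024-05-01T08:00:08Z bldg=B kind=dot1x_auth ms=1100
2024-05-01T08:00:09Z bldg=B kind=dot1x_auth ms=7400
2024-05-01T08:00:10Z bldg=B kind=dot1x_auth ms=6800
2024-05-01T08:00:11Z bldg=B kind=dot1x_auth ms=1300
2024-05-01T08:00:12Z bldg=B kind=roam ms=60
2024-05-01T08:00:13Z bldg=B kind=roam ms=410
2024-05-01T08:00:14Z bldg=B kind=roam ms=80
2024-05-01T08:00:15Z bldg=B kind=dot1x_auth ms=bogus
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) bldg=(?P<bldg>\S+) kind=(?P<kind>\S+) ms=(?P<ms>\d+)$")

def parse_events(text: str) -> Tuple[List[Tuple[str, str, int]], int]:
    """Return (events, unparsed_count); malformed lines count against evidence completeness."""
    events, bad = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            bad += 1
            continue
        events.append((m["bldg"], m["kind"], int(m["ms"])))
    return events, bad

def p95(values: List[int]) -> int:
    """Nearest-rank 95th percentile: the value at rank ceil(0.95 * n)."""
    s = sorted(values)
    return s[max(0, math.ceil(0.95 * len(s)) - 1)]

def evaluate_slos(text: str) -> Dict:
    events, bad = parse_events(text)
    samples = defaultdict(list)
    for bldg, kind, ms in events:
        if kind in SLO_P95_MS:
            samples[(bldg, kind)].append(ms)
    breaches = []
    for (bldg, kind), vals in sorted(samples.items()):
        observed = p95(vals)
        if observed > SLO_P95_MS[kind]:
            breaches.append({"bldg": bldg, "kind": kind, "p95_ms": observed,
                             "target_ms": SLO_P95_MS[kind], "actions": ACTIONS[kind]})
    total = len(events) + bad
    completeness = len(events) / total if total else 1.0
    return {"breaches": breaches, "evidence_completeness": completeness, "unparsed": bad}

if __name__ == "__main__":
    report = evaluate_slos(SAMPLE_LOG)
    for b in report["breaches"]:
        print(f"{b['bldg']} {b['kind']}: p95 {b['p95_ms']} ms > {b['target_ms']} ms -> {b['actions']}")
    print(f"evidence completeness: {report['evidence_completeness']:.1%}")
```

In the constructed data, building B breaches both the 802.1X and the roam SLO while A stays within range, and the one malformed line drops completeness below the 100% evidence target, which is itself a finding worth a ticket.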
🔒 Security (Zero-Trust at the Edge)
- 802.1X everywhere (wired & wireless); IPv6 RA Guard, DHCP snooping/DHCPv6 Guard, and Dynamic ARP Inspection (DAI) on access ports, with only uplinks marked trusted; MACsec on sensitive uplinks. → Encryption
- Per-App Access via ZTNA/SASE; campus policy blocks lateral movement. → ZTNA • SASE
- Microsegmentation for workloads and crown-jewel systems. → Microsegmentation
- Keys/Secrets from vault; short-lived tokens; no plaintext in configs. → Secrets Management • Key Management / HSM
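An added configuration-audit example (not SolveForce's or any vendor's tool) that checks an access switch configuration for the edge controls in the first bullet. The configuration text is constructed in Cisco IOS-style syntax, which is an assumption since the page names no vendor, and the required-command baseline is one this example defines rather than a published standard.

```python
"""Audit an access-switch config for 802.1X, DHCP snooping, DAI, RA Guard and BPDU Guard.

Added example for this page. The config is constructed in Cisco IOS-style syntax
(assumed; the page names no vendor) and the baseline is this example's own.
"""
import re
from typing import Dict, List, Set, Tuple

SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10
ipv6 nd raguard policy HOST
 device-role host
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 authentication port-control auto
 dot1x pae authenticator
 ipv6 nd raguard attach-policy HOST
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
 spanning-tree portfast
!
interface TenGigabitEthernet1/1/1
 description uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
"""

# Baseline enforced by this example (an assumption derived from the bullet above).
ACCESS_REQUIRED = {
    "802.1X not enforced": "authentication port-control auto",
    "dot1x authenticator role missing": "dot1x pae authenticator",
    "RA Guard policy not attached": "ipv6 nd raguard attach-policy",
    "BPDU Guard missing": "spanning-tree bpduguard enable",
}
TRUNK_REQUIRED = {
    "uplink not trusted for DHCP snooping": "ip dhcp snooping trust",
    "uplink not trusted for DAI": "ip arp inspection trust",
}

def parse_config(text: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Split into global lines and {interface name: [stripped child lines]}."""
    glob, ifaces, cur = [], {}, None
    for raw in text.splitlines():
        if raw.startswith("interface "):
            cur = raw.split(" ", 1)[1]
            ifaces[cur] = []
        elif raw.startswith(" ") and cur is not None:
            ifaces[cur].append(raw.strip())
        else:
            cur = None
            if raw.strip() and raw != "!":
                glob.append(raw.strip())
    return glob, ifaces

def vlan_set(spec: str) -> Set[int]:
    """Expand '10,20-22' into {10, 20, 21, 22}."""
    out: Set[int] = set()
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(text: str) -> List[Tuple[str, str]]:
    """Return (scope, finding) pairs; an empty list means the baseline is met."""
    glob, ifaces = parse_config(text)
    findings: List[Tuple[str, str]] = []
    if "ip dhcp snooping" not in glob:
        findings.append(("global", "DHCP snooping disabled"))
    snooped: Set[int] = set()
    dai: Set[int] = set()
    for line in glob:
        m = re.match(r"ip dhcp snooping vlan (\S+)", line)
        if m:
            snooped |= vlan_set(m.group(1))
        m = re.match(r"ip arp inspection vlan (\S+)", line)
        if m:
            dai |= vlan_set(m.group(1))
    for name, lines in ifaces.items():
        if "switchport mode access" in lines:
            for msg, cmd in ACCESS_REQUIRED.items():
                if not any(l.startswith(cmd) for l in lines):
                    findings.append((name, msg))
            for l in lines:
                m = re.match(r"switchport access vlan (\d+)", l)
                if m:
                    v = int(m.group(1))
                    if v not in snooped:
                        findings.append((name, f"VLAN {v} not DHCP-snooped"))
                    if v not in dai:
                        findings.append((name, f"VLAN {v} without DAI"))
        elif "switchport mode trunk" in lines:
            for msg, cmd in TRUNK_REQUIRED.items():
                if cmd not in lines:
                    findings.append((name, msg))
    return findings

if __name__ == "__main__":
    for scope, msg in audit(SAMPLE_CONFIG):
        print(f"{scope}: {msg}")
```

Run against the constructed config, the audit passes the hardened port and the trusted uplink and flags only GigabitEthernet1/0/2, which has no 802.1X, no RA Guard, no BPDU Guard, and sits in a VLAN that DHCP snooping covers but DAI does not. The same parser can be pointed at a config backup on every change to keep the "802.1X everywhere" claim verifiable rather than assumed.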
📊 Observability & NOC
- Wired: interface/PoE, EAP states, errors, QoS queues, link events.
- Wi-Fi: SNR, airtime, retries, client load, roam metrics; DHCP/DNS timings.
- Security: NAC decisions (accept/reject, posture result, assigned VLAN/SGT), RA Guard/DHCP snooping/DAI drops, segmentation denies, ZTNA attach times.
Dashboards, alarms, and monthly reports; escalation runbooks. → NOC Services • Circuit Monitoring
💵 Commercials (What Drives Cost)
- Building count & distances, fiber laterals/conduits, switch/port & PoE counts, Wi-Fi density, NAC/AAA licensing, cabling & UPS.
- Managed vs co-managed support, software subscriptions, maintenance windows.
🛠️ Implementation Blueprint (No-Surprise Rollout)
1) Survey & goals — users/devices per building, density, voice/IoT/OT needs, compliance.
2) Fiber & topology — SMF ring/spur design, diverse entrances, distribution/core architecture.
3) Address & VLAN plan — per-building/zone scheme; IPAM updates.
4) Identity & posture — 802.1X EAP-TLS, device certs, NAC policy; guest/contractor flows.
5) Wi-Fi RF — heatmaps, AP placement, channel/power plans; 6 GHz where supported.
6) Segmentation — VLAN/VRF/SGT map; microseg intents; default-deny.
7) Services — DHCP/DNS/NTP/AAA; log export parsers; SIEM dashboards.
8) Pilot & rings — one building/floor → campus; staged changes with rollback.
9) Operate & drill — quarterly RF tune-ups, failover tests, NAC reviews; publish RCAs.
✅ Pre-Engagement Checklist
- 🗺️ Campus map, building list, IDF/MDF locations, existing fiber routes.
- 👥 Headcount/devices & concurrency by space type (classroom, lab, clinic, office, warehouse).
- 🔐 Identity model (SSO/MFA), certificate plan, NAC posture gates.
- 🧩 VLAN/VRF/SGT map; voice/IoT/OT requirements; microseg intents.
- 📶 RF constraints (walls/DFS), 6 GHz eligibility, roaming goals.
- ⚡ PoE budgets, UPS runtimes, generator presence.
- 🌐 Uplinks to MAN/WAN/colo/cloud; DNS & Anycast strategy.
- 📊 SIEM/NOC destinations; SLO targets; escalation contacts; change windows.
🔄 Where CAN Fits (Recursive View)
1) Grammar — campus fabric in Networks & Data Centers & Connectivity.
2) Syntax — feeds Cloud and metro hubs via routed cores.
3) Semantics — Cybersecurity enforces identity, posture, segmentation.
4) Pragmatics — SolveForce AI predicts congestion/coverage and auto-tunes policy.
5) Foundation — consistent terms via Primacy of Language.
6) Map — indexed in the SolveForce Codex & Knowledge Hub.