Role-based networks (RBNs) give Area Technology Officers new tools to organize and manage endpoint and server devices on the WSU network while managing firewall rules and DNS records. RBNs can be created for the VPN, wired, and wireless networks. Example uses include granting access to secure services based on user identity, ensuring your customers are always in the same network no matter where they work from, or to achieve regulatory compliance.

What is Role-Based Networking?

Role-based networks are small networks that are built to serve a specific function or set of users, as compared to large, general-purpose building networks. Role-based networks are helpful to simplify firewall Access Control Lists (ACLs), manage customer devices, and in some cases, to segment network traffic.

What types of Role-Based Networks are currently available?

  • Role-Based VPN services (available 6/10/2020)
  • Role-Based wired networks (available 9/1/2020)
  • Role-Based wireless networks (available 7/1/2021)

What is a Role-Based network service?

Role-based network service creates a small network that only your customers land in.

For VPN and wireless role-based service, access is managed by an AD security group within your Business Unit’s OU that controls which of your customers can access your services. Once users are added to your security group for your role-based network, the user will obtain an IP address in your role-based network.

For wired role-based service, access is controlled at the jack level. Only jacks designed by you are moved to the new VLAN.

What are the technical details for the Role-Based network services?

  • /22’s, which support up to 1000 concurrent customers (Wireless only)
  • /23’s, which support up to 500 concurrent customers (Wireless only)
  • /24’s, which support up to 250 concurrent customers (VPN, Wired, and Wireless)
  • /25’s, which support up to 120 concurrent customers (VPN, Wired, and Wireless)
  • /26’s, which support up to 60 concurrent customers (VPN, Wired, and Wireless)

Each role-based network will be in private IP space and will have a dedicated NAT IP. The private client IP will be within your role-based network, and outbound traffic will NAT using your dedicated IP address.

Role-based networks utilize DHCP. DHCP reservations can be made for wired and wireless clients only. Access can be delegated to the unit to manage the role-based network IP space allocated to the unit.

DHCP reservations are not available for the role-based VPN service.

What are the current restrictions on Role-Based network services?

We are currently limiting role-based network service to requests that segment users along high-level organizational boundaries (i.e., Area and Department) or to support those users and systems subject to external audit requirements. Once these initial needs are met, we will expand the service to support more granular networks.

Additionally, if ITS runs low on available networks, ITS reserves the right to re-assign networks whose 12-month rolling average usage of IP addresses drops below 25%.

Finally, ITS will never resize a role-based network. If a new network size is needed, ITS will allocate a new network.

How do I submit a request for a Role-Based network service?

To request a role-based VPN service, complete the Role Based Network Request form with the following information:

  • The Canonical Name (CN) of the security group in your OU that you wish to use to manage authorized users of your role-based network (VPN and wireless only)
  • The size of the network you are requesting
  • The name of the Business Unit or audit control group that is being served by the network (e.g., College of Business or Office of Research PCI Users)

What do I need to be aware of when using the role-based network service?

Firewall rules that allow your customers access to services will need to be updated to reflect the new range of IP addresses.


Distributed IT, Central ITS, and Staff.