Campus VLAN Segmentation - By OS?

Posted by Moduspwnens on Server Fault
Published on 2011-06-09T00:00:12Z Indexed on 2012/07/07 15:18 UTC

We've been thinking through re-arranging our network and VLAN configuration. Here's the situation.

We already have our servers, VoIP phones, and printers on their own VLANs, but our problem lies with end user devices. There are just too many to lump on the same VLAN without being hammered with broadcasts! Our current segmentation strategy has them split into VLANs like this:

  • Student iPads
  • Staff iPads
  • Student MacBooks
  • Staff MacBooks
  • Gaming devices
  • Staff (Other)
  • Student (Other)

*Note that our network has many more iPads and MacBooks than most.

Since the primary reason we're splitting them is just to put them in smaller groups, this has been working for us (for the most part). However, this required our staff to maintain access control lists (MAC addresses) of all devices belonging in these groups. It also has the unfortunate side effect of illogically grouping broadcast traffic. For example, using this setup, students on opposite ends of campus using iPads will share broadcasts, but two devices belonging to the same user (in the same room) will likely be on completely separate VLANs.

I feel like there must be a better way of doing this.

I've done a lot of research and I'm having trouble finding instances of this kind of segmentation being recommended. The feedback on the most relevant SO question seems to point toward VLAN segmentation by building/physical location. I feel like that makes sense because logically, at least among miscellaneous end users, broadcasts will typically be intended for nearby devices.

  • Are there other campuses/large-scale networks out there segmenting VLANs based on end-system OS?
  • Is this a typical configuration?
  • Would VLAN segmentation based on physical location (or some other criteria) be more effective?

EDIT: I've been told that we will soon be able to dynamically determine device OS without maintaining access lists, although I'm not sure how much that affects the answers to the questions.
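To make the trade-off in the question concrete, here is an added script (not from the original post or any of its answers) that scores three VLAN assignment policies on a constructed campus inventory: the largest broadcast domain each policy produces, and how often a user's own devices end up in the same VLAN. The device tuples, the `os`/`role`/`building` attributes and the policy names are assumptions for illustration.

```python
"""Compare VLAN assignment policies on a constructed campus inventory.

Added example, not part of the original question. The inventory is
constructed; 'role', 'os' and 'building' are assumed attributes that an
asset database or device fingerprinting could supply.
"""
from collections import Counter
from itertools import combinations

# Constructed sample inventory: (owner, role, os, building)
DEVICES = [
    ("alice", "staff", "macbook", "north"),
    ("alice", "staff", "ipad", "north"),
    ("bob", "student", "ipad", "north"),
    ("bob", "student", "macbook", "north"),
    ("carol", "student", "ipad", "south"),
    ("carol", "student", "other", "south"),
    ("dave", "staff", "macbook", "south"),
    ("dave", "staff", "ipad", "south"),
    ("erin", "student", "ipad", "east"),
    ("frank", "staff", "other", "east"),
]

# Assignment policies: each maps a device tuple to a VLAN name.
POLICIES = {
    "by_os_and_role": lambda d: f"{d[1]}-{d[2]}",        # scheme described in the question
    "by_building": lambda d: d[3],                       # location-based scheme
    "by_building_and_role": lambda d: f"{d[3]}-{d[1]}",  # location plus staff/student split
}

def evaluate(policy, devices=DEVICES):
    """Return (largest broadcast domain, fraction of same-owner device pairs
    that share a VLAN) for one assignment policy."""
    vlans = [policy(d) for d in devices]
    largest = max(Counter(vlans).values())
    same_owner = [(i, j) for i, j in combinations(range(len(devices)), 2)
                  if devices[i][0] == devices[j][0]]
    together = sum(1 for i, j in same_owner if vlans[i] == vlans[j])
    return largest, together / len(same_owner)

def compare(devices=DEVICES):
    """Score every policy; smaller domains and a higher co-location fraction are better."""
    return {name: evaluate(p, devices) for name, p in POLICIES.items()}

if __name__ == "__main__":
    for name, (largest, frac) in compare().items():
        print(f"{name:22s} largest domain={largest:2d}  same-owner pairs together={frac:.0%}")
```

On this inventory the OS-based scheme never keeps a user's own devices together, while the building-based schemes always do; splitting by building and role keeps domains smallest without that drawback.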

© Server Fault or respective owner
