VLAN Configuration Recommendations

Hello Fellow experts,
I am the LAN Administrator for a Central School District (all in one physical building) and I am considering implementing VLANs in my network. Putting the VLANs in won't be a problem, as I'm relatively savvy in this respect, and yes, I have the adequate hardware: Layer 2 switches throughout, with Layer 3 at the top of the closets. My question is how you all would recommend segmenting or "organizing" the VLANs. I have thought about doing it based upon which wiring closet they are attached to, while providing separate VLANs for the servers and network printers. But I am curious to know your suggestions/recommendations.

Here are the end devices:

Each computer must connect to SERVER 1 for NAT and SERVER 2 for MAIL and DNS

55 Networked Laser Printers all managed by SERVER 3

Elementary School

75 Student Computers
25 Faculty Computers

Middle School

250 Student Computers
150 Faculty Computers

High School

250 Student Computers
150 Faculty Computers
Asked by: Jandakel2
naveedb commented:
What is the purpose of implementing VLANs? Security, Ease of Administration, Issues with Broadcasts?
Jandakel2 (author) commented:
The purpose is to create a whole bunch of needless work for myself, just for the heck of it.
naveedb commented:
Do you have a routing/trunking device so the VLANs will be able to communicate with each other? Assuming you have a router, you can:

Create one VLAN each for Elementary, Middle and High School Students with /24

One VLAN for Faculty Computers with /22

Keep all the servers on a separate VLAN, including management of routers/switches.

Use the router for communication among VLANs, with ACLs in place for traffic/bandwidth control.
pseudocyber commented:
First of all, I would recommend doing it with an eye toward 802.11x (port-based authentication), so you can get to the point where you can identify a device as faculty or student. I would create faculty VLANs, student VLANs, a printer VLAN, a server VLAN, and a network management VLAN.

I don't know your network designer expertise level, so please don't be offended if I come off as condescending.

Design downward - you would want your entire network to be addressable behind one network IP. In this case, I've chosen 192.168.0.0/20 for the heck of it.

This can give you 8 networks of 510 hosts each.

They are (I'm cheating and using SolarWinds' excellent IP Subnet Calculator):

IP Address       : 192.168.0.0
Address Class    : Classless /20
Network Address  : 192.168.0.0

Subnet Address   : 192.168.0.0
Subnet Mask      : 255.255.254.0
Subnet bit mask  : nnnnnnnn.nnnnnnnn.nnnnsssh.hhhhhhhh
Subnet Bits      : 23
Host Bits        : 9
Possible Number of Subnets : 8
Hosts per Subnet : 510

Subnet         Mask             Subnet Size   Host Range                       Broadcast
192.168.0.0    255.255.254.0    510           192.168.0.1  to 192.168.1.254    192.168.1.255
192.168.2.0    255.255.254.0    510           192.168.2.1  to 192.168.3.254    192.168.3.255
192.168.4.0    255.255.254.0    510           192.168.4.1  to 192.168.5.254    192.168.5.255
192.168.6.0    255.255.254.0    510           192.168.6.1  to 192.168.7.254    192.168.7.255
192.168.8.0    255.255.254.0    510           192.168.8.1  to 192.168.9.254    192.168.9.255
192.168.10.0   255.255.254.0    510           192.168.10.1 to 192.168.11.254   192.168.11.255
192.168.12.0   255.255.254.0    510           192.168.12.1 to 192.168.13.254   192.168.13.255
192.168.14.0   255.255.254.0    510           192.168.14.1 to 192.168.15.254   192.168.15.255

I would further subnet the first network 192.168.0.0/23 into:

IP Address       : 192.168.0.0
Address Class    : Classless /23
Network Address  : 192.168.0.0

Subnet Address   : 192.168.0.0
Subnet Mask      : 255.255.255.128
Subnet bit mask  : nnnnnnnn.nnnnnnnn.nnnnnnns.shhhhhhh
Subnet Bits      : 25
Host Bits        : 7
Possible Number of Subnets : 4
Hosts per Subnet : 126

Subnet          Mask               Subnet Size   Host Range                        Broadcast
192.168.0.0     255.255.255.128    126           192.168.0.1   to 192.168.0.126    192.168.0.127
192.168.0.128   255.255.255.128    126           192.168.0.129 to 192.168.0.254    192.168.0.255
192.168.1.0     255.255.255.128    126           192.168.1.1   to 192.168.1.126    192.168.1.127
192.168.1.128   255.255.255.128    126           192.168.1.129 to 192.168.1.254    192.168.1.255

Just for grins, I would reserve the first network 192.168.0.0/25.

The second network is the MANAGEMENT network - 192.168.0.128/25. All network devices are going to get VLAN tags, and the IPs used to manage the switches, routers, etc. will be in the 192.168.0.128/25 network. This is for security - I will explain more later.

192.168.1.0/25 is for servers.  You could break this down further and have 62 servers internally, and 62 in a DMZ, or whatever.

192.168.1.128/25 is for printers. You have a LITTLE room for expansion here, but not much (but you're holding 128 IPs at the bottom, which you could further subnet to give you more to play with if you need them).

Now, you've got 6 nets for your schools - 3 faculty and 3 student. I would put all 6 in different VLANs. Savvy students don't need to be able to pick on the elementary kids (or vice versa). Elementary School teachers don't need access to the High School teacher VLAN. I've made them large, so changes in student and faculty populations shouldn't be a problem.

VLAN 1     Default         don't use
VLAN 100   192.168.1.128   Network Management
VLAN 2     192.168.1.0     Servers
VLAN 3     192.168.1.128   Printers
VLAN 4     192.168.4.0     Student Elem.
VLAN 6     192.168.6.0     Student Mid.
VLAN 8     192.168.8.0     Student High
VLAN 10    192.168.10.0    Faculty Elem.
VLAN 12    192.168.12.0    Faculty Mid.
VLAN 14    192.168.14.0    Faculty High

Now, with different VLANs for different people, you can implement some security.

For instance:
- No one should be able to access the network management VLAN except for you, from a very specific IP address; access from student nets should be impossible.
- Access from student nets to servers should be highly restricted - for instance, only DNS and SMTP to the mail server.
- Access to the Internet from student nets can easily be restricted with the SINGLE IP of 192.168.4.0/21 (255.255.248.0), because this encompasses addresses from .0.1 to .7.254.
- Access to the Internet and student nets from faculty nets can easily be restricted and/or monitored with the SINGLE IP of 192.168.8.0/21 (255.255.248.0), because this encompasses addresses from .8.1 to .15.254.

This is how I would do it.

Do you have port authentication? If so, then you could drop anyone into the appropriate VLAN based on your port auth (802.11x) infrastructure.

Hope this helps.
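To make the arithmetic in the design above checkable, here is an added Python example; it is not code from the post, from SolarWinds, or from any switch vendor. It carves the 192.168.0.0/20 into the eight /23s and four /25s listed, maps the post's VLAN ids to their subnets, computes the smallest prefix set (with Cisco-style wildcard masks) an ACL needs to match the student or faculty VLANs exactly, and reports what else a single summary prefix would match. The /21 that spans .0.1 to .7.254 is used for that last check. The function names, the `SITE` constant and the `uncovered` helper are my own; the VLAN ids and subnets are the post's.

```python
import ipaddress

# Address plan from the post: one /20 carved into eight /23 blocks, with the
# first /23 split again into four /25s (reserved, management, servers, printers).
SITE = ipaddress.ip_network("192.168.0.0/20")


def carve_plan(site=SITE):
    """Return the eight /23 blocks and the four /25 blocks inside the first one."""
    blocks = list(site.subnets(new_prefix=23))
    infra = list(blocks[0].subnets(new_prefix=25))
    return blocks, infra


def vlan_map(site=SITE):
    """VLAN id -> (role, subnet), using the ids and subnets assigned in the post."""
    blocks, infra = carve_plan(site)
    return {
        100: ("Network Management", infra[1]),   # 192.168.0.128/25
        2:   ("Servers",            infra[2]),   # 192.168.1.0/25
        3:   ("Printers",           infra[3]),   # 192.168.1.128/25
        4:   ("Student Elem",       blocks[2]),  # 192.168.4.0/23
        6:   ("Student Mid",        blocks[3]),  # 192.168.6.0/23
        8:   ("Student High",       blocks[4]),  # 192.168.8.0/23
        10:  ("Faculty Elem",       blocks[5]),  # 192.168.10.0/23
        12:  ("Faculty Mid",        blocks[6]),  # 192.168.12.0/23
        14:  ("Faculty High",       blocks[7]),  # 192.168.14.0/23
    }


def group(vm, role_prefix):
    """Subnets of every VLAN whose role starts with role_prefix ('Student', 'Faculty')."""
    return [net for role, net in vm.values() if role.startswith(role_prefix)]


def summarize(networks):
    """Smallest set of prefixes covering exactly these networks (for a route or ACL)."""
    return list(ipaddress.collapse_addresses(networks))


def acl_entries(networks):
    """(network, wildcard mask) pairs, the form a Cisco-style ACL line takes."""
    return [(str(n.network_address), str(n.hostmask)) for n in summarize(networks)]


def uncovered(prefix, networks):
    """Address space inside prefix that belongs to none of networks, i.e. what an
    ACL written against that single prefix would match beyond the intended VLANs."""
    pieces = [prefix]
    for net in networks:
        remaining = []
        for piece in pieces:
            if net == piece or piece.subnet_of(net):
                continue                      # piece is entirely intended traffic
            if net.subnet_of(piece):
                remaining.extend(piece.address_exclude(net))
            else:
                remaining.append(piece)
        pieces = remaining
    return summarize(pieces)


if __name__ == "__main__":
    vm = vlan_map()
    for vid, (role, net) in sorted(vm.items()):
        print(f"VLAN {vid:>3}  {str(net):<17} {net.num_addresses - 2:>3} hosts  {role}")
    for role in ("Student", "Faculty"):
        print(role, "ACL entries:", acl_entries(group(vm, role)))
    span = ipaddress.ip_network("192.168.0.0/21")
    print("matched by", span, "beyond the student VLANs:",
          [str(n) for n in uncovered(span, group(vm, "Student"))])
```

Running it lists each VLAN with its usable host count (510 for the /23s, 126 for the /25s), then the exact prefixes for each group: the three student /23s collapse to 192.168.4.0/22 plus 192.168.8.0/23, and the three faculty /23s to 192.168.10.0/23 plus 192.168.12.0/22, so each group needs two ACL lines rather than one. The last line shows the space a single /21 would match in addition to the student VLANs, which is the check to run before relying on one summary prefix to separate students from the management, server and printer subnets.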
ECNSSMT commented:
If you have a 6509 all loaded with 48-port switch modules, life is easy.
If you have 1900s, 2900s, 3550s switches all interconnected with routers... well, it may not be so easy.

The biggest thing may be to segregate the faculty from the students. This may be the most effective use of the VLAN, as faculty may not all be housed in one area and, depending on changes, faculty may be moved every so often. Depending on things, dynamic VLANs may be more appropriate than static port-based VLANs. You may want to subdivide faculty too, depending on the security you may want between these groups (maybe you don't want teachers to view student medical records, so you separate them by VLAN and subnetwork).

The student body could be divided by classroom, floors, etc. This will help keep all of the traffic separate; no need for a print job to go everywhere. You may also want to set the servers on their own VLAN and subnet.

One rule of thumb that we use: we associate the VLAN number with the subnetwork. Makes life easy for us. E.g. teachers are on VLAN 3, so they are also on subnet 10.1.3.0/24.

Classroom 104 is on VLAN 104, which is on subnet 10.1.104.0.

Regards,
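The convention in this answer (VLAN n lives on 10.1.n.0/24) is easy to state and easy to drift from as VLANs get added over the years. As an added example, not code from the post, here is a small Python audit that derives the expected subnet from a VLAN id and flags entries that break the convention, leave VLAN 1 in service, or overlap another VLAN's address space. The plan it runs over is constructed for the example, and the 10.1.0.0/16 base, the function names and the problem wording are my own assumptions.

```python
import ipaddress

# Convention from the post: VLAN n is on 10.1.n.0/24, so the VLAN id can be read
# straight off a host's address. The /16 base is assumed for this example.
BASE = ipaddress.ip_network("10.1.0.0/16")

# Constructed plan for the example: two entries follow the convention, one leaves
# the default VLAN in service, one has drifted, and one overlaps another VLAN.
PLAN = {
    1:   "10.1.1.0/24",
    3:   "10.1.3.0/24",     # teachers, as in the post
    104: "10.1.104.0/24",   # classroom 104, as in the post
    105: "10.1.150.0/24",   # drifted from the convention
    200: "10.1.3.128/25",   # overlaps the teacher subnet
}


def subnet_for_vlan(vlan_id, base=BASE):
    """Subnet the convention assigns to a VLAN: third octet equals the VLAN id."""
    if not 2 <= vlan_id <= 255:   # VLAN 1 stays unused; a /16 has only 256 /24 slots
        raise ValueError(f"VLAN {vlan_id} cannot be mapped onto a third octet of {base}")
    return ipaddress.ip_network(f"{base.network_address + vlan_id * 256}/24")


def audit_plan(plan, base=BASE):
    """Return (vlan_id, problem) pairs: convention violations first, then overlaps."""
    problems = []
    items = [(vid, ipaddress.ip_network(net)) for vid, net in plan.items()]
    for vid, net in items:
        if vid == 1:
            problems.append((vid, "VLAN 1 (default) should not carry user traffic"))
        elif vid > 255:
            problems.append((vid, "id too large for one /24 per VLAN inside a /16"))
        elif not net.subnet_of(base):
            problems.append((vid, f"{net} lies outside {base}"))
        elif net != subnet_for_vlan(vid, base):
            problems.append((vid, f"{net} does not match convention {subnet_for_vlan(vid, base)}"))
    for i, (vid_a, net_a) in enumerate(items):
        for vid_b, net_b in items[i + 1:]:
            if net_a.overlaps(net_b):
                problems.append((vid_a, f"overlaps VLAN {vid_b} ({net_a} vs {net_b})"))
    return problems


if __name__ == "__main__":
    for vid, problem in audit_plan(PLAN):
        print(f"VLAN {vid:>3}: {problem}")
```

Feed it the VLAN/SVI list exported from the core switch instead of `PLAN` and an empty result means the convention still holds; each reported pair names the VLAN to fix and why.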
pseudocyber commented:
Jeff,

What did you think about my VLAN design?  Did this help?  Have any more questions?

- PC
Jandakel2 (author) commented:
Pseudo, I greatly appreciate the time and effort you put into your post. It will help me immensely in my next endeavor, should I decide to go that route (I'm still weighing the sacrifice of time vs. gained "productivity"). Pseudo, could you do me a favor and take a look at this post: http://www.experts-exchange.com/Networking/Q_21823153.html#16513567 I have been looking at ways to integrate a branch office, and I would be curious to know what your input is on this endeavor. Thanks for all your help,

JK