Solved

vlan setup for a medium size school

Posted on 2010-09-21
Last Modified: 2012-05-10
I'm planning to segment a school network. It is one big broadcast domain. The network has about 250 PCs, 50 laptops, 30 Macs, 15 networked printers and 7 servers. Currently we are on gigabit Ethernet connections using a layer 3 switch and several layer 2 switches.

We hope to go wireless in the near future as well.

The task/challenge for me is to segment the network to create a secure network making full use of the layer 3 switch and also increase the efficiency of the network by eliminating excess and unnecessary traffic.

Currently there are about 800 students and 80 staff who are users. We use Active Directory to authenticate users who want to access resources on the network.

The current topology is similar to the attached picture, with a class B address of 172.16.x.x /23.

Any help would be much appreciated

Thanks
Dae


Network-Diagram.jpg
Question by: Daeraligh

6 Comments

Accepted Solution by: Nothing_Changed (earned 300 total points)
In general, ensure that you create enough VLANs/subnets so nothing is on a subnet larger than a /24 (255.255.255.0). Separate VLANs by physical area and/or function. In a school, I would strongly suggest separating student areas from teacher areas from office/admin areas. I'm not sure what your firewall is or how much capacity it has, but a best practice would be to firewall off the student areas from the office/staff areas and firewall everything off from the internet. Each firewall interface and even each layer 3 interface is a potential enforcement point.

Don't skimp on VLANs, they don't cost you anything including performance, as long as your gear is scaled to route/switch at line rate (not that anything you are likely to have will run anywhere near line rate for more than a few milliseconds). Troubleshooting is far easier when you can pin an offending IP address down to the server farm, or the east user closet, etc., rather than 'well it's in the user area somewhere, let's hunt through every switch ARP table looking for it'.

Physical security is the first and most critical step in any security plan. Make sure students do not have access to network devices, or to ports that are not 'student-safe'. Don't trust 802.1q tagging as a security boundary. Some people will say it's ok, it specifically is not ok. It's very easy to push traffic across using Q-in-Q tagging, students will figure it out, and get anywhere they want to. I strongly suggest (when time & budget permit it) adding a separate firewall to provide a security boundary between any possible student access (including wireless) and the business side of the network such as teacher work areas or office/admin areas. "Bad kid" and "curious experimental kid" are indistinguishable when your network crashes, or the internal web pages are all plastered with pr0n :)


Microsoft AD servers are painful to readdress. It's supposed to work, but there's always nagging problems cropping up. Forever. Choose your servers as the devices to leave on the existing network space. Change the mask, leave the addresses & gateway the same. Make sure to update all of the site/segment definitions in every one of your servers.

IDF=Intermediate Distribution Frame, or data closet where a group of users are patched that uplinks to the MDF (main distribution frame) or computer room.

I've attached a sample drawing that should be extensible for any single or small multi site network like this.
General-Netowrk-Design.pdf
Author Comment by: Daeraligh
Thanks for the information. That is most helpful.

With VLAN, the current addressing scheme will have to change to account for the different subnets. This will mean breaking down the broadcast address space into different subnets using VLSM.

I want to account for future expansion and may require more VLANs in the future. Currently the mask is a 255.255.252.0 which accounts for a total of 1024 addresses. Sorry about stating the wrong mask in my earlier question.

We only have less than 500 components at the moment so there are plenty of addresses to go around. However with VLANs, there are blocks of addresses that will be taken depending on VLSM and I may need more than what I currently have to account for future expansion. I'm thinking of using a mask of 255.255.248 which will give me plenty of addresses. Will this be OK?

The other question relates to our phone system. These have been integrated in to the switched network that we currently have. Do I treat them similarly to components such as PCs? Shall I put them on a separate vlan?

Thanks again.
Author Comment by: Daeraligh
Thank you so much Nothing_Changed for your helpful advice. I really want to achieve the best possible VLAN implementation with what I currently have, so a good plan has to be in place before I go into configuration mode.

I have been told that if there is a good plan then implementation should follow well. So here is what I have in mind. Any helpful comments or advice are most welcome.

Components

Layer 3 switch is an Allied Telesis x900 gigabit switch. It uses Cisco-like commands and so that is helpful.

Layer 2 switches are 8000GS switches. All the ports are gigabit ports and they use Cisco-like command lines to configure.

All cables are either gigabit fibre link or gigabit copper cables.

Plan

VLANs

vlan 10 Servers, IP addresses in subnet 172.16.1.0/24
vlan 20 Staff, IP address range 172.16.2.0/24
vlan 30 Office, IP address range 172.16.3.0/24
vlan 40 Students, IP address range 172.16.4.0/24
vlan 50 Device Management, range 172.16.5.0/27
vlan 60 Voice, IP address range 172.16.6.0/24
vlan 70 Wireless, IP address range 172.16.7.0/24

Is this fine for an addressing scheme?

I had thought of a VLSM scheme, where I can be exact with my numbers. Will this be a better pathway to go down, considering that I already have a lot of address space within my flat network and I can apply VLSM to 172.16.x.x/22?

Any advice most welcome.

Thanks

Assisted Solution by: Nothing_Changed
To keep everything as simple as possible, I'd suggest not using a /24 mask for everything. There won't be any advantage to you in making a bunch of different mask sizes, and you can use any addressing in the RFC1918 space anywhere you like (http://www.ietf.org/rfc/rfc1918.txt). Like I said, VLANs are free :) The one exception would be WAN links on any point-to-point, frame, or MPLS last mile interconnects; there, use the smallest mask possible, /30 is common.

So in general, your VLAN/IP scheme looks fine, just make 'em all /24. Based on the environment you described, it seems unlikely that you'll ever need more addresses than you can provision even staying within the 172.16.0.0-172.31.255.255 space with /24 masks.

And yes, your VoIP/phone gear should get its own VLAN. With a Cisco or Juniper I know I can config a port to talk to the phones and automagically detect that it's a VoIP device and drop it on the right VLAN, but with the Allied stuff and whatever phone system you're on I'm not sure. The upside to switches being able to put VoIP traffic into one VLAN and user data into another is that you can provision fewer drops to each location and save a little $. But again, in your environment I'd strongly suggest keeping it as simple and straightforward as possible, so trunk the necessary VLANs to each edge switch, and manually put ports into the data or VoIP VLANs as appropriate. I use different colored inserts on the wall jacks, blue is data, white is voice, but that's just my preference. As long as you are consistent it's never hard to tell even the most unsophisticated user where their phone patches in vs where their PC patches in. I even color code their cables so the cable matches the jacks. Simple keeps your nights & weekends free, heh.
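A quick sanity check of the VLAN/IP plan posted above against the advice in this answer (make every VLAN a /24, stay inside one RFC1918 block). This is an added example written for this thread, not code from either poster; the plan table is constructed from the posted list, and the function names are my own.

```python
import ipaddress
# VLAN/IP plan as posted in the thread (a constructed table, not the
# page's own code); VLAN 50 is the only entry narrower than a /24.
PLAN = {
    10: ("Servers", "172.16.1.0/24"),
    20: ("Staff", "172.16.2.0/24"),
    30: ("Office", "172.16.3.0/24"),
    40: ("Students", "172.16.4.0/24"),
    50: ("Device Management", "172.16.5.0/27"),
    60: ("Voice", "172.16.6.0/24"),
    70: ("Wireless", "172.16.7.0/24"),
}

def find_overlaps(plan):
    """Pairs of VLAN ids whose subnets collide (should be empty)."""
    nets = [(vid, ipaddress.ip_network(cidr)) for vid, (_, cidr) in plan.items()]
    return [(a_id, b_id) for i, (a_id, a) in enumerate(nets)
            for b_id, b in nets[i + 1:] if a.overlaps(b)]

def outside_block(plan, block):
    """VLAN ids whose subnet does not fit inside the given summary block."""
    blk = ipaddress.ip_network(block)
    return [vid for vid, (_, cidr) in plan.items()
            if not ipaddress.ip_network(cidr).subnet_of(blk)]

def summary_block(plan):
    """Smallest single prefix covering every VLAN subnet (the mask the old flat block must grow to)."""
    nets = [ipaddress.ip_network(cidr) for _, cidr in plan.values()]
    lo = min(n.network_address for n in nets)
    hi = max(n.broadcast_address for n in nets)
    cand = ipaddress.ip_network(f"{lo}/32")
    while hi not in cand:  # widen one bit at a time until the top address fits
        cand = cand.supernet()
    return cand

def make_all_24(plan):
    """Apply the answer's advice: every VLAN gets a /24, keeping each
    VLAN's network address so nothing else has to move."""
    out = {}
    for vid, (name, cidr) in plan.items():
        net = ipaddress.ip_network(cidr)
        wide = ipaddress.ip_network(f"{net.network_address}/24", strict=False)
        out[vid] = (name, str(wide))
    return out

def usable_hosts(plan):
    """Usable host addresses per VLAN (network and broadcast excluded)."""
    return {vid: ipaddress.ip_network(cidr).num_addresses - 2
            for vid, (_, cidr) in plan.items()}
```

Running it shows the posted plan has no overlaps, that VLANs 40 to 70 fall outside the current 172.16.0.0/22 block, and that 172.16.0.0/21 (255.255.248.0) is the smallest single block that holds all of them.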
Author Comment by: Daeraligh
Thanks, this is most helpful. It brings clarity and confirms what I plan to do.

The voice setup is integrated into the switched network as well. With VLANs, I'm assuming that I will have to allocate selected ports on my switches for voice. Is that right? Currently, if someone wants their extension moved to another location, then I can patch it easily to a port that is convenient to them.

BTW: Yes, the coloured insert for voice on the switches are and data is blue :)

I haven't done any configurations for voice but I'm assuming that the commands will be similar to Cisco, so I will probably ask questions relating to it later.

Thanks again for your help.

Author Closing Comment by: Daeraligh
Solutions given by Nothing_Changed were complete in their own right, however they are part of a solution to a work-in-progress project.