VLAN setup for a medium-size school

I'm planning to segment a school network. It is one big broadcast domain. The network has about 250 PCs, 50 laptops, 30 Macs, 15 networked printers and 7 servers. Currently we are on gigabit Ethernet connections using a layer 3 switch and several layer 2 switches.

We hope to go wireless in the near future as well.

The task/challenge for me is to segment the network to create a secure network making full use of the layer 3 switch and also increase the efficiency of the network by eliminating excess and unnecessary traffic.

Currently there are about 800 students and 80 staff who are users. We use Active Directory to authenticate users who want to access resources on the network.

The current topology is similar to the attached picture, with a class B address of 172.16.x.x/23.

Any help would be much appreciated


Nothing_Changed Commented:
In general, ensure that you create enough VLANs/subnets so nothing is on a subnet larger than a /24. Separate VLANs by physical area and/or function. In a school, I would strongly suggest separating student areas from teacher areas from office/admin areas. I'm not sure what your firewall is or how much capacity it has, but a best practice would be to firewall off the student areas from the office/staff areas and firewall everything off from the internet. Each firewall interface and even each layer 3 interface is a potential enforcement point.

Don't skimp on VLANs, they don't cost you anything including performance, as long as your gear is scaled to route/switch at line rate (not that anything you are likely to have will run anywhere near line rate for more than a few milliseconds). Troubleshooting is far easier when you can pin an offending IP address down to the server farm, or the east user closet, etc., rather than 'well it's in the user area somewhere, let's hunt through every switch ARP table looking for it'.

Physical security is the first and most critical step in any security plan. Make sure students do not have access to network devices, or to ports that are not 'student-safe'. Don't trust 802.1q tagging as a security boundary. Some people will say it's ok, it specifically is not ok. It's very easy to push traffic across using Q-in-Q tagging, students will figure it out, and get anywhere they want to. I strongly suggest (when time & budget permits it) to add a separate firewall to provide a security boundary between any possible student access (including wireless) and the business side of the network such as teacher work areas or office/admin areas. "Bad kid" and "curious experimental kid" are indistinguishable when your network crashes, or the internal web pages are all plastered with pr0n :)

Microsoft AD servers are painful to readdress. It's supposed to work, but there's always nagging problems cropping up. Forever. Choose your servers as the devices to leave on the existing network space. Change the mask, leave the addresses & gateway the same. Make sure to update all of the site/segment definitions in every one of your servers.

IDF=Intermediate Distribution Frame, or data closet where a group of users are patched that uplinks to the MDF (main distribution frame) or computer room.

I've attached a sample drawing that should be extensible for any single or small multi site network like this.
Daeraligh (Author) Commented:
Thanks for the information. That is most helpful.

With VLAN, the current addressing scheme will have to change to account for the different subnets. This will mean breaking down the broadcast address space into different subnets using VLSM.

I want to account for future expansion and may require more VLANs in the future. Currently the mask is a which accounts for a total of 1024 addresses. Sorry about stating the wrong mask in my earlier question.

We only have less than 500 components at the moment, so there are plenty of addresses to go around. However, with VLANs there are blocks of addresses that will be taken depending on VLSM, and I may need more than what I currently have to account for future expansion. I'm thinking of using a mask of 255.255.248 which will give me plenty of addresses. Will this be OK?

The other question relates to our phone system. These have been integrated into the switched network that we currently have. Do I treat them similarly to components such as PCs? Shall I put them on a separate VLAN?

Thanks again.
Daeraligh (Author) Commented:
Thank you so much Nothing_Changed for your helpful advice. I really want to achieve the best possible VLAN implementation with what I currently have, so a good plan has to be in place before I go into configuration mode.

I have been told that if there is a good plan then implementation should follow well. So here is what I have in mind. Any helpful comments or advice is most welcome.


Layer 3 switch is an Allied Telesis x900 gigabit switch. It uses Cisco-like commands and so that is helpful.

Layer 2 switches are 8000GS switches. All the ports are gigabit ports and they use Cisco-like command lines to configure.

All cables are either gigabit fibre link or gigabit copper cables.



VLAN 10 Servers, say, will have IP addresses in subnet
VLAN 20 Staff, IP address range
VLAN 30 Office, IP address range
VLAN 40 Students, IP address range
VLAN 50 Device Management, range
VLAN 60 Voice, IP address range
VLAN 70 Wireless, IP address range

Is this fine for an addressing scheme?

I had thought of a VLSM scheme, where I can be exact with my numbers. Will this be a better pathway to go down, considering that I already have a lot of address space within my flat network and I can apply VLSM to 172.16.x.x/22?

Any advice most welcome.



Nothing_Changed Commented:
To keep everything as simple as possible, I'd suggest not using a /24 mask for everything. There won't be any advantage to you in making a bunch of different mask sizes, and you can use any addressing in the RFC1918 space anywhere you like (http://www.ietf.org/rfc/rfc1918.txt). Like I said, VLANs are free :) The one exception would be WAN links on any point-to-point, frame, or MPLS last-mile interconnects; then use the smallest mask possible, /30 is common.

So in general, your VLAN/IP scheme looks fine, just make 'em all /24. Based on the environment you described, it seems unlikely that you'll ever need more addresses than you can provision even staying within the space with /24 masks.

And yes, your VoIP/phone gear should get its own VLAN. With a Cisco or Juniper I know I can config a port to talk to the phones and automagically detect that it's a VoIP device and drop it on the right VLAN, but with the Allied stuff and whatever phone system you're on I'm not sure. The upside to switches being able to put VoIP traffic into one VLAN and user data into another is that you can provision fewer drops to each location and save a little $. But again, in your environment I'd strongly suggest to keep it as simple and straightforward as possible, so trunk the necessary VLANs to each edge switch, and manually put ports into the data or VoIP VLANs as appropriate. I use different colored inserts on the wall jacks, blue is data, white is voice, but that's just my preference. As long as you are consistent it's never hard to tell even the most unsophisticated user where their phone patches in vs where their PC patches in. I even color code their cables so the cable matches the jacks. Simple keeps your nights & weekends free, heh.
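As an added example (not from the thread or either poster), a Python check of the addressing plan listed above using the uniform-/24 advice: it carves one /24 per VLAN out of a parent block, reports how many VLANs a given parent can hold (a /22 fits four, a /21 fits eight), and assigns the first host of each subnet as the layer 3 switch gateway, which is an assumed convention rather than something the thread states.

```python
import ipaddress
import math

# VLAN IDs and names as listed in the question; addresses are constructed here.
VLAN_PLAN = [
    (10, "Servers"),
    (20, "Staff"),
    (30, "Office"),
    (40, "Students"),
    (50, "Device Management"),
    (60, "Voice"),
    (70, "Wireless"),
]


def allocate(parent, vlans, prefix=24):
    """Carve one /prefix subnet per VLAN out of `parent`, in list order.

    Returns {vlan_id: (name, network, gateway)} or raises ValueError when
    the parent block is too small for one uniform /prefix subnet per VLAN.
    """
    parent = ipaddress.ip_network(parent, strict=True)
    if prefix < parent.prefixlen:
        raise ValueError("per-VLAN prefix cannot be shorter than the parent")
    blocks = list(parent.subnets(new_prefix=prefix))
    if len(vlans) > len(blocks):
        raise ValueError(
            f"{parent} holds only {len(blocks)} /{prefix} subnets, need {len(vlans)}"
        )
    plan = {}
    for (vid, name), net in zip(vlans, blocks):
        # Assumed convention: first usable host is the L3 switch interface (gateway).
        gateway = net.network_address + 1
        plan[vid] = (name, net, gateway)
    return plan


def fits(parent, vlans, prefix=24):
    """True when `parent` can hold one /prefix subnet for every VLAN."""
    try:
        allocate(parent, vlans, prefix)
        return True
    except ValueError:
        return False


def no_subnet_larger_than(plan, largest=24):
    """The first answer's rule: nothing on a subnet larger than a /24."""
    return all(net.prefixlen >= largest for _, net, _ in plan.values())


def smallest_parent_prefix(vlan_count, prefix=24):
    """Shortest parent prefix length that fits `vlan_count` /prefix subnets."""
    return prefix - math.ceil(math.log2(vlan_count))
```

Running `allocate("172.16.0.0/21", VLAN_PLAN)` gives VLAN 40 (Students) 172.16.3.0/24 with gateway 172.16.3.1, and `fits("172.16.0.0/22", VLAN_PLAN)` is False because seven /24s need at least a /21.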
Daeraligh (Author) Commented:
Thanks, this is most helpful. It brings clarity and confirms what I plan to do.

The voice setup is integrated into the switched network as well. With VLANs, I'm assuming that I will have to allocate selected ports on my switches for voice. Is that right? Currently, if someone wants their extension moved to another location, then I can patch it easily to a port that is convenient to them.

BTW: Yes the coloured insert for voice on the switches are and data is blue:)

I haven't done any configurations for voice, but I'm assuming that the commands will be similar to Cisco, so I will probably ask questions relating to it later.

Thanks again for your help.

Daeraligh (Author) Commented:
Solutions given by Nothing_Changed were complete in their own right, however they are part of a solution to a work-in-progress project.