I'll give you two answers on this ... one from the LA/RBC point of view and the other from an independently minded school.
Firstly, there are so many reasons why you should use an RBC based addressing system, including the fact that an RBC is a WAN ... and dirty great big one, but a WAN nonetheless. The idea is to ensure that schools within and LA and within a region have the best possible connectivity to each other as well as the best possible connectivity to the National Education Network.
QoS and Cos are set up with each RBC and across JANET and the NEN ... if a school starts closing itself off then it makes life more difficult for everyone involved, especially when it comes to ensuring all services are viable. To make best use of the available services and to ensure teh best levels of security sticking by the set guidelines is best.
JISC and JANET have a number of papers about all of this and they are easily obtainable.
There are a number of examples of good practice for the use of supernetting and VLANs if required, but NAT should not really be used within a small institute (anything around /19 or below should be considered small according to a JANET session circa 2004)
And now from a different viewpoint.
Why the heck should I be dictated to? I don't want to spend weeks (or months) waiting for additional ranges, only to find they are not concurrent, I have to make further changes internally and then have to jump through hoops to get the right access to the outside world for them.
Why can't I just put my own firewall in? At tleast that way if a DoS attack is being launched from my school it is likely to get caught by my kit and not affect the rest of the RBC? Does it really matter that you can't track which specific machine is making a request to the internet or to a service? I'm sure I could do it instead.
Both fairly good arguements ... and with valid points ... but the idea of being in an RBC is agreeing to the rules that they set. There is nothing wrong with challenging those rules and coming up with your own ideas but there are times you have to accept that it will limit you instead.
I have my own firewall and NAT. All traffic goes out via the WAN face of that device and so has that IP address ... apart from a few boxes that have one-to-one NAT setup (internet facing servers such as web servers, proxy / cache, etc).
The limitations include a difficulty with LA based Video Conferencing, knowing that when it is available after the present changes I will not be able to do LAN logins that are hooked into the Regional IDP ... so no federation of services ... and not forgetting the whole "you are not a standard network build so it will take longing to work out where your problems are" thing. I accept this at the moment.
So ... what is best for your school? Damned if I know ... I just know what is best for mine ... at the moment ... and that will change over the next 3 years.
I'll tell you something else ... these splinters from sitting on the fence ... they don't half hurt!
I think the idea of an *enforced* RBC wan is a complete farce. I go for the second viewpoint.
We are already severly restriced, I would even say hampered by the services offered by the RBC. Getting unintentional traffic from someone elses lan is beyond unreasonable.
I have a range, I use exactly 1 ip in it, our firewall. Actually I use 7 as it manages multiple forwarding ips comming in from the "real" internet.
We also have no QoS options available. Mail service is a joke, cost is far too high these days, ntp server often stops working and filtering is from the stone age. I've also had 2 1/2 days (concurrent) down time already this year.
You will have to excuse me if I think RBC are a bad idea, but if you used segfl you would think so too!
And finally, whats the point of virus scanning an attachment if YOU ARE GOING TO DELETE IT ANYWAY! (these options are helpfully unchangeable and set on a RBC level)
It's just that certain ranges were excluded from Internet use by RFC1597 in 1994.
These are sometimes refered to as "Non-Routable" but effectively this just means "Private".
Most of the National Grid for Learning already operates on Private "non-routable" addresses.
These are all inter connected some via a Metro VPN arrangement allowing the LEA's to manage/control connectivity between the various schools and the internet under their jurisdiction.
Most of the Broadband Consortiums follow the guidelines that were origionally set up far too many years ago by JANET, BT and oh yes, two guys from RM.
Each school was initially allocated just 2 subnets, 255 addresses for Admin and another 255 for the Curriculum as this was all that was ever envisaged they would need!
The subnets needed to be able to route between each other if desired and allow the LEA to route easily between the other schools connected to their Metro VPN.
Effectively, a fully routable network but using private address ranges.
Fortunately, the planners did have the savvy to group them so that each school could if need be have 4 Subnets for Curriculum and 2 for Admin.
Now even these are under stress.
With so many schools requiring bigger and bigger networks we now have site admins establishing IP networks independently of the LEA guidelines that end up performing NAT behind NAT which only complicates an already difficult to manage system.
Your perspective (Interele) it seems is, as many people think, that beyond your edge device is the internet, a public IP either directly assigned to your firewall or mapped by forwarding or VLAN when in fact, you may be several hops or more downstream of a public facing internet address.
In London as the LGFL spans dozens of LEA's via the Synetrix system they call it Virtual Firewalling, carried out at L2/3, whereas in Herts there is the additional ability to route at L4.
Therefore dependent on where you work the simplest task of getting a port redirected will take several applications written in blood, followed by a seven week period of fasting and possibly resulting in you having to sleep with the firewall administrators gay cousin!
To the thread starter,
Changing your internal subnet mask will not help you as you would also need to modify the gateway devices settings in order to route your packets correctly. This device is not under your management but that of your broadband consortium.
Mess with your internal subnet masking without prior approval from your LEA or RBC, may result in your Internet connection being suspended until the changes are corrected and a severe bollocking from the LEA's MIS department.
Yes it sucks! But rules is rules and anarchy is not an option.
Last edited by m25man; 3rd February 2008 at 10:59 PM. Reason: Typo
sidewinder (5th February 2008)
One thing that I would like people to remember is that there is a lot of presumption that all schools have staff, and that those staff are happy setting up their own firewalls, getting NAT going, configuring QoS and CoS within their own network ...
We are forgetting about the schools with no tech support other than someone shared a day or so a week, who may not have time or resources to do more bespoke work, or schools with just crap support.
Each of these are likely to mean a school would get a better service by sticking to the guidelines.
Yes i agree with this and for those schools the RBC "way of doing things" does come in handy for them. I still think for larger schools with higher skill set technicians and NMs there should be some flexibility in regards to this. The difficulties that arises is that when a schools runs out of the allocated ranges and they want to extend the range. If RBCs are playing their cards right then they should have a plan for this so this scenario is covered and a step-by-step guide is provided to school who's been re-allocated a new range of extended their range. This will allow the school's tech team/dept. to implement the changes as quickly as possible and with mimimal distruption.
I still don't like the RBC/LEA want to see right down to the school's workstation level, i personally don't see any reason for this except the firewall/filtering, which can be handled at the school permiter.
IP control down to the desktop is one of those things that some like and others don't. Once you start getting into federation between school, the Regional IDP (ie the RBC) and 3rd party companies ... then you need it down to client level ... that is the way the whole federated access management is configured to be most efficient and most cost effective.
That is the other problem with all this ... whilst it might only be a bit of extra work for you considering your own setup ... if a raft of schools all have something different then this can put an extra burden on the LA / RBC support provider ... and all we then get is a lot of moaning about x doesn't work and y is too costly.
Roll on April!
Putting it simply ... it is the end goal of the NEN to have a school log into a client machine and that login will then give seamless access to a heap of resources out on the NEN or those purchased by LAs / RBCs ... with no need for additional authentication. This includes you, as a school, giving access to other schools to resources or information.
Initially this is aimed at LA or RBC level, but eventually it will grow and a user from Somerset (with the right access) will be able to get resources hosted in Lancashire.
Whilst people might wonder about the point of this ... just think of the collaboration that could go one ... the sharing of resources and saving of time and money.
There are other benefits too ... and there is a nice presentation about it all on the 'Net somewhere ... I'll poke google and try and find it again.
Yeah itrs a great idea, in theory. Just a shame no sooner had the network been opened then busy bodies came in with their extensive training (CCNA course) and put firewalls with rediculasly restrictive rules in every nock and cranny of the network. Also they seem to go out of their way to purchase services which arnt on the network.
Great in theory but as of yet theres no realy benifit over a standard bussiness broadband connection, or atleast in the north east.
Thats so unreal world talk!Whilst people might wonder about the point of this ... just think of the collaboration that could go one ... the sharing of resources and saving of time and money.
Our (and I suspect many other) RBCs won't even let its own users from accessing our own resources from outside of each school never mind someone from another RBC.
Geoff went to great lengths with port reflectors and other stuff from Star Trek ( ) to try to support his primary schools and that's within our own network.
Most of the secondaries around here implement their own firewalls to stop others from getting at their resources and consider it madness not to do so.
...back off to cage [/rant]
Wow, this is a much more interesting thread than I thought it would be when I opened it! Learnt a fair bit about why RBC's have things set up the way they do.
I agree for smaller schools it is probably better to use their assigned IP range, especially if they havent got any IT staff, and mainly because 255 addresses will be plenty for them.
But for a school like us, we're assigned 255 and we have 800 computers, 80 printers, 30 odd switches, 50 access points + various other devices which need IP addresses. So even if we were given a larger range we could still struggle, because to give us a bit of headroom we would need 5x the addresses we currently have, and I cant see that being given to us.
We run an ISA server and we have total freedom on what IP ranges we can use, and never have to worry about running out. Plus we have the benefit of having some control of what goes in and out of our network.
Downsides are that when new things are introduced on the WAN, everyone expects them to just 'work', which they would if the we did things the 'proper' way...but it normally requires a bit of testing.
Also, as someone said, private address ranges are used on the WAN, and we have had a few small problems - one I can remember is that a Citrix server that someone was trying to connect to had the same IP as one of our printers...
And of course, because they know we have an ISA server and arent really happy about it, whenever we enquire about problems with the internet they always say its just our internal problem until other schools start to phone up
Positives outweigh the negatives for me though
There are currently 1 users browsing this thread. (0 members and 1 guests)