Thread: Subnet Mask (Technical forum), page 2 of 2, posts 16 to 29
  1. #16 GrumbleDook
    I'll give you two answers on this ... one from the LA/RBC point of view and the other from an independently minded school.

    Firstly, there are so many reasons why you should use an RBC based addressing system, including the fact that an RBC is a WAN ... a dirty great big one, but a WAN nonetheless. The idea is to ensure that schools within an LA and within a region have the best possible connectivity to each other as well as the best possible connectivity to the National Education Network.

    QoS and CoS are set up with each RBC and across JANET and the NEN ... if a school starts closing itself off then it makes life more difficult for everyone involved, especially when it comes to ensuring all services are viable. To make best use of the available services and to ensure the best levels of security, sticking by the set guidelines is best.

    JISC and JANET have a number of papers about all of this and they are easily obtainable.

    There are a number of examples of good practice for the use of supernetting and VLANs if required, but NAT should not really be used within a small institute (anything around /19 or below should be considered small according to a JANET session circa 2004).

    ---------

    And now from a different viewpoint.

    Why the heck should I be dictated to? I don't want to spend weeks (or months) waiting for additional ranges, only to find they are not concurrent, I have to make further changes internally and then have to jump through hoops to get the right access to the outside world for them.

    Why can't I just put my own firewall in? At least that way if a DoS attack is being launched from my school it is likely to get caught by my kit and not affect the rest of the RBC? Does it really matter that you can't track which specific machine is making a request to the internet or to a service? I'm sure I could do it instead.

    --------

    Both fairly good arguments ... and with valid points ... but the idea of being in an RBC is agreeing to the rules that they set. There is nothing wrong with challenging those rules and coming up with your own ideas but there are times you have to accept that it will limit you instead.

    I have my own firewall and NAT. All traffic goes out via the WAN face of that device and so has that IP address ... apart from a few boxes that have one-to-one NAT setup (internet facing servers such as web servers, proxy / cache, etc).

    The limitations include a difficulty with LA based Video Conferencing, knowing that when it is available after the present changes I will not be able to do LAN logins that are hooked into the Regional IDP ... so no federation of services ... and not forgetting the whole "you are not a standard network build so it will take longer to work out where your problems are" thing. I accept this at the moment.

    So ... what is best for your school? Damned if I know ... I just know what is best for mine ... at the moment ... and that will change over the next 3 years.

    I'll tell you something else ... these splinters from sitting on the fence ... they don't half hurt!

  2. #17 tech_guy
    Quote Originally Posted by TeddyKGB View Post
    at the start of term, our printers are spewing out crap from other schools. Turns out they hadn't updated their little spreadsheet for a while and had given us someone else's range!!

    Hmmmm, tempting to use this little 'feature' on the day I leave.............

  3. #18 DMcCoy
    I think the idea of an *enforced* RBC wan is a complete farce. I go for the second viewpoint.

    We are already severely restricted, I would even say hampered, by the services offered by the RBC. Getting unintentional traffic from someone else's LAN is beyond unreasonable.

    I have a range, I use exactly 1 IP in it, our firewall. Actually I use 7 as it manages multiple forwarding IPs coming in from the "real" internet.

    We also have no QoS options available. Mail service is a joke, cost is far too high these days, the NTP server often stops working and filtering is from the stone age. I've also had 2 1/2 days (concurrent) down time already this year.

    You will have to excuse me if I think RBC are a bad idea, but if you used segfl you would think so too!

    And finally, what's the point of virus scanning an attachment if YOU ARE GOING TO DELETE IT ANYWAY! (these options are helpfully unchangeable and set on a RBC level)

  4. #19 m25man
    Quote Originally Posted by interele View Post
    You should be using non routable IP addresses
    that way the school down the road could be using exactly
    the same addresses and it wouldn't matter. Your LEA/Council
    would then map your internal default gateway to external ones
    via their firewall ( the same way your broadband works at home but
    just on a bigger scale )
    Sorry Interele to contradict, but all IP addresses are in fact routable.
    It's just that certain ranges were excluded from Internet use by RFC1597 in 1994.
    These are sometimes referred to as "Non-Routable" but effectively this just means "Private".

    Most of the National Grid for Learning already operates on Private "non-routable" addresses.

    These are all interconnected, some via a Metro VPN arrangement, allowing the LEAs to manage/control connectivity between the various schools and the internet under their jurisdiction.

    Most of the Broadband Consortiums follow the guidelines that were originally set up far too many years ago by JANET, BT and oh yes, two guys from RM.

    Each school was initially allocated just 2 subnets, 255 addresses for Admin and another 255 for the Curriculum as this was all that was ever envisaged they would need!
    The subnets needed to be able to route between each other if desired and allow the LEA to route easily between the other schools connected to their Metro VPN.
    Effectively, a fully routable network but using private address ranges.

    Fortunately, the planners did have the savvy to group them so that each school could if need be have 4 Subnets for Curriculum and 2 for Admin.

    Now even these are under stress.

    With so many schools requiring bigger and bigger networks we now have site admins establishing IP networks independently of the LEA guidelines that end up performing NAT behind NAT which only complicates an already difficult to manage system.

    Your perspective (Interele) it seems is, as many people think, that beyond your edge device is the internet, a public IP either directly assigned to your firewall or mapped by forwarding or VLAN when in fact, you may be several hops or more downstream of a public facing internet address.

    In London, as the LGFL spans dozens of LEAs via the Synetrix system, they call it Virtual Firewalling, carried out at L2/3, whereas in Herts there is the additional ability to route at L4.

    Therefore, dependent on where you work, the simplest task of getting a port redirected will take several applications written in blood, followed by a seven week period of fasting and possibly resulting in you having to sleep with the firewall administrator's gay cousin!

    To the thread starter,
    Changing your internal subnet mask will not help you as you would also need to modify the gateway devices settings in order to route your packets correctly. This device is not under your management but that of your broadband consortium.
    Messing with your internal subnet masking without prior approval from your LEA or RBC may result in your Internet connection being suspended until the changes are corrected and a severe bollocking from the LEA's MIS department.

    Yes it sucks! But rules is rules and anarchy is not an option.
    Last edited by m25man; 3rd February 2008 at 10:59 PM. Reason: Typo

  6. #20 GrumbleDook
    One thing that I would like people to remember is that there is a lot of presumption that all schools have staff, and that those staff are happy setting up their own firewalls, getting NAT going, configuring QoS and CoS within their own network ...

    We are forgetting about the schools with no tech support other than someone shared a day or so a week, who may not have time or resources to do more bespoke work, or schools with just crap support.
    Each of these are likely to mean a school would get a better service by sticking to the guidelines.

  7. #21 laserblazer
    Quote Originally Posted by m25man View Post
    To the thread starter,
    Changing your internal subnet mask will not help you as you would also need to modify the gateway devices settings in order to route your packets correctly. This device is not under your management but that of your broadband consortium.
    Messing with your internal subnet masking without prior approval from your LEA or RBC may result in your Internet connection being suspended until the changes are corrected and a severe bollocking from the LEA's MIS department.

    Yes it sucks! But rules is rules and anarchy is not an option.
    The gateway is 255.255.252.0; it was just that nobody told me when it was installed, so we stuck with 255.255.255.0 until the admin server was replaced and that was changed to 252.0. So I can't see any problem with putting the curriculum subnet to 254.0; it will simply give me a smaller range within the range. Or would I be best changing that to 252.0 and be done with it?

  8. #22 ashok

    Less skill set

    Quote Originally Posted by GrumbleDook View Post
    One thing that I would like people to remember is that there is a lot of presumption that all schools have staff, and that those staff are happy setting up their own firewalls, getting NAT going, configuring QoS and CoS within their own network ...

    We are forgetting about the schools with no tech support other than someone shared a day or so a week, who may not have time or resources to do more bespoke work, or schools with just crap support.
    Each of these are likely to mean a school would get a better service by sticking to the guidelines.
    Hi Tony,

    Yes, I agree with this and for those schools the RBC "way of doing things" does come in handy for them. I still think for larger schools with higher skill set technicians and NMs there should be some flexibility in regards to this. The difficulty that arises is when a school runs out of the allocated ranges and they want to extend the range. If RBCs are playing their cards right then they should have a plan for this so this scenario is covered and a step-by-step guide is provided to a school who has been re-allocated a new range or extended their range. This will allow the school's tech team/dept. to implement the changes as quickly as possible and with minimal disruption.

    I still don't like the RBC/LEA wanting to see right down to the school's workstation level; I personally don't see any reason for this except the firewall/filtering, which can be handled at the school perimeter.

    Ash.

  9. #23 SYNACK
    Quote Originally Posted by laserblazer View Post
    The gateway is 255.255.252.0; it was just that nobody told me when it was installed, so we stuck with 255.255.255.0 until the admin server was replaced and that was changed to 252.0. So I can't see any problem with putting the curriculum subnet to 254.0; it will simply give me a smaller range within the range. Or would I be best changing that to 252.0 and be done with it?
    Unless you plan to split up the network further internally to lower broadcast traffic then I suggest that you just set it up to be able to use all of your available addresses. That way if you get lots more stuff that is IP enabled you won't need to go through the expansion process again.
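    A worked example of the mask question in the exchange above, added here and not written by anyone in the thread. The /22 allocation 10.0.4.0/22 and the host addresses are constructed (the thread gives only the masks); the code shows how many addresses each of the three masks yields, which destinations a host treats as on-link under each mask, and why a curriculum PC left on 255.255.255.0 while the admin server moves to 255.255.252.0 produces one-way-direct, one-way-via-gateway traffic.

```python
import ipaddress

# Constructed example allocation: a /22, i.e. the 255.255.252.0 mask the
# gateway uses in the thread. 10.0.4.0/22 is an assumption, not a real range.
ALLOCATION = ipaddress.IPv4Network("10.0.4.0/22")
GATEWAY = ipaddress.IPv4Address("10.0.4.1")

# The three masks discussed: whole allocation, half of it, a quarter of it.
MASKS = {"252.0": "255.255.252.0", "254.0": "255.255.254.0", "255.0": "255.255.255.0"}

# The RFC 1597 private blocks m25man refers to (later restated by RFC 1918).
RFC1597_BLOCKS = [ipaddress.IPv4Network(b)
                  for b in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def usable_hosts(mask: str) -> int:
    """Host addresses in one subnet with this mask, less network and broadcast."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").num_addresses - 2


def subnet_seen_by(host: str, mask: str) -> ipaddress.IPv4Network:
    """The network a host believes it is on, given its own address and mask."""
    return ipaddress.IPv4Interface(f"{host}/{mask}").network


def on_link(host: str, mask: str, dst: str) -> bool:
    """True if 'host' (configured with 'mask') would ARP for dst directly
    instead of handing the packet to its default gateway."""
    return ipaddress.IPv4Address(dst) in subnet_seen_by(host, mask)


def reachability(a: tuple, b: tuple) -> dict:
    """How two hosts, each given as (ip, mask), reach each other.
    A mismatch in the two flags is the classic 'works one way, times out
    the other way unless the gateway helps' symptom of mixed masks."""
    a_ip, a_mask = a
    b_ip, b_mask = b
    return {"a_to_b_direct": on_link(a_ip, a_mask, b_ip),
            "b_to_a_direct": on_link(b_ip, b_mask, a_ip)}


def is_rfc1597_private(cidr: str) -> bool:
    """True if the given CIDR lies wholly inside one of the RFC 1597 blocks."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    return any(net.subnet_of(block) for block in RFC1597_BLOCKS)


if __name__ == "__main__":
    for short, mask in MASKS.items():
        print(f"{short:>5} ({mask}): {usable_hosts(mask)} usable hosts")
    # Constructed hosts: a curriculum PC still on /24, an admin server on /22.
    pc = ("10.0.5.10", MASKS["255.0"])
    admin = ("10.0.6.20", MASKS["252.0"])
    print("PC thinks it is on", subnet_seen_by(*pc))
    print("Admin thinks it is on", subnet_seen_by(*admin))
    print("PC -> admin / admin -> PC:", reachability(pc, admin))
    print("Allocation is RFC1597 private:", is_rfc1597_private(str(ALLOCATION)))
```

    The PC on /24 sends to the admin server via the gateway while the server answers the PC directly, so the conversation only works if the gateway is willing to forward within the /22; putting every host on 252.0, as SYNACK suggests, removes that dependency.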

  10. #24 GrumbleDook
    Quote Originally Posted by ashok View Post
    Hi Tony,

    Yes, I agree with this and for those schools the RBC "way of doing things" does come in handy for them. I still think for larger schools with higher skill set technicians and NMs there should be some flexibility in regards to this. The difficulty that arises is when a school runs out of the allocated ranges and they want to extend the range. If RBCs are playing their cards right then they should have a plan for this so this scenario is covered and a step-by-step guide is provided to a school who has been re-allocated a new range or extended their range. This will allow the school's tech team/dept. to implement the changes as quickly as possible and with minimal disruption.

    I still don't like the RBC/LEA wanting to see right down to the school's workstation level; I personally don't see any reason for this except the firewall/filtering, which can be handled at the school perimeter.

    Ash.
    The procedure for requesting additional ranges was actually written some time ago, but has only just started to be put into practice. It will be clear how it fits in after the end of March once the new Standard Network Build documentation is out (or sooner hopefully).

    IP control down to the desktop is one of those things that some like and others don't. Once you start getting into federation between school, the Regional IDP (ie the RBC) and 3rd party companies ... then you need it down to client level ... that is the way the whole federated access management is configured to be most efficient and most cost effective.

    That is the other problem with all this ... whilst it might only be a bit of extra work for you considering your own setup ... if a raft of schools all have something different then this can put an extra burden on the LA / RBC support provider ... and all we then get is a lot of moaning about x doesn't work and y is too costly.

    Roll on April!

  11. #25 torledo
    Quote Originally Posted by GrumbleDook View Post
    The procedure for requesting additional ranges was actually written some time ago, but has only just started to be put into practice. It will be clear how it fits in after the end of March once the new Standard Network Build documentation is out (or sooner hopefully).

    IP control down to the desktop is one of those things that some like and others don't. Once you start getting into federation between school, the Regional IDP (ie the RBC) and 3rd party companies ... then you need it down to client level ... that is the way the whole federated access management is configured to be most efficient and most cost effective.

    That is the other problem with all this ... whilst it might only be a bit of extra work for you considering your own setup ... if a raft of schools all have something different then this can put an extra burden on the LA / RBC support provider ... and all we then get is a lot of moaning about x doesn't work and y is too costly.

    Roll on April!
    Tony

    Could you explain what you mean by federation between schools, and give examples of how this is used or needed.

  12. #26 GrumbleDook
    Putting it simply ... it is the end goal of the NEN to have a school log into a client machine and that login will then give seamless access to a heap of resources out on the NEN or those purchased by LAs / RBCs ... with no need for additional authentication. This includes you, as a school, giving access to other schools to resources or information.

    Initially this is aimed at LA or RBC level, but eventually it will grow and a user from Somerset (with the right access) will be able to get resources hosted in Lancashire.

    Whilst people might wonder about the point of this ... just think of the collaboration that could go on ... the sharing of resources and saving of time and money.

    There are other benefits too ... and there is a nice presentation about it all on the 'Net somewhere ... I'll poke Google and try and find it again.

  13. #27
    Quote Originally Posted by GrumbleDook View Post
    Whilst people might wonder about the point of this ... just think of the collaboration that could go on ... the sharing of resources and saving of time and money.

    Yeah, it's a great idea, in theory. Just a shame no sooner had the network been opened than busybodies came in with their extensive training (CCNA course) and put firewalls with ridiculously restrictive rules in every nook and cranny of the network. Also they seem to go out of their way to purchase services which aren't on the network.

    Great in theory but as of yet there's no real benefit over a standard business broadband connection, or at least in the north east.

  14. #28 SimpleSi
    Quote Originally Posted by GrumbleDook View Post
    Whilst people might wonder about the point of this ... just think of the collaboration that could go on ... the sharing of resources and saving of time and money.
    That's so unreal world talk!

    Our (and I suspect many other) RBCs won't even let their own users access our own resources from outside of each school, never mind someone from another RBC.

    Geoff went to great lengths with port reflectors and other stuff from Star Trek to try to support his primary schools and that's within our own network.

    Most of the secondaries around here implement their own firewalls to stop others from getting at their resources and consider it madness not to do so.

    ...back off to cage [/rant]

    regards

    Simon

  15. #29
    Wow, this is a much more interesting thread than I thought it would be when I opened it! Learnt a fair bit about why RBCs have things set up the way they do.

    I agree for smaller schools it is probably better to use their assigned IP range, especially if they haven't got any IT staff, and mainly because 255 addresses will be plenty for them.

    But for a school like us, we're assigned 255 and we have 800 computers, 80 printers, 30-odd switches, 50 access points + various other devices which need IP addresses. So even if we were given a larger range we could still struggle, because to give us a bit of headroom we would need 5x the addresses we currently have, and I can't see that being given to us.

    We run an ISA server and we have total freedom on what IP ranges we can use, and never have to worry about running out. Plus we have the benefit of having some control of what goes in and out of our network.

    Downsides are that when new things are introduced on the WAN, everyone expects them to just 'work', which they would if we did things the 'proper' way ... but it normally requires a bit of testing.
    Also, as someone said, private address ranges are used on the WAN, and we have had a few small problems; one I can remember is that a Citrix server that someone was trying to connect to had the same IP as one of our printers...
    And of course, because they know we have an ISA server and aren't really happy about it, whenever we enquire about problems with the internet they always say it's just our internal problem until other schools start to phone up.

    Positives outweigh the negatives for me though
