What VALN's

[ozydave]

Hi

We have a flat network at the moment and just replaced all out switches for Procurve, core is 5406zl
I have a little knowledge of VLANs, I just after opinions as to what to put in each vlan
Students and staff are obvious choices.
Other VLAN I thought about are printers, CCTV.
Would servers be best on own vlan?
We have 5 Wireless AP, suppose they could be in own vlan. We also have three new laptop trolleys (not my idea). These at some point would be plugged into the network port in the classrooms which would mean they are in the teacher VLAN. I assume routing would take care of this.

Any offers for what you have??

[localzuk]

Our structure is done by location, and function. So we have VLAN's for our servers, our admin department, one for each ICT suite, one for Wifi, one for our phone system and a 'general' one for everything else.

I was kind of restricted as to what I could do by the number of IP's available to us at the time.

The point with vlans isn't to think about what you could seperate off - it is to think why you want to segment things. My thinking was down the lines of:

1. I want to provide a guarenteed route for the phone system, I want wifi to be able to be separated off nicely, and I wanted each classroom to be on its own so multicasting a room of machines wouldn't drown the entire network - just that suite.

The advantages of segmentation come as a bonus with the above thinking.

Regarding plugging things in - if you used mac based port authentication for the majority of your ports, the devices would automatically be assigned to their designated VLAN when plugged in.

[Theblacksheep]

Location here too... well, building blocks, plus ciric wireless, minibook wireless, teacher laptops (wireless and fixed), admin staff and handheld wireless.

Servers and switchs on the default vlan. No classroom facing ports are on the default vlan.

[ssiruuk2]

we have over 20 vlans across our Cisco kit - servers, switches, printers, wireless (management), and each IT room / dept in own vlan. Each wireless ssid in own vlan also.

Then theres ACLs controlling what can flow between each..

[bizzel]

Just thought I'd ask about broadcast packets flowing between VLANs. Can these be controlled by ACLs?

[PiqueABoo]

broadcast packets flowing between VLANs. Can these be controlled by ACLs?

MAC broadcasts won't flow to another VLAN (subnet).

[User3204]

I have split my student network into three VLANs all running on separate 24bit IP ranges, they all have a link into the server one and until I start to lock stuff down they can all see eachother, but this will cut down on the broadcasts (which I seem to get an inordinate amount).

We've had to set up a DHCP relay (each) as otherwise the these packets get dropped.


This also means I can create another VLAN (relatively) easily if we need to expand things.

We have a few other VLANs too: staff, wireless, voip, etc.

[spc-rocket]

MAC broadcasts won't flow to another VLAN (subnet).

There are ways around this where it can broadcast for the whole subnet. I know this becuase we had to tweak our ACLs to get WOL working on another subnet/vlan.

I would say that you need to plan plan and plan more before implementing vlans as it can cause issuses which are not easier to spot. DHCP relay agent should not be needed if you switches support ip helper type of command where it the switch recieves a broadcast packet and forwards that as an unicast packet to the dhcp server. This is certainly possible with cisco and hp siwtches but can't say for other vendors.

IP subnet and address space should be carefully thought out especially (i'm not a fan of this at all) if you IPs are allocated by your RBC.

The core switch acts as a layer 3 switch which handles the routing between the vlans and it is also the switch that should have all the different vlans defined so it makes it possible to create ACLs to control traffic.

Ash.

[PiqueABoo]

we had to tweak our ACLs to get WOL working on another subnet/vlan.

Presumably by turning IP directed broadcasts on (which is typically off by default because of it's old use for DOS amplification )?

if you switches support ip helper type of command where it the switch recieves a broadcast packet and forwards that as an unicast packet to the dhcp server

The switch feature set may or may not include serious L3 ACLs, but if switches that support VLANs don't support BOOTP/DHCP relay then they are a heap of doodoo.

I would say that you need to plan plan and plan more before implementing vlans

I'm not particularly thrilled by VLANs unless there's a decent case for them. Yes, you can carve up your network into lots of little subnets, blue boxes here, pink boxes over there, but it adds all that planning and a whole heap of subsequent management & documentation issues. I would say, justify, justify and justify more... and remember that using something like IPSEC on sensitive machines/resources can give you a lot more assurance than sticking them on a separate VLAN (unless you add all the port access control stuff).

Plus, it's OK, but in this day and age I'm not a huge fan of using switch ACLs instead of proper firewalls with management/auditing/reporting. [Essential if you're going to do anything more than make worthless random guesses when it comes to that "risk management" thing]

[ssiruuk2]

Piqueaboo - Why mention firewall rules when you are the whole point of VLANs is regarding whats going on inside your LAN (esp for a school) ? ipsec is a whole different ball game and is not relevant to why you should and shouldn't use vlans. In what day and age was it wise to use them!? Our L3 switches provide all the syslogs you could possibly dream of it thats your thing (overload comes to mind!)

Yes L2 switches provide VLAN support but I think you will be hard pushed to find a entry level L3 switch that does not offer any form of broadcast "helper-address" support for DHCP etc.

Two quick examples of why to use other than creating lots of subnets with blue and pink boxes

1) large network > 500 hosts.. broadcast hell... faulty nic on a host flooding the system? good luck..!

2) - Try creating something such as a "untrusted" / open wireless system for kids to connect to using mobiles / laptops etc and you want to give them access to 1 thing .. the internet whilst still maintaining your secure lan services from the same APs. How else are you going to support that without VLANs (with ACLs) ? Id love to know if theres a better solution

Ashok - surely your LEA / Provider can give you any IP range it wants at the end of the day but that doesn't restrict what you can and can't do behind it. You can have however many networks and hosts on a completely different class if you want with just a single device such as a proxy, router, firewall interface or L3 switch (whatever really!) on the same subnet that they assign you just to get out to the big wide world. You can likewise map any inbound traffic to a specific ip on their range to anything on your other network address scheme and no ones the wiser..

..well thats what I do anyway

[spc-rocket]

Piqueaboo - Why mention firewall rules when you are the whole point of VLANs is regarding whats going on inside your LAN (esp for a school) ? ipsec is a whole different ball game and is not relevant to why you should and shouldn't use vlans. In what day and age was it wise to use them!? Our L3 switches provide all the syslogs you could possibly dream of it thats your thing (overload comes to mind!)

Yes L2 switches provide VLAN support but I think you will be hard pushed to find a entry level L3 switch that does not offer any form of broadcast "helper-address" support for DHCP etc.

Two quick examples of why to use other than creating lots of subnets with blue and pink boxes

1) large network > 500 hosts.. broadcast hell... faulty nic on a host flooding the system? good luck..!

2) - Try creating something such as a "untrusted" / open wireless system for kids to connect to using mobiles / laptops etc and you want to give them access to 1 thing .. the internet whilst still maintaining your secure lan services from the same APs. How else are you going to support that without VLANs (with ACLs) ? Id love to know if theres a better solution

Ashok - surely your LEA / Provider can give you any IP range it wants at the end of the day but that doesn't restrict what you can and can't do behind it. You can have however many networks and hosts on a completely different class if you want with just a single device such as a proxy, router, firewall interface or L3 switch (whatever really!) on the same subnet that they assign you just to get out to the big wide world. You can likewise map any inbound traffic to a specific ip on their range to anything on your other network address scheme and no ones the wiser..

..well thats what I do anyway

Believe me i would love it if the RBCs just acted like ISP and schools control their own IP addressing scheme but this is not the case with some RBCs. We at our school are using our own IP addressing scheme for the various subnets as we are not with an RBC and i would recommend that schools should look into moving to layer 3 design of their network infrastruture.

I agree the internal routing ACLs should be able to cater for all the needs and so don't quite get what Piqueaboo is trying to say.

Ash.

[PiqueABoo]

Why mention firewall rules when you are the whole point of VLANs

Because it's rather difficult not to when you're responding to a comment on using ACLs to control traffic. ;b

How else are you going to support that [guest LANs] without VLANs?

I didn't see any hint of that requirement from the OP, but having used VLANs for that precise purpose it was already in my justified category.

I agree the internal routing ACLs should be able to cater for all the needs and so don't quite get what Piqueaboo is trying to say.

If ACLs cater for your needs that's fine. ACLs used to cater for my needs a long time ago. But by-and-by people started making and selling firewalls that weren't just a couple of Ciscos with a DMZ in the middle, and to do that they had to add value - for me some of that management/auditing/non-overload-reporting stuff actually has been valuable and I'd much rather keep it.

---

Meanwhile BECTA appear to be interested in getting schools to do some serious security. Serious network security has long meant policies (some implemented with ACLs) and auditing/reporting of those policies. Personally I think some of those desires might be a bit unrealistic, but I'm not in charge of the universe.

[DMcCoy]

If ACLs cater for your needs that's fine. ACLs used to cater for my needs a long time ago. But by-and-by people started making and selling firewalls that weren't just a couple of Ciscos with a DMZ in the middle, and to do that they had to add value - for me some of that management/auditing/non-overload-reporting stuff actually has been valuable and I'd much rather keep it.

Switch ACLs are more about controlling the flow of inter-vlan traffic. I use them to allows machines in our unauthenticated vlan to join the domain, download the policy and startup scripts (helpfully the 802.1x settings are in the policy, I'm not sure microsoft thought that on through ).

In fact an unauthenticated VLAN can be good and bad, while getting machines authenticating correctly all the time is nothing but a dream, it does mean machines that are asleep/off are on a single vlan for WOL, similarly ghost/WDS etc are all within this vlan too. This means you can eliminate the need to allowing the directed broadcast traffic to other vlans.

[spc-rocket]

Switch ACLs are more about controlling the flow of inter-vlan traffic. I use them to allows machines in our unauthenticated vlan to join the domain, download the policy and startup scripts (helpfully the 802.1x settings are in the policy, I'm not sure microsoft thought that on through ).

In fact an unauthenticated VLAN can be good and bad, while getting machines authenticating correctly all the time is nothing but a dream, it does mean machines that are asleep/off are on a single vlan for WOL, similarly ghost/WDS etc are all within this vlan too. This means you can eliminate the need to allowing the directed broadcast traffic to other vlans.

The directed broadcast can be controlled so it only allows by one host or set of hosts. Again this can be made into an ACL to control which device can send the directed broadcast.

I think most vendors now offer the tools to manage a L3 network and as DMccoy mentioned the ACLs on switches are at least used for control of the traffic flow in an inter-vlan infrastructure.

Ash.