I have been asked by one of our large secondary schools to look into implementing VLANs. I normally only help out at primary schools, but one of the senior techs is off long-term sick at the moment and I am going into secondaries.
I am going to be honest here and say that I am not experienced enough to be dealing with most of the secondaries, as I am still finding my feet in IT support.
I have no idea about VLANs, or, as I was asked, how to set up or split the current DHCP scope into VLANs. I don't have a clue; I would like to, so I can help out, but I need some help.
Can someone help me here with an idiot-proof explanation or point me to some useful websites?
I can't recommend any specific links, but Cisco's website would be one of the best places to look regarding VLANs.
From memory, though, I don't think that you can simply split a DHCP scope so that it goes to different VLANs; this is because for VLANs to communicate with each other there must be some sort of routing going on.
What's the problem you're trying to solve exactly? Why does it need VLANs?
I recently (last summer) broke our whole campus up into VLANs. I did this for several reasons. It's a K-12 school on a spread-out campus: about 400 connected machines with wireless access points, servers and IP security cameras.
They do have many advantages, but in some cases it's just not worth the extra effort.
Here's a Cisco link. Unfortunately, Cisco docs tend to get too technical in a hurry.
http://www.cisco.com/univercd/cc/td/...h_c/xcvlan.htm
If you could explain why they feel they need VLANs, it would probably help us point you in the right direction for a solution.
This is a pretty dumb question, but what does a VLAN do?
Ross
Start here
http://en.wikipedia.org/wiki/Vlan
Then go from there!

A VLAN is a (V)irtual (L)ocal (A)rea (N)etwork. Basically, on a set of switches you can configure ports to be part of a VLAN, which keeps the traffic confined to that rather than the physical LAN.
Good for separating VoIP traffic from normal traffic.
Ben
VLANs provide a way for you to segment your network into smaller broadcast domains REGARDLESS of where the computer is located on the network. Usually this is done based on function and security.
For example:
If I had a three-storey building with Administration, Accounts and Servers on each floor.
Normally, in some cases, each floor would have a switch and that switch connected to a main router for the building. So each floor is one network; all broadcasts go to everyone on the floor regardless of function.
With a VLAN we can break up those domains into functions. So all Administration computers, even though they are on different floors and switches, can be their own network. Same goes for Accounts. Servers get their own private network even though they're on completely different floors.
VLANs also provide added security, so if you wanted the Accounts computers to have no access to Administration computers, you can.
To put this in a school-type example: if you have wireless access points all over campus you can have them in their own VLAN (and subnet). A rogue laptop on your wireless won't tear down the whole system. With added VLAN security you can restrict wireless to just being able to access the internet and nothing else on campus.
At my school we have IP security cameras all over the campus from the front gate to the back, plugged into switches all over the place. With my VLANs they're all in the same network and subnet. Nice. Since these cameras are heavy broadcasters, those broadcasts only get received by the other cameras, not the whole of my network.
The cool thing is I can plug a computer into one port in my switch, another computer into the port right next to it, and they will be on two completely different networks (or subnets).
Hope that provides a clear example of what VLANs are and can do.
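As an added illustration (not code from any poster in this thread), here is a small Python model of the three-floor example above. Hosts are placed on floor switches and given a VLAN per port; the model shows that broadcasts stay inside the VLAN regardless of floor, that two adjacent ports can sit in different networks, and that traffic between VLANs is only what the router's permit list allows. The host names, VLAN numbers and permit list are all constructed for the example.

```python
"""Toy model of VLAN broadcast domains and inter-VLAN routing policy."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Host:
    name: str
    floor: int   # physical switch the host is plugged into
    port: int    # port on that floor switch
    vlan: int    # VLAN membership configured on the port

# Constructed sample layout: VLAN ids and hosts are invented for this example.
ADMIN, ACCOUNTS, SERVERS, WIFI = 10, 20, 30, 40
INTERNET = "internet"
HOSTS = [
    Host("admin-pc-1", floor=1, port=1, vlan=ADMIN),
    Host("acct-pc-1",  floor=1, port=2, vlan=ACCOUNTS),  # port right next to it
    Host("admin-pc-2", floor=3, port=1, vlan=ADMIN),
    Host("acct-pc-2",  floor=2, port=1, vlan=ACCOUNTS),
    Host("file-srv",   floor=2, port=2, vlan=SERVERS),
    Host("wifi-ap-1",  floor=3, port=2, vlan=WIFI),
]

# Assumed router policy: (source VLAN, destination) pairs that are permitted.
# Anything not listed is dropped, so Accounts cannot reach Administration and
# the wireless VLAN can reach only the internet.
INTER_VLAN_PERMIT = {
    (ADMIN, SERVERS), (ACCOUNTS, SERVERS),
    (ADMIN, INTERNET), (ACCOUNTS, INTERNET), (SERVERS, INTERNET),
    (WIFI, INTERNET),
}

def by_name(name):
    return next(h for h in HOSTS if h.name == name)

def broadcast_domain(src):
    """Hosts that hear a broadcast from src: same VLAN, any floor or switch."""
    return {h.name for h in HOSTS if h.vlan == src.vlan and h is not src}

def can_reach(src, dst):
    """Unicast reachability. Same VLAN is switched directly; a different VLAN
    (or the internet) has to go through the router and pass its permit list."""
    if dst == INTERNET:
        return (src.vlan, INTERNET) in INTER_VLAN_PERMIT
    if src.vlan == dst.vlan:
        return True
    return (src.vlan, dst.vlan) in INTER_VLAN_PERMIT

if __name__ == "__main__":
    for h in HOSTS:
        print(f"{h.name:11} floor {h.floor} port {h.port} vlan {h.vlan}: "
              f"broadcasts reach {sorted(broadcast_domain(h))}")
```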
> VLANs also provide added security, so if you wanted the Accounts computers to have no access to Administration computers, you can.

This isn't technically correct. VLANs provide no security against a determined attacker. If you need to provide some separation in your network, VLANs are not a satisfactory substitute for air gapping.

Also, depending on the switches themselves, some of them, if flooded with too much data, will actually pass it across all VLANs and not keep it to the one it is destined for.
Ben
> This isn't technically correct. VLANs provide no security against a determined attacker. If you need to provide some separation in your network, VLANs are not a satisfactory substitute for air gapping.

Sorry, I think I got ahead of myself when writing. What I had in my head was related to routing. If you block routing (or use ACLs) between certain VLANs, i.e. Administration and Accounting, it does provide SOME added security. Not foolproof, of course, but it does make more of a challenge.
What I was trying to get across was that basic IP security can be established by function rather than physical location.
Which I think in a school environment works well. Most script kiddies' first instinct is to do a ping search, thinking if I can't ping it, I can't hack it. (At least that's the mantra of the ones I've run into.)
But as we all know, with the right tools and a little time we can all clean out the Villagio. 8)
Oh, here's another link I found introducing VLANs with some diagrams:
http://net21.ucdavis.edu/newvlan.htm
It provides this nice disclaimer about VLAN security:
It should be noted that the enhanced security that is mentioned above is not to be considered an absolute safeguard against security infringements. What this provides is additional safeguards against "casual" but unwelcome attempts to view network traffic.
Thanks for the info, always wondered.
Ross