  1. #1



    setting up vlans

    I know in theory what VLANs are but never had need to set them up before.

    One of the schools I support has an internet connection that does filtering, but it's site-wide. Staff want to be able to access Facebook/YouTube/other stuff they don't want the kids to see. Talking to the internet provider, it is in theory not a problem: their setup supports it, I just need to use 2 ports on the router, one for staff traffic and one for pupils.

    Now this sounds like it shouldn't be the world's biggest problem: all the school's switchgear is managed HP ProCurve gear (various models). The school has 3 servers (2 DCs and a MicroServer that's a glorified NAS that hosts WDS/MDT). I presume I could set up 2 VLANs. Now, would the 2 VLANs be fine with one DHCP server and getting random IPs, or would I need to add a 2nd NIC to the DHCP server and dish out IPs depending on what VLAN they are on? I assume the latter if I need a different gateway address. Also, as some staff laptops use wifi, as do pupil laptops, is there any way I could separate traffic for that (managed Netgear G solution, but the model name escapes me atm and I'm elsewhere)?

    Sorry if this sounds simple/stupid, I just have no idea where to start (other than setting up a test network somewhere).

  2. #2

    sonofsanta
    I'm still new to this whole VLANning thing so I may be wrong on the details, I'm far from an expert, but... I did do it over the Easter break with the help of a network engineer in for the day, so it is at least fresh in my mind.

    Regards DHCP, you don't need a second NIC or anything... you just need to set up a separate scope for the VLANs, tell the switches to relay any DHCP packets and which servers to send them to. You can then set gateway in the scope options.

    Do you have complete freedom wrt your IP range? If so, the way we've done it here is to set up the underlying infrastructure on the switches for the /20 range next door to our existing range (albeit subnetted down into /24s from there). That way everything is still running on VLAN 1 in the original range until we explicitly switch the port over, so it's allowed for a much more measured, taking-our-time approach to doing it.

    Alternatively, the quick 'n' dirty way would be to set up staff equipment with a static IP and set their default gateway yourself. Would certainly be easier from a technical point of view if you've not VLANned before, as it's a fair old thing to wrap your head around the first time.
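
Why one DHCP server with one NIC can serve several VLANs, as an added example that is not part of the original post: a relayed request carries the relay agent address (giaddr) of the VLAN interface it came from, and the server picks the scope containing that address. The addresses, VLAN IDs and scope names below are constructed for illustration.

```python
import ipaddress

# Constructed plan: the original range stays on VLAN 1, new /24s are carved
# from the /20 next door. All addresses and VLAN IDs here are assumptions.
SCOPES = [
    {"name": "original", "vlan": 1,  "subnet": "10.0.0.0/20",  "gateway": "10.0.0.1"},
    {"name": "staff",    "vlan": 10, "subnet": "10.0.16.0/24", "gateway": "10.0.16.1"},
    {"name": "pupils",   "vlan": 20, "subnet": "10.0.17.0/24", "gateway": "10.0.17.1"},
]
SERVER_IP = "10.0.0.10"  # the DHCP server's single NIC, on VLAN 1


def select_scope(giaddr, scopes=SCOPES, server_ip=SERVER_IP):
    """Pick a scope the way a DHCP server does: by the relay agent address
    (giaddr) when the request was relayed, otherwise by the subnet the
    request arrived on (the server's own interface)."""
    key = ipaddress.ip_address(server_ip if giaddr == "0.0.0.0" else giaddr)
    for scope in scopes:
        if key in ipaddress.ip_network(scope["subnet"]):
            return scope
    return None  # no scope matches the relay's subnet, so no lease is offered


def validate(scopes=SCOPES):
    """Return plan errors: overlapping scopes, or a gateway outside its scope."""
    errors = []
    nets = [(s["name"], ipaddress.ip_network(s["subnet"])) for s in scopes]
    for i, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                errors.append(f"{name_a} overlaps {name_b}")
    for s in scopes:
        if ipaddress.ip_address(s["gateway"]) not in ipaddress.ip_network(s["subnet"]):
            errors.append(f"{s['name']}: gateway outside subnet")
    return errors


if __name__ == "__main__":
    print("plan errors:", validate())
    for giaddr in ("0.0.0.0", "10.0.16.1", "10.0.17.1", "192.168.5.1"):
        scope = select_scope(giaddr)
        print(giaddr, "->", scope["name"] if scope else "no scope")
```

The gateway handed to each client comes from the matched scope's options, which is how staff and pupil VLANs end up with different default gateways from the same server.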

  3. #3

    Not sure if VLANs are the answer here, seems a bit unusual, and once you assign a machine to a different VLAN, what happens if a student needs to use or uses and accesses YouTube, Facebook etc.?

    Ideally you need a filtering system that talks to AD so you can set up per group/user filtering if all the machines you are talking about. Of course BYOD devices may need a different filtering solution/system as they will ideally be on a separate network (and probably different IP class altogether) from your main production environment.

    Some county-based filtering does give a lower filtered proxy IP address; you could set up a policy for certain AD users/groups to point to the different proxy IP address, I guess. Is this what the ISP meant, I wonder?

  4. #4
    Jamo
    One other option is to set up two of your own proxy boxes (check out Smoothwall Express or IPCop).

    Use one for staff and one for students; it's quite common for the ISP to be able to filter by IP (as all your interwebs traffic from each group will then be coming from a different proxy box).

  5. #5


    Originally posted by Jamo:
        One other option is to set up two of your own proxy boxes (check out Smoothwall Express or IPCop).

        Use one for staff and one for students; it's quite common for the ISP to be able to filter by IP (as all your interwebs traffic from each group will then be coming from a different proxy box).

    I thought of that one, but someone else I work with tried that and had nothing but trouble. I also like the idea of hiving off parts of the network, so say I could give the suite its own VLAN or set up one I could use just for, say, WDS/MDT.

    I assume it's not possible to VLAN "on the fly" based on MAC address?

  6. #6
    Jamo
    It does sound overly complicated for internet filtering.

    We have 2 linux squid boxes forwarding traffic for us, no problems at all. Wireless is on a separate VLAN, as are switches.

    Would like to move printers and servers into a separate VLAN, but wouldn't do it for staff vs students as you can never guarantee that a staff member won't want to use a student desktop or that a student won't use a staff laptop.

  7. #7

    Miscbrah
    Gotta add that when I ran a 'flat' network (meaning one with no vlans) I was in this exact situation, and just did what Jamo said. Two IPCops, one for staff and one for kids, group policy dictates which group gets what.

    Served me totally fine, but I'm a little hazy on the guide I used to install and run IPCop. I'll have a rummage and see if I have it/there's a better one...

    Edit - bam, right there.
    Last edited by Miscbrah; 25th April 2012 at 10:05 AM.

  8. Thanks to Miscbrah from:

    sted (25th April 2012)
