Setting up VLANs
I know in theory what VLANs are, but I have never had need to set them up before.
One of the schools I support has an internet connection that does filtering, but it's site-wide. Staff want to be able to access Facebook/YouTube/other stuff they don't want the kids to see. Talking to the internet provider, it is in theory not a problem; their setup supports it, I just need to use two ports on the router, one for staff traffic and one for pupils.
Now this sounds like it shouldn't be the world's biggest problem; all the school's switchgear is managed HP ProCurve gear (various models). The school has three servers (two DCs and a MicroServer that's a glorified NAS that hosts WDS/MDT). I presume I could set up two VLANs. Now, would the two VLANs be fine with one DHCP server and getting random IPs, or would I need to add a second NIC to the DHCP server and dish out IPs depending on what VLAN they are on? I assume the latter if I need a different gateway address. Also, as some staff laptops use Wi-Fi, as do pupil laptops, is there any way I could separate traffic for that? (Managed Netgear G solution, but the model name escapes me at the moment and I'm elsewhere.)
Sorry if this sounds simple/stupid; I just have no idea where to start (other than setting up a test network somewhere).
I'm still new to this whole VLANning thing, so I may be wrong on the details (I'm far from an expert), but I did do it over the Easter break with the help of a network engineer in for the day, so it is at least fresh in my mind.
Regarding DHCP, you don't need a second NIC or anything; you just need to set up a separate scope for the VLANs and tell the switches to relay any DHCP packets and which servers to send them to. You can then set the gateway in the scope options.
Do you have complete freedom with regard to your IP range? If so, the way we've done it here is to set up the underlying infrastructure on the switches for the /20 range next door to our existing range (albeit subnetted down into /24s from there). That way everything is still running on VLAN 1 in the original range until we explicitly switch the port over, so it's allowed for a much more measured, taking-our-time approach to doing it.
Alternatively, the quick 'n' dirty way would be to set up staff equipment with a static IP and set their default gateway yourself. It would certainly be easier from a technical point of view if you've not VLANned before, as it's a fair old thing to wrap your head around the first time :(
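The arrangement that reply describes (one DHCP server, a scope per VLAN, the switch relaying DHCP, the gateway set as a scope option), written out as an added example that is not from the thread. It plans a hypothetical /20 cut into /24s, has the core ProCurve route between VLANs and relay DHCP to a single server, and emits both the switch config and the matching Windows DHCP scope commands. Every address, VLAN ID, port range and the server address are assumptions; how each VLAN's internet traffic is steered to its own port on the ISP router is outside what is shown here.

```python
"""Plan staff/pupil VLANs: one DHCP server, per-VLAN scopes, DHCP relay, option-3 gateways.

Added example for the thread above; addressing is hypothetical (a fresh /20 "next door"
to the old range, cut into /24s) and none of it comes from the original posts.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    subnet: str   # e.g. "10.20.10.0/24"
    gateway: str  # the switch's routed interface in this VLAN; becomes DHCP option 3
    ports: str    # ProCurve port list to untag in this VLAN


DHCP_SERVER = "10.20.1.10"  # assumption: the DC running DHCP, sitting in the servers VLAN

VLANS = [
    Vlan(1,  "servers", "10.20.1.0/24",  "10.20.1.1",  "1-4"),
    Vlan(10, "staff",   "10.20.10.0/24", "10.20.10.1", "5-12"),
    Vlan(20, "pupils",  "10.20.20.0/24", "10.20.20.1", "13-24"),
]


def validate(vlans, dhcp_server):
    """Return a list of planning mistakes; an empty list means the plan is consistent.

    The two mistakes checked are the ones that fail silently in practice: a scope whose
    gateway is not inside its own subnet, and subnets that overlap each other.
    """
    problems = []
    seen = []
    for v in vlans:
        net = ipaddress.ip_network(v.subnet, strict=True)
        if ipaddress.ip_address(v.gateway) not in net:
            problems.append(f"VLAN {v.vid}: gateway {v.gateway} is outside {net}")
        for vid, other in seen:
            if net.overlaps(other):
                problems.append(f"VLAN {v.vid} ({net}) overlaps VLAN {vid} ({other})")
        seen.append((v.vid, net))
    if not any(ipaddress.ip_address(dhcp_server) in n for _, n in seen):
        problems.append(f"DHCP server {dhcp_server} is in none of the VLANs; relay has nowhere to go")
    return problems


def procurve_config(vlans, dhcp_server):
    """ProCurve CLI for the switch that holds the routed VLAN interfaces.

    Each VLAN gets an IP (the clients' gateway); VLANs that do not contain the DHCP
    server get an ip helper-address so broadcast DISCOVERs are relayed to it.
    """
    server = ipaddress.ip_address(dhcp_server)
    lines = ["ip routing", "dhcp-relay"]
    for v in vlans:
        net = ipaddress.ip_network(v.subnet)
        lines += [f"vlan {v.vid}",
                  f'   name "{v.name}"',
                  f"   untagged {v.ports}",
                  f"   ip address {v.gateway} {net.netmask}"]
        if server not in net:
            lines.append(f"   ip helper-address {dhcp_server}")
        lines.append("   exit")
    return "\n".join(lines)


def dhcp_scopes(vlans):
    """netsh commands to create one Windows DHCP scope per VLAN with option 3 (router).

    The relayed request arrives with giaddr set to the switch's VLAN address, which is
    what the server uses to pick the scope, so no second NIC is needed.
    """
    cmds = []
    for v in vlans:
        net = ipaddress.ip_network(v.subnet)
        hosts = list(net.hosts())
        start, end = hosts[50], hosts[-10]  # assumption: keep .1-.50 and .246-.254 for statics
        sid = net.network_address
        cmds += [
            f'netsh dhcp server add scope {sid} {net.netmask} "{v.name}"',
            f"netsh dhcp server scope {sid} add iprange {start} {end}",
            f"netsh dhcp server scope {sid} set optionvalue 003 IPADDRESS {v.gateway}",
        ]
    return cmds


if __name__ == "__main__":
    issues = validate(VLANS, DHCP_SERVER)
    if issues:
        raise SystemExit("\n".join(issues))
    print(procurve_config(VLANS, DHCP_SERVER))
    print()
    print("\n".join(dhcp_scopes(VLANS)))
```

Only the switch that owns the routed VLAN interfaces needs the helper addresses; the edge switches just need the VLANs tagged on their uplinks. Note the caveat raised later in the thread: port-based VLAN membership follows the wall socket, not the person, so a pupil on a "staff" port gets staff filtering.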
Not sure if VLANs are the answer here; it seems a bit unusual, and once you assign a machine to a different VLAN, what happens if a student needs to use, or uses and accesses, YouTube, Facebook etc.?
Ideally you need a filtering system that talks to AD so you can set up per-group/user filtering for all the machines you are talking about. Of course, BYOD devices may need a different filtering solution/system, as they will ideally be on a separate network (and probably a different IP class altogether) from your main production environment.
Some county-based filtering does give a lower-filtered proxy IP address; you could set up a policy for certain AD users/groups to point to the different proxy IP address, I guess. Is this what the ISP meant, I wonder?
One other option is to set up two of your own proxy boxes (check out Smoothwall Express or IPCop).
Use one for staff and one for students; it's quite common for the ISP to be able to filter by IP (as all your internet traffic from each group will then be coming from a different proxy box).
I thought of that one, but someone else I work with tried that and had nothing but trouble. I also like the idea of hiving off parts of the network, so, say, I could give the suite its own VLAN, or set up one I could use just for, say, WDS/MDT.
Originally Posted by Jamo
I assume it's not possible to VLAN "on the fly" based on MAC address?
It does sound overly complicated for internet filtering.
We have two Linux Squid boxes forwarding traffic for us, no problems at all. Wireless is on a separate VLAN, as are switches.
We would like to move printers and servers into a separate VLAN, but wouldn't do it for staff vs. students, as you can never guarantee that a staff member won't want to use a student desktop or that a student won't use a staff laptop.
I've got to add that when I ran a 'flat' network (meaning one with no VLANs) I was in this exact situation, and just did what Jamo said: two IPCops, one for staff and one for kids; Group Policy dictates which group gets what. :)
It served me totally fine, but I'm a little hazy on the guide I used to install and run IPCop. I'll have a rummage and see if I have it / there's a better one...
Edit: bam, right there. :)