Wireless Networks Thread: What VLANs (Technical)
  #1 ozydave (Join Date: Jun 2007)

    What VLANs

    Hi

    We have a flat network at the moment and have just replaced all our switches with ProCurve; the core is a 5406zl.
    I have a little knowledge of VLANs; I'm just after opinions as to what to put in each VLAN.
    Students and staff are obvious choices.
    Other VLANs I thought about are printers and CCTV.
    Would servers be best on their own VLAN?
    We have 5 wireless APs; I suppose they could be in their own VLAN. We also have three new laptop trolleys (not my idea). These at some point would be plugged into the network port in the classrooms, which would mean they are in the teacher VLAN. I assume routing would take care of this.

    Any offers for what you have??

  #2 localzuk (Join Date: Dec 2006, Location: Minehead)
    Our structure is done by location and function. So we have VLANs for our servers, our admin department, one for each ICT suite, one for Wifi, one for our phone system and a 'general' one for everything else.

    I was kind of restricted as to what I could do by the number of IPs available to us at the time.

    The point with VLANs isn't to think about what you could separate off - it is to think why you want to segment things. My thinking was along the lines of:

    1. I want to provide a guaranteed route for the phone system, I want wifi to be able to be separated off nicely, and I wanted each classroom to be on its own so multicasting a room of machines wouldn't drown the entire network - just that suite.

    The advantages of segmentation come as a bonus with the above thinking.

    Regarding plugging things in - if you used MAC-based port authentication for the majority of your ports, the devices would automatically be assigned to their designated VLAN when plugged in.

  Thanks to localzuk from: ozydave (28th August 2009)

  #3 Theblacksheep (Join Date: Feb 2008, Location: In a house.)
    Location here too... well, building blocks, plus ciric wireless, minibook wireless, teacher laptops (wireless and fixed), admin staff and handheld wireless.

    Servers and switches on the default VLAN. No classroom-facing ports are on the default VLAN.

  #4 (Join Date: Feb 2008)
    We have over 20 VLANs across our Cisco kit - servers, switches, printers, wireless (management), and each IT room / dept in its own VLAN. Each wireless SSID is in its own VLAN also.

    Then there are ACLs controlling what can flow between each.

  #5 bizzel (Join Date: Jul 2007, Location: Cambridge)
    Just thought I'd ask about broadcast packets flowing between VLANs. Can these be controlled by ACLs?

  #6 PiqueABoo (Join Date: Jan 2006, Location: Surburbia)
    Quote Originally Posted by bizzel:
    broadcast packets flowing between VLANs. Can these be controlled by ACLs?
    MAC broadcasts won't flow to another VLAN (subnet).

  Thanks to PiqueABoo from: bizzel (1st September 2009)

  #7 User3204 (Join Date: Aug 2006, Location: Wirral)
    I have split my student network into three VLANs all running on separate 24-bit IP ranges. They all have a link into the server one and, until I start to lock stuff down, they can all see each other, but this will cut down on the broadcasts (of which I seem to get an inordinate amount).

    We've had to set up a DHCP relay (for each) as otherwise these packets get dropped.

    This also means I can create another VLAN (relatively) easily if we need to expand things.

    We have a few other VLANs too: staff, wireless, voip, etc.

  #8 spc-rocket (Join Date: Oct 2005, Location: East Midlands)
    Quote Originally Posted by PiqueABoo:
    MAC broadcasts won't flow to another VLAN (subnet).
    There are ways around this where it can broadcast for the whole subnet. I know this because we had to tweak our ACLs to get WOL working on another subnet/VLAN.

    I would say that you need to plan, plan and plan more before implementing VLANs, as it can cause issues which are not easy to spot. A DHCP relay agent should not be needed if your switches support an ip helper type of command, where the switch receives a broadcast packet and forwards it as a unicast packet to the DHCP server. This is certainly possible with Cisco and HP switches but I can't say for other vendors.

    IP subnet and address space should be carefully thought out, especially (I'm not a fan of this at all) if your IPs are allocated by your RBC.

    The core switch acts as a layer 3 switch which handles the routing between the VLANs, and it is also the switch that should have all the different VLANs defined, so it makes it possible to create ACLs to control traffic.

    Ash.

  Thanks to spc-rocket from: bizzel (1st September 2009)
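    The ip helper / DHCP relay mechanism the last two posts describe, as an added example in Python (not code or configuration from anyone in this thread). It models the three parties: the client's broadcast DHCPDISCOVER (giaddr zero, because the client has no idea which VLAN it is on), the L3 switch interface that stamps giaddr with its own address and forwards the request as unicast to the server, and the DHCP server choosing the scope whose subnet contains giaddr. The VLAN numbers, subnets, server address and client MAC are constructed for illustration.

```python
"""Model of BOOTP/DHCP relay (the "ip helper-address" behaviour).
Added example; addresses, VLAN ids and the server address are constructed."""
import ipaddress
import struct
from typing import Optional, Tuple

BOOTREQUEST = 1
MAGIC_COOKIE = b"\x63\x82\x53\x63"

# Constructed VLAN plan: VLAN id -> (client subnet, L3 switch interface on it)
VLAN_PLAN = {
    10: (ipaddress.ip_network("10.10.0.0/24"), ipaddress.ip_address("10.10.0.1")),
    20: (ipaddress.ip_network("10.20.0.0/24"), ipaddress.ip_address("10.20.0.1")),
}
# Constructed: the DHCP server lives in the server VLAN, not in any client VLAN
DHCP_SERVER = ipaddress.ip_address("10.1.0.5")


def build_discover(client_mac: bytes, xid: int) -> bytes:
    """Minimal DHCPDISCOVER in the RFC 951 BOOTP layout; giaddr is zero
    because the client cannot know which VLAN it sits on."""
    fixed = struct.pack(
        "!BBBBIHH4s4s4s4s16s",
        BOOTREQUEST, 1, 6, 0,            # op, htype (Ethernet), hlen, hops
        xid, 0, 0x8000,                  # xid, secs, flags (broadcast bit)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,  # ciaddr yiaddr siaddr giaddr
        client_mac.ljust(16, b"\0"),     # chaddr
    )
    fixed += b"\0" * 64 + b"\0" * 128    # sname, file
    # option 53 (message type) = 1 (DISCOVER), then the end option
    return fixed + MAGIC_COOKIE + b"\x35\x01\x01\xff"


def relay(packet: bytes, ingress_vlan: int) -> Tuple[ipaddress.IPv4Address, bytes]:
    """What the switch's helper-address feature does with a broadcast request:
    stamp giaddr with the ingress VLAN interface address (only if no earlier
    relay already did), increment hops, and return the unicast destination."""
    if packet[0] != BOOTREQUEST:
        raise ValueError("relay only forwards client requests")
    _, iface = VLAN_PLAN[ingress_vlan]
    if packet[24:28] == b"\0\0\0\0":
        packet = packet[:24] + iface.packed + packet[28:]
    packet = packet[:3] + bytes([packet[3] + 1]) + packet[4:]
    return DHCP_SERVER, packet


def select_scope(packet: bytes) -> Optional[ipaddress.IPv4Network]:
    """Server side: the scope is the one whose subnet contains giaddr.
    A zero giaddr means the request arrived on a server-local interface
    (not modelled here)."""
    giaddr = ipaddress.ip_address(packet[24:28])
    if giaddr.packed == b"\0\0\0\0":
        return None
    for subnet, _ in VLAN_PLAN.values():
        if giaddr in subnet:
            return subnet
    return None


def scope_for(ingress_vlan: int) -> Optional[str]:
    """End to end: client broadcasts on ingress_vlan, switch relays,
    server picks the scope. Returns the scope as a string, or None."""
    discover = build_discover(b"\x00\x11\x22\x33\x44\x55", 0x1234)  # constructed MAC
    _, relayed = relay(discover, ingress_vlan)
    scope = select_scope(relayed)
    return str(scope) if scope else None


if __name__ == "__main__":
    for vlan in VLAN_PLAN:
        print(f"VLAN {vlan}: server chooses scope {scope_for(vlan)}")
```

    The thing worth noticing is that the server never sees the broadcast at all; it sees a unicast from the switch interface and keys its decision entirely on giaddr. That is why a wrong or missing helper address on one VLAN interface shows up as clients in only that VLAN failing to get leases, and why `select_scope` returns None for a request that was never relayed.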

  #9 (Join Date: Jan 2006, Location: Surburbia)
    Quote Originally Posted by spc-rocket:
    we had to tweak our ACLs to get WOL working on another subnet/vlan.
    Presumably by turning IP directed broadcasts on (which is typically off by default because of its old use for DoS amplification)?

    Quote Originally Posted by spc-rocket:
    if you switches support ip helper type of command where it the switch recieves a broadcast packet and forwards that as an unicast packet to the dhcp server
    The switch feature set may or may not include serious L3 ACLs, but if switches that support VLANs don't support BOOTP/DHCP relay then they are a heap of doodoo.

    Quote Originally Posted by spc-rocket:
    I would say that you need to plan plan and plan more before implementing vlans
    I'm not particularly thrilled by VLANs unless there's a decent case for them. Yes, you can carve up your network into lots of little subnets, blue boxes here, pink boxes over there, but it adds all that planning and a whole heap of subsequent management & documentation issues. I would say, justify, justify and justify more... and remember that using something like IPsec on sensitive machines/resources can give you a lot more assurance than sticking them on a separate VLAN (unless you add all the port access control stuff).

    Plus, it's OK, but in this day and age I'm not a huge fan of using switch ACLs instead of proper firewalls with management/auditing/reporting. [Essential if you're going to do anything more than make worthless random guesses when it comes to that "risk management" thing]

  #10 ssiruuk2 (Join Date: Feb 2008)
    Piqueaboo - Why mention firewall rules when the whole point of VLANs is what's going on inside your LAN (esp. for a school)? IPsec is a whole different ball game and is not relevant to why you should and shouldn't use VLANs. In what day and age was it wise to use them!? Our L3 switches provide all the syslogs you could possibly dream of, if that's your thing (overload comes to mind!)

    Yes, L2 switches provide VLAN support, but I think you will be hard pushed to find an entry-level L3 switch that does not offer any form of broadcast "helper-address" support for DHCP etc.

    Two quick examples of why to use them, other than creating lots of subnets with blue and pink boxes:

    1) Large network, > 500 hosts... broadcast hell... faulty NIC on a host flooding the system? Good luck!

    2) Try creating something such as an "untrusted" / open wireless system for kids to connect to using mobiles / laptops etc., where you want to give them access to 1 thing - the internet - whilst still maintaining your secure LAN services from the same APs. How else are you going to support that without VLANs (with ACLs)? I'd love to know if there's a better solution.

    Ashok - surely your LEA / provider can give you any IP range it wants at the end of the day, but that doesn't restrict what you can and can't do behind it. You can have however many networks and hosts on a completely different class if you want, with just a single device such as a proxy, router, firewall interface or L3 switch (whatever really!) on the same subnet that they assign you, just to get out to the big wide world. You can likewise map any inbound traffic to a specific IP on their range to anything on your other network address scheme and no one's the wiser.

    ...well, that's what I do anyway.

  #11 (Join Date: Oct 2005, Location: East Midlands)
    Quote Originally Posted by ssiruuk2:
    [post #10 quoted in full]
    Believe me, I would love it if the RBCs just acted like ISPs and schools controlled their own IP addressing scheme, but this is not the case with some RBCs. We at our school are using our own IP addressing scheme for the various subnets, as we are not with an RBC, and I would recommend that schools should look into moving to a layer 3 design of their network infrastructure.

    I agree the internal routing ACLs should be able to cater for all the needs, and so I don't quite get what Piqueaboo is trying to say.

    Ash.

  #12 (Join Date: Jan 2006, Location: Surburbia)
    Quote Originally Posted by ssiruuk2:
    Why mention firewall rules when you are the whole point of VLANs
    Because it's rather difficult not to when you're responding to a comment on using ACLs to control traffic. ;b

    Quote Originally Posted by ssiruuk2:
    How else are you going to support that [guest LANs] without VLANs?
    I didn't see any hint of that requirement from the OP, but having used VLANs for that precise purpose it was already in my justified category.

    Quote:
    I agree the internal routing ACLs should be able to cater for all the needs and so don't quite get what Piqueaboo is trying to say.
    If ACLs cater for your needs that's fine. ACLs used to cater for my needs a long time ago. But by-and-by people started making and selling firewalls that weren't just a couple of Ciscos with a DMZ in the middle, and to do that they had to add value - for me some of that management/auditing/non-overload-reporting stuff actually has been valuable and I'd much rather keep it.

    ---

    Meanwhile BECTA appear to be interested in getting schools to do some serious security. Serious network security has long meant policies (some implemented with ACLs) and auditing/reporting of those policies. Personally I think some of those desires might be a bit unrealistic, but I'm not in charge of the universe.

  #13 DMcCoy (Join Date: Oct 2005, Location: Isle of Wight)
    Quote Originally Posted by PiqueABoo:
    If ACLs cater for your needs that's fine. ACLs used to cater for my needs a long time ago. But by-and-by people started making and selling firewalls that weren't just a couple of Ciscos with a DMZ in the middle, and to do that they had to add value - for me some of that management/auditing/non-overload-reporting stuff actually has been valuable and I'd much rather keep it.
    Switch ACLs are more about controlling the flow of inter-VLAN traffic. I use them to allow machines in our unauthenticated VLAN to join the domain and download the policy and startup scripts (helpfully the 802.1x settings are in the policy; I'm not sure Microsoft thought that one through).

    In fact an unauthenticated VLAN can be good and bad: while getting machines authenticating correctly all the time is nothing but a dream, it does mean machines that are asleep/off are on a single VLAN for WOL, and similarly Ghost/WDS etc. are all within this VLAN too. This means you can eliminate the need to allow the directed broadcast traffic to other VLANs.

  #14 (Join Date: Oct 2005, Location: East Midlands)
    Quote Originally Posted by DMcCoy:
    [post #13 quoted in full]
    The directed broadcast can be controlled so it is only allowed from one host or set of hosts. Again, this can be made into an ACL to control which device can send the directed broadcast.

    I think most vendors now offer the tools to manage an L3 network, and as DMcCoy mentioned, the ACLs on switches are at least used for control of the traffic flow in an inter-VLAN infrastructure.

    Ash.
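    The inter-VLAN ACL ideas raised in posts #10 (guest wireless that reaches only the internet), #13 (an unauthenticated VLAN allowed just enough to join the domain) and #14 (directed broadcast for WOL permitted from one host only), pulled together as an added Python model. This is not anyone's configuration from the thread and the addressing, VLAN names, domain controller, WOL host and rules are all constructed. It evaluates rules first-match with an implicit deny, the way switch ACLs behave, and includes a small shadowed-rule check, because ordering mistakes are exactly the kind of issue post #8 warns are not easy to spot.

```python
"""Model of a first-match, implicit-deny inter-VLAN ACL on an L3 core switch.
Added example; VLAN plan, hosts and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPv4Net = ipaddress.IPv4Network
ANY = ipaddress.ip_network("0.0.0.0/0")
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed VLAN plan
VLANS = {
    "servers":    ipaddress.ip_network("10.1.0.0/24"),
    "staff":      ipaddress.ip_network("10.20.0.0/24"),
    "students":   ipaddress.ip_network("10.30.0.0/24"),
    "guest_wifi": ipaddress.ip_network("10.50.0.0/24"),
    "unauth":     ipaddress.ip_network("10.99.0.0/24"),
}
DC = ipaddress.ip_address("10.1.0.10")        # constructed domain controller
WOL_HOST = ipaddress.ip_address("10.1.0.20")  # constructed: the only WOL sender


def host(addr) -> IPv4Net:
    """Single-address network, the /32 form an ACL host entry takes."""
    return ipaddress.ip_network(f"{addr}/32")


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: IPv4Net
    dst: IPv4Net
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any destination port


ACL: List[Rule] = [
    # Unauthenticated VLAN: just enough to find and join the domain
    Rule("permit", VLANS["unauth"], host(DC), "udp", 53),
    Rule("permit", VLANS["unauth"], host(DC), "tcp", 389),
    Rule("permit", VLANS["unauth"], host(DC), "tcp", 445),
    Rule("deny",   VLANS["unauth"], ANY),
    # Guest wifi: internet only, so deny every private range before the permit
    *[Rule("deny", VLANS["guest_wifi"], n) for n in RFC1918],
    Rule("permit", VLANS["guest_wifi"], ANY),
    # Directed broadcast into the student subnet (WOL on UDP/9): one host only
    Rule("permit", host(WOL_HOST), host(VLANS["students"].broadcast_address), "udp", 9),
    Rule("deny",   ANY, host(VLANS["students"].broadcast_address)),
    # Staff reach anything; students reach the server VLAN only
    Rule("permit", VLANS["staff"], ANY),
    Rule("permit", VLANS["students"], VLANS["servers"]),
]


def evaluate(src: str, dst: str, proto: str, dport: Optional[int] = None,
             acl: List[Rule] = ACL) -> str:
    """First matching rule decides; anything unmatched is implicitly denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in acl:
        if (s in r.src and d in r.dst
                and (r.proto is None or r.proto == proto)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


def shadowed(acl: List[Rule] = ACL) -> List[int]:
    """Indices of rules that can never match because an earlier, broader
    rule already covers every packet they would match."""
    out = []
    for i, r in enumerate(acl):
        for e in acl[:i]:
            if (r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst)
                    and (e.proto is None or e.proto == r.proto)
                    and (e.dport is None or e.dport == r.dport)):
                out.append(i)
                break
    return out


def demo_shadowed() -> List[int]:
    """A deliberately mis-ordered constructed ACL: the permit sits behind a
    deny-all, so it is dead. Expected result: [1]."""
    bad = [Rule("deny", ANY, ANY), Rule("permit", VLANS["staff"], ANY)]
    return shadowed(bad)


if __name__ == "__main__":
    samples = [("10.99.0.5", "10.1.0.10", "tcp", 445),    # unauth -> DC: join
               ("10.50.0.9", "10.1.0.10", "tcp", 80),     # guest -> internal: no
               ("10.50.0.9", "203.0.113.9", "tcp", 443),  # guest -> internet: yes
               ("10.1.0.20", "10.30.0.255", "udp", 9),    # WOL host -> bcast: yes
               ("10.20.0.4", "10.30.0.255", "udp", 9)]    # staff -> bcast: no
    for pkt in samples:
        print(pkt, "->", evaluate(*pkt))
    print("shadowed rules in ACL:", shadowed())
```

    Rule order carries the policy: the two directed-broadcast rules sit before the broad staff permit, otherwise any staff machine could wake (or flood) the student subnet, and the three RFC 1918 denies sit before the guest permit-any. `shadowed()` only catches a rule that is fully covered by a single earlier rule, which is the common mistake; partial overlaps still need a human to read the list top to bottom.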


