
How to vlan a school when you don't know anything about vlans......

A little over a year ago a network engineer came in to set up a captive web portal for our BYOD WiFi. This post has nothing to do with BYOD directly; that's just what he was there to do. He asked me if I'd like him to check the health of our network. I agreed, he plugged his laptop into our network and fired up an application that I now know was Wireshark.

About 15 minutes later he pronounced our network to be 80% dead. This troubled me somewhat, and the engineer spent the next hour or so explaining all that was wrong with our network. In brief, we had a 'flat' network: every device was on the same IP address range, 192.168.x.x, and so in one broadcast domain. This, I learnt, was bad, because whenever one device needed to find another (an ARP request, a DHCP discover, a NetBIOS or mDNS name lookup) the request went to every device on our network, some 600 odd devices. This is broadcast traffic, and 80% of our network traffic was this.

The solution looked simple on the piece of paper he wrote it on: segment the network into several vlans (virtual local area networks), which talk to each other through a router. Devices on each vlan then have their own IP address range and only broadcast within that vlan rather than to the whole network. This gives better network performance and, with the right rules on the router, better security. The engineer then suggested that his company could help us do this for some fairly eye-watering sums of money!

We spent some time trying to forget the '80% dead' bit, as everything was working OK. However, the pressure to have more BYOD devices, and talk of a 1:1 Chromebook deployment, made us think about moving away from the flat network. So I got a couple of old Netgear switches, watched a few YouTube videos on how to vlan them and started to experiment.

One of the difficult things I found was that the terminology different switch manufacturers use varies quite a bit. However, here are a few key terms I came to know:

  • Trunk port - a port on a switch configured to carry more than one vlan. So a port might be configured as tagged on vlans 10, 20, 30 etc. Each vlan needs a number (its 802.1Q VLAN ID) to identify it, and this needs to be the same on all switches. Frames leaving a tagged port carry that number in an 802.1Q tag, which is how the switch at the other end knows which vlan each frame belongs to.
  • Untagged - the setting typically given to a port at the end of the line, so a client PC. A port might be configured as untagged on vlan 10. Frames leave that port without a tag, and whatever is plugged into it lands on vlan 10 without needing to know vlans exist.

So on a couple of switches I set up vlans (typically by going to the vlan option in the switch's web GUI and clicking 'add vlan'). Ports going to end users were set as untagged on vlan x (x being the vlan you want them on), and ports connecting switches were tagged on all the vlans you want them to carry.

On the test switches this all worked fine and was fairly easy. The question was how to route between vlans and how to provide DHCP to each vlan. The network engineer had suggested using a Layer 3 switch and a Windows DHCP server set up with multiple DHCP scopes. I looked up the price of layer 3 switches and found them to be around £2000+, a bit more than we had to spend. I then remembered we were running a ClearOS gateway server and it had some spare network interfaces. I'd read that ClearOS could act as a router, so thought to give it a go.

In essence, the ClearOS box runs ESXi 5.1 (the free version). It has 6 NICs. One goes to the internet. One fed the flat network its internet. The other four were unused. So in ESXi I added four new virtual NICs to the ClearOS VM. In ClearOS, I assigned IP addresses on new IP ranges to each of these NICs, a different range for each, and enabled DHCP on each one. This is pretty easy to do in the ClearOS web interface.

The physical NICs were plugged into our core switch and each port set untagged on the vlan that NIC was to feed (so each vlan gets its own physical NIC rather than one NIC tagged on all of them). So we ended up with 5 feeds into the network, each on a different vlan, with the ClearOS VM providing DHCP and routing between vlans. Routing is also where the firewall rules between vlans belong: if the router forwards freely between all of them, the broadcast traffic goes away but every device is as reachable as it was on the flat network, so vlans such as BYOD and the boilers should only be allowed to reach what they actually need. We also created a separate vlan for some boilers. So in total we now have six vlans:
  • Servers
  • Staff PCs
  • Student PCs
  • BYOD
  • Chromebooks
  • Boilers
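
As an added example, not from the original post and not what the ClearOS web interface produces, here is the command-line equivalent on any Linux router of the per-vlan routing described above, with one difference: instead of one physical NIC per vlan, a single NIC (assumed to be called eth1) is plugged into a tagged port on the core switch and split into 802.1Q sub-interfaces, and the forward chain is default-drop so that only listed flows cross between vlans or out to the internet (assumed interface eth0). The VLAN IDs, subnets, interface names and allowed flows are invented for illustration. The script checks the plan for bad or duplicate VLAN IDs and overlapping subnets, then prints the ip commands and the nftables ruleset; it does not apply them.

```python
"""Plan a per-VLAN Linux router with a default-deny policy between VLANs.

Added example, not from the original post. The post used one ClearOS NIC
per VLAN on untagged switch ports; this shows the alternative of one NIC
(assumed: eth1) on a tagged port, split into 802.1Q sub-interfaces, plus
an nftables forward chain that drops everything not explicitly allowed.
All VLAN IDs, subnets, interface names and flows below are invented.
"""
from __future__ import annotations

import ipaddress

TRUNK_NIC = "eth1"  # assumed: router port that the core switch tags on all VLANs
WAN_NIC = "eth0"    # assumed: interface facing the internet

# vlan name -> (802.1Q VLAN ID, subnet); the router takes the first host address
VLANS = {
    "servers":     (10, "10.10.10.0/24"),
    "staff":       (20, "10.10.20.0/24"),
    "students":    (30, "10.10.30.0/24"),
    "byod":        (40, "10.10.40.0/22"),
    "chromebooks": (50, "10.10.50.0/23"),
    "boilers":     (60, "10.10.60.0/28"),
}

# flows the router forwards: (source vlan, destination vlan or "internet", proto, port)
# anything not listed is dropped; note BYOD never reaches the servers or the boilers
ALLOWED = [
    ("staff",       "servers",  "tcp", 445),
    ("students",    "servers",  "tcp", 445),
    ("chromebooks", "servers",  "tcp", 443),
    ("staff",       "boilers",  "tcp", 443),
    ("staff",       "internet", None,  None),
    ("students",    "internet", None,  None),
    ("byod",        "internet", None,  None),
    ("chromebooks", "internet", None,  None),
]


def validate(vlans: dict) -> list[str]:
    """Return the problems in a plan: bad or duplicate VLAN IDs, overlapping subnets."""
    problems, seen_ids, nets = [], {}, []
    for name, (vid, cidr) in vlans.items():
        if not 1 <= vid <= 4094:
            problems.append(f"{name}: VLAN id {vid} outside 1-4094")
        if vid in seen_ids:
            problems.append(f"{name}: VLAN id {vid} already used by {seen_ids[vid]}")
        seen_ids[vid] = name
        net = ipaddress.ip_network(cidr, strict=True)  # raises if host bits are set
        for other_name, other in nets:
            if net.overlaps(other):
                problems.append(f"{name} {net} overlaps {other_name} {other}")
        nets.append((name, net))
    return problems


def gateway(cidr: str) -> str:
    """First usable address of the subnet, used as the router's address on that VLAN."""
    return str(next(ipaddress.ip_network(cidr).hosts()))


def subif(vlans: dict, name: str, nic: str = TRUNK_NIC) -> str:
    """Sub-interface name for a VLAN, e.g. eth1.10."""
    return f"{nic}.{vlans[name][0]}"


def interface_commands(vlans: dict, nic: str = TRUNK_NIC) -> list[str]:
    """iproute2 commands that create one tagged sub-interface per VLAN."""
    cmds = ["sysctl -w net.ipv4.ip_forward=1"]
    for name, (vid, cidr) in vlans.items():
        dev = subif(vlans, name, nic)
        plen = ipaddress.ip_network(cidr).prefixlen
        cmds += [
            f"ip link add link {nic} name {dev} type vlan id {vid}",
            f"ip addr add {gateway(cidr)}/{plen} dev {dev}",
            f"ip link set {dev} up",
        ]
    return cmds


def nft_ruleset(vlans: dict, allowed: list, nic: str = TRUNK_NIC, wan: str = WAN_NIC) -> str:
    """nftables forward chain: policy drop, replies allowed, then only the listed flows."""
    lines = [
        "table inet intervlan {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for src, dst, proto, port in allowed:
        oif = wan if dst == "internet" else subif(vlans, dst, nic)
        match = f" {proto} dport {port}" if proto else ""
        lines.append(f'    iifname "{subif(vlans, src, nic)}" oifname "{oif}"{match} accept')
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    problems = validate(VLANS)
    if problems:
        raise SystemExit("\n".join(problems))
    print("\n".join(interface_commands(VLANS)))
    print(nft_ruleset(VLANS, ALLOWED))
```

The forward chain is the point: with `policy drop` the boiler vlan is reachable only from the staff vlan on one port, and BYOD can reach the internet and nothing else. DHCP is not shown; each sub-interface would get its own scope in whatever DHCP server you run, exactly as each ClearOS NIC did in the setup above.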

We may add a few more in time. It has meant buying some new switches and reconfiguring every switch, but it does work and was done with minimal disruption during school time. Some PCs needed a reboot to pick up a new IP address; that's about it.

This is an overview of what we did (the diagram from the original post is not reproduced here):

We use Aerohive APs, and these had to be set so that each SSID ran on a different vlan (with the switch port feeding each AP tagged on all of those vlans).

So at the end of the day, we spent a little over £1000 on new switches and did the work over 2 months, largely in term time. We have probably broken all sorts of networking rules, but it works and that's what counts I guess.

If someone tells you your network is 80% dead, don't despair: just watch a few YouTube videos on how to configure switches and away you go......

Wireshark now shows us less than 1% broadcast traffic.
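
A way to reproduce that measurement yourself, as an added example that is not part of the original post: this Python script (standard library only) reads a classic pcap captured with tcpdump or Wireshark on a switch port, classes each Ethernet frame as broadcast, multicast or unicast from its destination MAC, and, where the port is a tagged trunk, decodes the 802.1Q tag described under 'Trunk port' above so the share is reported per VLAN ID. The capture built at the bottom is constructed inline for illustration; pass a file path on the command line to analyse a real one.

```python
"""Broadcast share of a pcap capture, reported per 802.1Q VLAN.

Added example, not from the original post. Standard library only; the
capture at the bottom is constructed inline and is not a real trace.
"""
from __future__ import annotations

import struct
import sys
from collections import defaultdict

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
PCAP_MAGIC_NS = 0xA1B23C4D   # nanosecond-timestamp variant
LINKTYPE_ETHERNET = 1
ETHERTYPE_8021Q = 0x8100
ETH_BROADCAST = b"\xff" * 6


def classify_frame(frame: bytes) -> tuple[str, int | None]:
    """Return ('broadcast'|'multicast'|'unicast', vlan_id) for one Ethernet frame.

    vlan_id is the 12-bit VID from the 802.1Q tag if the frame is tagged, else
    None: untagged frames belong to the port's untagged VLAN, which the capture
    itself does not record.
    """
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst = frame[:6]
    if dst == ETH_BROADCAST:
        kind = "broadcast"
    elif dst[0] & 0x01:          # I/G bit set: a group (multicast) address
        kind = "multicast"
    else:
        kind = "unicast"
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan_id = None
    if ethertype == ETHERTYPE_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        (tci,) = struct.unpack("!H", frame[14:16])
        vlan_id = tci & 0x0FFF   # top 4 bits are PCP/DEI, low 12 are the VID
    return kind, vlan_id


def iter_pcap_frames(data: bytes):
    """Yield the captured bytes of each record in a classic pcap (not pcapng)."""
    for endian in ("<", ">"):    # the magic number reveals the writer's byte order
        (magic,) = struct.unpack(endian + "I", data[:4])
        if magic in (PCAP_MAGIC, PCAP_MAGIC_NS):
            break
    else:
        raise ValueError("unrecognised pcap magic (pcapng is not handled here)")
    (linktype,) = struct.unpack(endian + "I", data[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError(f"link type {linktype} is not Ethernet")
    off = 24
    while off + 16 <= len(data):
        _sec, _frac, incl_len, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def broadcast_share(data: bytes) -> dict:
    """Per-VLAN counts of each frame kind plus the overall broadcast percentage."""
    per_vlan = defaultdict(lambda: {"broadcast": 0, "multicast": 0, "unicast": 0})
    total = bcast = 0
    for frame in iter_pcap_frames(data):
        kind, vid = classify_frame(frame)
        per_vlan[vid][kind] += 1
        total += 1
        if kind == "broadcast":
            bcast += 1
    return {"per_vlan": dict(per_vlan), "total": total,
            "broadcast_pct": 100.0 * bcast / total if total else 0.0}


def make_frame(dst: bytes, vlan: int | None, ethertype: int) -> bytes:
    """Minimal padded Ethernet frame, 802.1Q-tagged if vlan is given. Sample data only."""
    hdr = dst + bytes.fromhex("001122334455")              # dst MAC, src MAC
    if vlan is not None:
        hdr += struct.pack("!HH", ETHERTYPE_8021Q, vlan)    # TPID, TCI with PCP/DEI = 0
    return hdr + struct.pack("!H", ethertype) + b"\x00" * 46


def build_pcap(frames: list[bytes]) -> bytes:
    """Wrap frames in a little-endian classic pcap file. Sample data only."""
    out = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, f in enumerate(frames):
        out += struct.pack("<IIII", 1_700_000_000 + i, 0, len(f), len(f)) + f
    return out


SAMPLE_PCAP = build_pcap([                                  # constructed, not a real capture
    make_frame(ETH_BROADCAST, 10, 0x0806),                   # ARP request on VLAN 10
    make_frame(ETH_BROADCAST, 10, 0x0806),
    make_frame(bytes.fromhex("0a0b0c0d0e0f"), 10, 0x0800),   # unicast IPv4 on VLAN 10
    make_frame(bytes.fromhex("01005e000001"), 20, 0x0800),   # IPv4 multicast on VLAN 20
    make_frame(bytes.fromhex("0a0b0c0d0e10"), 20, 0x0800),
    make_frame(ETH_BROADCAST, None, 0x0806),                 # untagged ARP broadcast
])

if __name__ == "__main__":   # give a pcap path to analyse a real capture
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PCAP
    print(broadcast_share(data))
```

Capture on a tagged uplink (a SPAN/mirror of the trunk is simplest) to get the per-VLAN breakdown; a capture on an untagged access port only ever shows that port's own vlan, which comes out under the None key.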