School network design

13K views 7 replies 3 participants last post by  2xg  
#1 ·
Hello!
I am a newbie in networking and I am currently working on a private school network design (wired and wireless combined).

I would like to get some feedback on whether what I am doing is correct, or at least reasonable.

Boarding school (including student dorms). 100 students, 25 employees. Hardware: mainly Cisco (Catalyst 3550, 3500, 2900, 2950). Core switch (layer 3), others layer 2.

VLANs: management (64 IP hosts), employees (64 IP hosts), students (512), guests (256).
Management VLAN 1: Network: 192.168.1.192/26; Hosts: 192.168.1.193 - 254 (62)
Guests VLAN 2: Network: 192.168.2.0/24; Hosts: 192.168.2.1 - 254 (254)
Employees VLAN 3: Network: 192.168.3.192/26; Hosts: 192.168.3.193 - 254 (62)
Students VLAN 4: Network: 192.168.4.0/23; Hosts: 192.168.4.1 - 5.254 (510)
(attached diagram: Network.jpg)
1. Can I just take an IP address like that and start to subnet my network (like I did above)?
2. Should I put a switch between the core switch and the server/wireless controller?
3. How does the wired network identify who is using it (teacher, student or guest)? In wireless they log in with their SSID, but what about classroom/library wired outlets?
4. Could I use the software-based Cisco built-in firewall as well, or is a separate firewall box more worthwhile?
5. What would be the easiest tools to manage a small network?
6. We have one school server (Windows Server 2012) with a database and shared storage (using SMB). What would be a smart backup system for that?

I am very thankful for help and any advice :)

#2 · (Edited)
First glaring issue I'd recommend changing: VLAN 1 used for management. Get rid of it, change it to something else... like, say, VLAN 999. Either way, avoid using VLAN 1, as any ports on the switch will by default belong in VLAN 1 unless otherwise specified.

As a malicious actor, I could easily negotiate a connection to one of the access switches, and then I can potentially manage your devices, as I will be in the management VLAN.

Another note, consider what switch will be the root for your spanning-tree. This will have significant impact on your switched traffic flows and a wrong placement of the root bridge can result in an unstable network.

1. Can I just take an IP address like that and start to subnet my network (like I did above)?
Your IP addressing scheme is a weird one... it's discontiguous. Was this part of the design?

2. Should I put a switch between the core switch and the server/wireless controller?
As it stands you currently have a single point of failure in the network: should the core switch fail, then connectivity to the server, WLC and internet is severed. If high availability is of concern then you might want to change this design.

A collapsed core design might be something worth looking at. As an example, consider the following:

(attached example diagram)

Use it as an example; ignore the details in the boxes but focus on how the switches are interconnected. Every access switch should have multiple uplinks to the distribution switches.

Also, try and AVOID putting links between access switches (Where the end users plug into). This makes policy enforcement difficult and may affect your flexibility in traffic engineering. You want north to south traffic flows as opposed to west to east traffic flows. :wink:

3. How does the wired network identify who is using it (teacher, student or guest)? In wireless they log in with their SSID, but what about classroom/library wired outlets?
Well, from an IP addressing and networking perspective it won't know. Ideally you would put the library in a separate VLAN and IP subnet. Policy enforcement at that level would typically be done on your server through Active Directory and Group Policy enforcement.

4. Could I use the software-based Cisco built-in firewall as well, or is a separate firewall box more worthwhile?
You could, but I would advise a hardware-based appliance as it will offer better network performance. If you enforce both then that is even better, as the failure of one firewall won't leave your network open for attacks.

5. What would be the easiest tools to manage a small network?
SNMP!!!!! Look into SNMP and management tools that you can use. SolarWinds and PRTG are good ones that I have personally used, but others do exist :)

6. We have one school server (Windows Server 2012) with a database and shared storage (using SMB). What would be a smart backup system for that?
From a system perspective, add another physical server. From an SMB perspective, do you have RAID running at all? Equally, if you have some form of SAN infrastructure then SCSI might be worth looking into for data centre resiliency.

Hope This Helps,
Josh :smile:
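Josh's first point (management on VLAN 1, and ports that fall into VLAN 1 or negotiate trunking by default) is the kind of thing you can check mechanically before a switch goes live. The following is an added example, not code from this thread or from Josh: a small Python audit run over a constructed Catalyst-style running-config. The hostname, interface names, addresses and the use of VLAN 999 as native VLAN are assumptions for the sample; the checks themselves are the three exposures the post describes.

```python
"""Flag VLAN 1 exposure in a Catalyst-style running-config (added example, constructed input)."""

# Constructed sample config; it mirrors the original plan's management SVI on VLAN 1
# plus a mix of well- and badly-configured edge and uplink ports.
SAMPLE_CONFIG = """\
hostname access-1
!
interface Vlan1
 ip address 192.168.1.200 255.255.255.192
 no shutdown
!
interface FastEthernet0/1
 description classroom outlet
 switchport mode access
!
interface FastEthernet0/2
 description classroom outlet
 switchport access vlan 4
 switchport mode access
!
interface FastEthernet0/3
 description library outlet
!
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
!
interface GigabitEthernet0/2
 description uplink to core
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
!
"""

MGMT_ON_VLAN1 = "management SVI lives on VLAN 1"
DTP_OPEN = "trunking mode not pinned (DTP negotiation possible)"
DEFAULT_VLAN1 = "access port defaults to VLAN 1"
NATIVE_VLAN1 = "trunk native VLAN is 1 (untagged frames land in VLAN 1)"


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [indented config lines under it]}."""
    sections, current = {}, None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(" ", 1)[1]
            sections[current] = []
        elif line.startswith(" ") and current is not None:
            sections[current].append(line.strip())
        else:
            current = None  # "!" or a global command ends the interface section
    return sections


def vlan1_findings(config: str) -> list:
    """List (interface, issue) pairs for every way VLAN 1 is still in play."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        if name.lower() == "vlan1" and any(l.startswith("ip address") for l in lines):
            findings.append((name, MGMT_ON_VLAN1))
            continue
        if name.lower().startswith("vlan") or "no switchport" in lines:
            continue  # other SVIs and routed ports carry no access/trunk VLAN
        modes = [l for l in lines if l.startswith("switchport mode ")]
        mode = modes[-1].split()[2] if modes else None
        if mode is None or mode == "dynamic":
            findings.append((name, DTP_OPEN))
        if mode != "trunk" and not any(l.startswith("switchport access vlan ") for l in lines):
            findings.append((name, DEFAULT_VLAN1))
        if mode == "trunk" and not any(l.startswith("switchport trunk native vlan ") for l in lines):
            findings.append((name, NATIVE_VLAN1))
    return findings


if __name__ == "__main__":
    for interface, issue in vlan1_findings(SAMPLE_CONFIG):
        print(f"{interface}: {issue}")
```

In the sample only GigabitEthernet0/2 comes out clean: it has an explicit mode, an explicit native VLAN and negotiation disabled. FastEthernet0/2 is fine as an edge port because it has been assigned VLAN 4 explicitly; everything else is reported for one of the three reasons Josh gives.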
 
#3 ·
Thank you very much for such a good answer and advice Josh :)

1. What do you mean by the IP schema "it's dis-contiguous"? This was not part of the design; I tried to create it myself. So, what would be a better solution? Right now I can make changes as I like. I was trying to do it according to the hosts' needs. I picked just a random address and started.... As far as I know, I can choose addresses inside the school network from any range, or not?

2. I made a new network design. Is this better? But I do not understand SPF in one point: if the core switch is down (the one that is connected to the internet), then the internet is gone everywhere. So, I would understand starting with two core switches... that makes more sense to me. But yeah, about the server and the lower part of the design, I agree totally.

3. Most of the students and guests use their own laptops. So, if I were a guest teacher and plugged the cable into an outlet in the classroom, I would like to get access to the internet straight away, but as network admin, I would like the guest to be in the guest VLAN. How is that done? The main worry is how to identify, in the wired network, a person with his own laptop wherever in the school he plugs the computer in. AD, as I understand, is used mainly with computers that are stationary or belong to the employer?

#4 ·
1. What do you mean by the IP schema "it's dis-contiguous"? This was not part of the design; I tried to create it myself. So, what would be a better solution? Right now I can make changes as I like. I was trying to do it according to the hosts' needs. I picked just a random address and started.... As far as I know, I can choose addresses inside the school network from any range, or not?
Your address type is fine; 192.168.0.0/16 is part of the RFC 1918 private address range. What I mean is that you have subnetted down the address ranges yet have left gaps in the addressing scheme, which defeats the purpose of subnetting it.

For example:

192.168.1.192/26 - Management VLAN. Yes that works but what about 192.168.1.0 - 191? You haven't allocated that range anywhere?

A similar case with the employees VLAN.

192.168.3.192/26

What about 192.168.3.0 - 191?

As far as the addressing scheme is concerned you could've just assigned a /24 to everyone and it would've made no difference :wink:

Ideally you want subnets next to each other for summarisation purposes, for example,

Management - 192.168.1.0/26
Employees - 192.168.1.64/26
... etc

2. I made a new network design. Is this better? But I do not understand SPF in one point: if the core switch is down (the one that is connected to the internet), then the internet is gone everywhere. So, I would understand starting with two core switches... that makes more sense to me. But yeah, about the server and the lower part of the design, I agree totally.
Looks much better! You have a clear point of policy application and appropriate redundancy. In order to access some resource, each client shouldn't have to travel more than 2 hops to get it. Remember, make sure to keep the core switches as the STP root, otherwise you will end up with poor traffic flows.

3. Most of the students and guests use their own laptops. So, if I were a guest teacher and plugged the cable into an outlet in the classroom, I would like to get access to the internet straight away, but as network admin, I would like the guest to be in the guest VLAN. How is that done? The main worry is how to identify, in the wired network, a person with his own laptop wherever in the school he plugs the computer in. AD, as I understand, is used mainly with computers that are stationary or belong to the employer?
You can't, not at the network level; an end host is an end host, regardless of whether it is a guest or an authorised machine.

Typically, VLAN designs are implemented based on physical locations rather than groupings of devices. You could assign the port to the guest VLAN in the classrooms and therefore make them part of the same network as the wireless devices. The only issue is that you may not want to plug a managed machine into that port, as it could be attacked by any guests. Private VLANs might resolve this issue, but it will begin to complicate the design...

Ideally, you would have a managed machine in each classroom and then provide the guest teacher a guest user account. This way your policy enforcement is done via AD instead of bending the limited powers of VLANs to resolve this issue.

Hope This Helps,
Josh :smile:
 
#5 ·
The IP schema could be something like this:
Management VLAN 666: Network: 192.168.1.0/26; Hosts: 192.168.1.1 - 62 (62 usable hosts)
Employees VLAN 333: Network: 192.168.1.64/26; Hosts: 192.168.1.65 - 126 (62)
Guests VLAN 222: Network: 192.168.1.128/25; Hosts: 192.168.1.129 - 254 (126)
Students VLAN 444: Network: 192.168.2.0/23; Hosts: 192.168.2.1 - 3.254 (510)
I think now it seems better :)

VLANs: now I am a little bit confused :-( The Cisco CCNA study guide says: VLANs enable you to group users into a common broadcast domain regardless of their physical location in the internetwork. Does that mean that if I have two floors in the school and I want to put the students from the second floor together with those from the first floor, I can put them into the same students VLAN? Currently we have only one floor. So, I would make all the outlets in classrooms/library part of the students VLAN, the employees' room outlets part of the employees VLAN, and the guest VLAN is used for guests when they use wireless (or if the guest teacher plugs the cable in in the classroom, then he is using the students VLAN). Additionally, I think I would need to create a student dorms VLAN, because I think it should be separated from the school students VLAN (regardless of the fact that it is in the same building: 33 student rooms with 2 Ethernet outlets each, all together 66 + 5 wireless APs). Or should I put the dorms in the students VLAN?

Calculating the needed switches and ports, I made a drawing, and as I understand it, every access switch needs 48 ports and the distribution/core switches 24 ports?
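Josh's "dis-contiguous" remark in post #4 and the revised schema in post #5 can both be checked rather than eyeballed. The following is an added example, not code from this thread or from Josh: a Python audit using the standard-library `ipaddress` module that takes the two plans exactly as the thread lists them (constructed input, copied from posts #1 and #5), reports usable hosts per VLAN, any overlaps, the unallocated ranges inside the smallest block that would cover the whole plan as one summary route, the gaps sitting between allocations (the thing post #4 objects to), and the prefixes the plan collapses to. It generalises the post's two hand-worked cases to any plan expressed as name-to-CIDR pairs.

```python
"""Audit a VLAN/subnet plan for overlaps, unallocated gaps and summarisability (added example)."""
from ipaddress import IPv4Address, IPv4Network, collapse_addresses

# Constructed from the thread: the first plan (post #1) and the revised plan (post #5).
ORIGINAL_PLAN = {
    "Management": "192.168.1.192/26",
    "Guests": "192.168.2.0/24",
    "Employees": "192.168.3.192/26",
    "Students": "192.168.4.0/23",
}
REVISED_PLAN = {
    "Management": "192.168.1.0/26",
    "Employees": "192.168.1.64/26",
    "Guests": "192.168.1.128/25",
    "Students": "192.168.2.0/23",
}


def usable_hosts(net: IPv4Network) -> int:
    """Usable host addresses: network and broadcast excluded for prefixes shorter than /31."""
    return net.num_addresses - 2 if net.prefixlen < 31 else net.num_addresses


def enclosing_supernet(nets) -> IPv4Network:
    """Smallest single prefix covering every network in the plan (what one summary route needs)."""
    block = min(nets)
    last = max(n.broadcast_address for n in nets)
    while last not in block:
        block = block.supernet()
    return block


def audit_plan(plan: dict) -> dict:
    nets = {name: IPv4Network(cidr) for name, cidr in plan.items()}
    ordered = sorted(nets.values())

    overlaps = [(str(a), str(b))
                for i, a in enumerate(ordered)
                for b in ordered[i + 1:] if a.overlaps(b)]

    # Walk the summary block and record every range not assigned to any VLAN.
    block = enclosing_supernet(ordered)
    unallocated, cursor = [], int(block.network_address)
    for net in ordered:
        if int(net.network_address) > cursor:
            unallocated.append((str(IPv4Address(cursor)), str(net.network_address - 1)))
        cursor = max(cursor, int(net.broadcast_address) + 1)
    if cursor <= int(block.broadcast_address):
        unallocated.append((str(IPv4Address(cursor)), str(block.broadcast_address)))

    # "Dis-contiguous" in post #4's sense: unused space sitting *between* allocations.
    lo, hi = ordered[0].network_address, ordered[-1].broadcast_address
    gaps_between = [(s, e) for s, e in unallocated if lo < IPv4Address(s) < hi]

    return {
        "usable_hosts": {name: usable_hosts(net) for name, net in nets.items()},
        "overlaps": overlaps,
        "unallocated": unallocated,
        "gaps_between": gaps_between,
        "summary_prefixes": [str(p) for p in collapse_addresses(ordered)],
        "summary_route": str(block),
    }


if __name__ == "__main__":
    for label, plan in (("original", ORIGINAL_PLAN), ("revised", REVISED_PLAN)):
        print(f"== {label} plan ==")
        for key, value in audit_plan(plan).items():
            print(f"  {key}: {value}")
```

For the original plan the audit reports the 192.168.3.0 - 191 hole between allocations that post #4 calls out, and shows that covering the plan with one summary would take 192.168.0.0/21 with most of it unused. The revised plan has no gaps between allocations, collapses to two prefixes (192.168.1.0/24 and 192.168.2.0/23) and fits in 192.168.0.0/22, with only 192.168.0.0/24 left spare for future use.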

#6 ·
IP addressing looks good to me! :wink:

As for VLANs, the reason you would assign them per physical requirements is to avoid the scalability issue of large broadcast domains. For example, at the moment having all the student computers in the same VLAN is alright, but what happens when the school grows to 1000+ student computers.... Put them in the same VLAN and you will end up with an unusable and congested network.

Equally, you need to think about where your boundary between layer 3 and layer 2 is. VLANs can only be spread across trunks. If there are layer 3 connections in the path then VLANs cannot be spread across them. For example, consider the following enterprise template...

(attached enterprise template diagram)

In this case the network is set up so that the distribution layer terminates the layer 2 connection and the core of the network runs layer 3 routed infrastructure. This is because layer 3 convergence via a routing protocol is much more deterministic and faster than layer 2 convergence via STP. Now, the issue is that VLAN 10 in one section will not be in the same network as VLAN 10 in the other switch block, as it will need to traverse a layer 3 boundary.

This makes VLAN designs typically based around physical location, for example:

Vlan 2 - Classroom 1
Vlan 3 - Classroom 2
Vlan 4 - Classroom 3
... etc

Student accommodation should be in a separate VLAN. As far as the network is concerned you should classify them as guests to the network.

48 ports at the access is the best; for the core you could have 24 ports, but remember, scalability. Each time you add a new access switch you will be consuming one additional port in the core. What happens when all 24 ports are used up?

Hope This Helps,
Josh :smile:
 
#7 ·
Again Josh, thank you very much for explanations :) They are really good and helpful.

Just one issue about the VLANs. As I have read on the internet and understood, a VLAN should also have some number of hosts, not only 10. If I created a VLAN for every classroom, then I would have only 10 hosts, maybe. I was thinking of creating one VLAN for the classrooms (vlan-students; there are only 6 rooms, each with 10 outlets). Is that a bad idea? For employees, they have one area but various small rooms (15 outlets all together; this would be the employees VLAN).

What about the wireless network and combining it with the LAN (VLANs)? I do not know much about that either. But what I do know is that most of the users are actually gonna use the wireless network; most of the traffic is going to be through wireless. For that I would create 3 SSIDs (students, employees, guests). Also, it is important that wherever the student is in the school, they would be able to connect to wireless and not be disconnected while moving from one place to another (roaming). Right now there is no VLAN planned for wireless. Should I do that? And if yes, then why?

Do I understand this DHCP part correctly: when I am a student in a classroom and plug my own computer into the wired network (through an outlet), I will get a dynamic IP from the school server which has DHCP enabled, and when I log in to wireless, the radio (with built-in DHCP or the wireless controller) will give me an IP from the scope I configured. And the scope is from the same subnets as the students VLAN, employees VLAN... depending on the SSID I log in to.
Are there any other ways to use DHCP on this network?
Right now I have planned 21 radios all over the school for wireless communication. Are there any rules or common mistakes I should avoid?

#8 ·
Hi kooba3, :wave:

Josh (Shadowjk) has been kind enough to give you plenty of insights regarding your school project; unfortunately, due to our Forum Rules this is all we can provide you, as TSF usually does not allow us to provide educational assistance.

This Thread is now closed, sorry....