This here’s a machine-translated text that might contain errors!
Now, picture a school network where students, teachers, administration, and IoT gadgets (printers, smart boards, cameras) all share the same network. Everyone can see each other, in theory. It ain’t secure nor efficient. The fix is segmentin’.
Why Segment, Partner?
Segmentin’ means splittin’ yer network into smaller pieces. Each piece is kept separate from the others, so traffic don’t just wander freely between ‘em.
| Benefit | Explanation |
|---|---|
| Security | A compromised IoT camera can’t reach the servers |
| Performance | Less broadcast traffic per segment |
| Control | Different rules for different groups of folks |
| Troubleshooting | Easier to isolate problems to a specific segment |
A Practical Example
In a school, the network might look like this:
- VLAN 10: Administration - Payroll, HR, management. Strictly limited access.
- VLAN 20: Staff - Teachers and other employees. Access to shared folders and printers.
- VLAN 30: Students - Internet access and learning platforms only.
- VLAN 40: IoT - Printers, smart screens, cameras. No internet access (or very limited).
- VLAN 50: Servers - Internal servers, inaccessible directly from other VLANs.
What in tarnation is a VLAN?
VLAN stands for Virtual Local Area Network. It’s a way to build a bunch of logical networks on the same physical switch. Instead of buyin’ a separate switch for each network, ya configure the switch to treat different ports (or traffic) like they’re separate networks.
Each VLAN has its own address range (subnet):
| VLAN | Name | Subnet | Gateway |
|---|---|---|---|
| 10 | Administration | 10.0.10.0/24 | 10.0.10.1 |
| 20 | Employees | 10.0.20.0/24 | 10.0.20.1 |
| 30 | Students | 10.0.30.0/24 | 10.0.30.1 |
| 40 | IoT | 10.0.40.0/24 | 10.0.40.1 |
| 50 | Servers | 10.0.50.0/24 | 10.0.50.1 |
Subnetting Briefly Explained
/24 means the first 24 bits are the network portion of the address. In practice, that means you have 254 available addresses (.1 to .254) in each VLAN.
- 10.0.10.0/24 gives addresses from 10.0.10.1 to 10.0.10.254
- The gateway is usually the first address (.1)
Tagged vs. Untagged Traffic
Fer VLANs ta work across multiple switches (or between a switch an’ a router), we use taggin’:
| Type | Explanation | Use |
|---|---|---|
| Untagged (access) | The port belongs ta one VLAN. The device don’t know ‘bout VLANs. | PCs, printers, phones |
| Tagged (trunk) | The port carries traffic from multiple VLANs, marked with the VLAN ID. | Between switches, towards routers |
Devices like PCs an’ printers don’t need ta know they’re on a VLAN. They’re connected ta an “access” port that’s assigned the right VLAN. The connection between two switches or between a switch an’ a router uses a “trunk” port that carries all the VLANs.
Task 1 - Seein’ VLANs in Action
If ya got access to UniFi or some other network management platform at school:
- Take a gander at which VLANs are configured.
- Which ports are set as access, and which are trunk?
- Try and figure out which VLAN yer PC is hooked up to (hint: check yer IP address and compare it to the subnet table).
Firewall Rules Between VLANs
Creatin’ VLANs is only half the work. Without firewall rules, traffic can still flow between ‘em through the router/gateway. Ya gotta explicitly decide what’s allowed:
| From (source) | To (destination) | Allowed? | Reason |
|---|---|---|---|
| Students | Internet | ✅ Yes | Needed for teachin’ |
| Students | Servers | ❌ No | Students don’t need access to servers |
| Staff | Servers | ✅ Yes | File storage and internal systems |
| IoT | Internet | ❌ No (or limited) | IoT devices rarely need the internet |
| IoT | Students/Staff | ❌ No | IoT should be isolated |
| Servers | All | ✅ Yes (outgoing) | Servers can respond to requests |
Standard: block everything, allow what ya need
A good firewall policy starts with blockin’ all traffic between VLANs, and then only openin’ what’s necessary. That’s a whole lot safer than startin’ with everything open and tryin’ to block what ya don’t want.
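The rule table above and the "block everything, allow what ya need" principle, as an added example that is not part of the original text: a small first-match, default-deny policy evaluator in Python. The VLAN subnets and rules come from the tables in this text; the IP addresses in the demonstration are constructed, "Internet" means any address outside every VLAN, and the "limited" option for IoT to Internet is modelled as a plain deny.

```python
import ipaddress

# Added example (not from the original text): a first-match, default-deny
# evaluator for traffic between the VLANs described in this text.
VLANS = {
    "Administration": ipaddress.ip_network("10.0.10.0/24"),
    "Staff":          ipaddress.ip_network("10.0.20.0/24"),
    "Students":       ipaddress.ip_network("10.0.30.0/24"),
    "IoT":            ipaddress.ip_network("10.0.40.0/24"),
    "Servers":        ipaddress.ip_network("10.0.50.0/24"),
}

# The rule table from the text as (source zone, destination zone, action).
# "*" matches any destination. Anything not matched falls through to deny.
RULES = [
    ("Students", "Internet", "allow"),
    ("Students", "Servers",  "deny"),    # redundant under default deny, kept for clarity
    ("Staff",    "Servers",  "allow"),
    ("IoT",      "Internet", "deny"),    # the text's "limited" option is modelled as deny
    ("IoT",      "Students", "deny"),
    ("IoT",      "Staff",    "deny"),
    ("Servers",  "*",        "allow"),   # outgoing from servers
]

def zone_of(ip: str) -> str:
    """Map an address to its VLAN name (the Task 1 hint); 'Internet' if in no VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "Internet"

def decide(src_ip: str, dst_ip: str) -> str:
    """Return 'allow' or 'deny' for a new connection from src_ip to dst_ip."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return "allow"                   # same VLAN: switched locally, never hits the gateway
    for rule_src, rule_dst, action in RULES:
        if rule_src == src and rule_dst in (dst, "*"):
            return action                # first matching rule wins
    return "deny"                        # implicit default: block everything else

if __name__ == "__main__":
    # Constructed sample flows; the last two are not in the table and hit the default.
    flows = [("10.0.30.15", "8.8.8.8"), ("10.0.30.15", "10.0.50.10"),
             ("10.0.20.7", "10.0.50.10"), ("10.0.40.3", "1.1.1.1"),
             ("10.0.50.10", "10.0.30.15"), ("10.0.30.15", "10.0.10.5"),
             ("198.51.100.4", "10.0.50.10")]
    for s, d in flows:
        print(f"{s:>14} ({zone_of(s):<8}) -> {d:<12} ({zone_of(d):<8}): {decide(s, d)}")
```

Note that the explicit "No" rows of the table never change the outcome: with an implicit deny at the end, only the allow rows matter, which is why the order and the final default are what to check when reviewing a policy.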
Subnetting
Every VLAN needs its own subnet. A subnet defines the address range for the network:
| Subnet | Network Mask | Number of Addresses | Typical Use |
|---|---|---|---|
| /24 | 255.255.255.0 | 254 | Most VLANs |
| /25 | 255.255.255.128 | 126 | Smaller segment |
| /16 | 255.255.0.0 | 65,534 | Large networks |
Task 2 - Figure Out a Subnet
Use an online subnet calculator, like subnet-calculator.com:
- Enter 192.168.1.0 with mask /24. How many addresses do ya get?
- What happens if ya change it to /25? Or /23?
- What would ya pick for a classroom with 30 students?
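Subnet arithmetic for the prefixes in the tables above and the Task 2 inputs, as an added example that is not part of the original text. It uses Python's standard ipaddress module; the convention that the gateway is the first usable address follows the text, and the classroom sizing function assumes one address is reserved for that gateway.

```python
import ipaddress

# Added example (not from the original text): subnet arithmetic with the
# standard ipaddress module. Convention from the text: gateway = first usable host.

def describe_subnet(cidr: str) -> dict:
    """Network, mask, usable host count, usable range and gateway for a CIDR block."""
    net = ipaddress.ip_network(cidr, strict=False)   # strict=False: accept host bits set
    if net.prefixlen > 30:
        raise ValueError("/31 and /32 have no conventional host range")
    first = net.network_address + 1                  # the network address itself is not usable
    last = net.broadcast_address - 1                 # the broadcast address is not usable
    return {
        "network": str(net.network_address),
        "mask": str(net.netmask),                    # /24 -> 255.255.255.0
        "usable": net.num_addresses - 2,             # /24 -> 254, /25 -> 126, /23 -> 510
        "first": str(first),
        "last": str(last),
        "gateway": str(first),                       # the .1 convention from the text
    }

def smallest_prefix_for(hosts: int, reserved: int = 1) -> int:
    """Longest prefix (smallest block) whose usable addresses fit `hosts` devices
    plus `reserved` addresses (assumption: one reserved for the gateway)."""
    needed = hosts + reserved
    for prefix in range(30, 7, -1):                  # from /30 (2 usable) down to /8
        if 2 ** (32 - prefix) - 2 >= needed:         # usable = 2^(32-p) - 2
            return prefix
    raise ValueError("too many hosts for a single IPv4 subnet")

if __name__ == "__main__":
    # The VLAN plan from the text, plus the Task 2 inputs.
    for cidr in ["10.0.10.0/24", "10.0.30.0/24", "192.168.1.0/24",
                 "192.168.1.0/25", "192.168.1.0/23"]:
        d = describe_subnet(cidr)
        print(f"{cidr:>16}  net {d['network']:<13} mask {d['mask']:<15} "
              f"usable {d['usable']:>5}  {d['first']} - {d['last']}  gw {d['gateway']}")
    p = smallest_prefix_for(30)
    usable = describe_subnet(f"192.168.1.0/{p}")["usable"]
    print(f"30 students + 1 gateway fit in a /{p} ({usable} usable addresses)")
```

Entering 192.168.1.0 with /23 is instructive: the block actually starts at 192.168.0.0, because with a 23-bit prefix the last bit of the third octet belongs to the host part.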
DHCP per VLAN
Each VLAN needs its own DHCP configuration so devices get the right IP address for their segment. This can be configured on the router or on a dedicated DHCP server.
Example for the Student VLAN:
| Setting | Value |
|---|---|
| Subnet | 10.0.30.0/24 |
| Gateway | 10.0.30.1 |
| DHCP-range | 10.0.30.100 - 10.0.30.250 |
| DNS | 1.1.1.1 / 8.8.8.8 |
Summin’ It Up
- Segmentin’ splits the network into isolated parts for security and control
- VLANs are virtual networks on the same physical switch
- Access ports connect devices to one VLAN, trunk ports carry multiple VLANs
- Firewall rules decide what’s allowed between the VLANs
- Each VLAN needs its own subnet and DHCP configuration
- Startin’ point: block everything, only allow what’s needed