Aye, picture a school network where students, teachers, administration, and IoT devices (printers, smart boards, cameras) all share the same network. All can see each other, in theory. ‘Tis neither secure nor efficient, it be. The solution be segmentation.
Why Segment, Aye?
Segmentin’ be meanin’ to split yer network into smaller pieces, see? Each piece be isolated from the others, so traffic don’t flow freely between ‘em.
| Benefit | Explanation |
|---|---|
| Security | A compromised IoT camera can’t reach the servers, savvy? |
| Performance | Less broadcast traffic per segment |
| Control | Different rules for different groups o’ users |
| Troubleshooting | Easier to isolate problems to a specific segment |
A Practical Example
At a school, the network might look like this:
- VLAN 10: Administration - Payroll, HR, management. Strictly limited access.
- VLAN 20: Staff - Teachers and other employees. Access to shared folders and printers.
- VLAN 30: Students - Internet access and learning platforms only.
- VLAN 40: IoT - Printers, smart screens, cameras. No internet access (or very limited).
- VLAN 50: Servers - Internal servers, inaccessible directly from other VLANs.
What be a VLAN?
VLAN stands for Virtual Local Area Network. ‘Tis a way to create multiple logical networks on the same physical switch. Instead o’ buyin’ a separate switch for each network, ye configure the switch to treat different ports (or traffic) as separate networks.
Each VLAN has its own address range (subnet):
| VLAN | Name | Subnet | Gateway |
|---|---|---|---|
| 10 | Administration | 10.0.10.0/24 | 10.0.10.1 |
| 20 | Staff | 10.0.20.0/24 | 10.0.20.1 |
| 30 | Students | 10.0.30.0/24 | 10.0.30.1 |
| 40 | IoT | 10.0.40.0/24 | 10.0.40.1 |
| 50 | Servers | 10.0.50.0/24 | 10.0.50.1 |
Subnetting Briefly Explained
/24 means the first 24 bits be the network part o’ the address, aye. In practice, this means ye have 254 addresses available (.1 to .254) in each VLAN.
- 10.0.10.0/24 gives addresses from 10.0.10.1 to 10.0.10.254
- The gateway be usually the first address (.1)
Tagged vs. Untagged Traffic
For VLANs to work across multiple switches (or between a switch and a router), tagging be used:
| Type | Explanation | Use |
|---|---|---|
| Untagged (access) | The port belongs to one VLAN. The device be not aware o’ VLANs. | PCs, printers, phones |
| Tagged (trunk) | The port carries traffic from multiple VLANs, marked with the VLAN ID. | Between switches, towards routers |
Devices like PCs and printers need not know they be on a VLAN. They be connected to an “access” port that be assigned to the correct VLAN. The connection between two switches or between a switch and a router uses a “trunk” port that carries all the VLANs.
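To make the access/trunk distinction concrete, here is an added example (not part of the original text) that builds the frame a PC on an access port sends, inserts the 4-byte 802.1Q tag a switch adds when forwarding it over a trunk, and parses it back. The MAC addresses and payload are constructed sample values.

```python
import struct

TPID_8021Q = 0x8100      # EtherType value that announces an 802.1Q tag follows
ETHERTYPE_IPV4 = 0x0800

def build_untagged_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """A frame as a PC or printer on an access port sends it: no VLAN tag at all."""
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload

def tag_frame(frame: bytes, vlan_id: int, pcp: int = 0) -> bytes:
    """What the switch does when the frame leaves on a trunk port: insert
    TPID + TCI (priority 3 bits, DEI 1 bit, VLAN ID 12 bits) after the source MAC."""
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = ((pcp & 0x7) << 13) | (vlan_id & 0x0FFF)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def untag_frame(frame: bytes) -> bytes:
    """What the switch does when the frame leaves on an access port: strip the tag."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return frame
    return frame[:12] + frame[16:]

def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN ID (None when untagged), priority, EtherType and payload."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan_id, pcp, offset = None, None, 14
    if ethertype == TPID_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        pcp, vlan_id = tci >> 13, tci & 0x0FFF
        ethertype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"), "vlan_id": vlan_id,
            "pcp": pcp, "ethertype": ethertype, "payload": frame[offset:]}

def demo() -> dict:
    """Constructed sample: a student PC (VLAN 30) sends a frame on its access port,
    the switch tags it towards the router, and the tag is stripped again on egress."""
    pc_frame = build_untagged_frame(bytes.fromhex("020000000001"),
                                    bytes.fromhex("020000000030"),
                                    ETHERTYPE_IPV4, b"constructed-ip-packet")
    trunk_frame = tag_frame(pc_frame, 30)
    return {"on_trunk": parse_frame(trunk_frame),
            "on_access": parse_frame(untag_frame(trunk_frame)),
            "roundtrip_ok": untag_frame(trunk_frame) == pc_frame}
```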
Task 1 - Behold the VLAN in Practice
If ye have access to Unifi or another network management platform at the school:
- Observe which VLANs be configured
- Which ports be set as access, and which as trunk?
- Try to discover which VLAN yer PC be connected to (hint: check yer IP address and compare with the subnet table)
Firewall Rules Between VLANs
Creatin’ VLANs be just half the work, aye. Without firewall rules, traffic can still flow between ‘em through the router/gateway. Ye must explicitly decide what be allowed:
| From (source) | To (destination) | Allowed? | Reasonin’ |
|---|---|---|---|
| Students | Internet | ✅ Aye | Needed for learnin’ |
| Students | Servers | ❌ Nay | Students need no access to servers |
| Staff | Servers | ✅ Aye | File storage and internal systems |
| IoT | Internet | ❌ Nay (or limited) | IoT devices rarely need the internet |
| IoT | Students/Staff | ❌ Nay | IoT should be isolated |
| Servers | All | ✅ Aye (outbound) | Servers can respond to requests |
Default: block all, allow what ye need
A hearty firewall policy begins with blockin’ all traffic ‘tween the VLANs, and then openin’ only what be needed. ‘Tis much safer than startin’ with all open and tryin’ to block what ye don’t want.
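The rule table above, evaluated as a default-deny policy, as an added example that is not part of the original text. It maps addresses to VLANs with the page's subnet table (the comparison Task 1 asks ye to do by hand), then shows what a flow with no explicit rule does under "block all" versus an open router. The sample addresses are constructed.

```python
import ipaddress

# VLAN table from the text: subnet -> zone name
VLANS = {
    "Administration": ipaddress.ip_network("10.0.10.0/24"),
    "Staff": ipaddress.ip_network("10.0.20.0/24"),
    "Students": ipaddress.ip_network("10.0.30.0/24"),
    "IoT": ipaddress.ip_network("10.0.40.0/24"),
    "Servers": ipaddress.ip_network("10.0.50.0/24"),
}

def zone_of(ip: str) -> str:
    """Find the VLAN an address belongs to; anything outside the table is 'Internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "Internet"

# Rules from the text, checked top to bottom, first match wins. "Any" matches all zones.
RULES = [
    ("Students", "Internet", True),
    ("Students", "Servers", False),
    ("Staff", "Servers", True),
    ("IoT", "Internet", False),
    ("IoT", "Students", False),
    ("IoT", "Staff", False),
    ("Servers", "Any", True),        # outbound from servers
]

def is_allowed(src_ip: str, dst_ip: str, rules=RULES, default_allow: bool = False) -> bool:
    """May a new connection from src_ip to dst_ip cross the gateway?"""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        return True                   # same VLAN: switched locally, the firewall never sees it
    for rule_src, rule_dst, allowed in rules:
        if rule_src in (src, "Any") and rule_dst in (dst, "Any"):
            return allowed
    return default_allow              # nothing matched: the default decides

def policy_matrix(default_allow: bool = False) -> dict:
    """Constructed sample flows; note the last one has no rule in the table."""
    flows = {
        "student -> file server": ("10.0.30.57", "10.0.50.10"),
        "student -> internet": ("10.0.30.57", "203.0.113.10"),
        "teacher -> file server": ("10.0.20.12", "10.0.50.10"),
        "camera -> internet": ("10.0.40.8", "203.0.113.10"),
        "student -> payroll pc": ("10.0.30.57", "10.0.10.5"),
    }
    return {name: is_allowed(s, d, default_allow=default_allow) for name, (s, d) in flows.items()}
```

With `default_allow=True` the student-to-payroll flow passes even though nobody ever approved it; that gap is exactly what the block-all starting point closes.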
Subnetting
Each VLAN needs its own subnet, aye. A subnet defines the address range for the network:
| Subnet | Network Mask | Number o’ Addresses | Typical Use |
|---|---|---|---|
| /24 | 255.255.255.0 | 254 | Most VLANs |
| /25 | 255.255.255.128 | 126 | Smaller segment |
| /16 | 255.255.0.0 | 65 534 | Large networks |
Task 2 - Calculate a Subnet
Use an online subnet calculator, such as subnet-calculator.com:
- Enter 192.168.1.0 with mask /24. How many addresses do ye get?
- What happens if ye change to /25? Or /23?
- What would ye choose for a classroom with 30 scallywags?
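An offline subnet calculator covering the subnetting section, the mask table and Task 2, added here as an example and not part of the original text. It also answers the classroom question, counting the gateway as one of the addresses the block must hold.

```python
import ipaddress

def describe_subnet(cidr: str) -> dict:
    """Network, mask, usable host range and count for a CIDR block, with the
    gateway on the first usable address as the text does."""
    # strict=False accepts a host address such as 192.168.1.0/23 and snaps it to
    # the block it actually lies in (192.168.0.0/23)
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 30:
        raise ValueError("/31 and /32 leave no room for a gateway plus hosts")
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "prefix": net.prefixlen,
        "usable_hosts": net.num_addresses - 2,   # minus network and broadcast
        "first_host": str(first),
        "last_host": str(last),
        "gateway": str(first),
        "broadcast": str(net.broadcast_address),
    }

def smallest_prefix_for(devices: int, reserve_gateway: bool = True) -> int:
    """Longest prefix (smallest block) that fits `devices` hosts, plus the gateway
    unless told otherwise. 30 PCs + gateway = 31 addresses: /27 (30) is too small."""
    needed = devices + (1 if reserve_gateway else 0)
    for prefix in range(30, 0, -1):          # /30 holds 2 hosts, /29 holds 6, ...
        if 2 ** (32 - prefix) - 2 >= needed:
            return prefix
    raise ValueError("too many devices for a single IPv4 network")
```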
DHCP per VLAN
Each VLAN needs its own DHCP configuration so that devices get the right IP address for their segment. This can be configured on the router or a dedicated DHCP server.
Example for the Student VLAN:
| Setting | Value |
|---|---|
| Subnet | 10.0.30.0/24 |
| Gateway | 10.0.30.1 |
| DHCP-range | 10.0.30.100 - 10.0.30.250 |
| DNS | 1.1.1.1 / 8.8.8.8 |
Summary
- Segmentin’ divides the network into isolated parts for security and control, aye!
- VLANs be virtual networks on the same physical switch, savvy?
- Access ports connect devices to a single VLAN, while trunk ports carry multiple VLANs, arr!
- Firewall rules determine what be allowed between the VLANs, aye?
- Each VLAN needs its own subnet and DHCP configuration, shiver me timbers!
- Startin’ point: block all, allow only what be needed, aye!