This is a machine-translated text and may contain errors.
Imagine a school network where students, teachers, the administration and IoT devices (printers, smart screens, cameras) all share one network. In principle every device can see every other device. That is neither secure nor efficient. The solution is segmentation.
Why Segment?
Segmentation means dividing a network into several smaller parts. Each part is isolated from the others at the switch level, so traffic cannot flow freely between them: anything that needs to cross from one part to another has to pass through a router or firewall, where it can be inspected and filtered.
| Benefit | Explanation |
|---|---|
| Security | A compromised IoT camera cannot reach the servers (provided the rules between the segments deny it) |
| Performance | Less broadcast-traffic per segment |
| Control | Diverse rules for diverse user-groups |
| Troubleshooting | Easier to isolate problems to a certain segment |
A practical example
In a school, the network might look like this:
- VLAN 10: Administration - payroll, HR and management. Access most strictly restricted.
- VLAN 20: Staff - teachers and other employees. Access to shared folders and printers.
- VLAN 30: Students - internet access and learning platforms only.
- VLAN 40: IoT - printers, smart screens and cameras. No internet access (or very limited).
- VLAN 50: Servers - internal servers, not directly reachable from the other VLANs.
What is a VLAN?
VLAN stands for Virtual Local Area Network. It is a way of creating several logical networks on the same physical switch. Instead of buying a separate switch for each network, you configure the switch to treat certain ports (or certain traffic) as separate networks. The switch never forwards a frame from one VLAN to a port in another, so the VLANs behave like physically separate LANs.
Each VLAN has its own address range (subnet):
| VLAN | Name | Subnet | Gateway |
|---|---|---|---|
| 10 | Administration | 10.0.10.0/24 | 10.0.10.1 |
| 20 | Staff | 10.0.20.0/24 | 10.0.20.1 |
| 30 | Students | 10.0.30.0/24 | 10.0.30.1 |
| 40 | IoT | 10.0.40.0/24 | 10.0.40.1 |
| 50 | Servers | 10.0.50.0/24 | 10.0.50.1 |
Subnetting in brief
/24 means that the first 24 bits of the address identify the network, leaving 8 bits for hosts. In practice that gives you 254 usable addresses (.1 to .254) in each VLAN; the remaining two, .0 and .255, are the network and broadcast addresses and cannot be assigned to a device.
- 10.0.10.0/24 gives usable addresses from 10.0.10.1 to 10.0.10.254
- The gateway is usually the first address (.1)
Tagged vs. Untagged Traffic
For VLANs to work across several switches (or between a switch and a router), the traffic has to be tagged:
| Type | Explanation | Use |
|---|---|---|
| Untagged (access) | The port belongs to exactly one VLAN. The device does not know VLANs exist. | PCs, printers, phones |
| Tagged (trunk) | The port carries traffic from several VLANs, each frame marked with its VLAN ID (an 802.1Q tag). | Between switches, towards routers |
Devices such as PCs and printers do not need to know that they are in a VLAN. They are connected to an access port, and the switch assigns that port to the right VLAN. The link between two switches, or between a switch and a router, uses a trunk port, which carries all the VLANs with a tag on every frame. One caveat: a trunk also has a native VLAN whose frames travel untagged. Do not use one of the user VLANs as the native VLAN, and do not leave unused ports in the default VLAN 1; put them in an unused, shut-down VLAN instead.
Task 1 - See VLANs in Practice
If you have access to Unifi or another network management platform at the school:
- See which VLANs are configured.
- Which ports are set as access ports, and which as trunk ports?
- Try to find out which VLAN your PC is connected to (hint: look at your IP address and compare it with the subnet table).
Firewall Rules Between VLANs
Creating VLANs is only half the job. The router or gateway that connects the VLANs will happily route traffic between them (inter-VLAN routing), so without firewall rules a student PC can still reach a server in VLAN 50. You must state explicitly what is allowed:
| From (source) | To (destination) | Allowed? | Reason |
|---|---|---|---|
| Students | Internet | ✅ Yes | Needed for teaching |
| Students | Servers | ❌ No | Students do not need access to the servers |
| Staff | Servers | ✅ Yes | File storage and internal systems |
| IoT | Internet | ❌ No (or limited) | IoT devices rarely need the internet |
| IoT | Students/Staff | ❌ No | IoT should be isolated |
| Servers | All | ✅ Yes (outbound) | Only needed for connections the servers start themselves (updates, DNS); a stateful firewall lets them answer allowed requests without a rule of their own |
Default: block everything, allow only what you need
A good firewall policy starts by blocking all traffic between the VLANs and then opens only what is needed (default deny). That is far safer than starting with everything open and trying to block what you do not want: with default deny, anything you forget stays closed rather than open.
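The rule table above, modelled as an added example in Python (my code, not the page's or Unifi's configuration): each address is mapped to its VLAN zone, the rules are evaluated in order, any zone pair no rule mentions falls through to the default, and replies to connections that were allowed are accepted by state, which is why the "Servers to all" row is only needed for connections the servers start themselves. The zone names, the `Rule`, `Packet` and `StatefulFirewall` classes, and the sample addresses are my assumptions.

```python
"""Toy inter-VLAN firewall: zone lookup, ordered rules, default deny and
stateful handling of replies.  Added example, not the page's own configuration."""
import ipaddress
from dataclasses import dataclass

# VLAN subnets from the page's table.  "Internet" is not a VLAN but the
# catch-all zone for any address that is in none of them.
VLANS = {
    "Administration": ipaddress.ip_network("10.0.10.0/24"),
    "Staff":          ipaddress.ip_network("10.0.20.0/24"),
    "Students":       ipaddress.ip_network("10.0.30.0/24"),
    "IoT":            ipaddress.ip_network("10.0.40.0/24"),
    "Servers":        ipaddress.ip_network("10.0.50.0/24"),
}

def zone_of(ip: str) -> str:
    """Map an IP address to its VLAN zone, or "Internet" if it is in no VLAN."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "Internet"

@dataclass(frozen=True)
class Rule:
    src: str      # zone name, or "Any"
    dst: str      # zone name, or "Any"
    action: str   # "allow" or "deny"

    def matches(self, src_zone: str, dst_zone: str) -> bool:
        return self.src in ("Any", src_zone) and self.dst in ("Any", dst_zone)

# The page's rule table, in order; first match wins ("IoT -> Internet" as plain deny).
RULES = [
    Rule("Students", "Internet", "allow"),
    Rule("Students", "Servers",  "deny"),
    Rule("Staff",    "Servers",  "allow"),
    Rule("IoT",      "Internet", "deny"),
    Rule("IoT",      "Students", "deny"),
    Rule("IoT",      "Staff",    "deny"),
    Rule("Servers",  "Any",      "allow"),
]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = True   # True for the packet that opens a new TCP connection

class StatefulFirewall:
    """Evaluate packets against the zone rules and remember allowed connections
    so their replies are accepted without a rule of their own.  Zone pairs that
    no rule mentions fall through to `default`."""

    def __init__(self, rules, default="deny"):
        self.rules = list(rules)
        self.default = default
        self.conntrack = set()   # (client ip, client port, server ip, server port)

    def check(self, pkt: Packet) -> str:
        # 1. Reply to a connection we already allowed: accept by state.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.conntrack:
            return "allow (established)"
        # 2. Mid-connection packet with no tracked connection: invalid, drop it
        #    even if a rule would allow a new connection in that direction.
        if not pkt.syn:
            return "deny (no state)"
        # 3. New connection: walk the ordered rules, first match wins.
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        verdict = self.default
        for rule in self.rules:
            if rule.matches(src_zone, dst_zone):
                verdict = rule.action
                break
        if verdict == "allow":
            self.conntrack.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return verdict

def demo() -> dict:
    """Run a few constructed packets through the page's policy."""
    fw = StatefulFirewall(RULES, default="deny")
    out = {}
    # Staff laptop opens SMB to the file server: allowed by the Staff->Servers rule.
    out["staff->server"] = fw.check(Packet("10.0.20.15", "10.0.50.10", 51000, 445))
    # The server's reply is accepted by state; no Servers->Staff rule is consulted.
    out["server->staff reply"] = fw.check(Packet("10.0.50.10", "10.0.20.15", 445, 51000, syn=False))
    # A stray mid-connection packet from the server with no state behind it.
    out["server->staff stray"] = fw.check(Packet("10.0.50.10", "10.0.20.15", 445, 51001, syn=False))
    # A student tries the same server: explicitly denied.
    out["student->server"] = fw.check(Packet("10.0.30.42", "10.0.50.10", 52000, 445))
    # Student -> Administration appears in no rule, so the default decides.
    out["student->admin"] = fw.check(Packet("10.0.30.42", "10.0.10.5", 52001, 22))
    # The same packet under a default-allow policy slips through.
    lax = StatefulFirewall(RULES, default="allow")
    out["student->admin (default allow)"] = lax.check(Packet("10.0.30.42", "10.0.10.5", 52001, 22))
    return out
```

The last two entries of `demo()` are the whole argument for default deny: the student-to-administration pair is in nobody's table, and only the default decides whether it is reachable. Real firewalls add ports and protocols to each rule; the zone logic is the same.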
Subnetting
Each VLAN needs its own subnet. A subnet defines the address range for the network:
| Subnet | Network mask | Usable addresses | Typical use |
|---|---|---|---|
| /24 | 255.255.255.0 | 254 | Most VLANs |
| /25 | 255.255.255.128 | 126 | Small segment |
| /16 | 255.255.0.0 | 65,534 | Large networks |
Task 2 - Calculate a Subnet
Use an online subnet calculator, for example subnet-calculator.com:
- Enter 192.168.1.0 with mask /24. How many addresses do you get?
- What happens if you change it to /25? Or /23?
- What would you choose for a classroom with 30 students?
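Task 1's hint and Task 2 worked in Python's standard `ipaddress` module, as an added example that is not part of the original text: a subnet summary like the one a calculator shows, the smallest prefix that fits a given number of hosts, and a lookup from an IP address to the VLAN table above. The VLAN table is the page's; the function names and sample addresses are my own.

```python
"""Subnet arithmetic for Task 1 and Task 2 using Python's standard ipaddress
module.  Added example: the VLAN table is the page's, the functions are mine."""
import ipaddress
from typing import Optional

VLANS = {
    "Administration": "10.0.10.0/24",
    "Staff":          "10.0.20.0/24",
    "Students":       "10.0.30.0/24",
    "IoT":            "10.0.40.0/24",
    "Servers":        "10.0.50.0/24",
}

def subnet_summary(cidr: str) -> dict:
    """What a subnet calculator shows for a prefix: mask, range and usable hosts.
    strict=False lets "192.168.1.0/23" through and reports its real network
    address (192.168.0.0), which is the answer a calculator gives too."""
    net = ipaddress.ip_network(cidr, strict=False)
    if net.prefixlen > 30:
        raise ValueError("/31 and /32 leave no room for a gateway plus hosts")
    return {
        "network": str(net.network_address),
        "netmask": str(net.netmask),
        "first_host": str(net.network_address + 1),   # usually the gateway
        "last_host": str(net.broadcast_address - 1),
        "broadcast": str(net.broadcast_address),
        "usable": net.num_addresses - 2,               # minus network and broadcast
    }

def prefix_for_hosts(needed: int) -> int:
    """Longest (i.e. smallest) IPv4 prefix with at least `needed` usable addresses."""
    for prefix in range(30, 0, -1):
        if 2 ** (32 - prefix) - 2 >= needed:
            return prefix
    raise ValueError("more hosts than a single IPv4 network can hold")

def vlan_of(ip: str) -> Optional[str]:
    """Task 1 hint: which VLAN's subnet does this IP address fall in?"""
    addr = ipaddress.ip_address(ip)
    for name, cidr in VLANS.items():
        if addr in ipaddress.ip_network(cidr):
            return name
    return None

if __name__ == "__main__":
    for cidr in ("192.168.1.0/24", "192.168.1.0/25", "192.168.1.0/23"):
        print(cidr, subnet_summary(cidr))
    # A classroom with 30 students: a /27 has exactly 30 usable addresses, but
    # the gateway needs one as well, so the realistic minimum is a /26.  With
    # headroom for printers and teacher devices, the page's /24 is the sane pick.
    print("30 hosts -> /%d, 30 hosts + gateway -> /%d" % (prefix_for_hosts(30), prefix_for_hosts(31)))
    print(vlan_of("10.0.30.57"))   # a PC with this address is in the Students VLAN
```

The classroom question is the one worth pausing on: a /27 holds exactly 30 hosts, which leaves nothing for the gateway, so count the gateway (and printers, access points, the teacher's laptop) before picking a prefix.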
DHCP per VLAN
Each VLAN needs its own DHCP configuration so that devices get an IP address that belongs to their segment. This can be configured on the router or on a dedicated DHCP server. If the DHCP server sits in another VLAN, the router has to forward the clients' broadcast requests to it with a DHCP relay, since broadcasts do not cross VLAN boundaries on their own.
Example for the student VLAN:
| Setting | Value |
|---|---|
| Subnet | 10.0.30.0/24 |
| Gateway | 10.0.30.1 |
| DHCP range | 10.0.30.100 - 10.0.30.250 |
| DNS | 1.1.1.1 / 8.8.8.8 |
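A per-VLAN DHCP scope as an added example (my code, not the page's or any particular router's configuration): it derives the gateway from the subnet the way the page does, checks the pool against the usual mistakes (pool outside the subnet, gateway inside the pool, network or broadcast address inside the pool), and renders the result as dnsmasq options. dnsmasq is chosen only as a concrete DHCP server to render for; the function names are assumptions.

```python
"""Per-VLAN DHCP scope check and dnsmasq-style rendering.  Added example, not
the page's configuration; dnsmasq is just one DHCP server chosen for illustration."""
import ipaddress

def dhcp_scope(vlan_id: int, cidr: str, pool_start: str, pool_end: str, dns: list) -> dict:
    """Build the DHCP scope for one VLAN and list anything wrong with it."""
    net = ipaddress.ip_network(cidr)
    gateway = net.network_address + 1          # page convention: the gateway is .1
    start, end = ipaddress.ip_address(pool_start), ipaddress.ip_address(pool_end)
    problems = []
    if start not in net or end not in net:
        problems.append("pool is not inside the subnet")
    elif start > end:
        problems.append("pool start is after pool end")
    else:
        if start <= gateway <= end:
            problems.append("gateway lies inside the pool")
        if start == net.network_address or end == net.broadcast_address:
            problems.append("pool includes the network or broadcast address")
    leases = int(end) - int(start) + 1 if not problems else 0
    return {
        "vlan": vlan_id,
        "subnet": str(net),
        "gateway": str(gateway),
        "pool": (str(start), str(end)),
        "leases": leases,
        "outside_pool": (net.num_addresses - 2) - leases,  # gateway + static hosts
        "dns": list(dns),
        "problems": problems,
    }

def dnsmasq_lines(scope: dict, lease_time: str = "12h") -> list:
    """Render a valid scope as dnsmasq options: `set:` tags clients that got an
    address from this range, `tag:` limits the options to those clients."""
    if scope["problems"]:
        raise ValueError("refusing to render a broken scope: " + "; ".join(scope["problems"]))
    tag = f"vlan{scope['vlan']}"
    netmask = ipaddress.ip_network(scope["subnet"]).netmask
    start, end = scope["pool"]
    return [
        f"dhcp-range=set:{tag},{start},{end},{netmask},{lease_time}",
        f"dhcp-option=tag:{tag},option:router,{scope['gateway']}",
        f"dhcp-option=tag:{tag},option:dns-server,{','.join(scope['dns'])}",
    ]

if __name__ == "__main__":
    student = dhcp_scope(30, "10.0.30.0/24", "10.0.30.100", "10.0.30.250", ["1.1.1.1", "8.8.8.8"])
    print(student)
    print("\n".join(dnsmasq_lines(student)))
    # A pool that spans the whole subnet swallows the gateway address: caught.
    print(dhcp_scope(30, "10.0.30.0/24", "10.0.30.1", "10.0.30.254", ["1.1.1.1"])["problems"])
```

The page's pool starts at .100 for a reason: .2 to .99 stay free for the gateway, printers and other devices that need a fixed address, and the check above refuses any pool that overlaps the gateway.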
Summary
- Segmentation divides the network into isolated parts for security and control.
- VLANs are virtual networks on the same physical switch.
- Access ports connect devices to one VLAN; trunk ports carry several VLANs.
- Firewall rules decide what is allowed between the VLANs; without them the router forwards everything.
- Each VLAN needs its own subnet and DHCP configuration.
- The starting point: block everything, allow only what is needed.