VLANs for a DORM to isolate rooms from each other?

Archived from groups: alt.computer.security,alt.computers.security,comp.security.firewalls

I have a client with a dorm of 100 students. They currently (not my
design) use a stack of switches and connect all users to a single DHCP
scope for addresses and then NAT it to internet access.

As you can guess, this really causes problems when one or more of the
kids get infected.

I was thinking of purchasing a couple managed switches, setting up one
VLAN per switch port to keep each network jack isolated from the others.
I would still need a single DHCP server to provide addresses to the kids
network devices, and I would want them to all use the same NAT internet
solution, just to be isolated from each other.

Anyone got any feedback on VLAN's using a managed switch to build this?


--
--
spamfree999@rrohio.com
(Remove 999 to reply to me)
  1. Archived from groups: alt.computer.security,alt.computers.security,comp.security.firewalls

    Leythos <void@nowhere.com> wrote in news:MPG.1ae5fe574de8815198a3ad@news-
    server.columbus.rr.com:

    > I have a client with a dorm of 100 students. They currently (not my
    > design) use a stack of switches and connect all users to a single DHCP
    > scope for addresses and then NAT it to internet access.
    >
    > As you can guess, this really causes problems when one or more of the
    > kids get infected.
    >
    > I was thinking of purchasing a couple managed switches, setting up one
    > VLAN per switch port to keep each network jack isolated from the others.
    > I would still need a single DHCP server to provide addresses to the kids
    > network devices, and I would want them to all use the same NAT internet
    > solution, just to be isolated from each other.
    >
    > Anyone got any feedback on VLAN's using a managed switch to build this?
    >
    >

    you gonna setup 100 vlans? why?

    your major spof is the actual switches' ip address that you use to manage
    the switch. got to manage the switch sans ip or telnet.

    :-(


    Rowdy Yates
    "the man who tried and failed miserably"
    --
    Visit Rowdy's Home Page
    http://rowdy_yates2.tripod.com/
  2. Archived from groups: alt.computer.security,alt.computers.security,comp.security.firewalls

    On Tue, 13 Apr 2004 18:41:14 GMT, Leythos wrote:

    > I have a client with a dorm of 100 students. They currently (not my
    > design) use a stack of switches and connect all users to a single DHCP
    > scope for addresses and then NAT it to internet access.
    >
    > As you can guess, this really causes problems when one or more of the
    > kids get infected.
    >
    > I was thinking of purchasing a couple managed switches, setting up one
    > VLAN per switch port to keep each network jack isolated from the others.
    > I would still need a single DHCP server to provide addresses to the kids
    > network devices, and I would want them to all use the same NAT internet
    > solution, just to be isolated from each other.
    >
    > Anyone got any feedback on VLAN's using a managed switch to build this?

    This probably would not be a good idea. Remember the only way to
    communicate between VLANs is to route. So you are going to need 2 ports
    per user, one to them, one to an external router. Another option would be
    to use VLAN tagging which would allow users to be in their own VLAN as well
    as in the VLAN of the default gateway, but everything in the default
    gateway's VLAN would need to be 802.1q compliant. I've never tried that
    so I don't even know if it would work.

    I'm not sure if you can configure this over inter-switch links so you might
    need a huge switch to do it this way, probably making cost a factor.
  3. Archived from groups: comp.security.firewalls

    W.B wrote:

    > On Tue, 13 Apr 2004 18:41:14 GMT, Leythos wrote:
    >
    >
    >>I have a client with a dorm of 100 students. They currently (not my
    >>design) use a stack of switches and connect all users to a single DHCP
    >>scope for addresses and then NAT it to internet access.
    >>
    >>As you can guess, this really causes problems when one or more of the
    >>kids get infected.
    >>
    >>I was thinking of purchasing a couple managed switches, setting up one
    >>VLAN per switch port to keep each network jack isolated from the others.
    >>I would still need a single DHCP server to provide addresses to the kids
    >>network devices, and I would want them to all use the same NAT internet
    >>solution, just to be isolated from each other.
    >>
    >>Anyone got any feedback on VLAN's using a managed switch to build this?
    >
    >
    > This probably would not be a good idea. Remember the only way to
    > communicate between VLANs is to route. So you are going to need 2 ports
    > per user, one to them, one to an external router. Another option would be
    > to use VLAN tagging which would allow users to be in their own VLAN as well
    > as in the VLAN of the default gateway, but everything in the default
    > gateway's VLAN would need to be 802.1q compliant. I've never tried that
    > so I don't even know if it would work.
    >
    > I'm not sure if you can configure this over inter-switch links so you might
    > need a huge switch to do it this way, probably making cost a factor.


    Not so fast... Cisco now has Layer 3 switches that do inter-VLAN
    routing. This will eliminate the layer 3 issues. I currently use 5 Cisco
    3550 with about 8-10 VLANs, one VLAN per department, and this works
    great. The added security you get is also a plus. One other thing
    you will see with doing VLANs is you reduce the amount of broadcast
    traffic from all the PCs as the broadcast will not go from one VLAN to
    another.


    hth,

    Chad
  4. Archived from groups: comp.security.firewalls

    >
    >
    > Not so fast... Cisco now has Layer 3 switches that do inter-VLAN
    > routing. This will eliminate the layer 3 issues. I currently use 5 Cisco
    > 3550 with about 8-10 VLANs, one VLAN per department, and this works
    > great. The added security you get is also a plus. One other thing
    > you will see with doing VLANs is you reduce the amount of broadcast
    > traffic from all the PCs as the broadcast will not go from one VLAN to
    > another.
    >
    >
    > hth,
    >
    > Cha

    Neato. I'll have to check those out. My Catalysts are ancient, but I'm
    not in a rush until Cisco managed Gigabit switching gets a little cheaper.

    The only other problem with this is, in Leythos's case, all ports would
    need to be expensive Cisco Catalyst ports, which is tough on the
    pocketbook. But apparently it is plausible.
  5. Archived from groups: comp.security.firewalls

    W.B wrote:

    >>
    >>Not so fast... Cisco now has Layer 3 switches that do inter-VLAN
    >>routing. This will eliminate the layer 3 issues. I currently use 5 Cisco
    >>3550 with about 8-10 VLANs, one VLAN per department, and this works
    >>great. The added security you get is also a plus. One other thing
    >>you will see with doing VLANs is you reduce the amount of broadcast
    >>traffic from all the PCs as the broadcast will not go from one VLAN to
    >>another.
    >>
    >>
    >>hth,
    >>
    >>Cha
    >
    >
    > Neato. I'll have to check those out. My Catalysts are ancient, but I'm
    > not in a rush until Cisco managed Gigabit switching gets a little cheaper.
    >
    > The only other problem with this is, in Leythos's case, all ports would
    > need to be expensive Cisco Catalyst ports, which is tough on the
    > pocketbook. But apparently it is plausible.
    This is true **BUT** the switch is also a router, so Leythos would not
    need to do one port to one VLAN; instead he could create VLANs on a
    per-floor basis and then create ACLs to restrict traffic even when the
    machines are in the same VLAN.

    Chad
  6. Archived from groups: comp.security.firewalls

    In article <1w8m8rbsa6jxu$.1tn71b2al0olu.dlg@40tude.net>,
    civikminded@yahoo.com says...
    > On Tue, 13 Apr 2004 18:41:14 GMT, Leythos wrote:
    >
    > > I have a client with a dorm of 100 students. They currently (not my
    > > design) use a stack of switches and connect all users to a single DHCP
    > > scope for addresses and then NAT it to internet access.
    > >
    > > As you can guess, this really causes problems when one or more of the
    > > kids get infected.
    > >
    > > I was thinking of purchasing a couple managed switches, setting up one
    > > VLAN per switch port to keep each network jack isolated from the others.
    > > I would still need a single DHCP server to provide addresses to the kids
    > > network devices, and I would want them to all use the same NAT internet
    > > solution, just to be isolated from each other.
    > >
    > > Anyone got any feedback on VLAN's using a managed switch to build this?
    >
    > This probably would not be a good idea. Remember the only way to
    > communicate between VLANs is to route. So you are going to need 2 ports
    > per user, one to them, one to an external router. Another option would be
    > to use VLAN tagging which would allow users to be in their own VLAN as well
    > as in the VLAN of the default gateway, but everything in the default
    > gateway's VLAN would need to be 802.1q compliant. I've never tried that
    > so I don't even know if it would work.
    >
    > I'm not sure if you can configure this over inter-switch links so you might
    > need a huge switch to do it this way, probably making cost a factor.

    So, other than installing 100 linksys NAT routers, got any idea on how I
    can isolate 100 users in the same network without having to install
    anything on their personal computers?

    Thanks

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  7. Archived from groups: comp.security.firewalls

    In article <107qjph6d0lt640@news.supernews.com>, spamme@mah0ney.com
    says...
    > Not so fast... Cisco now has Layer 3 switches that do inter-VLAN
    > routing. This will eliminate the layer 3 issues. I currently use 5 Cisco
    > 3550 with about 8-10 VLANs, one VLAN per department, and this works
    > great. The added security you get is also a plus. One other thing
    > you will see with doing VLANs is you reduce the amount of broadcast
    > traffic from all the PCs as the broadcast will not go from one VLAN to
    > another.

    Chad, this was what I was looking for. In order to isolate the dorm
    rooms from each other I know of about 3 ways to do it, but I was looking
    for something like VLANs where it would route all the traffic to port 48
    on each switch...

    Are you using different subnets for each vlan, I'm assuming you are?

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  8. Archived from groups: comp.security.firewalls

    Leythos wrote:

    > In article <107qjph6d0lt640@news.supernews.com>, spamme@mah0ney.com
    > says...
    >
    >>Not so fast... Cisco now has Layer 3 switches that do inter-VLAN
    >>routing. This will eliminate the layer 3 issues. I currently use 5 Cisco
    >>3550 with about 8-10 VLANs, one VLAN per department, and this works
    >>great. The added security you get is also a plus. One other thing
    >>you will see with doing VLANs is you reduce the amount of broadcast
    >>traffic from all the PCs as the broadcast will not go from one VLAN to
    >>another.
    >
    >
    > Chad, this was what I was looking for. In order to isolate the dorm
    > rooms from each other I know of about 3 ways to do it, but I was looking
    > for something like VLANs where it would route all the traffic to port 48
    > on each switch...
    >
    > Are you using different subnets for each vlan, I'm assuming you are?
    >
    Leythos,

    Yes I use subnets such as 192.168.100.0/24 for IT then 192.168.200.0/24
    for accounting, etc ...

    As far as routing traffic to a certain port, very doable **BUT** there
    are about a hundred ways to do this, depending on YOUR actual needs. I
    would start with this link from cisco:

    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a008007e71b.html


    http://www.cisco.com/en/US/products/hw/switches/ps646/products_configuration_guide_chapter09186a008014f375.html


    However I would not suggest using a VLAN per switch port; remember the
    switch is also a router, therefore you can always set up ACLs to restrict
    traffic from machines even within the same VLAN. But then again if money
    is no object then yes, one port = one VLAN :)

    Chad
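    Chad's per-floor alternative (answers 5 and 8) sketched as a Cisco IOS configuration for an L3 switch such as the 3550; this is an added example, not configuration from the thread or from the Cisco guides linked above. VLAN numbers, the 192.168.x.0/24 floor and server subnets, the DHCP server at 192.168.99.10 and the NAT gateway at 192.168.99.254 are constructed placeholders.

```cisco
! Added example: one VLAN per floor instead of one VLAN per jack.
! Every address and VLAN id below is a constructed placeholder.
ip routing
!
vlan 10
 name FLOOR1
vlan 20
 name FLOOR2
vlan 99
 name SERVERS
!
! Student jacks on floor 1; floor 2 is configured the same way in VLAN 20.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
!
! Per-floor ACL: let hosts reach the single DHCP server, block the other
! student floors and the rest of the server VLAN, permit everything else
! (i.e. the Internet via the NAT box).
ip access-list extended STUDENTS-FLOOR1
 remark DHCP discover/renew toward the relay and the DHCP server
 permit udp any eq bootpc any eq bootps
 permit ip 192.168.10.0 0.0.0.255 host 192.168.99.10
 remark no traffic to other student floors or to the rest of the server VLAN
 deny   ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 deny   ip 192.168.10.0 0.0.0.255 192.168.99.0 0.0.0.255
 permit ip 192.168.10.0 0.0.0.255 any
!
! The SVI is the floor's default gateway. "ip helper-address" relays the
! students' DHCP broadcasts to the one DHCP server in VLAN 99, so a single
! scope per floor is enough. Note: this ACL only sees traffic that is routed
! off the floor; two hosts in the same floor VLAN still talk at layer 2.
interface Vlan10
 ip address 192.168.10.1 255.255.255.0
 ip helper-address 192.168.99.10
 ip access-group STUDENTS-FLOOR1 in
!
interface Vlan99
 ip address 192.168.99.1 255.255.255.0
!
! Default route to the existing NAT box, so all floors share one Internet path.
ip route 0.0.0.0 0.0.0.0 192.168.99.254
```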
  9. Archived from groups: comp.security.firewalls

    In article <107qnsak742o455@news.supernews.com>, spamme@mah0ney.com
    says...
    > However I would not suggest using a VLAN per switch port; remember the
    > switch is also a router, therefore you can always set up ACLs to restrict
    > traffic from machines even within the same VLAN. But then again if money
    > is no object then yes, one port = one VLAN :)

    Actually, money is a problem. I have about $1000 to find and build a
    solution. I don't think it's going to involve CISCO since I can't even
    spell CISCO without being charged $10 for it :)

    Thanks for all the feedback.

    --
    --
    spamfree999@rrohio.com
    (Remove 999 to reply to me)
  10. Archived from groups: comp.security.firewalls

    Leythos wrote:

    > In article <107qnsak742o455@news.supernews.com>, spamme@mah0ney.com
    > says...
    >
    >>However I would not suggest using a VLAN per switch port; remember the
    >>switch is also a router, therefore you can always set up ACLs to restrict
    >>traffic from machines even within the same VLAN. But then again if money
    >>is no object then yes, one port = one VLAN :)
    >
    >
    > Actually, money is a problem. I have about $1000 to find and build a
    > solution. I don't think it's going to involve CISCO since I can't even
    > spell CISCO without being charged $10 for it :)
    >
    > Thanks for all the feedback.
    >


    too funny...


    Chad
  11. Archived from groups: comp.security.firewalls

    "W.B" <civikminded@yahoo.com> wrote in
    news:1w8m8rbsa6jxu$.1tn71b2al0olu.dlg@40tude.net:

    > On Tue, 13 Apr 2004 18:41:14 GMT, Leythos wrote:
    >
    >> I have a client with a dorm of 100 students. They currently (not my
    >> design) use a stack of switches and connect all users to a single
    >> DHCP scope for addresses and then NAT it to internet access.
    >>
    >> As you can guess, this really causes problems when one or more of the
    >> kids get infected.
    >>
    >> I was thinking of purchasing a couple managed switches, setting up
    >> one VLAN per switch port to keep each network jack isolated from the
    >> others. I would still need a single DHCP server to provide addresses
    >> to the kids network devices, and I would want them to all use the
    >> same NAT internet solution, just to be isolated from each other.
    >>
    >> Anyone got any feedback on VLAN's using a managed switch to build
    >> this?
    >
    > This probably would not be a good idea. Remember the only way to
    > communicate between VLANs is to route. So you are going to need 2
    > ports per user, one to them, one to an external router. Another
    > option would be to use VLAN tagging which would allow users to be in
    > their own VLAN as well as in the VLAN of the default gateway, but
    > everything in the default gateway's VLAN would need to be 802.1q
    > compliant. I've never tried that so I don't even know if it would
    > work.
    >
    > I'm not sure if you can configure this over inter-switch links so you
    > might need a huge switch to do it this way, probably making cost a
    > factor.

    I thought about this idea after I posted. Actually it's an interesting
    thought. I am just thinking it might be a serious pain in the butt to
    set up. Lots of manual grunt work involved on the switch.

    you also make a very good point.

    Rowdy Yates
    "the man who tried and failed miserably"
    --
    Visit Rowdy's Home Page
    http://rowdy_yates2.tripod.com/
  12. Archived from groups: comp.security.firewalls

    In article <MPG.1ae71949ace4bd0f98a3af@news-server.columbus.rr.com>,
    void@nowhere.com says...
    > In article <1w8m8rbsa6jxu$.1tn71b2al0olu.dlg@40tude.net>,
    > civikminded@yahoo.com says...
    > > On Tue, 13 Apr 2004 18:41:14 GMT, Leythos wrote:
    [cut]
    > So, other than installing 100 linksys NAT routers, got any idea on how I
    > can isolate 100 users in the same network without having to install
    > anything on their personal computers?

    Hi,

    You could use a switch with level 4 ACL to filter/block traffic between
    users.

    http://www.infoworld.com/article/03/10/24/42TCdell_1.html
    http://www1.us.dell.com/content/products/productdetails.aspx/pwcnt_3348?c=us&cs=555&l=en&s=biz


    --
    ICQ# 114297372