Introduction
We can take many of the network concepts of a large corporation and adapt them to a model that would enhance an educational establishment's network, giving it a fast and reliable network. Centralising administration tasks and adopting a single-sign-on model reduces the administrative effort required to manage the network.
While many people understand the advantage of faster broadband, which inevitably makes the internet experience more pleasant, understanding the advantages of a faster internal network can be difficult. The increase in wireless devices for students, teachers and visitors will dramatically increase traffic on the local network. While a device is connected to a network it consumes network resources; many people believe that if a device is not using the internet then it requires no network resources and has no impact on the flow of data across the network. In fact, authentication to the network is an ongoing activity, and connected devices also send and receive data known as broadcast traffic whether or not they are using the internet.
To explain the reasoning behind a 10Gb network backbone, we include some simple analogies that tie in the concept of 10Gb utilisation. Turning the flow of network traffic into something we can see can help our understanding of data traffic flow.
- Take two busy cities with large numbers of cars that regularly travel from one city to the other; this substitutes easily for how network data flows. If these two cities were linked by a single-carriageway motorway the congestion would be immense, especially if there were multiple access points onto the motorway from each city. If we then introduce a new motorway with ten lanes, we can quickly understand how the congestion can be
- We build a housing estate where each house is given a cold-water mains supply delivered by a ½ inch pipe. If the main supply coming into the estate were also a ½ inch pipe, residents would suffer a lack of pressure as the number of users grew. To combat this we could introduce a 5-inch main supply to the estate, giving each house an ample water supply to suit its needs.
Virtualisation is another concept used in network topologies, giving us the ability to run multiple servers on shared hardware, spreading the workload and reducing the need for extra expensive computing hardware. The physical networks that deliver the data can also be virtualised using the Virtual Local Area Network (VLAN) concept. Having a single Local Area Network (LAN) accommodate a large number of users increases broadcast traffic and limits the security controls available. Many network protocols and applications depend on broadcast communication to function correctly. VLANs reduce the cost of segmenting a large network by accomplishing segmentation at the switch level rather than with multiple costly routers. VLANs will be discussed further in relation to their implementation in the proposed network.
There is one further requirement for understanding the proposed network: network layers, and a basic understanding of the Open Systems Interconnection model (OSI model). The OSI model is divided into seven layers; to understand the proposed network a basic understanding of Layer 2 and Layer 3 is required.
A layer 3 switch would be required to route between the VLANs on a network. The layer 3 switch enables routing between each network and the layer 2 switches provide the connectivity.
Power over Ethernet (PoE) is a method of providing network access while also supplying power to low-power devices such as wireless access points and CCTV cameras. PoE switches eliminate the need for power injectors and power points to supply your wireless access points.
A simplified look at the input/output of a switch shows the restriction imposed by a standard 24-port gigabit switch versus a 24-port gigabit switch with 10 gigabit uplinks. There are 24-port switches with separate uplink ports, but those uplinks are still restricted to 1 Gb. A switch with SFP ports for uplinks could potentially push the uplink to 40 gigabits if fitted with four SFP ports.
Network Topology
Taking the network diagram above, we break the network down for explanation according to the area numbers defined on it.
Area 1, Server 1 with active directory and file server.
Active directory plays an integral part in any domain-controlled network. The active directory server authenticates users against its local database. Active directory is a very powerful network management tool for security and deployment. Group policies can be created to deploy printers to users, for example, with a printer being deployed to a user only when they are on a certain computer. Software can be deployed to computers without having to visit each computer manually, provided the software is deployable. Shared folders can be mapped to an individual's PC and follow them if they log onto a different PC. The remaining capacity of this server could be used as a file server, storing files and folders that can be accessed from users' PCs. The true advantage of active directory is its centralised management.
Area 2, Server 2, Host to Virtual Servers
Virtual machines allow multiple servers to be hosted without requiring separate hardware for each server. Virtualisation allows us to separate network functions while allocating the required resources to each function. The server functions listed under the virtual machines could all be placed on a single server with adequate power, but a single function could then monopolise the resources and cause issues for the others. A second objective is to avoid the "keeping all your eggs in one basket" approach: don't concentrate all your prospects or resources in one thing or place, or you could lose everything.
Area 2.5, Virtual Machines
The actual virtual machines listed in the diagram above are not that important, with the exception of one: the second instance of active directory. Older versions of Windows worked on the concept of a Primary Domain Controller (PDC) and a Backup Domain Controller (BDC), which shared the workload and provided failover. If the PDC failed, the BDC could be promoted to PDC and a new BDC installed without losing active directory configuration and data.
Today's Windows servers work in a similar way, except that the domain controllers are equal members of the domain while still sharing the workload and roles. Building a network customised to a particular need can take many hours and is constructed over time; losing all that work can be costly to reconstruct if only a single server is deployed, which brings us back to "keeping all your eggs in one basket". Active directory is a busy network function, and adding wireless to a network could see the number of user devices and log-ons rise in excess of 1,000 users. As authentication is an ongoing process while a device is connected, it makes sense to spread the authentication process across more than one device.
Area 3, Layer 3, 10Gb Core Switch
Routing enables different networks to communicate based on a set of rules. Layer 3 switches have the software capability to route traffic based on IP address. The core switch polices traffic and can route it to a different network if required, unlike a layer 2 switch, which can only forward traffic to its destination if that destination is within the same network address scope.
To give an analogy of layer 2 and layer 3 switches, we can compare them to a postal system with two postal districts, District A and District B. Each district has a postman; the postmen know their delivery addresses solely from local knowledge and have no home base. Delivering letters within their own district is not a problem. The problem occurs when people living in these districts want to send a letter outside their district, because the postmen have no knowledge beyond their own district. To resolve this, we build a post office: letters from one district destined for the other are routed through the post office, which gives the letter to the appropriate postman for delivery. The post office represents layer 3 and the postmen represent layer 2.
Area 4, Active Directory Authentication
Active directory authentication is based on a user having an account in active directory and using those same credentials to access other services. Examples of other services include Wi-Fi access, Office 365 access and access to Moodle if included. The benefit is that only a single user account has to be set up. The alternative is individual accounts for each of the aforementioned services, which may result in users having different passwords for each service.
Area 5, Wi-Fi Controller
The network topology image above uses a Wi-Fi controller device. The controller manages the wireless access points and should authenticate users via the single network credential stored in active directory. The authentication method should be secure and usually relies on IEEE 802.1X, the standard for port-based network access control, which provides encrypted data passing from device to network.
Recent developments in high-end Wi-Fi are seeing the demise of Wi-Fi controllers: each access point keeps a copy of the wireless network configuration locally, without needing to contact a controller to read it. Basically, the wireless access points have got smarter and have more processing power. A second consideration is that the permanent failure of a Wi-Fi controller can be expensive if replacement is the only option, and the existing access points may also be unusable with a replacement controller.
Area 6, Microsoft Office 365
Microsoft provide schools with free Office 365, which provides free hosted email with 50GB of space per user, web conferencing, spam and malware protection and the Office applications via a web browser.
Microsoft also provide a site licence, or Open Value Subscription (OVS), which is priced by the number of full-time teachers. The OVS agreement then covers all the school's computers for the latest Microsoft Office products and, coupled with Office 365, gives staff and students the ability to download and install a licensed version of Microsoft Office on their home PC.
Microsoft have also introduced a product called Microsoft Classroom, which can be used to manage assignments, engage with students and improve collaboration.
The OVS also allows Windows 10 to be added for each of the school computers. We have found in the past that upgrading older PCs to Windows 10 can enhance their performance and extend their lifetime. Performance can be further enhanced by replacing standard SATA or IDE hard drives with solid state drives (SSDs) and, if required, upgrading the memory.
Integrating Office 365 with active directory allows your users to access Office 365 with the same credentials they use on the school network computers. If authentication is centralised and tied to active directory, the administrator has a single user account to manage. If a student leaves and the administrator disables the user account, access to Office 365 is disabled and downloaded copies of Office have their licence revoked.
Area 7, Wireless Devices
Wireless access points provide wireless access to devices that can authenticate to the network. They require power and a network connection, usually via a network cable.
Area 7.5, PoE Switch
Power over Ethernet (PoE) switches provide network access as with any other switch but have the extra functionality of providing power to the end device. Power can be provided to wireless access points or other low-powered devices such as CCTV cameras, eliminating the need for the device to have its own power supply or a power injector.
Area 8, Printers
Printers would usually be network enabled and managed by a dedicated print server to enable centralised management and driver installation to the local PCs. In addition to the printers, print management software can be deployed to control the use of printing, and if required a small charge for printing can be applied.
Area 9, Staff and Student PCs
Staff and student PCs are connected directly to a Layer 2 switch and authenticated by active directory.
Area 10, Layer 2 Switches
Layer 2 switches should be managed switches, with ports allocated to the relevant VLAN. Unused ports should be disabled for security purposes. All switches and servers should be kept in a secure locked room or cabinet.
Cloud Computing
Cloud Computing has in recent times become a buzzword; everyone has heard of it and believes everything will be in the cloud. Cloud Computing has a mystical sound to it, so credit to the team that came up with the name. To put it simply, Cloud Computing is hosting your servers or applications on someone else's premises and accessing them via the internet. The trade-off is speed, because access is via the internet and the resources you use are shared with many other users. The latest buzzword from the IT community is Hybrid Cloud, which aims to overcome the shortcomings of Cloud Computing.
Hybrid systems are becoming more common, where some parts of our computing are cloud based and other parts are in-house. The services that have been successful in the cloud are those not reliant on speed, including backups, email and failover. We often save documents to cloud services such as Dropbox and OneDrive, which allow us to access our files and folders from other devices. The Dropbox and OneDrive systems actually open and save your documents on your local PC and synchronise changes to the cloud service in the background; this in effect hides any delay in working with documents.
A hybrid system provides the best of both worlds: services that need to be quick are kept in-house and services that do not require speed can be cloud based. Cached copies of emails are saved to your local PC to avoid continually downloading your email from the cloud-based servers.
A hybrid cloud/in-house computing system can be compared to a hybrid car. While the electric car is economical and environmentally friendly it has restrictions: the distance it can travel on a fully charged battery and the time it takes to recharge. The hybrid car pairs a conventional petrol combustion engine with electric propulsion, allowing for longer travel distances while increasing the miles per gallon. The Achilles heel of cloud computing is broadband bandwidth.
There are certain factors to consider in understanding the limitations of the internet compared with a local area connection:
- Upload speed
- Download speed
- Latency
- Number of connected devices
- Contention ratio
Upload speed is usually much lower than download speed, and together they define the network bandwidth. Download speed relates to taking a file from a remote server and copying it to your device. Upload is the opposite: moving a file from your device to a remote server.
Image: speed test result, produced by http://www.speedtest.net/
Latency refers to how long it takes for a data packet to get from A to B and back to A, shown above as ping. Latency is governed by the number of devices the packet has to pass through, whether the traffic is being filtered, and the media used; fibre, copper and wireless are the most common media.
The number of devices connected to the broadband affects how the bandwidth is shared between them. Simply browsing the internet has little effect on the bandwidth, as a requested page usually downloads quite quickly and the user then spends time reading it before requesting another. Transferring files, on the other hand, takes longer, and the more users accessing files the longer they take to download. You also have to take account of the service provider and the number of users accessing its system.
Contention ratio is the number of users that share a broadband connection; if one user is continually streaming video they slow down the connection for all other users. Broadband providers often use a contention ratio where multiple broadband customers share the same 100Mb broadband connection. Ideally a 1:1 contention ratio gives you the 100Mb connection to the cabinet unshared. A 24:1 contention ratio could mean that you are sharing a 100Mb broadband connection with 24 broadband customers. Finally, the number of users on your premises accessing the internet produces its own contention ratio of N users to one 100Mb broadband connection, N:1.
We also need to appreciate the difference between Mb and MB. Mb refers to megabits and MB refers to megabytes; 1 Byte = 8 bits.
100Mbps = 12.5MBps (which is more relevant to moving data/files etc.)
We have seen over the past number of years that, as the number of users on a network has grown, internal network speeds have increased from 100Mbps to 1Gbps (1,000Mbps) and more recently to 10Gbps (10,000Mbps).
Moving all server resources to the cloud would be the equivalent of going back to 100Mbps, with the disadvantage of not getting the same bandwidth in both directions and the added effect of a large increase in the number of users sharing it.
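As an added example (not part of the article), a small Python model of the factors listed above, upload and download speed, contention ratio and user count, used to compare moving a file across the LAN with moving it to or from a cloud server. The broadband figures, contention ratio, user count and file size in it are constructed assumptions.

```python
# Added example: model the article's bandwidth factors to compare LAN and cloud transfers.
# All figures used below are constructed assumptions, not measurements.

def mbps_to_mbytes_per_s(mbps: float) -> float:
    """Mb refers to bits and MB to bytes, so 100 Mbps becomes 12.5 MB/s."""
    return mbps / 8.0


def effective_mbps(link_mbps: float, contention_ratio: int, local_users: int) -> float:
    """Worst-case share of a link available to one user.

    The ISP shares the link contention_ratio ways (24:1 is 24 customers on one
    100Mb connection), then the premises shares that slice N:1 among its own users.
    A LAN is modelled with contention_ratio=1 because the ISP is not involved.
    """
    if contention_ratio < 1 or local_users < 1:
        raise ValueError("contention ratio and user count must be at least 1")
    return link_mbps / contention_ratio / local_users


def transfer_seconds(file_mbytes: float, mbps: float) -> float:
    """Seconds to move file_mbytes megabytes at a throughput of mbps megabits/s."""
    return file_mbytes / mbps_to_mbytes_per_s(mbps)


def compare_lan_and_cloud(file_mbytes: float, down_mbps: float, up_mbps: float,
                          isp_contention: int, local_users: int,
                          lan_mbps: float = 1000.0) -> dict:
    """Seconds to move one file three ways: over a symmetric LAN, as a cloud
    download, and as a cloud upload (broadband is usually asymmetric)."""
    return {
        "lan": transfer_seconds(
            file_mbytes, effective_mbps(lan_mbps, 1, local_users)),
        "cloud_download": transfer_seconds(
            file_mbytes, effective_mbps(down_mbps, isp_contention, local_users)),
        "cloud_upload": transfer_seconds(
            file_mbytes, effective_mbps(up_mbps, isp_contention, local_users)),
    }


if __name__ == "__main__":
    # Constructed scenario: 100 MB file, 100/20 Mbps broadband at 24:1, ten active users.
    for name, secs in compare_lan_and_cloud(100, 100, 20, 24, 10).items():
        print(f"{name:15s} {secs:8.1f} s")
```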
An onsite server typically provides:
- Local DNS
- DHCP with multiple scopes for VLANs
- Shared file/folders
- Print Services
- Group Policy Management
- WSUS
- Active Directory Authentication
Local DNS provides translation between a local IP address and a friendly name for a network device.
DHCP supplies addressing for local network devices. The NCTE typically provides a school network with a maximum of 254 IP addresses. With the introduction of wireless networks, the number of addresses provided by the NCTE will be inadequate, so private addressing and the implementation of VLANs will be required. Typically, 4-5 VLANs may be required for a school network:
- VLAN1 – Servers, Switches and Printers
- VLAN2 – Desktop/Laptop Computers
- VLAN3 – Staff Wireless Devices
- VLAN4 – Student Wireless Devices
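An added example (not from the article) that plans those VLAN scopes with Python's standard ipaddress module: it checks whether the NCTE's single 254-address scope could cover the expected devices and, if not, carves one private subnet per VLAN and derives each DHCP range. The device counts per VLAN, the 25% headroom and the 10.0.0.0/16 supernet are assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed device counts per VLAN (assumptions for the example, not from the article).
VLAN_DEMAND = {
    "VLAN1 servers, switches, printers": 40,
    "VLAN2 desktop/laptop computers": 250,
    "VLAN3 staff wireless devices": 120,
    "VLAN4 student wireless devices": 900,
}
NCTE_SCOPE_HOSTS = 254   # one /24 worth of addresses, as the article describes
HEADROOM = 1.25          # keep 25% of each scope spare for growth (assumption)


@dataclass
class Scope:
    vlan: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address      # first usable address, the layer 3 switch interface
    dhcp_first: ipaddress.IPv4Address   # start of the pool handed out to clients
    dhcp_last: ipaddress.IPv4Address    # end of the pool


def fits_single_scope(demand: dict) -> bool:
    """True only if every device could share the single NCTE-provided scope."""
    return sum(demand.values()) <= NCTE_SCOPE_HOSTS


def prefix_for(devices: int) -> int:
    """Smallest prefix whose usable hosts (2**n - 2) cover devices, headroom and the gateway."""
    needed = int(devices * HEADROOM) + 1
    host_bits = 2
    while (2 ** host_bits) - 2 < needed:
        host_bits += 1
    return 32 - host_bits


def plan_scopes(demand: dict, supernet: str = "10.0.0.0/16") -> list:
    """Carve one private subnet per VLAN from the supernet, largest first.

    Allocating in descending size from an aligned base keeps each subnet aligned to
    its own block size, so nothing overlaps and no address space is wasted. Keeping
    servers, staff and student devices in separate subnets is what lets the layer 3
    switch police traffic between them.
    """
    base = ipaddress.ip_network(supernet)
    if not base.is_private:
        raise ValueError("VLAN scopes must come from private address space")
    cursor, limit = int(base.network_address), int(base.broadcast_address)
    scopes = []
    for vlan, devices in sorted(demand.items(), key=lambda kv: -kv[1]):
        net = ipaddress.IPv4Network((cursor, prefix_for(devices)))
        if int(net.broadcast_address) > limit:
            raise ValueError(f"{supernet} exhausted while placing {vlan}")
        hosts = list(net.hosts())
        scopes.append(Scope(vlan, net, hosts[0], hosts[1], hosts[-1]))
        cursor = int(net.broadcast_address) + 1
    return scopes


if __name__ == "__main__":
    print("single NCTE scope sufficient:", fits_single_scope(VLAN_DEMAND))
    for s in plan_scopes(VLAN_DEMAND):
        print(f"{s.vlan:34s} {str(s.network):15s} gw {s.gateway} dhcp {s.dhcp_first}-{s.dhcp_last}")
```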
Shared files and folders are common on networks, allowing users to access their own files when moving to another device. Sharing files between users cuts down on duplication of files and folders.
Print services are managed from a central location, and permissions through Active Directory control who uses each printer. Printers are shared with multiple users across one or more devices.
Group Policies allow us, for example, to deploy software to all PCs from a central location. They are also commonly used to map shared network drives, printers and other shared resources to a user when they log on to a device.
WSUS is a Windows update service that downloads required software updates and service packs from Microsoft to a central location; this requires a single download of updates, which can then be pushed out to all PCs requiring them. The alternative is each PC or laptop downloading Windows updates individually.
Active directory authentication allows a user to log onto the network with the correct credentials (username/password). Wireless access is authenticated in the same manner. Access to files and folders is also an Active directory authentication job, meaning that authentication is an ongoing process throughout a user's interaction with the network. With schools providing wireless access to students, on top of the usual number of computers in schools, the number of active connections could easily pass 1,000 devices.
Written by: Adrian D’Arcy