Questions about Meraki for school system

JMY34
Getting noticed

Questions about Meraki for school system

Hi everybody. I recently started working at a small local school system in the IT department. My background is in hardware and software deployment and troubleshooting, but I'm really looking to expand into Networking in a big way. Our system is comprised of 5 school campuses in a small area, with one being the furthest away in a nearby rural township. I've been poring over the Meraki dashboard for the last few days and watching some overview/deep dive videos on Meraki. I am gaining some knowledge through that, but I'd really like to ask some specific questions to get guidance on.

 

Here are some observations so far, and I'd love to hear people's thoughts on these.

 

1) It looks like our Middle School facility is on VLAN 1. I have been doing some research where people are saying not to use VLAN 1. Another management VLAN can be designated, but I didn't know if it was as simple as that with no 'side effects'.

 

2) Should all Wi-Fi devices be on their own VLAN for optimizing traffic? It was a suggestion I read elsewhere, I just want to sound it out and reason on it.

 

3) Would tagging or subnets be useful for a small school system? I am seeing that not much is tagged, and I think there are very few subnets here as well. Is a subnet indicated by an IP address ending with a /28 or a similar value?

 

Thank you very much for your guidance and help.

5 Replies 5
PhilipDAth
Kind of a big deal
Kind of a big deal

(1) What a discussion topic!  Being in a school environment, I would plan/expect students to be trying to do things on purpose.  Things to cause trouble.  As such, I would keep student traffic separate from everything else.  I would try and keep them away from the management interface for everything.
In the past there were also concerns about VLAN hopping attacks, but I feel the attack vector for this is less prevalent these days.

 

(2) Another great question.  I think the answer relates to a matter of scale.  I'm going to assume you have at least 200 WiFi devices.  At that scale, I would put the WiFi devices on their own separate VLAN.  Personally, I think at this (or larger) scale it is easier to manage with a separate VLAN for WiFi.

 

(3) I find this difficult to answer without knowing more.  Typically I would be using several VLANs (each VLAN represents a subnet).  A VLAN for student WiFi (due to my lack of trust in students).  If you have servers, a VLAN for that (then you can create firewall rules between students and servers and only allow access to what is required).  I would probably have a separate VLAN for staff.  I might even have another VLAN for "admin".  It depends on how big each of these is, and how much of your environment is using on-premise servers versus cloud.

JMY34
Getting noticed

Thanks! I will look into moving student traffic to a separate VLAN. Also, would you recommend moving the Middle School off VLAN 1 or changing the management VLAN to something else? Whichever method, what do I need to take into consideration first and what pitfalls should I look out for? Thanks again.

PhilipDAth
Kind of a big deal
Kind of a big deal

>Also, would you recommend moving the Middle School off VLAN 1 or changing the management VLAN to something else?

 

I would do whichever of the two was easiest.

JMY34
Getting noticed

I'm going to shoot for creating a new VLAN and making it Management. Just so I'm clear, I'm not doing this on an individual switch, but through switch settings under the dashboard, correct? Then I have to reboot the switch for the changes to take effect, and in this case it's the MX250 that controls everything here at the Middle School. And as far as I'm aware, I don't have to change any IP addresses or Trunk port VLANs, but correct me if I'm wrong. Thanks!

alemabrahao
Kind of a big deal
Kind of a big deal

In addition to @PhilipDAth observations, I advise you to hire a specialized consultancy. Despite being something relatively simple, without the technical knowledge it can make things "painful"

I am not a Cisco Meraki employee. My suggestions are based on documentation of Meraki best practices and day-to-day experience.

Please, if this post was useful, leave your kudos and mark it as solved.
Get notified when there are additional replies to this discussion.
Welcome to the Meraki Community!
To start contributing, simply sign in with your Cisco account. If you don't yet have a Cisco account, you can sign up.