Hi everybody. I recently started working at a small local school system in the IT department. My background is in hardware and software deployment and troubleshooting, but I'm really looking to expand into Networking in a big way. Our system is comprised of 5 school campuses in a small area, with one being the furthest away in a nearby rural township. I've been poring over the Meraki dashboard for the last few days and watching some overview/deep dive videos on Meraki. I am gaining some knowledge through that, but I'd really like to ask some specific questions to get guidance on.
Here are some observations so far, and I'd love to hear people's thoughts on these.
1) It looks like our Middle School facility is on VLAN 1. I have been doing some research where people are saying not to use VLAN 1. Another management VLAN can be designated, but I didn't know if it was as simple as that with no 'side effects'.
2) Should all Wi-Fi devices be on their own VLAN for optimizing traffic? It was a suggestion I read elsewhere, I just want to sound it out and reason on it.
3) Would tagging or subnets be useful for a small school system? I am seeing that not much is tagged, and I think there are very few subnets here as well. Is a subnet indicated by an IP address ending with a /28 or a similar value?
(1) What a discussion topic! Being in a school environment, I would plan/expect students to be trying to do things on purpose. Things to cause trouble. As such, I would keep student traffic separate from everything else. I would try and keep them away from the management interface for everything. In the past there were also concerns about VLAN hopping attacks, but I feel the attack vector for this is less prevalent these days.
(2) Another great question. I think the answer relates to a matter of scale. I'm going to assume you have at least 200 WiFi devices. At that scale, I would put the WiFi devices on their own separate VLAN. Personally, I think at this (or larger) scale it is easier to manage with a separate VLAN for WiFi.
(3) I find this difficult to answer without knowing more. Typically I would be using several VLANs (each VLAN represents a subnet). A VLAN for student WiFi (due to my lack of trust in students). If you have servers, a VLAN for that (then you can create firewall rules between students and servers and only allow access to what is required). I would probably have a separate VLAN for staff. I might even have another VLAN for "admin". It depends on how big each of these is, and how much of your environment is using on-premise servers versus cloud.
Thanks! I will look into moving student traffic to a separate VLAN. Also, would you recommend moving the Middle School off VLAN 1 or changing the management VLAN to something else? Whichever method, what do I need to take into consideration first and what pitfalls should I look out for? Thanks again.
I'm going to shoot for creating a new VLAN and making it Management. Just so I'm clear, I'm not doing this on an individual switch, but through switch settings under the dashboard, correct? Then I have to reboot the switch for the changes to take effect, and in this case it's the MX250 that controls everything here at the Middle School. And as far as I'm aware, I don't have to change any IP addresses or Trunk port VLANs, but correct me if I'm wrong. Thanks!