The correct configuration of the local network in a school or academy is essential, not only to have access to the Internet and to local resources, but also to avoid security problems caused by intrusions, both from outside and from within the local network itself. It is very important to have a global view of all the configurations we can carry out in a network of this type, and of what each technology or protocol we are going to apply is for. Today in RedesZone we are going to explain in a simple way everything that the network of any school or academy should have, and we will show you real configuration examples.
General configuration of the local network
Having a global view of the general configuration of the local network is critical, in order to know whether we are covering all the needs, both in terms of network operation and in terms of the security we have on the network. You may not have known that some of the protocols we are going to explain existed, or you may not know exactly what they are for. Next, we are going to explain everything that the local network of any school or academy should have, both in terms of hardware equipment and of the basic configuration you should put in place.
Professional router and configuration
The router is the most important device in the network: it is in charge of providing us with Internet connectivity and also with connectivity within the professional local network. It is very important to buy a professional router that has enough configuration options to satisfy our needs. For example, one of the models we recommend if you use D-Link switches and APs is the DSR-1000AC, a high-end model with really advanced configuration firmware. All of this router's ports are Gigabit Ethernet, and it can be configured with two Internet connections simultaneously (Dual-WAN) to have a redundant connection.
Some of the configurations that we could make to this router are the following:
- Dual-WAN: we can configure two Internet connections simultaneously, so that if one connection goes down the second one takes over, giving us connection failover. We could also use load balancing; in this way, clients will have a higher Internet connection speed, as some traffic will go through the first WAN and other traffic through the second WAN.
- VLANs: It is absolutely necessary that in a school or academy, we properly segment the network with VLANs. We can create an administration VLAN, another for teachers and finally another for students. VLANs allow us to isolate the traffic within them, so that a student cannot connect to the teachers’ network, either through the wired or wireless network.
- Firewall: thanks to the built-in firewall, we can create advanced rules to allow or deny Internet traffic.
- ACLs: we can create access control lists to block or allow traffic on the VLANs. This feature is very important to correctly manage what traffic is allowed or denied.
- VPN: we can configure VPN servers to connect to the school network remotely. This is essential to access shared school resources remotely and securely, since all the network traffic will be encrypted and authenticated.
- Site-to-Site VPN: if a school has several branches, we can interconnect them over the Internet using a site-to-site VPN; in this way, both schools can communicate with each other.
As you can see, with a professional router in our organization we will have great versatility when it comes to configuring the network securely.
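The VLAN and ACL items above describe a first-match policy between the administration, teachers and students VLANs. The following is an added example, not code from the article or from D-Link's firmware: a small evaluator that applies such a policy to sample flows, and shows that without any rule the inter-VLAN router simply forwards. All VLAN ids, subnets, addresses and rules are constructed.

```python
# Added example (not the article's or D-Link's code): a first-match inter-VLAN ACL
# evaluator for the administration / teachers / students segmentation described above.
# All VLAN ids, subnets and addresses are constructed sample values.
import ipaddress

VLANS = {  # constructed: VLAN id -> subnet routed for that VLAN
    10: ipaddress.ip_network("10.10.0.0/24"),  # administration
    20: ipaddress.ip_network("10.20.0.0/24"),  # teachers
    30: ipaddress.ip_network("10.30.0.0/24"),  # students
}

def vlan_of(ip):
    """VLAN id whose subnet contains ip; None for addresses outside the LAN (Internet)."""
    addr = ipaddress.ip_address(ip)
    return next((vid for vid, net in VLANS.items() if addr in net), None)

def evaluate(acl, src_ip, dst_ip):
    """Walk the ACL top-down; the first (src_vlan, dst_vlan, action) that matches wins.
    '*' matches any VLAN, including None (Internet). With no matching rule the
    inter-VLAN router simply forwards, which is the behaviour the text warns about."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    for rule_src, rule_dst, action in acl:
        if rule_src in ("*", src) and rule_dst in ("*", dst):
            return action
    return "permit"

# Constructed policy: students reach only the Internet, teachers may reach students,
# nobody but administration reaches the administration VLAN.
SCHOOL_ACL = [
    (30, 10, "deny"), (30, 20, "deny"),  # students -> admin / teachers
    (20, 10, "deny"),                    # teachers -> admin
    ("*", "*", "permit"),                # explicit final rule
]

def check_policy(acl):
    """Evaluate a few representative flows and return {name: action}."""
    flows = {
        "student->teacher": ("10.30.0.25", "10.20.0.7"),
        "student->internet": ("10.30.0.25", "203.0.113.10"),
        "teacher->student": ("10.20.0.7", "10.30.0.25"),
        "teacher->admin": ("10.20.0.7", "10.10.0.3"),
        "admin->student": ("10.10.0.3", "10.30.0.25"),
    }
    return {name: evaluate(acl, s, d) for name, (s, d) in flows.items()}

if __name__ == "__main__":
    print(check_policy(SCHOOL_ACL))  # with the ACL applied
    print(check_policy([]))          # without any ACL: every flow is permitted
```

Run `check_policy([])` to see the "no ACL on the L3 device" case: every inter-VLAN flow comes back as permit.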
Managed switches and configuration
Switches are a very important part of a school or academy: thanks to these devices we can connect dozens of devices to the network by cable, and we can also power the WiFi access points as long as we have a PoE (Power over Ethernet) switch. PoE switches allow us to power WiFi access points or IP cameras with just the Ethernet network cable, without the need for a nearby socket; in addition, we can power equipment at a great distance, much greater than a typical power adapter allows.
When configuring the switch, we must ensure that it has some very important features:
- VLANs: any managed switch is capable of handling VLANs to properly segment traffic; in this way, we can separate the networks of the teachers, the administration and the students in the classrooms. It is not only essential that the professional router supports VLANs in order to interconnect them when necessary; the switches must also have this configuration option if we want it to work correctly.
- ACLs: in the switches we can also implement access control lists, since we can block the traffic from certain connected devices to others, given that all of it must go through the switch. To isolate the VLANs from each other, it is normal to do so on the device responsible for inter-VLAN routing. There are L3 switches that allow VLANs to communicate with each other; in these cases the ACLs must be placed on the switch itself, otherwise the VLANs will be able to communicate with each other.
- Port Security: this function allows you to block a certain port, or directly turn it off, if a non-allowed computer is detected on it. A switch can have ports that are unused but still connected and reserved for certain devices, identified by their MAC address. If we configure this Port Security option, we will be filtering by MAC which devices can and cannot be connected.
- IP-MAC Binding: this function allows you to “bind” a specific IP address to a MAC address. Its objective is to protect the computers on the local network at the switch level, so that a computer with a given MAC cannot change its IP address to try to impersonate another computer.
- ARP Spoofing Prevention: this feature blocks any attempt to carry out an ARP spoofing attack; it is usually configured on the access switches (those closest to the end user). This feature is critical to maintaining the security of the local network.
- Link Aggregation: if we need higher bandwidth between two switches, we can create one logical link from two physical links. In this way, if our switches have 1Gbps ports but we need up to 2Gbps of bandwidth to another switch, we can virtually join two network cables and increase the available bandwidth. In this case, it is important to have a managed switch that allows you to change the load balancing algorithm: the more granular it is, the better the load balancing will be.
- QoS: this feature allows us to prioritize certain traffic over other traffic; in addition, we can also configure a bandwidth limiter per port, to prevent a single computer from consuming all the bandwidth of the network, whether from the Internet or from the local network.
- PoE: as we have explained before, if we have WiFi APs we can buy PoE switches to manage the power of these access points. An interesting feature is the possibility of turning off the access points at a certain time, with the aim of leaving the entire school without WiFi connectivity at night or on weekends, when it is not going to be used. In this way, we can save a lot of energy.
- Management: currently the vast majority of switches are managed locally via the web; however, we can also buy switches that are managed centrally, with either Nuclias Connect or Nuclias Cloud. This allows us to configure the switches much more easily, without having to go one by one.
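The Port Security, IP-MAC Binding and ARP Spoofing Prevention items above all act on the access switch when a frame arrives. The following is an added example, not code from the article or from any switch vendor: a small model of those three checks applied to a constructed sequence of ARP replies on a student-VLAN switch, recording why each one is accepted or dropped. Port names, MAC addresses and IPs are sample values.

```python
# Added example (not the article's or D-Link's code): a model of the three access-switch
# checks described above (Port Security, IP-MAC Binding, ARP Spoofing Prevention) applied
# to a constructed sequence of ARP replies. Ports, MACs and IPs are sample values.
from dataclasses import dataclass, field

@dataclass
class AccessSwitch:
    port_allowed_macs: dict = field(default_factory=dict)  # Port Security: port -> allowed MACs
    ip_mac_binding: dict = field(default_factory=dict)     # IP-MAC Binding: IP -> its one MAC
    shutdown_ports: set = field(default_factory=set)       # ports turned off after a violation
    log: list = field(default_factory=list)

    def check_arp_reply(self, port, src_mac, src_ip):
        """Return 'accept' or the reason the frame was dropped, as the switch would decide."""
        if port in self.shutdown_ports:
            reason = "port-shutdown"
        elif src_mac not in self.port_allowed_macs.get(port, set()):
            self.shutdown_ports.add(port)        # Port Security: unknown MAC, turn the port off
            reason = "port-security-violation"
        elif self.ip_mac_binding.get(src_ip, src_mac) != src_mac:
            reason = "arp-spoof-drop"            # this IP is bound to a different MAC
        else:
            reason = "accept"
        self.log.append((port, src_mac, src_ip, reason))
        return reason

def run_sample():
    """Feed constructed ARP replies from a student-VLAN access switch; return the decisions."""
    sw = AccessSwitch(
        port_allowed_macs={"port1": {"aa:aa:aa:00:00:01"}, "port2": {"aa:aa:aa:00:00:02"}},
        ip_mac_binding={
            "10.30.0.1": "aa:aa:aa:00:00:fe",   # the VLAN gateway
            "10.30.0.11": "aa:aa:aa:00:00:01",  # PC on port1
            "10.30.0.12": "aa:aa:aa:00:00:02",  # PC on port2
        },
    )
    observed = [
        ("port1", "aa:aa:aa:00:00:01", "10.30.0.11"),  # legitimate reply
        ("port2", "aa:aa:aa:00:00:02", "10.30.0.1"),   # PC2 answers for the gateway IP
        ("port2", "aa:aa:aa:00:00:02", "10.30.0.12"),  # PC2 legitimate again, port stays up
        ("port1", "aa:aa:aa:00:00:99", "10.30.0.11"),  # unknown MAC plugged into port1
        ("port1", "aa:aa:aa:00:00:01", "10.30.0.11"),  # original PC, but port1 is now off
    ]
    return [sw.check_arp_reply(*frame) for frame in observed]

if __name__ == "__main__":
    for entry in run_sample():
        print(entry)
```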
Professional APs with centralized management
All professional WiFi access points can create several WiFi networks (SSIDs) simultaneously; in addition, they allow a certain SSID to be assigned to a certain VLAN to properly segment the wireless traffic of different clients. Depending on the name of the WiFi network they connect to, clients will be placed in one VLAN or another wirelessly, just as happens on the switch side. What we should look at when buying a WiFi AP is:
- WiFi features: it is essential that they are simultaneous dual-band with the new Wi-Fi 6 standard. Depending on the number of simultaneous clients, we will have to choose between equipment with two antennas (2×2), three antennas (3×3) or four antennas (4×4), so that it works properly and the WiFi network does not become saturated.
- Wired connectivity: if we are going to install a high-end Wi-Fi 6 AP, it is very important that it has a 2.5G Multigigabit port or higher; otherwise we will have a bottleneck in the wired network. Of course, it is also very important that the switch has 2.5G Multigigabit ports with PoE, to adequately power the APs and provide them with the maximum possible speed.
At the software level, it is very important to know what form of management the WiFi access point has:
- Management with a local controller: this is a computer running software that centrally monitors and manages all the WiFi access points. It can also be a hardware device that runs this same software internally. In the case of the manufacturer D-Link, we are talking about Nuclias Connect, both in its software version and in the DNH-100, which integrates Nuclias Connect. We should know that this has no cost at the license level; we only need to install the software or buy the DNH-100 to centrally manage the APs from the manufacturer’s DAP range.
- Management with a cloud controller: in this case the monitoring and administration are done through the cloud; we do not need a computer or any hardware device, everything is in the cloud. In the case of D-Link it is called Nuclias Cloud, and it is one of the most advanced management platforms for APs and switches that currently exist. An important aspect is that it works with licenses for each device, something you must take into account.
Other equipment that you should value
If you want centralized management of compatible switches and APs, a device you should buy is the DNH-100, which incorporates Nuclias Connect. This will allow you to centrally manage and monitor all the switches and APs we have installed, and to push updates to all of them simultaneously. If you have Nuclias Cloud you will not need it, because the controller is in the cloud. If you don’t want to buy this device, you can always use any computer as a “server” on which to install the Nuclias Connect software; however, you must bear in mind that it will have to be permanently on.
Other equipment you should consider installing on the network of your school or academy is a NAS server; this type of device gives us storage connected to the network and accessible both from the local network and from the Internet. We can create a set of folders with different permissions for the school administration, the teachers and even the students. In addition, with a powerful NAS server we could virtualize an operating system like Windows and install Nuclias Connect on it, to have complete control of the switches and APs without needing anything else.
As you have seen, setting up the network of a school or academy involves many considerations, both in terms of the technical characteristics of routers, switches and APs, and of the configuration options they offer and what those options make possible.