Use

Use 'virtual networks' to separate instructional and administrative computing

By Steven Moskowitz

(Reprinted from the November 2000 issue of eSchool News)

Savvy school network administrators can take advantage of the latest generation of network switches to save bandwidth and increase network security at the same time. How? By implementing "virtual" local area networks, or VLANs, to separate instructional from administrative functions over the same network pipeline.

You can use VLANs to separate larger networks into a series of logical subgroups using software and network hardware instead of manually moving cables and ports in a wiring closet. VLAN technology lets you group specific computers into logically defined "communities" of interest. These communities could include an administrative network, the science department, the library, or any other important network resource. VLANs limit traffic over the LAN, reduce the demand for bandwidth, allow network traffic to flow more efficiently, and improve network performance dramatically.

To understand the power of VLAN technology in an educational environment, consider how school networks traditionally were designed and implemented. The first school networks were instructionally driven and were lab-based. These networks weren't necessarily linked together outside the classroom. Administrative and instructional networks often were placed on separate cabling systems and were never connected together.

Now, consider the trend in school networking during the last few years. Schools are enhancing their infrastructures by installing large-scale structured cabling systems with internet connectivity. These networks can run hundreds of computers at once. But how can you ensure that performance and security will not be compromised by connecting together all of these resources? Enter the VLAN.

A VLAN can be a tremendous asset in a school environment because it establishes separate "domains" for computer users and applications, while creating an overall blueprint for how the network will be used. As an example, consider the following practical model of a high school building that recently was cabled. All rooms in the building were cabled with fiber or copper cable, and all computers are connected to the central wiring closets. This building also houses the central district office. There are two file servers here-one instructional and one administrative-and a CD-ROM server located in the library. All teachers need to access school attendance data, as well as instructional applications, from their classrooms. The administrative office needs to access the instructional file server as well as the administrative one. Both teachers and administrators need to share the closet electronics and internet connection.

A VLAN can be created through which only administrators and teachers have access to the administrative server. Student workstations will be totally blocked out from this server, thus securing important data. While security is critical, it is only one advantage of a VLAN. A VLAN also can be established for each specific department or work group-such as a computer-aided drafting (CAD) lab-thereby giving them direct access to the instructional file server or the router and substantially increasing network bandwidth and performance.

How do VLANs work?

VLANs work by combining information from a computer and its network connection to create a "virtual" network group. This is done by merging the computer's MAC (Media Access Control) address and the port address from the network hardware into a single logical group, as opposed to a physical group. The MAC address is the computer's unique hardware number; on an Ethernet LAN, it's the same as your Ethernet address. The port address is the physical port the computer is plugged into inside the network wiring closet.

VLAN software has the ability to accept this information, combine it as a single identifier, and create a logical group with specific access privileges. What is unique to a VLAN is its ability to create a group in which users aren't necessary co-located to each other physically, thereby segmenting the network according to various user groups.

VLAN solutions, which are proprietary in nature, are implemented in LAN switches, and the LAN administrator defines VLAN membership using the software that configures the switches. Without VLANs, you could break up flat networks by inserting a router between the subnets, but this is a complex and hard-to-manage solution. VLANs can increase the efficiency of your network traffic while remaining transparent to the network end-user.

Planning and implementing a VLAN

To create a VLAN, you'll need manageable network switches or hubs such as the ones made by 3Com, Cisco, or Intel. These are readily available, and prices are substantially lower than they were a few years ago when they first were introduced. If you are committed to implementing a VLAN, I recommend that you purchase network hardware made by one company. This will greatly simplify the project.

The first step is to plan and organize your network according to its applications and their users. The following questions may apply:

Which network users need access to student and financial data (and which don't)?
Do all users need to be connected to the internet?
Which users need to share files on the network?
Do these users share any computers?
Where are these users located on the network?

To establish logical groups with appropriate access privileges, you'll need the MAC addresses and network hardware ports for the computers of users whom you want to group together.

Can you do it yourself? Yes, if you plan the project well and have a fair amount of network expertise. Once your network is in place, you will need to run network management software to create and configure the VLAN. This software is available from the network hardware manufacturer. For example, if you establish a VLAN using 3Com network hardware, you would run Transcend Management Software, a software application from 3Com used to configure the network.

Usually, the hardware manufacturer will provide technical assistance. If you contact the manufacturer before you purchase the equipment, the company often will send an engineer to your district to set things up for you at little or no charge.

The design of large, building-wide networks in schools should be taken as seriously as that of larger corporate networks. School networks must be planned and managed to ensure they will run as efficiently and effectively as possible-and VLANS are tools that can make this concept a reality.

Steven Moskowitz is the director of technology for Brewster School District in New York.