Re: Enable / disable internet access in selected classrooms
- From: Mike Dorn <mrdorn@xxxxxxxx>
- Date: Sun, 24 Sep 2006 03:37:33 -0500
Geir Holmavatn wrote:
Hi,
We have several classrooms networked (wired ethernet) which need continous access to the domain controller (which has DHCP and DNS) and in addition, internet access only when allowed by the teacher.
The router / firewall IP is on the same subnet as the domain controller. A small sketch of a similar system is available here (with separate switches for internet and domain controller):
http://www.kuntigi.net/download/ClassroomLAN.jpg
How can we avoid connecting ALL classrooms to the internet once the gateway cable is connected to the domain controller net in *one* classroom?
All classrooms which have the blue cable (in the sketch) plugged into one of the classroom switch' ports will have internet access, and no access when this blue cable is uplugged.
The domain controller subnet switch (in the sketch) need to have each port isolated from each other so an interconnection between black (domain controller net) and blue (gateway net) in selected classrooms does not influence internet access for the rest of the classrooms.
Thanks if someone have some bright ideas ;-)
regards Geir
I won't absolutely guarantee this will work, as it's late at night, but we'll let the rest of the group filter it for potential gotchas. (I THINK it's ok.)
1) Replace your two central switches with layer-3 switches that have full IP routing services. You can keep the cheap switches for everything else. You're going to configure all of the ports on both new switches as Layer-3 routed ports, with IP addresses. (So the switches act like many-port ethernet routers.) As in your drawing, switch 1 connects to your server(s), and switch 2 connects to the internet.
2) You'll need to change your internal address space. Exactly what numbering system you come up with depends on your situation--I'll assume you know how to do that, and just use letters for the network portion of the address in the remaining descriptions; you can fill in the numbers based on what you come up with. Assign a separate IP subnet to each classroom (A,B,C,...). Assign another subnet for use by your domain controller (X). Another subnet for the firewall (Y), and one final subnet (Z) to connect your two layer-3 switches. Set up each classroom as a separate DHCP scope on your domain controller, giving the PCs in that scope the ".1" address of their subnet for a default gateway. Reserve at least the .2 and .3 as well; you'll need them.
3) Connect the LAST port (24?) on switch ONE to your domain controller. (Or if you've got several types of server systems, put them on another small switch, and connect that to switch ONE. Configure the interface with IP address X.1. Your domain controller will be X.10, any other servers will be X.something. All servers in this subnet will have a default gateway of X.1.
4) Connect the LAST port on switch TWO to your firewall. Configure the switch interface as Y.1, and the firewall as Y.254.
5) Connect the NEXT-TO-LAST ports on switches ONE & TWO to each other. Switch ONE, port 23 gets address Z.1. Switch TWO, port 23 gets Z.2. The interface on switch TWO also gets "ip access-group 101 in".
6) Create an access list 101 on switch TWO to permit only ip packets with a source address in subnet X. Since this access list is applied to the inter-switch connection, it prevents anything from the classrooms on switch ONE from entering switch TWO, and allows only traffic from the server subnet.
7) Add a static route on switch ONE, to reach the internet (0.0.0.0) via Z.2.
Put static routes on switch TWO to reach the server subnet via Z.1, and to reach the internet via Y.254. IF you also need direct communication between computers &/or printers in different classrooms, add one more static route on TWO, to point all traffic for your entire inside address space to Z.1. (Note that this MUST be a single route with a shorter net mask than the others, or you will have trouble!)
8) Classroom A gets a black cable to port 1 of switch ONE and a blue cable to port 1 of switch TWO. Switch ONE, port 1 gets IP address A.2. Switch TWO, port 1 gets IP address A.3. The two switches share an HSRP address of A.1, with priority set to prefer the interface on switch TWO. On BOTH switches, configure port 1 with "ip helper-address X.10". This will route DHCP requests to your domain controller.
(Repeat step 8 for the remaining classrooms B,C,D... on ports 2,3,4...)
Now you've got a system that will behave exactly the way you originally intended, with the only control you need being the insertion or removal of the blue cable in each classroom. The server subnet can always reach the internet, but classrooms can only reach the internet if their blue cable is in.
Switch selection is controlled by the use of Hot Standby Router Protocol. Since all the PCs are configured to use .1 addresses for their default gateway, whichever switch owns the .1 for a given subnet will receive all of their traffic. Switch TWO gets it by the priority setting, unless the blue cable is unplugged. Both switches' classroom ports are configured to pass DHCP requests to the domain controller, and both can reach it, thanks to the static route on switch TWO. DHCP responses from the domain controller can come back to switch TWO via the inter-switch cable, and DNS requests from the domain controller can reach the internet, but internet requests from classrooms attached to switch ONE cannot.
If classroom A has its blue cable in and classroom B does not, internet-bound packets from B cannot pass thru A to get there, because the traffic is now controlled by layer-3 rules instead of layer-2. The static route in switch ONE forces all internet-bound packets to the inter-switch cable, but the ACL on switch TWO will drop everything that didn't come from the server subnet.
Other misc traffic between the domain controller and classroom computers (or printers) may follow a circuitous (but usable) path, as the server subnet can always pass traffic to any classroom thru the switch ONE ports, but traffic from the classroom to the server subnet will prefer switch TWO if the blue cable is in. Alternatively, you can configure printers to use .2 as their default gateway, so they'll always use switch ONE. If you added the extra route in step 7, PC-PC or PC-Printer traffic from A can reach destinations in B by routing up thru switch ONE.
Good luck!
.
- References:
- Enable / disable internet access in selected classrooms
- From: Geir Holmavatn
- Enable / disable internet access in selected classrooms
- Prev by Date: Re: Blocking unauthorized remote access
- Next by Date: Re: Blocking unauthorized remote access
- Previous by thread: Re: Enable / disable internet access in selected classrooms
- Next by thread: Is this possible?
- Index(es):
Relevant Pages
|
