Enable / disable internet access in selected classrooms

Hi,

We have several classrooms networked (wired ethernet) which need
continous access to the domain controller (which has DHCP and DNS) and
in addition, internet access only when allowed by the teacher.

The router / firewall IP is on the same subnet as the domain controller.
A small sketch of a similar system is available here (with separate
switches for internet and domain controller):

http://www.kuntigi.net/download/ClassroomLAN.jpg

How can we avoid connecting ALL classrooms to the internet once the
gateway cable is connected to the domain controller net in *one* classroom?

All classrooms which have the blue cable (in the sketch) plugged into
one of the classroom switch' ports will have internet access, and no
access when this blue cable is uplugged.

The domain controller subnet switch (in the sketch) need to have each
port isolated from each other so an interconnection between black
(domain controller net) and blue (gateway net) in selected classrooms
does not influence internet access for the rest of the classrooms.

Thanks if someone have some bright ideas ;-)

regards Geir

Re: Enable / disable internet access in selected classrooms

"Geir Holmavatn" wrote in message
news:4n8gaiF9655rU1@individual.net...
> Hi,
>
> We have several classrooms networked (wired ethernet) which need continous
> access to the domain controller (which has DHCP and DNS) and in addition,
> internet access only when allowed by the teacher.
>
> The router / firewall IP is on the same subnet as the domain controller. A
> small sketch of a similar system is available here (with separate switches
> for internet and domain controller):
>
> http://www.kuntigi.net/download/ClassroomLAN.jpg
>
> How can we avoid connecting ALL classrooms to the internet once the
> gateway cable is connected to the domain controller net in *one*
> classroom?
>
> All classrooms which have the blue cable (in the sketch) plugged into one
> of the classroom switch' ports will have internet access, and no access
> when this blue cable is uplugged.
>
> The domain controller subnet switch (in the sketch) need to have each port
> isolated from each other so an interconnection between black (domain
> controller net) and blue (gateway net) in selected classrooms does not
> influence internet access for the rest of the classrooms.
>
> Thanks if someone have some bright ideas ;-)
>
> regards Geir

I'm not experienced with larger networks,but sine there has been nor other
response, I can offer some ideas.
What is you equipment budget? Can you afford additional routers/switches?
I don't know of any way to have two separate uplink cables from a single
router.
However, linux will support multiple ethernet cards, so in each computer you
could have one configured for local access, and one for internet access.
Have a second router in each class, one local and one internet.

You mention continuous access to the domain controller - why is this? I
would find a work around to this. Perhaps the real need which the domain
controller serves can be met in other ways.

If not, then set up a shell script to change your firewall settings to
allow/disallow a specified classroom router from calling out.

If you are using an actual linux computer as your firewall/router this would
be easy. If you have a firewall appliance, then it should be possible to set
up such a script.

I can't say if this will work, as I do not have the equipment here to test
it.

Stuart

Re: Enable / disable internet access in selected classrooms

Geir Holmavatn wrote:

> Hi,
>
> We have several classrooms networked (wired ethernet) which need
> continous access to the domain controller (which has DHCP and DNS) and
> in addition, internet access only when allowed by the teacher.
>
> The router / firewall IP is on the same subnet as the domain controller.
> A small sketch of a similar system is available here (with separate
> switches for internet and domain controller):
>
> http://www.kuntigi.net/download/ClassroomLAN.jpg
>
> How can we avoid connecting ALL classrooms to the internet once the
> gateway cable is connected to the domain controller net in *one* classroom?
>
> All classrooms which have the blue cable (in the sketch) plugged into
> one of the classroom switch' ports will have internet access, and no
> access when this blue cable is uplugged.
>
> The domain controller subnet switch (in the sketch) need to have each
> port isolated from each other so an interconnection between black
> (domain controller net) and blue (gateway net) in selected classrooms
> does not influence internet access for the rest of the classrooms.
>
> Thanks if someone have some bright ideas ;-)
>
> regards Geir

I won't absolutely guarantee this will work, as it's late at night, but we'll
let the rest of the group filter it for potential gotchas. (I THINK it's ok.)

1) Replace your two central switches with layer-3 switches that have full IP
routing services. You can keep the cheap switches for everything else. You're
going to configure all of the ports on both new switches as Layer-3 routed
ports, with IP addresses. (So the switches act like many-port ethernet
routers.) As in your drawing, switch 1 connects to your server(s), and switch 2
connects to the internet.

2) You'll need to change your internal address space. Exactly what numbering
system you come up with depends on your situation--I'll assume you know how to
do that, and just use letters for the network portion of the address in the
remaining descriptions; you can fill in the numbers based on what you come up
with. Assign a separate IP subnet to each classroom (A,B,C,...). Assign
another subnet for use by your domain controller (X). Another subnet for the
firewall (Y), and one final subnet (Z) to connect your two layer-3 switches.
Set up each classroom as a separate DHCP scope on your domain controller, giving
the PCs in that scope the ".1" address of their subnet for a default gateway.
Reserve at least the .2 and .3 as well; you'll need them.

3) Connect the LAST port (24?) on switch ONE to your domain controller. (Or if
you've got several types of server systems, put them on another small switch,
and connect that to switch ONE. Configure the interface with IP address X.1.
Your domain controller will be X.10, any other servers will be X.something. All
servers in this subnet will have a default gateway of X.1.

4) Connect the LAST port on switch TWO to your firewall. Configure the switch
interface as Y.1, and the firewall as Y.254.

5) Connect the NEXT-TO-LAST ports on switches ONE & TWO to each other. Switch
ONE, port 23 gets address Z.1. Switch TWO, port 23 gets Z.2. The interface on
switch TWO also gets "ip access-group 101 in".

6) Create an access list 101 on switch TWO to permit only ip packets with a
source address in subnet X. Since this access list is applied to the
inter-switch connection, it prevents anything from the classrooms on switch ONE
from entering switch TWO, and allows only traffic from the server subnet.

7) Add a static route on switch ONE, to reach the internet (0.0.0.0) via Z.2.
Put static routes on switch TWO to reach the server subnet via Z.1, and to reach
the internet via Y.254. IF you also need direct communication between computers
&/or printers in different classrooms, add one more static route on TWO, to
point all traffic for your entire inside address space to Z.1. (Note that this
MUST be a single route with a shorter net mask than the others, or you will have
trouble!)

8) Classroom A gets a black cable to port 1 of switch ONE and a blue cable to
port 1 of switch TWO. Switch ONE, port 1 gets IP address A.2. Switch TWO, port
1 gets IP address A.3. The two switches share an HSRP address of A.1, with
priority set to prefer the interface on switch TWO. On BOTH switches, configure
port 1 with "ip helper-address X.10". This will route DHCP requests to your
domain controller.

(Repeat step 8 for the remaining classrooms B,C,D... on ports 2,3,4...)

Now you've got a system that will behave exactly the way you originally
intended, with the only control you need being the insertion or removal of the
blue cable in each classroom. The server subnet can always reach the internet,
but classrooms can only reach the internet if their blue cable is in.

Switch selection is controlled by the use of Hot Standby Router Protocol. Since
all the PCs are configured to use .1 addresses for their default gateway,
whichever switch owns the .1 for a given subnet will receive all of their
traffic. Switch TWO gets it by the priority setting, unless the blue cable is
unplugged. Both switches' classroom ports are configured to pass DHCP requests
to the domain controller, and both can reach it, thanks to the static route on
switch TWO. DHCP responses from the domain controller can come back to switch
TWO via the inter-switch cable, and DNS requests from the domain controller can
reach the internet, but internet requests from classrooms attached to switch ONE
cannot.

If classroom A has its blue cable in and classroom B does not, internet-bound
packets from B cannot pass thru A to get there, because the traffic is now
controlled by layer-3 rules instead of layer-2. The static route in switch ONE
forces all internet-bound packets to the inter-switch cable, but the ACL on
switch TWO will drop everything that didn't come from the server subnet.

Other misc traffic between the domain controller and classroom computers (or
printers) may follow a circuitous (but usable) path, as the server subnet can
always pass traffic to any classroom thru the switch ONE ports, but traffic from
the classroom to the server subnet will prefer switch TWO if the blue cable is
in. Alternatively, you can configure printers to use .2 as their default
gateway, so they'll always use switch ONE. If you added the extra route in step
7, PC-PC or PC-Printer traffic from A can reach destinations in B by routing up
thru switch ONE.

Good luck!