Best practice question: preventing students from accessing other VLANs and subnets

  • 1
  • Question
  • Updated 5 years ago
  • Answered
Should I use firewall rules in the user profile, or is there a better method to prevent students from browsing the network? This is an Apple network, and even though I have assigned VLANs and subnets based on the student SSID, I can still browse the entire network using Finder.

Thanks for the pointer in advance.

Kurt
Kurt Kidder


Posted 5 years ago

  • 1
Mike Kouri, Official Rep

Kurt,

Do you want to lock them down forever, or only during (certain) class hours? If you want to offer unfettered (other than typical "protect the children" filtering done at the internet gateway or by your ISP) access most of the time, but lock them down during class to only the sites the teacher permits, then you might want to look into our Teacherview / StudentManager apps.

Or did I misunderstand the request and what you really want to do is limit them to the student SSID and subnets and prevent them from getting to, for example, the administration VLANs and subnets?
Kurt Kidder

Hi Mike,

The latter is to the point. I wanted some guidance on best practice to prevent "what you really want to do is limit them to the student SSID and subnets and prevent them from getting to, for example, the administration VLANs and subnets?"
I currently have teacher, student, and admin SSIDs set up, assigning a separate VLAN to each and putting them in different subnets. I am also running Bonjour across the same VLANs. Using Finder, a student laptop (MBA) can view other network devices outside of his subnet and VLAN. I think by establishing firewall rules I can prevent this from happening; however, I will need the teachers to be able to control the student devices via LanSchool.

Thanks for the pointers in advance!

Kurt
Kurt Kidder

Hi Mike,

I guess I was getting the cart before the horse, so to speak. Our setup is fine: trunk ports on the switches, with the SSIDs tagging the VLANs. I have the guests firewalled off of the production network. Browsing across the subnets is not happening except where there is a Bonjour service running on a particular client device.

Next step is 802.1X.

Thanks
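The two posts above describe the policy Kurt ended up needing: student devices must not initiate connections into the teacher or admin subnets, teachers must still reach student machines for LanSchool, and a Bonjour gateway makes services visible in Finder across VLANs even though the unicast connection that follows is still subject to the inter-VLAN firewall. The following Python model is an added example, not code from this thread or from the vendor's product; the subnets (10.10.10.0/24, 10.10.20.0/24, 10.10.30.0/24), the stateful first-match rule set, and the LanSchool control port 796 are assumptions chosen for illustration and should be checked against the real deployment.

```python
"""Model of an inter-VLAN firewall policy for a student/teacher/admin split.

Added example, not code from the thread or the vendor. The addressing, the
rule set and the LanSchool port are assumptions chosen for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed per-SSID subnets (constructed for this example).
VLANS = {
    "admin":   ipaddress.ip_network("10.10.10.0/24"),
    "teacher": ipaddress.ip_network("10.10.20.0/24"),
    "student": ipaddress.ip_network("10.10.30.0/24"),
}
MDNS_GROUP = "224.0.0.251"   # link-local multicast group used by Bonjour/mDNS
LANSCHOOL_PORT = 796         # assumed LanSchool control port; verify against your deployment


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str  # "tcp" or "udp"


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src_vlan: str               # VLAN name or "any"
    dst_vlan: str
    proto: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, flow: Flow) -> bool:
        return (self.src_vlan in ("any", vlan_of(flow.src))
                and self.dst_vlan in ("any", vlan_of(flow.dst))
                and self.proto in ("any", flow.proto)
                and self.dport in (None, flow.dport))


def vlan_of(ip: str) -> str:
    """Name the VLAN an address belongs to, or 'other' for internet/multicast."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "other"


def is_mdns(flow: Flow) -> bool:
    return flow.proto == "udp" and flow.dport == 5353 and flow.dst == MDNS_GROUP


# First match wins. Teacher -> student LanSchool is allowed explicitly before the
# student -> teacher/admin denies; everything else (internet, teacher <-> admin,
# student <-> student) falls through to the final allow.
POLICY = [
    Rule("allow", "teacher", "student", "tcp", LANSCHOOL_PORT),
    Rule("allow", "teacher", "student", "udp", LANSCHOOL_PORT),
    Rule("deny",  "student", "teacher"),
    Rule("deny",  "student", "admin"),
    Rule("allow", "any", "any"),
]


class Firewall:
    """Stateful first-match filter: replies to allowed flows pass without a rule."""

    def __init__(self, policy):
        self.policy = policy
        self.conntrack = set()   # (src, sport, dst, dport, proto) of allowed flows

    def check(self, flow: Flow) -> str:
        if is_mdns(flow):
            # mDNS never crosses the router; the Bonjour gateway re-advertises
            # records across VLANs, so the name shows in Finder regardless of
            # whether the service itself is reachable.
            return "mdns-relayed"
        reply_of = (flow.dst, flow.dport, flow.src, flow.sport, flow.proto)
        if reply_of in self.conntrack:
            return "allow-established"
        for rule in self.policy:
            if rule.matches(flow):
                if rule.action == "allow":
                    self.conntrack.add((flow.src, flow.sport, flow.dst, flow.dport, flow.proto))
                return rule.action
        return "deny"   # implicit default if nothing matches


if __name__ == "__main__":
    fw = Firewall(POLICY)
    samples = [  # constructed sample flows
        ("student mDNS browse",            Flow("10.10.30.7", 5353, MDNS_GROUP, 5353, "udp")),
        ("student -> admin Mac AFP share", Flow("10.10.30.7", 51000, "10.10.10.5", 548, "tcp")),
        ("teacher LanSchool -> student",   Flow("10.10.20.3", 52000, "10.10.30.7", LANSCHOOL_PORT, "tcp")),
        ("student reply to teacher",       Flow("10.10.30.7", LANSCHOOL_PORT, "10.10.20.3", 52000, "tcp")),
        ("student -> internet",            Flow("10.10.30.7", 60000, "93.184.216.34", 443, "tcp")),
    ]
    for label, flow in samples:
        print(f"{label:32s} {fw.check(flow)}")
```

The point the model makes is that the student's reply to a teacher-initiated LanSchool session passes only because the firewall tracks state; a stateless deny of student-to-teacher traffic would break the teacher's control session. The mDNS case shows why a file share on an admin Mac still appears in Finder after the rules are in place: the Bonjour gateway relays the advertisement, but the AFP or SMB connection a student then attempts is a unicast flow into the admin subnet and is denied.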
Mike Kouri, Official Rep

Kurt,
Thanks for closing the loop! Glad to hear you figured this out on your own!