Networking
A good network is seldom noticed and a great network is never noticed. The goal of network services is to ensure that Internet access is always available at the point of need to however many people need it.
Network Architecture
In enterprise environments, the interaction that most people have with the physical network is the port on the wall that connects hard-wired devices to the network. Behind that port is a cable with eight conductors (one Ethernet cable is actually made up of four twisted pairs of smaller wires) that runs to a device called a switch. Switches forward traffic on the network either to another device on the same switch or on to another switch, which will eventually carry the traffic out toward the Internet. All of the switches in a building connect to a central switch, called the “core switch”, which is the hub of the network for that building. This network within the school is called the Local Area Network (LAN). In a multi-site district, the core switch connects back to a router or another switch that links the site to the Central Office. The connection from the Central Office to all of the schools is called the Wide Area Network (WAN). While some districts operate their own WAN by connecting each school with microwave radio or fiber-optic cable, WAN service is typically purchased from a service provider, such as a telephone or cable company.
At the central site (which is sometimes, but not always, the district central office), the WAN connection feeds into a firewall, which protects your network from outside intrusion and cyber attacks. All traffic entering or leaving the district flows through the firewall, so its configuration is a critical component of securing your network. Managed firewall services are available to public schools in NC for free through the School Connectivity Initiative and MCNC (the state’s public Internet Service Provider). Traffic may also flow through a content filtering device, both for filtering and for a service called Quality of Service (QoS), which prioritizes some traffic over other traffic (for example, traffic for the standardized testing app always gets sent and received before traffic from YouTube). These devices connect to what’s called the “edge router”, which is exactly what it sounds like: the device at the outermost edge of your internal network, connecting it to the Internet. Typically, your Internet service provider is responsible for installing, configuring, and maintaining the edge router and the switches that connect to the WAN. All of the other equipment is the financial and technical responsibility of each school. As a CTO, your job is to budget for, plan, purchase, implement, and support this network with your team. There is limited funding support available through the E-Rate program, which is discussed in Unit 6.
Each device on the Internet has an IP address, which distinguishes it from every other device on the Internet. An IPv4 address is four numbers (called octets), each in the range 0-255, written with dots between them, such as 192.0.2.10. They’re called octets because each one is eight bits, which gives 2^8 = 256 possible values. Doing the math, that means there are 2^32 = 4,294,967,296 possible IPv4 addresses, which is not enough to give every device in the world its own. IP Version 6, introduced in 1995, has 2^128 (340,282,366,920,938,463,463,374,607,431,768,211,456) unique addresses and a richer feature set. It is not automatically more secure, though: an IPv6 path that your firewall and content filter don’t inspect is a way around IPv4-only rules, so either filter IPv6 the same way you filter IPv4 or keep it disabled on your network. Deployment has lagged far behind anticipated targets, and most school networks still run IPv4 internally.
All edge-facing Internet connections have at least one public IP address: an address that is unique across the Internet and allows traffic to be sent to and from your network. Domain names are translated to IP addresses by the Domain Name System (DNS), which is essentially a large, distributed database of domain names and their IP addresses. When you type a domain name into your browser, it sends a query to a DNS server (usually one your network or ISP provides), which returns the IP address for the name you entered. From there, the software involved in connecting your computer to the Internet makes the connection and downloads the content you’re looking for. Because nearly every connection starts with a DNS lookup, the logs of your DNS server are one of the simplest records of what the devices on your network are talking to.
Because there aren’t enough IPv4 addresses for every computer in the world to have a unique one, internal networks use “private IP addresses” that are unique only within the school. Three ranges are reserved for private use (RFC 1918): 10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255. Home networks usually use 192.168.x.x; most large enterprises use the 10 range because it is by far the largest. (Within any individual subnet the first address, the network address, and the last, the broadcast address, can’t be assigned to a device; in a subnet running from 10.1.20.0 to 10.1.20.255 that means 10.1.20.0 and 10.1.20.255 are reserved and 254 addresses are usable. The other octets can be 0 or 255 without any problem.) IP addresses are typically assigned to devices automatically by a service called Dynamic Host Configuration Protocol (DHCP). A DHCP server owns a pool (“scope”) of addresses and leases them out to devices as they request them, usually for 24 hours (the lease time can be configured longer or shorter based on network conditions). If the device is still connected when the lease is about to expire, the lease gets renewed; if it isn’t, the address goes back into the pool. A frequent failure point for schools moving to 1:1 and BYOD is a DHCP pool that isn’t large enough to give every device an address. The fix is to divide the network into subnets (networks within networks), placing devices in a subnet by type and giving each subnet a DHCP scope large enough for the devices that will land in it; the switch or wireless controller decides which subnet a device lands in based on how it connects (VLAN, SSID, or port), and DHCP hands out an address from that subnet’s scope. For example, in networks that I design, I typically use the second octet to identify the school, so any IP address starting 10.1 is Elementary A and any starting 10.2 is Elementary B. That gives me 10.1.0.0 through 10.1.255.255 (a /16, 65,536 addresses) at each school to divide up, and I use the third octet to identify the device type, treating each value as one /24 subnet with 254 usable addresses. Within the school, I’ll typically divide the network as follows:
- District-Owned Desktops (10.x.20.1-10.x.34.254)
- Connected Devices (10.x.35.1-10.x.39.254)
- Staff Device and BYOD (10.x.40.1-10.x.99.254)
- Student Device and BYOD (10.x.100.1-10.x.220.254)
- Guest (10.x.221.1-10.x.254.254)
Because the student range spans 121 values of the third octet (100 through 220), each with 254 usable addresses, I could have up to 30,734 unique student devices on the network at one school in any given 24-hour period (far more than I will ever need). In addition, because the IP addresses were scoped by building and device type, if an issue came up in my content filter or firewall logs, I could identify the location and device type simply by looking at the IP address. An issue that schools often have is not making their DHCP scopes wide enough for the number of devices. Even if a school is 1:1, by the time you add the two or three other devices a student is likely bringing and connecting (phones, gaming devices, etc.) combined with other devices like printers and AppleTVs, you may actually have four or five devices per student on your wi-fi, each needing an IP address. Lease time matters too: with a 24-hour lease, an address used by a visitor’s phone for ten minutes stays out of the pool for the rest of the day, which is why busy BYOD and guest scopes often run shorter leases.
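As an added example (written for this page, not code from the original author), here is the address plan above as a small Python script: it checks that the ranges don’t overlap, reports how many addresses each device class has, turns a third-octet range into the CIDR blocks a VLAN or DHCP scope would actually be configured with, and does the “read the location and device type off the IP address” triage on a few constructed firewall log lines. The school names beyond the two in the text, the log line format, and the “one /24 per third-octet value” interpretation are assumptions.

```python
import ipaddress
import re

# Constructed address plan following the layout in the text: 10.<school>.<class>.<host>.
# Third-octet ranges are inclusive; each third-octet value is treated as one /24 with
# 254 usable hosts (network and broadcast addresses excluded). The guest range starts
# at 221 so that it does not overlap the student range.
PLAN = {
    "district-desktop": (20, 34),
    "connected-device": (35, 39),
    "staff-byod":       (40, 99),
    "student-byod":     (100, 220),
    "guest":            (221, 254),
}
# Assumed school numbering (second octet); the text names only these two.
SCHOOLS = {1: "Elementary A", 2: "Elementary B"}
PRIVATE_10 = ipaddress.ip_network("10.0.0.0/8")


def usable_hosts(device_class):
    """Usable addresses in a class: one /24 (254 hosts) per third-octet value."""
    lo, hi = PLAN[device_class]
    return (hi - lo + 1) * 254


def check_overlaps(plan):
    """Return (class_a, class_b) pairs whose ranges overlap; an empty list means the plan is clean."""
    items = sorted(plan.items(), key=lambda kv: kv[1])
    overlaps = []
    for (name_a, (_lo_a, hi_a)), (name_b, (lo_b, _hi_b)) in zip(items, items[1:]):
        if lo_b <= hi_a:
            overlaps.append((name_a, name_b))
    return overlaps


def cidr_blocks(school, device_class):
    """The CIDR blocks a switch VLAN or DHCP scope would be configured with for one class."""
    lo, hi = PLAN[device_class]
    first = ipaddress.ip_address(f"10.{school}.{lo}.0")
    last = ipaddress.ip_address(f"10.{school}.{hi}.255")
    return [str(net) for net in ipaddress.summarize_address_range(first, last)]


def classify(ip_str):
    """Map an address to (school, device class), which is what the plan lets you read off a log line."""
    ip = ipaddress.ip_address(ip_str)
    if ip.version != 4 or ip not in PRIVATE_10:
        return ("outside-plan", "unknown")
    _first, school, third, _host = ip.packed
    name = SCHOOLS.get(school, f"school-{school}")
    for device_class, (lo, hi) in PLAN.items():
        if lo <= third <= hi:
            return (name, device_class)
    return (name, "unassigned")


def pool_fits(device_class, students, devices_per_student):
    """The scope-sizing check from the text: does the class have room for N devices per student?"""
    return usable_hosts(device_class) >= students * devices_per_student


# Constructed firewall log lines (not from any real product), only for the demo.
FIREWALL_LOG = """\
2024-03-04T09:12:01 action=block src=10.2.150.23 dst=203.0.113.10 dport=443 cat=streaming
2024-03-04T09:12:05 action=block src=10.1.41.7 dst=198.51.100.5 dport=22 cat=remote-access
2024-03-04T09:12:09 action=allow src=10.2.230.4 dst=203.0.113.10 dport=443 cat=streaming
2024-03-04T09:12:14 action=block src=192.168.50.9 dst=198.51.100.77 dport=8080 cat=proxy
"""
SRC_RE = re.compile(r"\bsrc=(\d+\.\d+\.\d+\.\d+)")


def triage(log_text):
    """Annotate each log line's source address with the school and device class behind it."""
    rows = []
    for line in log_text.splitlines():
        match = SRC_RE.search(line)
        if not match:
            continue
        school, device_class = classify(match.group(1))
        rows.append((match.group(1), school, device_class))
    return rows


if __name__ == "__main__":
    print("overlaps:", check_overlaps(PLAN))
    for device_class in PLAN:
        print(f"{device_class:17s} {usable_hosts(device_class):6d} hosts  {cidr_blocks(1, device_class)}")
    print("student scope fits 600 students x 5 devices:", pool_fits("student-byod", 600, 5))
    for row in triage(FIREWALL_LOG):
        print(row)
```

The `cidr_blocks` output is the part to carry into the switch and DHCP configuration: a range like 35-39 doesn’t fall on a single subnet boundary, so it becomes a /24 plus a /22, and each of those needs its own scope.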
Wi-Fi
Layered on top of the physical network is Wi-Fi. Wi-Fi access points connect back to the physical switches; an access point is essentially a bridge that connects client devices to the wired network over radio instead of cable. Choosing access points with adequate capacity and multiple radios is essential in an enterprise environment: airtime on a Wi-Fi radio is shared among every device connected to it, and a slow or distant client consumes a disproportionate share of that airtime, dragging down throughput for everyone on that radio. A typical access point can accommodate 30-40 active devices. In a 1:1 school this is often sufficient, but wireless capacity can become a bottleneck in BYOD or guest-access environments, where a student may have two or three devices connected to the Wi-Fi (meaning 60-90 devices per classroom). The Friday Institute and the NC School Connectivity Initiative currently base “adequate” Wi-Fi on 1.2 access points per classroom or 1 AP per 16 students. This accounts for the increased capacity, high-density areas such as cafeterias and gyms, and concrete walls. When purchasing access points, a vendor will typically conduct a wireless site survey, where they look at the building layout, construction materials, and density to determine the placement and number of access points needed. They feed data from these surveys into a wireless controller, which monitors and directs the access points, adjusting their power levels and channels dynamically so that they can handle increased demand in one part of the building and so that neighboring access points don’t put out radio signals that interfere with one another.
Beyond the physical configuration is authentication. Personal access points typically use a Pre-Shared Key (PSK): a single Wi-Fi password that anyone who needs the network types into their device. A PSK does encrypt traffic, but it is a pain to secure and manage: every device holds the same secret, anyone who has been given it (or a former student who still remembers it) can join, and rotating it means reconfiguring every device in the building. Enterprise networks instead use 802.1X (WPA2/WPA3-Enterprise), where the access point hands the login to a RADIUS server connected to your directory service and each person signs in with their own username and password (or a device certificate) through your identity service; Eduroam, on the NC State campus, is an example of this. Every device then gets its own encryption keys, so one client can’t decrypt another’s traffic. RADIUS authentication lets you see who is connected on each device, place users in subnets and control access more granularly, and revoke one person’s access without touching anyone else. One caveat: the client must be configured to verify the RADIUS server’s certificate, otherwise a rogue access point broadcasting the same network name can collect staff and student passwords, so push that setting with your device management tool rather than leaving it to users.
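As an added illustration (not from the original page, and not any particular school’s configuration), here is the same choice expressed in the syntax of the open-source hostapd access point daemon and the wpa_supplicant client: the PSK settings beside the 802.1X settings, followed by the client-side certificate check that closes the rogue-access-point hole. Enterprise controllers expose the same settings under different names. The SSID, RADIUS server address, shared secret, user name and certificate path are placeholders, and the two hostapd fragments are alternatives, not one file.

```ini
# hostapd.conf, personal-style network: one shared password for everyone.
# The passphrase is held by every device; rotating it means touching them all.
interface=wlan0
ssid=School-Staff
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=ChangeMeEveryYear

# hostapd.conf, enterprise network: per-user login handled by a RADIUS server (802.1X).
# The access point never sees a shared password; it relays the login to RADIUS.
interface=wlan0
ssid=School-Staff
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
eap_server=0
# Placeholder RADIUS server address and shared secret between the AP and RADIUS.
auth_server_addr=10.0.5.10
auth_server_port=1812
auth_server_shared_secret=ReplaceWithLongRandomSecret

# wpa_supplicant.conf on a managed client. ca_cert and domain_match are the lines
# users leave out when they configure the network by hand: without them the client
# will happily send the login to any access point that calls itself School-Staff.
network={
    ssid="School-Staff"
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="jdoe"
    password="placeholder"
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/school-radius-ca.pem"
    domain_match="radius.school.example"
}
```

The `ca_cert` line names the certificate authority the client will trust, and `domain_match` pins the name the RADIUS server’s certificate must carry; together they are what lets a managed laptop refuse an impostor. This is the setting worth verifying on a sample device after every operating system update.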
Filtering
Filtering happens one of two ways: inline or through a proxy server. In an inline configuration, the filtering appliance sits in the path between your internal network and the Internet, and all traffic flows through it; every request is evaluated against the filtering rules and dropped if it should be blocked. In a proxy configuration, a setting on each individual device (a proxy address or a PAC file) sends web traffic, instead of directly to the remote server, to an intermediate server somewhere else which evaluates the request, forwards it if it is allowed and rejects it otherwise. Modern web filtering needs to do both: filter inline when a device is connected to a school network (so every device on school grounds is filtered, whether personally-owned or school-owned), and act as a proxy for school-owned devices so they stay filtered when they leave campus. Two caveats apply. A proxy setting only protects a device if the user can’t change it, so it needs to be pushed and locked by your device management tool. And because most web traffic is now encrypted (HTTPS), either approach can see only the domain name being visited unless you install the filter’s root certificate on managed devices so it can decrypt and inspect the content, which you can’t do for personally-owned devices.
The NC School Connectivity Initiative provides Z-Scaler filtering service for free on an opt-in basis to any public school. Z-Scaler is an inline solution hosted at MCNC that can also act as a proxy server.
Understanding Bandwidth
“Bandwidth” is commonly used to describe the speed of your Internet connection. Bandwidth is closely related to speed, but it isn’t the same thing: it is the capacity of the connection, not the rate at which any particular piece of data arrives. Consider a pipe that carries water. The bandwidth is the diameter of the pipe: widen it and more water reaches the bucket at the end in any given second, even though each drop travels at the same speed. A second measure, latency, is the time it takes one packet to get from the source to the destination, the delay before the first drop reaches the bucket. A third, throughput, is the amount of data that actually arrives per second, the rate at which the bucket fills. Bandwidth and throughput are both measured as rates (megabits or gigabits per second); latency is measured in milliseconds. Throughput is always at or below bandwidth: in the analogy, leaks and evaporation mean some water never reaches the bucket, and in the real world it is reduced by the number of intermediate routers (“hops”) the data crosses between here and there, the slowest link along the path, packet loss, how fast the receiving device can accept data, and physical distance.
The fundamental problem in network performance is bottlenecks. If the equipment feeding the Internet circuit can’t fill the pipe, you can’t use all of the bandwidth you are paying for; and if packets are lost, or any single link in the path is saturated, throughput will be poor no matter how large the circuit is.
Right-Sizing Your School’s Internet Connection
Having enough bandwidth requires active monitoring. For North Carolina public schools, WAN and Internet connection charges are paid by the state through the North Carolina School Connectivity Initiative. The state automatically upgrades your Internet connection when the district is consistently using more than 60% of available bandwidth for a month. While the 60% threshold may seem low, having bandwidth in reserve to handle surges in utilization, such as online testing, is an advantage. However, your school WAN and switch uplinks may be bottlenecks of their own if they can’t fill the pipe quickly enough, so the 60% threshold is a good rule of thumb for WAN links as well. Most districts use 5Gbps (gigabits per second) links between sites and to devices. Through the Connectivity Initiative, the team at MCNC will come to your school for free and evaluate your network health to ensure that it is functioning optimally. They can also help chase down “gremlins” in the form of configuration errors or other issues that impact performance. For other schools, these services can usually be contracted from a network engineering company.
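As an added example (not from the page and not the Connectivity Initiative’s own tooling), here is the arithmetic behind that 60% rule applied to interface byte counters of the kind an SNMP poller collects from the WAN router. The samples are constructed, the circuit is assumed to be 100 Mbps, and the counter is a 32-bit one so that the wrap-around case a real poller has to handle actually shows up in the data. What “consistently for a month” means numerically is not defined in the text; the script treats it as a fraction of polling intervals, which is an assumption.

```python
# Constructed poller samples: (unix timestamp, cumulative bytes received on the WAN
# interface), read every 300 seconds from a 32-bit counter. Not real traffic data.
# The counter passes 2**32 three times in this window; a naive c1 - c0 would report
# those intervals as huge negative byte counts.
LINK_MBPS = 100
COUNTER_BITS = 32
SAMPLES = [
    (1_700_000_000, 1_000_000_000),
    (1_700_000_300, 3_625_000_000),   # +2.625 GB in 300 s -> 70 Mbps
    (1_700_000_600, 1_955_032_704),   # counter wrapped    -> 70 Mbps
    (1_700_000_900, 3_830_032_704),   # +1.875 GB          -> 50 Mbps
    (1_700_001_200, 2_535_065_408),   # counter wrapped    -> 80 Mbps
    (1_700_001_500,   865_098_112),   # counter wrapped    -> 70 Mbps
]


def utilization(samples, link_mbps, counter_bits=COUNTER_BITS):
    """Convert cumulative byte counters into a list of (timestamp, utilization) per interval.

    Utilization is a fraction of the circuit's bandwidth (0.7 means 70%). The modulo
    handles a counter that wrapped once between polls. If it can wrap more than once
    per poll (a 32-bit counter wraps in about 34 s at 1 Gbps) the reading is ambiguous,
    which is why gigabit links should be polled with 64-bit "HC" counters.
    """
    wrap = 1 << counter_bits
    series = []
    for (t0, c0), (t1, c1) in zip(samples, samples[1:]):
        seconds = t1 - t0
        if seconds <= 0:
            raise ValueError("samples must be in increasing time order")
        delta_bytes = (c1 - c0) % wrap
        mbps = delta_bytes * 8 / seconds / 1e6
        series.append((t1, mbps / link_mbps))
    return series


def sustained_above(series, threshold=0.60, min_fraction=0.90):
    """True when at least min_fraction of the polling intervals exceed the threshold."""
    if not series:
        return False
    hot = sum(1 for _, u in series if u > threshold)
    return hot / len(series) >= min_fraction


def summary(series, link_mbps):
    """Peak and average utilization plus the headroom left for a surge such as online testing."""
    utils = [u for _, u in series]
    peak = max(utils)
    return {
        "peak_pct": round(peak * 100, 1),
        "avg_pct": round(sum(utils) / len(utils) * 100, 1),
        "headroom_mbps": round((1 - peak) * link_mbps, 1),
    }


if __name__ == "__main__":
    series = utilization(SAMPLES, LINK_MBPS)
    for t, u in series:
        print(f"{t}: {u:.0%}")
    print(summary(series, LINK_MBPS))
    print("upgrade trigger (90% of intervals above 60%):", sustained_above(series))
```

On this data four of the five intervals are above 60%, so the link is busy but does not meet the 90%-of-intervals rule the script uses; relax `min_fraction` to 0.75 and it does. The same calculation run against the uplinks from each school to the core is how you find out whether the WAN, rather than the Internet circuit, is the bottleneck.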
Education Superhighway, an organization that tracks and advocates for Internet access in schools, recommends a target of 1Mbps per student of Internet bandwidth and 10Mbps between sites and declared the Classroom Connectivity Gap closed in 2020. North Carolina has empirical data on utilization for all LEAs and Charters showing how districts and charters leverage the bandwidth available to them.
Space Considerations
Many older school buildings were not built with network closets in mind. As a result, network equipment ends up in places like bathrooms, storage closets, and even hallways. When selecting a location for a network closet, look for a place that is physically secure (locked, with access limited to the technology staff) so that the equipment remains free from tampering, away from sources of water that can damage it, and with sufficient ventilation or cooling so that the heat generated by the equipment can escape or be vented out.