Allow List – Trusted Network Access

Allow List (authored originally Feb 4, 2015)

Technology Services is moving schools to an Allow List model of access to our networks. This is due to an overwhelming number of devices that have used up all available IP addresses at sites. An IP address is like a parking spot on the network: if no spots are available, you can’t get on. Currently we use a Deny List at most sites, which is like whack-a-mole: we knock devices off weekly and sometimes daily, with much unintended blocking because we don’t always know which device is whose (towing cars after they’ve parked). The Allow List strategy moves us from reactive to proactive (like the new parking gates at the Northern Grand).

We want to make certain that the networks have sufficient space for our staff and district owned devices. To allow you a parking spot, we need to know details of your device, most importantly its wireless MAC address. If you get a new privately owned device, it will have a new MAC address that will need to be submitted.

What this means is that if you have not submitted the wireless MAC address for your privately owned device, we may inadvertently block you, or, when we move your school to the Allow model, the device will not be able to connect to the SD60 Trusted Network (wired, SD60-Staff, SD60-Student). You should not have to submit anything for district owned devices, as we have their MAC addresses in our inventory system and they have already been added to the Allow List. We will have a technician on site the day of switching to an Allow List to make certain things are working. You can help us greatly and limit any connectivity issues for yourself by submitting your MAC address before the change.

Phones and iPods represent a large share of the spaces that could be taken up. If their MAC addresses are submitted, we will determine whether there is adequate space to allow them, depending on local availability.

To submit your device’s MAC address please visit bit.ly/sd60help and click on the Trusted Network Access link on the left hand side navigation bar. Or directly here.

SD60-Public (10.xx.xx.xx addressing, throttled internet-only access – ports 80 & 443)

In some schools we have set up a separate network that allows you to connect wirelessly with any device, whether we know the MAC address or not. This is to enable student owned devices, staff owned devices, phones etc. to get to the internet only. This is not in place in all schools, but we are working to have it in place. This approach will add 64,000 addresses at each site where it exists. It involves significant logical networking changes and takes time to build.

Current School IP Address Mitigation Strategy (updated Feb 18, 2015)

NPSS – Deny – tentatively moving to Allow after Spring Break
ELC – Deny – Move to Allow Feb 18
Bert Bowes – Deny
Dr. Kearney – Deny
Alwin Holland – Deny – Move to Allow Feb 25
Baldonnel – not needed as of yet
Bert Ambrose – Deny – move to Allow Feb 23
Buick Creek – not needed as of yet
CM Finch – Deny
Charlie Lake – Deny – Move to Allow Feb 23
Clearview – not needed as of yet
Duncan Cran – Deny – Move to Allow Feb 24
Ecole Central – Deny
Hudson’s Hope – ALLOW
Prespatou – ALLOW
Robert Ogilvie – Deny
Taylor – not needed as of yet
Upper Halfway – not needed as of yet
Upper Pine – Deny – move to Allow Feb 27
Wonowon – ALLOW
School Board Office – not needed as of yet
Grandhaven – not needed
Facilities – not needed
NBCDES – not needed as of yet

I’ve asked staff for dates in the next two weeks for planning where we will be implementing the Allow Lists at buildings above currently employing deny lists.

When the ALLOW will be implemented will depend on local needs (FSA, exams, report cards). We will have a technician on site for two days after the switch to make certain things are working. Five days notice will be given prior. You can submit your MAC address at any time through the link above.

Schools with Separate Public Network in Place (SD60-Public on wifi with 10.xx.xx.xx addresses)

NPSS
Dr. Kearney
Hudson’s Hope
ELC
Bert Bowes
Prespatou
Grandhaven

We plan to add others in the future.

Since When?

The Allow List and the Trusted Network Access strategy was first introduced in October 2013. There is a page in the Help Pages menu above or directly available at http://www.prn.bc.ca/ts/?page_id=2021

Allow List at DK progress

At the end of the day Tuesday we have 258/437 IPs used at DK on the trusted network with the change over to the allow list. 40% available is excellent where quite often before this would be in single digits or at zero! The lease times have been reset to 7 days. This should help out quite a bit with teachers wanting to use remote desktop as a tool in class.

The SD60-Public network had 184 users Tuesday. 442 devices on networks.

Wednesday traffic graphs look good below. Much more bandwidth available and being used by the trusted side of the network. Limits on SD60-Public network are working well. Near the end of the day on Wednesday we have 319/437 IP leases in use on the trusted network. 256 leases on the SD60-Public network. 575 devices with leases on networks.

Left side graphs are the trusted network, right side the sd60-public network

Thursday we are up to 335/437 IP leases used on the trusted network. The public side has 284 devices. 619 devices with leases on networks. If we reach 100% on the trusted side we would need to lower the lease time allowed, as some of these leases will be held by devices that are no longer active (i.e. visiting itinerants etc.).

Friday we are up to 349/437 IP leases on the trusted network. There are 276 devices on the Public side, as their shorter lease times resulted in fewer overall compared to yesterday. We will continue to monitor next week to make sure that the seven day lease on the trusted network does not result in 100% use.

Tuesday (23rd): there are 358/437 IP leases used on the trusted network, with 18% remaining available. Many leases will be renewed today if the devices are still present. It looks like 7 days will work, provided we are not expecting to introduce a significant number of devices to the trusted network on a specific day (like a pro-d day). If that were the case, I’d suggest that folks who are visiting and can’t get an IP connect to the SD60-Public network instead. We could also clear the leases the day of a pro-d with many new users and clear them again afterwards, if we are given some notice via a Work Order. The Public side had 272 leases as of this afternoon.
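
The allow-list switch and the lease counts reported above, as an added example (not Technology Services' own tooling): it normalizes MAC addresses submitted in different notations, shows which current leases would lose access under an Allow List, and reports free space in the 437-address trusted pool. The MAC addresses, IP addresses, lease rows and function names are constructed for illustration.

```python
import re

POOL_SIZE = 437  # trusted-network pool size reported on this page

# Constructed sample data: MACs as users might type them into the form.
SUBMITTED = ["02:00:00:AA:00:01", "0200.00aa.0002", "02-00-00-aa-00-03",
             "02:00:00:AA:00"]          # last entry is truncated
# Constructed DHCP lease table (documentation-range IPs).
LEASES = [
    {"mac": "02:00:00:aa:00:01", "ip": "192.0.2.10"},
    {"mac": "02:00:00:AA:00:02", "ip": "192.0.2.11"},
    {"mac": "02:00:00:aa:00:03", "ip": "192.0.2.12"},
    {"mac": "02:00:00:bb:00:09", "ip": "192.0.2.13"},  # never submitted
]

def normalize_mac(raw):
    """Return 12 lowercase hex digits, or None if the input is not a MAC."""
    digits = re.sub(r"[-:.\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None

def build_allow_list(submissions):
    """Return (allowed set, rejected raw entries) from form submissions."""
    allowed, rejected = set(), []
    for raw in submissions:
        mac = normalize_mac(raw)
        if mac:
            allowed.add(mac)
        else:
            rejected.append(raw)
    return allowed, rejected

def apply_allow_list(leases, allowed):
    """Split leases into those kept and those dropped under an allow model."""
    kept = [l for l in leases if normalize_mac(l["mac"]) in allowed]
    dropped = [l for l in leases if normalize_mac(l["mac"]) not in allowed]
    return kept, dropped

def pool_report(used, pool_size=POOL_SIZE):
    """Summarise pool use; pct_free is rounded to the nearest percent."""
    free = pool_size - used
    return {"used": used, "free": free, "pct_free": round(100 * free / pool_size)}

if __name__ == "__main__":
    allowed, rejected = build_allow_list(SUBMITTED)
    kept, dropped = apply_allow_list(LEASES, allowed)
    print("rejected submissions:", rejected)
    print("would lose access:", [l["mac"] for l in dropped])
    print("Tuesday the 23rd:", pool_report(358))
```

Running the dropped list before a switch-over date shows which devices still need a MAC submission; malformed submissions are reported rather than silently ignored.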

Networking Changes at Dr. Kearney

Over the last year we have made some networking changes at Dr. Kearney and Bert Bowes. A significant change was to add a virtual local area network (VLAN) that provides a separate network for internet-only connections for personal devices. This is accessed through the wireless network SSID SD60-Public. This network has space for 64,000 devices. The password is available from staff at DK.

We are now at a stage to move forward with restricting access to the SD60-Staff and SD60-Student SSIDs to only district owned devices at Dr. Kearney. There will only be space for around 500 devices on that network. After completion at DK we will work on Bert Bowes next.

Any devices not in the district asset inventory for Dr. Kearney will only be able to access the internet via the SD60-Public system after we make the changes. We suggest that staff or students using a personal device switch to the SD60-Public network before work starts so that they have no interruptions.

Timeline – after Thanksgiving.