Accessibility | High Visibility | Site Map
One-School-One-LAN (1S1L)

What is 1S1L?

Currently the Leeds City Council security model for schools and libraries is that curriculum traffic and admin traffic* is kept on separate IP subnets except where strict access controls allow communication between the two.

1S1L uses only one LAN instead of the two.

* In libraries curriculum and admin traffic equate to public and staff traffic respectively.

Why one-school-two-LAN

Multiple LANS that are kept separate ensue that computers that access the MIS system(s) like SIMS and council services (including Education Leeds) will only be accessed by admin users and not ‘untrusted’ users. Physically admin computers should be kept away from untrusted users, for example, in the admin offices.

Separating admin and curriculum computers also helps to prevent the spread of virus and malicious hacking attempts.

Using a smaller broadcast domain also helps to reduce congestion, though this is less of an issue with modern network equipment.

The concept behind having two separate LANs goes back several years. The above reasons applied more strongly back then.

Why do schools want to move to 1S1L?

Whilst having two subnets (& two IP ranges) facilitates the current security model, it does create issues when allowing legitimate communication between the two.

Amongst other factors, schools have moved towards 1S1L for

  • Ease of administration – why maintain 2 subnets with 2 sets of servers, DHCP scopes, switches, 2 domains etc
    • Single set of administrator passwords to maintain
    • Data backup simplified
    • Old admin servers no longer required (only SIMS/MIS server needed)
    • Ease of management as entire network is managed by one network manager not two, one for each network.
    • Reduced networking costs as any hub cabinet can be used for new network links, rather than a specific admin or curriculum hub cabinet/switch
    • Less dependency on third party maintainers
    • Administer one set of staff folders
  • Allow easier communication between computers
    • E.g. Lesson Monitor, electronic registration
    • Sharing resources
    • Increased flexibility for printing
    • Increased flexibility to access data anywhere in school from any computer
  • Faster speeds as no longer passes through upstream routers

When will LLN support 1S1L?

As LLN moves to a new services provider the facility to move to 1S1L will become fully supported.

Is there any way of moving to 1S1L now?

Yes there is. It isn’t simple, but a number of schools have successfully been able to do so. See the accompanying hyperlinks to see how they did it.

Do I have to move to 1S1L?

Unless you have an urgent business requirement to do so, you may be advised to wait until the security model changes, when your site is migrated to the new service provider.

What services are provided only to admin users (computers with admin IP addresses or traffic which present an admin IP address to be more precise)?

  • AVCO
  • SAP MDT
  • Infobase, InfobaseSchools
  • Leeds City Council intranet (not the same as LLN intranet)
  • FAB via terminal services
  • FAB via Java client
  • Discoverer reporting tool
  • Etc

Is moving to 1S1L easy?

For the savvy network manager maybe. It can be more than a little tricky if you want to maintain security and access to services as before.

Network managers have highlighted various challenges:

  • Configuring Pix firewalls to channel traffic and allow access from external sources
  • SIMS server had to be dual homed onto old admin LLN link.
  • Ensuring only staff where able to access data on the SIMS/MIS server.
  • Moving servers across form admin domain to curriculum domain
  • Ensuring all user accounts are setup on the curriculum domain for staff
  • Sharing all files from old admin servers
  • Moving the workstations across to curriculum domain
  • Pix firewall can ‘struggle’ with the throughput
  • Having to work overnight to implement the changes when the proposes solution was changed
  • Upgrade SIMS computers (operating system, patches, hardware). One school had to replace half of the hardware to bring them up to the standard of the curriculum side.
  • Consolidating staff folders
  • “A lot of planning”
  • “Needed to set up a test rig”
  • IPSec was challenging to troubleshoot as it took a lot of tweaking

How can I prepare for 1S1L?

If you decide that you need to move to 1S1L and that must you do it now, then you can read the stories of how some schools have achieved it (see hyperlinks). Alternatively you can wait for the full 1S1L solution with that comes with the new LLN provider. Whichever you chose, your network will benefit from applying the suggestions below.

Your network will run faster if you use high speed network interface cards in all your devices, especially servers and switches. The use of low speed switches is not advised. The use of hubs will particularly slow performance. Many schools are installing gigabit infrastructure throughout. High specification client workstations and servers also help improve the user’s experience.

Disclaimer

The help here is provided for your guidance only. The solutions work for the schools concerned. If you try a solution and it does not work for you then neither the schools who contributed the ideas nor LLN are responsible for any issues arising.

Thanks to the following for their contributions to these pages:

Danny Carter Abbey Grange CofE High School
Richard Lian Cardinal Heenan Catholic High School
Simon/Rob Ralph Thoresby High School
Alastair Herron Cockburn College of Arts
Matthew Collins Otley Prince Henry Grammar School
One School One LAN (1S1L)
Frequently Asked Questions
Reference Sites
 
Cardinal Heenan Catholic High School
Otley Prince Henry
Cockburn College of Arts
Ralph Thoresby
Ask a question / make a comment
Add me to the “What’s new?” mailing list