For schools, and other similiar “public” institutions vLAN can be your friend.
I’ve been entrusted with the job of “protecting” public higher level schools from “wise guy” students, also other students who think copy pasting from Google makes them a “guru”. Better (or worse) script kiddies…
But as mentionned before: You NEED good switches (pricey), but combining vLAN, restrictive Proxys and Firewalls (Even between your subnets!) can help solve the problem.
Basic concept for vLANs:
10 public (students) network
11 printing (public)
12 teachers / faculity members
13 printing (teachers / faculity members)
and so on.
The BIG difference in a “public” instition like a school / university is you can’t just fire / reprimand someone who’s misusing the infrastructure, you have to make it break-proof and basically bullet-proof and tamper-proof everything. This also means basic access: Locked IT rooms!
I’ve had such institutions dish out thousands for security, only to leave doors and server racks open. Not really practical…
A “wise guy” even stole the schools WLan AP in the cafeteria - ending the free WLan for all for quite some time (Till the new budget almost a year later). The AP was actually hidden in the cealing, not that easily acciessible…
My 2 cents