Can you give me some advice on network Infrastructure

October 16, 2017 at 03:45:27
Specs: Windows 10, I7
While I know basic computing and network concepts and principles after getting educated in IT at a basic level, I am still not completely comfortable and lack the actual work experience on the next steps with regards to expanding our small business network.

I started a job to support around 8 users (and other project support) without any managed network services such as AD or DNS (another aim for another day) on a simple workgroup network which has now grown to around 25 users. Additionally the business now has a growing number of visitors on training courses (up to 40 visitors at any time). At a peak busy time, there could be up to 90 devices on the network (laptops, computers, tablets, phones).

I originally set up a simple one-network configuration and let our router handle the DHCP and guest Wi-Fi. Since then, in preparation for future expansion ideas, I have installed managed switches on both floors and replaced the router with a WRT-compatible model (Asus Dark Knight).

Over the last few months the staff and visitor count has expanded quite a lot and I have noticed what I would call 'internal traffic' issues, such as clients disconnecting from file shares and internet speed sometimes coming to a halt (on a 200 Mb down, 20 up connection).

As potential solutions for alleviating some of the connectivity and speed issues, my ideas were introducing a second or potentially third network and using VLANs. The idea was to have our business users on the LAN with additional access points (for greater Wi-Fi coverage) and possibly have a second network, with its own IP range, dedicated to ports on a switch somehow, possibly via VLAN tagging.

I may be getting a bit confused around VLANs and separate networks, so I just wanted to get a bit more clarification on these technologies and some guidance on a more robust solution for the company moving forward.

I initially had asked senior management that we outsource an IT company to set this all up but, unfortunately, I have been told it is not possible due to lack of funds.

So on the idea of having a separate network or networks for trainees (to access education resources over the internet), this would mean that there would be a different IP range and, furthermore, a separate DHCP server or router on this network. I understand the second router could be given a route to the first router, meaning the 'trainee' network could access the internet but would not be able to access the business network.

Am I right in thinking that if we wanted to host something on the first network that we wanted clients to access on the second network, let's assume a trainee file server, then this is where a VLAN would be needed? If so, I am presuming there would need to be additional configuration on the 1st router and 2nd router so that packets can be sent across networks. Furthermore, the switches would need to be configured to recognise VLAN packet headers?

Apologies again if I am confusing matters, though any guidance or clarification would be appreciated and would help me out here.

Thanks




#1
October 16, 2017 at 08:04:43
Ok.....first things first.

Guest networks (wifi) and training type networks should not be allowed to access internal (company) resources. That's a huge risk and you need to keep work separate from non-work networks.

VLANs are definitely the way to go and since you already have VLAN-capable switches, you're ready to start. Oh, if you could tell me what you bought for switches, I could look up what they can and can't do.

So here's what I see as required for your setup:

- VLAN 1 (management)
- VLAN 2 (internal - staff/company)
- VLAN 3 (wifi)
- VLAN 4 (training)

Realistically, you could use the same VLAN for wifi and training since you don't really want them accessing internal resources but if there is a direct need for the training group to do so, this would make it easier.

In the above example, VLAN 3 and 4 would be internet access only. If you end up separating wifi and training you will want to limit bandwidth usage by the wifi network.


VLAN 1 is typically the default management VLAN on any managed switch and is used for network appliances only (ie: switches, router, bridge etc).

With regard to VLAN 4. If there are no internal resources on the training server you will want to put it in the training VLAN. Then there's no reason for students to access your internal network and resources. I can't stress enough how important it is to restrict access to internal resources! If you can put any/all training related materials on a server in the training network then you can make VLAN 3 both wifi and training to make your topology simpler.

You would of course require a DHCP server for each network/VLAN. I would suggest, if you have access to some older PCs and are a little skilled in Linux, you could easily set up a Linux box on each segment to route and do DHCP. If not, then SOHO routers will work just fine.

Ok so based on typical default TCP/IP settings on SOHO Routers, here's what I see:

VLAN 1 = mgmt
Network = 192.168.1.0/24

VLAN 2 = internal
Network = 192.168.2.0/24

VLAN 3 = wifi
Network = 192.168.3.0/24

VLAN 4 = training
Network = 192.168.4.0/24

Your primary SOHO Router (the one connected to the internet) would be as follows:
External IP: assigned by ISP
Internal (LAN)
IP: 192.168.1.1
SM: 255.255.255.0
DHCP enabled = no
Access the internet = no

Switch 1:
IP: 192.168.1.2
SM: 255.255.255.0
Default Gateway = 192.168.1.1

Switch 2:
IP: 192.168.1.3
SM: 255.255.255.0
DG: 192.168.1.1

and so on......

VLAN 2 (internal)
External IP: 192.168.1.4
SM: 255.255.255.0
Route on this router that points to 192.168.1.1 as its DG

LAN IP: 192.168.2.1
SM: 255.255.255.0
DHCP enabled = yes
DHCP Scope = 192.168.2.100 - 192.168.2.199

Ensure you do not have any routes allowing access from any one network into another network.

Rinse and repeat for your other VLANs.

I highly recommend you start with one VLAN and get it working. Once you do, the rest will be easy.

It matters not how straight the gate,
How charged with punishments the scroll,
I am the master of my fate;
I am the captain of my soul.

***William Henley***


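The following is an added example, not the reply's own configuration: it encodes the policy stated above (VLAN 3 and 4 internet-only, nothing routed between networks, VLAN 1 with no internet access) as an explicit allow-list you can query, and renders the same policy as an nftables forward chain for the Linux-router option mentioned in the reply, where the box has one 802.1Q sub-interface per VLAN. The internal-to-management allowance, the table and chain names, and the test addresses are assumptions, not from the thread.

```python
"""Policy model for the four-VLAN plan: an added example, not the reply's own
configuration. Encodes the rules above (VLAN 3 and 4 internet-only, nothing
routed between networks, VLAN 1 with no internet) as an explicit allow-list
and emits the equivalent nftables forward chain. The internal->mgmt allowance
and the nftables table/chain names are assumptions, not from the thread."""
import ipaddress
from typing import Dict, Optional

# Addressing exactly as laid out in the reply.
VLANS: Dict[str, ipaddress.IPv4Network] = {
    "mgmt":     ipaddress.ip_network("192.168.1.0/24"),  # VLAN 1
    "internal": ipaddress.ip_network("192.168.2.0/24"),  # VLAN 2
    "wifi":     ipaddress.ip_network("192.168.3.0/24"),  # VLAN 3
    "training": ipaddress.ip_network("192.168.4.0/24"),  # VLAN 4
}

# VLANs that may forward to the internet ("Access the internet = no" for mgmt).
INTERNET_VLANS = {"internal", "wifi", "training"}

# Cross-VLAN traffic that is explicitly allowed (source, destination).
# Anything not listed is denied by default: isolation comes from a drop
# policy, not merely from the absence of a route. Assumption: staff machines
# on the internal VLAN need to reach the switch management addresses.
ALLOWED_PAIRS = {("internal", "mgmt")}

# RFC 1918 space; a destination inside it is never treated as "the internet".
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def vlan_of(addr: str) -> Optional[str]:
    """Name of the VLAN whose subnet contains addr, or None if outside the plan."""
    ip = ipaddress.ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def is_internet(addr: str) -> bool:
    """True only for publicly routable addresses, never for RFC 1918 space."""
    ip = ipaddress.ip_address(addr)
    return ip.is_global and not any(ip in net for net in PRIVATE)


def is_allowed(src: str, dst: str) -> bool:
    """Decide whether the router should forward a new flow from src to dst."""
    s, d = vlan_of(src), vlan_of(dst)
    if s is None:                       # unknown source subnet: never forward
        return False
    if d is None:                       # leaving the site: internet-only VLANs
        return s in INTERNET_VLANS and is_internet(dst)
    return s == d or (s, d) in ALLOWED_PAIRS


def nftables_rules() -> str:
    """Render the same policy as an nftables forward chain (default drop)."""
    rfc1918 = ", ".join(str(n) for n in PRIVATE)
    lines = [
        "table inet vlan_fw {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for s, d in sorted(ALLOWED_PAIRS):
        lines.append(f"    ip saddr {VLANS[s]} ip daddr {VLANS[d]} accept")
    for name in sorted(INTERNET_VLANS):
        lines.append(f"    ip saddr {VLANS[name]} ip daddr != {{ {rfc1918} }} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


def leaks() -> list:
    """Every cross-VLAN pair the policy forwards; should equal ALLOWED_PAIRS."""
    return sorted((s, d) for s in VLANS for d in VLANS
                  if s != d and is_allowed(str(VLANS[s][10]), str(VLANS[d][10])))


if __name__ == "__main__":
    print(nftables_rules())
    print("cross-VLAN pairs forwarded:", leaks())
```

The point of `leaks()` is the check to run after every change to the plan: the only cross-VLAN pair it should ever list is the one you deliberately allowed. Note that with the chained-SOHO-router layout above, each downstream router's WAN side sits on 192.168.1.0/24 alongside the switch management addresses, so the "no access into another network" rule has to be enforced on those routers too; on a single Linux router with per-VLAN sub-interfaces the drop policy above makes it explicit.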

#2
October 16, 2017 at 08:07:34
What switches did you buy btw? I ask because they all differ a little from each other with regard to configuration.

What does your physical layout look like? Is it multiple rooms on one floor, multiple floors/rooms? All your switches/routers in one room? etc etc




#3
October 17, 2017 at 02:14:33
Hi

Thanks Curt for getting back to me on this

I want to be as informative as possible so that I can help you guys help me. Before we go further, would it help to do a connection drawing of the current network setup?

Anyhow, on site there are two cabinets, one on each floor, that are bridged together via an Ethernet connection between the switches. Each cabinet has cables running to different types of room.

For example, cabinet 1 has cables running to training room 1 and training room 2 and the main office; cabinet 2 has cables running to training room 3 and training room 4 and the main office.

Both cabinets have one managed 24-port Netgear GS724TP switch; the cabinet upstairs has an additional 24-port switch (ProCurve 1800-24G J9028B).

Our business office has additional dumb switches to distribute connections to business devices (non-visitor).

With regards to the four suggested VLANs, wouldn't the business Wi-Fi need to be separate from the guest/trainee Wi-Fi? I am otherwise assuming that the business Wi-Fi AP will sit on VLAN 1 or 2.

To be honest, I don't think the guests/trainees will need access to any resources from the business network, so no need to worry about setting up another server.





#4
October 17, 2017 at 08:15:52
would it help to do a connection drawing of the current network set up

Definitely. Any information on the topology will help decide how best to interconnect everything.

With regards to the four suggested VLANs, wouldn't the business WiFi need to be separate from the guest/trainee WiFi?

Sorry, I missed that you wanted to have two wifi networks. Definitely separate them if you're going to have a business and guest wifi but... if you don't mind some advice... I wouldn't bother with the business wifi. I would do a guest network with internet access only and use VPN technology if a staff member wishes to use wireless for some unknown reason.

Wireless is a risk on many levels and my biggest worry is always someone bringing their personal laptop into work and connecting it to an internal network. If the device is carrying a network virus, well, think about the effects. Alternatively, if it's been taken over by someone with nefarious intent, they're suddenly inside your network. We do not run a business wifi network here at my work. We use VPN. I'll sit in a meeting with one of my department laptops and fire up the VPN to access internal resources if I need them. It's ever so much safer for you that way. Our appropriate use policy disallows connecting personal equipment to our network for very good reason.

To be honest, I don't think the guests/trainees will need access to any resources from a business network, so no need to worry about setting up another server

We have a couple of training labs with "internet only" access and only on a very rare occasion have they required internal access. When it has happened, we moved them onto the VPN network so our security guy could tweak access to only allow them access to whatever internal resource they needed. On at least one other occasion, a "server" was brought into the room and connected (physically) to the same network so training PC's could access it.

How are your switches connected? Do you have them daisy chained or do both connect directly to the router? Is the router (routers) in one of the cabinets or a separate location?

Sadly, I've never worked with either of those switches so don't have any hands-on with them. Most managed switches are similar in most ways. Presently I work with Avaya switches (recently been sold to Extreme Networks so they will be rebranded at some point) and they do their trunk ports a little differently than, say, Cisco. The big thing is configuring your trunk ports correctly so they carry the appropriate VLANs.

Question: Are your managed switches already in production? If yes, how do you have them configured at this point in time? (ie: basic "default" config running as a dumb switch, VLANs and IPs assigned etc?)



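An added example, not the thread's switch configuration, of the trunk-port point made above: a small 802.1Q model that parses tagged and untagged Ethernet frames, applies access/trunk port rules, and checks whether a frame entering one port can leave another, including across the link between the two cabinets. Port names, the VLAN-to-room mapping, the constructed frames and the treatment of tagged frames arriving on access ports (dropped) are all assumptions; real switches differ on that last detail, so confirm it on the GS724TP and ProCurve rather than trusting the model.

```python
"""802.1Q forwarding model for a two-cabinet layout: an added example, not the
thread's switch configuration. Port names, VLAN-to-room mapping and the rule
that access ports drop tagged ingress frames are assumptions."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

ETH_P_8021Q = 0x8100   # TPID that marks a VLAN-tagged frame
ETH_P_IP = 0x0800


@dataclass
class Port:
    mode: str                                        # "access" or "trunk"
    pvid: int = 1                                    # VLAN for untagged ingress
    allowed: Set[int] = field(default_factory=set)   # trunk only: tagged VLANs carried


@dataclass
class Switch:
    name: str
    ports: Dict[str, Port]


def parse_frame(frame: bytes) -> Tuple[bytes, bytes, Optional[int], bytes]:
    """Split an Ethernet II frame into (dst, src, vid or None, payload)."""
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype == ETH_P_8021Q:
        tci = struct.unpack("!H", frame[14:16])[0]
        return dst, src, tci & 0x0FFF, frame[18:]   # low 12 bits of TCI = VID
    return dst, src, None, frame[14:]


def build_frame(dst: bytes, src: bytes, payload: bytes, vid: Optional[int] = None) -> bytes:
    """Build a frame, inserting an 802.1Q tag when vid is given."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HH", ETH_P_8021Q, vid & 0x0FFF)
    return hdr + struct.pack("!H", ETH_P_IP) + payload


def ingress_vlan(port: Port, vid: Optional[int]) -> Optional[int]:
    """VLAN the switch assigns on arrival; None means the frame is dropped."""
    if port.mode == "access":
        return port.pvid if vid is None else None   # assumption: tags from clients ignored
    if vid is None:
        return port.pvid                             # untagged on a trunk = native VLAN
    return vid if vid in port.allowed else None


def egress_mode(port: Port, vlan: int) -> Optional[str]:
    """'untagged', 'tagged', or None if the port does not carry that VLAN."""
    if port.mode == "access":
        return "untagged" if port.pvid == vlan else None
    if vlan == port.pvid:
        return "untagged"
    return "tagged" if vlan in port.allowed else None


def forward(path: List[Tuple[Switch, str, str]], frame: bytes) -> Optional[str]:
    """Walk (switch, in_port, out_port) hops; return how the frame finally leaves, or None."""
    _, _, vid, _ = parse_frame(frame)
    mode = None
    for sw, in_name, out_name in path:
        vlan = ingress_vlan(sw.ports[in_name], vid)
        if vlan is None:
            return None
        mode = egress_mode(sw.ports[out_name], vlan)
        if mode is None:
            return None
        vid = None if mode == "untagged" else vlan   # what the next switch sees
    return mode


def build_site(uplink_vlans: Set[int]) -> Tuple[Switch, Switch]:
    """Constructed site: VLAN 2 office ports, VLAN 4 training ports, a trunk between cabinets."""
    def trunk() -> Port:
        return Port("trunk", pvid=1, allowed=set(uplink_vlans))
    sw1 = Switch("cabinet1", {"g1": Port("access", pvid=4), "g2": Port("access", pvid=2), "g24": trunk()})
    sw2 = Switch("cabinet2", {"g5": Port("access", pvid=4), "g6": Port("access", pvid=2), "g24": trunk()})
    return sw1, sw2


# Constructed frames: a trainee's untagged broadcast, and the same frame self-tagged VLAN 2.
TRAINEE = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x04", b"hello")
TAGGED_2 = build_frame(b"\xff" * 6, b"\x02\x00\x00\x00\x00\x04", b"hello", vid=2)


def checks() -> Dict[str, Optional[str]]:
    """The cases worth confirming before the switches go into production."""
    sw1, sw2 = build_site({2, 3, 4})
    bad1, bad2 = build_site({2})                     # trunk forgot VLAN 4
    return {
        "training_to_office_same_switch": forward([(sw1, "g1", "g2")], TRAINEE),
        "training_across_uplink":         forward([(sw1, "g1", "g24"), (sw2, "g24", "g5")], TRAINEE),
        "training_across_broken_uplink":  forward([(bad1, "g1", "g24"), (bad2, "g24", "g5")], TRAINEE),
        "trainee_self_tagged_vlan2":      forward([(sw1, "g1", "g2")], TAGGED_2),
    }
```

The third case is the trunk mistake the reply warns about: the link between cabinets has to carry every VLAN that exists on both floors, and a VLAN left off the trunk silently cuts that room off. The fourth case is why access ports must never honour a tag the client inserts. The trunk's native VLAN 1 stays untagged on the inter-switch link, which is one more reason to keep VLAN 1 for the switches themselves and off every user-facing port.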

#5
November 13, 2017 at 05:03:51
So, how's it going with your setup? Did you ever get a diagram made?




#6
November 13, 2017 at 05:18:52
Hi Curt

I have to do it soon, I am just juggling a few projects at the moment. I have to do it soon though.



#7
November 17, 2017 at 09:14:07
I have knocked up a somewhat crude network diagram, please see it in this link


Here






#8
November 19, 2017 at 09:24:41
That's not crude, that's perfect........LOL Crude would have been hand drawn and scanned. Which also would have been perfectly acceptable btw. :)

I think this will be easier if we move to email. Perhaps once we've worked things through and you have your setup complete you could write up a configuration including another topology diagram and put them at the end of this thread as an aid for anybody else looking to do something similar.

Please private message me through here and I'll get back to you Monday when I'm back at work and have visio at hand to rough up a diagram.


In the mean time, a couple questions:

I see you have the patch cable(s) running from the upstairs training room to the first switch disconnected. Why is that?

Have you started using VLANs in your switches yet? (If not, don't rush into it until we talk some more)



