Need Input on my small biz network plan


hiroo

Actually, this is for my church, but the needs are similar to a small business. We are redoing our internal network and have a contractor pulling cat5e throughout. I'm researching the equipment to support all this once the cables are pulled.

There are two buildings. Each will have a 48-port switch that all the new cables will feed into. Building A's switch will be connected to the network rack in Building B via a fiber link.

Requirements:
- VLANs to separate the staff computers and resources (printers, file servers, etc) from non-staff and guest access. VLAN should work on both wireless and wired.
- WiFi access points with guest network that allows internet access but not to other network resources. This guest network should have a way so that people attending church can use the internet but we don't become a general public ISP. Password of the day/week?
- Long-range, narrow beam WiFi to get net access to a staff residence that is across the street, diagonal two suburban-type houses down.
- Longer-term, VPN access for staff to get into the network from home or mobile locations.

My first pass selections:

WiFi: Ubiquiti UniFi system
- UniFi AP-PRO access points in the two buildings. Selected the AP-PRO because it supports 802.3af PoE.
- The UniFi AC AP's seem too expensive at this point.
- I could choose the AP or AP-LR to save money but think it might clutter up the wiring on the rack since they use their own custom PoE injectors.
- AP Outdoor+ units to cover the courtyard between the buildings and one with a directional antenna to reach the staff house.
- Choosing UniFi mainly because it offers an enterprise-ish managed system without the price.

Switches: ZyXEL GS1910-48HP
- Gigabit, built-in 802.3af/at PoE, port/protocol/mac-based VLAN, VLAN tagging, voice and guest VLAN
- Any comments on reliability, usage, first-hand experience?

Router:
- Totally open to suggestions at this point.
- Looked at multiple TP-Link models but they don't seem to support VLAN tagging.
- Like the sound of the Ubiquiti Edge Router series but the GUI sounds incomplete at this point. I do have a CS degree but have not done much CLI network stuff and am not a full-time person so don't want to be the only one that can change stuff.

If anybody has suggestions or comments on the following, please help:

1) suggestions on router models that will support what we're trying to do
2) comments on the switch or wifi units that I've selected based on experience; or alternative suggestions
3) Are the AP Outdoor+ units the best way to get signal to the staff house? The other Ubiquiti outdoor units don't seem to work with the UniFi management software (or do they?)

Thanks in advance.
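
The staff/guest separation in the requirements above can be checked before any rule goes onto the router. This is an added example, not part of the original post: a first-match rule evaluator that audits a guest-VLAN policy. The VLAN numbers, subnets, rule set and probe addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumption, not taken from the thread).
STAFF = ipaddress.ip_network("10.10.10.0/24")    # VLAN 10: staff PCs, printers, file server
GUEST = ipaddress.ip_network("10.10.20.0/24")    # VLAN 20: guest wired and wireless
GUEST_GW = ipaddress.ip_network("10.10.20.1/32") # router address on the guest VLAN
ANY = ipaddress.ip_network("0.0.0.0/0")
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def decide(rules, src, dst, default="drop"):
    """Return the action of the first rule matching src -> dst (first match wins)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst:
            return r.action
    return default

def guest_policy():
    """Rules for traffic arriving from the guest VLAN, most specific first."""
    rules = [Rule("accept", GUEST, GUEST_GW)]              # DHCP/DNS on the gateway
    rules += [Rule("drop", GUEST, n) for n in PRIVATE]     # no internal networks
    rules.append(Rule("accept", GUEST, ANY))               # everything else: internet
    return rules

def misordered_policy():
    """Same rules with the broad accept moved to the top, which shadows the drops."""
    good = guest_policy()
    return [good[-1]] + good[:-1]

def audit(rules):
    """Return (src, dst, wanted, got) for every probe that violates the requirement."""
    probes = [
        (str(GUEST[50]), str(STAFF[5]), "drop"),       # guest -> staff file server
        (str(GUEST[50]), "192.168.1.10", "drop"),      # guest -> any other private range
        (str(GUEST[50]), str(GUEST_GW[0]), "accept"),  # guest -> its own gateway
        (str(GUEST[50]), "203.0.113.10", "accept"),    # guest -> internet (TEST-NET-3)
    ]
    checked = [(s, d, want, decide(rules, s, d)) for s, d, want in probes]
    return [c for c in checked if c[2] != c[3]]
```

`audit(guest_policy())` returns an empty list, while `audit(misordered_policy())` reports both guest-to-private probes as accepted, which is the failure rule ordering causes on a first-match firewall.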
 
I totally agree with your choice of Ubiquiti UniFi AP-Pro for indoor and AP Outdoor+ units. I have installed them and have had great success. Just make sure you map out your setup, especially in the 2.4 GHz range. With only three non-overlapping channels (1, 6, and 11), you just need to make sure to rotate the channels so APs that are near each other are using different channels.
OK, to get the signal down the street to the house... I would use a P2P wireless setup and then install an AP in the house. I would use a pair of Ubiquiti Nanostation LocoM5's if you have a line of sight between buildings. The problem with trying to get an AP signal that far is that you can definitely get the signal there with the right equipment, but the devices in the house will not be powerful enough to get the responding signal back to the church.
On the switch, I don't know anything about the ZyXEL GS1910-48HP. I have not used any ZyXEL stuff before, so I will have to let someone else comment on that.
As far as the router goes, you could get a consumer router, like an ASUS brand, and load software like DD-WRT on it, and it could do what you wanted. Personally I would go with a pro-level router like a Ubiquiti or Cisco. I use the Ubiquiti Edgerouter Lite at my house and have been very happy with it. With the latest OS, many of the functions are in the GUI. You may have to use the CLI a little for the VLANs, but the Ubiquiti forums and knowledgebase are awesome. You can usually find what you need in the knowledgebase (with examples), but if not, the forums are extremely active and you can usually get a response to your question within an hour.
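
The channel rotation described in the reply above, as an added example that is not part of the original post: a small backtracking search that gives every AP one of channels 1, 6 or 11 so that no two APs within earshot share a channel. The AP names and the "can hear each other" map are constructed for illustration.

```python
CHANNELS = (1, 6, 11)  # the three non-overlapping 2.4 GHz channels named in the post

# Constructed site survey (assumption): which APs can hear each other.
NEIGHBORS = {
    "bldgA-1": ["bldgA-2", "courtyard"],
    "bldgA-2": ["courtyard"],
    "bldgB-1": ["bldgB-2", "courtyard"],
    "bldgB-2": ["courtyard"],
}

def adjacency(neighbors):
    """Make the neighbor map symmetric and include APs listed only as neighbors."""
    adj = {ap: set() for ap in neighbors}
    for ap, near in neighbors.items():
        for other in near:
            adj[ap].add(other)
            adj.setdefault(other, set()).add(ap)
    return adj

def assign_channels(neighbors, channels=CHANNELS):
    """Return {ap: channel} with no two neighbors on one channel, or None if impossible."""
    adj = adjacency(neighbors)
    # Place the APs with the most neighbors first; they are the hardest to fit.
    order = sorted(adj, key=lambda ap: (-len(adj[ap]), ap))
    plan = {}

    def place(i):
        if i == len(order):
            return True
        ap = order[i]
        for ch in channels:
            if all(plan.get(n) != ch for n in adj[ap]):
                plan[ap] = ch
                if place(i + 1):
                    return True
                del plan[ap]      # undo and try the next channel
        return False

    return plan if place(0) else None

def conflicts(plan, neighbors):
    """List neighbor pairs that ended up on the same channel."""
    adj = adjacency(neighbors)
    return sorted({tuple(sorted((a, b))) for a in adj for b in adj[a]
                   if plan[a] == plan[b]})
```

A result of `None` means some group of APs all hear each other and three channels cannot separate them, so power levels or placement have to change instead.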
 
The issue with using a consumer-based router with, say, DD-WRT is that once you get more than about 20 users connected, disconnected, 20 more added, 10 leave, 20 more connect, they tend to take a dump from the tables getting full. You can reduce this by using a separate DHCP and DNS server. I don't even like using my Cisco routers as DHCP servers, even though I do use two Cisco 891W's, but those routers have a separate wap from the core services on the WAN side. The 891 has 8 LAN ports and 2 WAN ports; 4 of the LAN ports can be used as PoE ports by adding the internal Cisco daughter card. The 891 you can VLAN, just remember to keep one for management. I use 4-7 vlan1 for that as the 0-3 are PoE in my setup and are vlan2 for the cisco 1600e-saps.
The fiber should work great. I use it to get to switches in the warehouse and loading docks; they are connected to HP Procurve layer 3's. Just make sure the fiber is outdoor rated or encased in sealed conduit. If you are going the sealed buried conduit route, be sure to put in a couple of extra pull lines even if you have to go next size up on the conduit. Yes, I am an avid fan of overkill, every time I've used 'goodenuf' it's bitten me in the butt somewhere down the road. :D

This might be a stupid question but I better ask. The cable puller, I hope he is punching those cables down to a patch panel and wall ports. If not, then have him do so. Yes, I have seen a job or two done where they put RJ45 connectors on BOTH ends because patch panel and wall plates were not specified. Do not forget a decent rack or racks; get an 8 foot tall one. It can be a telco rack [two aluminum I beams]; those are easier to work with than an enclosed rack with front door, sides and back cover. Rack mounted power strips also. Different colored patch cords to denote their use/vlan. The servers can go in an enclosed rack, use a screen door in the front that locks if necessary; new generation, 2006+, servers' air flow goes front to back.
 
I do realize that the Zyxel switches aren't that popular of a brand. I didn't find any other well-priced ones with all the VLAN options as well as standard 802.3af/at PoE. I'm open to suggestions on other managed switch models that have known reliability that would work in this setup.

One other question on the topology of the fiber link. Should it go:

Switch A ->fiber converter->fiber->fiber converter->Switch B->Router

or

Switch A ->fiber converter->fiber->fiber converter->Router

I also understand that you can get fiber converters as an SFP module. The switches each have 4 SFP module slots. Is this better than going with the external fiber converters? At the least it would seem cleaner.
 
OK, to get the signal down the street to the house... I would use a P2P wireless setup and then install an AP in the house. I would use a pair of Ubiquiti Nanostation LocoM5's if you have a line of sight between buildings. The problem with trying to get an AP signal that far is that you can definitely get the signal there with the right equipment, but the devices in the house will not be powerful enough to get the responding signal back to the church.

ok, got it on the need for a point-to-point bridge rather than just AP+antenna.

Just to be clear: the nanostations just provide the bridge and do not provide a wifi access point at the far end, correct?

Also, what is the difference between the nanostations and the ns loco models?
 
ok, got it on the need for a point-to-point bridge rather than just AP+antenna.

Just to be clear: the nanostations just provide the bridge and do not provide a wifi access point at the far end, correct?

Also, what is the difference between the nanostations and the ns loco models?

Yes for your configuration the Nanostation would just be the P2P bridge. You would then attach an AP or a home SOHO wireless router or whatever to it to distribute the network.
The NanoStation LOCO M is about 1/2 the size and 1/2 the power of the Nanostation M. It is perfect for short distances. Where Ubiquiti's other P2P wireless solutions (including the NanoStation M) are too powerful for short distances (like less than a mile) even if you turn the power all the way down. Too much signal will make the link slow down considerably. When you match up your Nanostations you really want your signal level to show between -50db and -60db with a noise floor hopefully of -90db or more. If your signal is too strong, say -40db, that will cause problems, and if the signal is weak, like -70db, that will also cause problems. These "problems" I am talking about are slow performance.
 
I do realize that the Zyxel switches aren't that popular of a brand. I didn't find any other well-priced ones with all the VLAN options as well as standard 802.3af/at PoE. I'm open to suggestions on other managed switch models that have known reliability that would work in this setup.

One other question on the topology of the fiber link. Should it go:

Switch A ->fiber converter->fiber->fiber converter->Switch B->Router

or

Switch A ->fiber converter->fiber->fiber converter->Router

I also understand that you can get fiber converters as an SFP module. The switches each have 4 SFP module slots. Is this better than going with the external fiber converters? At the least it would seem cleaner.

How you hook it up (switch to switch or switch to router) will depend on preference, where your devices are located, and how you lay your network out. If I were you I would pick the best router and switch for the job (whether they have built in SFP or not). Then figure out how to hook them together. If they have built in SFP slots that is nice as it eliminates another point of failure (transceivers), but to me that would be a secondary deciding factor.
 
The external fiber>ethernet converters will work OK within limits, just an extra piece of hardware to complicate the design. The built-in fiber slots are my choice when doing this and the price difference is minor. Try to stay same brand/family in the switches when you do this. I run all HP Procurve here and have fiber runs throughout the entire building using the SFP ports back to my big core switch. I even use fiber between server racks' switches back to the core switch in the same room. The tech has come a long way since thin-net and token ring. I've used and use the converters but that has been mainly where a company suddenly needs the main office connected to motor pool, maintenance bldg and guard shacks for two or three devices at each location; it worked. Have done the same thing where a new building was built across a parking lot and had 40 or so office workers, not so much.
 
Try to stay same brand/family in the switches when you do this.

have done the same thing where a new building was built across a parking lot and had 40 or so office workers, not so much.

Do you mean, use the same brand SFP adapter as the switch? How good of a standard is SFP? Where do I shop for SFP fiber inserts?

Do you have any opinion on the topology? Should the fiber from the Building A switch come into Switch B and then to router? Or directly to router via converter box?
 
just make sure the fiber is outdoor rated or encased in sealed conduit. If you are going the sealed buried conduit route be sure to put in a couple of extra pull lines even if you have to go next size up on the conduit. Yes, I am an avid fan of overkill, every time I've used 'goodenuf' it's bitten me in the butt somewhere down the road. :D

This might be a stupid question but I better ask. The cable puller, I hope he is punching those cables down to a patch panel and wall ports. If not, then have him do so. Yes, I have seen a job or two done where they put RJ45 connectors on BOTH ends because patch panel and wall plates were not specified. Do not forget a decent rack or racks; get an 8 foot tall one. It can be a telco rack [two aluminum I beams]; those are easier to work with than an enclosed rack with front door, sides and back cover. Rack mounted power strips also. Different colored patch cords to denote their use/vlan. The servers can go in an enclosed rack, use a screen door in the front that locks if necessary; new generation, 2006+, servers' air flow goes front to back.

There is an existing conduit (with other stuff in it already) and I believe the installer has already pulled the fiber through.

Thanks for the reminder on the termination; it was already specified that the installer terminate to wall plates and to a patch panel on the rack.

Somebody else had the brilliant idea to enclose the whole rack area in custom wood cabinets (which are beautiful, but not great for cooling). I'm probably going to recommend fans be installed to pull air out the top of the front doors of the cabinets to cool down the interior. This goes slightly against the front to back but the back is an exterior wall so venting there isn't an option.
 
Can anybody that has used the UniFi stuff share how they implemented the controller? Does it have to be on 24x7 or just for configuration? What about if we do the guest network?
 
Can anybody that has used the UniFi stuff share how they implemented the controller? Does it have to be on 24x7 or just for configuration? What about if we do the guest network?

For most functions the controller only has to be on for configuration. This includes the guest network. Now if you want to try to use a captive portal on the guest network to have people accept terms of use or something before they can connect, then the controller has to be on. Also if you want the controller to log statistics then it has to be on.
 
Do you mean, use the same brand SFP adapter as the switch? How good of a standard is SFP? Where do I shop for SFP fiber inserts?

Do you have any opinion on the topology? Should the fiber from the Building A switch come into Switch B and then to router? Or directly to router via converter box?

I would set up a core switch next to the router, put SFP in that switch, run fiber to next switch, insert SFP, connect fiber, done. For a third switch, insert 2nd SFP in core switch, run fiber to third switch, insert and connect, done. You can daisy chain but you can suffer performance issues from the switch in the middle.
My HP Procurves are using J4858C Procurve Gigabit-SX-LC Mini-GBIC; they work across the entire line of Procurves I have here. They also come with a lifetime warranty.
 
How many fiber cables are you pulling between the buildings? If you're pulling at least two, I would aggregate the 2 lines at the switches. This would give you more throughput plus a redundant link in case an SFP or fiber pair fails. Also, daisy-chaining is not as much of an issue with this setup.
 
For the point-to-point to the residence, I'd recommend anything from netsys-direct.com if you have any type of copper connecting the two buildings.
 
