Need some thoughts on retail store network

night0wl

Hi All,

https://imgur.com/a/TiFxfo5


I’m opening a new hardware store, and I need to build my network to accommodate everything we need to do. Primarily, this involves point of sale systems, a few workstations for paint coloring/mixing, management workstations, several voip lines, security cameras, wifi for management and guests, wifi for external cameras (too far for POE), and a guest wifi for customers/vendors/corporate visitors. I also have a need for VPN so that I can check in on the store remotely.



I’m trying to build a network inspired by this video:



I’m cost constrained so I can’t just hire someone to do this build, so I’d like feedback on this network design I’ve pulled together. I’m not a network analyst or admin, but have been doing a ton of reading the last 2-3 days.



My biggest concern with this diagram right now is the Linksys firewall/router/VPN box. It can do only 5 VLANs. In fact, it seems like most SMB devices only do as many VLANs as there are physical ports on the device. My concern is that since this is the only device doing DHCP, then due to only 5 VLANs, there won't be automatic addressing available (does that even make sense?)



Will this design work or will I have to put a DHCP server or device on each VLAN... or at least the VLANs that aren't set up on the Linksys VPN/firewall/router device? Is that even making sense?



Thanks for your feedback.
 
A proper system would cost thousands. What are you going to be using for POS, tablets with a service like Square? You need to consult with someone locally. Also you need to have someone manage it, not you dealing with all of the headaches.

The last thing that you need is to accidentally allow access to customer and store records to a guest or visitor, regardless of whom they are.

The cameras would have to go to a DVR which would have its own connection to a proper managed POE system for the cameras.

The layout would be POS on one VLAN, VoIP on another, cameras on one, office workstations on one. Wi-Fi for wireless handsets for VoIP would be on the VoIP VLAN; tablets for inventory and item lookup would be on a wireless VLAN for the office. Guests should be on a captive portal that never touches any of the in-house VLANs.
 
I am not sure reading for 2 or 3 days is enough to undertake a project like this. I hope you understand networking. How much time do you have to get it running, and how big is the store? I would think 1 wireless AP would not be enough to cover a hardware store. And yes, you are talking a lot of money.

You should take a look at my thread on a Cisco layer 3 switch. If you don't understand the networking part, I am not sure you should undertake this project.
https://www.snbforums.com/threads/home-network-design-help-with-l3-switch.59818/

I recommend hiring someone who does this all the time. This will give you somebody to call when you have problems, and you don't have time to deal with network problems because you are too busy at work.

Reading is good and it will help you make better decisions with your network.
 
I just watched the video you posted on VLANs. It is very basic and will not prepare you for your hardware network project. Yes, VLANs are a good thing to use, but you need to be able to troubleshoot problems on VLANs, not just have a basic understanding of what they are.

Real VLANs in big networks have networks assigned to each VLAN, so you are working at layer 3, not layer 2.

Maybe a good place to start, if you want to set up something like your video, is to rebuild your home network with VLANs and see how you do.
 
Thanks for your feedback all. So to clarify... I have an IT background (just on the applications and ERP side). I took another crack at designing the network better based on feedback I've received on multiple boards. See attached now (still can't figure out how to post a pic inline).

Based on feedback, I've dumped the Linksys firewall and replaced much of the equipment with Ubiquiti gear for the single pane of glass. Only the L2 switches are from a different provider (Netgear) due to the cost differential... and I can go to another pane for switch port management.

The gist is to keep as much separated via VLANs as possible, especially the point of sale, "data room", guest_wifi. I've kept the IP numbering scheme off the diagram since that would be proprietary.
 
Attachments: NTWRK_V2.png (218 KB)
IP numbering is not proprietary and as far as segmenting it as you show, I can already see some headaches. Pay the money to sit down with a consultant that knows retail systems. Most POS providers will help to design the back office and sales floor system. The Camera stuff is something that also takes having someone who can respond 24/7 to fix issues and is the most expensive part of the “system” for managing a retail business, with phones being second.
 
Ok. Will pay. But want to start with something so its not a greenfield design. Thanks.
 
Are you going to out source your phones or run the PBX in house? How are you planning to handle QoS for the IP phones? With all that network gear I think you will be better off doing the QoS for the phones in the switches.

Why are you picking all these different subnets? Why not just use class C IP addresses?

And why do you need a Wi-Fi bridge? String cable.

Please explain the security risk you are feeling with the printers? Are you planning to use LPD & LPR?

If I did this I would use a Cisco L3 switch but that is just me.

I would think just the surveillance system would be 5 to 8 thousand. And if you have to string a lot of cable maybe more.
 
Store: Why don't you use Web or Server Hosting for your store? If you build your own server the server will be hacked within a month.
Office Network: Contact Network Consulting Service.
 
Hi, thank you for your feedback. Here are some responses.

Are you going to out source your phones or run the PBX in house? How are you planning to handle QoS for the IP phones? With all that network gear I think you will be better off doing the QoS for the phones in the switches.

I'm on the fence on this. Likely going to use an entry-level VoIP provider like Vonage Business, but then move to a hosted PBX. I have thought about needing to run FreePBX/Asterisk, but not initially. *GREAT* question about the QoS. I'm trying to find internet service right now, and running QoS will depend on what I can get and what I can negotiate for monthly charges. For a few phone lines, if I can get 300 Mbps - 1 Gig service, I won't do QoS. If I have to do anything less, then I was planning on doing QoS. The data will be tagged. I will need to configure all switches/routers to prioritize voice traffic that's tagged.

Why are you picking all these different subnets? Why not just use class C IP addresses?

It's a security mindset. Only have machines where they belong. By limiting the available IP range, it forces discipline and perhaps blocks rogue hosts on a network. I may even go static IP on some... haven't decided that yet, to be honest.

And why do you need a Wi-Fi bridge? String cable.
I have an area that will have goods (bagged goods, trailers, U-Haul, propane) that is pretty far from the main building, across the parking lot. As I understand it, PoE runs can't exceed 100 meters, and really should be much, much less. Rather than mount cameras away from the area and try to zoom in, I was hoping to put a Wi-Fi bridge to that area, put an 8-port managed PoE switch there, then string 5-6 cameras from that switch all around the far end of the lot by running cable from there. It would give a way of watching the front side of the store too, from an outside-in perspective, you know? I *AM*, however, very concerned about saturating the bandwidth on Wi-Fi by having too many cameras out there. So I may have to eventually bite the bullet and trench across the parking lot in the future. The landlord has refused so far to allow that.

Please explain the security risk you are feeling with the printers? Are you planning to use LPD & LPR?
I've never ever patched the firmware of a printer. They often accept USB sticks and other memory devices for convenience's sake. I don't want to have a printer exploit then be used to launch a multicast/broadcast-oriented attack. Paranoid... perhaps.

If I did this I would use a Cisco L3 switch but that is just me.
Can you suggest a model?

I would think just the surveillance system would be 5 to 8 thousand. And if you have to string a lot of cable maybe more.
Yes. It's shaping up to be that. My corporate partners wanted a $30,000 system, which I am trying to do for around $5,000. However, it's looking to come in around $8,000 right now. I'll share my bill of materials when I can tonight. Just for context, our "shrink" budget (which is a lot more than just theft) is $10,000-$15,000 a year. *ouch*. If the camera system can knock that down by 200-300 basis points on total sales, then that pays back the investment quickly. Especially so if I can do this DIY rather than just paying a vendor. Also, it sends a strong message in the area to shoplifters and deadbeats that you just don't want to do that kind of stuff at my store (choose a "softer" target elsewhere).
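The post above plans to tag voice traffic and have every switch and router prioritize it. The example below is added here and is not code from the thread or from any switch vendor; it parses a constructed 802.1Q-tagged Ethernet frame, reads the 802.1p priority (PCP) and the IPv4 DSCP, and honours those markings only when the frame arrived on a trusted VoIP VLAN, which is the trust-boundary check a switch QoS policy needs so that a guest or office host cannot jump the voice queue by marking its own packets. The VLAN IDs, MAC and IP addresses are assumptions.

```python
"""Voice-traffic classification with a trust boundary (added example; the VLAN
numbers, addresses and marking values below are assumptions, not the thread's)."""
import struct
from typing import Optional

TPID_8021Q = 0x8100
ETHERTYPE_IPV4 = 0x0800
DSCP_EF = 46       # Expedited Forwarding, the usual DSCP for RTP voice
PCP_VOICE = 5      # 802.1p priority commonly used for voice
VOIP_VLANS = {30}  # assumed VoIP VLAN; markings from any other VLAN are not trusted


def build_frame(vid: Optional[int], pcp: int, dscp: int) -> bytes:
    """Build a minimal Ethernet + IPv4/UDP header (constructed test data).
    vid=None produces an untagged frame."""
    dst = bytes.fromhex("001122334455")
    src = bytes.fromhex("66778899aabb")
    if vid is None:
        hdr = dst + src + struct.pack("!H", ETHERTYPE_IPV4)
    else:
        tci = (pcp << 13) | (vid & 0x0FFF)   # PCP(3) | DEI(1)=0 | VID(12)
        hdr = dst + src + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4)
    tos = dscp << 2                            # DSCP is the top 6 bits of TOS; ECN = 0
    ipv4 = struct.pack("!BBHHHBBH4s4s",
                       0x45, tos, 28, 0, 0, 64, 17, 0,
                       bytes([10, 0, 30, 11]), bytes([10, 0, 30, 1]))
    return hdr + ipv4


def parse_frame(frame: bytes) -> dict:
    """Extract VLAN ID, PCP and DSCP; vid and pcp are None for an untagged frame."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 18
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 frames are handled here")
    tos = frame[offset + 1]                    # second byte of the IPv4 header
    return {"vid": vid, "pcp": pcp, "dscp": tos >> 2}


def classify(frame: bytes, trusted_vlans: set = VOIP_VLANS) -> dict:
    """Pick the egress queue. Voice markings are honoured only from trusted VLANs;
    everything else is re-marked to best effort, so an untrusted host gains nothing
    by setting PCP 5 or DSCP 46 itself."""
    info = parse_frame(frame)
    marked_voice = info["pcp"] == PCP_VOICE or info["dscp"] == DSCP_EF
    trusted = info["vid"] in trusted_vlans
    if marked_voice and trusted:
        info["queue"], info["remarked"] = "voice", False
    else:
        info["queue"], info["remarked"] = "best-effort", marked_voice
    return info


if __name__ == "__main__":
    for label, frame in [
        ("phone on VoIP VLAN", build_frame(30, 5, 46)),
        ("guest host marking EF", build_frame(90, 5, 46)),
        ("untagged workstation", build_frame(None, 0, 0)),
    ]:
        print(label, classify(frame))
```

On real gear this is the "trust" setting on the access port (trust DSCP/CoS only on phone ports or the voice VLAN, re-mark everything else), plus a matching policy on the WAN router if the ISP link is the bottleneck the post is worried about.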
 
Store: Why don't you use Web or Server Hosting for your store? If you build your own server the server will be hacked within a month.
Office Network: Contact Network Consulting Service.

I have no intention of hosting a website for the store. The server area/vlan is for things that I am *FORCED* to host onsite. For example, right now, my plan is to do a Cloud POS backend (SaaS). However, there are feature differences. If I need those features, I may be forced to host a local point of sale server backend...and that would go in the server vlan. Another example is a pbx. If I need a lot of extensions (say I hire a B2B selling staff), then they'll need phone extensions and a cloud PBX may become prohibitively expensive on a per user basis. Then, I may deploy a local PBX infrastructure and buy more phones to allow extension calling....then buy a few SIPs for inbound/outbound dialing.

Also... rereading your post. Was this meant to be a joke/sarcasm? Sorry, I missed the punchline altogether. Too sleep deprived as of late to get much humor in anything. :(
 
I would use a class C for every VLAN over 6 devices. There is no security risk. Then I would standardize your mask for the smaller networks. This way, when you work on it a couple of months down the road, it will be easy to know how the networks are defined. Plus superscoping VLANs is going to be easier.

If you don't have a workstation on the same network as the printers, you will have to track low toner, low paper, etc. all yourself. Printer apps are not going to work across networks.
 
Understood. I may just collapse that printer vlan into general business use altogether, then.
 
It's a security mindset. Only have machines where they belong. By limiting the available IP range, it forces discipline and perhaps blocks rogue hosts on a network. I may even go static IP on some... haven't decided that yet, to be honest.
No...No...No. There is no security in small subnets. There is no security in static IPs. Use DHCP. If you want to have similar behavior in DHCP, just use reservations. You want to avoid at all costs manually setting up IPs in clients. DHCP is where it is at especially when it comes time to make changes. Ever tried to change your DNS servers across 50 devices when you manually configured them instead of letting DHCP assign it out?
I've never ever patched the firmware of a printer. They often accept USB sticks and other memory devices for convenience's sake. I don't want to have a printer exploit then be used to launch a multicast/broadcast-oriented attack. Paranoid... perhaps.
I actually like your idea of printer isolation. They are somewhat IoT devices these days. As coxhaus pointed out, it may add some challenges regarding status and maintenance alerts, but that can usually be worked around easily. I know my printers at my house work just fine not being on the same VLAN. I just had to configure DNS correctly for them, and my clients point to the DNS name. You just can't rely upon broadcast for any functionality... which in a business environment you should not rely upon anyway.
 
this involves point of sale systems, a few workstations for paint coloring/mixing, management workstations, several voip lines, security cameras, wifi for management and guests, wifi for external cameras (too far for POE), and a guest wifi for customers/vendors/corporate visitors.

Points of Sale - note that if you're taking credit/debit cards, you'll need to be aware of EMV requirements to isolate them from the back office network that you're using for WiFi, VOIP, Cameras, etc...

I would definitely consult with an expert there, as mistakes with the POS can be very costly...
 
When you run multiple networks, you need to run your own DNS in-house so devices can find things. Just the way of the world. In the old days you had to run WINS also.
 
Points of Sale - note that if you're taking credit/debit cards, you'll need to be aware of EMV requirements to isolate them from the back office network that you're using for WiFi, VOIP, Cameras, etc...

I would definitely consult with an expert there, as mistakes with the POS can be very costly...
Unless the POS solution is certified as a stand-alone, I would for sure be looking for more segmentation and expert help.
I know where I work (manufacturing, so POS is not anywhere near our primary function) we have a few POS systems around (cafeteria, company store, etc) that from IT's perspective, we are just an ISP and provide them with an Internet connection. They are segmented since we put them out on our Guest network which doesn't allow any cross-talk at all, but overall we have zero responsibility for PCI on them. The 3rd party who provides and supports it has all responsibility.
 
I have noticed you don't have any redundancy on the switch; if it fails, your entire network goes down. I would strongly suggest adding redundancy to avoid downtime.

Also, along with VLANs I would use ACLs to limit traffic. Using different subnets alone is bad design, since your switch, which is layer 3, will easily route between VLANs and subnets. In your design, if devices are aware of other addresses, or an employee guesses an address, they can pretty much access the other networks.
 
Also, along with VLANs I would use ACLs to limit traffic. Using different subnets alone is bad design, since your switch, which is layer 3, will easily route between VLANs and subnets.
This is one reason I am not a fan of a layer 3 switch when dealing with VLANs from different security zones. Let your firewall route it all and control the flows at a single point, instead of dealing with firewall policy and ACLs on the router.

About the only time I care for a L3 switch is if you are pushing too high of bandwidth for a typical FW to handle or you are segmenting for reasons other than security.
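The two posts above make the same security point from different angles: separate subnets alone do not separate anything once a layer 3 device routes between them, and the flows between zones have to be permitted explicitly at one enforcement point. The following is an added example and not code from the thread or from any firewall product: a small zone-based policy check over the store's VLANs as the thread lays them out (POS, office, VoIP, cameras, printers, servers, guest). It keys every decision on the VLAN a packet arrived on, default-denies, and drops packets whose source address does not belong to that ingress VLAN, which is the check that makes "small subnets" and "static IPs" irrelevant to security. The VLAN IDs, subnets, zone names and port numbers are assumptions, chosen because the poster left the real numbering off the diagram.

```python
"""Zone-based inter-VLAN policy check (added example; VLAN IDs, subnets, zone
names and ports are assumptions, not the thread's real plan)."""
import ipaddress
from dataclasses import dataclass

# Assumed VLAN plan: id -> (zone name, subnet).
VLANS = {
    10: ("pos",      ipaddress.ip_network("10.0.10.0/24")),
    20: ("office",   ipaddress.ip_network("10.0.20.0/24")),
    30: ("voip",     ipaddress.ip_network("10.0.30.0/24")),
    40: ("cameras",  ipaddress.ip_network("10.0.40.0/24")),
    50: ("printers", ipaddress.ip_network("10.0.50.0/24")),
    60: ("servers",  ipaddress.ip_network("10.0.60.0/24")),
    90: ("guest",    ipaddress.ip_network("10.0.90.0/24")),
}

# Explicit allow list: (source zones, destination zone, protocol, destination ports).
# Anything not listed is denied: guest never reaches an in-house zone, and POS only
# ever talks outbound. "*" matches any protocol or port.
ALLOW = [
    ({"office"},                                "printers", "tcp", {631, 9100}),  # IPP / raw print
    ({"office"},                                "servers",  "tcp", {443}),        # back-office apps
    ({"cameras"},                               "servers",  "tcp", {554}),        # RTSP to the NVR
    ({"office", "voip", "cameras", "printers"}, "servers",  "udp", {53}),         # in-house DNS
    ({"office", "pos", "voip", "guest"},        "internet", "*",   {"*"}),        # outbound
]


@dataclass(frozen=True)
class Flow:
    ingress_vlan: int   # the VLAN the packet arrived on: the one fact the switch knows for sure
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int


def zone_of(ip: str) -> str:
    """Map an address to a zone by subnet; anything not local is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.values():
        if addr in net:
            return name
    return "internet"


def evaluate(flow: Flow) -> tuple:
    """Return (verdict, reason); verdict is 'allow' or 'deny'."""
    if flow.ingress_vlan not in VLANS:
        return "deny", "unknown ingress VLAN"
    src_zone, src_net = VLANS[flow.ingress_vlan]
    # Anti-spoofing: the claimed source must live in the ingress VLAN's subnet.
    # Because policy keys on the ingress VLAN and not on the source IP, a host that
    # configures itself with a POS address from the guest VLAN gains nothing.
    if ipaddress.ip_address(flow.src) not in src_net:
        return "deny", f"source {flow.src} is not in {src_zone}'s subnet (spoofed)"
    dst_zone = zone_of(flow.dst)
    if dst_zone == src_zone:
        return "allow", "intra-VLAN traffic is switched, not routed"
    for src_zones, allowed_dst, proto, ports in ALLOW:
        if (src_zone in src_zones and dst_zone == allowed_dst
                and proto in ("*", flow.proto)
                and ("*" in ports or flow.dport in ports)):
            return "allow", f"{src_zone} -> {dst_zone} {flow.proto}/{flow.dport} is permitted"
    return "deny", f"no rule permits {src_zone} -> {dst_zone} {flow.proto}/{flow.dport}"


if __name__ == "__main__":
    # Constructed sample flows.
    for f in [
        Flow(90, "10.0.90.5",  "10.0.10.20", "tcp", 443),   # guest -> POS
        Flow(90, "10.0.10.99", "10.0.10.20", "tcp", 443),   # guest host claiming a POS address
        Flow(20, "10.0.20.7",  "10.0.50.10", "tcp", 9100),  # office -> printer
        Flow(10, "10.0.10.20", "10.0.20.7",  "tcp", 445),   # POS -> office
        Flow(90, "10.0.90.5",  "8.8.8.8",    "udp", 53),    # guest -> internet
    ]:
        print(f.ingress_vlan, f.src, "->", f.dst, *evaluate(f))
```

Whether this table lives on the firewall (as the post above prefers) or as ACLs bound to the SVIs of an L3 switch, the properties that matter are the same: one place where the whole allow list can be read, a default deny, and the rule matched by ingress interface rather than by whatever source address the packet claims.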
 
I kind of disagree. To me, in this type of setup a router should only be used for internet traffic, never for local VLAN routing. But to be honest I would not use a router for a network firewall; I would look to something like a UTM, like Untangle, for my firewall duties. I don't know what the latest offering from Cisco is, but back when I worked we used a PIX firewall. So I would seriously consider the Cisco offering.

The core of my network will always be a layer 3 switch, never a router. Switches are faster than routers.
 