Gotchas to watch out for....AP installation

[komatsu]

I am about to install 7 X Zyxel AP's in one office building. They are a gaming company.

They have two broadband lines from same ISP in building.

One router will be used for uploads only and the other for downloads.

I have never deployed 7 APs in the same building before.

What are the gotchas to look out for in installing such a network?

 

[stevech]

Security, esp. if customer info involved. Doesn't sound like legal services or healthcare is involved.
User authentication - needs to be integrated with servers, e.g., LDAP or Microsoft domain servers. Big deal.

wiring and switches!
Coverage planning - don't just shoot from the hip. RF planning needed. Much of this comes only from experience with different construction materials.
Capacity planning - there may be areas where there is higher than normal average loads based on job duties of people.

By all means, don't put immobile desktop PCs on WiFi. Make it wired, always.

Have a guest SSID that routes ONLY to the internet and supports VPN for guests/visitors/contractors.

 

[coxhaus]

Just curious how are you going to setup the one router for upload and the other for download. I guess you can use default gateway for upload but controlling download I am not sure. Maybe use an ACL to block all inbound traffic on one router. Maybe a routing protocol between both routers. What's the general plan?

Download is usually much bigger on an internet pipe. You will be wasting a lot of download potential only using the upload. Can you control the uploads by port? Maybe a dual wan router to where uploads are forced by port to one WAN port but you can still use the extra download bandwidth. I really would like to know how this is going to work.

 

[stevech]

I assumed "upload" meant people with jobs that do a lot of file uploading to a server. Vice-versa people who download a lot by their job.

With common TCP/IP, one cannot split data traffic directions on two different ISP provided WAN connections. Each will have a different WAN IP address, and TCP for simple routers isn't able to do so.

The bigger question in such an enterprise is how are you going to do user authentication to be able to access the WiFi and the LAN and its servers? As mentioned in post #2. This is question 1 for the project. For professional setting, one does not just rely on the WiFi password.

 

[komatsu]

Thanks guys for the responses to far.

This particular operation does not yet use any physical servers.
Most of their work is done online with laptops and desktops.
So what authentication does one use (if any) when there are no servers involved?
And what would be the optimal use of the 2 x routers?

(Sorry but this is a bit of a learning curve for me as I usually deal with more boring setups like
auto repair shops and small accountancy practices)

 

[coxhaus]

From my reading he has 2 internet lines from the same ISP. So there will be 2 WAN IP addresses. And yes you can control traffic by port if you have the right equipment. All uploads will still need download acknowledgements and vice versa so all traffic downloaded for the upload router cannot be blocked but you can figure out what the traffic is to allow it to pass. Probably if you block port 80 for business you stop most of the traffic on the upload router but you will end up wasting all the excess download pipe.

Splitting traffic by person is easy. Trying to control traffic by what was stated would be much harder.

Authentication is easy just use Microsoft domain account logon information.

I think wireless units would be easy. Use several SSIDs and VLANs. If you overload a AP split an SSID off to another AP. Make sure you have an separate executive SSID to take care of the important people.

 

[sfx2000]

I am about to install 7 X Zyxel AP's in one office building. They are a gaming company.

They have two broadband lines from same ISP in building.

One router will be used for uploads only and the other for downloads.

I have never deployed 7 APs in the same building before.

What are the gotchas to look out for in installing such a network?

There's a lot of concern here - you didn't mention your role here - in-house employee, contractor, installer, consultant?

There's a lot of factors to consider - how many seats, how many floors, minimum bandwidth needs per seat, etc... and with a small business at stake, if you can't answer these questions, then you need to start considering them - or find a CWNP certified Pro to help you out.

I guess what this comes down to - know what you're getting in to - with a small business, networks are pretty important, and if not done well, can get you into a lot of trouble, not just from a on-going business perspective, but also from a legal/liability angle..

 

[komatsu]

>>Authentication is easy just use Microsoft domain account logon information

What will this come under in the AP's settings?

>> If you overload a AP split an SSID off to another AP.

How is this done?

 

[komatsu]

There's a lot of concern here - you didn't mention your role here - in-house employee, contractor, installer, consultant?

There's a lot of factors to consider - how many seats, how many floors, minimum bandwidth needs per seat, etc... and with a small business at stake, if you can't answer these questions, then you need to start considering them - or find a CWNP certified Pro to help you out.

I guess what this comes down to - know what you're getting in to - with a small business, networks are pretty important, and if not done well, can get you into a lot of trouble, not just from a on-going business perspective, but also from a legal/liability angle..

My role is just the IT guy really. I have installed tons of secure and good performing WLANs before with just 1 or 2 APs. All of these jobs went fine but with this job there are some more variables thrown in than usual.

 

[coxhaus]

Microsoft authentication is going to grant you access to the network. SSID is going to allow access on the wireless system and the appropriate VLAN.

 

[komatsu]

Microsoft authentication is going to grant you access to the network. SSID is going to allow access on the wireless system and the appropriate VLAN.

I guess you're talking about two-factor authentication but if there is no server involved...what is used to authenticate?

 

[coxhaus]

I don't know of any business which does not have security on their network. How do they currently handle security?

PS
Sorry I am drinking bourbon.

PSS
If you are not responsible network security then just worry about SSIDs access. Forget their bad security. It's not your problem if you only are setting up wireless.

 

[komatsu]

A pfSense firewall and WPA2-AES for wireless security.

So, how would you authenticate if there is no server invovled?

 

[coxhaus]

For wireless access the wireless logon is handled by the wireless devices. The rest of the network does not matter. It is kind weird there is no network security but there is always a first.

PS
I would think if they had a server where all the data resided then they could use all their bandwidth on their 2 internet pipes. All they need to do is to replicate all uploads from the server with high priority for upload to the cloud or an off site place. This way all uploads are to the local server then replicated out to wherever with priority on internet pipes. The server could provide security as well. This would allow full use of their internet pipes.

 

[komatsu]

ok thanks coxhaus.

 

[stevech]

>>Authentication is easy just use Microsoft domain account logon information

What will this come under in the AP's settings?

>> If you overload a AP split an SSID off to another AP.

How is this done?

OP said there are no servers, and thus, no MS domain.
No real security.
HIGH RISK in an organization that is incorporated or LLC.

 

[komatsu]

OP said there are no servers, and thus, no MS domain.
No real security.
HIGH RISK in an organization that is incorporated or LLC.

so what do you recommend to make the wireless network more secure in the absence of an MS domain?

 

[YeOldeStonecat]

Multiple APs in the same building....would benefit from running off of a controller....you're planning on using the setup that includes the controller, right?

 

[stevech]

so what do you recommend to make the wireless network more secure in the absence of an MS domain?

It's a company management policy issue foremost.
Hire an IT/LAN security expert. Don't wing it and risk a data breach, disgruntled employee/consultant/visitor sabotage, etc.

If you just won't have a AAA server (authentication for access to network and to file servers on site), then buy some good liability insurance.

 

[komatsu]

Does the AAA server have to be Microsoft?