HELP Building a Small Business Network w/ VLAN

nostawydoc
Hi, I am new here and I am hoping some of you can give me some input. I can put lots of information in here but here is kind of a simple rundown of what I am doing.

I am helping my local church out by installing a network and phone system for them. Here are 3 things that we are trying to accomplish:

1 - Install a VOIP Phone System - (TalkSwitch is the company we are going with)
2 - Install a gigabit wired network.
3 - Install wireless access points throughout the campus.

I think I have most of this figured out. (MAYBE?)

I don't have my heart set on this equipment but here is what I am thinking of using.

3 - Gigabit Network Switches with VLAN & QOS support - Dell PowerConnect 2708
3 - Wireless Access Points - LINKSYS WAP200 Wireless AP

With us having a Data and VOIP network going on the same network we are going to have at least 2 VLANs - 1 for Data and 1 for VOIP. I think this makes sense to keep them from conflicting with each other. We are not super rich so all of our equipment will have to be port based VLAN tagging.

We have DSL coming into this network and I would like to run the DSL into a Router/Firewall then out of the Router into the chain of switches. In my mind the router will be what is issuing IP addresses to the entire network (is this correct?)
Also what type of router should I use?
Does anyone have recommendations?
Do I need a router with QOS/VLAN support as well?

If you need more information on what we are doing - I have lots of documentation written up on this already.

Thanks for your help in advance.
 
You're on the right track it seems. For this sort of thing, you would want a router that supports VLAN'ing, QoS, etc. A good 'small-business' grade router that supports these sorts of features would be something like a Linksys RV0 type router. Tim's got a good article on the site about setting up basic VLANs (with a Linksys RV0, no less).

Another router that can support a lot of features like this for very little $$ (given that this is for a church, whose budget is probably pretty tight) is something like pfSense, an open-source (BSD) based router. pfSense is really powerful and free, you just throw it on a PC with a couple NICs. It's all configured by a web interface like a normal router. Just mentioning as an option.
 
How many simultaneous calls are you going to handle with VoIP and what is your DSL up and downlink speed?

What sort of area are you trying to cover with the wireless LAN? Why the WAP200s?
 
Thanks to both of you for the quick responses.
I am also sorry I posted this in the wrong section.

In reference to our VOIP phone system that we are wanting to install. We will have analog lines coming into our phone system not VOIP trunks. The reason we are wanting to use VOIP is because we have multiple buildings that are fairly close together but we really just want to tie them together with a couple of network cables and not have to worry about running a bunch of phone lines and network cables. So with the VOIP and the gigabit setup I think it will be easy to expand our phone system in the future because you will just be able to plug a phone into the network. Rather than running a new wire.

How many simultaneous calls are you going to handle with VoIP and what is your DSL up and downlink speed?

What sort of area are you trying to cover with the wireless LAN? Why the WAP200s?

Our DSL Speed 1.5mbs Down 384kbs Up.
Simultaneous calls 2-4 right now we will start with 2 but have the capability of 4 in the future.

Our wireless lan we have 2 buildings to cover right now.
1- Building one is a metal building with drywall throughout the inside, and has 2 levels in it. This building is about a 7200 sq ft foot print on both levels. So I was going to put 1 Wireless AP in that building.
2- Building two is between 17,000 and 20,000 sq ft. It is a brick and mortar building and the interior walls are concrete block through the majority of it. Right now we have a Linksys WRT54G and it doesn't cover but about half of it. So I was going to put 2 different wireless AP in this building.

I don't have any reasoning for using the WAP200's other than I read a few good things about them. I am open to any suggestions for equipment, throughout the network.

Again thanks for the help.
 
How many computers on the LAN? And how many of those actually on and used at the same time?

Is there a server on the LAN (knowing church networks..most likely not)
 
How many computers on the LAN? And how many of those actually on and used at the same time?

Is there a server on the LAN (knowing church networks..most likely not)

7-10 computers.
We will also have a server(s) in the future. They will just be file servers - no web servers or anything.
 
So it sounds like your VoIP use is local and that you will be using POTS for actual outside calls. Probably a good way to start. But this means that you will need to have a VoIP PBX and VoIP phones. What are you planning for that? Something Asterisk-based for the PBX. Take a look at this article to get started. Decent phones may cost you more than you think.

Your DSL speed is low, so any current router can handle the speed. The question is what sort of features you want in the router. Scotty had a good suggestion with pfSense. It has plenty of features including bandwidth control and VPN if you need it. Can run on an old computer or preferably notebook (for low power consumption).

If you want something off the shelf, you can go with most any consumer router; no need for a small-biz grade. I would do any VLANing or QoS controls with an inexpensive "smart" switch. The HP ProCurves are well-liked by folks here. Dell's PowerConnects are pretty good too.

Given the construction and areas that you are trying to cover, I think three APs is a bit thin. For the two story building, I would put one on each floor, as centrally located as possible. For the larger building, perhaps three, one at each end and one in the middle.

Again, if you are watching budget, you can take any consumer wireless router and convert it to an Access Point. 11b/g products are fine. I would not hassle with draft 11n at this point.
 
So it sounds like your VoIP use is local and that you will be using POTS for actual outside calls. Probably a good way to start. But this means that you will need to have a VoIP PBX and VoIP phones. What are you planning for that?

What we are looking at using for our PBX is a TalkSwitch 480VS we can also use a few Polycom Soundpoint Phones or use the TalkSwitch phones. I am leaning towards using the Polycom phones.

Your DSL speed is low, so any current router can handle the speed. The question is what sort of features you want in the router. Scotty had a good suggestion with pfSense. It has plenty of features including bandwidth control and VPN if you need it. Can run on an old computer or preferably notebook (for low power consumption).

Here are a few things that we are looking for in our router. The ability to block certain websites throughout the network. Obviously since we are a church we don't want people to be able to freely surf the internet to any website that they want to go to. We have a filter on our internet already that is through our ISP but I would like to restrict web traffic down further. That is really the only thing that I am looking to do with the router. (I am not sure this is where it is done or if it is possible to do)

Another thought about pfSense: I am a little concerned about its reliability. We will not have an IT person on site at all times (I am the IT person and I work at another establishment). So let's say the power flickers and my box goes off and let's assume that it is not on some sort of UPS, then I would have to reboot that box every time that happened. Am I correct in thinking that an off the shelf router would just reboot itself and be back up in a minute or two? That is all hypothetical (I hope to have UPS backup on everything.)

If you want something off the shelf, you can go with most any consumer router; no need for a small-biz grade. I would do any VLANing or QoS controls with an inexpensive "smart" switch. The HP ProCurves are well-liked by folks here. Dell's PowerConnects are pretty good too.

I looked at the Procurves as well as the Powerconnects - both will meet our needs. I just got to make up my mind which we will go with.

Also, don't you agree that if I do all of the VLAN and QOS setup via our switches, then all I would really need on a router is just a standard DHCP server?

Again, if you are watching budget, you can take any consumer wireless router and convert it to an Access Point. 11b/g products are fine. I would not hassle with draft 11n at this point.

Wireless AP - I am willing to convert a wireless router or use any type of AP that you all recommend.

I am not going to hassle with 802.11 N - I don't think it is worth the money and most computers out there do not have 802.11 N capability in it so really all I would be adding is range.

Thanks again for all the help.
 
Small network.....I'm not sure if worrying about VLAN'ing is necessary. Regardless, plenty of inexpensive easy to web manage switches out there on the market today which allow you to do those port based VLANs.

Reliability of the *nix distro routers can vary. On decent hardware...they can run for years without a reboot. However, the fact that people download the distros and install them on some wonky frankenstein collections of various computer parts..is IMO part of the reason some people don't have success.

An off the shelf router will be fine with power outages (although I always want all network equipment on APC units). So a power drop, once the power is on, the router will boot up in a minute and your internet will be OK.

A linux distro would require the PC that it's installed on..to be turned on..and wait a few minutes to boot up.

What I did at home, I have PFSense on an old laptop. Sips power compared to a PC, low profile, low noise, and...a built in battery backup!

I'll toss in an opinion though. Much of the success of VoIP can depend on the primary router being used. I've fiddled with tons of different routers on my home connection, many that don't have special QoS features will render your Vonage phone call akin to trying to talk to someone underwater as soon as someone is doing something on the internet with their PC while you're on the phone. Even some off the shelf home grade routers that boast QoS features...effectiveness..not always so much. For the success of your VoIP....strive for something decent in this area.
 
I agree with what you say about pfsense - I am sure it is a very reliable system.

I'll toss in an opinion though. Much of the success of VoIP can depend on the primary router being used. I've fiddled with tons of different routers on my home connection, many that don't have special QoS features will render your Vonage phone call akin to trying to talk to someone underwater as soon as someone is doing something on the internet with their PC while you're on the phone. Even some off the shelf home grade routers that boast QoS features...effectiveness..not always so much. For the success of your VoIP....strive for something decent in this area.

In reference to your quote above I agree that in order to use VOIP I need to have a system where QOS comes into play.

What my main question here is if all of my equipment is plugged into the switches in the network rather than the router where would the QOS come into play? The router or the switches? Do I need it at both places?
 
Here is kind of a run down of what I have in mind of our network, I have attached a document showing kind of how I have the network setup in my mind.

Here is a simple document that I made giving a simple drawing of the network.

Here is the equipment and its location that I had in mind using before I came here to ask for advice:

Router:
Control Room - Linksys/Cisco RV042 (This is where I am really stumped at - what router to use?)

Switches:
Control Room - Dell PowerConnect 2708
Office Area - Dell PowerConnect 2716
Family Ministry Center - Dell PowerConnect 2708

Wireless AP: All 3 places would be the same.
Netgear WG102 or
Linksys WAP200
Now we will install as many AP as it takes to cover the whole campus - if it takes more as Tim said then we will add those.

Phone System/PBX:
PBX is a TalkSwitch 480VS

I am open to suggestions on any of this equipment.
 
In reference to your quote above I agree that in order to use VOIP I need to have a system where QOS comes into play.
I think YeOldeStonecat's comments are more applicable to VoIP going to and from the Internet. Unless your LAN is very busy and you have a lot of call traffic, I doubt if you would see any degradation in local PBX VoIP. So no real need for VLANs either as YeOldeStonecat pointed out.

Thanks for the equipment list. Yes, any router will have a DHCP server, which you can use to assign LAN IPs. Any router will do from a throughput point of view. The tougher requirement is web filtering.

What features does your ISP filtering provide and what specifically do you need to add? Decent filtering will be subscription based and most offerings bundled with Consumer Routers are kinda holy (no pun intended).
For example many of D-Link's routers now can have their SecureSpot 2.0 service added. But we found that it wasn't that great at web blocking.

Linksys has partnered with TrendMicro for its business class routers. But we haven't reviewed that service.

Another approach would be to take the filtering outside the router and use something like a Yoggie instead.
 
Just a note on your diagram....
(a side note..I'm not very experienced with VoIP stuff, experience limited to traditional home grade ISP<Comcast> and Vonage supplied VoIP packages...so don't take my VoIP notes as gospel)

If the VoIP supplied device is in front of your broadband router, such as your diagram sort of suggests, the QoS features of your router would not come into play, as VoIP traffic is not being passed through your router. Internet traffic however, would be passing through your VoIP box...can end up with a double NAT situation.

It is when you have your VoIP box behind your router...that having a router with QoS features would be desired.

Now, with the Vonage VoIP that I'm running at home now, they supply a little unit which can be your NAT router for the network..and be up front, or...have it sit behind your own router.

Not knowing the equipment you will be having, my first question would be....if your VoIP box is up front...linked to your switches...is it running DHCP and NAT for your network? Or...does the ethernet traffic transparently run through it to tie in with your own router to do the NAT and DHCP.

I do like the RV0 series...for their stability, IMO it is a good stable router that can handle the higher loads of a typical small business network...without the need for periodic reboots such as commonly needed with home grade routers put in a heavier business network scenario. While, from the firmware versions I've dealt with so far, it doesn't have a "pre-configured QoS setting" for instant VoIP support, the RV0 series does have support for bandwidth management, where you can create custom services and allocate higher priority for those services.

So to get back on track as I sip some more coffee...I guess, after seeing your above diagram...the first thing I would want to know, is what equipment is your VoIP provider giving you, and where do they recommend placing it on your network.

I believe in the methodology of building your network around your needs, versus taking a canned traditional network and trying to get your needed services running on it.
 
What features does your ISP filtering provide and what specifically do you need to add?

My ISP filters against porn. It is something that is just standard with their service. What I am wanting to filter against is things like Facebook / Myspace / Personal Ad Websites (yahoo personals, eharmony), stuff like this. Stuff that isn't necessary to get on to at church. This may be something that we wait on? I don't know - But I am guessing the best option would be to have some kind of appliance on the network that we could set up to block this for any computer that accesses the network. Instead of having to buy licenses for each machine that accesses the internet.

If the VoIP supplied device is in front of your broadband router, such as your diagram sort of suggests, the QoS features of your router would not come into play, as VoIP traffic is not being passed through your router. Internet traffic however, would be passing through your VoIP box...can end up with a double NAT situation.

It is when you have your VoIP box behind your router...that having a router with QoS features would be desired.

Not knowing the equipment you will be having, my first question would be....if your VoIP box is up front...linked to your switches...is it running DHCP and NAT for your network? Or...does the ethernet traffic transparently run through it to tie in with your own router to do the NAT and DHCP.

So to get back on track as I sip some more coffee...I guess, after seeing your above diagram...the first thing I would want to know, is what equipment is your VoIP provider giving you, and where do they recommend placing it on your network.

I believe in the methodology of building your network around your needs, versus taking a canned traditional network and trying to get your needed services running on it.

Ok, I am not sure I am understanding you right? Maybe my drawing isn't clear?
But I do believe that the VOIP box on our network will be behind the router/firewall. Our phone system will be running off POTS (Analog Lines) coming into it. But our network will start at the DSL modem running into the router, from the router into our Dell PowerConnect Switch; the Phone system will plug into that switch. From this point forward the phones will be all VOIP based. That is why I think that I do not need QOS or VLAN capabilities on the router - only on the switches, all of the phones will be from this main switch or further down the network. Because technically the only thing the router will be doing in this network is acting as a DHCP server for the network.

Now from what I read and understand about the TalkSwitch phone system, is that the TalkSwitch will pick up an IP Address from the router. The phones are assigned IP addresses from the TalkSwitch - the TalkSwitch will only assign IP addresses to the devices that their MAC addresses are in the TalkSwitch console. That is the way that I read it in the documentation and what their sales department tells me.

I also believe in building a network based upon what we need. That is why I am asking so many questions, because I want to understand exactly what all of this stuff means. I want to have the best bang for our buck and also not having too much at the same time.
 
My ISP filters against porn. It is something that is just standard with their service. What I am wanting to filter against is things like Facebook / Myspace / Personal Ad Websites (yahoo personals, eharmony), stuff like this. Stuff that isn't necessary to get on to at church. This may be something that we wait on? I don't know - But I am guessing the best option would be to have some kind of appliance on the network that we could set up to block this for any computer that accesses the network. Instead of having to buy licenses for each machine that accesses the internet.
Got it. Most routers can do simple website filtering, which sounds like it might be what you need. That plus some good traffic logging could be a simple to manage solution and not have any license fees associated with it.

The bad news is that the logging on most consumer routers is next to useless and the site blocking is limited to maybe a dozen URLs or keywords. For something more flexible, you need to go with one of the "value add" / subscription services that I indicated earlier, or start exploring open source solutions like pfSense, IpCop/CopFilter and DansGuardian.

But our network will start at the DSL modem running into the router, from the router into our Dell PowerConnect Switch; the Phone system will plug into that switch. From this point forward the phones will be all VOIP based. That is why I think that I do not need QOS or VLAN capabilities on the router - only on the switches
You are correct. You will have no VoIP traffic to/from the Internet, so QoS in the router isn't needed. And again, given your volume of local traffic, you may not even need it or VLANs in the switches.

But if you have the budget, simple "smart" switches are good to have for the port management features at a minimum.

Now from what I read and understand about the TalkSwitch phone system, is that the TalkSwitch will pick up an IP Address from the router. The phones are assigned IP addresses from the TalkSwitch - the TalkSwitch will only assign IP addresses to the devices that their MAC addresses are in the TalkSwitch console.
Since there is only one Ethernet port on the device, I'm not sure how that one part acts as a DHCP client to pick up an IP from a LAN router, then acts as a DHCP server to hand out IPs. But this will put two DHCP servers on your LAN. So be sure you understand how it is supposed to work with an existing DHCP server and not conflict with it.
 
It sounds like VLAN'ing and QoS isn't necessary, or relevant for that matter. With only a handful of clients, both VOIP and PC, you generally don't need QoS and VLANs.

And like Tim says, be careful about how many DHCP servers you have running on the network. I've done a fair amount of VOIP phone systems, and although some of them say they 'require' the PBX to be the DHCP server, it's not usually necessary in reality. It depends from system to system, but on most I've worked with it's only necessary for certain auto-provisioning tasks. On a network with hundreds of phones, this is very important, but for only a handful, it shouldn't matter. All depends on the phone system though.
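
As an added example (not part of the thread or any poster's code): a Python check that parses DHCPOFFER messages and lists every server handing out addresses, which is how a second DHCP server on the LAN, such as a PBX next to the router, shows up. It assumes the UDP payloads have already been pulled from a packet capture; the addresses and the `build_offer` helper are constructed for illustration.

```python
import socket
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"   # magic cookie that precedes the options field
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER = 2


def parse_options(payload):
    """Return {option_code: value} for one DHCP message (UDP payload bytes)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP message")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        code = payload[i]
        if code == OPT_PAD:            # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(payload):
            raise ValueError("truncated option header")
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option value")
        opts[code] = value
        i += 2 + length
    return opts


def offering_servers(payloads):
    """Map each server identifier (option 54) to the set of addresses it offered."""
    servers = {}
    for p in payloads:
        try:
            opts = parse_options(p)
        except ValueError:
            continue                   # ignore non-DHCP or damaged payloads
        server_id = opts.get(OPT_SERVER_ID, b"")
        if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]) or len(server_id) != 4:
            continue
        offered = socket.inet_ntoa(p[16:20])   # yiaddr field of the fixed header
        servers.setdefault(socket.inet_ntoa(server_id), set()).add(offered)
    return servers


def unexpected_servers(payloads, allowed):
    """Servers that sent offers but are not in the list of intended DHCP servers."""
    return sorted(set(offering_servers(payloads)) - set(allowed))


def build_offer(server_ip, offered_ip, xid):
    """Build a minimal DHCPOFFER; used only to construct the sample data."""
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        2, 1, 6, 0, xid, 0, 0,                       # op=reply, Ethernet, hlen 6
        bytes(4), socket.inet_aton(offered_ip),      # ciaddr, yiaddr
        socket.inet_aton(server_ip), bytes(4),       # siaddr, giaddr
        bytes.fromhex("020000000001"), b"", b"")     # chaddr, sname, file
    options = (DHCP_MAGIC + bytes([OPT_MSG_TYPE, 1, DHCPOFFER])
               + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_ip)
               + bytes([OPT_END]))
    return header + options


# Constructed sample: the router and a PBX both answer the same DISCOVER.
SAMPLE_OFFERS = [
    build_offer("192.168.1.1", "192.168.1.100", 0x1A2B3C4D),
    build_offer("192.168.1.50", "192.168.1.200", 0x1A2B3C4D),
]

if __name__ == "__main__":
    for server, addrs in sorted(offering_servers(SAMPLE_OFFERS).items()):
        print(server, "offered", sorted(addrs))
    print("unexpected:", unexpected_servers(SAMPLE_OFFERS, ["192.168.1.1"]))
```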
 
My ISP filters against porn. It is something that is just standard with their service. What I am wanting to filter against is things like Facebook / Myspace / Personal Ad Websites (yahoo personals, eharmony), stuff like this. Stuff that isn't necessary to get on to at church. This may be something that we wait on? I don't know - But I am guessing the best option would be to have some kind of appliance on the network that we could set up to block this for any computer that accesses the network. Instead of having to buy licenses for each machine that accesses the internet.

One consideration is OpenDNS. They have a free service. Right off the bat, your network gains "some" protection just by using OpenDNS's DNS servers, as they block known malware sites. You can also get some additional free content filtering through them. You sign up for an account, which is free, and you plug their DNS servers into your router (instead of your ISP's), or your server's DNS forwarders if you're running active directory (which you're not).

I use their DNS servers for all my small biz clients, simply for the added layer of protection against some of the malware sites.
 