
Noob tasked with rethinking the office network - In need of advice on a suitable enterprise router

Patrick S

Hello.

Getting right to the point, I landed myself in a position where my bosses would like me to find the best solution for establishing a stable network in my office. We have fiber coming in, and the router currently running the network is a poor little home-grade Netgear router. It's working now, but, as is the case with many start-ups that have expanded the way ours has, the network is going to run into trouble eventually, especially as we are researching deploying VoIP sometime this year.

I should note here that I have made every effort to talk the bosses into using a professional for this project, and will continue to do so, but until I can get through to them I am pushing forward with my research.

At first, I asked around on Reddit and they suggested that I get an ASA5506x Firewall to deploy as our router. The people I was speaking with felt that deploying the firewall as a router should be a pretty straightforward task... but I forgot I was talking to mostly professionals, and I found one tutorial online and it is apparent that this is out of my depth.

My question to the forum is: are there any recommendations on suitable enterprise routers, or possibly a layer 3 network switch, that I could deploy at the office? We have ~25 nodes, plus smartphones, and would need to be able to scale up to handle any VoIP nodes that are installed (say, another 15-30). We have only the one location at the moment, so establishing an onsite server and VLAN is in the back of my mind, but not an immediate need.

I know this is far from best practice, but budget and optimistic bosses are making my options limited. If anyone has any practical advice, I would greatly appreciate it.

Thank you.

- Patrick
 
There are some brands you can look at for professional routers, such as Juniper. If you go for Cisco, your only real choice is their professional line, which is very expensive; all their cheaper lines are more like the consumer gear you find around. Depending on what you need, there are also other brands like pfSense, UTM-based distributions that run on x86, Ubiquiti and MikroTik.

The first thing you need to know is what you need. There are two categories in this case: configurable and non-configurable. A non-configurable router, firewall or switch only has options for you to choose from; you cannot make your own rules or add your own code and such. The firewall you mentioned, non-pro-grade Cisco, consumer routers and many switches all fall into this category. The configurable category would have Cisco's high or top-end products, Juniper, MikroTik, Ubiquiti EdgeRouters, some UTMs and Linux servers. Some solutions are semi-configurable, such as pfSense and some UTMs.

It's important to know what you need and what you will be doing. Configurable devices can do all sorts of things but require the technical skills to set them up; they are also more reliable and less likely to go wrong than non-configurable ones. If you are getting fibre optics, I suggest you get a router that has SFP in it. You will need to know the throughput you need by adding up upload and download. Since you will be using a firewall, QoS and such, hardware acceleration is out of the question, so when you look at speed you are looking for CPU performance and not the hardware-accelerated stats that many put out. Regarding a layer 3 switch, configurable ones are good, but there are some routers like the MikroTik CCR that are so fast they can do layer 3, routing, firewall and QoS at wire speed. I'll try to break down for you how your network might look.

Internet--------UTM+router/firewall---------layer3 switch---------network. Although Windows Server can be used, it is a very poor choice, not only because of security but also reliability, as Windows networking fails when you have a lot of traffic. A Linux server can handle router, firewall and UTM duties by installing the right software and configuring it, but it needs a lot more skill than an embedded configurable device from Juniper, MikroTik or Ubiquiti.

Whether to choose a layer 3 switch or a wire-speed router depends on how you will configure your network. If you will be adding filters or rules you may want a wire-speed router, whereas if you won't be having filters or rules then choose a layer 3 switch with the features you want. A filter or rule would be, for example, dropping packets going to some port, or logging rules: basically firewall stuff (I really hope you understand what I'm saying).

Regarding Wi-Fi, consumer routers work well in AP mode if your Wi-Fi needs are only layer 2 coverage, but if you need more features for Wi-Fi then you will need to look at different brands meant for it.

Budget-wise you can use an x86 Linux server, as the cost is only hardware, but it requires having a team capable of configuring and administering it. It really depends on what you expect from it. For example, MikroTik may have the same features as a top-end Cisco but it performs the specific functions poorly, so if you needed to run Cisco features or protocols on it, or the more advanced stuff, they will run slower than on Juniper. A lot of experts here on the forums have had experience with Cisco and would recommend it, but they aren't aware of the business practices Cisco has been doing of making their pro gear more expensive and filling their current mid- to lower-priced line with consumer-like options. The Cisco RV is a very clear example, because it is a consumer-grade router which people think isn't.
 
Thank you for the reply. This is all very informative.

I think that a non-configurable router would suit our needs at the moment. We're just looking to establish a stable network, with access to some limited QoS options (specifically for VoIP) and some basic web filtering.

I... have a basic understanding of what you're saying. I knew enough about networking to know that our current setup is insufficient. From there, I've been doing as much research as I can (currently starting on a For Dummies book, for whatever that's worth).

Our wireless network does not have to be complicated just yet. We are mostly in one building, but are soon expanding into three buildings on the same site. Still debating whether I want to do a wireless extender to those buildings or lay a hardwire drop (I'd prefer the latter, bosses prefer the former). But I picked up one of the Ubiquiti UniFi APs to play with, and I think something basic like that will serve the business well for now. Trying to move away from consumer-grade APs.

We'll eventually be getting an off site location, which means I'd like the option of establishing a VPN in the future... but not right now. By the time we reach that point, I'm hoping that a professional will have taken this mess over.

If I'm understanding you correctly, it sounds like I would want to look for a wire-speed, non-configurable router. Something with a few options that is somewhat straightforward to set up, without having to worry about too many headaches in the future.

Please correct me if I've missed a point.
 
What I mean by wire speed is your internal layer 3 network. If you are using a layer 3 switch this means you are either 1) doing layer 3 segmentation or 2) using a layer 3 protocol. Layer 3 switches do both at wire speed normally, but if, say, you want to firewall certain things within the LAN, that's where you'll need a wire-speed router.

The best routers for VPN are those with complicated CPUs and hardware encryption. Some x86 CPUs have hardware encryption. Some PPC-based routers have hardware encryption, and TILE-based routers have hardware encryption. Certain MIPS CPUs have hardware encryption, but their VPN throughput still doesn't compare to PPC, TILE or x86.

I forgot to mention power usage, if it may be a factor, but unless you have mission-critical applications, reducing the number of network devices would be preferable. Since you only have like 30 Wi-Fi clients, even one AP can handle all of them, so you only need the number of APs for coverage.

Since you're going for a non-configurable router, I suggest a UTM or pfSense. They are a little configurable, in that they allow adding rules, but they aren't as configurable as a normal Linux server. In terms of the x86 hardware, an i3 or a non-low-end AMD with an Intel NIC would do well as a baseline for having UTM features, since I believe that a UTM is necessary in a business (anti-malware, anti-spyware and anti-adware, etc.). While I know there are a lot of legit ads, many ads that bypass ad blockers are malware-based or scammers. The Intel NIC usually has the lowest CPU usage, so it lets you use the CPU for things like networked anti-malware and firewall. There is also a TILE-based PCIe NIC, but those things are essentially their own computers, though Facebook uses them. Avoid the lower end of Cisco (quality) and avoid the entirety of D-Link and Linksys for security reasons.
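
Added example (editor's, not something any poster above wrote) for the hardware-encryption and x86-box points: before believing a candidate router's advertised VPN throughput, check that its CPU actually exposes the accelerated instructions, since AES-GCM and HMAC-SHA speeds differ by an order of magnitude between the accelerated and the plain-C code paths. The script parses a /proc/cpuinfo "flags" line from standard input; the sample line is constructed. The optional OpenSSL comparison only runs if openssl is installed, and the OPENSSL_ia32cap mask is the one OpenSSL documents for clearing the AES-NI and PCLMULQDQ CPUID bits.

```shell
#!/bin/sh
# Added example: check a candidate x86 router box for CPU crypto acceleration
# before believing its VPN throughput figures. Not from the thread.

# Read /proc/cpuinfo (or any text with a "flags" line) on stdin and print the
# crypto-relevant flags present, space separated; prints "none" if absent.
#   aes       = AES-NI, the block cipher used by IPsec/OpenVPN/WireGuard AES modes
#   pclmulqdq = carry-less multiply, needed for fast AES-GCM authentication
#   sha_ni    = SHA extensions, speeds up HMAC-SHA in IPsec/OpenVPN
#   avx2      = wide vector unit, used by ChaCha20-Poly1305 implementations
cpu_crypto_flags() {
    flags=$(grep '^flags' | head -n 1 | cut -d: -f2)
    found=""
    for f in aes pclmulqdq sha_ni avx2; do
        case " $flags " in
            *" $f "*) found="$found $f" ;;
        esac
    done
    if [ -n "$found" ]; then
        echo "${found# }"
    else
        echo none
    fi
}

# Side-by-side AES-128-GCM throughput with the accelerated path and with it
# masked off (OPENSSL_ia32cap clears the AES-NI and PCLMULQDQ CPUID bits).
# A box whose VPN numbers came from the "software fallback" column will not
# scale the way the spec sheet suggests. Skipped when openssl is not installed.
openssl_aes_compare() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not installed"; return 0; }
    echo "== accelerated =="
    openssl speed -seconds 1 -evp aes-128-gcm 2>/dev/null | tail -n 1
    echo "== software fallback =="
    OPENSSL_ia32cap="~0x200000200000000" openssl speed -seconds 1 -evp aes-128-gcm 2>/dev/null | tail -n 1
}

# Constructed sample, standing in for a box you have not bought yet.
SAMPLE_CPUINFO='flags : fpu vme sse4_2 aes pclmulqdq avx2 sha_ni'
echo "sample box: $(printf '%s\n' "$SAMPLE_CPUINFO" | cpu_crypto_flags)"

# The machine this runs on, when /proc/cpuinfo exists.
if [ -r /proc/cpuinfo ]; then
    echo "this host:  $(cpu_crypto_flags < /proc/cpuinfo)"
fi
```

Run it on the candidate box (or pipe a copy of its /proc/cpuinfo into cpu_crypto_flags), then call openssl_aes_compare by hand to see the two throughput lines; a box that reports "none" is going to do VPN at whatever its plain CPU can manage, whatever the brochure says.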
 
Personally I would go with the following hardware if I was on a budget (and obviously you are, or else you would have hired a pro), and because they come with real support . . . unlike Ubiquiti or MikroTik.
Yes, you can get cheaper.
Yes, you can get faster.
The caveat is you are also essentially on your own until some kind unpaid soul decides to help out.
If the device has support, use it! It usually runs out after a while (it is different from the warranty).

Firewall/Router:
Peplink BPL-ONE-CORE (with 1 year of support from the distributor, should be ~$100)
Fortinet Fortigate-60D (with 1 year of support Part number FC-10-0060D-311-02-12)

Switch:
HP 1920-48G PoE+
OR
Cisco SG300-52P

HP is generally better than CiscoSMB when it comes to customer care (advance RMA shipments, less hassle) but Cisco does have more resources . . . if you pay.
If you are going PoE, might as well get a PoE switch now rather than later.
You can always re-purpose it.

WiFi:
Cisco WAP371
IF you can accept not having anything other than chat/forum support . . . Ubiquiti UAP-AC-Pro. You may have a hard time getting them in stock at the MSRP of $150

Basically any Wi-Fi for a business should have some sort of clustering/controller support, as well as be powered by standard 802.3af/at 48 V active PoE.
If it does not support that, it was never designed for use by a business.
 
I think Peplink is a bit overpriced unless you use their features such as VPN bonding.

Juniper is an option if they have support, and a lot of UTMs in general are a choice as well, as they would have better support. The fewer Wi-Fi APs you can do with, the better, as it helps with traffic, so if you need more Wi-Fi in a small area expand on 5 GHz and not 2.4 GHz.

It really depends on what technical skills your business has. Do you have your own technical department/staff? If no one is capable and hiring is not an option, then go with a UTM that has support. Make sure the device supports your internet speeds with the kind of configuration you would have.
 
. . . Really? Juniper? They already said an ASA is too difficult to work with and you want to go with a Juniper SRX?
To understand what it is you are dealing with I suggest you watch this video;
Basically exactly the same difficulty curve as an ASA but without the Cisco resources behind it. It is a better deal for your money though.

Whatever it is you get, just stay away from Sonicwall. It may seem simple enough but over time you will learn to hate it.

To understand why I suggested Peplink, take this GUI for a spin.
http://www.peplink.com/products/balance/live-demo/
Almost no different from a home router in terms of how things are organized and yet it just works.
I have a few in the field with literally over a year uptime. Mostly they are rebooted for firmware updates but that's about it.


Edit:
If you do eventually decide to go with the Cisco ASA . . . get Smart Net. Do not listen to what anyone else says . . . It is non-optional. Without it, Cisco support will pretty much ignore you for any and every issue other than the unit fails to boot.
 
If you go with a VoIP company, maybe you should go with what works with their VoIP system for a router. You want easy. They will probably know what works best with their equipment. You can get deep quick into networking with some equipment.
 
An optimal solution is to run a second gateway just for the voice VLAN. Change your primary connection to static IP (with at least 2 static IPs available for use). Get a second internet connection (with at least 2 static IPs available for use). The primary line is for data, the backup is for voice. If one fails the other is a failover connection. Restrict the data router's secondary WAN connection to leave at least the minimum required for the phones to work properly.

There are many other variations on this but this is one way that the VoIP provider can't say the problem is on your end and you get to do exactly what they recommend.

Some providers even supply a hybrid model. This is where the provider is supplying a voice gateway on site (usually an Adtran or Cisco), and this acts in the same role as an old PBX. Should both internet connections go down you can still call from station to station. It also only requires that you do QoS for a single device instead of for every phone.
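
An added example (editor's, not from anyone in the thread) tying together two things said above: the first reply's description of what a "filter or rule" is (dropping packets to a port, a logging rule) and the voice VLAN with a guaranteed minimum described just above. It sizes the per-call bandwidth from codec parameters, then emits an nftables ruleset and HTB shaping for a Linux or pfSense-style router that keeps the phones on their own VLAN, lets the data VLAN reach them only from one admin host, logs and drops everything else from data to voice, and guarantees the voice reserve on the uplink. Interface names (eth0.10 data, eth0.20 voice, eth0 uplink), the provider prefix 198.51.100.0/24, the admin host 192.168.10.5 and the 50 Mbit/s uplink are assumptions; the per-call numbers follow from the standard G.711/G.729 payload sizes and 20 ms packetisation. Nothing is applied unless you set APPLY=1 and run it as root; otherwise it just prints the ruleset for review.

```shell
#!/bin/sh
# Added example, not from the thread. Sizes a voice reserve and generates the
# router policy for a separate voice VLAN. All names/addresses are assumptions.

# Bandwidth of one RTP stream, one direction, in bit/s on the wire.
#   $1 = codec payload bytes per packet (G.711: 160, G.729: 20 at 20 ms)
#   $2 = packetisation interval in ms   (20 is the usual default)
#   $3 = layer-2 framing bytes          (18 = Ethernet+FCS, 22 with 802.1Q tag)
# RTP (12) + UDP (8) + IPv4 (20) = 40 header bytes are always added.
call_bps() {
    awk -v p="$1" -v t="$2" -v l2="$3" \
        'BEGIN { printf "%d\n", (p + 40 + l2) * 8 * (1000 / t) }'
}

# Reserve for $1 concurrent calls at $2 bit/s each, plus $3 percent for
# signalling and jitter (default 20). One direction; apply to both.
voice_reserve_bps() {
    echo $(( $1 * $2 * (100 + ${3:-20}) / 100 ))
}

# nftables forward policy. Phones may only reach the VoIP provider's SIP and
# RTP ports; the data VLAN may reach the phones only from the admin host for
# management; everything else from data to voice is logged and dropped, which
# is exactly the "drop packets to a port / logging rule" the first reply means.
# A second chain marks voice traffic EF (DSCP 46) so the shaper can pick it out.
# NAT and the router's own input chain (DHCP/DNS for the phones) are not here.
#   $1 voice interface, $2 data interface, $3 provider prefix, $4 admin host
emit_nft_ruleset() {
    cat <<EOF
table inet voice {
    chain forward {
        type filter hook forward priority filter; policy drop;
        ct state established,related accept
        iifname "$1" ip daddr $3 udp dport { 5060, 10000-20000 } accept
        iifname "$2" ip saddr $4 oifname "$1" tcp dport { 22, 443 } accept
        iifname "$2" oifname "$1" log prefix "data->voice denied " drop
        iifname "$2" oifname != "$1" accept
    }
    chain qos_mark {
        type filter hook forward priority mangle;
        iifname "$1" udp dport { 5060, 10000-20000 } ip dscp set ef
    }
}
EOF
}

# HTB shaping on the uplink: $1 interface, $2 uplink bit/s, $3 voice reserve.
# The voice class gets its reserve guaranteed at top priority; data gets the
# rest but may borrow up to the full link when the phones are idle.
apply_tc() {
    tc qdisc replace dev "$1" root handle 1: htb default 20
    tc class add dev "$1" parent 1:  classid 1:1  htb rate "${2}bit" ceil "${2}bit"
    tc class add dev "$1" parent 1:1 classid 1:10 htb rate "${3}bit" ceil "${2}bit" prio 0
    tc class add dev "$1" parent 1:1 classid 1:20 htb rate "$(( $2 - $3 ))bit" ceil "${2}bit" prio 1
    # EF = DSCP 46; the TOS byte is DSCP<<2 = 0xb8, mask 0xfc ignores the ECN bits.
    tc filter add dev "$1" parent 1: protocol ip prio 1 u32 match ip tos 0xb8 0xfc flowid 1:10
}

PER_CALL=$(call_bps 160 20 22)                 # G.711, 20 ms, tagged: 88800 bit/s
RESERVE=$(voice_reserve_bps 30 "$PER_CALL")    # 30 phones off-hook at once: 3196800 bit/s
UPLINK=50000000                                # assumed 50 Mbit/s fibre uplink
echo "per call: $PER_CALL bit/s; reserve for 30 calls: $RESERVE bit/s of $UPLINK"

if [ "${APPLY:-0}" = 1 ] && [ "$(id -u)" = 0 ]; then
    emit_nft_ruleset eth0.20 eth0.10 198.51.100.0/24 192.168.10.5 | nft -f -
    apply_tc eth0 "$UPLINK" "$RESERVE"
else
    emit_nft_ruleset eth0.20 eth0.10 198.51.100.0/24 192.168.10.5
fi
```

The reserve only helps on the direction you shape; your own uplink is the one you control, and the HTB rate should sit a few percent below the provisioned speed so the queue forms on the router and not in the provider's equipment. The downstream direction is where the second gateway described above, or the provider honouring your EF marks, has to do the work.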
 
