|FN|Steel
Minister of Gerbil Affairs
Topic Author
Posts: 2172
Joined: Wed Dec 26, 2001 7:00 pm
Location: Kansas

General Network Stuffs

Tue Apr 12, 2016 11:25 am

OK guys, what I don't know is what I don't know, ya know? I've been posting in here a lot recently because I'm doing things I've never done before. While I want to take time to learn the proper way to approach much of this stuff, I'm currently looking for some quick and useful things to keep me going and not make me look totally incompetent. I'm about to have the time I need to take things step by step, thus this post asking you lovely people for all the help.

Here's a rundown of my network:

Comcast Business Class Coax 150/25 (currently running)
CenturyLink Fiber 200/200 (final installation being done as I type this)
6 Switches (2 Ubiquiti 48/500w PoE, 2 Cisco Catalyst 3560 PoE 48, 1 D-Link something 48, 1 ZyXEL something 48).
Ubiquiti Router (not connected yet)
6 Ubiquiti WAPs.
8 Axis Cameras
22 VOIP phones (not hosted by us, but using our bandwidth).
A few printers and about 170 computers in the building. We're a call center and using a soft phone system called Five9.

As it stands I haven't set up jack or **** in regards to actual settings, with the exception of blocking a few websites and setting a few static IPs.

Here are the questions I kinda know to ask. Any pieces you care to fill in, any questions you answer, I will appreciate the hell out of it.

1. How segmented do I make my network with VLANs? The physical side of it all is messy as ****. Do I separate out the WAPs, Cameras, VOIP devices, each into their own VLAN? Do I need to configure each switch separately?

2. Did I pick up correctly on the idea that I should have multiple physical connections between my switches so they can route traffic more efficiently?

3. Is there any value, that I can sell to my company, in getting the same brand switches across the board? You can see I'm going with Ubiquiti, primarily because I realized early on that they would give me the easiest tools to work with at a novice level.

4. What types of things do I allow my router to handle instead of my switches?

5. Is there a way for me to give priority to our soft phone traffic, and is it useful to do so?

6. What tools exist that are useful for me monitoring the health of the network and what should I be looking for?

Anything else you guys can toss at me. Feeling a tad overwhelmed, but not terribly so. I'm just worried that I'm missing something obvious that I should be doing. The network isn't exactly humming, but it seems to be only mildly hiccuping.
Sucking down the easy flowing milk from society's warm breasts.
 
notfred
Maximum Gerbil
Posts: 4610
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: General Network Stuffs

Tue Apr 12, 2016 11:59 am

Just some of my thoughts on this:

I'd say you definitely want a common switch manufacturer and model with a common config across your whole network + one on hand for spare.

Definitely put the VoIP stuff on its own VLAN and use the VLAN priority to make sure it gets through no matter how busy a segment of your network gets. If VoIP doesn't get the cleanest way through then you will get bad quality and complaints from the users. Probably want cameras on a separate one to keep people from poking at them, and also maybe the APs. Use your router to do the appropriate routing between the VLANs.

For connections between switches, if you just run multiple links in parallel then STP will shut down some of them, if you are running out of bandwidth then LACP will give you some physical redundancy and more bandwidth. It's going to depend on total network throughput on if you want to mesh the network, but that can end up using a lot of ports.

In terms of tools, you are going to want something that can dump the RMON stats out of SNMP to produce nice graphs and help you spot where you are running out of bandwidth, plus handle alerts for failures. Also think about the scenario where someone fires up a rogue DHCP server - you want an easy way to map MAC address to switch port and then to which jack on the wall so you can go and re-educate the luser with a clue-by-four. :wink:
 
|FN|Steel
Minister of Gerbil Affairs
Topic Author
Posts: 2172
Joined: Wed Dec 26, 2001 7:00 pm
Location: Kansas

Re: General Network Stuffs

Tue Apr 12, 2016 12:19 pm

notfred wrote:
Just some of my thoughts on this:
I'd say you definitely want a common switch manufacturer and model with a common config across your whole network + one on hand for spare.


This was my thought as well. What do you think the best way to sell the expense is? Frankly, it's a drop in the bucket compared to what they've been spending, but I still need to justify it as much as possible.

notfred wrote:
Definitely put the VoIP stuff on its own VLAN and use the VLAN priority to make sure it gets through no matter how busy a segment of your network gets. If VoIP doesn't get the cleanest way through then you will get bad quality and complaints from the users. Probably want cameras on a separate to avoid people from poking at them, and also maybe the APs. Use your router to do the appropriate routing between the VLANs.


The physical VOIP phones we have in offices and such are actually at a slightly lower priority than the traffic coming from the PCs for the soft phones therein. I'm not quite sure how to tackle just the segment of traffic for that program on the PCs though.

The WAPs will definitely be on their own, but primarily because we're going to switch them over to the Comcast connection and allow the majority of users to utilize wifi. We currently restrict it.

The cameras... I need to look into multicast or some such I think? Not sure how that needs to be setup. It's yet another piece.

notfred wrote:
For connections between switches, if you just run multiple links in parallel then STP will shut down some of them, if you are running out of bandwidth then LACP will give you some physical redundancy and more bandwidth. It's going to depend on total network throughput on if you want to mesh the network, but that can end up using a lot of ports.


OK so, I have two switches on our 2nd floor that only connect to devices on the second floor. The remaining 4 switches are in our basement and run the main floor and the basement. My router has 8 physical connections. If I use two slots to connect both internet providers, one for each switch in the building, and then just make sure each switch is connected to each switch on the same floor, will that be OK? Because much of what you said is over my head. I recognize some of the words!

notfred wrote:
In terms of tools, you are going to want something that can dump the RMON stats out of SNMP to produce nice graphs and help you spot where you are running out of bandwidth, plus handle alerts for failures. Also think about the scenario where someone fires up a rogue DHCP server - you want an easy way to map MAC address to switch port and then to which jack on the wall so you can go and re-educate the luser with a clue-by-four. :wink:


Yes, I need physical mapping soooo badly. Especially with the **** job the electrician did routing everything. So, suggestion on a program?
Sucking down the easy flowing milk from society's warm breasts.
 
notfred
Maximum Gerbil
Posts: 4610
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: General Network Stuffs

Wed Apr 13, 2016 8:07 am

|FN|Steel wrote:
notfred wrote:
Just some of my thoughts on this:
I'd say you definitely want a common switch manufacturer and model with a common config across your whole network + one on hand for spare.


This was my thought as well. What do you think the best way to sell the expense is? Frankly, it's a drop in the bucket compared to what they've been spending, but I still need to justify it as much as possible.

It's capital cost vs operational cost. Talk about the scenario of 1 switch going down. If they are all the same manufacturer with the same config then you have one ready to go and the downtime is literally how long it takes you to physically remove the old one and then replace it with the new one. If they are all different then you will need to source a new one from your supplier and then reconfigure it for that specific switch before you can now drop it in. Plus there is the ongoing cost of having to track all the different manufacturers and update to the latest versions to address vulnerabilities, as opposed to just 1 support contract and when a vulnerability comes out you flash all the switches to the new version.


|FN|Steel wrote:
The cameras... I need to look into multicast or some such I think? Not sure how that needs to be setup. It's yet another piece.

Hmm, multicast is a whole other ball of wax. Your cameras may just be unicast if you are lucky, but if they are multicast you are going to want to do something like IGMP snooping to stop the multicast traffic flooding through the network and only having it go to places where someone is interested in it.

|FN|Steel wrote:
OK so, I have two switches on our 2nd floor that only connect to devices on the second floor. The remaining 4 switches are in our basement and run the main floor and the basement. My router has 8 physical connections. If I use two slots to connect both internet providers, one for each switch in the building, and then just make sure each switch is connected to each switch on the same floor, will that be OK? Because much of what you said is over my head. I recognize some of the words!

Is it really just everything connecting out to the Internet and no internal servers that people will be hitting? If yes then your plan sounds OK as that gives every switch port a redundant path to the router, but you will have to carefully set things up so that STP will block the links between the switches. Also this means people on a floor will talk via the router to things on the other switch on that floor.

|FN|Steel wrote:
notfred wrote:
In terms of tools, you are going to want something that can dump the RMON stats out of SNMP to produce nice graphs and help you spot where you are running out of bandwidth, plus handle alerts for failures. Also think about the scenario where someone fires up a rogue DHCP server - you want an easy way to map MAC address to switch port and then to which jack on the wall so you can go and re-educate the luser with a clue-by-four. :wink:


Yes, I need physical mapping soooo badly. Especially with the **** job the electrician did routing everything. So, suggestion on a program?

Upfront disclaimer that I should have done initially, I write networking stuff rather than admin it. Back in the day HP OpenView was the one I saw and we would develop plugins for our hardware. If you are standardising on one switch manufacturer they may have their own suggestions. I see people post MRTG graphs as well.
 
|FN|Steel
Minister of Gerbil Affairs
Topic Author
Posts: 2172
Joined: Wed Dec 26, 2001 7:00 pm
Location: Kansas

Re: General Network Stuffs

Tue Apr 19, 2016 12:27 pm

I'm just gonna keep posting on this thread unless I have something really specific to speak to I think.

Trying to understand VLANs and such. Due to how my switches are set up, I can clear a few on each easily for trunking (if I'm using terms incorrectly please lemme know). I'm trying to make sure I'm understanding the following correctly:

VLANs are primarily used to isolate traffic so that it's not repeated every friggin' place and takes the shortest route to its destination.

Only VLANs in the same subnet can speak to each other... so 10.1.20.1 and 10.1.30.1 can talk, but not 169.1.1.1? How can I change this if I NEED two addresses like that speaking to each other?

As mentioned before, I have security cameras, VOIP, WAPs, and the rest of the users. I also have two internet connections. I want the WAPs all going to the second internet connection. Should I setup a separate trunk just for this and then one for the remainder? If I'm using two trunk ports... should I also then have a separate connection from each switch to another for untagged traffic?
Sucking down the easy flowing milk from society's warm breasts.
 
highlandr
Gerbil Elite
Posts: 575
Joined: Thu Dec 27, 2001 7:00 pm
Location: Somewhere in downstate IL

Re: General Network Stuffs

Tue Apr 19, 2016 1:04 pm

|FN|Steel wrote:
I'm just gonna keep posting on this thread unless I have something really specific to speak to I think.

Trying to understand VLANs and such. Due to how my switches are set up, I can clear a few on each easily for trunking (if I'm using terms incorrectly please lemme know). I'm trying to make sure I'm understanding the following correctly:

VLANs are primarily used to isolate traffic so that it's not repeated every friggin' place and takes the shortest route to its destination.

Only VLANs in the same subnet can speak to each other... so 10.1.20.1 and 10.1.30.1 can talk, but not 169.1.1.1? How can I change this if I NEED two addresses like that speaking to each other?

As mentioned before, I have security cameras, VOIP, WAPs, and the rest of the users. I also have two internet connections. I want the WAPs all going to the second internet connection. Should I setup a separate trunk just for this and then one for the remainder? If I'm using two trunk ports... should I also then have a separate connection from each switch to another for untagged traffic?


I'm not a network guru by any means, but most WAPs let you tag VLAN traffic. I know for a fact Ubiquiti does this. Switches also let you TAG ports to send that traffic onward. You can tag multiple VLANs per port if necessary, but you can only UNTAG 1 VLAN per port. Anything coming into an untagged port belongs to that specific VLAN.

A more practical explanation - We have a guest SSID set up on our Wifi. It gets tagged with the VLAN ID 999. The switches between the APs and the firewall have tagged ports so that the 999 can get to the firewall. The firewall has a virtual interface with ID 999 that has a 192.168 address, and hands out IPs for the guest network. No one on our internal network can see traffic between the firewall and guest devices, unless I mistakenly tagged their network port. All non-AP ports are untagged with VLAN ID 1 because I don't know enough to do more with it.

If you want to send all AP traffic through 1 ISP, untag that router's connection in your switches as a separate VLAN, then tag all ports between it and the APs.
[ - THIS SPACE FOR RENT - ]
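A small model of the tagged/untagged port behaviour highlandr describes, written for this thread as an added example and not taken from any switch vendor's code. Frames either carry an 802.1Q tag (TPID 0x8100, 12-bit VLAN ID, 3 priority bits) or none; an untagged frame is placed in the port's single untagged VLAN (its PVID), a tagged frame is accepted only if the port is a tagged member of that VLAN, and on the way out the frame is stripped or re-tagged depending on the destination port's membership. The port names, MAC addresses and the VLAN 999 guest setup are constructed for the example (999 mirrors highlandr's scenario).

```python
"""Toy model of 802.1Q VLAN handling at switch ports (added example, not vendor code)."""
import struct
from dataclasses import dataclass
from typing import Optional

TPID_8021Q = 0x8100      # EtherType value that announces a VLAN tag follows
ETHERTYPE_IPV4 = 0x0800


def build_frame(dst: bytes, src: bytes, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame; with vlan set, insert an 802.1Q tag (PCP = priority bits)."""
    frame = dst + src
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        frame += struct.pack("!HH", TPID_8021Q, tci)
    return frame + struct.pack("!H", ETHERTYPE_IPV4) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, optional VLAN tag and payload."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype == TPID_8021Q:
        (tci,) = struct.unpack("!H", frame[14:16])
        return {"dst": dst, "src": src, "vlan": tci & 0x0FFF,
                "pcp": tci >> 13, "payload": frame[18:]}
    return {"dst": dst, "src": src, "vlan": None, "pcp": 0, "payload": frame[14:]}


@dataclass(frozen=True)
class Port:
    name: str
    pvid: int                          # the one VLAN this port carries untagged
    tagged: frozenset = frozenset()    # VLANs this port carries with a tag


def ingress(port: Port, frame: bytes) -> Optional[int]:
    """VLAN an arriving frame is classified into, or None if the switch drops it."""
    vlan = parse_frame(frame)["vlan"]
    if vlan is None:
        return port.pvid        # untagged frame: belongs to the port's untagged VLAN
    if vlan in port.tagged:
        return vlan             # tag accepted: port is a tagged member of that VLAN
    return None                 # tag for a VLAN this port is not a member of: dropped


def egress(port: Port, vlan: int, frame: bytes) -> Optional[bytes]:
    """Frame as it leaves `port` in `vlan`: tag stripped, re-tagged, or None if not a member."""
    p = parse_frame(frame)
    if vlan == port.pvid:
        return build_frame(p["dst"], p["src"], p["payload"])            # leaves untagged
    if vlan in port.tagged:
        return build_frame(p["dst"], p["src"], p["payload"], vlan=vlan, pcp=p["pcp"])
    return None


def forward(ports: list, in_port: Port, frame: bytes) -> dict:
    """Flood a frame from in_port to every other port; non-members of its VLAN get None."""
    vlan = ingress(in_port, frame)
    if vlan is None:
        return {}
    return {p.name: egress(p, vlan, frame) for p in ports if p != in_port}


# Constructed topology after highlandr's guest Wi-Fi setup: the AP uplink and the
# firewall trunk carry VLAN 999 tagged; a desk port is untagged in VLAN 1 only.
AP_UPLINK = Port("ap-uplink", pvid=1, tagged=frozenset({999}))
FW_TRUNK = Port("fw-trunk", pvid=1, tagged=frozenset({999}))
DESK = Port("desk-port", pvid=1)
PORTS = [AP_UPLINK, FW_TRUNK, DESK]

BROADCAST = b"\xff" * 6
GUEST_MAC = bytes.fromhex("02aa000000e1")   # constructed, locally administered address

if __name__ == "__main__":
    guest = build_frame(BROADCAST, GUEST_MAC, b"dhcp discover", vlan=999)
    for name, out in forward(PORTS, AP_UPLINK, guest).items():
        print(name, "not a member" if out is None else f"VLAN {parse_frame(out)['vlan']}")
```

The guest broadcast arriving tagged 999 on the AP uplink reaches the firewall trunk still tagged and never appears on the desk port, which is what keeps the guest network invisible to internal users; the same frame presented on the desk port is dropped at ingress because that port is not a member of VLAN 999, which is the "locks them to that VLAN" property notfred mentions.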
 
Aphasia
Grand Gerbil Poohbah
Posts: 3710
Joined: Tue Jan 01, 2002 7:00 pm
Location: Solna/Sweden

Re: General Network Stuffs

Tue Apr 19, 2016 6:26 pm

Unlike notfred, I don't write networking stuff, except for tons and tons of documentation for implementations and design, but since about 12 years ago, I've been doing operations, troubleshooting, design, implementations and integration within security and networking. Basically, most of the things that pertain to networking and security, such as switches, routers, firewalls, IPS, load balancers, as well as supporting services with regards to monitoring, identity management, logging, SIEM, certificate infrastructure, IP addressing, DNS, audits, etc. Not everything into the total nitty gritty (pure debugging of processes and kernel tables is reserved for a few specific areas where firewalls, a bit of wireless and some RADIUS implementations stand out).

|FN|Steel wrote:
I'm just gonna keep posting on this thread unless I have something really specific to speak to I think.
Trying to understand VLANs and such. Due to how my switches are set up, I can clear a few on each easily for trunking (if I'm using terms incorrectly please lemme know). I'm trying to make sure I'm understanding the following correctly:

VLANs are primarily used to isolate traffic so that it's not repeated every friggin' place and takes the shortest route to its destination.

Only VLANs in the same subnet can speak to each other... so 10.1.20.1 and 10.1.30.1 can talk, but not 169.1.1.1? How can I change this if I NEED two addresses like that speaking to each other?

Steel - Not really.
10.1.20.1 and 10.1.30.1 can, depending on how you have subnetted, either be on separate subnets or be on the same subnet.
10.1.20.1 with a /20 (255.255.240.0) mask will be on the same subnet as 10.1.30.1, and then they can talk to each other. If the hosts are set up with a smaller mask... /21 or smaller, they can't talk to each other. And that is on the same VLAN. If they are on separate VLANs, you need something connecting those VLANs together.

VLANs are used for isolation. This has nothing to do with taking the shortest path to a destination though. There are other technologies that can facilitate that, but that is beyond this discussion I would say.

A VLAN is basically a virtual switch. If you have two physical switches not connected to each other, two VLANs are the virtual version of the same, but sharing the same physical chassis. VLANs are normally totally isolated from each other and nothing on them can talk to each other unless you have connected something between them, either a cable, or most often a router.
A trunk, sometimes mentioned as a tagged trunk, is just a connection between several switches that has several VLANs traversing it. It is used between switches, or between router & switches, or for instance, a phone with a computer connected to it and a switch, and is a way to have several VLANs go between two devices over a single cable.

VLANs by themselves have nothing to do with subnets though. You can set up devices with different subnets on the same VLAN, but the usual way is to have one subnet on one VLAN, then have a router that routes between subnets, and thus is connected to two separate VLANs. The router has an address on each subnet that is normally used as a gateway. If a computer needs to talk to something outside of its own subnet, it sends that traffic to the gateway. If it wants to talk to something on the same subnet, it talks directly with the other host.

Now to learn how to talk with that equipment, they use a protocol called ARP, that translates an IP address to a MAC address. Which is how computers and switches know which devices are connected to a VLAN. VLANs and switches (layer 2) deal with MAC addresses. And only endpoints and routers deal with IP addresses (layer 3).


Not to confuse things, especially the consumer market bundles a lot of different things within a single box. So a home "router" is usually both part router, part switch, part wireless bridge, part firewall. And there are router-switches that act both as routers and as switches. Most modern switches can do that if enabled.

If you want to get some solid basics down, get the Cisco CCNA self study literature and plow through that, especially ICND-1, which is something any administrator within IT should read, server or otherwise.
If you need something faster, there is quite a lot you need to read up on.

But what you really need to get down fully are the pure basics, then build from that.
A few tips that you really need to get down to even start with are some of the following.

OSI model. More importantly, Layers 1-3 to start with.
* Layer-1, physical, Ethernet, copper, fiber, etc.
* Layer-2, Data-Link, Frames, MAC addresses, vlans,
* Layer-3, Network, IP, Subnetting, Packets, Arp, Routing, etc.

The specific meanings of the following, as deep as you can go.
IP
Subnetting
ARP
MAC
Vlans / switches
Basic Routing / Routers

Feel free to read a bit on the above, and put in a question or two if you are wondering about something specific. Not all resources are that easy to assimilate so....
But there are a lot of resources out there, and it's often easier with a few good illustrations to follow that as well.
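The /20 versus /21 case Aphasia works through, as an added example using Python's standard ipaddress module (not code from this thread or from any vendor). same_subnet answers whether two hosts share a subnet under a given mask, subnet_of shows which network each address actually lands in, and next_hop applies the rule from the post: a destination inside the host's own subnet is reached directly, anything else is handed to the gateway. The gateway address 10.1.16.1 is an assumption made for the example; the rest of the addresses are the ones from the thread.

```python
"""Subnet membership and gateway selection (added example, standard library only)."""
import ipaddress


def subnet_of(host: str, prefixlen: int) -> str:
    """Network a host address falls in under the given prefix length, e.g. 10.1.16.0/20."""
    return str(ipaddress.ip_network(f"{host}/{prefixlen}", strict=False))


def netmask_for(prefixlen: int) -> str:
    """Dotted-decimal mask for a prefix length: 20 -> 255.255.240.0."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").netmask)


def same_subnet(host_a: str, host_b: str, prefixlen: int) -> bool:
    """True when both hosts share one subnet and so talk directly (given the same VLAN)."""
    network = ipaddress.ip_network(f"{host_a}/{prefixlen}", strict=False)
    return ipaddress.ip_address(host_b) in network


def next_hop(iface_ip: str, prefixlen: int, gateway: str, dst: str) -> str:
    """Where a host sends a packet: straight to dst if on-subnet, otherwise to its gateway."""
    if same_subnet(iface_ip, dst, prefixlen):
        return dst
    return gateway


if __name__ == "__main__":
    pairs = [("10.1.20.1", "10.1.30.1"), ("10.1.20.1", "169.1.1.1")]
    for prefixlen in (19, 20, 21, 24):
        print(f"/{prefixlen} ({netmask_for(prefixlen)})")
        for a, b in pairs:
            verdict = "same subnet" if same_subnet(a, b, prefixlen) else "different subnets"
            print(f"  {a} is in {subnet_of(a, prefixlen)}, "
                  f"{b} is in {subnet_of(b, prefixlen)}: {verdict}")
    # Gateway 10.1.16.1 is assumed for the example; with /21 the 10.1.30.1 host is
    # off-subnet, so the packet goes to the gateway rather than directly.
    print("next hop for 10.1.30.1 from 10.1.20.1/21:",
          next_hop("10.1.20.1", 21, "10.1.16.1", "10.1.30.1"))
```

Under /20 both 10.1.20.1 and 10.1.30.1 sit in 10.1.16.0/20 and reach each other directly; under /21 they fall into 10.1.16.0/21 and 10.1.24.0/21 and only a router with an address in each can connect them, which is the same requirement that applies when they sit on different VLANs.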
 
notfred
Maximum Gerbil
Posts: 4610
Joined: Tue Aug 10, 2004 10:10 am
Location: Ottawa, Canada

Re: General Network Stuffs

Tue Apr 19, 2016 9:43 pm

Aphasia has it right on the VLANs vs subnets. VLANs are layer 2, think of them as entirely separate logical networks laid on top of your physical network, with VLAN trunks being a conduit containing several different VLANs. Subnetting happens up at layer 3 with the IPs. You can end up with two VLANs running the same subnet (I wouldn't recommend it, you will confuse everyone including yourself!) and the traffic will not see each other as they are in separate VLANs.

Subnetting isn't good enough as you will always get someone with some smarts who can just start adding IP addresses on to their interface and jump from the subnet that they are on to one with more "interesting" possibilities. Putting their port in a VLAN on the switch locks them to that VLAN.
 
Flatland_Spider
Graphmaster Gerbil
Posts: 1324
Joined: Mon Sep 13, 2004 8:33 pm

Re: General Network Stuffs

Wed Apr 20, 2016 12:02 pm

|FN|Steel wrote:
This was my thought as well. What do you think the best way to sell the expense is? Frankly, it's a drop in the bucket compared to what they've been spending, but I still need to justify it as much as possible.


Standardizing on a single model switch is a force multiplier or a productivity enhancement. Each switch is going to have its own way to configure things, and varying levels of feature support. It's easier to support one type of switch since the commands and features will be uniform, and the security will be enhanced since there will be only one vendor to deal with.

|FN|Steel wrote:
OK so, I have two switches on our 2nd floor that only connect to devices on the second floor. The remaining 4 switches are in our basement and run the main floor and the basement. My router has 8 physical connections. If I use two slots to connect both internet providers, one for each switch in the building, and then just make sure each switch is connected to each switch on the same floor, will that be OK? Because much of what you said is over my head. I recognize some of the words!


From the router, you should have a couple of cables going to a core switch, and the rest of the switches should plug into the core switch. Unless you're going to physically separate some switches, the diagram should go ISP to firewall to router to core switch then node switches. Make sure the backbone links, the links between the switches, have enough throughput to keep from being a bottleneck. I'd suggest 10G for backbone links, but it's up to you.

|FN|Steel wrote:
Yes, I need physical mapping soooo badly. Especially with the **** job the electrician did routing everything. So, suggestion on a program?


I hate dealing with electricians when running cable. It's not just another wire, and they need to educate themselves about it. I'm a little type A about cables. I went off on a facilities guy once when I found a spaghetti ball of cables for a new install. They wasted a ton of money by leaving 25 foot pigtails, and it was a disaster. Each cable has its spot on the patch panel, and it wasted my time when I had to trace everything again.

Aphasia wrote:
If you want to get some solid basics down, get the Cisco CCNA self study literature and plow through that, especially ICND-1, which is something any administrator within IT should read, server or otherwise.


I second the CCNA. There is a lot of good information there, and it's broadly applicable.
 
cheesyking
Minister of Gerbil Affairs
Posts: 2756
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

Re: General Network Stuffs

Wed Apr 20, 2016 12:43 pm

Regarding the cameras.

I'd certainly have them isolated from everything else but the big question is how are they going to be used. A camera on its own doesn't do much, is there going to be some kind of network DVR? Assuming there is then I don't see that you'd need multicast since the cameras would only be talking to that rather than lots of separate devices.
Fernando!
Your mother ate my dog!
 
|FN|Steel
Minister of Gerbil Affairs
Topic Author
Posts: 2172
Joined: Wed Dec 26, 2001 7:00 pm
Location: Kansas

Re: General Network Stuffs

Wed Apr 20, 2016 12:51 pm

cheesyking wrote:
Regarding the cameras.

I'd certainly have them isolated from everything else but the big question is how are they going to be used. A camera on its own doesn't do much, is there going to be some kind of network DVR? Assuming there is then I don't see that you'd need multicast since the cameras would only be talking to that rather than lots of separate devices.


That's a good point. I'm using Zoneminder on a CentOS install... and there's an Android app that will supposedly let me access that. So, really, all the devices are going to my homemade DVR, and then anything I request through the app will probably pull through that machine. I think.
Sucking down the easy flowing milk from society's warm breasts.
 
cheesyking
Minister of Gerbil Affairs
Posts: 2756
Joined: Sun Jan 25, 2004 7:52 am
Location: That London (or so I'm told)

Re: General Network Stuffs

Wed Apr 20, 2016 2:36 pm

It will.

I've only played around with zoneminder and even that was a long time ago but I didn't have much luck with it. Maybe it's better now but if you do need something different there is a paid alternative I can recommend.
Fernando!

Your mother ate my dog!
