need SOHO design advice

[WannaFly]

My work is going to be moving into a new building they bought. Its empty, they are going to run cables where they need to be run. We have about 70 employees, about 70 computers too.

Departments:
Graphics & Medical
CSR
Copies
Imaging
Other?

Our network layout sucks now.
I am trying to come up with a new way to implement when we move to the new building. Each department can be separate, but would be nice to be able to transfer files between each. We'll have an incoming T1 connected to a cisco router.

I was thinking something along making 5 VLANs, but i am not sure of routing between them, maybe just use subnets?
Also, i need to put a firewall in place, sonicall or watchdog, whatever. I gotta do some research on them.

So, if anyone has advice on what they'd do or technologies i should look into, LMK please. I have some offtime at work and will be doing massive research on this. Oh, also recommendations on managed switches would be great. Thanks!

 

[Fatt]

You have to start with a physical blueprint, just like the one the contractors who built the place used.

You then have to make an overlay that has the physical location of the different departments.

You need to figure out where your main closet and sub-closets are going to be.

You're also going to want to run TWO cables to every location where there either is or could be a host (workstation, printer, copier, etc.)

Take the time to do the wiring right and do it well. Seriously. Don't lay it on top of the ceiling grid. Use plenty of wire ties and whatever wire-run accessories you can talk the boss into.


I have some general suggestions for equipment:

Definitely cisco routers and switches. Cisco doesn't own 80% of the market because they have a pretty logo.

Definitely use VLANs for the whole place. For several reasons.


Go with dell workstations running 2000 pro or XP pro, which can be stripped down to pretty light installs.
Windows 2000 Adv Server with active directory for your domain controllers, which will make for easier administration.
(That is, if you have the opportunity to upgrade to new equipment)


Use two windows servers for WINS. (one for failover)
Use two linux servers for DHCP and two more for DNS, again, one each for failover.
These six machines can be pretty basic, mid to low performance machines.
They don't have to scream, they just have to run without crashing. And I only suggest windows for the WINS servers because, well... it's WINS....

Get a couple of REAL servers for network storage. Cisco has some good products there as well.

GHOST EVERYTHING. It's a real chunk of money but it will pay off.

Explain to your boss that IT is like physical plant. Lights, Heat, Plumbing...
It has to be dead on reliable, because you can't play games these days.

 

[Fatt]

By the way...

Use private addressing inside to save money. You COULD run GM with ONE ip address. OK, it's easier to have a few, but really...
One for your inside area and one for your DMZ where you have the web server for the outside world. In fact, consider outsourcing the web. Co-Lo.

If you use, for instance, the 172 net, you could have it set up like this:

x.x.1.x = dept 1
x.x.2.x = dept 2
x.x.3.x = dept 3
etc...

makes administration easier. well, at least i think it does, but I'm kind of obsessive-compulsive.

 

[WannaFly]

Can you give me some of the reasons i should use VLANs, i dont know much about them...
We arnt going to buy new dells for each workstation, as we already have computers for all the employees.
They arnt going to go for linux server, noone knows anything about them. If anything they'll use windows 2000 DNS, DHCP.

I need to do alot of research on SANs and figure out how much they cost. THe graphics department easily can use 100GB/month in disk space, medical can go about 150GB. They each store it all on their own HD's, it'd be nice to have a central storage location.
If your online and have a sec, i'd like to chat with you if i could. PM me if you'd like.
I am also condering proposing a VoIP solution, but thats way outta my league.

Its funny how bad our network layout sucks now. Theres about 50 clients all on the same broadcast domain all sharing the same bandwidth. We dont even have a WINS server!! Can we say broadcasts galore!

 

[cmetz]

Fatt, Cisco dominates the router and switch market for the same reasons that IBM used to dominate the PC market:

1. Nobody gets fired for buying Cisco
2. You can buy your whole network solution all-Cisco

Note that neither of these statements are saying that Cisco is the best. Extreme, Foundry, and even sometimes Enterasys and 3Com make better products that cost less money. Some of Cisco's switches are real junk - and some of them are very good. It's very important if you buy Cisco to understand which are which. (I say the same about your "buy Dell" comment, but since the original poster isn't going to buy new PCs anyway, it's a non-issue)

Your wiring suggestions are on the money. For this scale, one wiring closet would probably be the way to go though.

I seriously second the suggestion that outside-facing servers like WWW and external DNS be colocated. These days, colo is cheap.

WannaFly, if you have the budget, I would suggest that you build your network so that the (hopefully few) storage heavy users can have switched 1000BaseT gigabit to the desktop, and everyone else gets 10/100 switched to the desktop. At 70 employees (let's say 150 stations, that is, some room to grow and some extra for printers and such), this can all be brought into one switch without much trouble, and that'll make management far easier.

Home-run, centralize the wiring into one small room, organize it well. MAKE SURE YOUR NETWORK ROOM HAS EGREGIOUS COOLING. Run extra/special AC into there, whatever, talk with some real HVAC guys. Tell 'em you want to be able to disappate heat equivalent to, say, 80A@120VAC (forget how many BTUs that comes out to). If you don't have adequate cooling for your network equipment, it is more likely to fail, and you don't want that, do you? Similarly, make sure there's oodles of power in there, and make sure in particular you have several 15/20A@220VAC circuits 'cause some higher-end networking gear and/or higher-end UPSs will need that (much easier to run the wires now than when the room is filled with gear in production). Put down anti-static tile on the floor of that room - raised is probably not necessary, but there are glue-on tiles from several of the major manufacturers specifically for anti-static electronics applications, they're cheap, easy, and prevent ESD damage (most of which is subtle and over time, btw). Oh, and make sure the racks are properly grounded.

Be extremely picky about the wiring subcontractor. Make sure you've SEEN work done by that sub before you even allow 'em to bid. Some wiring subs are absolutely pedantic about neatness and that your cable plant / cable management is top notch. These are the kind of guys you want. Other guys simply run wires. Those are the kind of guys you don't want. No matter what your wiring room starts out looking like, it ends up a jungle. Excellent cable organization and neatness to start out with, and good cable management stuff installed to start out with, will make your life dramatically easier over the lifespan of this cable plant.

Consider separate racks for equipment and for cable management. At your scale, you just aren't going to have that many ports, so maybe you can get away with top half/bottom half. The key is to clearly separate cable management from equipment AND to have a way that you don't have to run bunches of long cables far to go from switches to ports. Also, remember that heavy stuff should go on the bottom of the rack, so UPSs at the very bottom, and if you get a high-end switch, that might be at the bottom too. While patch panels and finger ducts are nice and light and can go at the top, no problem.

If you have the budget, make sure the switch you get has full redundancy - redundant backplanes, redunant management modules, and the ability to hot-swap cards. An example is Extreme's Black Diamond, Cisco's 65xx (don't know which ones/what configurations get you redundancy), and I'm sure Foundry and Enterasys have similar. Otherwise you have a single point of failure that will, inevitably, fail on you

An alternative strategy which might be cheaper is to buy lower-end modular switches (Extreme's Alpine, Cisco's 47xx, etc.) and to simply have a cold spare of every part. The trick being that, for example, you only should need ONE spare of every part in the box, not one spare for each one you have (so for example, if you have 3 10/100 cards, you only need one spare, not three). This would mean some downtime on system failure, but if you have a cold spare chassis physically racked right above/below the main chassis, you can swap spare parts into the real unit pretty darn fast under fire. Plus in a pinch you already have a box to grow into if you need more capacity (just make sure to buy a new "spare").

Another alternative strategy which might be cheaper is to buy several fixed-configuration switches. You could, for example, buy a higher-end L3 switch with 12 to 16 100/1000BaseT gigabit ports, and then buy a few dumb L2 (or managed L2) switches with 10/100 ports and 1000BaseT uplinks - one dumb switch per "VLAN," and use the higher-end switch to route fast between the VLANs and to service the fewer number of power users. If you buy two of the higher-end switches and cable things right, you can get some redundancy (yaaay). This sort of configuration will be much cheaper than a big modular switch, but it WILL be a lot more headache to administer.

The main two reasons to use VLANs are:
1. Separates the broadcast domain, so that ARP and true broadcast traffic doesn't get to be too much. If memory serves, the CSMA/CD Ethernet specs say no more than 100 stations on an Ethernet -- this is mostly because of stuff related to CSMA/CD, but it's not a horrible rule of thumb in the modern world.

The main problem with broadcasts are that every single station has to receive them and minimally proceess them, creating some CPU load on every box on your network. If the rate of broadcast traffic is sufficiently low, it doesn't really matter, but if you start seeing even hundreds of kilobytes per second of broadcasts, it can start to matter for embedded devices. So splitting up your network into a few separate broadcast domains helps keep the rate of broadcasts that stations see down to a nominal level.

2. Makes it easier to implement administrative controls. This network is the HR network, it has this IP subnet, and now I can write IP address based server ACLs for it easily. Granted, IP address based ACLs are lousy to begin with, but they're easy so they're common. It also lets you create internal-only networks that can't see the outside world (for things like printers), separate from production networks that can. And you probably want to strictly separate systems that are inside the firewall from systems that are outside the firewall.

3. Allows you to split switches more easily. If you buy a big switch now sized for 150 users, and someday you end up with 1,500 users, it's often easier to do so by buying more switches and migrating a few whole VLANs to one of the other switches. And maybe by that point, the new switches physically migrate closer to the users.

The switches you should be looking at anyway (but double check for the feature) are "layer 3" switches, so they can do IP routing between VLANs within the switch chassis. All can do IP ACLs, too, and some of them even can do ACLs without massive slowdowns (*ahem*). "layer 3" switches tend to all around have more features than the really low end switches, and you probably will be happier buying in that class.

"SANs" - I'd suggest instead of trying to do a SAN that you instead try to do a NAS (also known as a file server). Get a Network Appliance fileserver. Don't buy their lowest end boxes. Make sure that the box you buy has a whole bunch more potential capacity than you're actually using, 'cause your needs WILL grow. Also look at back-up solutions that run directly on the NetApps box.

VoIP - not baked. Maybe in the future it'll be a great thing, but not now. It's a phone. It should Just Work. Get a traditional phone system that's been around for a while and Just Works. If you want a good small- to mid-sized PBX on the cheap, check out Altigen. They make a PC-based phone system that can use your favorite POTS phones on people's desks and can scale to a few hundred stations. It's based on NT, which scares the heck out of me, but then again, you don't want to know what's inside most PBXs, only whether it ends up working or not. Friends of mine with Altigen systems have had good experiences, and that's not true of friends of mine with various other smaller PBXs (Avaya, NEC).

Firewall - Watchdog? You mean Watchguard? I got a friend who'll sell you a pretty high end Firebox, cheap. You will have to get to him before he puts it downrange of his AK-47, and promise him that he will never, ever see that box again. He had several major outages because the box hard locked and stopped passing all traffic. Simply unacceptable. It got ripped out.

Sonicwall is pretty simple and straightforward, but probably too low end for your application.
Netscreen is okay, user interface sucks and they don't have a whole lot of features, but they work.
Cisco PIX is okay, user interface sucks and it's expensive at your scale, but they work.

A PC running OpenBSD or Linux makes a great firewall if you have enough clues. IPCop and a few others are free Linux-based firewall distributions on a CD that are set up to be easy to use and powerful - check 'em out. Very cheap, and works as well as the commercial ones (IMO) - IF you're willing to put some time and clues into it. If you aren't, see Cisco PIX or Netscreen.

Any PCs in the network room? Re-case them into rack-mount cases. 2U if you don't need many cards, 4U otherwise. 1U the thermals are more delicate as are the parts in general, and they're more prone to failure, so I'd avoid 1U unless you're truly hurting for rack space. Cheap 2U/4U rack-mount cases are okay (cheap 1U are NOT), but in the long run rack mounting PCs will just make life far easier for you.

 

[WannaFly]

Wow! Where to start!

First of all, let me say this. I am going to school for networking and have a decent background in networking, but some of the terms you used i didn't recognize! I'll figure them out. Anyways, like i said its a small business and the current network was just thrown together. After the cable contractor wired everything, *WE* had to go back and fox-and-hound each wire because he DIDN'T LABEL THEM!!! Sadly enough, they have used that guy to run cables again, but hopefully not in the new building. What i'd like to do is (even though i don't have a floor plan), throw together a "proposal" for our new network, because they've mentioned the idea that i can help in redoing it. I need the experience

I am gonna start looking into some wiring products. I've seen a neat rack that runs above the ceiling that neatly encloses cable. Anyway, i'll talk to some contractors and look through magazines for that.

Thank for for such specifics with the power and air conditioning, that'll help a lot. Definitely gonna have some sort of UPS for the entire network rack. (what are finger ducts?)
I am definitely going to be doing a lot of research on the switches. IS a L3 switch different then a router?. The whole switch layout confuses me regarding how VLANs talk and are connected. I need to see if i can get someone to give me a tour of their NOC/wiring closet somewhere.

I really don't think gigabit connections are needed for the medical/graphics, but maybe from the NAS to the switches? Regarding NAS, your talking about like Snap Drives? ( i believe those are NAS's).

I agree with Voip, i figure the company wouldn't go for it anyway. I thought it would save us because we have 8 offices all over the country too.

Firewall - ya, watchguard, thats what i meant! Depending on how cheap he'll sell it, i might want it, i'm always looking for something new to play around with . I am taking Cisco classes and next semester(fall) we'll be learning about Cisco PIX, but thats too far away! Guess i'm on my own...

I really do like the linux solutions, a lot. But really, it would mean one thing. Job Security for me. Literally, this place has *no one* that has ever touches linux besides me. And they wont pay enough to hire someone good.

We wont be running any servers except for WINS/AD from the NOC. I have to go and each what the difference between 2U/4U/1U is.

Any way, thanks for all the helpful information, you've given me a really good start and really gave me alot of things to think about. I hope i am not getting over my head! Even if i am, i love doing this stuff. Thanks agagin...

 

[Fatt]

Originally posted by: WannaFly
Can you give me some of the reasons i should use VLANs, i dont know much about them...

Well, with switches as cost effective as they are, microsegmentation has become very popular. That puts your hosts on their own private collision domains with the performance benefits that entails.
Now, VLANing, among other things, lets you move Joe Blow & his workstation to another plysical location in your building, plug him in and have his "virtual network" follow him. That's oversimplified to the point where I don't know if I even said something useful, but it's one of those things where you'd be better served typing VLAN into Google and reading a couple of articles.

===========================================================================

Originally posted by: cmetz
Fatt, Cisco dominates the router and switch market for the same reasons that IBM used to dominate the PC market:

1. Nobody gets fired for buying Cisco
2. You can buy your whole network solution all-Cisco

Note that neither of these statements are saying that Cisco is the best. Extreme, Foundry, and even sometimes Enterasys and 3Com make better products that cost less money. Some of Cisco's switches are real junk - and some of them are very good. It's very important if you buy Cisco to understand which are which. (I say the same about your "buy Dell" comment, but since the original poster isn't going to buy new PCs anyway, it's a non-issue)

Well, the two reasons you mentioned are, in the real world, good reasons.
But I can't say I agree with your assessment that Cisco isn't the best equipment you can buy in most situations, in large part because of the Cisco IOS. However, I don't want to argue the point. Neither one of us is suggesting crap and it ultimately ends up being a Ford vs Chevy argument anyway.
As regards Dell, I didn't base my comment on that annoying "dell dude"
Rather, I base it on their price point and better than average support.
Of course, you're correct that the point is moot.

Finally, I'd be willing to bet a lobster & steak dinner that there is no way he can get away with 1 closet.
I base that on the amount of employees that 70 hosts imply and the physical space that people take up.
Of course, if the building is set up to be densely populated I'd be picking up the chack, but that's what makes bets interesting, isn't it.


Oh, almost forgot...

If the budget allows it, consider hiring a GOOD electrician to do the network cabling, in addition to the electrical wiring.

 

[WannaFly]

I like the idea of VLANs, but the one thing that is confusing me is. Doesthe L3 switch handle the routing between them, or does the L3 switch connect to a router to route them?

Regarding the number of wiring closets, i believe the TIA/EIA standards call for one closet per floor (its a multi story building) and on each floor one closet for every 1000 sqaure meters. I dont know if most people stick to that or not.

 

[Fatt]

I like the idea of VLANs, but the one thing that is confusing me is. Doesthe L3 switch handle the routing between them, or does the L3 switch connect to a router to route them?
Again, this is oversimplifying, but think of it this way:
Your Switches would handle your internal "routing" and your routers would stand between you and the outside of your physical building.
I have a friend at Cisco. If you like, you can give me your e-mail address and I can pass it along to him so that he can make specific suggestions for your needs.




Regarding the number of wiring closets, i believe the TIA/EIA standards call for one closet per floor (its a multi story building) and on each floor one closet for every 1000 sqaure meters. I dont know if most people stick to that or not.
Those standards are for the GUIDANCE of the installer. They have not come down from Mt Sinai graven in stone. Having said that, the standards were established for a reason.
My suggestion to you is that you use the standards as a jump off point to design your network, modifying it as you see fit to meet your specific needs.
The only thing you want to really "obey" are the wire length limits, since there are limitations based on the laws of physics. Make a real effort to limit your runs to 75 meters or less, and your patch cables to 2 meters or less. That gives you some wiggle room.

 

[cmetz]

WannaFly, finger ducts are cable management things (devices? dunno what you'd call 'em) that have an area you run cables down in one direction, and then a bunch of little semi-flexible "fingers" in the perpendicular direction. So, for example, a horizontal finger duct typically attaches as a 2Uish rack-mount panel, and is open on the sides with fingers left-to-right. You run the cable horizontally from wherever and then slot it between the right fingers to hold it tightly in place near where it needs to attach. When you see one (look at Ortronics's web site), this will make a ton more sense. These keep the cables neat and separated near switches and patch panels.

A layer 3 switch is for all intents and purposes a router. Typically they are cache-flow routers, which are fine for LAN purposes. A L3 switch typically can do fast-path IP forwarding at the same speed as it can switch on Ethernet packets (meaning if you have a non-oversubscribed backplane, wire speed, which is good).

>I really don't think gigabit connections are needed for the medical/graphics, but maybe from the NAS
>to the switches? Regarding NAS, your talking about like Snap Drives? ( i believe those are NAS's).

Gigabit is useful today for severs and NAS, but I suspect that you will find it useful for a few power users also. Don't think of gigabit in this context as being fully 1Gb/s, but rather as more than 100Mb/s. So even if a PC only can push 200-300Mb/s, that's still a nice performance boost over 100Mb/s. You may find that some of your heaviest users can benefit from such a capability, though most won't.

Network Appliance. Really. They're the vendor to talk to, IMO.

Fatt,
>But I can't say I agree with your assessment that Cisco isn't the best equipment you can buy in most
>situations, in large part because of the Cisco IOS

IOS is good. BUT, and this is a huge BUT, it can't make up for limitations and flaws of the hardware. And many of the catalyst switches simply don't have enough hardware capacity, or don't have important features done by the hardware (meaning slow path). And if the hardware is unstable, you still lose.

>Finally, I'd be willing to bet a lobster & steak dinner that there is no way he can get away with 1 closet.

I say "room" not closet. I think he needs enough space for at least one full 72" rack and surrounding clearance (which should always be overestimated!), and two racks is a happier place to be. This is bigger than typical "wiring closets" but still not quite so big as a full office or real room. It depends on what the poster has available to work with -- it sounds like the interior build-out has been done already and so he's gonna get the space he's gonna get, or at least he's gonna have to find a space in the existing interior that meets his requirements.

But I do think it's possible to bring all this to one room.

>If the budget allows it, consider hiring a GOOD electrician to do the network cabling, in addition to the
>electrical wiring.

I have to strongly disagree with this statement. My experience is that electricians, even good ones, live in a world of current-carrying wires -- they understand that stuff really well -- but that's their world. Every electrician I've seen doing communication wires has done them as if they were current-carrying wires, and that's where the problems start. Signal quality isn't an issue for current-carrying, it's a huge issue for communications. There's no good reason why a good electrician can't be a good communications wiring guy, but every time I've seen it, that's the way it's worked out. Keep 'em separate, find good professional communication network installers to do that work (sounds like the original poster has to work with the choice his management already made, though).

WannaFly,
>I like the idea of VLANs, but the one thing that is confusing me is. Doesthe L3 switch handle the
>routing between them, or does the L3 switch connect to a router to route them?

You can do either. A L3 switch can route between them. Or you can get a L2 switch -- or a L3 switch with the L3 routing disabled -- and connect to a router, which can do the actual forwarding. Normally, you'll want to use the L3 switch for this because per unit dollar the IP forwarding performance is far better.

>Regarding the number of wiring closets, i believe the TIA/EIA standards call for one closet per floor (its
>a multi story building) and on each floor one closet for every 1000 sqaure meters. I dont know if most
>people stick to that or not.

I haven't heard of this before, but it doesn't terribly surprise me.

In practice, you can do nearly anything as long as the cable distances work out. However, the EIA specs were made for good reasons, and they're pretty good guidance. If you follow their guidance, you're more likely to have a good network than if you don't, but at the end of the day knowing what you're doing and having installers who know what they're doing is much more important.

Between floors in particular I can see being an issue. I would also suggest you run fiber from floor to floor and use that for risers. So, for example, you could get one 48 10/100 + 2 1000BaseSX switch per floor, and interconnect them using gigabit fiber (using the fiber as an 802.1q VLAN trunk). Extreme has a ring technology you can use, for the other guys, cable them to be a star or tree if possible (make the root in the middle).

Within a floor, "for every 1,000m^2" I wouldn't worry about, so long as you can make the cable distances work. Think about what 1,000m^2 would look like and remember that 100m is the limit on 100BaseTX and 1000BaseT, I think if you follow the length spec you'll naturally follow the other.

 

[cmetz]

WannaFly, BTW, there is a EIA standard now for cable COLORS that identifies their roles in standard ways. Check it out and try to comply with it -- it'll make life easier.

Anixter's catalog has a bunch of appendices with good executive summaries of many of these standards. And it's free! (well, 'till you go shopping and realize all the cable management goodies in there you can use...)

 

[WannaFly]

Thanks for the information. I went to Ortronics's website and it would not let me fill out the request catalog form! Anixter's didnt even have one, i guess i'll have to look through their online catalogs. Tonight and tomorrow i'll be doing alot of research on some different switches, as I need to start deciding on things soon. I am hoping to have my "proposal" done within 2-3 weeks. Going to get the floorplan on tuesday. I dont think i'll have any troubles, except with giga bit, i have never used it and am not quite sure how that would work out, but that's to come. I am definately looking into the EIA standards and going to use them as a general guideline for the layout. If i did VLANs, would that mean each VLAN gets a different subnet address?

 

[cmetz]

WannaFly, yes, typically you'll have one IP subnet per VLAN - it's certainly the right way to design it initially. (later you may find that things mutate)

GigE in this case can be thought of as working the same as regular Ethernet. For stations, do it all 1000BaseT over copper. For long distances or between floors, then consider fiber. Fiber's main benefit is that you can't end up with electrical ground potential difference kinds of problems. (even one side of a building to another can have different ground potentials, and if the lowest-impedence path happens to be your backbone wire and a big potential difference builds up, boom, some piece of equipment gets fried)

 

[WannaFly]

One more thing, i went to barnes & noble and borders today and could not find any magazines regarding networking/server/cabling... any recommendations? Or an online vendor that sells mostly everything (rackmounts, switches, routers, firewalls...)?

 

[cmetz]

I've been very disappointed with the technical trade press in the networking/PC/IT world. I haven't see anything I'd recommend.

Find somebody who knows what they're doing. If you can find a local Linux/BSD user group, for example, you're likely to find a high density of networking clues there too. Anyway, find someone who really knows what they're doing who's willing to trade clues for beer

On wire and cable stuff, I've found that if you call up your local Anixter sales office a few times, usually at least one of the sales people actually knows their cable/cable management products pretty well. Their job is supposed to be to help you understand what you need, which is why they're not the cheapest game in town. Of course, there are also many clueless sales people in their force, so you have to ask some thoughtful questions and listen to their answers, then make a call as to whether the sales person is clueful or not. Once you find one who is, remember his name and call him up to buy stuff. (obviously, if you find a clueful sales rep, you should actually buy some stuff from him, not just ask him for free consulting.. I'm pretty sure those guys are on commission over there, and I know that sales guys over there who don't bring in dollars don't last long at all)

These forums aren't too bad, just remember that all advice (no matter what the source) is to be taken with a grain of salt and you should always research things yourself. But at least you can get some new ideas from the folks here on what to research.

 

[WannaFly]

cmetz, i have been doing my research on L3 switched and man theres alot out there. The cisco one i looked at was $22K for 40 ports! Anyway, i found This which is reasonably priced at about $6K for 48 ports. It says it includes "base layer 3 support" but for an upgrade for $5K it can have "full layer 3 support, including IP...". But nowhere can i find what "base" is. Any ideas? I have decided i want to keep this project at about $10K-$15K, which seems like it might be hard to do! Also, regarding the VLANs, i am assuming a windows 2000 server can appropriately give via DHCP a client the appropriate address on its subnet? I know you can specify scopes, but i just wanted to find out if it knows what VLAN it came from. Also, will file sharing/printing/browing be an issue across the VLANs? TIA...

 

[cmetz]

Extreme and Foundry are bitter rivals, if you see something from Foundry that's interesting, go talk to some Extreme resellers and see if they can match/beat. Cisco is just going to be more expensive - you don't normally buy from them because they're the cheapest. The box you linked to seems to be similar to Extreme's 48si, which I got a friend of mine to buy a couple of - they're great little boxes. He got them with dual power supplies for $5k each. I think the PSs alone were $1500, so that'd make the boxes $3500ish. The 48si is 1U instead of 2U, and all the ports are auto-crossover (way cool! Foundry and Cisco are doing this too in new products, and it's about time).

If you're tight on budget, these are the kinds of boxes to look at -- fixed-configuration. But if you can spare more $$, get a modular switch, something that has some expandability for more media types, more gig ports, etc. If you get fixed-config switches, think very carefully about how they interconnect. For example, if you have two 48 10/100 + 2 1G switches interconnected by 1 1G link, then it would be a good idea to try to keep VLANs mostly on one switch or the other if you can, so as to keep traffic off the 1G link. Better, if you can keep the Ethernet VLANs completely within the switch and have a "backbone" IP subnet over the 1G link between them, so that you don't have silly spanning tree sending stuff over that 1G link that doesn't really need to go to the other switch.

If you're REALLY tight on budget, maybe what you need to do is get one L3 switch to be your "backbone" and then use some dumb L2-only switches to multiplex from stations into the L3 switch. For example, if you get two 48+1 dumb switches and pull the 1Gb/s uplink ports into the L3 switch's 1G ports, you can have one "VLAN" basically just be each of the dumb switches, and let the L3 switch handle IP routing. Another approach would be to get a L3 switch with all gigabit ports (Summit1iTX, and I'm sure Foundry and Cisco have similar), and to use dumb L2-only switches to handle traffic inside a VLAN, and the L3 switch to go between.

The problem with both of the fixed-configuration based approaches here is you are oversubscribing your backbone capacity - that is, fully loaded, you could be sending 20 100Mb/s ports' worth of data into a 1Gb/s backbone link, and that means some traffic is going to get dropped, which is BAD. However, the whole point of statistical multiplexing is that most stations are idle most of the time, so you can oversubscribe to some degree safely, you just have to watch out in case you can't handle peak load. Just be careful about it. Also, you might want to have some gig ports into your network for things like a file server.

Typically, "basic L3" means static routing. And maybe something like RIP, but don't run RIP because it's EVIL. This will probably work fine for what you need - you probably don't want dynamic routing if it's all in one box anyway! They should also do IP-level ACLs as part of "basic L3," but be careful about what ACLs are wire speed and what are slow path (not wire speed = don't do it!).

>Also, regarding the VLANs, i am assuming a windows 2000 server can appropriately give via
>DHCP a client the appropriate address on its subnet? I know you can specify scopes, but i
>just wanted to find out if it knows what VLAN it came from. Also, will file sharing/printing/
>browing be an issue across the VLANs? TIA...

I am not a Windows person, but I believe that 2K/XP can do 802.1Q VLAN tags. Therefore, it should be possible to have one wire going from your switch to your DHCP server carrying a bunch of VLANs, tagged, and have Windows pretend it has an interface on each individual VLAN. This way, you tell your DHCP server about the address ranges on each of these virtual interfaces, and the right thing should happen. You'll need a decent NIC (Intel Pro/100 or Pro/1000 for example) that can deal with the slightly oversized frames needed for a tagged VLAN (1504 MTU vs. 1500). If this doesn't work, you can get four-port 10/100 Ethernet NICs cheap on EBay or around the net, and then you just run four wires to serve four VLANs (or eight for eight, or you get the idea).

802.1Q is the way to go if you can though.

 

[WannaFly]

Ok. Getting down into the details. I've already written my draft proposal, just have to come up witha network layout.
This is rough, but please take a look at it.
Layout

This is what i have so far. I think this layout is just about right, i am just not sure which to use the netscreen 204 or 5xt and i dont know it those actually will act as a router, they can be DHCP which is good. Anyway, give me your feedback please. I also plan on (somehow) proividing a VPN connection with the netscreen LAN-to-LAN so our remote offices have access to our network.

Regarding the VLANs, our departments hardly communitcate at all except for Medical & Graphics, which i am going to put on the same VLAN. So this should be ok?

 

[dzeanah]

OK, breaking this down into a couple of pieces here...

My Recommendations

With regard to a firewall, I wouldn't rule out SonicWALLs. They're easy to manage, are full featured, reliable in my experience, and are more than fast enoug to work in your role (their low-end rack-mount firewall costs about $1,500 from an internet discounter, passes traffic at 190Mb/s, passes 3DES traffic at 25 Mb/s, and handles 30k simultaneous connections). I prefer SonicWALL products over some of the others because they're affordable (most of my clients are small businesses), make it easy to implement web filtering if you run into users with "issues" about what they're doing at work, and have an AntiVirus solution that's both inexpensive and tied into the firewall in such a way that anyone who isn't running the current definitions can't access the Internet.

With regard to a firewall in general terms, Linux-based firewalls are cheap and there are a number fo distributions that are made to keep the process simple (see Mandrake's Multi Network Firewall for a good looking solution), but it's still a general purpose OS under the hood that someone is going to have to administer occasionally. The firewall appliances will cost more, but offer increased reliability and ease of use (provided you buy well -- most of my experience is with SonicWALLs). Ease of use is a big one here -- if you want to set up 2 firewalls as a failiver pair, with SonicWALL that's as simple as plugging the second one in and filling out 5 items of info. How do you do it with a linux-based solution? Answer: it's possible, but you just bumped the complexity of the solution. Don't take this as an argument for SonicWALLs over the competition either, as I'm in favor of any firewall appliance over a firewall built on a general-purpose OS. The exception to this rule comes in when you need the extra configurability that one of these solutions offers, and you have someone on staff who's capable of adminning the thing (or your company is willing to pay for a good consultant).

Seriously consider coming up with a standardized image for your users, or one for each department. Win2k/RIS is wonderful for this -- it makes adding a new machine or reimaging a machine as simple as booting from the network, selecting the image you want, and waiting 20 minutes for the installation to complete. If you think it through properly, you can insure that all user data is stored on your fileserver so it can be backed up nightly -- imagine a network where the loss of a workstation didn't result in the loss of any data older than last night. Go a step further and set up Active Directory to automagically deploy software, and you can have a network where your graphic designers can log into any workstation and have access to their files, e-mail, and specal applications (though there will be a delay as they're deployed); the next time someone else logs into that workstation, the application will be removed. Kinda nice, isn't it?

Go to the effort of insuring that all your critical data is backed up and stored off-site. This might be a hard-sell as far as management is concerned (especially considering the cost of something like a DAT changer, which it soulds like you'll need), but IMHO it's critical to have a system that allows you to recover from a site failure in a very short period of time. The ideal recovery after a fire or whatever would look like: find new site while getting insurance check; buy replacement hardware; wire new network together; restore servers from backup; boot new workstations from network to find that everything is as it was just before the previous night's backup. Beautiful (though you'll need to run some serious tests to make sure things are running as you anticipate).

I would prefer RIS to Ghost -- Ghost is very hardware dependent, and it requires that you only use it on comparable hardware. RIS requires that the workstation you're adding have a network card it has the drivers for (you can add 'em manually), and will be happy to deploy an image to multiple computer configurations at once. Makes replacements cheaper and easier as well, as you aren't stuck buying the same (obsolete) configuration years later for more money than it's worth.

It's probably worth the expense to hire a consultant to come in and help you plan this out, even if you're going to deploy it all yourself. There's no substitute for proper planning, and there's no better teacher than having done it yourself in the past.

I wouldn't bother with WINS servers -- if everything is running Win2k/XP, then it's no longer necessary. Personally, I'm glad to be rid of it. In my experience NT-based DNS servers were flaky as hell, but Win2k does a much better job. I'm generally a pro-Linux-down-with-Bill-Gates kind of guy, but I don't feel much need to deploy Linux simply to run DNS -- DNS in 2k is solid.

Re: broadcast traffic... A couple of thoughts. If you aren't seeing NetBIOS broadcasts from the workstations (they can get all their info from DNS), are you really going to be seeing much more than regular ARP broadcasts? VLANS are neat, but they add to the complexity of the network and make problem diagnosis a little bit tougher -- I'd do some sniffing on the network before I implemented this to see if it's necessary. Deployment of VLANs for security reasons is another issue entirely, and it can make a lot of sense to make sure HR is on their own (essentially physically separate) subnet. I know Cisco gear in particular can limit VLANs to particular ports and from particular MAC addresses; I'd guess that other solutions can as well. Just make sure you set yout file server to be a memer of every VLAN (which of course, brings security back into question...)

Great advice on cabling in this thread. Hire someone competent, and lay more wire than you think you'll use. Believe me, it's incredibly convenient to have 2 network and 2 phone ports at every workstation. The additional cost of doing it this way is negligible.

I prefer to maintain web servers and what-not in-house, but I get a little paranoid if they're not on a DMZ with limited/no access to the local network. Make sure your SQL programmer unserstands the importance of this and doesn't code in such a way that the Internet server requires full, administrative access to the primary file server. That's just foolish, but you'd be amazed how many times it happens in smaller shops.


Now, for some questions for other posters:

• What can you tell me about the administration and configuration of equipment from Extreme Networks or Foundry? I learned IOS and find it works exceptionally well, though it locks me into Cisco solutions which are often times way overpriced. I really like the volumes of documentation available from Cisco, but I'd be happy to cut my hardware costs and keep my proposals priced about comparably. About how are these solutions price against comparable Cisco gear -- 60% of Cisco cost? (Don't want to contact a sales rep at Extreme Networks to get pricing information).

• Can you give me a rough estimate of NetApp costs? How easy are they to back up? I generally spec out a Dell/IBM (it's fun to get them to bid against each other) server running hot-swap RAID-5 SCSI when a file server is needed. I'd love to see a cheaper but robust solution available.

• Is 1000-base-T to the desktop really a viable solution? Last I heard GB over copper was limited to fairly short cable runs.

 

[WannaFly]

regarding the workstation images i dont know how feasible that is because each workstation's hardware is COMPLETELY different. If it were my choice, i would buy dells that are all exactly the same so that this could be done.

I just installed a packet sniffer (Analog X PacketMon), and i am on a switched network so i can see ALL The traffic, but within a minute there was about 100 broadcasts to port 137/138/139 which are all netbios name resolution i believe. I am not sure howto find if there are any ARP requests.

I understand that VLANs would make the network more complex, but i believe it would be best. Like I said earlier, any department RARLY sends data to other departments and we rarely have to access computers in other departments. Besides Graphics and Medical(we share files all the time), noone really talks except to use a printer occasionally.

We currently dont have any servers in house for external (web) use

 

[cmetz]

>What can you tell me about the administration and configuration of equipment from Extreme Networks or Foundry? I learned IOS and find
>it works exceptionally well, though it locks me into Cisco solutions which are often times way overpriced. I really like the volumes of
>documentation available from Cisco, but I'd be happy to cut my hardware costs and keep my proposals priced about comparably.
>About how are these solutions price against comparable Cisco gear -- 60% of Cisco cost? (Don't want to contact a sales rep at Extreme
>Networks to get pricing information).

Foundry I believe has a Cisco-like CLI. Cisco's Catalyst switches differ a little from router-IOS in their CLI (even the Cats that run "real IOS") so they're really Cisco-like, too. Extreme has their own - it's not hard to learn, but it IS all different.

Low-end Extreme/Foundry boxes can be found mail order - go look around and you should be able to get ballpark pricing thataway. In general, Extreme and Foundry deliver more performance for less cost than Cisco. However, there are a few Cisco products that are really competitive, features and price, and Cisco is starting to get with the program after years of bloated prices.

>Can you give me a rough estimate of NetApp costs? How easy are they to back up? I generally spec out a Dell/IBM (it's fun to get them
>to bid against each other) server running hot-swap RAID-5 SCSI when a file server is needed. I'd love to see a cheaper but robust
>solution available.

I don't know what they cost. I'm sure they're not super-cheap. But they're great boxes. Simply a class above a PC fileserver.

>Is 1000-base-T to the desktop really a viable solution? Last I heard GB over copper was limited to fairly short cable runs.

100 meters over Cat5e. Exactly the same distance limit as 100BaseTX.

1000BaseT loaded to the desktop isn't going to be much issue any time soon, but new systems can easily push more than 100Mb/s. So if you look as gigabit to the desktop as really being ">100Mb/s to the desktop," yes, it's time. Many new business-class PCs come with 10/100/1000 on board, the NICs are incredibly cheap now, and switch ports are dropping in cost fast. For heavy-volume users, this can be a very cost-effective performance boost. For most users, though 100Mb/s full duplex is stil plenty.

WannaFly et al. - one of the reasons to do VLANs and IP subnets is simply that you'll have the opportunity when moving to a new location/network to do it then, and doing it later will be painful. If you can separate the administrative domains now and separate where you think load will be now, you can avoid problems later on. Also, as I said earlier, you may find you want different ACLs on the different VLANs.

WannaFly - add a VLAN for non-Internet devices, e.g., printers and such - things that NEVER talk to the outside world. Making them their own VLAN or VLANs and their own IP subnets makes it easier to ACL 'em out at appropriate points. If it should never talk to the outside world, then make sure your access controls reflect that.

 

[WannaFly]

Do i have the right idea for the basic layout? (see above post) I am not sure whether the firewall will act as a gateway or not...would i need some sort of router?

 

[dzeanah]

regarding the workstation images i dont know how feasible that is because each workstation's hardware is COMPLETELY different. If it were my choice, i would buy dells that are all exactly the same so that this could be done.

That's the advantage of RIS -- Windows 2000 installs the base system on every machine as is appropriate for the hardware in that machine. From there, it adds changes to the registry, additional files, etc to match a base system. This means you can install Office, Netscape, and Age of Empires on a machine, create a RIS image of it, and duplicate that configuration to an eMachines box, a Compaq Presario, and a Gateway 6400 Server running as a workstation. Don't worry about device drivers and the rest -- let Windows worry about it.

Hence the comment about RIS vs Ghost.

would i need some sort of router?

Generally, yes. But nowadays most of the ISP's I deal with include a router as part of the T1 installation. I would think that someone would have thought about that detail by now.

 

[cmetz]

Your network design looked okay.

The Win2K server shouldn't need a gig connection, IMO. The fileserver should have a gig connection. If you buy Summit48si switches, make sure to get a pair of the LC (1000BaseSX) mini-GBIC modules and make sure you have multi-mode fiber run between the rooms. You probably want to have SC connectors on your fiber patch panel / jacks and to use a SC<->LC adapter cable to make the run from the jack to the switch.

Are you getting two switches or three?

 

[WannaFly]

Regaring the number of switches, probably 2, if i can get away with it, maybe even one (possibly put graphics & medical on an L2 switch as a "one port VLAN" from the summit48?)

The one fileserver i was looking at had dual gigabit connections. I am pretty use it was just cat5e gigabit. I'll need the LC mini-GBIC connectors to link the two switches, but for the fileserver its gigabit over cat5e i believe, i guess i would need a different module to do that?