Network for small business on Cisco equipment. Part 1

Greetings, dear Habr readers and casual visitors. In this series of articles we will talk about building a simple network for a company that is not too demanding of its IT infrastructure, but still needs to give its employees a high-quality Internet connection, access to file shares, VPN access to the workplace, and a video surveillance system that can be reached from anywhere in the world. The small business segment is characterized by rapid growth and, consequently, frequent re-planning of the network. In this article we will start with one office for 15 workplaces and then expand the network. So, if a topic interests you, write in the comments and we will try to cover it in the series. I assume the reader is familiar with the basics of computer networks, but I will provide Wikipedia links for the technical terms; if something is unclear, click and fill the gap.

So, let's begin. Any network begins with a survey of the premises and gathering the customer's requirements, which are later written up in the terms of reference (technical specification). Often the customer himself does not fully understand what he wants and what he needs for it, so he has to be steered toward what we can do; that is more the job of a sales representative, while we handle the technical part, so let's assume we received the following initial requirements:

  • 17 workstations for stationary PCs
  • Network disk storage (NAS)
  • Video surveillance system using NVR and IP cameras (8 pieces)
  • Office Wi-Fi coverage, two networks (internal and guest)
  • It is possible to add network printers (up to 3 pieces)
  • The prospect of opening a second office on the other side of the city

Equipment selection

I will not delve into the selection of a vendor, since that question gives rise to endless disputes; let's just say we have already decided on the brand, and it is Cisco.

The basis of the network is the router. It is important to assess our needs with future expansion in mind. Buying a router with deliberate headroom saves the customer money at expansion time, even if it is a little more expensive at the first stage. Cisco offers the RVxxx series for the small business segment, which includes routers for home offices (RV1xx, most often with a built-in Wi-Fi module) designed to connect a few workstations and a network storage device. They are of no interest to us, since they have rather limited VPN capabilities and rather low throughput. Nor do we care about a built-in wireless module, since the router will sit in a rack in a technical room and Wi-Fi will be provided by access points (APs). Our choice falls on the RV320, the junior model of the higher series. We do not need many ports in the built-in switch, since a separate switch will provide a sufficient number of ports. The main advantages of this router are a reasonably fast VPN server (75 Mbit/s), a license for 10 VPN tunnels and the ability to bring up a site-to-site VPN tunnel. Also important is the second WAN port, which provides a backup Internet connection.

After the router comes the switch. The most important parameter of a switch is the set of functions it supports, but first let's count the ports. In our case we plan to connect to the switch: 17 PCs, 2 APs (Wi-Fi access points), 8 IP cameras, 1 NAS and 3 network printers. Simple arithmetic gives 31, the number of devices initially connected to the network; add 2 uplinks to this (we plan to expand the network) and we settle on 48 ports. Now about functionality: our switch should support VLANs, preferably all 4096; SFP slots would not hurt, since it will be possible to connect a switch at the other end of the building over optics; it must be able to work in a topology with loops, which lets us have redundant links (STP, Spanning Tree Protocol); and since the APs and cameras will be powered over twisted pair, it needs PoE (you can read more about the protocols on the wiki, the names are clickable). We do not need complex L3 functionality, so our choice is the Cisco SG250-50P, since it has enough functionality for us without including redundant features. We will talk about Wi-Fi in the next article, as it is a fairly extensive topic, and we will also cover the choice of APs there. We do not choose the NAS and cameras; we assume other people are doing that, and we are only interested in the network.

Planning

To begin with, let's decide what virtual networks we need (you can read what VLANs are on Wikipedia). So, we have several logical network segments:

  • Client workstations (PCs)
  • Server (NAS)
  • Video Surveillance
  • Guest devices (WiFi)

Also, as good practice, we will move the device management interfaces into a separate VLAN. You can number VLANs in any order; I will choose these:

  • VLAN10 Management (MGMT)
  • VLAN50 Server's
  • VLAN100 LAN+WiFi
  • VLAN150 Visitor's WiFi (V-WiFi)
  • VLAN200 CAM's

Next, we will draw up an IP plan; we will use a 24-bit mask and the 192.168.x.x range. Let's get started.

The reserved pool will contain addresses that will be statically configured (printers, servers, management interfaces, etc., for clients DHCP will give a dynamic address).

So we figured out the IP, there are a couple of points that I would like to draw attention to:

  • There is no point in setting up DHCP in the management network, or in the server network, since all addresses there are assigned manually when the equipment is configured. Some people leave a small DHCP pool for the initial configuration of newly connected equipment, but I prefer, and recommend, configuring equipment at your own desk rather than at the customer's site, so I do not create such a pool here.
  • Some camera models may require a static address, but we assume that cameras receive it automatically.
  • On the local network, we leave the pool for printers, since the network print service does not work very reliably with dynamic addresses.
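The IP plan itself was an image in the original article; the following is an added example, not part of the original post, that derives the same kind of plan from the VLAN list and the rules stated above (first host is the gateway, no DHCP in MGMT and Server's, a reserved block for printers before the LAN DHCP pool). It assumes that the VLAN id becomes the third octet, which matches the 192.168.10.1 gateway the article gives for VLAN10, and the reserved-pool size of 20 addresses is an assumption.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    dhcp: bool           # does the router hand out addresses in this VLAN?
    reserved: int = 0    # host addresses after the gateway kept for static devices


# VLAN list from the article. DHCP choices follow the article's notes: MGMT and
# Server's are static only. The reserved-pool size (20) for printers is assumed.
VLANS = [
    Vlan(10, "MGMT", dhcp=False),
    Vlan(50, "Server's", dhcp=False),
    Vlan(100, "LAN+WiFi", dhcp=True, reserved=20),
    Vlan(150, "V-WiFi", dhcp=True),
    Vlan(200, "CAM's", dhcp=True),
]


def subnet_for(vlan: Vlan) -> ipaddress.IPv4Network:
    # Assumption: VLAN id becomes the third octet, which matches the article's
    # 192.168.10.1 gateway for VLAN10; the /24 mask is stated in the text.
    return ipaddress.ip_network(f"192.168.{vlan.vid}.0/24")


def plan_entry(vlan: Vlan) -> dict:
    """One row of the IP plan: gateway is the first host, the DHCP pool
    starts right after the reserved block and runs to the last host."""
    net = subnet_for(vlan)
    hosts = list(net.hosts())              # .1 .. .254 for a /24
    entry = {"vlan": vlan.vid, "name": vlan.name, "subnet": str(net),
             "gateway": str(hosts[0]), "mask": str(net.netmask),
             "dhcp_range": None, "reserved": None}
    if vlan.dhcp:
        if vlan.reserved:
            entry["reserved"] = (str(hosts[1]), str(hosts[vlan.reserved]))
        entry["dhcp_range"] = (str(hosts[1 + vlan.reserved]), str(hosts[-1]))
    return entry


def build_plan(vlans=VLANS) -> list:
    """Whole plan plus a sanity check that no two VLANs share address space,
    since overlapping subnets would break routing between them."""
    nets = [subnet_for(v) for v in vlans]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets {a} and {b}")
    return [plan_entry(v) for v in vlans]


def vlan_of(address: str, vlans=VLANS) -> Optional[str]:
    """Name of the planned VLAN an address belongs to, or None if it is
    outside the plan (useful when a device shows up where it should not)."""
    ip = ipaddress.ip_address(address)
    for v in vlans:
        if ip in subnet_for(v):
            return v.name
    return None


if __name__ == "__main__":
    for row in build_plan():
        print(row)
```

Running the script prints one row per VLAN; the same table can be handed straight to whoever fills in the router's DHCP Setup page, and `vlan_of` answers the "which segment is this address in" question during troubleshooting.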

Configuring the Router

Well, let's finally get to the setup. We take a patch cord and connect to one of the four LAN ports of the router. By default, the DHCP server on the router is enabled and the router is reachable at 192.168.1.1. You can check this with the ipconfig console utility, whose output will show our router as the default gateway. Let's check:

In the browser, go to this address, accept the insecure connection warning and log in with the username/password cisco/cisco. Immediately change the password to a secure one. Then, first of all, go to the Setup tab, Network section, where we assign a host name and domain name for the router.

Now let's add VLANs to our router. Go to Port Management / VLAN Membership. We are greeted by the table of VLANs configured by default.

We do not need them, so we delete everything except the first one (it is the default and cannot be deleted) and immediately add the VLANs we planned. Don't forget to check the box at the top. We will also allow device management only from the management network, and we will allow routing between networks everywhere except the guest network. Ports will be configured later.

Now let's configure the DHCP server according to our table. To do this, go to DHCP / DHCP Setup.
For networks in which DHCP will be disabled, we configure only the gateway address, which is the first address in the subnet (together with its mask).

In networks with DHCP everything is just as simple: we configure the gateway address in the same way and enter the pools and DNS below:

With that, DHCP is done; clients connected to the local network will now receive an address automatically. Now let's configure the ports (ports are configured according to the 802.1Q standard; the link is clickable, you can read it). Since all clients are expected to connect through managed switches, the untagged (native) VLAN on all ports will be MGMT, which means that any device plugged directly into such a port will end up in the management network (more details here). We return to Port Management / VLAN Membership and configure this. We leave VLAN1 as Excluded on all ports; we do not need it.
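To make the tagged/untagged distinction concrete, here is an added example (not from the original article and not vendor code) that builds and parses 802.1Q frames and applies the ingress rule the article relies on: an untagged frame takes the port's native VLAN, a tagged frame is admitted only if its VID is one the port carries. The port profile, MAC addresses and payload bytes are constructed for the demonstration; the VLAN numbers are the article's.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vid: Optional[int] = None, pcp: int = 0) -> bytes:
    """Build an Ethernet frame; when vid is given, insert an 802.1Q tag
    (TPID followed by the TCI: PCP 3 bits, DEI 1 bit, VID 12 bits)."""
    head = dst + src
    if vid is not None:
        tci = (pcp << 13) | (vid & 0x0FFF)      # DEI left at 0
        head += struct.pack("!HH", TPID_8021Q, tci)
    return head + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Split a frame into addresses, optional VLAN tag, EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vid = pcp = None
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("802.1Q tag truncated")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        pcp, vid = tci >> 13, tci & 0x0FFF
        offset = 18
    return {"dst": dst, "src": src, "vid": vid, "pcp": pcp,
            "ethertype": ethertype, "payload": frame[offset:]}


def ingress_vlan(port: dict, frame: bytes) -> Optional[int]:
    """802.1Q ingress rule for a port configured as in the article:
    untagged frames (and priority-tagged frames with VID 0) land in the
    port's native VLAN; tagged frames are accepted only for VIDs the port
    carries tagged; anything else is dropped (None)."""
    vid = parse_frame(frame)["vid"]
    if vid is None or vid == 0:
        return port["native"]
    if vid in port["tagged"]:
        return vid
    return None


# Port profile from the article: MGMT untagged, the other planned VLANs tagged.
PORT = {"native": 10, "tagged": {50, 100, 150, 200}}

# Constructed sample addresses and payload; not captured traffic.
PC_MAC = bytes.fromhex("0200000000a1")
GW_MAC = bytes.fromhex("0200000000ff")
IPV4 = 0x0800
PAYLOAD = b"\x45" + b"\x00" * 19           # placeholder IPv4 header bytes


def demo() -> dict:
    """Classify three constructed frames arriving on PORT."""
    untagged = build_frame(GW_MAC, PC_MAC, IPV4, PAYLOAD)
    lan = build_frame(GW_MAC, PC_MAC, IPV4, PAYLOAD, vid=100)
    unknown = build_frame(GW_MAC, PC_MAC, IPV4, PAYLOAD, vid=300)
    return {
        "untagged": ingress_vlan(PORT, untagged),   # 10: a plain device lands in MGMT
        "lan": ingress_vlan(PORT, lan),             # 100: tagged LAN traffic
        "unknown": ingress_vlan(PORT, unknown),     # None: VID not on the port, dropped
    }


if __name__ == "__main__":
    for name, vlan in demo().items():
        print(f"{name:>9}: {'dropped' if vlan is None else f'VLAN {vlan}'}")
```

The "untagged" case is the one to keep in mind: with MGMT as the native VLAN, anything plugged straight into a router port without a tagging switch in between is placed in the management network, which is why management access is restricted to that network and why the ports facing end devices should be behind the switch rather than directly on the router.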

Now we need to configure a static address from the management subnet on our network card, since after clicking "Save" we ended up in this subnet, and there is no DHCP server here. Go to the network adapter settings and configure the address. After that, the router will be available at 192.168.10.1

Let's set up our Internet connection. Suppose we received a static address from the ISP. Go to Setup / Network, select WAN1 below and click Edit. Select Static IP and enter your address.

And the last thing for today: we will configure remote access. To do this, go to Firewall / General and check the Remote Management box and, if necessary, change the port. Keep in mind that this makes the router's web interface reachable from the WAN side, so the strong administrator password set earlier matters here.

That is probably all for today. As a result of this article we have a basic configured router through which we can access the Internet. The article turned out longer than I expected, so in the next part we will finish configuring the router, bring up the VPN, configure the firewall and logging, and also configure the switch, after which we can start up our office. I hope the article was at least a little useful and informative. This is my first time writing, so I will be very glad of constructive criticism and questions; I will try to answer everyone and take your comments into account. Also, as I wrote at the beginning, your thoughts about what else might appear in the office and what else we should configure are welcome.

My contacts:
Telegram: hebelz
skype/mail: [email protected]
Join, let's chat.

Source: habr.com
