My planned SMB network architecture - please critique

Neutrino

Hi guys,

Background:
I am currently helping a dentist friend set up his IT infrastructure. Current layout is: 2 dentist offices + patient waiting room + dental assistant/secretary office. All this is attached to a medium size 3 story house.

This is how I currently plan to set up his network:

Internet from cable provider > cable provider all-in-one box (I will set as a bridge) > Cisco RV320 router > 16 port GB switch with poe > multiple wireless AP / wired connections

The Cisco RV320 router looks like it would give me all the features I need:

  • decent VPN options / performance
  • VLANs to separate home/business networks
  • DMZ for the patients AP
  • usb port for a 4G modem (backup in case cable goes down)
http://www.cisco.com/c/en/us/products/routers/rv320-dual-gigabit-wan-vpn-router/index.html
http://www.smallnetbuilder.com/lanw...co-rv320-dual-gigabit-wan-vpn-router-reviewed

I will set up a VPN so he can access his network with patient data etc. remotely. I'll have to see which VPN option is the most tablet/smartphone-friendly.

VLANs will be used to separate the home and business networks

In case he does not want to buy a dedicated AP for the patients I will not use the DMZ port and use the AP SSID to VLAN feature to keep the patient guest network separate.

----
As advised in my previous thread,

http://hardforum.com/showthread.php?t=1883164

I will be using multiple N class APs to cover the house/offices. They should be cheaper and less finicky than the new fancy AC and from what I gather multiple cheap spread out APs with roaming should work better than trying to use a single expensive more powerful unit.

As previously mentioned I will be using the SSID to VLAN feature of the APs to keep networks separate.

So far I plan to use one Cisco WAP121 (should be enough for basic internet access) for the patients and (2-3) Cisco WAP131 for the rest of the house/offices.

http://www.cisco.com/c/en/us/produc...-n-access-point-single-point-setup/index.html
http://www.cisco.com/c/en/us/products/wireless/wap131-wireless-n-dual-radio-access-point/index.html

The servers/desktops will be on the wired network.

------

PS. Well <insert expletive> I just saw the 16 port switch we bought (Linksys LGS116P) does not support 802.1q, so I cannot trunk my VLANs.

http://www.linksys.com/us/support-product?pid=01t80000003KdELAA0

Any ideas on a cheap 16 port switch with 802.1q and POE?
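As an added illustration (not from the thread) of why the SSID-to-VLAN plan depends on 802.1Q support in the switch: this small Python model tags a frame, parses the tag, and compares how an 802.1Q-aware switch forwards a patient-guest frame with how a switch that ignores tags does. VLAN IDs, port names and the topology are assumptions for the example.

```python
# Added example, not from the thread. VLAN IDs, port roles and topology are assumed.
import struct

TPID = 0x8100                                              # 802.1Q tag protocol id
VLANS = {10: "home", 20: "business", 30: "patient-guest"}  # assumed VLAN plan


def tag_frame(dst, src, vid, ethertype, payload):
    """Insert an 802.1Q header (TPID + TCI, PCP/DEI = 0) after the MAC addresses."""
    return dst + src + struct.pack("!HHH", TPID, vid & 0x0FFF, ethertype) + payload


def parse_frame(frame):
    """Return (vid or None if untagged, inner ethertype, payload)."""
    ethertype, = struct.unpack("!H", frame[12:14])
    if ethertype == TPID:
        tci, inner = struct.unpack("!HH", frame[14:18])
        return tci & 0x0FFF, inner, frame[18:]
    return None, ethertype, frame[14:]


class Port:
    """'access' carries one VLAN untagged; 'trunk' carries several VLANs, tagged."""
    def __init__(self, name, mode, vlans):
        self.name, self.mode, self.vlans = name, mode, set(vlans)


def dot1q_forward(ingress, frame, ports):
    """802.1Q switch: flood only to other ports that are members of the frame's VLAN."""
    vid, _, _ = parse_frame(frame)
    if ingress.mode == "access":
        vid = next(iter(ingress.vlans))  # untagged traffic belongs to the access VLAN
    if vid not in ingress.vlans:         # untagged on a trunk or disallowed tag: drop
        return []
    return sorted(p.name for p in ports if p is not ingress and vid in p.vlans)


def unmanaged_forward(ingress, frame, ports):
    """Switch with no 802.1Q support: the tag is ignored, one flat broadcast domain."""
    return sorted(p.name for p in ports if p is not ingress)


def demo():
    # Constructed topology: AP and router on trunks, server and waiting-room PC on access ports.
    ports = [Port("ap", "trunk", VLANS), Port("router", "trunk", VLANS),
             Port("server", "access", [20]), Port("waiting-room-pc", "access", [30])]
    ap, bcast = ports[0], b"\xff" * 6
    # A broadcast (e.g. ARP) from the patient SSID, tagged VLAN 30 by the AP.
    guest_arp = tag_frame(bcast, bytes.fromhex("0200000000aa"), 30, 0x0806, b"\x00" * 28)
    return dot1q_forward(ap, guest_arp, ports), unmanaged_forward(ap, guest_arp, ports)
```

With the 802.1Q switch the guest broadcast reaches only the router and the VLAN 30 access port; the tag-ignoring switch also delivers it to the business server port, which is exactly the separation the plan loses without 802.1q.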
 
This is not a simple question.
The network/computers must meet HIPAA requirements and, if they take credit cards, PCI.
The proposed network will not meet those requirements.
 
in this case HIPAA does not apply since this setup is not located in the United States :)

The network just needs to be stable and decently secure :) ... all on a very tight budget :(
 
Here's a way you can save money...

You likely only need 1 AP for the "office" and maybe even the same will work throughout the house depending on the house size and layout.

I got a 3 pack for my house + garage/shop that's located 100' in another building from the AP I use in the house. The AP in the house is on the furthest side of the house, installed SIDEWAYS at about 5' high.. AKA it's hanging from the CAT5 cable on something that was already there to hook it to. My house is 3 stories, this is on the middle floor, far corner behind an "outside wall" (not just drywall) that backs up to a closet before any "air/free space" in the house that a human might occupy. I've had the AP turned toward the house, and toward the shop, turned the WRONG way toward the garage/shop; I could NEVER tell a difference in my house which was BEHIND the AP. Facing my house the AP worked FINE in the garage. I ended up only using this 1 AP, and it gets service 300' or more behind it, installed 5' off the ground.

Ubiquiti UAP-LR-3 UniFi AP Enterprise Long Range WiFi System, 3 Pack

That's the model / package I got.
 
Sounds like you are over complicating this. Keep it simple and secure. Otherwise it will come back to bite you with support requests.

And since it's your buddy (and I don't think you're getting paid), this is a scenario where you DON'T want additional support requests. :D
 
I've had bad luck with the Cisco RV series. Specifically:

Settings not taking or losing settings frequently
VPN connectivity works only if the stars are aligned properly on the given day.

Granted, this was on the older models that came over with the Linksys purchase, but the issues were well known, and no fixes were offered after several years of Cisco ownership, even though the products were still being sold.
 
Sounds like you are over complicating this. Keep it simple and secure. Otherwise it will come back to bite you with support requests.

And since it's your buddy (and I don't think you're getting paid), this is a scenario where you DON'T want additional support requests. :D


My problem is: I don't see any way to simplify it, if I am forced to use the existing nightmare house network and still keep the 3 networks separate + VPN access.



I've had bad luck with the Cisco RV series. Specifically:

Settings not taking or losing settings frequently
VPN connectivity works only if the stars are aligned properly on the given day.

Granted, this was on the older models that came over with the Linksys purchase, but the issues were well known, and no fixes were offered after several years of Cisco ownership, even though the products were still being sold.


Yeah I would really like to avoid reliability issues, maybe I should look at other stuff.


Speaking of which, does anyone have any experience with: http://routerboard.com/

It seems they offer killer features for very low prices
 
The main thing is to keep the network architecture simple and secure. I noticed that the security aspect of your network architecture is missing. This is extremely important, especially since your friend works in the medical field. It's crucial to protect patient data, as the number of hacks on healthcare organizations rises every day. I recommend implementing a multi-layer protection system that includes an early detection system, an anti-virus software and a firewall. Let me know if you have any other questions!
 
You might want to look into a Fortinet UTM type device. Depending on model, it will have built in Wifi Controller along with Web, Spam, Antivirus, IDS, and IPS filtering. It can also handle your VPN connections as well. The subscription isn't too high per year on those in my opinion.

Don't you hate building things with a low budget.
 
I second the above Fortigate opinion as a step in the correct direction. I also see nothing in your proposal about a backup solution. Without a backup plan in place along with periodic testing this is a disaster waiting to happen.
 