How to successfully set up an in-house network!
Building an in-house network for an SME is a multi-faceted and exciting challenge. You often hear from newcomers to the field that it’s hard to get an overview of the material and all the important aspects of decision making. That’s why we have tried to compile the most important issues in this area and give a rough overview.
In order to make further research less difficult, we have tried to at least briefly touch on further aspects, so that you have a starting point.
Which type of connectivity should I prefer?
Certainly, for many of you who come from a home networking background, WLAN is the preferred choice for networking clients to the Internet or to each other.
Undeniably, a WLAN offers many advantages: spatial independence is probably the biggest; the low costs and the elimination of cabling are also weighty arguments.
In the corporate world, however, WLANs unfortunately also bring with them many disadvantages. Besides the lower bandwidth, which some can still live with, there is another serious problem with WLANs, and that is called the shared medium. In the past, in old hubs, all clients involved in network communication shared a bus, simplified: a cable with many sockets on it. Only one client could transmit at a time, so the bandwidth in the network was also limited by the number of clients participating in the communication. Switches almost completely eliminated this problem by the end of the 90s. WLANs have tried to avoid this problem by using different channels and other tricks, but since there is only one "ether" in each room, WLANs are also communication in a shared medium. So, as soon as many clients come together in a small space, as is often the case in office buildings, the bandwidth and the reliability of the communication decrease here as well.
Furthermore, there is the problem of security. Although modern encryption algorithms provide sufficient security for WLANs, you should still try to handle especially high-value and "expensive" information as discreetly as possible. Cables are clearly the better choice.
To keep your network manageable and expandable, you should plan at least two Ethernet interfaces per intended workstation.
At the workplace, the interface should be provided in the form of a socket, depending on the situation in a floor box or in wall-mounted cable trunking near the power sockets. If you lack the necessary expertise, you should have this cabling work carried out by an electrician or an installation company. In larger buildings there are many fire safety regulations, and poorly terminated outlets can lead to a big performance loss and hidden faults that cause a lot of headaches later on.
In order to be able to change active components easily and to keep an overview, it is advisable in networks of approx. 50 participants that the cables you run from the workstations into the network rooms terminate on so-called patch panels. Labeling the panel ports to match the sockets at the workstations ensures that you always know what is at the other end of the line.
Your patch panels and network devices should be suitable for installation in a so-called 19″ rack; such cabinets are available in different sizes and with different features. They offer the great advantage that your expensive equipment can be stored somewhere central and locked away from dust and unsuspecting cleaning ladies.
Although communication in companies should mainly take place via cable, it can make sense to operate a WLAN parallel to the classic network structure, for example for guests, mobile devices for synchronization or for sales staff without their own workstation. However, security aspects and a configuration that is as restrictive as possible should be given the utmost importance.
Which active network components do I need?
The type and quantity of so-called active components (i.e. network devices that have a plug) depends on the size of your network and the security and maintainability requirements you have.
You will need at least switches where the cables from the patch panel arrive. If you also want Internet access, you need one or more routers that are connected to the switches. In very small networks, routers with integrated switches can also be used.
If you want to separate network segments from each other, for example to reduce the size of broadcast domains and thus prevent broadcast storms, you should use managed switches. These are able to handle different VLANs (virtual LANs, completely separated LAN segments running on one switch) and can set up "trunks" among each other to exchange packets from different VLANs across several parts of the building. For example, you can manage all developers of a company, even if they are not sitting together, in a separate LAN with special rights that, for example, commercial employees do not have.
Probably you will want to offer your own services like e-mail or file servers in your network. These should be connected to their own switch in a master network room. Switches today can also often act as router-on-a-stick (ROAS), routing data from one VLAN to another. If your switches do not support this, you will have to plan your own router capacity for this.
Which IP addresses should I choose?
One of the most important decisions in your network is the address structure. Most in-house networks are still operated with IPv4 today, and in the beginning you will surely do well to stay with it. It is important to know that the protocol reserves special address ranges which are "private". These addresses are generally not routed to the Internet by routers; requests from outside to these addresses are always rejected by a router. This is a huge security gain. Unless your clients have a public IP (which, by the way, you cannot simply assign yourself, but have to apply for and, if necessary, also pay for), they should always get an IP from this private address range. Depending on the size of your network you have the choice between a Class A, B or C network. Best known are addresses in the range of 192.168.X.X; here 254 networks with 254 clients each are possible. Class-B networks are mainly intended for larger organizations where more than 254 clients should be in one network (this is achieved by CIDR and subnetting, a topic which is unfortunately too broad for our article). You will never be able to implement Class A networks in an SME in a meaningful way.
With the 254 networks that the Class-C range offers you, you will be able to make sensible divisions in most cases. Even if you have already separated your network segments by VLANs, it makes sense to use different networks in different areas, if only for the sake of clarity. Maintenance of your network is greatly simplified by such measures.
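As an added example (not part of the original article), here is a small Python check for such an address plan using the standard ipaddress module: it verifies that every segment lies in one of the private RFC 1918 ranges, that segments do not overlap, and that each holds the number of clients planned for it, and it hands out one 192.168.X.0/24 network per VLAN. The segment names, addresses and client counts are constructed.

```python
"""Sanity check for an SME address plan built from private address ranges."""
import ipaddress
from typing import Dict, List

# The three private (RFC 1918) ranges that routers do not forward to the Internet
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_rfc1918(cidr: str) -> bool:
    net = ipaddress.ip_network(cidr, strict=False)
    return any(net.subnet_of(r) for r in RFC1918)

def check_plan(plan: Dict[str, str], hosts: Dict[str, int]) -> List[str]:
    """Return a list of problems; an empty list means the plan is sound."""
    problems, nets = [], {}
    for name, cidr in plan.items():
        net = ipaddress.ip_network(cidr, strict=False)
        nets[name] = net
        if not is_rfc1918(cidr):
            problems.append(f"{name}: {net} is not a private (RFC 1918) range")
        usable = max(net.num_addresses - 2, 0)  # network and broadcast address are not assignable
        if hosts.get(name, 0) > usable:
            problems.append(f"{name}: {hosts[name]} clients planned but {net} only offers {usable}")
    names = list(nets)
    for i, a in enumerate(names):          # every pair of segments must be disjoint
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"{a} ({nets[a]}) overlaps {b} ({nets[b]})")
    return problems

def allocate_class_c(vlans: List[str], base: str = "192.168.0.0/16") -> Dict[str, str]:
    """Hand out one /24 ("Class C") network per VLAN from the 192.168.X.X space, in order."""
    subnets = ipaddress.ip_network(base).subnets(new_prefix=24)
    return {name: str(next(subnets)) for name in vlans}

# Constructed plan with one mistake of each kind the check looks for
EXAMPLE_PLAN = {
    "servers": "192.168.10.0/24",
    "developers": "192.168.20.0/24",
    "sales": "192.168.20.128/25",   # lies inside the developers segment
    "guests": "203.0.113.0/24",     # a documentation range, not RFC 1918
}
EXAMPLE_HOSTS = {"servers": 12, "developers": 300, "sales": 20, "guests": 50}

if __name__ == "__main__":
    for problem in check_plan(EXAMPLE_PLAN, EXAMPLE_HOSTS):
        print("PROBLEM:", problem)
    print(allocate_class_c(["servers", "developers", "sales"]))
```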
How do I configure my network?
So once you have decided on an address structure, you should think about whether you want to assign fixed addresses to the clients or enable a DHCP server on your switches (or on your routers; depending on the quality of the switches, they may not have DHCP capability). Both have advantages: with fixed addresses you can reliably identify clients, which in some situations helps you with authorization problems. If the clients get their address via DHCP, they are easier to replace and more mobile. In between there are other possibilities, for example a DHCP server that knows its clients and always assigns the same address to known clients. Windows login scripts, which rely on a DHCP server within a Windows server, are also a good way to keep order in your network.
What you decide to do depends on the size of your network as well as your budget. It is important that you find a concept that makes it as easy as possible for you to maintain your network later, especially to expand or replace clients and to adapt to changing requirements.
So after you have ensured connectivity on layers 1 and 2 (i.e. the "cable layer" and the "home network layer"), you should take care of configuring the VLANs in your switches and connecting the routers to your VLANs.
Very simple routers work on the principle that all data transported over a predefined WAN interface should be available for all connected clients at the LAN interfaces. Normally these routers will block all requests from the outside and allow all requests from the inside to pass through unhindered to the outside. This behavior makes little sense for enterprise routers.
By means of a tool called access lists, which are also used on firewalls, you can teach your router exactly which "services" (i.e. communication on which TCP ports) and which IP address ranges are allowed to access which other ranges and services. For example, you can regulate access to certain areas of the Internet or make sure that certain clients can only reach the servers made available for them on the network. In this way you can also allow individual servers of yours to be reached from outside, for example to connect distributors or home offices to your network. The instrument of port forwarding is usually used for this purpose. This way you can use one public IP address, which you usually get for free from your ISP, to make multiple servers reachable.
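To make the first-match logic of such an access list concrete, here is an added Python example (not from the article, and not the syntax of any real router or firewall): a tiny evaluator that compares the behaviour of a very simple router ("everything from inside may go out, nothing comes in") with a restrictive enterprise list that permits only the needed services plus one port-forwarded server reachable from home offices. The segment addresses, the public IP and the port numbers are constructed.

```python
"""First-match access list of the kind the article describes: which source range may
reach which service (TCP port) in which destination range; no match means drop."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR of the sources this rule applies to
    dst: str                     # CIDR of the destinations
    dport: Optional[int] = None  # TCP port of the service; None matches any port

def matches(rule: Rule, src_ip: str, dst_ip: str, dport: int) -> bool:
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))

def evaluate(acl: List[Rule], src_ip: str, dst_ip: str, dport: int) -> str:
    """The first matching rule decides; a flow no rule permits is denied (implicit deny)."""
    for rule in acl:
        if matches(rule, src_ip, dst_ip, dport):
            return rule.action
    return "deny"

# Constructed segments and a constructed placeholder for the ISP-assigned public address
WORKSTATIONS, SERVERS, HOME_OFFICE = "192.168.20.0/24", "192.168.10.0/24", "203.0.113.0/24"
PUBLIC_IP, ANY = "198.51.100.10/32", "0.0.0.0/0"

# A very simple router: everything from inside may go anywhere, nothing comes in
SIMPLE_ROUTER = [Rule("permit", "192.168.0.0/16", ANY)]

# Enterprise-style list: only the services that are needed, plus one published server
ENTERPRISE = [
    Rule("permit", WORKSTATIONS, SERVERS, 445),   # file server (SMB) for the workstations
    Rule("permit", WORKSTATIONS, SERVERS, 25),    # mail server
    Rule("deny",   WORKSTATIONS, SERVERS),        # nothing else on the server segment
    Rule("permit", WORKSTATIONS, ANY, 443),       # web access to the Internet
    Rule("permit", HOME_OFFICE, PUBLIC_IP, 443),  # port-forwarded server, home offices only
]

if __name__ == "__main__":
    for src, dst, port in [("192.168.20.7", "192.168.10.5", 445), ("192.168.20.7", "192.168.10.5", 3389),
                           ("203.0.113.9", "198.51.100.10", 443), ("192.0.2.44", "198.51.100.10", 443)]:
        print(f"{src} -> {dst}:{port}  simple={evaluate(SIMPLE_ROUTER, src, dst, port)}"
              f"  enterprise={evaluate(ENTERPRISE, src, dst, port)}")
```

Note how the explicit deny rule for the server segment sits before the general web-access rule: with first-match semantics, order is what keeps a broad "permit to anywhere" rule from quietly opening the servers.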
If you plan to do something like this, it is recommended to invest in another router that acts as a firewall and thus gives you the possibility to build a real DMZ (for system-theoretical reasons a DMZ with only one router can never provide sufficient security; contrary to what the advertising of some router manufacturers promises, that is by definition not a DMZ but an exposed host).
How to keep my network running?
To make maintenance possible and keep track of your network, meticulous documentation is essential. This documentation is almost as valuable as your whole network, without it you can face unsolvable challenges even with the smallest problems and will spend a lot of time searching for actually known information.
Furthermore, there are network management tools such as Nagios, which show you your networks and clients on a clear interface and retrieve errors and status messages from your devices using SNMP. With these tools you can also trigger some reboots from your desk. This way you can proactively counteract problems and often fix minor damage before your users even notice anything is wrong.