Background
Fairly early in my tenure at Focus Camera, they decided that the time had come to open another brick-and-mortar store in a shopping center in Lakewood, NJ. Originally they had decided to have a simple consumer-style setup there, in a location that doubled as an office. Obviously, this was rather distasteful to me and the others in our IT department. It would be difficult for us to manage such a simple setup, and we wouldn't be able to provide the services the location needs to function. After some convincing, we decided to make it a proper business setup, using all of the latest standards of security.
The Plan
The task fell upon me to decide how the network should look and what network services should be provided, and how. I wanted to make the network secure, including lots of VLANs to segment the network as much as would make sense for the location. Note that this location has both an office below, and a store above. This offered a great opportunity to implement a number of VLANs at that location that have served us well and are in operation to this day.
The Physical Layout
I decided that for this location, it would be perfect to have two switches, one for PoE devices and one for non-PoE devices. The PoE switch has VLANs for phones, internal WiFi, public WiFi, management, and security cameras, and the non-PoE switch has VLANs for the office network, another management VLAN, the internal store network, as well as a public store network VLAN that ended up not being used, due to a change in plans. This segmentation proved to work well, and no significant changes were made to this design since its inception.
The Logical Layout
The first step was to decide on a good IP range to use for the network. I decided the 10.0.0.0/8 block would give me the most flexibility. It is indeed the block I prefer to use in general, due to the availability of three completely customizable octets. Convenient! So, each VLAN was given a /24 under a shared prefix, which of course allows route summarization (although I wasn't using routing protocols at this location, just static routes; that was enough for a small company).
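To make the addressing plan concrete, here is an added example (not from the original post) that carves one /24 per VLAN out of a shared site prefix, computes the single summary route a static-routing peer would need, and checks that no two VLAN subnets overlap. The site prefix 10.50.0.0/20 and the VLAN-to-subnet mapping are assumptions for illustration; the post only says that the VLANs were /24s under a shared prefix within 10.0.0.0/8.

```python
import ipaddress
from itertools import combinations

# Constructed example. The post allocates one /24 per VLAN out of 10.0.0.0/8 under a
# shared prefix but names no concrete addresses, so the site prefix 10.50.0.0/20 and
# the VLAN-to-subnet mapping below are assumptions for illustration only.
SITE_PREFIX = ipaddress.ip_network("10.50.0.0/20")

# The nine VLANs the post describes across the PoE and non-PoE switches.
VLAN_NAMES = [
    "phones", "wifi-internal", "wifi-guest", "mgmt-poe", "cameras",   # PoE switch
    "office", "mgmt-core", "store-internal", "store-public",          # non-PoE switch
]


def allocate_vlans(site_prefix, names, vlan_prefixlen=24):
    """Hand out one subnet of the given size per VLAN, in order, from the site prefix.

    Returns a dict of VLAN name -> network. Raises if the site prefix cannot hold
    that many VLANs, a sizing mistake better caught here than after deployment.
    """
    pool = list(site_prefix.subnets(new_prefix=vlan_prefixlen))
    if len(names) > len(pool):
        raise ValueError(
            f"{site_prefix} holds only {len(pool)} /{vlan_prefixlen} subnets "
            f"but {len(names)} VLANs were requested"
        )
    return dict(zip(names, pool))


def summary_route(networks):
    """Smallest single prefix covering every network: the one static route a peer needs."""
    nets = [ipaddress.ip_network(n) for n in networks]
    candidate = min(nets, key=lambda n: int(n.network_address))
    # Widen the lowest subnet one bit at a time until it covers all the others.
    while not all(n.subnet_of(candidate) for n in nets):
        candidate = candidate.supernet()
    return candidate


def find_overlaps(networks):
    """Pairs of subnets that overlap; VLAN segmentation quietly breaks if any exist."""
    nets = [ipaddress.ip_network(n) for n in networks]
    return [(str(a), str(b)) for a, b in combinations(nets, 2) if a.overlaps(b)]


def free_subnets(site_prefix, allocated, vlan_prefixlen=24):
    """Subnets of the site prefix not yet assigned, i.e. room for future VLANs."""
    used = {ipaddress.ip_network(n) for n in allocated}
    return [s for s in site_prefix.subnets(new_prefix=vlan_prefixlen) if s not in used]


if __name__ == "__main__":
    plan = allocate_vlans(SITE_PREFIX, VLAN_NAMES)
    for name, net in plan.items():
        print(f"{name:15} {net}")
    print("summary route :", summary_route(plan.values()))
    print("overlaps      :", find_overlaps(plan.values()) or "none")
    print("spare /24s    :", len(free_subnets(SITE_PREFIX, plan.values())))
```

Keeping every VLAN under one site prefix is what lets the far end of the site-to-site VPN carry a single static route for the whole location instead of one per VLAN, and the overlap check is the sanity test to run whenever a VLAN is added or resized.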
Next, I decided it would be great to have the main router do DNS forwarding for all requests. This, as I figured, would allow me to easily direct DNS requests to wherever I wanted them to go. If I had to reboot the DNS servers, for example, I could temporarily stop sending requests to one of the redundant servers and use only the other. This is simple to do with DNS forwarding, but if the servers are handed out directly via DHCP, you'd have to wait for all the leases to be renewed if you wanted to prevent potential downtime. DNS forwarding resolves this nicely. So, with DNS forwarding on the router and two nameservers hosted on the local VM host, this setup provided DNS.
Of course, this VM host also had to be configured, and I did so by setting up Windows Server 2019 running Hyper-V. It has been quite stable, save for a bad Windows Update that broke about half the VMs for some reason, but otherwise it's been good! This all runs on a fairly recent (for 2021) Dell PowerEdge. For WiFi I decided to go pure Unifi. They've come a long way in recent years, and are now something I'd recommend for most businesses. A Unifi controller was set up as a VM, a guest network was set up on the controller along with an internal WiFi network, and with that the wireless setup was done.
Firewalls all put in place, a few NAT forwarding rules, as well as a site-to-site VPN, and you have yourself a network. This is what they use at that location today, and it remains stable and secure!