"best practice" for network design given these components?

By R_O_L_A_N_D
I have an office whose network I'm designing.
It has the following already existing hardware:
- Cisco ASA firewall
- 1 core Cisco switch
- 4 edge Cisco layer 3 switches (all Gb)
- 10 Apple AirPort Express

NATted services:
- CCTV/DVR
- Open Directory/DNS/file server

- 4 distinct types of end users/departments.

I'm considering the following:

internet -> ASA -> DMZ (Open Directory + DVR) | internal gateway (iptables or TMG) providing caching and traffic shaping -> core switch -> edge switches (the VLANs mentioned)

These are the questions I'm thinking about at the moment:
1. Who handles DHCP? The core switch or the gateway (Windows/Linux)?
2. I need per-user logging; how can I enable that with VLANs? In other words, I want to go into my gateway and see that user X from VLAN Y has traffic to destination Z. Is that possible, or am I bound to just see the subnet source for each VLAN? (This part is related to where DHCP is set.)
3. Should I put CCTV/DVR and Open Directory in two separate VLANs inside the DMZ?
4. What's the best practice for access points: use them as a bridge, or should they serve their own DHCP?
5. I need to add VPN access. Should I rely on the ASA, or is it better to use a separate appliance?
6. In case I acquire a VPN appliance for users to connect to, what's the best location for it? In the DMZ or outside the firewall?
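Question 2 asks whether the gateway can show which host on which VLAN talked to which destination. As an added example that is not part of this thread, the Python below shows how a gateway that both serves DHCP and logs forwarded flows (iptables LOG) can join the two records; the VLAN subnets, lease records and log lines are all constructed, and the point it makes is that the lease history must be time-aware, because the same address is handed to different hosts over the day.

```python
import ipaddress
import re
from datetime import datetime

# Constructed data for this added example (not from the thread): assumed VLAN
# subnets, a DHCP lease history, and iptables LOG lines from the gateway.
VLANS = {"VLAN10": ipaddress.ip_network("10.0.10.0/24"),
         "VLAN20": ipaddress.ip_network("10.0.20.0/24")}
# (time granted, ip, mac, hostname). 10.0.10.25 is reused by a second host at
# noon, so the current lease table alone would misattribute the morning flow.
DHCP_LEASES = [
    ("2013-03-01 08:00:00", "10.0.10.25", "00:11:22:33:44:55", "alice-pc"),
    ("2013-03-01 09:30:00", "10.0.20.40", "66:77:88:99:aa:bb", "bob-laptop"),
    ("2013-03-01 12:00:00", "10.0.10.25", "cc:dd:ee:ff:00:11", "carol-pc"),
]
GATEWAY_LOG = """\
2013-03-01 08:15:10 kernel: FWD IN=eth1.10 OUT=eth0 SRC=10.0.10.25 DST=203.0.113.7 PROTO=TCP DPT=443
2013-03-01 09:45:02 kernel: FWD IN=eth1.20 OUT=eth0 SRC=10.0.20.40 DST=198.51.100.3 PROTO=TCP DPT=80
2013-03-01 12:30:45 kernel: FWD IN=eth1.10 OUT=eth0 SRC=10.0.10.25 DST=203.0.113.7 PROTO=TCP DPT=443
"""
LOG_RE = re.compile(r"^(\S+ \S+) .*?SRC=(\S+) DST=(\S+)", re.M)

def vlan_of(ip):
    """Name the VLAN whose subnet contains ip, or None if it is not a known VLAN."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), None)

def lease_at(ip, when):
    """(mac, hostname) holding ip at `when`: the latest lease granted at or
    before that moment, so a reused address maps to the right host."""
    earlier = [l for l in DHCP_LEASES
               if l[1] == ip and datetime.fromisoformat(l[0]) <= when]
    if not earlier:
        return None
    _, _, mac, host = max(earlier, key=lambda l: l[0])  # ISO strings sort in time order
    return mac, host

def attribute(log_text):
    """Join each gateway flow to its VLAN and to the lease holder at flow time."""
    rows = []
    for m in LOG_RE.finditer(log_text):
        when, src, dst = m.groups()
        lease = lease_at(src, datetime.fromisoformat(when))
        rows.append({"time": when, "vlan": vlan_of(src), "src": src, "dst": dst,
                     "host": lease[1] if lease else "unknown",
                     "mac": lease[0] if lease else None})
    return rows
```

The noon flow from 10.0.10.25 resolves to carol-pc, not alice-pc, which is exactly what a lookup against the current lease table would get wrong; a host that never obtained a lease (a static address, or one before logging started) shows as "unknown".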



All Answers


To back up around 500 feet

by robo_dev In reply to "best practice" for netwo ...

I have designed, deployed, and managed enterprise WLANs.

Putting ten Airport Express APs all together is like a minibus filled with cheerleaders. It might look pretty and seem like a great idea at first, but long term may not work so well.

Almost any commercial-grade WLAN solution (Cisco, Aerohive, Aruba) is going to give you several features you need to think about: frequency coordination, roaming, as well as centralized management, power over ethernet, and even mesh topology so you don't need to run 10,000 feet of cable to connect the APs to the wired LAN.

Putting a whole lot of 'dumb' APs in one place creates RF issues, since there are not enough overlapping channels to work with, and roaming issues, since WLAN devices can only roam from one AP to another if the two APs know about each other (IAPP, Inter Access Point Protocol). I won't mention the issues with having to bounce the power via a ladder (versus having Power over Ethernet, PoE). With standalone APs you will see every device connect to one AP while a less congested AP with nobody connected to it is within radio range.
