Our companies network, need advice.

martinmarquez · 2015-10-16T18:54:32.000Z

This is my company and I am not happy with it.
My position is entry level tech and this is my first step at moving forward and I need your help, please.

Post your comment regardless of what everyone else has said, I need to know your opinion if you have one. It helps me understand how to make decisions that best suite my company. Thank you.

I feel we bottleneck at the main switch, as the image shows. Our whole network is also on the same sub net and managed only through the Sonic Wall Firewall. I feel a Cisco router would be more suitable for this company, however, if anyone is familiar with Sonic Wall and feels this device is just as capable please comment your experience and preference.
My thoughts are:

remove the Unmanaged Switches from the Server Racks, install Managed Switches and have the DSL line go directly to the Server Rack that hosts the RDP and data.
change the Main Switch to a fiber heavy switch to support more Managed Switches
remove the printers and PC’s that connected directly to the main switch and have them on a separate managed switch
utilize the Sonic WALL (or future router) ports to create separate networks that can be managed through their own Managed Switch to help reduce traffic through the single Main Switch

Again, please post all your comments, I appreciate criticism but please no rude comments I am not experienced and am looking for support.

Thanks.

aldrin · 2015-10-16T19:16:00.000Z

May I ask how many devices are we talking about here?

Definitely remove the connected printers and PC’s from the backbone switch.

martinmarquez · 2015-10-16T19:27:23.000Z

In total 70 end PC’s and about equivalent amount of network peripherals such as printers, label printers, etc.
220 IP addresses in total are being used under this one sub net, however this is all traffic including back ups, so our network is slowed to a crawl at midnight. Luckily we are closed during those hours.

PatrickFarrell · 2015-10-16T23:47:05.000Z

Replacing the Sonicwalls with a Cisco isn’t really going to help you here, you’ll just be changing the name in the middle of the design issue.

I have a few questions.

The offsite locations, this is strictly fiber switch to switch, there’s no internet in the middle that we have to worry about securing, right?

You have a main site and retail site internet connection, but both coming into the same network. They imply that they are going to other sites, but those other sites aren’t in the diagram. Are these just redundant internet connections? If so, you can actually run these both off a single sonicwall or cisco.

You can have multiple subnets with managed switches using vlans, which may… or may not simplify things for you. It will not improve bandwidth on the lan however. If you’re on a class C, you’re getting up there in IP utilization, so separating users from printers/servers might be an option.

What are the switch speeds in question, are they 100MB, 1GB, 10GB? What speed are the uplinks? If you’re backing up vm’s across those switches at 1GB, using link aggregation can potentially enhance things by giving you multiple traffic lanes for different streams. (Any individual connection however would still be limited to the single link speed limit). If you are backing up your 3 vm hosts to the off site ctera, that may be an issue. You would need some extra fiber pairs/gbics to create a lag.

For RDP and DSL, that still must go through a firewall before hitting your network. Having it jump through 1 switch or 3 before it gets to your server should not matter at all unless there are some serious network problems. Take a look at your current managed switches. Look at the utilization. Look at the logs. Make sure you don’t have any physical issues such as network loops that are killing your bandwidth.

apsutcliffe · 2015-10-17T04:03:22.000Z

Trying to avoid repeating the excellent advice from Patrick.

Is your core switch a single device? If so, it might be worth considering what you would do if that failed (you should try to avoid having a single point of failure).

You might also want to consider switch devices that have the option for multiple power source. You don’t indicate if there are UPS, for a network of this size, I’d suggest that should be a consideration, probably for most of the switches.

You also seem to have a mix of fibre and copper for connections from the core switch; I’d suggest that you’ll want to stick to one type. (I’d suggest that you want the edge switches going to the core, nothing else).

I’d definitely recommend getting rid of all unmanaged switches and replace with managed.

I’d agree with Aldrin that it might also be worth highlighting the number of hosts, particularly on each segment; it might be appropriate to consider if there is a need to re-balance the way that they are connected.

BTW, welcome to Spiceworks! I suspect that you’ll find most “rude” comments come from people that are fairly new to the community; they see that elsewhere and expect it here. Although some people on this site can get very passionate, especially about their own area of expertise, overall, we’re a pretty tolerant bunch.

lukaszp7317 · 2015-10-18T08:23:43.000Z

Can you separate offsite location with their own broadband line? You could use one of the Sonicwalls for them. The other Sonicwall can handle both existing lines (like Patrick mentioned). You can then set up site to site vpn and have the offsite location totally independent saving some resources at your main site.

Get rid of unmanaged switches.

What is the main switch?

What are the Sonicwall models and how fast is your fiber line?

tom2338 · 2015-10-18T22:18:37.000Z

Just to reiterate, replace the unmanaged switches. Once you do this, you can then segment into separate vlans.

If you are running into high network utilization at midnight, is it due to the amount of traffic being sent to/from the servers? Using managed switches may help a little with this. What are the links between the unmanaged switches and your core switch? If they are fiber, can you add another fiber link to increase throughput? If they are ethernet, by using managed switches, you can create a trunk to provide more available throughput between switches.

If the traffic is coming from the servers, can you “bond” multiple nics from the servers?

Regarding what Aldrin mentioned about removing printers and pc’s from your core (main) switch, there is no need to do that. It is a switch.

martinmarquez · 2015-10-19T12:28:59.000Z

PatrickFarrell:

I have a few questions.

The offsite locations, this is strictly fiber switch to switch, there’s no internet in the middle that we have to worry about securing, right?
Correct, no internet, the offsite location is down the street about half a mile, I already have plans on trying to talk our director into setting up a 3rd location across town.

You have a main site and retail site internet connection, but both coming into the same network. They imply that they are going to other sites, but those other sites aren’t in the diagram. Are these just redundant internet connections? If so, you can actually run these both off a single sonicwall or cisco.
The retail site pays a separate bill for their internet to access one server, they are not considered part of our company even though they have the same owner. So they are paying for internet to avoid our bandwidth, but based on our network having everything on the Main Switch, I feel they still may be affected by our network usage. What do you think? (Their network is small, only 7 PC’s and that tends to be my test network as part of my training that I developed for myself.)

You can have multiple subnets with managed switches using vlans, which may… or may not simplify things for you. It will not improve bandwidth on the lan however. If you’re on a class C, you’re getting up there in IP utilization, so separating users from printers/servers might be an option.
Well I was thinking of separating by different sub nets to help manage our various departments. Right now we are at our lowest employee rate, however, there has been a time I heard of when we had about 50 more employees working in the office using PC’s. We also have a new brand put in to the manufacturing line and if it is successful then we might have a handful of new employees to manage that department. I like the separation of users and printers/servers, I might look into that instead of separation of departments.

What are the switch speeds in question, are they 100MB, 1GB, 10GB? What speed are the uplinks? If you’re backing up vm’s across those switches at 1GB, using link aggregation can potentially enhance things by giving you multiple traffic lanes for different streams. (Any individual connection however would still be limited to the single link speed limit). If you are backing up your 3 vm hosts to the off site ctera, that may be an issue. You would need some extra fiber pairs/gbics to create a lag.
Every switch is 1GB.
Uplinks, please elaborate on this question for me.
Are you suggesting link aggregation on the switch or on the server? We have our 2 newest VM servers setup with link aggregation but these connect to our unmanaged switch.
I will create another diagram for the switches with models and ports, but we are backing up everything to off site ctera, I will have to research if our switch allows link aggregation. Our managed switches 4 gigabit sfp ports, that particular one is using 2 so only 2 are available.

For RDP and DSL, that still must go through a firewall before hitting your network. Having it jump through 1 switch or 3 before it gets to your server should not matter at all unless there are some serious network problems. Take a look at your current managed switches. Look at the utilization. Look at the logs. Make sure you don’t have any physical issues such as network loops that are killing your bandwidth.
So far I have not found any loops or major utilization issues, we are a manufacturing plant so with marketing uploading raw images to their storage we see high usage occasionally, otherwise normal traffic throughout the day.

I answered the best I could in bold text above.

I do also want to add I have no previous documentation on this network. So anything I say is to the best of my knowledge from tracing or toning wires myself. Any questions I do not know will require research to figure out and I really appreciate these elaborate questions they help a bunch.

martinmarquez · 2015-10-19T13:15:41.000Z

Bottman:

Is your core switch a single device? If so, it might be worth considering what you would do if that failed (you should try to avoid having a single point of failure).

You might also want to consider switch devices that have the option for multiple power source. You don’t indicate if there are UPS, for a network of this size, I’d suggest that should be a consideration, probably for most of the switches.
Core switch is a NetGear GS752TP, standard managed switch. We have a back up switch on standby but this would require disconnecting all devices and reconnecting to the back up. What are some recommendations for other types of switches, brands models?
We have switch UPS that I did not put into the diagram, but there is one for every switch as well as 3 per server rack, however the UPS that compliment each switch is only APC 500 or equivalent. Do you think these UPS are adequate for each of these Switches?

You also seem to have a mix of fibre and copper for connections from the core switch; I’d suggest that you’ll want to stick to one type. (I’d suggest that you want the edge switches going to the core, nothing else).

I’d definitely recommend getting rid of all unmanaged switches and replace with managed.
I agree with both of your statements, thank you for that.

I’d agree with Aldrin that it might also be worth highlighting the number of hosts, particularly on each segment; it might be appropriate to consider if there is a need to re-balance the way that they are connected.
I will create another diagram with more detailed information and post it at a later time.

BTW, welcome to Spiceworks! I suspect that you’ll find most “rude” comments come from people that are fairly new to the community; they see that elsewhere and expect it here. Although some people on this site can get very passionate, especially about their own area of expertise, overall, we’re a pretty tolerant bunch.
Thank you for this, a couple months back I had tons of questions but I was patient and figured most of them on my own, with both Spiceworks and my companies network. So its great to have a community to come to for help.

martinmarquez · 2015-10-19T13:41:19.000Z

lukasos:

Can you separate offsite location with their own broadband line? You could use one of the Sonicwalls for them. The other Sonicwall can handle both existing lines (like Patrick mentioned). You can then set up site to site vpn and have the offsite location totally independent saving some resources at your main site.
This might be a future possibility but for now finances will not allow us to open up a second broadband line. Also, with our off site being only half a mile down the street, I can not think of a way to approach my superiors with a request for a broadband connection when the connection is already established, their more than likely response would be why waste money monthly when the connection already exists. If you know of a good rebuttal, I would appreciate hearing it. Remember, financials only sears dollar signs, if the rebuttal does not contain savings then they are deaf to it. However the 3rd back up site will have its own broadband because it will to be an already existing isolated site, if they approve.

Get rid of unmanaged switches.
Great idea.

What is the main switch?
NetGear GS752TP, I beleive it is a standard managed switch with 4 port sfp. What are your thoughts on it?

What are the Sonicwall models and how fast is your fiber line?
Main Site Sonic WALL is a NSA 3500, RDP DSL Line is TZ 400.
Fiber speed is 50mbps.

martinmarquez · 2015-10-19T13:59:53.000Z

Tom2338:

Just to reiterate, replace the unmanaged switches.
Yup.

Once you do this, you can then segment into separate vlans.
Which ones specifically did you have in mind?

If you are running into high network utilization at midnight, is it due to the amount of traffic being sent to/from the servers? Using managed switches may help a little with this. What are the links between the unmanaged switches and your core switch? If they are fiber, can you add another fiber link to increase throughput? If they are ethernet, by using managed switches, you can create a trunk to provide more available throughput between switches.
Yes I believe Patrick mentioned Link Aggregation between the switches so I am considering this and creating trunk lines as well from the Server Rack switches to the Main Switch.

If the traffic is coming from the servers, can you “bond” multiple nics from the servers?
Our newest servers offer the LAG option but I will put something in the works for the Switch LAG. As for the older servers, its just a matter of waiting for finances to be right and upgrade.

Regarding what Aldrin mentioned about removing printers and pc’s from your core (main) switch, there is no need to do that. It is a switch.
I understand your point, I think from a management stand point it would be best to isolate these devices to their own switch and not have to worry about accidental mishaps on the backbone switch when attempting to configure end user restrictions. Is my thinking reasonable on this situation?

robhall · 2015-10-19T18:07:07.000Z

Definitely can those unmanaged switches. They’re a L2 broadcast storm waiting to happen.

If it’s in the budget, go 10Gbe for your core. I’d build out the server room section (racks/core) with a pair of Nexus 5548P switches with L3 modules, and plumb 2148T or 2248 FEXs in at ToR switches in the racks. That way you can manage them all as one switch, and you have redundancy.

For the access layer, something like 2960X’s would work - you can run the two 10Gb uplinks back to the Nexus core using a vPC, running one link on each switch for redundancy. These are also stackable, so you can expand them fairly easily.

Definitely segregate the production groups by VLAN. There’s no reason for Marketing to have access to the printers in Manufacturing, etc. Not to mention it’ll free up your IP ranges some.

Are there any honest-to-goodness routers in the topology, or just the sonicwalls?

martinmarquez · 2015-10-19T18:52:52.000Z

robhall:

Definitely can those unmanaged switches. They’re a L2 broadcast storm waiting to happen.
I will work on this, thank you.

If it’s in the budget, go 10Gbe for your core. I’d build out the server room section (racks/core) with a pair of Nexus 5548P switches with L3 modules, and plumb 2148T or 2248 FEXs in at ToR switches in the racks. That way you can manage them all as one switch, and you have redundancy.
Would this option be the same as link aggregation?

For the access layer, something like 2960X’s would work - you can run the two 10Gb uplinks back to the Nexus core using a vPC, running one link on each switch for redundancy. These are also stackable, so you can expand them fairly easily.
Without solid financial savings I would not be able to upgrade anything to 10Gb. I am sure this will allow for a more smooth network but if link aggregation can provide the same results then we might end up moving that route.
After reviewing our current switches, 2 of the 6 are not 10Gb capable, 1 of the 2 is the backbone switch. Hmm, thank you for this recommendation I will look into it more.

Definitely segregate the production groups by VLAN. There’s no reason for Marketing to have access to the printers in Manufacturing, etc. Not to mention it’ll free up your IP ranges some.
I am going to look into this some more, I have to be careful because our Loftware and other manufacturing programs rely on the IP address to relay print jobs. Some of these programs are very stubborn and do not like change.

Are there any honest-to-goodness routers in the topology, or just the sonicwalls?
No, this does worry me and am needing to know if that device is reliable enough to handle this network along with any upgrades we add, such as 10Gb. I did not know Sonic WALL existed until I started working here and was completely dumbfounded by it, but I really don’t feel comfortable with having a firewall run routes, non the less it being a Dell.

robhall · 2015-10-19T19:10:53.000Z

It’s not exactly the same as link aggregation - the 2000 series Fabric Extenders do use LAG to connect back to the parent device(s) (virtual Port Channel/mLAG if two parent devices), but once they connect, they show up on the parent device as a line card. They’re dumb devices with no configuration of their own, and they cannot be used as standalone switches. When you connect one, it’s configured through the parent device, as if its interfaces were directly connected.

As long as your application doesn’t communicate via broadcast, then you shouldn’t have an issue segregating traffic by VLANs - if it does, there are other methods like ip helpers that can get around that issue.

For routing, it depends on what the network’s functions and end goals are - i’m personally not a fan of the sonicwalls.