Improving My Home Network/Best Practices/Suggestions


NTL1991

New Member
Aug 20, 2018
11
0
1
Rhode Island, USA
Hello,

New member here and I'm happy to find a place where I can get some advice and learn. I've pieced my current network together from what was originally a standalone Cisco lab and tried to expand, solve some home network requirements and tie it all together as well as financially practical since this is just a hobby at present.

I started it way back with a FiOS WAN connection feeding a Cisco 3845 router, which was performing NAT and IPsec remote access VPN to the network. A Cisco 3560-48 PoE layer-3 switch was connecting all my devices including a few NETGEAR routers running DD-WRT. I wanted better VPN throughput and an actual firewall, so I got a Cisco ASA5520 with SSM-4GE.

I mothballed the 3845, and configured the ASA for NATing the FiOS connection, as well as providing VPN connectivity. I wanted to study Cisco WAPs so I scored a Cisco WLC4402 Wireless LAN Controller and 10 Cisco 3502 Lightweight Access Points, 6 of which are actively being used. (One is configured as a wireless bridge feeding a Cisco 3560-8 desktop switch in my office that can't be wired easily)

Reading the configuration docs for the WLC, everything recommended VLANs for efficiency, so I implemented VLANs on the 3560, which is doing all the routing.

I found an older but dirt cheap Cisco MCS-7825-H4 server on eBay. Turns out it's a rebranded HP ProLiant DL320 G5p with a Cisco bezel on the front. I purchased a 4-bay LFF drive cage, maxed out the RAM and CPU and it's currently set up as an ESXi 5.5 server with Cisco Call Manager and Cisco Unity.

Events transpired that necessitated IP Cameras on the property, so I purchased a used HP ProLiant DL360E G8 server with SFF bays, a couple Dahua IP cameras (so far) and Blue Iris software to record and manage.

I was lucky enough to find a free 27U server cabinet, complete with castors, sides and doors for FREE on Craigslist. It's really transformed this whole thing into something much more serious. I wanted better centralized backup power than my home office grade APC UPS, so I found a good used Tripp Lite SmartPro 2200VA 4U UPS.

NTL1991

New Member
Aug 20, 2018
11
0
1
Rhode Island, USA
So with the physical description down, here's what I've got going on logically.

The Verizon FiOS ONT is providing a copper feed to the ASA5520 which is obtaining the WAN address via DHCP. This is the OUTSIDE interface. The INSIDE interface of the ASA is 10.1.0.1/24, connecting via MM fiber on the SSM-4GE to the Cisco 3560 GigE interface, IP 10.1.0.2/24.

The Cisco 3560-48 switch is configured with the following VLANs:
- VLAN2 "Management" (10.1.2.0/24)
- VLAN3 "Access-Points" (10.1.3.0/24)
- VLAN4 "Local Clients" (10.1.1.0/24)
- VLAN5 "IP-Cameras" (10.1.5.0/24)
- VLAN6 "IP-Phones" (10.1.6.0/24)

The switch routes between the Vlans and is the DHCP server for each.

The switch is connected to the Cisco WLC4402 via an EtherChannel trunk on Gi0/1 and 0/2 with MM fiber. The IP Cameras and the teamed interface for the 4-port NIC on the DL360e G8 are all on VLAN5. The HP iLO management interface is connected to VLAN4. Wired desktops, media center equipment, etc. are connected through desktop switches to VLAN4.

The DL320 G5p ESXi server is connected to VLAN6, along with two (currently) Cisco 7970 IP Telephones. The HP iLO management interface is connected to VLAN4.

There is one WLAN configured, accessing VLAN4.

So as you can see I've got the switch doing a lot of work. I chose this figuring that one device, with one backplane, switching and routing with ASICs would be the superior way to manage data on the network. That's why I'm thinking that this would be the first device to see an upgrade, possibly to a 3560G to allow for faster throughput. Is this a reasonable theory? Two smaller, separate switches could help me with power management, however, as I could dedicate one to critical devices, while the other could remain unpowered in the event of a utility failure. (Example, leaving 1 central WAP powered by UPS during utility failure vs. 5)

How are the locations of the rack items? I slapped everything in the rack in my excitement but didn't really think too much about where the pieces should go. I still would like to get my hands on a Tripp Lite or HP Console LCD and Keyboard for the rack, so that would ideally be at waist height. Cable management will come once everything is settled in its somewhat-permanent position.

I've used some rack filler panels that I had lying around, as well as a very old (1985), very unique 6-fan tray that uses about 450W, which will probably only stay for nostalgia. Should every space be filled for optimal airflow? How many spaces should there be between devices?

The patch panel is a keystone-style. I currently have them segregated by function. Grey patch cables on left are to APs, Black to Local Clients, Grey/Blue on right to IP-Camera. Should these all be aligned to one side? Same for the switch ports. Should they be connected sequentially instead of divided up by function as I have them now?

I'd love any feedback, suggestions, tips, comments, anything.

Thanks,
Nick
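As an added illustration (not the poster's own running configuration), here is how the VLAN layout described in this post maps onto a Cisco IOS configuration for a 3560 doing the inter-VLAN routing and DHCP, with the two-link trunk to the WLC and an ACL on the camera SVI so the IP cameras can only reach what they need. The ASA inside address (10.1.0.1) and the VLAN numbers and subnets come from the post; the SVI gateway addresses (.1 in each subnet), the NVR address 10.1.5.10, the ASA uplink on Gi0/3 and the WLC management interface sitting on VLAN 2 are assumptions made for the example.

```cisco
! Added example, not the poster's config. Assumed: each SVI is the .1 of
! its subnet, the NVR's teamed NIC is 10.1.5.10, the ASA fiber link is on
! Gi0/3, and the WLC management interface is on VLAN 2.
ip routing
!
vlan 2
 name Management
vlan 3
 name Access-Points
vlan 4
 name Local-Clients
vlan 5
 name IP-Cameras
vlan 6
 name IP-Phones
!
! Routed uplink to the ASA inside interface (10.1.0.2/24 per the thread)
interface GigabitEthernet0/3
 no switchport
 ip address 10.1.0.2 255.255.255.0
!
ip route 0.0.0.0 0.0.0.0 10.1.0.1
!
! Two-link trunk to the WLC 4402. The WLC does static LAG only, so the
! channel is "mode on" (no LACP/PAgP). Only the VLANs the WLC needs
! (management, APs, wireless clients) are allowed on the trunk.
interface range GigabitEthernet0/1 - 2
 description WLC4402 LAG
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3,4
 switchport mode trunk
 channel-group 1 mode on
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 2,3,4
 switchport mode trunk
!
! One SVI (default gateway) per VLAN; the camera SVI gets the ACL below
interface Vlan2
 ip address 10.1.2.1 255.255.255.0
interface Vlan3
 ip address 10.1.3.1 255.255.255.0
interface Vlan4
 ip address 10.1.1.1 255.255.255.0
interface Vlan5
 ip address 10.1.5.1 255.255.255.0
 ip access-group CAMERAS-IN in
interface Vlan6
 ip address 10.1.6.1 255.255.255.0
!
! DHCP served by the switch (one pool per VLAN; only the camera pool shown).
! The NVR keeps a static address outside the pool.
ip dhcp excluded-address 10.1.5.1 10.1.5.20
ip dhcp pool IP-CAMERAS
 network 10.1.5.0 255.255.255.0
 default-router 10.1.5.1
!
! Camera-to-NVR traffic stays inside VLAN 5 and is switched, so it never
! reaches this ACL. The ACL governs what LEAVES the camera VLAN: DHCP to
! the switch and the NVR's replies to clients in other VLANs are allowed;
! the cameras themselves cannot reach management, clients or the ASA.
ip access-list extended CAMERAS-IN
 permit udp any eq bootpc any eq bootps
 permit ip host 10.1.5.10 any
 deny   ip 10.1.5.0 0.0.0.255 any log
```

The NVR permit is what lets a workstation on VLAN4 open the Blue Iris web interface and still get answers back; without it the stateless deny would drop the return traffic. The `log` keyword on the final deny makes any camera that starts probing other VLANs visible in the switch log.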

NTL1991

New Member
Aug 20, 2018
11
0
1
Rhode Island, USA
Any ideas?

My first course of action will be to upgrade the Fast Ethernet 3560-48-PS with a Gigabit 3750G-48-PS. This will allow gigabit throughput to each access point and all the local clients (90% of them support Gigabit Ethernet).

When I purchased the ASA, I specifically bought the unit I did because it had the 4GE-SSM. I was under the assumption that I could create an EtherChannel with the fiber interfaces on the module, but it turns out this is a limitation.

With the new switch, would I be better off keeping the single 1GE fiber connection (inside interface of the ASA) to the switch, or using the 4 onboard 1GE copper connections in a 4Gig EtherChannel as the Inside interface, and moving the Outside interface (single 1Gig connection to the FiOS ONT) to the SSM? I've read that the ASA has two separate buses, one for the onboard ports and a second bus for the SSM. Cisco recommends laying out the network so that traffic enters through one bus and exits through the other.
 

Jeggs101

Well-Known Member
Dec 29, 2010
1,529
241
63
Just taking a look, you've got a clean setup. More power and networking than servers!

If you are going to upgrade, go 10G for the higher-end switching. Then use cheap switches for management interfaces and the cameras. 10G they've got to be low power these days. At 1G there isn't that much of a difference between copper and fiber with those short runs. 10G is where copper and fiber diverged hugely.

Perhaps this should be in the networking section?
 

NTL1991

New Member
Aug 20, 2018
11
0
1
Rhode Island, USA
Thank you! Yes, definitely more power and networking space taken up than those little servers. Maybe a mod could move this to the networking section. I wish I had a rack full of servers, but I've got to balance the power usage too. It's not too bad currently, that G8 Server (The IP Cam NVR) is only using ~75W. If the NVR software had better compatibility, I'd be running it under ESXi to get more use out of the server.

Fiber connections look neat and clean but you're right, there's not much need for it for my lower speeds. I used them just to get a little experience with using SFPs. The WLC requires SFPs, and fiber was much cheaper than the copper variety.

I'd like to get a better idea on suggestions for device placement too; where I should be positioning them in relation to other devices and cable management.

Does anything stand out that needs correction, or any obvious changes that I should be making?

chilipepperz

Active Member
Mar 17, 2016
212
64
28
54
Are you going to get denser? You have a lot of blanking panels. If you want to go denser, I'd keep the networking stuff together and get some cable organizers.
 

NTL1991

New Member
Aug 20, 2018
11
0
1
Rhode Island, USA
I'd like to keep the option open for another 1 or 2U server, but I've got no immediate plans. As I read more threads here that may change! :) I would like to add a 1U LCD/keyboard console if/when I find a used unit cheap enough. Either way I think I have more than enough space to grow. Should I be separating the servers/networking more? How would you guys arrange this stuff?

I slapped everything in the night I got the rack home, so I didn't really think too much about placement of the devices, blanking plates, etc.
 

NTL1991

New Member
Aug 20, 2018
11
0
1
Rhode Island, USA
Just a little update: I upgraded the switch to a 3750G that I got a good deal on, installed a couple brush-type cable management panels and replaced the mismatched patch cables.

I also played around with swapping the 1GE fiber connection between the ASA and switch with a 4-link PortChannel for redundancy.

I’m looking for a DL380E G8 with a LFF drive cage to use as my main network storage solution. That’ll be installed in place of the 3845 router.

Nick

NTL1991

New Member
Aug 20, 2018
11
0
1
Rhode Island, USA
More updates!

I've found a use for that DL320 server... I've deployed an ESXi image of Cisco vWLC in place of the hardware WLC 4402 appliance. The 4402 is no longer supported, and the last version of software dates to 2015. The vWLC supports the latest releases; I'm now using 2018 software, which has improved my wireless performance dramatically. The server is also home to the Cisco CUCM and CU deployments for my VoIP lab.

Using the server full-time has also got me thinking about centralized network storage. My current mediocre storage solution is using a workstation, a ProLiant ML110 G6 with 4 x 1TB SATA drives in a JBOD configuration. Not nearly ideal...

The DL320 has an older, but higher-end for the time, P800 SAS controller. I plan on populating the server with 4 x 2TB SAS drives in RAID5, giving me 6TB of centralized storage in the rack. At some point I plan on replacing the DL320 with a newer, more efficient, LFF DL380 G8 so I can take advantage of the existing drives and expand the storage capacity.
 

Evan

Well-Known Member
Jan 6, 2016
3,346
598
113
An NFR license might be an option if you can get your hands on one.
That, or the L-AIR-CTVM-5-K9 at $750 retail price; getting a similar % off as my corporate discount would make it reasonably priced, but it’s kind of overkill for 2 or 3 APs when even one AP can control the others and a home environment is not too loaded... The VM is tiny though!
 

NTL1991

New Member
Aug 20, 2018
11
0
1
Rhode Island, USA
Haven’t looked much into the license options as I’m using the 3-month evaluation right now. I currently have 6 APs configured, one being a MeshAP Bridge feeding an 8-port 3560 in my difficult-to-wire office.

Do multiple autonomous Cisco APs play well together? I’ve never tried but I do have another half dozen 3502i’s I could play around with.

It was a pain manually TFTPing software to each of the 6 APs after realizing they wouldn’t associate with the newer vWLC because their onboard software was too old. But that’s how you learn, I guess.

I could opt for a 2504 or 5508 appliance (the 5508 can actually be found cheaper...) but I do love that TINY VM. ESXi reports it’s using all of 50 MHz, currently.
 

Evan

Well-Known Member
Jan 6, 2016
3,346
598
113
The VM is a default 5 AP license, I see...
The 5508 is 12 APs.

1800/2800 series APs using Mobility Express is currently what I was playing with. So not autonomous; the APs elect their own master to act as essentially a WLC with limited function.
 

NTL1991

New Member
Aug 20, 2018
11
0
1
Rhode Island, USA
I’m happy to say that I’ve been getting phenomenal results with the new vWLC deployment over the previous WLC appliance, with absolutely none of the lag I was experiencing before.

I have rearranged my office and pulled 3 runs of network cabling, eliminating the inefficient wireless bridge/C3560-8 setup I previously had. This provides management VLAN connectivity to my office computer’s iLO interface (through the switchport of my IP phone), a data VLAN port, and a port for a WAP.

I’ve had such good results with the vWLC that I’m looking now into possibly deploying Cisco’s ASAv in place of the ASA5520. We’ll see how it goes.
 

NTL1991

New Member
Aug 20, 2018
11
0
1
Rhode Island, USA
Thank you Kal! This will end up just being an exercise then... Are all versions (9.2.x-9.10.x) using this same rate limiter?

I see the ASAv5 (limited to 100Mbps) is roughly $2300 and ASAv10 (capable of 1Gbps throughput) is about $2700.
 

Kal G

Active Member
Oct 29, 2014
160
44
28
44
> Thank you Kal! This will end up just being an exercise then... Are all versions (9.2.x-9.10.x) using this same rate limiter?
>
> I see the ASAv5 (limited to 100Mbps) is roughly $2300 and ASAv10 (capable of 1Gbps throughput) is about $2700.
I'm not sure about 9.2, but 9.3 and newer are definitely limited. I'd recommend against messing with 9.2 for production use as it lacks support for newer encryption protocols.

I never understood why Cisco felt the need to overprice their virtual ASAs. You can buy an ASA 5506-X for $600-800 from a Cisco partner (less on the grey market) which can do up to 300 Mbps for stateful inspection.

If you're interested in virtualizing your firewall, you may want to look into pfSense.

* Edited to use more realistic metric for 5506 throughput
 

Evan

Well-Known Member
Jan 6, 2016
3,346
598
113
Given the size of network pipes in 2018, all these security products seem underdone and overpriced. I do understand manufacturers need to upsell to make some $$, but for the average small business or home you end up paying a lot of $$ for very limited bandwidth.