Network planning - lots of connected devices

HCHTech

I'm re-doing the entire network at my church and have reached the stage where I need to plan the IP schemes.

They have about 35 wired ports scattered around, with maybe 15 wired devices actually connected. We're installing a Ubiquiti USG, a Ubiquiti 24-150 PoE switch and a regular 24-port non-PoE, non-Ubiquiti switch for the overflow. There is a single AC-HD in the sanctuary and 5 AC-Pros scattered around the rest of the building for full coverage.

So....not many wired devices, but a whole ton of wireless clients. I'll be configuring a guest network on a VLAN for the wireless guests, and setting QoS so that network can't take more than X% of the total bandwidth. They've got 150 Mbps FiOS, so I'll start by carving out 30 Mbps for the non-guest networks and see how it goes.

The issue is that every parishioner's phone that learns how to connect to the guest wireless WILL connect as soon as they walk through the door. This could easily be 200 connections on any given Sunday. Plus, they rent out the space for events regularly and give out the wifi credentials, so that could add a bunch more depending on the event.

Since I normally deal in small networks, planning for this many connections is out of my bailiwick. How do I setup the IP scheme for the wireless to allow for more than 255 connections? If it were physical networks, I understand it better, just assign multiple LANs and use firewall rules to allow traffic between. Wireless, however is different. Is it as simple as switching from a /24 configuration to a /16 for the wireless? I guess I need to study up on subnetting - dealing with tiny networks all the time has limited my experience, that's for sure.

Also, I'm thinking I should shorten up the lease time to free-up IPs sooner after events. Maybe 8 hours or so?

Suggestions?
 
Also, I'm thinking I should shorten up the lease time to free-up IPs sooner after events. Maybe 8 hours or so?

I'll let others comment on the rest as it is beyond my normal scope but I free up IPs on public guest networks in an hour. No sense having the address tied up when the guest is long gone.
 
In addition to significantly decreasing lease time (personally I'd probably drop it to 1 hour), I'd create 3 wireless VLANs: employee, parishioner, and rental, and have all of them password protected. You really don't want the rental crowd getting parishioner credentials.

I'd also try to have a discussion about QoS, as in: what are their expectations, if any? Many places will set a limit of around 1.5-2 Mbps down.
 
The guests shouldn't be streaming Netflix, so setting a per-user limit is good. Separate VLANs also have the added benefit of one user group not being able to interact with another one... like guests accessing printers or servers.

On-site equipment should only be accessible to the people who ought to have access.
 
Just do a /23 or /22....
Noticed you mentioned a USG...you're doing a USG Pro or XG right? I try to avoid the regular USGs for networks over 50 users...kinda keep 'em only for little <25 user networks.

For a network that large, make sure you do the tweaking for LAN to WLAN broadcast blocking... and do port isolation on the ports for the APs.
 
Noticed you mentioned a USG...you're doing a USG Pro or XG right?

I might have (cough) possibly (cough) gotten a regular USG. That sounds like a mistake. Is it a deal-breaker? I haven't unboxed it yet, and the price difference between that and a pro looks to be about $225. I could probably swing that. This project has taken on a life of its own. I'm donating installation and configuration time and some of the equipment, other groups have ponied up for the rest of the equipment. The extra would probably be mine. :-(
 
In addition to significantly decreasing lease time (personally I'd probably drop it to 1 hour), I'd create 3 wireless VLANs: employee, parishioner, and rental, and have all of them password protected. You really don't want the rental crowd getting parishioner credentials.

Parishioner and Rental would both be internet-access only, so separation wouldn't add much benefit, IMO. Employee network would be separate, of course, since they would have access to printers, storage, etc.
 
Reading your OP I also thought the USG would be too light for the task. Especially if you want to enable IDS. Go with the Pro as it has more processing power and 4x the RAM (2 GB).

The USG will make it into your next Small Business deployment (or return it).

Also, churches aren't as poor as they have you believe (although you might be very intimate with this church and actually be a member, so you would know best), but don't be afraid to say there were unexpected costs to the tune of $300. It hardly compares to the cost overruns that can be incurred with building renos etc.
 
Parishioner and Rental would both be internet-access only, so separation wouldn't add much benefit, IMO. Employee network would be separate, of course, since they would have access to printers, storage, etc.

First, I agree with the others. The Pro is more appropriate for this situation given the number of potential users. One can argue that the majority of the back office use will probably occur during regular business hours, so the impact of parishioners and rentals will probably not coincide with business hours. But still, just the potential size of the parishioner and rental group could be large. Didn't you post about this site before, about APs and placement? Or maybe I'm thinking of another post.

Here's a link discussing USG vs USG Pro. https://community.ubnt.com/t5/UniFi-Routing-Switching/How-much-can-USG-handle/td-p/1574906

On the internet only for parishioner and rental. Got to think about the future as well. How big is the church in terms of members/worshipers? The unfortunate reality is that organized religious activity has and will probably continue to decrease in the US. So an increase in participants, at least dramatic, will probably not happen any time soon.

But one thing is certain. This follows along what I call the Law of Garage Space. You can replace Garage with Hard Drive and Network as well. The contents will quickly expand to occupy the available capacity. So that's why I mentioned separating parishioner from rental. I could easily see where the powers that be decide to add content things for parishioners via wireless. So you'd want to keep that separate. Not to mention that a common practice is to separate groups anyways. Once separated it's easy to add them to resources/content as needed.
 
Good move. You can unload the regular USG down the road on another job.
It's not so much just the "throughput"...but the ability for the USG to have resources to handle many other things on the network.
 
Here's a "before" pic just for fun. More than half of the runs were never terminated on either end, an ancient 10/100 switch hanging on a couple of nails, a beat up patch panel that was clearly someone's cast off, and a lonely FIOS modem leaning against the wall providing wifi for most of the building. Oh, and the wires were tagged with orange electrical tape written on by a sharpie about 10 years ago, long since faded into illegibility. Everything had to be re-toned. Luckily only 3 runs were orphaned. I'm sure they are coiled up in the ceiling somewhere, or sealed up in a wall. They were definitely ripe for a re-do. :eek:

I regret not buying a cable comb, but I've ordered one now, just to have one for the next time.
[attached image: upload_2019-1-6_8-42-14.png]
 
Here's a "before" pic just for fun. More than half of the runs were never terminated on either end, an ancient 10/100 switch hanging on a couple of nails, a beat up patch panel that was clearly someone's cast off, and a lonely FIOS modem leaning against the wall providing wifi for most of the building. Oh, and the wires were tagged with orange electrical tape written on by a sharpie about 10 years ago, long since faded into illegibility. Everything had to be re-toned. Luckily only 3 runs were orphaned. I'm sure they are coiled up in the ceiling somewhere, or sealed up in a wall. They were definitely ripe for a re-do. :eek:

I regret not buying a cable comb, but I've ordered one now, just to have one for the next time.

Now that's what I'm used to seeing in so many places. LOL!!!
 
I'm re-doing the entire network at my church and have reached the stage where I need to plan the IP schemes.

They have about 35 wired ports scattered around, with maybe 15 wired devices actually connected. We're installing a Ubiquiti USG, a Ubiquiti 24-150 PoE switch and a regular 24-port non-PoE, non-Ubiquiti switch for the overflow. There is a single AC-HD in the sanctuary and 5 AC-Pros scattered around the rest of the building for full coverage.

So....not many wired devices, but a whole ton of wireless clients. I'll be configuring a guest network on a VLAN for the wireless guests, and setting QoS so that network can't take more than X% of the total bandwidth. They've got 150 Mbps FiOS, so I'll start by carving out 30 Mbps for the non-guest networks and see how it goes.

The issue is that every parishioner's phone that learns how to connect to the guest wireless WILL connect as soon as they walk through the door. This could easily be 200 connections on any given Sunday. Plus, they rent out the space for events regularly and give out the wifi credentials, so that could add a bunch more depending on the event.

Since I normally deal in small networks, planning for this many connections is out of my bailiwick. How do I setup the IP scheme for the wireless to allow for more than 255 connections? If it were physical networks, I understand it better, just assign multiple LANs and use firewall rules to allow traffic between. Wireless, however is different. Is it as simple as switching from a /24 configuration to a /16 for the wireless? I guess I need to study up on subnetting - dealing with tiny networks all the time has limited my experience, that's for sure.

Also, I'm thinking I should shorten up the lease time to free-up IPs sooner after events. Maybe 8 hours or so?

Suggestions?

To me this is a very small network. Speaking from experience, it is nicest by far to keep the network small. Personally, I would recommend you skip directly to a 48-port switch if you are going to be doing various VLANs, since your overflow switch is unlikely to support 802.1Q tagging/trunking if it is just a dumb switch, and even if it did, that would be more configuration overhead.

I am not a fan of Ubiquiti, but it should work fine. Regardless, one of the big lessons in life I have learned is to not mix and match equipment from different vendors unless you really have to. While certainly all devices will be sending Ethernet_II frames and support auto-crossover detection regardless of vendor, there are subtle differences in things like neighbor protocols etc. Moreover, you will surely at the very least have a different configuration methodology for different families of devices.

I completely agree that it is a good idea to restrict the bandwidth available to the guest WiFi. I notice you said you are creating a guest VLAN, and you discussed how many connections are possible. Realistically speaking, you would probably terminate a subnet within the guest VLAN expressly for that purpose. Essentially, you are not hammered down to having one giant subnet, but it is common to use the VLANs as containers whereby one or more subnets are contained within each VLAN. Provided the Ubiquiti is a layer-3 device, these subnets would show up as directly-connected routes reachable via their respective VLAN. Presumably, the only configuration required to make this routing work would be to configure the software virtual interface for each VLAN, where you assign an IP and subnet or CIDR mask. This would provide the default gateway and the subnet size for the routing table.

During routing, the packet is removed from the layer-2 frame (i.e. the VLAN info is stripped off)... then when it is delivered to the appropriate VLAN it is re-packaged within the proper layer-2 frame. Hence, VLANs are not for security purposes.

If you create different firewall zones, you would have to configure whatever access you want between them.

You certainly could use /16 for the wireless network vs /24. Moreover, there is never a need to use contiguous subnets if you use multiple subnets. In fact you could use 10.0.0.0/8, 172.16.0.0/12, or 192.168.0.0/16 and mix and match them. The routing process will still work.
 
With a /21 subnet you would get 2,046 usable hosts. 3 hour lease time perhaps?

https://www.tunnelsup.com/subnet-calculator/

Random thread on the topic from the Ubiquiti forums:
https://community.ubnt.com/t5/EdgeRouter/Expand-DHCP-pool-size/td-p/796332

I gave it a like because you are correct, but generally, I would avoid recommending that someone who builds smaller networks use a /21 or another CIDR mask that isn't a multiple of /8, because it is confusing for someone without a network background to break subnets that do not fall evenly on an octet. While I completely realize a /16 is a huge waste of RFC1918 space, if the OP uses the /21 you recommend he will need to recognize that the subnet mask is 255.255.248.0 and that each 8 is the border of a new network.

For example 10.1.0.0 - 10.1.255.255 would be a subnet 10.1.0.0/21 of 2048 IPs (obviously the first and last not usable except for routing-table entries and broadcast, respectively)... the next network would then be 10.1.8.0/21.

When I recommend this to folks, I generally just suggest they go with /16.
 
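As an added worked example (written for this page, not part of any post in the thread): the subnet arithmetic behind the /21, /22 and /16 suggestions above, answering the OP's "more than 255 connections" question, plus a rough model of how lease time decides how many addresses stay tied up after an event. The base address 10.20.0.0, the 1.5x headroom factor, the 10.1.0.0/21 block used for the range calculation and the Sunday schedule are all assumptions for illustration.

```python
import ipaddress
import math


def smallest_subnet(peak_clients, headroom=1.5, base="10.20.0.0"):
    """Return the smallest subnet whose usable host count covers
    peak_clients * headroom plus one address for the gateway.
    Usable hosts = 2**(32 - prefix) - 2 (network and broadcast excluded).
    The base address is an assumption for the example."""
    need = math.ceil(peak_clients * headroom) + 1
    for prefix in range(30, 7, -1):           # /30 (2 hosts) up to /8
        if 2 ** (32 - prefix) - 2 >= need:
            return ipaddress.ip_network(f"{base}/{prefix}", strict=False)
    raise ValueError("peak_clients too large for a single IPv4 subnet")


def describe(cidr):
    """The numbers a DHCP scope needs: mask, first/last usable host,
    and where the next block of the same size starts."""
    net = ipaddress.ip_network(cidr, strict=False)
    return {
        "network": f"{net.network_address}/{net.prefixlen}",
        "mask": str(net.netmask),
        "first_host": str(net.network_address + 1),
        "last_host": str(net.broadcast_address - 1),
        "usable": net.num_addresses - 2,
        "next_network": f"{net.broadcast_address + 1}/{net.prefixlen}",
    }


def addresses_held(sessions, lease_hours, at_hour):
    """Addresses the DHCP server still considers leased at a given hour.
    sessions: (client_count, arrive_hour, leave_hour). A client's address is
    reserved from arrival until its last lease expires; the last renewal can
    happen right before the client leaves, so the conservative bound is
    leave + lease_hours."""
    return sum(clients for clients, arrive, leave in sessions
               if arrive <= at_hour < leave + lease_hours)


# Constructed Sunday schedule (assumption): 200 parishioner devices during
# the 09:00-12:00 service, then a 150-device rental event 13:00-16:00.
SUNDAY = [(200, 9, 12), (150, 13, 16)]

if __name__ == "__main__":
    for peak in (200, 500):
        print(peak, "clients ->", describe(str(smallest_subnet(peak))))
    print(describe("10.1.0.0/21"))
    for lease in (8, 3, 1):
        held = addresses_held(SUNDAY, lease, 14)
        print(f"lease {lease}h: {held} addresses held at 14:00")
```

Two things the output makes concrete: a /21 covers 10.1.0.0 through 10.1.7.255 (2,046 usable), so the next /21 starts at 10.1.8.0; and with an 8-hour lease the 200 Sunday-morning devices are still counted against the pool when the afternoon rental arrives, while a 1-hour lease has released them.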
The guests shouldn't be streaming Netflix, so setting a per-user limit is good. Separate VLANs also have the added benefit of one user group not being able to interact with another one... like guests accessing printers or servers.

On-site equipment should only be accessible to the people who ought to have access.

Not necessarily. VLANs in and of themselves do NOT provide security. Take your average layer-3 device and put two VLANs on it (similar to two virtual switches). Now configure the SVI for each respective VLAN, applying an IP address and mask. Suddenly, you have two directly-connected routes available via their respective VLAN. If you send something to another printer, server, whatever it happens to be on that other subnet, your computer sends it to the default gateway, which is the SVI within your attached VLAN.

From there, the switch strips all layer-2, examines the packet (layer-3) and finds that a route to said subnet of the server or printer is in its routing table as a directly-connected route via VLAN 1234 or whatever. It drops that packet onto the appropriate VLAN, re-writing a new layer-2 Ethernet_II frame, and presto, you are browsing file shares, printing, etc. across VLANs.

VLANs are NOT security! For security, the OP would need to set up firewall rules and define zones.
 
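An added illustration of the point made in the last two posts (and in the earlier reply about zones): VLANs give you separate broadcast domains, but an L3 gateway with an SVI on each one routes between them until a firewall policy says otherwise. This is example code written for this page, not a USG/EdgeOS configuration; the three subnets, the zone names and the rule list are assumptions chosen to match the employee / parishioner / rental split discussed above.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Assumed addressing: one SVI per VLAN on the gateway, so every subnet is a
# directly-connected route and inter-VLAN traffic is routed by default.
VLANS = {
    "employee":    ipaddress.ip_network("10.0.10.0/24"),   # printers, storage
    "parishioner": ipaddress.ip_network("10.0.16.0/22"),   # Sunday wifi
    "rental":      ipaddress.ip_network("10.0.20.0/22"),   # event wifi
}
GATEWAY = {name: net.network_address + 1 for name, net in VLANS.items()}


def zone_of(addr):
    """Map an address to the VLAN it lives in, or None for anything not ours."""
    ip = ipaddress.ip_address(addr)
    for name, net in VLANS.items():
        if ip in net:
            return name
    return None


def routed_only(src, dst):
    """Plain routing, no firewall: the gateway forwards between any two
    connected subnets, which is how a guest reaches the office printer."""
    return zone_of(src) is not None


@dataclass(frozen=True)
class Rule:
    src: Optional[str]     # zone name, None = any
    dst: Optional[str]     # zone name, "self" (own gateway), "internet", None = any
    dport: Optional[int]   # None = any port
    action: str            # "accept" or "drop"


# First-match zone policy for *new* connections. A real ruleset also needs an
# "established/related -> accept" rule ahead of these so replies to guest
# internet traffic get back in; that stateful part is omitted here.
POLICY = [
    Rule("parishioner", "self", 67, "accept"),       # DHCP from own gateway
    Rule("parishioner", "self", 53, "accept"),       # DNS from own gateway
    Rule("rental",      "self", 67, "accept"),
    Rule("rental",      "self", 53, "accept"),
    Rule("parishioner", "internet", None, "accept"),
    Rule("rental",      "internet", None, "accept"),
    Rule("employee",    None, None, "accept"),       # staff reach everything
    Rule(None,          None, None, "drop"),         # default deny
]


def decide(src, dst, dport, policy=POLICY):
    """Return 'accept' or 'drop' for a new connection src -> dst:dport."""
    s = zone_of(src)
    if s is None:
        return "drop"                   # unsolicited inbound from the WAN
    ip_dst = ipaddress.ip_address(dst)
    if ip_dst == GATEWAY[s]:
        d = "self"                      # the SVI serving this client's VLAN
    else:
        d = zone_of(dst) or "internet"  # another VLAN's gateway counts as that VLAN
    for r in policy:
        if r.src in (None, s) and r.dst in (None, d) and r.dport in (None, dport):
            return r.action
    return "drop"


# Constructed sample flows: (src, dst, dport, description)
SAMPLE_FLOWS = [
    ("10.0.17.23",  "10.0.10.50",    9100, "guest phone -> office printer"),
    ("10.0.17.23",  "10.0.16.1",     53,   "guest phone -> its gateway DNS"),
    ("10.0.17.23",  "10.0.10.1",     53,   "guest phone -> employee VLAN gateway"),
    ("10.0.17.23",  "198.51.100.10", 443,  "guest phone -> internet"),
    ("10.0.21.9",   "10.0.17.23",    445,  "rental laptop -> parishioner phone"),
    ("10.0.10.5",   "10.0.17.23",    22,   "staff PC -> guest device"),
    ("203.0.113.7", "10.0.10.5",     445,  "internet -> office PC"),
]

if __name__ == "__main__":
    for src, dst, port, label in SAMPLE_FLOWS:
        print(f"{label:40} routed: {str(routed_only(src, dst)):5} "
              f"policy: {decide(src, dst, port)}")
```

Running it shows every flow from a VLAN client as "routed: True", which is the behaviour the post describes; only the policy turns the guest-to-printer and rental-to-parishioner flows into drops while still letting guests reach DHCP and DNS on their own gateway and the internet.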