How do I build a professional network

Build a network for small or medium-sized businesses

How to successfully set up an in-house network!

Building an in-house network for an SME is a complex and exciting challenge. Newcomers to the field often say that it is difficult to get an overview of the subject and of all the aspects that matter when making decisions. That is why we have tried to compile the most important questions in this area and give a rough overview.

So that further research is no longer so difficult, we have also briefly outlined neighbouring aspects so that you have a starting point.

Which type of connectivity should I prefer?

For many of you who come from the home network world, WLAN is certainly the first choice for connecting clients to the Internet or to each other.

A WLAN undeniably offers many advantages: spatial independence is probably the greatest, and the low cost and the absence of cabling are weighty arguments too.

Unfortunately, WLANs also have many disadvantages in the corporate sector. Apart from the lower bandwidth, which some can live with, there is a more serious problem with WLANs: they are a shared medium. In the days of hubs, all clients on a network segment shared one bus, or to put it simply, one cable with many sockets on it. Only one client could send at a time, so the bandwidth available to each client shrank with every additional participant. Switches, which give every port its own collision-free link, almost completely eliminated this problem at the end of the 1990s. WLANs try to work around it with several channels, multiple antennas and similar tricks, but since there is only one "air" in each room, communication in a WLAN still takes place on a shared medium. As soon as many clients come together in a small space, as is often the case in office buildings, both the bandwidth and the reliability of communication decrease.

In addition, there is the problem of security. Modern encryption (WPA2 or WPA3, ideally with per-user authentication rather than one shared passphrase) does offer adequate protection, but radio does not stop at your walls: anyone in the car park can record your traffic and attack the encryption at leisure, and the devices on a WLAN are far harder to keep an inventory of than the cables on a patch panel. Particularly sensitive or valuable information should therefore be handled as discreetly as possible, and cables are clearly the better choice for this.

In order to keep your network clear and expandable, you should plan at least two Ethernet interfaces per intended workstation; a second socket is quickly needed for a telephone, a printer or a second device.

At the workplace, the interface should be provided as a socket, depending on the circumstances in a floor box or in a wall trunking near the power outlets. If you lack the necessary specialist knowledge, have this cabling work carried out by an electrician or an installation company. Larger buildings are subject to many fire protection regulations, and poorly terminated sockets lead to a great loss of performance and to hidden errors that will cause a lot of headaches later.

To be able to change active components easily and keep track of things, it is advisable in networks of roughly 50 participants or more to terminate the cables that run from the workstations into the network room on so-called patch panels. Labels that correspond to the wall sockets then ensure that you always know what is at the other end of the line.

Your patch panels and network devices should be suitable for installation in a so-called 19" rack. Such cabinets are available in different sizes and with different equipment. Their great advantage is that your expensive equipment can be stored centrally, reasonably safe from dust, and locked away from unsuspecting cleaning staff and from anyone else who should not be plugging things into your switches.

Although communication in companies should mainly take place via cable, it can make sense to operate a WLAN in parallel with the classic network structure, for example for guests, for mobile devices that need to synchronize, or for salespeople without a workstation of their own. Great importance should be attached to security and to a configuration that is as restrictive as possible: a guest WLAN belongs in its own VLAN with a route to the Internet and nothing else.

Which active network components do I need?

The type and number of so-called active components (i.e. network devices that need a power supply) depend on the size of your network and on your security and maintainability requirements. You will at least need switches to which the cables from the patch panel arrive. If you also want Internet access, you need one or more routers connected to the switches. In very small networks, routers with integrated switches can also be used.

If you want to separate network segments from one another, for example to reduce the size of so-called broadcast domains and thus contain broadcast storms, you should rely on managed switches. These support VLANs (virtual LANs, completely separate LAN segments that run on the same switch) and can set up "trunks" between each other (tagged links, IEEE 802.1Q) so that frames from several VLANs can be carried across several parts of the building on a single cable. For example, you can put all the developers in a company, even if they do not sit together, in their own LAN with special rights that commercial employees do not have. Keep in mind that anyone who can log in to the switch can change the VLAN assignments, so the management interface needs a strong password and should not be reachable from the user VLANs.

You will probably also want to offer your own services such as e-mail or file servers in your network. These should be connected to their own switch in a central network room, in a VLAN of their own. Today many switches can route between VLANs themselves (so-called Layer 3 switches). If your switches cannot do this, a router with a single trunk to the switch, a set-up known as router-on-a-stick (ROAS), does the job, and you will have to plan that router capacity.

Which IP addresses should I choose?

One of the most important decisions in your network is the address structure. Most in-house networks are still operated with IPv4 today, and for the beginning you would do well to stick with it. It is important to know that the protocol reserves special address ranges that are "private" (RFC 1918): 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. Routers on the Internet do not forward these addresses, and requests from outside to such addresses are rejected. This hides your clients from direct access from the Internet, which is a real security gain, but it is not a substitute for a firewall: anything that already runs inside your network, or that a user fetches from outside, is not hindered by a private address at all. If your clients do not have a public IP (which you cannot simply assign yourself, but have to apply for and usually pay for), they should always get an address from one of these private ranges. Which range you choose depends on the size of your network. The best known are addresses from 192.168.X.X; this range holds 256 networks of 254 usable addresses each if you cut it into /24 subnets, the size that used to be called a class C network. 172.16.0.0/12 and 10.0.0.0/8 are larger and are mostly used when more than 254 clients are needed in a single subnet, or when a great many subnets are required; both are carved into smaller pieces with subnet masks (CIDR and subnetting, a topic that is unfortunately too extensive for this article). A flat class A network with 16 million addresses makes no sense in an SME, but taking /24 subnets out of 10.0.0.0/8 is perfectly common.

With the 256 /24 subnets that 192.168.0.0/16 offers you, you will in most cases be able to make a fine-grained division. Every VLAN needs its own subnet anyway, otherwise the router cannot route between them, and it makes sense to choose the subnets so that their numbering reflects the VLAN or the department, just for the sake of clarity. The maintenance of your network is made much easier by such measures.

How do I configure my network?

So once you have decided on an address structure, you should consider whether you want to assign fixed addresses to the clients or activate a DHCP server on your switches or routers (cheaper switches have no DHCP option, in which case the router takes over). Both have advantages: with fixed addresses you can recognise clients by their address, which will help you with authorisation problems in some situations, although an IP address can be spoofed and is therefore a convenience, not proof of identity. If the clients get their address via DHCP, they are easier to exchange and more mobile. In between there are other options, for example a DHCP server with reservations that knows its clients by their MAC address and always assigns the same address to known clients. Windows logon scripts that rely on a DHCP server running on a Windows server are also a good way of keeping your network tidy.
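As an added example (not part of the original article), the following Python script carries out the address planning discussed in the two preceding questions with the standard ipaddress module: it checks whether an address falls into one of the RFC 1918 private ranges, derives one /24 subnet per VLAN from 192.168.0.0/16 using the VLAN ID as the third octet, and splits every subnet into a gateway, a range for fixed addresses and DHCP reservations, and a DHCP pool for ordinary clients. The VLAN IDs, the department names and the size of the static range are assumptions for illustration.

```python
import ipaddress

# RFC 1918 private address ranges.
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed VLAN layout for illustration: VLAN ID -> department.
VLAN_PLAN = {
    10: "servers",
    20: "development",
    30: "commercial",
    40: "guests",
}


def is_private(addr):
    """True if addr lies in one of the RFC 1918 ranges (never routed on the Internet)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE_RANGES)


def plan_subnets(base="192.168.0.0/16", vlans=VLAN_PLAN, static_hosts=49):
    """Give every VLAN its own /24 from `base`, using the VLAN ID as the third octet
    (VLAN 20 -> 192.168.20.0/24), so the numbering documents itself.

    Each /24 is split into: .1 gateway; .2 up to .(1+static_hosts) for fixed addresses
    and DHCP reservations (servers, printers); the rest as the DHCP pool for clients.
    """
    base_net = ipaddress.ip_network(base)
    plan = {}
    for vlan_id, name in vlans.items():
        net = ipaddress.ip_network(f"{base_net.network_address + (vlan_id << 8)}/24")
        if not net.subnet_of(base_net):
            raise ValueError(f"VLAN {vlan_id} does not fit into {base}")
        hosts = list(net.hosts())  # usable addresses .1 .. .254
        plan[vlan_id] = {
            "name": name,
            "network": str(net),
            "gateway": str(hosts[0]),
            "static": (str(hosts[1]), str(hosts[static_hosts])),
            "dhcp_pool": (str(hosts[static_hosts + 1]), str(hosts[-1])),
        }
    # Sanity check: VLAN subnets must never overlap, or routing between them breaks.
    nets = [ipaddress.ip_network(e["network"]) for e in plan.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"overlapping subnets {a} and {b}")
    return plan


def vlan_for(addr, plan):
    """Which VLAN (by subnet) an address belongs to, or None if it is not in the plan."""
    ip = ipaddress.ip_address(addr)
    for vlan_id, entry in plan.items():
        if ip in ipaddress.ip_network(entry["network"]):
            return vlan_id
    return None


if __name__ == "__main__":
    plan = plan_subnets()
    for vlan_id, entry in plan.items():
        print(f"VLAN {vlan_id:>3} {entry['name']:<12} {entry['network']:<18} "
              f"gw {entry['gateway']}  static {entry['static'][0]}-{entry['static'][1]}  "
              f"dhcp {entry['dhcp_pool'][0]}-{entry['dhcp_pool'][1]}")
    for addr in ("192.168.30.17", "172.31.9.9", "203.0.113.5"):
        print(addr, "private" if is_private(addr) else "public", "VLAN", vlan_for(addr, plan))
```

The convention "third octet equals VLAN ID" is the kind of self-documenting choice the article recommends: anyone who sees 192.168.30.17 in a log knows it came from VLAN 30 without consulting a table, and the DHCP reservation range sits at the same place in every subnet.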

What you decide on ultimately depends primarily on the size of the network and your budget. It is important that you find a concept that makes the subsequent maintenance of your network, especially the expansion or replacement of clients and the adaptation to changing requirements, as easy as possible.

After you have ensured connectivity on layers 1 and 2 (i.e. the physical layer of cables and sockets and the data link layer of switches and VLANs), you should take care of the configuration of the VLANs in your switches and of connecting the router to your VLANs.

Very simple routers work on the principle that everything arriving via a previously defined WAN interface is for the clients connected to the LAN interfaces, and vice versa. Usually these routers block all connection attempts from outside and let all requests from inside to the outside through unhindered. This behaviour is not very useful for a corporate router: it neither separates your internal segments from one another nor stops a compromised client from talking to anything on the Internet it likes.

Using a mechanism called access lists, which firewalls use as well, you teach your router exactly which "services" (i.e. communication on which TCP or UDP ports) and which IP address ranges are allowed to reach which other areas and services. For example, you can regulate access to certain areas of the Internet or ensure that certain clients only reach the servers that are meant for them. In the same way you can allow some of your servers to be reached from outside, for example to connect salespeople on the road or home offices to your network. Port forwarding is mostly used for this: with a single public IP address, which you usually get from your ISP anyway, you can make several servers accessible on different ports. Every forwarded port, however, is a door the whole Internet can knock on, so forward as few as possible and, for staff access, prefer a single VPN gateway over exposing the servers themselves.
If you are planning something like this, it is advisable to invest in a second router that acts as a firewall, giving you the opportunity to set up a real DMZ: a separate segment between the outer and the inner filter, so that an attacker who takes over an exposed server still has a firewall between himself and your internal network. What the advertising of some router manufacturers calls a "DMZ" on a single consumer router is, by definition, not a DMZ at all but merely an exposed host to which all unsolicited traffic is forwarded.
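To make the first-match behaviour of access lists concrete, here is an added Python example (not from the original article, and not the syntax of any particular router or firewall) that evaluates a small rule set against individual packets. The addresses (a sales VLAN 192.168.30.0/24, a server VLAN 192.168.10.0/24 with a mail server at .25 and a file server at .26, a guest VLAN 192.168.40.0/24) and the rules themselves are constructed for illustration. It also flags rules that can never match because an earlier, broader rule shadows them, which is the most common way an ACL ends up permitting more than intended.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    src: str                      # source network in CIDR notation
    dst: str                      # destination network in CIDR notation
    proto: str = "any"            # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None   # destination port, None = any port


# Constructed rule set (assumed layout: sales VLAN 192.168.30.0/24, server VLAN
# 192.168.10.0/24 with mail server .25 and file server .26, guest VLAN 192.168.40.0/24).
ACL = [
    Rule("permit", "192.168.30.0/24", "192.168.10.25/32", "tcp", 993),  # sales -> mail (IMAPS)
    Rule("permit", "192.168.30.0/24", "192.168.10.25/32", "tcp", 587),  # sales -> mail (submission)
    Rule("deny",   "192.168.30.0/24", "192.168.10.0/24"),               # sales -> nothing else in server VLAN
    Rule("permit", "192.168.30.0/24", "0.0.0.0/0", "tcp", 443),         # sales -> web
    Rule("permit", "192.168.30.0/24", "0.0.0.0/0", "tcp", 80),
    Rule("deny",   "192.168.40.0/24", "192.168.0.0/16"),                # guests never reach internal nets
    Rule("permit", "192.168.40.0/24", "0.0.0.0/0"),                     # guests -> Internet only
]


def evaluate(acl, src, dst, proto="tcp", dport=None):
    """Return the action of the first rule that matches the packet.
    Like real ACLs, the list ends with an implicit deny: no match means dropped."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if s not in ipaddress.ip_network(rule.src):
            continue
        if d not in ipaddress.ip_network(rule.dst):
            continue
        if rule.proto != "any" and rule.proto != proto:
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        return rule.action
    return "deny"


def shadowed_rules(acl):
    """Indices of rules that can never match because an earlier rule already covers
    every packet they would match. Such rules are a sign of a misordered list."""
    shadowed = []
    for j, later in enumerate(acl):
        for earlier in acl[:j]:
            covers = (
                ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
                and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst))
                and earlier.proto in ("any", later.proto)
                and earlier.dport in (None, later.dport)
            )
            if covers:
                shadowed.append(j)
                break
    return shadowed


# Deliberately misordered list: the broad permit comes first, so the deny below it is dead.
BAD_ACL = [
    Rule("permit", "192.168.40.0/24", "0.0.0.0/0"),
    Rule("deny",   "192.168.40.0/24", "192.168.0.0/16"),
]


if __name__ == "__main__":
    packets = [
        ("192.168.30.17", "192.168.10.25", "tcp", 993),   # sales reads mail: permit
        ("192.168.30.17", "192.168.10.26", "tcp", 445),   # sales to file server: deny
        ("192.168.30.17", "203.0.113.10", "tcp", 443),    # sales to the web: permit
        ("192.168.30.17", "203.0.113.10", "tcp", 25),     # sales sending mail directly: implicit deny
        ("192.168.40.5",  "192.168.10.25", "tcp", 993),   # guest to mail server: deny
        ("192.168.40.5",  "203.0.113.10", "udp", 53),     # guest DNS to the Internet: permit
    ]
    for src, dst, proto, dport in packets:
        print(f"{src:>14} -> {dst:<14} {proto}/{dport}: {evaluate(ACL, src, dst, proto, dport)}")
    print("shadowed rules in ACL:", shadowed_rules(ACL))
    print("shadowed rules in BAD_ACL:", shadowed_rules(BAD_ACL),
          "-> guest reaches mail server:", evaluate(BAD_ACL, "192.168.40.5", "192.168.10.25"))
```

Two things carry over directly to real equipment: order matters, because the first match wins and a later deny cannot undo an earlier permit, and the implicit deny at the end means that anything you have not explicitly permitted (here, a sales PC trying to send mail straight to the Internet on port 25) is dropped.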

How do I keep my network running?

To make maintenance possible and keep track of your network, meticulous documentation is essential. This documentation is almost as valuable as the network itself; without it even the smallest problem can turn into an insoluble challenge, and you will spend a lot of time hunting for information you once knew.

In addition, there are network management tools such as Nagios that show you your networks and clients on a clear interface and collect errors and status messages from your devices via SNMP. With these tools you can even restart some devices from your desk. In this way you can counteract problems proactively and often fix minor damage before your users notice anything. Treat the monitoring itself as part of the attack surface: SNMP versions 1 and 2c send the community string, in effect the password, in clear text, so use SNMPv3 with authentication and encryption, or at least confine SNMP to the management VLAN.