Networking Small Mac Office - Hire a Pro? Or No?

I’ve recently started a new business. We are all Mac and cloud based. Our physical office is nearing completion. When complete, we want to have:

  • Hardwire connections for our computers and VOIP handsets (~6 computers, maybe 8 handsets to start)
  • Wireless networks (employee and guest)
  • At least 1 networked printer/scanner
  • TV & camera(s) for video conferences

We do not need an on-premises file or application server. I’ve had a contractor already install ethernet drops between everywhere we might want them and the server closet. Comcast business will be providing a modem to give us our connection to the outside world.

I’m left to fill in the rest or to hire somebody to do this for me.

I consider myself pretty tech savvy. But this is just a bit more complicated than buying a bunch of Eero pros and calling it a day. So I’m looking for recommendations on whether to proceed on my own or hire somebody. Questions I’m likely to have:

  1. Do we need a separate “security device”/hardware firewall (given that we don’t have an on-premises server)?
  2. How important/difficult is it to have a separate sub-network for VOIP, wireless, etc. so as to keep everything running happily?

If I hire somebody, what’s a reasonable fee? (The place I’ve talked with so far really wants to sell us expensive managed IT services, which we don’t want or need.) Anybody done this recently? All advice appreciated.

Thanks,

It sounds like you’ll have several people working in this office and as you said, no particularly special security requirements since you’re sharing files via cloud and presumably using a cloud email provider. In my opinion, you absolutely could do 2-3 Eero Pros, use them for your guest and private network, and be okay. You don’t need a separate network for VOIP. You may try toggling SQM on or off but I bet your Internet will be fast enough that it won’t be necessary.

For topology you probably want to connect to the main Eero immediately after the Comcast modem and then split from there to the other units through the Ethernet you’ve run, and put switches after the other Eeros for machines in those rooms to connect to—same as home, basically. Maybe buy +1 unit if that first, main Eero is in a challenging area of the building.

That said, I don’t know your business or local economy; if you’re going to grow quickly or you want a relationship with an IT partner before you need one, you might want to go that route.

Again, just general thoughts intended to confirm that you probably could handle this yourself.

Since you are creating a business environment I’d suggest you perform a risk assessment at least.

  • how long can we do without access to the internet?
  • What if our macs get compromised?
  • Do we have customers with particular privacy concerns? (CCPA, for example)
  • Seeing that cloud does not equal backup, how will we handle our business data resilience?
  • etc etc.

This NIST site might help you get started as well.

https://www.nist.gov/itl/smallbusinesscyber

especially this:

I’d base my requirements on the answers to those questions.

Depends on how big your pipe is, in- and externally.
If you would allow customers on your network I’d suggest separating it out.

My suggestion, and probably what a consultant would also do is sit down with a piece of paper and just write down a lot of “what if’s” and base decisions on the picture that emerges.

You have a chance to do it right from the start, would be a shame to have to change the setup later on.


No matter how small the business, the basics still need to be in place.

Would definitely separate VLANs for office, VOIP and Guest and also have a hardware firewall installed.

Likewise, enable encryption on Macs and ensure encryption is sorted with cloud services (in-transit and at-rest).

Also would ensure basic Mac security is in place (VPN and password manager for strong passwords). That way you have done the minimum. Remember you are as strong as the weakest link in the chain.

As you have no assets in the office you don’t need an inbound VPN. Remember to work out your backup strategy as well. What cloud service are you using? Dropbox, Google Suite, Office365? Remember synced cloud services are not the same as backups even if they offer version history.

Most pro routers offer firewall and VLAN functionality. With WiFi, this becomes a bit more difficult. I would consider a Unifi solution where you can use multi-VLAN access points and have an FW router incl. IDP and IPS.

There are many paths to implementation, riddled with “it depends”.

The Comcast device provides “modem”, router, firewall, and wireless access.

You can separate those functions with discrete devices that provide increased functionality, and enhanced capability.

(I would start with the Comcast device)

You will need to connect your devices and telephones to the Comcast device. This is done with a switch. Your devices connect to the switch, the switch connects to Comcast.

There are two types of switches, managed and unmanaged. While an unmanaged switch will certainly connect your devices and telephones to the Comcast device, a managed switch is distinguished by having some sort of control plane that provides centralized management, monitoring, etc., etc.

While the line of capabilities between managed and unmanaged switches continues to blur, the managed switch you choose has broader implications for the networking ecosystem you will be joining.

If you select a Brand Z managed switch, then when/if you separate your Comcast device, you would want to continue with a Brand Z firewall, a Brand Z router, etc. If you want to add more wireless capability, you would want to use a Brand Z wireless device.

Of course you could mix and match components, and I welcome you to the world of Sys Admin!

Net, you want a switch that will create a VLAN. A VLAN is a logical networking construct that essentially creates a “switch within a switch”.

This will allow you to separate the voice and the data. The computers are on the data network, the telephones are on the voice network, all resident on the same physical network switch.

With respect to the “it depends”, as mentioned there are unmanaged switches that have (some) managed capability. You can get an unmanaged switch that provides VLAN capability, and the consumer brands (Trendnet, TP-Link, etc.) are all trying to move upstream to prosumer and enterprise capabilities. You can get fancy and include PoE (Power over Ethernet) in your switch. This will provide power to your phones using the same ethernet cable.

It sounds as if the heavy lifting has been done, the cables are in a central location, the Comcast device is there, now it’s just a “simple” matter of plugging things in, creating addresses, a VLAN, and getting the damn SIP trunk to sync. 🙂

You can do this! It might take a few hours as you work your way through unfamiliar territory, but it is straightforward.

Given your number of devices you DON’T need a VLAN, but it is a good practice to separate voice and data, and a good foundation for future growth.

Let us know how you make out!
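The voice/data VLAN separation explained in the reply above, and the office/VOIP/guest VLAN split an earlier reply recommends, both rest on 802.1Q tagging: each Ethernet frame carries a 12-bit VLAN ID and 3 priority bits that the switch uses to keep traffic apart. The following is an added illustration, not code from any poster: a small Python parser that reads those tag fields from raw frames and checks each frame against a constructed per-port policy, flagging untagged frames and frames on a VLAN the port should not carry. The VLAN numbers (10 data, 20 voice, 30 guest) and MAC addresses are assumptions for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional, Set

# Hypothetical VLAN plan for the office in the thread (constructed for this example).
VLAN_NAMES = {10: "data", 20: "voice", 30: "guest"}
TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class Frame:
    dst: str
    src: str
    vlan_id: Optional[int]  # None when the frame carries no 802.1Q tag
    priority: int           # PCP bits (0-7); 0 when untagged
    ethertype: int          # inner EtherType, e.g. 0x0800 for IPv4


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Parse the Ethernet header and, if present, one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    (ethertype,) = struct.unpack("!H", raw[12:14])
    vlan_id, pcp = None, 0
    if ethertype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        pcp = tci >> 13          # top 3 bits: priority code point
        vlan_id = tci & 0x0FFF   # low 12 bits: VLAN identifier
    return Frame(_mac(raw[0:6]), _mac(raw[6:12]), vlan_id, pcp, ethertype)


def check_frame(frame: Frame, allowed: Set[int]) -> str:
    """Return 'ok' or a short reason the frame violates the segmentation plan."""
    if frame.vlan_id is None:
        return "untagged frame on a trunk port"
    if frame.vlan_id not in allowed:
        name = VLAN_NAMES.get(frame.vlan_id, "unknown")
        return f"VLAN {frame.vlan_id} ({name}) not permitted on this port"
    return "ok"


def build_frame(dst: str, src: str, vlan_id: Optional[int], pcp: int,
                ethertype: int = 0x0800, payload: bytes = b"\x00" * 46) -> bytes:
    """Build a constructed frame for testing; vlan_id=None gives an untagged frame."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, (pcp << 13) | vlan_id)
    return hdr + struct.pack("!H", ethertype) + payload
```

Feeding the parser frames captured on a trunk link between the switch and the Comcast device shows at a glance whether voice, data and guest traffic are actually being kept on their intended VLANs.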

If I were you I’d run all of this through a Unifi system. While very doable on your own I’d highly suggest hiring a pro. Look for Unifi experts in your area.


UDM Pro SE

  • 8 PoE ports
  • VOIP (Unifi Talk)
  • Firewall
  • Cloudkey

It’s really an ideal small business networking system


Thank you all for your input. I’m still looking, but haven’t found a pro that I’m happy with yet. But in the meantime, I’ve been doing some research, and it seems that there are several viable options for small businesses that don’t want to have sys admins, but need more than a consumer-grade experience. These include:

Meraki Go (Cisco’s offering) - Generally thought of as having the best hardware and user experience, but at a higher price and with an ongoing subscription cost that, if not paid, renders your hardware worthless.

Ubiquiti - Popular, lower cost, but some have questioned its reliability and security practices (see recent ATP discussion).

Aruba (HP’s offering) - Maybe the sweet spot for me? Less expensive than Meraki, no ongoing costs. Aruba switches were the ones included in the packages in the pro bids I’ve received so far.

If I don’t find a pro I like, I’d be considering getting:

I think that would cover my needs between the Comcast Business router and the rest of my office’s devices.

Does anybody have any experience (good or bad) with Aruba’s networking hardware? (Or the management software?)