Looking for a good small business setup (with possibly MEC/multichassis etherchannel)

Design

I am trying to put together a 'core' for a plastic surgeon/family friend. He has been burned by 'pros'. His recent network has (based on some quick pictures that were sent to me, I plan to visit the site and do a more through dive into the network):

Netgear device with only it's WAN port plugged in (4 LAN ports empty). Not sure what this is doing and if it's a wifi device. It does have an empty USB on the back. Closest thing so far I could find was an N900 router that looks like it.

Luxal AC300 (WXR-3000 or 3150). There only known WiFi device. After the first patient room out of about 8, there is no WiFi. It sits on top of three Sonos Amps. Not sure if they are connected to the Luxal.

TrendNet TEG-S16g with only 2 ports connected/active.

3Com OfficeConnect 16 with 5 devices active (didn't get a picture if more are connected) (3 1G and 2 100MB).

Patch panel with 9 connections.

All the rooms have a drop in them.

Outside of the WiFi being bad, they also have almost no cellular service inside the office and their ISP connection in that whole building is unreliable and they have dropouts many times a day.

As far as I can tell this is just a total flat network, I don't think any of the above devices are L3 capable.

This may be overkill, but this is the way I have done my installs (I work at the mid to usually larger/Enterprise level)

My plan is to find out what their provider is then if it's Comcast or ATT figure out why it's so spotty and if not buy a Comcast and ATT circuit with at least 1 static IP. I'd like to run each circuit to a pair of switches and then each switch to a pair of firewalls in HA. That way they can lose any one device and at least be partially in business (mostly loss of connectivity if a switch dies). This may be overkill and maybe losing the second firewall more cost-effective, I'd still like to stack just from the easier management.

I am debating Meraki vs Fortinet. I don't have a lot of experience with MXs, I do have a lot of experience with Fortigates. I don't have any experience with Fortiswitches, but I have a lot of experience with MS and Meraki stacking. They do need POE. I have a lot of experience with Meraki MR access points and none with Fortinet's.

What I think would be my best option is Fortinet firewall(s) and Meraki MS and MR behind them. Probably a 60F if Fortinet and MX75? if Meraki (assuming he is using 1G circuits, he sent a speedtest of 400Mbps from his phone). I am also open to Cisco AP's (and run Mobility Express) and switches, maybe scoring a pair of 2960X or 3850's as they have some continued support for the next few years and will still at least work after that period.

He has another two practices, but those perform well according to him. After this I plan to look at his phone system, there are 3 Arris boxes and an NEC device running it. They only have about a half dozen phones in that office so I don't know what is going on there.

To top it off "his guy", installed a 'new' server last year or so. It's a Dell Optiplex 7020 tower from 2015! He is not sure what it does (it was powered on though). This is definitely another thing to update.

in networkingby TheRealAlkemyst

100%

9mo

Matt_In_MI

CCNP/NSE7

9mo

I prefer FortiGate to Meraki, but be aware to get MCLAG you need to use the 400 series switches. I don’t love FortiAPs but once you tweak some settings they seem ok.

TheRealAlkemyst

9mo

Yeah FortiAPs are not going to be in my solution. Thinking MR or Cisco with Mobility Express. I have to figure out the pricing difference on Meraki vs Cisco AP's and still waiting on the floor plan for the office, but I can't imagine more than three AP's are needed.

Matt_In_MI

CCNP/NSE7

9mo

For 3 APs, Fortinet would be fine, and give you the single point of management for all network access. If it were any more than 5-8 I’d probably start looking towards Ruckus Cloud or Aruba Central.

TheRealAlkemyst

9mo

Looking into it. I have no experience in Ruckus or Aruba Central.

Matt_In_MI

CCNP/NSE7

9mo

I’m a big Ruckus fan, so I’d probably go with Ruckus Cloud over Aruba Central.

Bitwise_Gamgee

9mo

Before you do anything, make absolutely sure you have a CONTRACT IN PLACE stipulating what you will do, how, by when, and for how much. Do not do any work without a contract.

Another considerating, as a medial practice, your friend MUST comply with HIPAA guidelines (likely PCI-DSS as well).

Network Infrastructure

Two Internet connections from different providers, such as Comcast and AT&T. 
Two Fortigate firewalls in HA (high availability) configuration. This will protect the network from security threats and ensure that it remains up and running even if one of the firewalls fails.
Two Meraki MS225-48P switches. These switches will provide PoE power for the access points and other devices in the network.
6-12 Meraki MR33 access points. These access points will provide reliable and secure WiFi coverage for the entire office, depends on floor space/plan

Physical Security

Depending on the building, I'd get cameras. Ubiquiti UniFi Protect G4 Dome cameras can be mounted both inside and out, buy in bulk and keep a few around for backups.

I'd also take a good look at key fobs and other electronic building access means as a way to document who comes and goes.

Server

Redundant servers, such as a Dell PowerEdge T440 or T640. This server will be used to run the practice's VMs, container applications, and store data.

Phone System

A new phone system, such as a Mitel MiVoice Connect or Avaya IP Office. This phone system will provide reliable and easy-to-use phone service for the practice.

Practical considerations for the network:

The network should be VLAN'd to separate different types of traffic, such as guest WiFi, employee traffic, and medical records.
The network should be actively monitored to detect and respond to security threats.
The network should be backed up daily to protect data in case of a disaster.

TheRealAlkemyst

9mo

My friend is the surgeon / owner. He's been in practice for decades. He is aware of all the compliance issues. I always use contracts, however; in this case I do not need one. He will purchase all devices and I am trading for some of his services for my wife and I in return for my labor.

I was going to do Cisco WebEx calling as I find it a great solution.

I would do MS210's and they only have about 9 ports being used now so dual 48 ports would be a waste. Also with only about 10 rooms total and most of those rooms patient rooms, having 6-12 AP's would be overkill.

The physical security is handled by the building, they use keys for access.

Definitely going to break out VLANs and have a separate Guest network.

bc-squared

9mo

I'd probably go Fortinet over Meraki solely based on the fact that the Fortinet gear can continue to run if licenses expire. Not sure if you are planning on managing this network long-term and keeping up with renewals. If not, I wouldn't be surprised if renewals are missed and the last thing you want is the network to drop because of that.

Based on the info provided, I'd start with a design like this:

WAN Switches - 2x Fortinet FortiSwitch 108F
- One for each ISP (assuming you get a second)
- Terminate the WAN handoff from each ISP into their respective switch and then cable a full mesh with the WAN ports on the FortiGate HA Pair
- Personally, I'd manage the WAN switches standalone vs. FortiLink but you can go with FortiLink if you want everything managed from single-pane.
Firewalls - 2x Fortinet FortiGate 71F
- Go with the "1" model for the internal SSD and greater log retention especially if you will be supporting this at all
- 71F over 61F. It is newer and has double the memory
- SD-WAN for optimizing performance to internet across both ISPs
- Firewall is L3 gateway for any and all internal networks
Access Switches - 2x Fortinet FortiSwitch 148F-FPOE
- I'd lean towards the 148F-FPOE switches cabled in a ring for this deployment. I'm not sure that MCLAG is really necessary for this size of a network
- Manage the switches via FortiLink. Be sure to enable FortiLink Split-Interface if cabled in a full ring
- If you truly need MCLAG or desire dual power supplies, bump up to 448E-FPOE
Wireless - Fortinet FortiAP 231F
- Doesn't sound like there are any high density needs so the 231F model should suffice BUT I would strongly suggest some form of wireless survey to determine proper quantity and placement.

Just a starting point from my perspective!

EDIT - Oh, don't forget about Rackmount.IT for the non-rack-mountable FortiStuff :)

TheRealAlkemyst

9mo

Just need a collapsed core model here. Only about 9 ports in play with 12 - 16 total needed to handle the new APs and redundant circuits. I have been thinking of going beyond the 60F myself since I use a minimum of a 100F at most of the branches I support and 200F at the HQ sites. In the past, my HQ and Branches were much larger spec'd.

With MCLAG that I am used to you need at least two switches and two firewalls.

ISP1 to switch 1 and switch 2 (which are stacked), ISP2 to switch 1 and switch 2. Bundle ISP1 across both switches and run one to WAN1 on FW1 and WAN1 on FW2, repeat for ISP2. Same with ISP2. Then if any switch fails you still have redundancy for both ISPs as well if any one FW dies.

I will need more than one AP as the doctor has plaster walls (with wire mesh backing). I could possibly get by with 2 APs but the corridor is U shaped and my second AP may get clipped. I am thinking an AP at each part of the "U" (sides and bottom). High density is not a factor at most you may have about 16 people in that office and most will not be doing much online except staff (about 6 people).

I may just cut this all back to still having the dual ISPs with one home ran to Switch 1 and the other switch 2 and then run Switch 1 to WAN1 and Switch 2 to WAN2. Then forego stacking for a traditional bundled trunk.

bc-squared

9mo

Ah, I see. Maybe go with 2x FS-124F-FPOE switches then?

Are you expecting the ISPs to deliver more than 1 handoff each? I was assuming each would offer a single handoff which is why I recommended landing each in a separate switch.

TheRealAlkemyst

9mo

Each ISP a single handoff. I just never have been able to accomplish having a port channel setup between two switches without stacking them. With one firewall this would work fine, but with two firewalls I think I need a port channel. Also thinking this deeper, without dual handoffs from each ISP I don't really get true redundancy in this plan.

I think I will just stick to a single FW and trunked (or stacked if not too much more $$$) set of two switches for now. I propose a plan with dual handoffs and dual firewalls that would give true redundancy should a switch fail (barring clients on the failed switch).

bc-squared

9mo

You do not need a port-channel (Trunk in Fortinet's vocabulary) even with 2 firewalls. Please review the "HA-mode FortiGate units managing a stack of several FortiSwitch units" in the following link. https://docs.fortinet.com/document/fortiswitch/7.0.8/devices-managed-by-fortios/801190/ha-mode-fortigate-units-managing-a-stack-of-several-fortiswitch-units

You can achieve ISP redundancy with single-handoffs. Just make sure that each ISP terminates into difference switches. If one switch dies, the other ISP can stay up and running. This is why I mentioned 2 FS-108F as dedicated WAN switches. Each switch acts as an ISP fault domain.

TheRealAlkemyst

9mo

Agreed, I meant still having ISP failover should one switch fail.

bc-squared

9mo

Oh, gotcha!

TheRealAlkemyst

9mo

I found out the 200 series can also do MCLAG. Seems a great bang for buck and $560 cheaper than a MS120 (and 1/2 the price of an MS210)

bc-squared

9mo

Yes it can. I typically skip the FS-200 series due to lack of 10G interface but perhaps that isn’t needed in your situation.

TheRealAlkemyst

9mo

With 8 users and whatever patients I think I can get by without 10G, I plan to stack the pair so probably won't even use the SFPs. The difference in price is like $700 with one year support but jumps to $1400 difference at 5 years!

TheRealAlkemyst

9mo

UPDATES:

Still putting together the details as all I received was photos of there current setup (which doesn't make sense). The current gear is in the OP.

TrendNet TEG-S16 (16 port unmanaged) Correction from OP, 2 connections only

3COM OfficeConnect 16G (16 port unmanaged) 6 devices connected

Luxal AC300 WiFi router one device connected

My plan is to bring in two ISP's (probably AT&T and Comcast 1G circuits).

So about 9 network ports in play which matches how many connections their patch panel has.

The proposed network:One Fortinet FG60F, I could probably get by with the horsepower of a 40F; but it doesn't have enough LAN ports to run both switches to it, both WAN circuits and the WIFI OFFNET VLAN to keep guest traffic separate nor future heartbeat incase they upgrade to HA later on.

Either a pair of Meraki MS120-24P in virtual stacking or a pair of Fortswitch FS-224D-FPOE ($560 cheaper than the Meraki and can do real stacking/multi-chassis etherchannel). Not sure if going to the MS210 would be worth the additional costs.

For AP's 4 Meraki MR36's (one in the lobby/front desk and then one every other exam room. I will do a survey when I get onsite as I may be able to get by with 3).

I plan to run ISP1 to Switch1 and ISP2 to Switch2 and then both trunked to the Fortigate. If possible add redundant ISP links to each (ISP2 to Switch1 and ISP1 to Switch2).

I don't have experience with FortiSwitch nor virtual stacking in Meraki.

stratospaly

9mo

Cisco CBS250 POE switch (if phones need POE) or Unifi Pro switch, Unifi Pro WAP, Ubiquiti Edge router. This combo is fairly cheap, has good features, and works really well. If you want a router\firewall better than Edge I would go with Sonicwall.