[SOLVED] Architecture for a small hotel network

Oct 24, 2020
Hello there,

I'm after some advice about how best to configure a network for a small hotel-type business. We're in the process of doing a bunch of building work and I want to take the opportunity to upgrade and future-proof the network. I have a reasonable understanding of the basics of networking but it's far from my day job, so I want to make sure what I have in mind is sensible before we start pulling cable and buying equipment.

The setup:
Approximately ten rooms over two floors on the business (guest) side of the network. These are set up either as single rooms or as small apartments.
The private (owner) side of the network is another ten rooms or so over two floors.
Internet access is currently via a single ADSL broadband connection which is pretty decent speed-wise, in that we don't have any issues streaming HD, etc. We do have periodic latency issues which affect things like VoIP in particular, which I think is due to our current network architecture (which we inherited - it's basically a large home network with a complete hodge-podge of equipment, all sorts of problems here!)

What I want to achieve:
Segregation of the guest and owner sides of the network for fairly obvious security reasons.
At least an option for segregation between the apartments (they're holiday lets at the moment but they may become commercial lets in the future and the same security considerations would potentially kick in)
The application of QoS or similar technology across the network to ensure that latency-sensitive traffic is prioritized when the network is busy. We are expecting FTTP in our area within 12 months and I expect this to address any bandwidth issues; I just want to make sure the network is able to take advantage of it.

What I have in mind:
A high-quality dedicated router on the edge of the network to connect to the modem and bring everything else together.
Five sub-networks:
  • Owners
  • Apartment 1 (if required)
  • Apartment 2 (if required)
  • Apartment 3 (if required)
  • Guests Other (for single rooms, etc.)

I'm after advice on how best to achieve this, and would appreciate any suggestions on hardware.

I understand I have at least two options.

- Option One (which I would be more familiar with) would be to set up each sub-network with its own router, connected into the edge router. Seems like overkill but would guarantee isolation. I would select APs with the facility to create a second guest network with its own SSID; this would allow me to use the same hardware to achieve coverage across the hotel whilst maintaining segregation between the networks.

- Option Two (which seems like it may be more efficient) would be to use one network (a single switch or set of switches connected to the edge router) with the segregation implemented using VLANs. Not something I have done before, but I'm confident I would be able to work my way through it.

Many thanks for your time!

Kind Regards,

George
 

USAFRet

Titan
Moderator
"but it's far from my day job so "

Why aren't you just the project manager for this, and contract it out to a local network guru.

Just like HVAC, plumbing, elec...
Contract that out.

Getting it wrong is far easier than getting it right. And much more disastrous.
 
"but it's far from my day job so "

Why aren't you just the project manager for this, and contract it out to a local network guru.

Just like HVAC, plumbing, elec...
Contract that out.

Getting it wrong is far easier than getting it right. And much more disastrous.

Initially one would think this would be the best approach, but the 'professionals' in this realm can be so pricey and a lot of times still can't do the job. Case in point was the $30k my parents spent on our property on a wifi system that was fickle after a few years and pretty much was abandoned when the guy who originally installed it died. :(

I basically redid the entire thing using a lot more of the wiring for around $3k and the problems stopped completely. I even took the system with us when we sold the property as the idiots who bought the property were going with another $40k vendor. :rolleyes:

That being said, you'll need to look at what you need in terms of network segmentation and then develop the solutions for it. One of the things that will help immensely if you don't already have it is wiring that goes everywhere if possible so you're not trying to make wifi do stuff it really wasn't designed for.

One of the things that is a must in a hotel is complete device segmentation--ie, no 'LAN' for devices to connect to each other. This is typically done with some specialized hardware or I think can be done in software as well. This is more easily done via wifi than on the wired part of your network in case you have direct wired segments.

Otherwise, you also need to think about the serious segmentation requirement for the front desk and property management system from the rest of the property as I'm sure it is used for credit card authorizations. These are juicy and easy targets for hackers who can literally stay in a room and hack the property--and you don't want that.

A physical floor plan of the site would be very useful or even a crude drawing. Obviously I've done this before and will end up having a lot more questions, but having been in the hospitality industry most of my life and tasked with either setting up or repairing the Internet access at all our properties, I think I've got some first hand experience you'll find quite valuable. :)
 
Oct 24, 2020
"but it's far from my day job so "

Why aren't you just the project manager for this, and contract it out to a local network guru.

Just like HVAC, plumbing, elec...
Contract that out.

Getting it wrong is far easier than getting it right. And much more disastrous.

It's a great point (I think I've seen you make it in some other threads with good reason!)

Cost is the main point - and whilst I admit to being far from an expert, I do think I have enough skills to get the job done with a little advice. In much the same way as I'll do most of the carpentry and electrical work for a project but contract too - I guess I know enough to be dangerous :devilish:

Thanks for the advice :)
 
Oct 24, 2020
One of the things that is a must in a hotel is complete device segmentation--ie, no 'LAN' for devices to connect to each other. This is typically done with some specialized hardware or I think can be done in software as well. This is more easily done via wifi than on the wired part of your network in case you have direct wired segments.

Regarding segmentation - completely agree with the basic security principle of separating the business and commercial sides of the network for good security means. Although worth re-iterating we are a small business, less than a dozen rooms over two floors. All our card transactions are done directly over the PDQ machine so that's already as segmented as it's going to get!

I also feel that for this sort of setup what we are providing is pretty akin to a hotspot you might get in a cafe (although with a reasonable expectation of better performance). In those terms I don't feel obliged to segregate each and every room. What I do want to at least think about (even if it's only so the implementation could follow later) is how I might segregate each apartment if they became a permanent residential let - in which case it would be reasonable for them to enjoy a bit more security vs every Tom, Dick and Harry on the guest network.

A physical floor plan of the site would be very useful or even a crude drawing. Obviously I've done this before and will end up having a lot more questions, but having been in the hospitality industry most of my life and tasked with either setting up or repairing the Internet access at all our properties, I think I've got some first hand experience you'll find quite valuable. :)

I really appreciate you taking the time - see attached.

Network Schematic on OneDrive
 
If the PDQ is still a 'peer' on the network, it is subject to hacking attempts.

I don't know why I didn't think of this before, but the easiest way to do this will be with a Ubiquiti setup and VLANs. You'll be able to easily segment each port that you need to onto its own VLAN, and can use their access points to continue the segmentation in the air.

The diagram helped a tremendous amount and really hits home the Ubiquiti setup, as you're basically needing to provide a 'managed' internet to each apartment, which can be easily done with a single Ubiquiti controller and then all the hardware. You can put the controller in the owner's office and they could control the whole thing as needed, and the individual port VLANs would keep everything segmented, including the access points.
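One way to pin down the segmentation policy discussed in this thread before buying kit is to write it as a small model and check it. This is an added example, not code from the thread or from Ubiquiti; the VLAN ids, subnets, interface names (eth0.<id> for the VLAN sub-interfaces, eth1 for the WAN) and the nftables rendering are all assumptions.

```python
import ipaddress

# Constructed VLAN plan for the five sub-networks named in the question
# (ids and subnets are assumptions, not values from the thread).
VLANS = {
    "owners":       {"id": 10, "subnet": "10.0.10.0/24", "trusted": True},
    "apartment1":   {"id": 21, "subnet": "10.0.21.0/24", "trusted": False},
    "apartment2":   {"id": 22, "subnet": "10.0.22.0/24", "trusted": False},
    "apartment3":   {"id": 23, "subnet": "10.0.23.0/24", "trusted": False},
    "guests_other": {"id": 30, "subnet": "10.0.30.0/24", "trusted": False},
}
WAN = "wan"  # the edge router's internet-facing side

def allowed(src, dst):
    """Policy decision for a new connection from VLAN src to dst.
    Every VLAN may reach the WAN; only the trusted owner VLAN may initiate
    to other VLANs (e.g. to manage APs parked on a guest VLAN); guest VLANs
    never reach each other or the owners."""
    if dst == WAN or src == dst:
        return True
    return VLANS[src]["trusted"]

def overlapping_subnets():
    """Return pairs of VLAN names whose subnets overlap (a routing/firewall
    mistake that silently merges two 'segregated' networks)."""
    nets = {n: ipaddress.ip_network(v["subnet"]) for n, v in VLANS.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]

def leaks():
    """Every (src, dst) pair where an untrusted VLAN could reach another VLAN."""
    return [(s, d) for s in VLANS for d in VLANS
            if s != d and not VLANS[s]["trusted"] and allowed(s, d)]

def nft_ruleset():
    """Render the policy as an nftables forward chain. Assumes router
    sub-interfaces named eth0.<vlan id> and eth1 as the WAN interface."""
    lines = ["table inet hotel {", "  chain forward {",
             "    type filter hook forward priority 0; policy drop;",
             "    ct state established,related accept"]
    for s, sv in VLANS.items():
        lines.append(f'    iifname "eth0.{sv["id"]}" oifname "eth1" accept')
        for d, dv in VLANS.items():
            if s != d and allowed(s, d):
                lines.append(f'    iifname "eth0.{sv["id"]}" '
                             f'oifname "eth0.{dv["id"]}" accept')
    lines += ["  }", "}"]
    return "\n".join(lines)
```

Running leaks() and overlapping_subnets() against the plan before committing it to the controller catches the two mistakes that quietly undo segregation; the default-drop forward chain means anything not listed is blocked.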
 
Solution
Oct 24, 2020
If the PDQ is still a 'peer' on the network, it is subject to hacking attempts.

I don't know why I didn't think of this before, but the easiest way to do this will be with a Ubiquiti setup and VLANs. You'll be able to easily segment each port that you need to onto its own VLAN, and can use their access points to continue the segmentation in the air.

The diagram helped a tremendous amount and really hits home the Ubiquiti setup, as you're basically needing to provide a 'managed' internet to each apartment, which can be easily done with a single Ubiquiti controller and then all the hardware. You can put the controller in the owner's office and they could control the whole thing as needed, and the individual port VLANs would keep everything segmented, including the access points.


Sorry I wasn't clear - it's on a dedicated telephone line, entirely on its own 'network'.

I've done some more reading on the Ubiquiti products and the configuration options for VLANs; I think it looks like a 'go-er' as well. I'm getting in touch with a local vendor. The ability to configure (and later re-configure) the VLANs in software is really attractive.

Thanks for all your help, it's very much appreciated.