What I have here is a ready-to-ship network deployment. Well, it's not getting shipped too far; Corey is actually going to be installing this. This is one of our clients' installs, so top to bottom it's something we own for one of our managed clients, and this is for one of their locations. What I have here is a UniFi 16-port PoE switch, one, two, three, four, five UniFi AC HDs, and one Netgate firewall to be the head end of this. Now, this network is rather simple. It's actually going in an arena.

What I have here is the whole deployment ready to go, because we test everything in the office. Test it, set it up, configure it, upgrade it, see if there are any issues, randomly power cycle it. We go through all the steps to make sure there are no problems, and technically it's kind of a burn-in period from when we get it to the install date. We should just leave it set up and running. That way we know, because generally hardware (and it's not always the case, I know, and there's no exact science to this) does seem to fail frequently in its very earliest stages of deployment, if you're gonna have a problem. Now, knock on wood, with UniFi we have had an absolutely excellent track record and we've never had one of these devices fail out on us, and that's pretty amazing. But you know, the reason we like their product so much is because the reliability has been excellent. Some of these have been installed for, you know, years, and obviously they're not something you turn off; you leave your Wi-Fi on all the time, and they've been up in ceilings running in offices that we've been deploying for a long time without any issues.

But I still like to test it beforehand, and we have no idea why one unit didn't adopt the first time we hit Adopt. We had to hit the reset button and then it adopted. That was weird. I can't repeat the problem; I don't know what the error was.
I don't know if the new guy, because we had him walking through all this, was at fault at all. For one reason or another, one didn't adopt after an upgrade, which, like I said, is the first time that's ever happened, and it was obviously just click the reset. And that's way easier to do before these, which are going to be mounted almost 25 feet up in the air, are deployed. It's always better to have them all up and adopted. I could do it in post, but that's probably not the most ideal way to do this, because to get to some of these a man lift has to be rented and then used to put them up.

So if you're wondering what the blue stickers are, this is part of the deployment process. The installer may not be exactly the same person, so our wiring team is going to go out and be doing the install. We don't know exactly where each one of these will go, so instead we just put numbers on them: one, two, three, four. We put it on with this blue tape because it's easy to peel the blue tape off. As the installer, which is going to be Corey in this case, puts up each one, he'll name the location. He'll be like, unit three (and it says three on it) was installed in, you know, the east hallway, and we have a map of all this. Then he'll put that unit exactly where it is on the map, he'll send us a picture of it for documentation, and in the system, because we're remotely managing this through our Cloud Key, we'll name it the name of where it was deployed. That way, in the setup process (and I was having the new guy do all this), when he runs through, he just has to put some stickers on them as he adopts them and name them in the system the same as their name right here. So it just becomes a very easy way to deploy them and not have to coordinate the two of them to go, "Oh no, that one went over here."
"I meant west side." We wait till the install date to actually name them as we mount them into the hallways and areas that these are going into.

Now, I have up here, and I've got to turn it around so you can see the network cables, the Netgate SG-3100, and I'm showing you how it's plugged in. Now, at present this client probably won't be doing redundancy in terms of internet connection. It's a maybe; they talked about it. They're deciding if they need it or not. Because this is a sports venue, kind of a stadium area, that's also why there's not a bigger switch, and that's also why we use high density Wi-Fi, because a lot of this is dedicated towards their guest network. They only need a few things in the office, and the Netgate SG-3100 is capable of failover with two internet connections, and certainly capable of gigabit routing despite what people keep telling me it's not. I tested it, I have it deployed, it works perfectly fine. So we're just using the WAN port. OPT1 is the optional port that can be used for different things; we're gonna be using it maybe for redundancy, but for now the client is only getting one internet provider. So this is going to be perfectly fine because, like I said, a lot of this is dedicated to a guest network. Then we have one cable, and that's why I wanted to show you: just one cable going out of the LAN side with VLANs on it.
So you don't necessarily need to do anything on the SG-3100 now. These have four ports on here that act as standard switch ports, so this is technically like one logical port here. Then the WAN is a logical port and OPT1 is a logical port. That way I can use each of these and program them, but then I just set the VLAN to come out here and it goes right into the UniFi. We're getting into software setup here in just a second.

From there, one is the main LAN, which is for the office people and administration, of which there's only a handful; there's going to be, I think they said, seven people in the building that need computer access, so pretty minimal there. Then the other side is the VLAN for the guests. That is the larger side of the network, and of course with the guest network there are a couple of rules that we'll talk about. We have AP isolation because we don't want the guests to be able to see each other, so we have that deployed in here. We're not worried about a guest portal. They do want a password on there, and what they do with their guest access is they have a password up on the wall. And I know someone will say it's not the most secure. Yeah, it's not really supposed to be; it's a guest network, and that's kind of the idea. So each guest is isolated, but in case they change the password to be something promotional, that's something to consider. They didn't want to go with the captive portal. When they sit down they don't want to make it a challenge, just give a password and all the guests that are fans can just come in there. That's what they plan now, but we can always change it. I know a captive portal is supported in UniFi, or we can even put a captive portal into the Netgate device and you can set all that up too.
It's in the works and under consideration. These are sometimes things that get changed in post by the client. This is what they told us now, but the venue doesn't open for a little while, so we're getting in on the ground floor and putting all this physical layer stuff in, and maybe later it'll change, and that's the beauty of the way this stuff works. It's just a few commands to send it back out and modify these to do it; however, they may not change it. But it's a pretty simple setup, and this is a very common setup.

And now I'm gonna jump over to the network side of this, log into the Netgate, log into the UniFi, and actually show you the settings that we put in there and kind of walk you through the why of how we set this up, and this pretty simple network.

Okay, so we'll start at the pfSense and talk about the network settings. I know, because this is in our internal network, for those of you wondering, this is not a public IP address, of course; 192.163.20, like it says, is plugged into like our general network that we have here at the office. Here is the LAN that is going into that. It says 2500Base-KX full-duplex. This is the four ports that you have right here for the LAN, so LAN one, LAN two, LAN three. This is the logical network for it; these are the different physical ports that are on there.
So when we look at the LAN, we have it set to 192.168.10.1. If you're setting up any type of business network, just don't make it 1.1 or 0.1 or 10.1.1. Because the 10 series, pretty much 10.1.1, if you put it in that, it may work, but it's also the default for Comcast. If you use 192.168.1.1, that's a default for, well, a lot of consumer routers, and 192.168.0.1 is a default for a lot of, I've seen, the D-Link routers. I know there are probably a few others that use this. The problem you run into is if you have to do a VPN later and you end up with another network. You want to start out with the business network being something a little bit different, because with a lot of the home users connecting when you set up the VPN, or if there's an existing network that was kind of an amateur setup, you frequently see 1.1. Well, then you have to decide how you want the routing to go whenever you want to VPN these networks together. That may never happen at this client, but it's still kind of a practice I follow to set this up.

Now, /24, like I said, maybe ten devices at most probably; I think there are seven people in the office. There's not gonna be a ton of users or devices on the business network. There's not a lot of staff there; it's pretty basic and straightforward, so I don't really have to worry about allocation on there when I set the DHCP server.

Now we're gonna go over here to Assignments, and we're gonna take a look at the VLAN. We built this VLAN 20 and we descriptively called it Guest Network, VLAN tag of 20. Interface assignments: it's called Guest Network, VLAN 20 on LAN, so mvneta1 is that LAN port. This is VLAN 20.
So all of that is being trunked right through. All the VLAN data goes through to the UniFi because it's sharing just that one cable you've seen at the beginning. So let me look over here and we go to the guest network interface, as we named it, and we see that this is 172.16.0.1 and we did a /22. The reason we did a /22, and I'll go over here to the DHCP server, is that a /22 will give us the range of 172.16.0.1 through 172.16.3.254. The reason you want a fairly large range is because there's a bunch of random people, and the majority of these are going to be phones that are connecting to this. So not a ton of bandwidth, but a lot of devices on there. Once again, we're gonna cover in a second how we do the AP isolation, but you want to have a wide range for people.

Now, this is also gonna drive over why I'm using the high density UniFi AC HDs: because they support up to 500 clients on one, and because of the way this is laid out. First, people may be in the arena area, because it's a sporting arena; then they may move over to a large bar area where one of these will be. So we have a high density of people kind of clustered together, so there may be a lot of them per device. Now, one of the things that people ask about is capacity planning. One, make sure you always go a little bigger if you can, and in this case these are very reasonably priced and have the support for 500 client connections on there. They're very fast; we've deployed these a few times.
I found them very reliable, especially with these high density groups of people on there, and still able to maintain a good system. But when you kind of ask the question of capacity, you also can do things like find out what the fire marshal said is allowed in the building. Oh, there's only a maximum capacity of 1,100 people in the building. Well, I know you just can't push 1,100 people into the range of one of these in that dense of an area. So we know each area's capacity as listed by the fire marshal, so we know there will be at most that many people in there, so you can kind of plan accordingly. So we know that we'll never over-saturate these, but we know that potentially, spread out through the building, because there's more than one arena area and a very large bar area, there's going to be a high density of users. So that's where we chose these, because it's able to really have no problems with Wi-Fi and interference.

But whenever you're setting up, just a general rule for subnetting is never put more than a thousand devices per subnet, because it can get noisy and a lot of traffic on there. So if you are getting bigger, that would go beyond the scale of what I'm deploying right here. But for what we're doing here, it's not likely that every one of these, all five of them, will get 500 users; but it's that density of users moving around that is why we chose these units. We probably still could have got away with smaller ones, but honestly, for the price difference and everything, we went ahead and went with these HDs because they're very reasonably priced. They're not substantially more: MSRP of 349; you can frequently find these for, I think we paid under 300 for them when we got them on sale. Or if you buy them in bulk, five at a time or four at a time in a bulk pack, you can get them cheaper as well. So that's the ones we went with here, these UAP HDs.
So now I'm gonna go back over to the settings, and we just use pretty much the whole network. We started at 172.16.0.10 to 172.16.3.250, so there are quite a few IP addresses that can be assigned there for different devices that jump on and off the network. Now, the way it works here in pfSense, we have the LAN network and then the guest network as separate. I like to put, when I'm doing a separate guest network, a completely different range, the 172 range. It just makes it really easy if you're ever doing any troubleshooting: you know if it begins with 172, it belongs to the guest network. There's no hard and fast rule about this; this is kind of a convenience thing for when I've set up a lot of networks. I know right away, if I see some problem or I'm just generally looking through logs, 172 is stuff coming from the guests, 192 is coming from the office. And if I had to build out another separate network for the office, let's say for like a credit card network or a point of sale system network, we could build a LAN2, another office network, and still keep it in the 192 range, and just not use the .10, use something else, create another VLAN, and the same thing. It keeps kind of a consolidated way that I view things.

And I wanted to make sure I mentioned it on the guest network: we do allow access, and we have this, which means they can't access LAN net. So here's your guest network versus LAN, and we want to give them internet access but not access to local networks. Now, normally I would have done this in an alias, and you alias in all the different LAN networks, but there's only one. So we simply, and I'll edit the rule real quick here and show you, we allow the source to be any, and invert match means LAN network: they cannot get to the LAN network. Now, this is also further protected by the routing within the UniFi devices, which also would only apply guest network policies, and stop them from seeing both each other and other local devices through exclusions set in the guest policies.
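To make the addressing and the guest rule described above concrete, here is an added example (written for this write-up, not the video's pfSense configuration export) that models the two subnets and the single guest-interface pass rule with Python's ipaddress module. The LAN 192.168.10.0/24, the guest 172.16.0.0/22, the DHCP pool 172.16.0.10 to 172.16.3.250, the "avoid these gateways" advice, and the rule's invert match on LAN net are taken from the description above; the packet addresses are constructed.

```python
import ipaddress

# Values as described above (the DHCP pool and the rule are modelled, not exported).
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
GUEST_NET = ipaddress.ip_network("172.16.0.0/22")
GUEST_DHCP_POOL = (ipaddress.ip_address("172.16.0.10"),
                   ipaddress.ip_address("172.16.3.250"))

# Gateway addresses the video says to avoid because consumer routers and
# ISP gear default to them; a site-to-site VPN later would collide with them.
COMMON_DEFAULT_GATEWAYS = {"192.168.1.1", "192.168.0.1", "10.1.1.1"}


def usable_range(net):
    """First and last host address, as pfSense shows them on the DHCP page."""
    return net[1], net[-2]


def pool_inside(net, pool):
    """True when the whole DHCP pool sits inside the interface's subnet."""
    lo, hi = pool
    return lo in net and hi in net and lo <= hi


def pool_size(pool):
    """Number of leases the pool can hand out."""
    lo, hi = pool
    return int(hi) - int(lo) + 1


def gateway_is_distinct(net):
    """True when the .1 gateway is not one of the common consumer defaults."""
    return str(net[1]) not in COMMON_DEFAULT_GATEWAYS


def guest_rule_allows(src, dst):
    """Model of the one rule on the guest interface: pass, source guest net,
    destination '! LAN net' (invert match).  Traffic matching no rule hits
    pfSense's implicit default deny.  Note what the invert match does NOT
    exclude: other guests and the firewall's own guest-side address (needed
    for DHCP and DNS).  Guest-to-guest blocking is left to the AP isolation
    in the UniFi guest policy, exactly as the video describes."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src not in GUEST_NET:
        return False           # rule does not match; implicit default deny
    return dst not in LAN_NET  # only the LAN subnet is excluded


def design_report():
    """Collect the checks a reviewer would want before the box ships."""
    return {
        "pool_inside_guest_net": pool_inside(GUEST_NET, GUEST_DHCP_POOL),
        "pool_size": pool_size(GUEST_DHCP_POOL),
        "guest_usable_hosts": GUEST_NET.num_addresses - 2,
        "subnets_overlap": LAN_NET.overlaps(GUEST_NET),
        "lan_gateway_distinct": gateway_is_distinct(LAN_NET),
        "guest_gateway_distinct": gateway_is_distinct(GUEST_NET),
    }


if __name__ == "__main__":
    for key, value in design_report().items():
        print(f"{key}: {value}")
    # Constructed packets: guest to internet, guest to LAN, guest to guest.
    for src, dst in [("172.16.1.50", "8.8.8.8"),
                     ("172.16.1.50", "192.168.10.5"),
                     ("172.16.1.50", "172.16.2.9")]:
        verdict = "pass" if guest_rule_allows(src, dst) else "block"
        print(f"{src} -> {dst}: {verdict}")
```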
Now, that's pretty much it for the firewall setup. Not a lot to it; it's, like I said, straightforward. There's not a lot on here. I will probably load pfBlocker on here. That's about all they really need to make this system work, and, like I said, potentially failover if they add it later.

Now let's jump into the UniFi side of the configuration. So in the 16-port PoE, we have the one uplink port, which is this one here. This is actually where I plugged it in for the uplink, and this is where all the data is coming in from the pfSense box. So just to follow me on the VLAN setup here: we have the four ports, the switch ports on the pfSense. We have one cable coming out of that and going into this port, which becomes the uplink port. There are no special settings on this. Switch profile All, so we do see the LAN and guest. What you actually want is the full All profile, because we're not, at this time, splitting out any of the PoE ports, or ports in general, on the 16-port PoE switch to be their own VLAN. Because if you wanted to, you could plug in the Wi-Fi and, to use the example of like this port here (let me close that), we could look at this port and we could edit this port and we could say, hey, port 3 has one of the Wi-Fi devices plugged in, make that only the guest network. But the reason we don't do that is because you want them to be able to get all the profiles, because you want to do the actual VLAN setup inside of the devices themselves. So let me show you how we do that.

So first we're gonna go here to Settings, and I go here to Networks. Here in Networks we have our guest network, VLAN only, and we have our LAN. And how we created this was pretty easy: you can literally hit Create Network, hit VLAN only, and put the VLAN ID in there. Pretty straightforward. So we'll actually edit this one real quick to show you. We named it Guest Network because that's what it is; this is just our own naming convention. VLAN 20, which matches VLAN 20 right here.
So, you know, you have to keep all that matching. So guest network, VLAN only, VLAN 20. Pretty straightforward. Here's the corporate network, LAN, and we just left this at 192.168.10.1/24 so it knows what the network settings are. So we have the LAN, corporate, here. So that's set and configured, and that's gonna get everything.

Now here's where we build the wireless networks. I have one called Guest Network and one called Office Network. These are not the names you'll get in the actual deployment, but for the nature of this video I didn't really put the company name in there. So Guest Network, WPA Personal, and we do have a password on it. The other thing we checked here is Apply guest policies (captive portal, guest authentication). You set the guest control policies; we have it set just for really the isolation, and that's an important piece. So that's in the guest settings; I'll give that one second. This is the part that is important: Use VLAN, and then what the VLAN number is, so we use VLAN 20. That slices off all the data coming to there. So all the data goes from the pfSense out of the port into the 16-port PoE, with all the VLAN data, the whole thing as trunk data. So everything comes through, then it goes all the way to the Wi-Fi devices. So the access points get all the data, and then they can slice out the VLAN, which is VLAN 20, and they slice it out and put it on its own SSID. So when we create this Guest Network SSID, VLAN 20 is sliced out of there and that becomes that 172 network.

And go back over here to Wireless Networks, and with the Office Network, what we're doing here is not using a VLAN, because we do the office now. If we were to set up another office network, or you wanted to create further isolation, but the office network is the trusted network, per se, you could create a separate VLAN just for the office network. That way you have a management network and an office network, if you really wanted to break things down really tight like that. But it doesn't really need to be in this use case. There are gonna be a few computers on there for updating scores and things like that that the office people will be using, but all that data is coming through that wireless network, so we don't need to break this one out. It's gonna pull the 192 network.

And so, back to a little bit of how VLANs work: all the data comes down the pipe and we're using the access point to slice out that VLAN and remove that tag data. So it is carrying over one single cable, and if we ever needed to have more bandwidth, these do have the dual cable support, so you can bond them together if there was a speed issue. But you've got to remember, too, that on the physical side of it one cable is carrying both networks; it's just segmented out inside the VLAN.

Now, the last little thing I want to cover here is the user group: it's Guest Network, not Default. This is because we're using the access points themselves as a layer of protection for not giving them full bandwidth, and they generally don't need it. You've got a bunch of people there, because this is gonna be a lot of kids playing sports and a lot of parents who are going to be taking pictures and sending them and uploading them. That's why they need the guest network on there, and that's what this user group is for. We have a user group called Guest Network. So Default is unlimited bandwidth; limit bandwidth to two megs, limit upload bandwidth to two megs, and what this is doing is slowing down their network.
So the service they're getting is a 500 meg circuit going in here, and you don't necessarily want all the users to have full access all the time. Now, they don't all the time; phones are somewhat efficient, unless they're watching YouTube or Netflix. They're somewhat efficient about their data usage because, you know, they kind of expect 3G. But you don't want to give them just a full pipe on there. So for each one of these, limit download bandwidth to two, limit upload bandwidth to two, and away we go and we're good.

Later we may do, if needed, and this is actually the second deployment (this is another location for this particular client), if needed we can also have pfSense do some traffic shaping. But at the other location we haven't had an issue, and they have quite a few guests on the network, and it hasn't really caused any problems. But an option we can do is traffic shaping, where we prioritize one network over another, and that's reasonably easy to do inside of pfSense. You can also just put restrictions on that network, like hard limits, and say this network can never exceed this much bandwidth, and then everyone, the phones, can all fight it out for the available bandwidth on there. But what you have to do, though, because we're gonna start at the UniFi, is at least limiting, so no one phone can have more bandwidth. And two megs is not super fast, but it's fast enough for them to, you know, update Facebook and tweet out pictures and Instagram things. So it's good enough for that; it'll get the job done. And that's one of the nice things about things like Instagram: it does cut the resolution down, making getting the data out a little bit less of a challenge.

So that's pretty much it for the setup here. It's pretty straightforward and, like I said, you can see how we did the naming scheme: naming them, putting the blue stickers on them.
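The trunk described in the wireless-network section above, where one cable carries the office network untagged and the guest network tagged VLAN 20 and the access point strips the tag onto its own SSID, as an added example (written for this write-up, not UniFi's or pfSense's code). The frame bytes are constructed, and the port profile names that stand in for the switch UI choices ("All" versus a guest-only port) are assumptions.

```python
import struct

TPID_8021Q = 0x8100
GUEST_VID = 20  # the VLAN tag the video uses for the guest network

# Port profiles standing in for the UniFi switch UI options (assumed names; the
# video leaves every port on "All", so tagged guest and untagged LAN both pass).
PORT_PROFILES = {
    "All": None,                   # trunk: any VID, untagged included
    "Guest network": {GUEST_VID},  # the per-port lock-down the video decides against
    "LAN": {None},                 # untagged only
}

# Constructed sample: a broadcast IPv4 frame with no tag, as the office side sends it.
SAMPLE_UNTAGGED = (bytes.fromhex("ffffffffffff") + bytes.fromhex("0a1b2c3d4e5f")
                   + struct.pack("!H", 0x0800) + b"constructed payload")


def tag_frame(frame, vid, pcp=0):
    """Insert an 802.1Q header (TPID + TCI) after the 12-byte destination/source MACs."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1-4094")
    tci = (pcp << 13) | vid
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


def parse_frame(frame):
    """Return (vid or None, frame with the tag removed); reject truncated input."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        return None, frame
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q header")
    (tci,) = struct.unpack_from("!H", frame, 14)
    return tci & 0x0FFF, frame[:12] + frame[16:]


def firewall_egress(frame, network):
    """What leaves the SG-3100's LAN port: the office LAN untagged, the guest
    network tagged VLAN 20, both on the same cable."""
    if network == "guest":
        return tag_frame(frame, GUEST_VID)
    if network == "lan":
        return frame
    raise ValueError("unknown network")


def port_accepts(profile, vid):
    """Does a switch port with this profile forward a frame carrying this VID?"""
    allowed = PORT_PROFILES[profile]
    return True if allowed is None else vid in allowed


def ap_ssid_for(frame):
    """What the access point does with a frame arriving on its uplink: VLAN 20 is
    sliced out onto the guest SSID, untagged traffic goes to the office SSID,
    and any other VID has no SSID and is dropped."""
    vid, inner = parse_frame(frame)
    if vid == GUEST_VID:
        return "guest network", inner
    if vid is None:
        return "office network", inner
    return None, inner


def trunk_round_trip(network, profile="All"):
    """Firewall -> switch port -> AP; returns the SSID the payload lands on,
    or None if the port profile or the AP drops it."""
    on_wire = firewall_egress(SAMPLE_UNTAGGED, network)
    vid, _ = parse_frame(on_wire)
    if not port_accepts(profile, vid):
        return None
    return ap_ssid_for(on_wire)[0]


if __name__ == "__main__":
    for net in ("lan", "guest"):
        print(f"{net} over an 'All' port lands on: {trunk_round_trip(net)}")
    print("lan over a guest-only port lands on:",
          trunk_round_trip("lan", "Guest network"))
```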
So now, once they get installed, we just go through each one and rename them as they get installed. But it's pretty easy to do; this will be called, you know, hallway or wherever it goes, and each location. Then we overlay the map on there, and then the system is deployed and we manage it. It's a pretty straightforward setup, but that's it for the video. Hopefully this was enlightening. This is literally a job that's going to be installed; I believe the job is scheduled for Thursday right now. If I have a chance, I'll film some on site there, getting this built out, which would be pretty cool, but I don't always have time to do that. So I at least want to show you the prep work that goes into a deployment like this prior to the deployment. These are all the things we have to get ready in the office for this, and we do this sometimes for other technicians. So in this case, this is a job from top to bottom that's ours, and it's another location for an existing client doing the same thing: you know, having a stadium venue where they do sports training, and, you know, a lot of parents are bringing their kids to the sporting event. This is, like I said, a repeat of something we've already done before, so we know this whole setup works perfectly fine. But we do do this as well for other technicians that just want to do the physical layer and have us help with the setup work, because managing this is not too hard to do. A lot of it does come down to getting it set up as the important part, and kind of thinking through: all right, this is how I want to do it.
This is the layout I want to do. So hopefully this was enlightening, or maybe you have comments, concerns, or things you think I could be doing better. I'm always, you know, listening to feedback, because how we do things is always shaping and changing over time, and we're always trying to, you know, improve processes and become more efficient when we do this. But this is gonna sit on a desk running for, like I said, a couple of days until it gets to the deployment time, and from there it gets sent out and works. So that's it.

Thanks for watching. If you liked this video, go ahead and click the thumbs up. Leave us some feedback below to let us know any details, what you liked and didn't like as well, because we love hearing feedback, or if you just want to say thanks, leave a comment. If you want to be notified of new videos as they come out, go ahead and subscribe and hit the bell icon; that lets YouTube know that you're interested in notifications. Hopefully they send them, as we've learned with YouTube. Anyways, if you want to contract us for consulting services, go ahead and hit lawrencesystems.com and you can reach out to us for all the projects that we can do and help you with. We work with a lot of small businesses, IT companies, even some large companies, and you can farm different work out to us or just hire us as a consultant to help design your network. Also, if you want to help the channel in other ways, we have a Patreon, we have affiliate links; you'll find them in the description. You'll also find recommendations to other affiliate links and things you can sign up for on lawrencesystems.com. Once again, thanks for watching and I'll see you in the next video.