Executive Summary

  • Brewster’s Coffee House is a small café with 2 POS terminals, 1 back-office computer, and a public Wi-Fi service for up to 20 customer devices. The core challenge is delivering simple, reliable Wi-Fi while strictly isolating payment traffic from guests for security purposes.
  • A unified Ubiquiti UniFi stack is proposed: a UniFi security gateway for VLAN/firewall segmentation, a managed PoE switch for clean power and port control, and 2 ceiling-mounted Wi-Fi 6 access points for even coverage. Networks are segmented into Payment, Staff, and Guest VLANs; Guest Wi-Fi uses a captive portal and client isolation; QoS favors POS traffic.
  • The estimated total cost would be ~$1500 (hardware + contingency), which is well under the $5,000 budget.

Key Benefits

  • Strong segmentation and policy control
  • Reliable Wi-Fi coverage and capacity for a busy café, with redundancy from dual APs
  • Centralized, cloud-managed operations with straightforward updates and monitoring
  • Cost headroom for UPS, cabling, and future expansion (such as extra AP, camera, or dual-WAN)

Scenario Analysis

Business Description

  • A single-floor café (approx. 800-1,800 sq ft) with an open seating area, barista counter (two POS), a small back room (office PC, printer), and customer Wi-Fi
  • Internet via business broadband modem terminating to the site gateway

Networking Requirements

Devices

  • 2 POS terminals (prefer wired, static DHCP) on a Payment VLAN
  • 1 back-office PC and printer on a Staff VLAN
  • ≤20 concurrent guest devices on a Guest VLAN/SSID

Policies

  • VLANs → staff (VLAN 10), payment (VLAN 20), guest (VLAN 30)
  • Firewall rules → block guest → LAN; allow staff → printer; restrict payment to outbound HTTPS only
  • Wi-Fi security → WPA3-Personal for staff; guest captive portal with bandwidth caps
  • QoS → prioritize POS and interactive traffic; rate-limit guest per-client and aggregate

Performance Expectations

  • WAN → support 300-1,000 Mbps business broadband; hardware should sustain near-gigabit routing with common features enabled
  • Wi-Fi → smooth browsing/streaming for ~20 guests, low-latency POS traffic, robust roaming across the seating area
  • Switching → gigabit to endpoints; PoE budget sufficient for 2 APs and a VoIP handset if added

Special Considerations

  • Security → segment payment devices and minimize scope; maintain simple, auditable rules
  • RF environment → potential 2.4 GHz interference (microwaves, IoT); prefer 5 GHz
  • Aesthetics → ceiling-mounted, low-profile APs; minimal visible cabling

Hardware Selection and Justification

Network Switches

  • Model and Quantity
    • Ubiquiti UniFi Switch Lite 16 PoE (USW‑Lite‑16‑PoE) — 1
  • Key Specifications
    • 16x 1G RJ45 ports total
    • 8x PoE+ (802.3at) ports, 45 W PoE budget
    • Managed Layer 2, VLANs, port profiles, per-port isolation
  • Price and Vendor
    • ~$240-$299 from Ubiquiti Store or authorized resellers
  • Justification
    • This provides enough PoE for two APs and room for a PoE phone or camera
    • 16 ports cover two POS, back-office PC, printer, AP uplinks, gateway uplink, as well as future growth
    • Managed VLANs let us hard-wire payment devices to the payment network at the port level
    • Quiet, compact form factor suits a small wall-mount rack in the back room

Router(s) / Security Gateway

  • Model and Quantity
    • Ubiquiti UniFi Gateway Ultra (UXG Ultra) — 1
  • Key Specifications
    • Stateful firewall, VLAN routing, inter‑VLAN ACLs, guest network policies
    • IDS/IPS and DPI options; traffic shaping, smart queues
    • Near‑gigabit routing throughput with common features; multiple RJ45 interfaces
    • Managed via UniFi Network application (cloud or on‑prem)
  • Price and Vendor
    • ~$130-$160 from Ubiquiti Store or authorized resellers
  • Justification
    • Delivers the core needs: segmentation, guest isolation, payment lockdown, QoS.
    • Sufficient WAN performance for current and future broadband tiers.
    • Centralized UniFi management keeps operations simple for non‑technical staff.

Wireless Access Points

  • Model(s) and Quantity
    • Ubiquiti UniFi U6+ — 2
  • Coverage and Capacity
    • Dual‑band Wi‑Fi 6 (2x2 MIMO); 802.11ax efficiency for dense, bursty café traffic.
    • Two APs distribute clients better than one, reduce contention, and provide redundancy.
    • Mount centered over seating and near the counter to balance coverage; use low transmit power to reduce co‑channel interference.
  • Security Features and Standards
    • WPA3‑Personal, guest portal with client isolation, band steering, airtime fairness.
    • VLAN‑mapped SSIDs (Guest VLAN 30, Staff VLAN 10, optional hidden Payment SSID if needed)
  • Price and Vendor
    • Approx. $129 each; total ~$258
  • Justification
    • Excellent price/performance for cafés; supports modern clients efficiently
    • PoE power via the switch simplifies install and avoids wall‑warts

Additional Components

  • Patch Panel and Rack
    • 24-port Cat6 patch panel ($60) and 6U wall-mount rack with shelf ($120)
    • Keeps terminations tidy, labels VLAN-specific ports, and improves serviceability
  • Cabling
    • Bulk Cat6 (500 ft) + keystone jacks/plates ($180) and 12 patch cables ($60)
    • Hardwire both POS and the office PC for stability and lower latency
  • Power Protection
    • UPS 900-1000 VA for gateway + switch (~$170) and a surge-protected power strip (~$30)
    • Ride through short outages and prevent POS disconnects during brownouts
  • Controller/Management
    • Use UniFi Network Application in the cloud or on an existing PC/NAS ($0)
    • Optional Cloud Key Gen2 Plus (~$200-$230) if you want on-site controller or plan to add cameras
  • Installation and Setup Considerations
    • Ceiling‑mount APs; run Cat6 home‑runs to the switch; label both ends
    • Configure VLANs → 10 Staff, 20 Payment, 30 Guest.
      • POS ports → untagged VLAN 20 (Payment), block inter‑VLAN
      • Office PC/printer → untagged VLAN 10 (Staff)
      • AP uplinks → trunks carrying VLANs 10/20/30
    • SSIDs
      • STAFF_SSID → VLAN 10, WPA3‑Personal
      • GUEST_WIFI → VLAN 30, captive portal, client isolation, per‑client cap (e.g., 10/2 Mbps), network cap (e.g., 50–100 Mbps)
      • No Wi‑Fi for Payment; keep POS wired to constrain scope
    • Firewall/QoS
      • Deny Guest → LAN; allow Guest → WAN only
      • Payment VLAN → allow outbound TCP/443; deny local subnets; optionally allow NTP/DNS to trusted servers
      • Prioritize POS traffic; enable Smart Queues if uplink is the bottleneck
    • RF Tuning
      • Prefer 5 GHz for Guest; optionally disable 2.4 GHz on Guest if noisy
      • Use non‑overlapping channels and moderate power
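The VLAN and firewall policy above (the Policies section and the Firewall/QoS setup steps), modelled as a first-match rule table so each intended flow can be checked before the rules are typed into the gateway. This is an added example, not part of the proposal or any UniFi configuration; the subnets, the trusted DNS/NTP server address, and the staff → WAN allow rule are assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional
# Assumed subnet plan: the proposal fixes VLAN ids 10/20/30 but not the subnets.
VLANS = {
    "staff":   ipaddress.ip_network("10.0.10.0/24"),  # VLAN 10
    "payment": ipaddress.ip_network("10.0.20.0/24"),  # VLAN 20
    "guest":   ipaddress.ip_network("10.0.30.0/24"),  # VLAN 30
}
TRUSTED_SERVERS = frozenset({"9.9.9.9"})  # assumed trusted DNS/NTP server for the POS

def zone(ip: str) -> str:  # VLAN name of an address, or "wan" if in no local subnet
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in VLANS.items() if addr in net), "wan")

@dataclass(frozen=True)
class Rule:
    src: str                             # source zone
    dst: str                             # destination zone, or "lan" = any local VLAN
    verdict: str                         # "allow" or "deny"
    proto: Optional[str] = None          # None = any protocol
    ports: Optional[frozenset] = None    # None = any destination port
    dst_ips: Optional[frozenset] = None  # None = any address in the destination zone

    def matches(self, src_zone, dst_zone, proto, dport, dst_ip) -> bool:
        dst_ok = dst_zone != "wan" if self.dst == "lan" else self.dst == dst_zone
        if self.src != src_zone or not dst_ok:
            return False
        if self.proto and self.proto != proto:
            return False
        if self.ports and dport not in self.ports:
            return False
        return not self.dst_ips or dst_ip in self.dst_ips
# First-match table transcribed from the proposal; unmatched flows are denied.
# (Same-VLAN staff -> printer traffic is switched, never routed; that rule documents intent.)
RULES = [
    Rule("guest", "wan", "allow"),                             # Guest -> WAN only
    Rule("guest", "lan", "deny"),                              # block Guest -> LAN
    Rule("staff", "staff", "allow"),                           # allow staff -> printer
    Rule("staff", "wan", "allow"),                             # assumed: office PC needs Internet
    Rule("payment", "wan", "allow", "tcp", frozenset({443})),  # POS: outbound HTTPS only
    Rule("payment", "wan", "allow", "udp", frozenset({53, 123}), TRUSTED_SERVERS),  # optional DNS/NTP
    Rule("payment", "lan", "deny"),                            # deny local subnets
]

def evaluate(src: str, dst: str, proto: str, dport: int) -> str:  # verdict for one flow
    src_zone, dst_zone = zone(src), zone(dst)
    for rule in RULES:
        if rule.matches(src_zone, dst_zone, proto, dport, dst):
            return rule.verdict
    return "deny"  # default deny
```

Running `evaluate("10.0.30.7", "10.0.20.5", "tcp", 443)` (a guest device reaching for a POS terminal) returns "deny", while the same guest to an Internet address returns "allow"; a POS terminal is allowed out on TCP/443 only.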

Budget Analysis

  • Itemized Components
    • UniFi Gateway Ultra (UXG Ultra) → $149
    • UniFi Switch Lite 16 PoE (USW‑Lite‑16‑PoE) → $269
    • UniFi U6+ APs (Qty 2) → $258
    • 6U wall‑mount rack + shelf → $120
    • 24‑port Cat6 patch panel → $60
    • Bulk Cat6 + keystones/plates → $180
    • Cat6 patch cables (assorted) → $60
    • UPS 900–1000 VA → $170
    • Surge‑protected power strip → $30
  • Hardware → ~$1,296
  • Contingency (tax/shipping) → ~$130-$195
  • Estimated Total → $1,430-$1,490
  • Against Budget → $3,500+ headroom
  • Trade-offs
    • Chose 2x U6+ over 1x U6 Enterprise for better client distribution and redundancy
    • PoE budget sized for two APs; adding many cameras later would require a higher‑PoE switch
    • Skipped on‑site Cloud Key to reduce cost/complexity; can be added if local management or NVR is needed
  • Future Upgrades
    • Add third AP if floorplan expands or density increases
    • Introduce dual‑WAN (secondary ISP or LTE) for POS continuity
    • Upgrade to a higher‑PoE switch if adding cameras or additional PoE devices
    • Consider DNS/content filtering and centralized logging for enhanced security posture

Conclusion

  • Solution Fit → the proposed UniFi stack meets Brewster’s needs by cleanly separating payment devices from public Wi‑Fi, delivering reliable coverage with two Wi‑Fi 6 APs, and simplifying day‑to‑day operations through centralized management. It remains far under budget while leaving clear upgrade paths.
  • Reflection → the procurement exercise highlighted how VLAN design and firewall policy directly manage risk, how PoE and a small managed switch streamline deployment, and why two APs often outperform a single higher‑end unit in real spaces.
  • Lessons Learned → map requirements to capabilities (segmentation, QoS, management), design for the typical failure modes (power blips, noisy 2.4 GHz), and preserve budget for resilience (UPS, extra AP capacity). This approach produces a secure, reliable, and maintainable café network that can grow with the business.