Back to How To Guides
How To Guide

How to Design a Secure Business Network Layout

A well-designed network is the foundation of business IT security. Proper segmentation and access controls prevent breaches from spreading across your organisation.

Overview

Network design principles apply whether you have 5 or 500 employees. The key concepts are segmentation, defence in depth, and least-privilege access.

Step 1: Network Planning

Map out your network requirements before purchasing any equipment.

1

Assess Requirements

  • Count all devices: computers, phones, printers, IoT devices, cameras
  • Identify departments that need network separation (finance, HR, operations)
  • Map internet usage: bandwidth needs, remote access requirements, cloud services
  • List compliance requirements that affect network design (GDPR, PCI DSS, NHS)
  • Plan for growth: design capacity for at least 2x current device count
  • Document critical services and their network dependencies
2

Design Network Segments

  • Corporate network: Employee workstations, laptops, and business servers
  • Guest network: Visitor devices and personal phones on separate subnet
  • IoT/OT network: Printers, IP cameras, smart devices, HVAC controllers
  • Server/DMZ zone: Public-facing web servers separated from internal services
  • Management network: Switch and router admin interfaces on isolated VLAN
  • Development/Test: Isolated environment for testing (if applicable)
Pro Tip:

Network segmentation limits blast radius. If ransomware hits one VLAN, it cannot easily jump to others without crossing a firewall.

3

Create Network Diagram

  • Use free tools like draw.io or Lucidchart for network topology
  • Document IP address ranges for each VLAN/subnet
  • Map physical cable runs and switch port assignments
  • Include wireless access point locations and coverage areas
  • Note firewall rules between segments
  • Keep diagram updated as changes are made — outdated diagrams cause security gaps
4

Plan IP Addressing

  • Use RFC 1918 private address ranges (10.x.x.x, 172.16-31.x.x, 192.168.x.x)
  • Assign different subnets per VLAN (e.g., 10.10.1.0/24 for corporate, 10.10.2.0/24 for guest)
  • Reserve IP ranges for servers, printers, and infrastructure devices
  • Use DHCP for workstations and static IPs for servers and network equipment
  • Document all static IP assignments in a spreadsheet or IPAM tool

Step 2: Core Components

Essential network infrastructure for a secure business.

1

Firewall and Router

  • Business-grade firewall at the internet edge — not a consumer router
  • Recommended options: pfSense (free, open source), Fortinet FortiGate, SonicWall, Ubiquiti USG
  • Configure default-deny firewall rules: block everything, then allow specific traffic
  • Enable Intrusion Detection/Prevention System (IDS/IPS) on the firewall
  • Set up VPN for remote workers (IPsec or WireGuard)
  • Configure NAT and port forwarding only for essential services
  • Enable firewall logging and send logs to a central syslog server
2

Managed Switches

  • Use managed switches (not unmanaged) for VLAN support
  • Configure port security to limit MAC addresses per port
  • Enable storm control to prevent broadcast storms
  • Set up VLAN trunking between switches using 802.1Q
  • Disable unused switch ports to prevent unauthorised device connections
  • Enable Spanning Tree Protocol (STP) to prevent network loops
3

Enterprise Wi-Fi

  • Deploy enterprise-grade access points (Ubiquiti, Meraki, Aruba, Ruckus)
  • Create separate SSIDs for corporate (WPA3-Enterprise) and guest networks
  • Use RADIUS authentication for corporate Wi-Fi with Active Directory integration
  • Set guest network with bandwidth limits and client isolation
  • Position APs for coverage overlap of 15-20% between zones
  • Use a wireless controller for centralised management and monitoring
4

DNS and DHCP

  • Run internal DNS server for name resolution of local resources
  • Configure DHCP scopes per VLAN with appropriate lease times
  • Set DNS filtering (e.g., Quad9, Cloudflare Gateway) to block malicious domains
  • Reserve DHCP addresses for printers and other infrastructure devices
  • Configure DNS to forward external queries to secure resolvers

Step 3: Monitoring and Maintenance

Keep your network secure and performant over time.

1

Network Monitoring

  • Deploy monitoring tools: PRTG, LibreNMS, or Zabbix
  • Monitor bandwidth utilisation on each VLAN and WAN link
  • Set up alerts for link failures, high utilisation, or device offline
  • Track wireless client counts and signal strength
  • Monitor DHCP pool usage to avoid address exhaustion
2

Security Maintenance

  • Review firewall logs weekly for suspicious activity
  • Update firmware on all network devices quarterly (or when critical patches released)
  • Rotate admin passwords for network devices every 90 days
  • Conduct quarterly network security reviews
  • Perform annual penetration test of network infrastructure
  • Keep network documentation current — review after every change
3

Disaster Recovery

  • Document recovery procedures for each critical network component
  • Keep spare switches and access points on-site
  • Maintain offline backups of all device configurations
  • Test failover procedures for internet connections
  • Define RTO (Recovery Time Objective) for network components

Need Professional Help?

Our engineers provide expert assistance with setup, troubleshooting, and ongoing support for businesses and individuals across Cornwall.

Get in Touch Call 01726 76999

Related Guides

How to Implement Firewall Rules for Office Security

Step-by-step guide with expert tips.

Learn more →

How to Set Up NAS for Centralised Storage

Step-by-step guide with expert tips.

Learn more →

Professional IT Support

Need hands-on help? Our engineers are ready.

Learn more →