This page focuses on network design, internet design, wireless planning, structured cabling, and documentation standards. A reliable network is not an accident. It is the result of consistent design, quality components, and clean installation. These standards create a predictable environment that improves uptime, reduces support effort, and supports growth. For supported networking hardware standards, refer to the Technology Standards page.
Related Standard: Physical placement, environmental fit, power protection, air quality, and supportability expectations for firewalls, switches, wireless access points, and storage devices are covered in Network Equipment Standards.
Two Parts of a Successful Network #
We break network standards into two categories. Both are required for a stable environment.
- Active Network Standards. Firewalls, switching, wireless, internet design, and configurations.
- Physical Infrastructure Standards. Cabling, patch panels, labeling, racks, and wiring layout.
A high-quality firewall cannot fix poor wiring. A perfect cable plant cannot fix weak network design. When both are done well, performance and reliability become predictable.
Design Levels #
Not every business needs the same level of redundancy. We use three simple levels so expectations stay clear.
| Level | Best For | Goal |
|---|---|---|
| Baseline | Most small and mid-size offices | Secure, stable, and supportable with a single internet provider |
| Recommended | Teams that rely heavily on cloud apps and VoIP | Reduced risk and faster recovery with targeted redundancy |
| Resilient | Operations that cannot tolerate downtime | Automatic failover for critical components and internet |
Visual Quick Guide #
These simple diagrams show the difference between a typical baseline network and a resilient design with redundancy. The goal is clarity, not complexity.
Baseline (Secure and Supportable) #
Best for most small and mid-size offices. One internet provider and one firewall. Great when downtime tolerance is moderate.
```
        [Internet Provider]
                 |
            [Modem/ONT]
                 |
        [Business Firewall]
                 |
           [Core Switch]
                 |
[Wi-Fi, User Devices, Printers/VoIP]
```
- Internet: Single provider
- Firewall: One business-class firewall with security subscriptions
- Switching: Managed switches, VLAN capable
- Wireless: Business-grade access points with separate guest network
Recommended (Improved Reliability and Growth) #
Adds structure for predictable growth. This often includes a core and edge design and a readiness plan for redundancy.
```
[Internet Provider]
        |
   [Modem/ONT]
        |
[Business Firewall]
        |
  [Core Switch]
     |        \
[IDF Switch A] [IDF Switch B]
     |              |
[Wi-Fi, User Devices, Printers/VoIP]
```
- Topology: Hub and spoke from a core switch (often MDF to IDFs)
- Uplinks: Dedicated uplinks from IDFs to core, documented and labeled
- Power: UPS protection for network equipment
- Documentation: VLAN list, SSID list, network diagram, and change tracking
Resilient (Automatic Failover) #
Best for operations that cannot tolerate downtime. Adds redundancy for internet and firewall and typically improves switch uplink resilience.
```
   [ISP #1]        [ISP #2]
      |               |
   [Modem]         [Modem]
       \             /
        \           /
 [Firewall A] <-> [Firewall B]
   (Active)        (Standby)
              |
        [Core Switch]
          /       \
[IDF Switch A]  [IDF Switch B]
       |              |
[Wi-Fi, User Devices, Printers/VoIP]
```
- Internet: Two providers configured for automatic failover
- Firewall: Two firewalls in high availability (active/standby)
- Switching: Redundant uplinks where appropriate and supported
- Monitoring: Alerts on ISP issues, firewall health, uplinks, and device status
One-Glance Checklist #
| Standard | Baseline | Recommended | Resilient |
|---|---|---|---|
| Business-class firewall with security features | Required | Required | Required |
| Managed switching with VLAN capability | Required | Required | Required |
| Separate guest wireless and segmentation | Recommended | Required | Required |
| UPS protection for network edge equipment | Recommended | Required | Required |
| Documented VLANs, SSIDs, and network diagram | Recommended | Required | Required |
| Second internet provider with auto failover | Optional | Optional | Required |
| Firewall high availability (two firewalls) | Optional | Optional / Ready Design | Required |
| Structured cabling, patch panels, labeling, testing | Required | Required | Required |
| Minimum two drops per wall plate, with office planning | Recommended | Required | Required |
| Enhanced monitoring and audit logging readiness | Recommended | Required | Required |
If you are not sure which design level fits your business, choose Baseline as the minimum and then add redundancy only where downtime would materially impact operations.
Active Network Standards #
Active standards define how the network should be designed and configured for security, performance, and predictability.
Baseline Active Standards #
- Business class firewall with current security subscriptions and vendor support.
- Single internet provider sized for the business and monitored for uptime and performance.
- VLAN capable switching with managed switches and documented port usage (minimum of 3).
- Segmentation for business devices (wired and wireless), guest devices (wireless only), and IoT where applicable (wired and wireless).
- Centralized wireless management with business grade access points.
- Routing at the firewall where appropriate, with clear VLAN design and documentation.
- Monitoring for internet uptime, firewall health, and switch status.
Recommended Active Standards #
- Firewall high availability ready design so a second unit can be added with minimal disruption.
- Switching topology designed for predictable growth, typically hub and spoke from the MDF.
- Redundant power for network stack where feasible, including UPS protection for edge equipment.
- Documented standards for naming, VLANs, SSIDs, and rule changes.
- Quality of service for voice and critical apps when needed.
Resilient Active Standards #
- Redundant firewalls in passive high availability with automatic failover.
- Redundant internet providers configured for automatic failover.
- Switch redundancy designed for the site, such as ring or redundant uplinks with appropriate controls.
- Separate power paths when the facility supports it, plus UPS and surge protection.
- Monitoring and alerting with clear escalation and response expectations.
Internet Service Standards #
Internet quality impacts everything. Cloud apps, VoIP, and remote work depend on reliable bandwidth and stable latency.
- Right-size bandwidth based on users, cloud usage, and voice or video reliance.
- Business class service where available, including support SLAs and modem handoff clarity.
- Failover plan for critical operations, including optional second provider for resilient environments.
- Visibility into uptime and performance through monitoring.
- Validation of the connection's quality, performance, and reliability against the service you are paying for.
Wireless Standards #
- Business grade access points with centralized management.
- Separate guest wireless from business wireless, using segmentation.
- Site aware placement based on building layout, not guesswork.
- Consistent naming for SSIDs and documentation for passwords and access policies.
Documentation Standards #
Documentation is part of stability. Without it, environments drift and become harder to support.
- Current network diagram showing ISP handoff, firewall, core switching, IDFs, and wireless.
- VLAN list with purpose, IP ranges, and routing notes.
- Switch inventory with model, location, uplinks, and key ports.
- Wireless inventory with locations and coverage notes.
- Change log for firewall rule changes, VLAN changes, and major updates.
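One way to check a documented VLAN list against the segmentation item in the Baseline Active Standards and the VLAN list item above, as an added example that is not part of the original standard. The record layout, zone names, media values, and sample entries are assumptions made for illustration.

```python
import ipaddress

# Zone names and record layout are assumed here; media rules follow the Baseline list.
ALLOWED_MEDIA = {
    "business": {"wired", "wireless"},
    "guest": {"wireless"},         # guest devices: wireless only
    "iot": {"wired", "wireless"},  # "where applicable", so not a required zone
}
REQUIRED_ZONES = ("business", "guest")
REQUIRED_FIELDS = ("purpose", "subnet", "routing_notes")

def audit_vlan_list(vlans):
    """Return findings for a documented VLAN list, in the order they are found."""
    findings, nets = [], []
    for v in vlans:
        tag, zone = f"VLAN {v.get('id')}", v.get("zone")
        for field in REQUIRED_FIELDS:
            if not str(v.get(field) or "").strip():
                findings.append(f"{tag}: missing {field}")
        if zone not in ALLOWED_MEDIA:
            findings.append(f"{tag}: unknown zone {zone!r}")
        else:
            for medium in sorted(set(v.get("media", ())) - ALLOWED_MEDIA[zone]):
                findings.append(f"{tag}: {zone} segment documented on {medium}")
        subnet = str(v.get("subnet") or "")
        if subnet:
            try:  # strict parsing rejects entries that have host bits set
                nets.append((tag, ipaddress.ip_network(subnet)))
            except ValueError:
                findings.append(f"{tag}: invalid subnet {subnet}")
    for i, (tag_a, net_a) in enumerate(nets):
        for tag_b, net_b in nets[i + 1:]:
            if net_a.version == net_b.version and net_a.overlaps(net_b):
                findings.append(f"{tag_a} overlaps {tag_b}")
    zones = {v.get("zone") for v in vlans}
    findings += [f"no {z} segment documented" for z in REQUIRED_ZONES if z not in zones]
    return findings

SAMPLE = [  # constructed VLAN list for illustration, not from a real site
    {"id": 10, "zone": "business", "media": ["wired", "wireless"],
     "purpose": "Staff devices", "subnet": "10.20.10.0/24", "routing_notes": "Routed at firewall"},
    {"id": 20, "zone": "guest", "media": ["wired", "wireless"],
     "purpose": "Visitor Wi-Fi", "subnet": "10.20.20.0/24", "routing_notes": "Internet only"},
    {"id": 30, "zone": "iot", "media": ["wired"],
     "purpose": "Cameras", "subnet": "10.20.10.128/25", "routing_notes": ""},
]

if __name__ == "__main__":
    print("\n".join(audit_vlan_list(SAMPLE)))
```

Overlapping ranges are worth catching at documentation time because two VLANs that share address space cannot be cleanly separated by firewall rules written against subnets.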
Physical Infrastructure Standards #
Physical standards define how wiring and network spaces should be installed and maintained so the environment stays clean and predictable. This reduces downtime and makes expansions easier.
Structured Cabling Standards #
- Use recognized cabling categories such as Cat6 or Cat6A for copper runs.
- New builds and major rewires should standardize on Cat6A for best long term flexibility.
- Use solid copper cable intended for in-wall installation, plus proper rated jackets for the environment.
- Avoid inconsistent labeling and avoid unlabeled cables entirely.
Note on terminology. “Cat6e” is commonly used in marketing, but it is not a formal cabling category in the same way Cat6 and Cat6A are. For clarity and consistency, we recommend standardizing on Cat6A for new runs.
Fiber vs Copper #
- Copper is ideal for end user drops and shorter runs inside the same wiring area (300 ft or less).
- Fiber is ideal for longer distances, electrical isolation, and uplinks between MDF and IDF locations.
- Use fiber when distance, interference, or future bandwidth needs make copper less practical.
MDF and IDF Standards #
A clean network space reduces failures and speeds up troubleshooting.
- MDF is the main network location and should host the primary rack, firewall, core switching, and ISP handoff.
- IDF is a secondary wiring location that services a zone of the building and uplinks back to the MDF.
- Both should be secured, well ventilated, and kept clean.
- Include UPS protection for active equipment with humidity and temperature monitoring.
Patch Panels, Racks, and Cable Management #
- Terminate all permanent cabling to patch panels, not directly into switches.
- Use proper cable management so patching stays neat and serviceable.
- Use appropriate length patch cables to avoid excess slack and tangled bundles.
- Use consistent labeling on patch panels, wall plates, and switch ports.
- Use high quality brands for wiring (pure 23AWG copper, jacket rating/shielding matched), patch panels (Leviton), and wall plate connections such as keystone jacks (Leviton).
Labeling and Testing #
- Label every drop using a consistent naming standard that maps to the patch panel and wall plate.
- Test every run and document the results.
- Certification testing is recommended for new builds and major rewires.
Office Drop Standards #
Under-wiring causes ongoing problems. It increases reliance on Wi-Fi for fixed devices and limits office flexibility.
- Minimum. Two network drops per wall plate.
- Minimum per office. Two wall plates in a standard square office when feasible.
- Preferred. Three wall plates in offices where layout or future flexibility matters.
- Conference rooms. Plan for table devices, wall displays, VoIP, and room systems.
- Print and copier areas. Provide dedicated drops for printers and management interfaces.
- Wireless access points. Provide dedicated drops and plan for PoE needs.
Compliance and Performance Expectations #
Compliance requirements often increase the amount of monitoring, logging, and security controls running across the network. This is valuable. It improves visibility and accountability during a cyber event or audit. The most common issue is not the compliance tooling itself. The issue is older design choices that were never built for visibility. When auditing and monitoring are turned on for the first time, weak points often show up first.
What Changes in a Compliance Environment #
- More log collection and longer retention requirements.
- More monitoring and alerting.
- More segmentation and access control.
- More change tracking and documentation expectations.
How This Impacts Network and Internet Design #
- Networks with outdated hardware or weak configurations may show performance limitations sooner.
- Properly sized business class equipment typically handles the additional load without user impact.
- Redundancy becomes more important when operations and audits depend on continuous data collection.
The goal is simple. Build the network so security and visibility can be enabled without slowing down operations.
Simple Policy Summary #
- Use business class network equipment with current support and subscriptions.
- Design for segmentation and documentation from day one.
- Baseline means stable and secure with one ISP. Resilient means automatic failover with redundancy.
- Install structured cabling with patch panels, labeling, testing, and clean rack layout.
- Plan enough drops per office so the building stays flexible for years.