Small Business Network Design
A small business network is a familiar problem with a different answer than home or enterprise. The home pattern (one ISP-provided router, flat network, default WiFi password) breaks down once you have employees, customers, payments, and compliance to think about. The enterprise pattern (Cisco everywhere, $50K of equipment, dedicated network engineer) is overkill for ten people. The right answer is in between: a small kit of business-grade equipment, sensible VLAN segmentation, decent WiFi coverage. This guide walks through the topology, the equipment choices, and the patterns that work for offices of 5-50 people.
The standard SMB topology
```text
        Internet (ISP modem/ONT)
                 │
                 ▼
       ┌─────────────────────┐
       │  Firewall / Router  │  (gateway, NAT, VPN, firewall)
       └─────────────────────┘
                 │
                 ▼
           ┌──────────────┐
           │    Switch    │  (managed Layer 2, PoE, 8-48 ports)
           └──────────────┘
             │    │    │    │
       ┌─────┘    │    │    └─────────┐
       ▼          ▼    ▼              ▼
   Computers   Phones  APs       Cameras/POS
```
Four layers, conceptually:
- Internet connection. ISP-supplied modem or ONT.
- Firewall/router (the gateway). All traffic in and out passes here.
- Switch. Connects everything inside the office, supports VLANs.
- Endpoints. Computers, phones, APs, cameras, POS terminals.
Bigger offices add more switches (one per floor or per cluster), more APs, and possibly multiple firewalls in high-availability pairs. The conceptual model stays the same.
The gateway: firewall or router?
The device sitting between your network and the ISP modem has many names — router, firewall, security gateway, UTM. For SMBs in 2026, it should be a business-grade unit, not a consumer router. The features that matter:
- Stateful firewall with logging.
- VPN server for remote workers (IPsec, OpenVPN, or WireGuard).
- Site-to-site VPN to connect branches or cloud VPCs.
- VLAN routing between internal segments.
- Intrusion prevention on the WAN edge (optional but valuable).
- Dual-WAN for backup internet failover.
- Content filtering / web filtering for compliance (optional).
- Management dashboard that's actually usable.
Common options:
| Product | Price | Suitable for |
|---|---|---|
| Ubiquiti UDM-Pro / UDM-SE | $400-600 | 5-50 person offices; great value |
| Cisco Meraki MX67 / MX75 | $1000-2000 + license | Multi-site businesses needing cloud management |
| Fortinet FortiGate 40F / 60F | $700-1500 + license | Security-heavy SMBs; strong UTM features |
| Sophos XGS 107 / 116 | $500-1200 + license | SMB UTM with simple management |
| pfSense (on Netgate hardware) | $300-800 | Self-hosted, open-source, no per-feature licensing |
| OPNsense (on hardware) | $300-800 | pfSense alternative; same self-hosted model |
Avoid: consumer-class routers (Linksys, Netgear consumer line). They lack VLAN support, real firewall logging, and update lifecycles long enough for business use.
Switches: where the network actually lives
The switch interconnects all wired devices. For SMBs:
- Layer 2 managed switch is the default. VLAN support, PoE, decent management interface.
- Layer 3 switch only needed if you have many VLANs and want routing at the switch rather than the firewall — typically 50+ users.
- PoE budget matters. Sum up your APs, phones, and cameras; choose a switch with sufficient total PoE wattage.
- Port count should comfortably exceed current devices — leave 30-50% headroom.
- 1 Gbps ports are adequate for most uses; 2.5 Gbps or 10 Gbps uplinks are valuable for cross-switch traffic.
Common managed switch options:
| Switch | Ports | PoE budget | Suitable for |
|---|---|---|---|
| Ubiquiti USW-Lite-8-PoE | 8 (4 PoE) | 52W | Tiny office |
| Ubiquiti USW-24-PoE | 24 (16 PoE) | 250W | Mid-sized office |
| Ubiquiti USW-Pro-48-PoE | 48 | 600W | Larger office, lots of PoE devices |
| Cisco Catalyst C1000-24P-4G-L | 24 (24 PoE+) | 370W | Cisco-standardized SMB |
| Aruba Instant On 1930-48G-PoE+ | 48 (48 PoE+) | 370W | Aruba-standardized SMB |
| Netgear GS324TP / MS510TXPP | 24-48 with multi-gig uplinks | variable | Budget options |
WiFi access points
The "consumer router with built-in WiFi" pattern does not scale beyond a few rooms. SMBs use:
- Ceiling-mounted access points connected to the wired network via PoE.
- Multiple APs for coverage (rough rule: one per 1500-2500 sqft for normal-density office use).
- Same vendor across the office for seamless roaming via 802.11k/v/r.
- WiFi 6 (802.11ax) or WiFi 6E for new installations. WiFi 5 is fine for older sites but increasingly outclassed.
- WPA3 for employee SSIDs (with WPA2 fallback if older devices need it).
Recommended AP options:
| AP | Standard | Price | Notes |
|---|---|---|---|
| Ubiquiti U6-Pro | WiFi 6 (AX5400) | $190 | Workhorse; great value |
| Ubiquiti U7-Pro | WiFi 7 | $200 | Future-proofing |
| Aruba Instant On AP25 | WiFi 6 | $220 | Strong cloud management |
| Cisco Meraki MR36 | WiFi 6 | $500 + license | Premium with subscription cost |
| TP-Link Omada EAP670 | WiFi 6 (AX5400) | $130 | Budget option |
For larger offices, do a WiFi survey before mounting APs. Free tools (Ubiquiti Design Center, Hamina, NetSpot) let you sketch the floor plan and estimate coverage; predictive surveys catch dead spots before installation.
VLAN segmentation
The single most important security and operational practice in a small business network: do not put everything on the same network. Minimum VLANs for a typical SMB:
| VLAN | What's on it | Why separate |
|---|---|---|
| Employee (VLAN 10) | Computers, phones, employee personal devices on WPA3 SSID | The "trusted" network; full access to internal resources |
| Guest WiFi (VLAN 20) | Visitor devices on captive-portal SSID | Isolated from everything internal; client isolation enabled |
| IoT / cameras (VLAN 30) | Security cameras, printers, smart devices, conference room hardware | Limit lateral movement if a device is compromised; many of these have weak security |
| VoIP (VLAN 40) | Desk phones, soft phones if separable | QoS isolation; PCI scope reduction (voice is in scope if it crosses the same network) |
| Point of sale (VLAN 50) | POS terminals, payment hardware | PCI compliance requires segmentation |
| Servers (VLAN 60) | Local NAS, file servers, on-prem applications | Tight access control to high-value resources |
Inter-VLAN routing happens at the firewall/router with explicit rules. Common patterns:
- Employee can reach Servers and IoT (with specific port restrictions).
- Guest can reach only the internet.
- VoIP can reach only the SIP provider and DNS.
- POS can reach only the payment processor and updates.
- IoT cannot initiate connections to Employee (only respond to specific protocols).
Detailed WiFi segmentation strategy is in WiFi for small business.
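The inter-VLAN rules above are easier to get right, and to review later, when they are written down as a default-deny policy and checked against concrete flows before anyone types them into a firewall UI. The following is an added example, not code from the original guide or from any of the vendors it lists. It assumes 10.0.<VLAN>.0/24 addressing per VLAN, an internal resolver at 10.0.60.53, and documentation-range placeholder addresses for the payment processor, the POS update server and the SIP provider; the specific ports on the Employee rules are illustrative choices, not something the guide prescribes.

```python
# Added example, not from the original guide: the inter-VLAN policy from the
# table above expressed as a default-deny rule set, with a small evaluator so
# candidate flows can be checked before the rules are entered into a firewall.
# Assumptions (not from the page): 10.0.<vlan>.0/24 addressing per VLAN, a
# resolver at 10.0.60.53, and the external addresses below, which are
# documentation-range placeholders standing in for the real processor/SIP hosts.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# One /24 per VLAN, numbered after the guide's VLAN IDs (assumed addressing).
VLANS = {
    "employee": ip_network("10.0.10.0/24"),
    "guest":    ip_network("10.0.20.0/24"),
    "iot":      ip_network("10.0.30.0/24"),
    "voip":     ip_network("10.0.40.0/24"),
    "pos":      ip_network("10.0.50.0/24"),
    "servers":  ip_network("10.0.60.0/24"),
}
INTERNET = "internet"  # anything not inside one of the VLAN subnets

# Placeholder external destinations (RFC 5737 documentation ranges, not real hosts).
PAYMENT_PROCESSOR = ip_network("203.0.113.10/32")
POS_UPDATE_SERVER = ip_network("203.0.113.20/32")
SIP_PROVIDER      = ip_network("198.51.100.0/24")
INTERNAL_DNS      = ip_network("10.0.60.53/32")  # resolver on the Servers VLAN

@dataclass(frozen=True)
class Rule:
    src: str            # source zone name
    dst: object         # destination zone name, or an ip_network for an external range
    proto: str = "any"  # "tcp", "udp" or "any"
    ports: tuple = ()   # (low, high) destination port ranges; () means any port

# Ordered allow list; anything not matched is denied. Return traffic is handled
# by the firewall's connection state, not by these rules, which is what lets an
# IoT printer answer an Employee print job without being able to open a session
# toward the Employee VLAN itself.
RULES = (
    Rule("employee", "servers", "tcp", ((443, 443), (445, 445))),  # web apps, SMB shares
    Rule("employee", "iot", "tcp", ((443, 443), (9100, 9100))),    # device web UIs, raw print
    Rule("employee", INTERNET),
    Rule("guest", INTERNET),
    Rule("voip", SIP_PROVIDER, "udp", ((5060, 5060), (10000, 20000))),  # SIP signalling + RTP
    Rule("voip", INTERNAL_DNS, "udp", ((53, 53),)),
    Rule("pos", PAYMENT_PROCESSOR, "tcp", ((443, 443),)),
    Rule("pos", POS_UPDATE_SERVER, "tcp", ((443, 443),)),
)

def zone_of(ip: str) -> str:
    """Map an address to its VLAN zone, or 'internet' if it is outside all of them."""
    addr = ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return INTERNET

def _matches(rule: Rule, src_zone: str, dst: str, proto: str, dport: int) -> bool:
    if rule.src != src_zone:
        return False
    if isinstance(rule.dst, str):
        if zone_of(dst) != rule.dst:
            return False
    elif ip_address(dst) not in rule.dst:
        return False
    if rule.proto != "any" and rule.proto != proto:
        return False
    return not rule.ports or any(lo <= dport <= hi for lo, hi in rule.ports)

def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for a new connection attempt (default deny)."""
    src_zone = zone_of(src)
    if src_zone != INTERNET and src_zone == zone_of(dst):
        return "allow"  # same VLAN: switched locally, never crosses the firewall
    if any(_matches(r, src_zone, dst, proto, dport) for r in RULES):
        return "allow"
    return "deny"

if __name__ == "__main__":
    # Constructed flows that exercise each row of the policy.
    flows = [
        ("10.0.10.25", "10.0.60.5", "tcp", 445),       # employee -> file server
        ("10.0.20.7",  "10.0.60.5", "tcp", 445),       # guest -> file server
        ("10.0.20.7",  "192.0.2.80", "tcp", 443),      # guest -> internet
        ("10.0.30.14", "10.0.10.25", "tcp", 22),       # camera -> employee laptop
        ("10.0.50.3",  "203.0.113.10", "tcp", 443),    # POS -> payment processor
        ("10.0.50.3",  "192.0.2.80", "tcp", 443),      # POS -> arbitrary web site
        ("10.0.40.11", "198.51.100.20", "udp", 5060),  # phone -> SIP provider
        ("10.0.40.11", "192.0.2.80", "udp", 53),       # phone -> external DNS
    ]
    for f in flows:
        print(f"{f[0]:>12} -> {f[1]:<14} {f[2]}/{f[3]:<5} {evaluate(*f)}")
```

Keeping the policy in this form makes the review question concrete: every `Rule` is an explicit exception to deny, so a proposed change ("the POS terminals also need to reach X") shows up as a new line rather than a click in a dashboard, and the flow list doubles as a regression check after a firewall firmware update or a migration between vendors.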
Cabling
Wired infrastructure for new installations in 2026:
- Cat6 cable. Up to 10 Gbps at typical 50m runs; widely available; cheap.
- Cat6a for runs to 100m at 10 Gbps. Overkill for most offices.
- Skip Cat7 and Cat8 for typical office cabling — they target data center applications.
- Run more than you think you need. Two cables per wall outlet is the minimum; four if pulling new cable.
- Fiber between IDFs / building drops. Multi-mode OM4 fiber for runs over 100m or where future-proofing for 25/40/100 Gbps matters.
The labor cost of running cable dominates the material cost. Pull more than you currently need; the marginal cost of an extra pull is small relative to the total job.
Power and UPS
Network equipment needs clean, uninterrupted power. Minimum: a UPS on the gateway, the switch, and the main APs. Sized for at least 15-30 minutes runtime — long enough to gracefully shut down during sustained outages and to ride out short blips.
For a typical SMB stack (gateway + 24-port switch + 3 APs + cameras, drawing ~200W total):
- APC Smart-UPS 750VA-1500VA ($200-400) — sine wave output, network manageable.
- CyberPower 1500VA-2200VA ($150-350) — budget alternative.
- Network shutdown agent integrated with the UPS for graceful shutdowns of servers.
For sites with mission-critical uptime, add a generator with auto-transfer switch — but a UPS is the baseline.
Network closet / equipment rack
Even a small office benefits from a dedicated location for network equipment:
- A wall-mounted rack (4U-12U) or a small closet.
- Adequate ventilation — switches and firewalls produce real heat.
- Labeled cable terminations on a patch panel.
- Documented cable runs from patch panel to wall outlets.
- Locked physical access — limit who can plug into the network or unplug things.
Avoid the "everything in the receptionist's desk drawer" pattern. The hour you spend setting up a proper rack saves dozens of hours of troubleshooting later.
Remote access
Employees working from home need access to internal resources. Options:
- VPN to office network. Traditional. Firewall hosts the VPN server (WireGuard, OpenVPN, IPsec). Clients connect, get internal IP, route as if on-site.
- Zero Trust Network Access (ZTNA). Modern alternative. Per-application access via identity-based broker (Cloudflare Access, Tailscale, Zscaler, Twingate). No VPN tunnel; just authenticated access to specific resources.
- Bastion host. SSH or RDP via a hardened jump server. Useful for technical users; awkward for non-technical ones.
For 2026, ZTNA via Tailscale or Cloudflare Access is the simplest pattern for most SMBs — no VPN to configure on employee laptops, no firewall holes to manage, identity-based access via your existing SSO. Traditional VPN is still appropriate for offices with strong existing identity infrastructure or legacy applications.
Monitoring and management
Network problems are easier to fix when you can see them. Minimum monitoring:
- Gateway / firewall logs retained for at least 30-90 days.
- Bandwidth usage per VLAN and per user — catches abuse and capacity issues.
- WAN uptime monitoring from outside (UptimeRobot, Pingdom, free tools) — alerts you to outages from the customer's perspective.
- Switch port utilization — diagnose congestion.
- WiFi client health — signal strength, retry rates, roaming events.
Ubiquiti UniFi, Aruba Instant On, and Meraki Dashboard all provide these in a single management UI as part of their platforms. Self-hosted alternatives (LibreNMS, Zabbix) work but require more setup.
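Retained gateway logs are only useful if someone looks at them, and the question worth asking regularly is which segment boundaries are generating blocked traffic and whether one host is doing most of it. The following is an added example, not code from the original guide or from any of the platforms named above. The log format and every sample line are constructed for the example; real gateways (UniFi, pfSense, FortiGate and the rest) each use their own field names, so the regular expression is the piece you would adapt.

```python
# Added example, not from the original guide: a small review pass over gateway
# filter logs, showing two checks the monitoring list calls for that a
# dashboard does not always surface: which VLAN pairs produce blocked traffic,
# and which single host keeps trying to cross a segment boundary. The log
# format and every line below are constructed; adapt LINE_RE to your gateway.
import re
from collections import Counter, defaultdict

# Constructed sample entries in a key=value style; "vlan<N>" names the
# ingress/egress interface so the VLAN is visible without a subnet lookup.
SAMPLE_LOG = """\
2026-03-04T09:12:01Z gw filter: DENY in=vlan30 out=vlan10 src=10.0.30.14 dst=10.0.10.25 proto=tcp dport=22
2026-03-04T09:12:02Z gw filter: DENY in=vlan30 out=vlan10 src=10.0.30.14 dst=10.0.10.26 proto=tcp dport=22
2026-03-04T09:12:02Z gw filter: DENY in=vlan30 out=vlan10 src=10.0.30.14 dst=10.0.10.27 proto=tcp dport=445
2026-03-04T09:12:05Z gw filter: ALLOW in=vlan10 out=vlan60 src=10.0.10.25 dst=10.0.60.5 proto=tcp dport=445
2026-03-04T09:13:40Z gw filter: DENY in=vlan20 out=vlan60 src=10.0.20.7 dst=10.0.60.5 proto=tcp dport=445
2026-03-04T09:14:11Z gw filter: DENY in=vlan50 out=wan src=10.0.50.3 dst=192.0.2.80 proto=tcp dport=443
2026-03-04T09:15:00Z gw filter: DENY in=vlan30 out=vlan10 src=10.0.30.14 dst=10.0.10.28 proto=tcp dport=3389
this line is not a filter event and should be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ filter: (?P<action>ALLOW|DENY) in=(?P<in>\S+) out=(?P<out>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)$"
)

def parse_line(line: str):
    """Return one filter event as a dict, or None for lines that are not events."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["dport"] = int(ev["dport"])
    return ev

def parse_log(text: str) -> list:
    """Parse a whole log, silently skipping non-event lines."""
    return [ev for ev in map(parse_line, text.splitlines()) if ev]

def denies_by_segment(events) -> Counter:
    """Count DENY events per (ingress interface, egress interface) pair."""
    return Counter((e["in"], e["out"]) for e in events if e["action"] == "DENY")

def boundary_crossers(events, threshold: int = 3) -> dict:
    """Hosts with at least `threshold` distinct denied attempts into another
    segment, mapped to the (dst, proto/dport) targets they tried. A camera or
    printer probing several employee workstations is exactly the behaviour the
    IoT VLAN exists to contain, and it is worth a look at the device."""
    attempts = defaultdict(set)
    for e in events:
        if e["action"] == "DENY" and e["in"] != e["out"]:
            attempts[(e["src"], e["out"])].add((e["dst"], f'{e["proto"]}/{e["dport"]}'))
    return {key: sorted(targets) for key, targets in attempts.items()
            if len(targets) >= threshold}

if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for (src_if, dst_if), n in denies_by_segment(evs).most_common():
        print(f"{n:3d} denies  {src_if} -> {dst_if}")
    for (host, seg), tries in boundary_crossers(evs).items():
        print(f"review {host}: {len(tries)} distinct blocked attempts toward {seg}: {tries}")
```

Run against a day's retained log rather than the embedded sample, the segment counter tells you whether a deny is a misconfigured rule (many hosts, one port, one pair) or a single misbehaving device (one host, many destinations), which is the distinction that decides whether the fix is a firewall change or a trip to the network closet with a replacement camera.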
Documentation
The "person who set it up left two years ago and nobody knows how it works" problem is universal. Minimum documentation for any SMB network:
- Network diagram showing physical and logical topology.
- VLAN list with IP ranges and purpose.
- Inventory of equipment: make, model, serial, location, firmware version.
- Cable map: patch panel ports to wall outlets.
- WiFi SSID configuration and credentials (stored in password manager, not the network closet wall).
- Admin credentials in shared password vault.
- ISP contact info, account numbers, after-hours support number.
- Backup and restore procedures for firewall and switch configs.
Frequently Asked Questions
What equipment do I need for a 10-person office?
At minimum: a business-grade router/firewall (Ubiquiti UDM-Pro, Fortinet FortiGate 40F, Cisco Meraki MX67 — $300-1500), a managed Layer 2 switch with PoE (8-24 ports depending on devices; $200-600), and 1-2 ceiling-mounted WiFi access points (Ubiquiti U6-Pro, Aruba Instant On AP25 — $150-300 each). Total hardware budget for 10 people: $1000-3000. Skip consumer-grade equipment — managed devices with VLAN support and decent WiFi coverage are worth the premium for any business with employees.
Do I need VLANs in a small office?
Yes, once you have more than one network function. At minimum, separate guest WiFi from employee devices (PCI compliance and basic security require this if you process payments). Add separate VLANs for: VoIP phones (QoS isolation), IoT devices (cameras, printers, smart sensors — limit lateral movement if compromised), point-of-sale terminals (PCI scope reduction). A flat network without VLANs is acceptable only for a one-person home office with no payment processing.
What is PoE and why do business networks need it?
PoE (Power over Ethernet) delivers electrical power along with data over the same Ethernet cable, eliminating the need for separate power outlets at each device. Business networks use PoE for ceiling-mounted WiFi access points, VoIP desk phones, IP security cameras, and digital signage. PoE switches add minor cost ($30-50 more per 8 ports) but save substantial installation effort and electrical work. PoE+ (30W per port) handles most devices; PoE++ (60-90W per port) is needed for high-power devices like PTZ cameras and large displays.
Should I use Cat5e, Cat6, or Cat6a cable?
Cat6 for new installations. Cat5e is adequate up to 1 Gbps over 100 meters and is cheaper, but new cable should be Cat6 to support 10 Gbps over shorter runs and to leave headroom for future upgrades. Cat6a is required only for 10 Gbps over the full 100-meter run; for typical 100-meter-or-less office runs at 10 Gbps, Cat6 works fine. Don't waste money on Cat7 or Cat8 for typical office runs — they're for specialty applications.
How many WiFi access points does my office need?
Rough rule: one access point per 1500-2500 square feet for office-density use (computers, phones), or per 800-1200 sqft for high-density use (conference rooms, classrooms). A 5000 sqft typical office needs 2-3 APs. Mount on ceilings, not walls. Use the same WiFi vendor for the entire site to enable seamless roaming. Per-AP coverage depends on building materials (concrete and metal block 5 GHz dramatically); always survey before final placement.