Why Network Design Matters
Network design is not simply about plugging cables into switches. It is a deliberate, structured process that determines how data flows through an organisation, how services are protected from threats, and how the infrastructure will cope as the business grows. A poorly designed network might work perfectly well with 20 users but collapse under the weight of 200, or worse, expose sensitive data because segmentation was never planned.
The cost of getting network design wrong is staggering. Industry research consistently shows that unplanned network downtime costs businesses an average of £5,600 per minute. For financial services, healthcare, and e-commerce organisations, the figure can be significantly higher when regulatory penalties and lost customer trust are factored in. Investing time in proper network design before deployment is orders of magnitude cheaper than retrofitting a live network under pressure.
Good network design starts with understanding the fundamental models and protocols that underpin all modern networking. Whether you are configuring a small office network or architecting a multi-site enterprise infrastructure, the same principles apply: layered architecture, logical addressing, segmentation, redundancy, and thorough documentation. Master these fundamentals and you can design a network for any scale.
The OSI and TCP/IP Models
Every network professional needs a solid understanding of the OSI (Open Systems Interconnection) model: the seven-layer reference framework that describes how data moves from an application on one computer to an application on another. Each layer has a specific responsibility, and understanding these layers helps you troubleshoot problems systematically, communicate clearly with other engineers, and design networks that are modular and maintainable.
The OSI model was developed by the International Organisation for Standardisation (ISO) in the 1980s as a conceptual framework for understanding network communication. In practice, the internet runs on the TCP/IP model, which consolidates the seven OSI layers into four practical layers. Understanding both models, and how they map to each other, gives you the vocabulary to work with any networking technology, from Ethernet switches to cloud load balancers.
The 7 OSI Layers
| Layer | Name | Function | TCP/IP Equivalent |
|---|---|---|---|
| 7 | Application | Provides network services directly to end-user applications. Protocols include HTTP, DNS, SMTP, FTP, and SSH. This is the layer users interact with. | Application |
| 6 | Presentation | Handles data translation, encryption, and compression. Ensures data from the application layer is in a format the receiving system can understand. TLS/SSL operates here. | Application |
| 5 | Session | Manages connections and authentication between applications. Establishes, maintains, and terminates communication sessions between hosts. | Application |
| 4 | Transport | Provides reliable (TCP) or fast (UDP) end-to-end data delivery. Manages port numbers, flow control, error detection, and retransmission of lost packets. | Transport |
| 3 | Network | Handles logical addressing (IP addresses) and routing. Determines the best path for data to travel from source to destination across multiple networks. | Internet |
| 2 | Data Link | Manages MAC addresses and local network communication. Handles frame creation, error detection, and media access control. Switches operate at this layer using Ethernet. | Network Access |
| 1 | Physical | Transmits raw bits over physical media: copper cables, fibre optics, and wireless radio signals. Defines voltage levels, pin layouts, and physical connectors. | Network Access |
OSI vs TCP/IP: Reference vs Reality
The OSI model is a reference framework: it is invaluable for understanding concepts, troubleshooting, and communication, but no production protocol follows it precisely. The TCP/IP model is what is actually deployed on the internet and in virtually every business network. TCP/IP collapses the top three OSI layers (Application, Presentation, Session) into a single Application layer, and combines the bottom two (Data Link, Physical) into the Network Access layer. When you encounter a networking problem, use the OSI model to isolate which layer is failing, then use TCP/IP tools to fix it.
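The layer mapping above is easiest to see by decoding a real frame from the bottom up. The following is an added example in Python, not code from the original page or from the course provider: it constructs one Ethernet frame (the MAC addresses, IP addresses, ports and payload are invented for the illustration) and then peels it apart layer by layer, verifying the IPv4 header checksum on the way. The frame layout follows the standard Ethernet II, IPv4 and TCP header formats.

```python
import struct

# Added example: a minimal decoder that walks one Ethernet frame layer by layer.
# Everything below is constructed for illustration; it is not a real capture.

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
TCP_FLAG_NAMES = ("FIN", "SYN", "RST", "PSH", "ACK", "URG")


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words. Computed over a header
    whose checksum field is already filled in, a valid header yields 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_sample_frame() -> bytes:
    """Constructed frame: a TCP SYN from 192.168.1.100:51000 to 10.0.0.5:80
    carrying a short HTTP request line as payload."""
    payload = b"GET / HTTP/1.1\r\n"                                     # layers 5-7
    tcp = struct.pack("!HHIIBBHHH", 51000, 80, 1000, 0, 5 << 4, 0x02,   # layer 4 (SYN)
                      65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, PROTO_TCP, 0,                                  # layer 3, checksum 0 for now
                     bytes([192, 168, 1, 100]), bytes([10, 0, 0, 5]))
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    eth = struct.pack("!6s6sH", bytes.fromhex("001122334455"),           # layer 2
                      bytes.fromhex("66778899aabb"), ETHERTYPE_IPV4)
    return eth + ip + tcp + payload


def parse_frame(frame: bytes) -> dict:
    """Peel the frame from the bottom of the stack upwards, stopping at the
    first layer whose type this decoder does not understand."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])          # OSI layer 2
    out = {"ethernet": {"dst": mac_str(dst), "src": mac_str(src), "ethertype": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return out
    (ver_ihl, _tos, total_len, _ident, _frag, ttl, proto,
     _cksum, s, d) = struct.unpack("!BBHHHBBH4s4s", frame[14:34])      # OSI layer 3
    ihl = (ver_ihl & 0x0F) * 4
    out["ip"] = {
        "version": ver_ihl >> 4, "ttl": ttl, "protocol": proto,
        "src": ".".join(map(str, s)), "dst": ".".join(map(str, d)),
        "total_length": total_len,
        "checksum_ok": ipv4_checksum(frame[14:14 + ihl]) == 0,
    }
    if proto != PROTO_TCP:
        return out
    off = 14 + ihl
    (sport, dport, seq, ack, data_off, flags,
     window, _tcksum, _urg) = struct.unpack("!HHIIBBHHH", frame[off:off + 20])  # OSI layer 4
    tcp_len = (data_off >> 4) * 4
    out["tcp"] = {
        "src_port": sport, "dst_port": dport, "seq": seq, "ack": ack, "window": window,
        "flags": {name for i, name in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)},
    }
    out["payload"] = frame[off + tcp_len:]                               # layers 5-7
    return out


if __name__ == "__main__":
    for layer, fields in parse_frame(build_sample_frame()).items():
        print(layer, fields)
```

Each `struct.unpack` call corresponds to one layer's header, and the decoder only proceeds upwards when the lower layer says what sits above it (the ethertype, then the IP protocol number). That is exactly the troubleshooting discipline the text describes: if the layer 3 checksum fails or the ethertype is unexpected, nothing above it is worth examining yet.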
IP Addressing and Subnetting
IP addressing is the logical addressing scheme that allows devices to find and communicate with each other across networks. Every device on a network needs a unique IP address, and how you allocate and organise these addresses has a direct impact on network performance, security, and manageability. A well-planned IP addressing scheme makes troubleshooting straightforward and scaling painless. A poorly planned one creates confusion, address conflicts, and painful migrations.
Subnetting is the practice of dividing a large network into smaller, more manageable segments. Each subnet operates as its own broadcast domain, reducing unnecessary traffic and improving security by isolating groups of devices. Understanding subnetting is essential for any network engineer: it is tested in every networking certification and used in every production network, from a single-office setup to a global enterprise spanning dozens of sites.
IP Addressing Fundamentals
| Concept | Description | Practical Example |
|---|---|---|
| IPv4 Structure | A 32-bit address written in dotted decimal notation. Provides approximately 4.3 billion unique addresses, which have been exhausted, driving the transition to IPv6. | 192.168.1.100, a common private address used in small office and home networks |
| IPv6 Structure | A 128-bit address written in hexadecimal notation separated by colons. Provides 340 undecillion addresses, effectively unlimited for any foreseeable deployment. | 2001:0db8:85a3:0000:0000:8a2e:0370:7334, a full IPv6 address with eight groups |
| Private Address Ranges | Reserved address ranges that are not routable on the public internet. Used for internal networks and translated to public addresses via NAT at the network boundary. | 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16: the three RFC 1918 private ranges |
| Subnet Masks and CIDR | Defines which portion of an IP address identifies the network and which identifies the host. CIDR notation (e.g., /24) replaced classful addressing for flexible allocation. | /24 gives 254 usable hosts, /25 gives 126, /26 gives 62: each additional prefix bit halves the number of usable hosts |
| DHCP | Dynamic Host Configuration Protocol automatically assigns IP addresses, subnet masks, default gateways, and DNS servers to devices when they connect to the network. | A DHCP server assigns 192.168.1.50-192.168.1.200 dynamically, reserving .1-.49 for static devices |
| DNS | Domain Name System translates human-readable domain names into IP addresses. Without DNS, users would need to memorise numeric addresses for every service. | qualifynation.com resolves to an IP address; internal DNS maps server names to private IPs |
Plan Your IP Scheme Before Deploying
One of the most common mistakes in network design is assigning IP addresses ad hoc without a documented plan. This leads to address conflicts, wasted address space, and painful renumbering projects when the network grows. Before deploying any network, create a written IP addressing plan that documents every subnet, its purpose, the DHCP range, static reservations, and the default gateway. Allocate address space generously: it costs nothing to reserve a /22 for future growth, but renumbering a live /24 because you ran out of addresses disrupts the entire organisation.
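The written plan the text calls for can be generated rather than typed. The following is an added example in Python using the standard-library `ipaddress` module; it is not code from the original page or the course provider. It carves a reserved /22 into per-VLAN subnets of different sizes (largest first, so every block stays aligned), derives the gateway, static reservation range and DHCP scope for each, refuses non-private supernets, and reports what is left for growth. The supernet, VLAN names and prefix lengths are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass

# Added example: carve a private supernet into per-VLAN subnets and derive the
# gateway, static and DHCP ranges for a written addressing plan. The supernet,
# VLAN names and prefix sizes below are constructed, not taken from any real site.

REQUESTS = [("IT", 24), ("Finance", 25), ("HR", 26), ("Printers", 26),
            ("Management", 27), ("Guest", 24)]


@dataclass
class SubnetPlan:
    name: str
    network: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address
    static_range: tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]
    dhcp_range: tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]
    usable_hosts: int


def describe_subnet(name: str, net: ipaddress.IPv4Network, static_fraction: float = 0.2) -> SubnetPlan:
    """Gateway takes the first usable address, the next `static_fraction` of the
    usable space is reserved for static devices, and DHCP gets the remainder."""
    if net.prefixlen > 29:
        raise ValueError(f"{net} is too small for a gateway, static and DHCP ranges")
    first = net.network_address + 1          # gateway
    last = net.broadcast_address - 1         # last usable host
    usable = net.num_addresses - 2           # network and broadcast addresses are not usable
    n_static = max(1, int(usable * static_fraction))
    static_end = first + n_static
    return SubnetPlan(name, net, first, (first + 1, static_end), (static_end + 1, last), usable)


def plan_subnets(supernet: str, requests: list[tuple[str, int]]):
    """Allocate one subnet per (name, prefix) request out of `supernet`.
    Returns (plans keyed by name, leftover free blocks)."""
    parent = ipaddress.ip_network(supernet, strict=True)
    if not parent.is_private:
        raise ValueError(f"{parent} is not private address space; use an RFC 1918 range internally")
    free = [parent]
    plans: dict[str, SubnetPlan] = {}
    # Largest blocks first keeps every subnet aligned and avoids fragmenting the space.
    for name, prefix in sorted(requests, key=lambda r: r[1]):
        for i, block in enumerate(free):
            if block.prefixlen <= prefix:
                chosen = next(block.subnets(new_prefix=prefix))
                if chosen == block:
                    free.pop(i)
                else:
                    free[i:i + 1] = sorted(block.address_exclude(chosen))  # hand back the remainder
                break
        else:
            raise ValueError(f"no space left in {parent} for {name} /{prefix}")
        plans[name] = describe_subnet(name, chosen)
    return plans, sorted(free)


def check_no_overlap(plans: dict[str, SubnetPlan]) -> bool:
    """Sanity check before the plan goes into IPAM: no two subnets may overlap."""
    nets = [p.network for p in plans.values()]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                raise ValueError(f"{a} overlaps {b}")
    return True


def render(plans: dict[str, SubnetPlan], free) -> list[str]:
    """Plain-text table suitable for pasting into the addressing document."""
    lines = [f"{'VLAN':<12}{'Subnet':<18}{'Gateway':<14}{'Static':<30}{'DHCP':<30}Hosts"]
    for p in plans.values():
        static = f"{p.static_range[0]}-{p.static_range[1]}"
        dhcp = f"{p.dhcp_range[0]}-{p.dhcp_range[1]}"
        lines.append(f"{p.name:<12}{str(p.network):<18}{str(p.gateway):<14}"
                     f"{static:<30}{dhcp:<30}{p.usable_hosts}")
    lines.append("free for growth: " + ", ".join(map(str, free)))
    return lines


if __name__ == "__main__":
    plans, free = plan_subnets("10.20.0.0/22", REQUESTS)
    check_no_overlap(plans)
    print("\n".join(render(plans, free)))
```

The six requests consume 800 of the 1,024 addresses in the /22 and leave three aligned blocks (a /27, a /26 and a /25) free, which is the "reserve generously" point made above in concrete form: the spare space is already documented before anyone needs it.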
VLANs and Network Segmentation
Network segmentation is the practice of dividing a network into isolated segments, each with its own broadcast domain, security policies, and access controls. Without segmentation, every device on a flat network can communicate with every other device, meaning a compromised workstation in reception can reach the finance server, the CCTV system, and the CEO's laptop without any barriers.
Virtual LANs (VLANs) are the primary tool for implementing segmentation on modern switched networks. A VLAN is a logical grouping of switch ports that behaves as if the ports were on separate physical switches. Traffic between VLANs must pass through a router or Layer 3 switch, where firewall rules and access control lists can be applied. This gives network engineers granular control over which devices can communicate with which services.
Network Segmentation Strategies
| Strategy | Purpose | Security Benefit | Implementation Notes |
|---|---|---|---|
| VLAN by Department | Separate HR, Finance, IT, and other departments into dedicated VLANs to contain broadcast traffic and enforce access policies per business unit. | Finance data stays within the Finance VLAN. HR systems containing sensitive employee records are isolated from general staff. | Assign VLAN IDs logically (e.g., VLAN 10 = IT, VLAN 20 = Finance, VLAN 30 = HR). Configure trunk ports between switches. |
| VLAN by Function | Group devices by their role (servers, printers, VoIP phones, IoT sensors) regardless of physical location, ensuring each device type gets appropriate policies. | IoT devices with known vulnerabilities are isolated from production servers. Printer traffic cannot traverse to sensitive data stores. | Use 802.1Q trunking across the switch fabric. Apply QoS policies per VLAN: prioritise VoIP, throttle IoT bulk transfers. |
| Guest Network Isolation | Provide internet access to visitors and contractors without granting any access to internal resources, applications, or file shares. | Guest devices cannot discover or communicate with internal hosts. Eliminates the risk of visitor devices spreading malware internally. | Create a dedicated Guest VLAN with its own DHCP scope. Route directly to the internet via a separate firewall zone. Apply bandwidth limits. |
| DMZ for Public Servers | Place web servers, email gateways, and other public-facing services in a demilitarised zone between the external firewall and the internal network. | If a public server is compromised, the attacker is contained in the DMZ and cannot pivot directly into the internal network. | Use dual firewalls or a multi-zone firewall. DMZ traffic is inspected in both directions. Only specific ports are permitted inbound. |
| Management VLAN | Separate network administration traffic (switch management interfaces, SNMP, syslog, and firmware updates) from user and production data traffic. | Prevents users from accessing switch and router management interfaces. Protects against configuration tampering and reconnaissance. | Assign a dedicated VLAN for all infrastructure management. Restrict access via ACLs to authorised admin workstations only. |
Segmentation: The Single Most Effective Network Security Control
The UK National Cyber Security Centre (NCSC) and every major security framework (including Cyber Essentials, ISO 27001, and NIST) recommend network segmentation as a foundational security control. Segmentation limits the blast radius of a breach, prevents lateral movement by attackers, and makes it significantly harder for ransomware to spread across an organisation. If you implement only one security improvement on your network this year, make it proper VLAN segmentation with enforced inter-VLAN access control lists.
Switching, Routing, and Wireless Planning
With your addressing scheme and segmentation strategy in place, the next step is selecting and configuring the core network infrastructure: switches, routers, and wireless access points. Each of these devices operates at a different layer of the network stack and serves a distinct purpose. Understanding when to use Layer 2 switching versus Layer 3 routing, and how to plan wireless coverage properly, is essential for building a network that performs well under real-world conditions.
Modern business networks increasingly rely on wireless connectivity as the primary access method for end users. Laptops, smartphones, tablets, and an ever-growing number of IoT devices all connect via Wi-Fi. A poorly planned wireless deployment results in dead zones, interference, dropped connections, and frustrated users. Proper wireless planning requires a systematic approach that accounts for coverage, capacity, channel allocation, and security.
Switching, Routing, and Wireless Technologies
| Technology | Layer | Function | Key Protocols and Standards |
|---|---|---|---|
| Layer 2 Switching | Data Link | Forwards frames based on MAC addresses within a single VLAN or broadcast domain. Provides fast, low-latency local connectivity between devices on the same network segment. | Ethernet (802.3), Spanning Tree Protocol (STP/RSTP), LLDP, 802.1Q VLAN tagging |
| Layer 3 Routing | Network | Forwards packets between different networks based on IP addresses. Determines the optimal path using routing protocols and enables inter-VLAN communication. | OSPF, BGP, EIGRP, static routes, policy-based routing, VRF for route isolation |
| Wireless (Wi-Fi 6) | Physical / Data Link | Provides cable-free network access using radio frequencies. Wi-Fi 6 (802.11ax) delivers higher throughput, better performance in dense environments, and improved power efficiency. | 802.11ax (Wi-Fi 6), WPA3, OFDMA, MU-MIMO, BSS Colouring, Target Wake Time |
Wireless Planning Considerations
| Consideration | Why It Matters | Best Practice |
|---|---|---|
| Coverage | Every area where users work, meet, or move must have reliable signal strength. Dead zones frustrate users and push them to use personal hotspots, bypassing security controls. | Conduct a professional site survey using tools like Ekahau or NetSpot. Map signal strength at desk height across all floors and outdoor areas. |
| Capacity | Coverage alone is not enough: each access point has a finite number of concurrent clients it can serve efficiently. Overcrowded APs cause slow speeds and connection drops. | Design for device density, not just area coverage. Conference rooms and lecture halls need more APs per square metre than corridors or storerooms. |
| Channel Planning | Adjacent access points on the same channel cause co-channel interference, degrading performance for all connected devices. Proper channel assignment eliminates this problem. | Use non-overlapping channels (1, 6, 11 on 2.4 GHz). Prefer the 5 GHz band for capacity. Use automatic channel selection on controllers or plan manually. |
| Security (WPA3) | Wireless signals extend beyond building walls. Without strong authentication and encryption, attackers can intercept traffic or connect to your network from a car park. | Deploy WPA3-Enterprise with 802.1X authentication and RADIUS. Disable WPA2 where possible. Use separate SSIDs for corporate and guest access. |
| Guest Access | Visitors and contractors need internet access but must not be able to reach internal resources, applications, or network management interfaces. | Create a dedicated guest SSID mapped to the Guest VLAN. Apply bandwidth limits, DNS filtering, and a captive portal for acceptance of terms. |
Always Conduct a Site Survey Before Deploying Wireless
Deploying wireless access points based on guesswork or floor plan calculations alone is a guaranteed path to poor performance. Building materials, furniture, partitions, and even the number of people in a room all affect wireless signal propagation. A professional site survey, using spectrum analysis tools to measure real signal strength and interference, is the only reliable way to determine AP placement, channel assignment, and power levels. The cost of a site survey is a fraction of the cost of troubleshooting and repositioning APs after deployment. Do the survey first, every time.
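Channel planning from the table above is a graph-colouring problem: every pair of access points whose cells overlap must not share a channel, and on 2.4 GHz there are only three non-overlapping channels to choose from. The following is an added example in Python, not code from the original page or the course provider. It takes AP positions and an interference radius (both constructed here; a real plan takes the overlap relationships from the site survey), builds the interference graph, and assigns channels by backtracking. When the AP layout is too dense for three channels the planner returns nothing rather than a plan with hidden co-channel interference, and the same routine then solves it with a handful of 5 GHz channels.

```python
import math
from itertools import combinations

# Added example: assign non-overlapping 2.4 GHz channels to access points so that no
# two APs whose coverage overlaps share a channel. AP positions (metres) and the
# interference radius are constructed; a real plan takes them from the site survey.

CHANNELS_2G = (1, 6, 11)
CHANNELS_5G = (36, 40, 44, 48)   # a subset of the 5 GHz channels

# Constructed floor plan: two rows of three APs, 15 m apart.
APS = {"AP1": (0, 0), "AP2": (15, 0), "AP3": (30, 0),
       "AP4": (0, 15), "AP5": (15, 15), "AP6": (30, 15)}


def interference_edges(aps: dict, radius_m: float) -> set:
    """Pairs of APs close enough that their coverage cells overlap."""
    return {frozenset((a, b)) for (a, pa), (b, pb) in combinations(aps.items(), 2)
            if math.dist(pa, pb) <= radius_m}


def neighbours(ap: str, edges: set) -> set:
    return {other for edge in edges if ap in edge for other in edge if other != ap}


def assign_channels(aps: dict, edges: set, channels=CHANNELS_2G):
    """Backtracking graph colouring: APs with the most neighbours are placed first.
    Returns an {ap: channel} map, or None if the channel set cannot avoid co-channel
    overlap (the signal to add 5 GHz capacity or reduce transmit power)."""
    order = sorted(aps, key=lambda n: (-len(neighbours(n, edges)), n))
    assignment = {}

    def place(i: int) -> bool:
        if i == len(order):
            return True
        ap = order[i]
        taken = {assignment[n] for n in neighbours(ap, edges) if n in assignment}
        for ch in channels:
            if ch not in taken:
                assignment[ap] = ch
                if place(i + 1):
                    return True
                del assignment[ap]
        return False

    return dict(assignment) if place(0) else None


def co_channel_conflicts(assignment: dict, edges: set) -> int:
    """Number of overlapping AP pairs that ended up on the same channel."""
    return sum(1 for edge in edges if len({assignment[n] for n in edge}) == 1)


if __name__ == "__main__":
    for radius in (20, 22):
        edges = interference_edges(APS, radius)
        plan = assign_channels(APS, edges)
        if plan is None:
            print(f"radius {radius} m: no clean 2.4 GHz plan; 5 GHz:",
                  assign_channels(APS, edges, CHANNELS_5G))
        else:
            print(f"radius {radius} m:", plan, "conflicts:", co_channel_conflicts(plan, edges))
```

With a 20 m interference radius only horizontally and vertically adjacent APs overlap and three channels suffice. At 22 m the diagonal neighbours overlap too, four APs all interfere with each other, and no three-channel plan exists; that is the situation in which the survey, not the floor plan, tells you to move to 5 GHz or lower power.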
Redundancy, High Availability, and Documentation
A network that works perfectly under normal conditions but fails catastrophically when a single link or device goes down is not well designed. High availability (HA) is the practice of eliminating single points of failure so that the network continues to operate even when individual components fail. The standard enterprise target is 99.99% uptime, often called "four nines", which translates to no more than 52 minutes of unplanned downtime per year.
Equally important, and far more often neglected, is network documentation. A network without documentation is a network that only one person understands, and when that person is unavailable, every troubleshooting task takes three times longer. Comprehensive documentation reduces mean time to repair (MTTR), enables new team members to become productive quickly, and provides the audit trail that compliance frameworks like ISO 27001 and Cyber Essentials require.
High Availability Strategies
| Strategy | What It Protects Against | How It Works |
|---|---|---|
| Redundant Links (Dual ISP) | Internet service provider failure or last-mile circuit outage. A single ISP connection is the most common single point of failure for internet access. | Connect to two different ISPs using separate physical paths. Configure automatic failover with BGP or policy-based routing. Use SD-WAN for intelligent path selection. |
| Link Aggregation (LACP) | Individual link failure between switches or between a server and a switch. Also increases available bandwidth by bonding multiple physical links. | Bundle two or more physical Ethernet ports into a single logical channel using IEEE 802.3ad (LACP). If one link fails, traffic continues on the remaining links. |
| Spanning Tree Protocol | Network loops caused by redundant Layer 2 paths. Without STP, a loop creates a broadcast storm that can bring down the entire switched network within seconds. | STP (802.1D) or Rapid STP (802.1w) blocks redundant paths during normal operation and activates them automatically when the primary path fails. RSTP converges in under 2 seconds. |
| HSRP / VRRP | Default gateway failure. If the router serving as the default gateway for a subnet fails, all devices on that subnet lose connectivity to other networks. | Two or more routers share a virtual IP address that serves as the default gateway. The active router handles traffic; the standby takes over automatically if the active fails. |
| UPS and Generator Backup | Power failure. Network equipment requires continuous power; even a brief outage causes switches, routers, and access points to reboot, disrupting all connected users. | Deploy uninterruptible power supplies (UPS) on all critical network equipment. For extended outages, a diesel generator provides power until mains supply is restored. |
Essential Network Documentation
| Document | What It Contains | Why It Matters |
|---|---|---|
| Network Diagrams (Logical) | Logical topology showing VLANs, subnets, IP ranges, routing protocols, firewall zones, and traffic flows between network segments. | Enables engineers to understand the network architecture at a glance. Essential for troubleshooting, capacity planning, and onboarding new team members. |
| Network Diagrams (Physical) | Physical topology showing device locations, rack layouts, cable runs, patch panel mappings, and connections between buildings or floors. | Critical for hardware maintenance, cable tracing, and disaster recovery. Shows exactly where every device is and how it connects physically. |
| IP Address Management (IPAM) | A complete register of all IP address allocations: subnets, DHCP scopes, static reservations, DNS entries, and available address space. | Prevents address conflicts, identifies available space for new deployments, and provides a single source of truth for every IP assignment on the network. |
| Change Management Log | A chronological record of every configuration change, including what was changed, who changed it, when, why, and a rollback procedure. | Enables rapid fault correlation: when something breaks, the change log reveals what changed recently. Required by ISO 27001 and ITIL frameworks. |
| Configuration Backups | Automated backups of switch, router, firewall, and access point configurations stored in a version-controlled repository. | Enables rapid restoration after a device failure or misconfiguration. Without backups, rebuilding a complex switch configuration from memory takes hours. |
Documentation: The Most Neglected Aspect of Network Engineering
Ask any experienced network engineer what they wish they had more of, and the answer is almost always documentation. Networks evolve constantly (new VLANs are added, firewall rules are modified, IP addresses are reassigned) and without up-to-date documentation, the gap between what the network actually does and what people think it does grows wider every day. Treat documentation as a first-class engineering deliverable, not an afterthought. Update diagrams and IPAM records as part of every change, not "when you get time." The hour you invest in documentation today saves ten hours of troubleshooting tomorrow.
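Configuration backups and the change management log reinforce each other: if the last backup is compared against the running configuration on a schedule, every undocumented change surfaces as drift and can be written into the log automatically. The following is an added example in Python, not code from the original page or the course provider. It normalises two IOS-style configurations (both constructed for the illustration, including the community string), diffs them, attributes each changed line to the configuration section it belongs to, and flags changes in security-relevant sections such as access lists, SNMP and VTY lines. The list of sensitive patterns is an assumption you would tune for your own platform.

```python
import difflib
import hashlib
import re
from datetime import datetime, timezone

# Added example: compare a device's backed-up configuration with what is running,
# turn the differences into a change-log entry, and flag changes that touch
# security-relevant sections. The IOS-style configs are constructed for the example.

SENSITIVE = [re.compile(p) for p in (
    r"access-list", r"^snmp-server", r"^username", r"^enable", r"^line vty",
    r"^aaa ", r"^crypto", r"^ip route")]

BASELINE = """\
hostname core-sw1
!
vlan 20
 name Finance
!
ip access-list extended FINANCE-IN
 permit tcp 10.20.2.0 0.0.0.127 host 10.20.4.10 eq 445
 deny ip any any
!
snmp-server community ro-example RO
line vty 0 4
 transport input ssh
"""

RUNNING = """\
hostname core-sw1
!
vlan 20
 name Finance-Users
!
ip access-list extended FINANCE-IN
 permit tcp 10.20.2.0 0.0.0.127 host 10.20.4.10 eq 445
 permit ip any any
 deny ip any any
!
snmp-server community ro-example RO
snmp-server community public RO
line vty 0 4
 transport input ssh telnet
"""


def fingerprint(config: str) -> str:
    """Short hash so two backups can be compared without diffing them."""
    return hashlib.sha256(config.encode()).hexdigest()[:16]


def normalise(config: str) -> list[str]:
    """Drop separator/comment lines and trailing whitespace so cosmetic noise is not drift."""
    return [ln.rstrip() for ln in config.splitlines() if ln.strip() and not ln.startswith("!")]


def section_map(lines: list[str]) -> list[str]:
    """For each line, the unindented section header it belongs to (itself if unindented)."""
    headers, current = [], ""
    for ln in lines:
        if not ln.startswith(" "):
            current = ln
        headers.append(current)
    return headers


def is_sensitive(section: str, line: str) -> bool:
    return any(p.search(section) or p.search(line) for p in SENSITIVE)


def drift_entry(device: str, baseline: str, running: str) -> dict:
    """Build a change-log record describing how `running` differs from `baseline`."""
    before, after = normalise(baseline), normalise(running)
    sec_before, sec_after = section_map(before), section_map(after)
    changes = []
    sm = difflib.SequenceMatcher(a=before, b=after, autojunk=False)
    for tag, i1, i2, j1, j2 in sm.get_opcodes():
        if tag == "equal":
            continue
        for k in range(i1, i2):
            changes.append({"op": "-", "section": sec_before[k], "line": before[k],
                            "risk": "high" if is_sensitive(sec_before[k], before[k]) else "low"})
        for k in range(j1, j2):
            changes.append({"op": "+", "section": sec_after[k], "line": after[k],
                            "risk": "high" if is_sensitive(sec_after[k], after[k]) else "low"})
    risk = "none" if not changes else ("high" if any(c["risk"] == "high" for c in changes) else "low")
    return {"device": device, "when": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "before": fingerprint(baseline), "after": fingerprint(running),
            "changes": changes, "risk": risk}


def format_entry(entry: dict) -> str:
    head = f"[{entry['when']}] {entry['device']} {entry['before']} -> {entry['after']} risk={entry['risk']}"
    body = [f"  {c['op']} [{c['risk']}] ({c['section']}) {c['line'].strip()}" for c in entry["changes"]]
    return "\n".join([head, *body])


if __name__ == "__main__":
    print(format_entry(drift_entry("core-sw1", BASELINE, RUNNING)))
```

Run against the constructed pair, the entry records a harmless VLAN rename as low risk and three high-risk drifts: an access list that now permits everything, a second read-only SNMP community, and Telnet re-enabled on the VTY lines. None of those would appear in a change log that depends on people remembering to write it; a scheduled comparison of backup against running configuration catches them on the next cycle and gives the log entry its "what changed" line for free.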
Advance Your Network Engineering Career
Ready to design, build, and secure professional business networks? Our accredited Network Engineering course covers the OSI model, switching and routing, wireless deployment, network security, and the hands-on skills UK employers are actively hiring for. Turn your networking knowledge into a recognised qualification.
Explore Our Network Engineering Course