CCNATraining.com publishes exam prep guides, course reviews, and career advice for people studying for Cisco certifications. Our authors are working network engineers who write from real experience, not marketing copy. Whether you’re starting your CCNA or pushing toward CCNP, every article is built to help you understand networking, not just memorize facts.

Network Design Tips for New Companies Starting From Scratch

If you’re building a network for a brand new company, you have something most of us never get: a clean slate. No legacy switches crammed in a closet, no mystery VLANs nobody can explain, no “temporary” firewall rules from 2017 that somehow became permanent. I’ve inherited enough of those messes to know how rare and valuable a fresh start is. So if you’re in this position, take a breath and plan it right. The choices you make now will either save you hundreds of hours over the next few years or haunt you every time a ticket comes in.

Here are the things I wish someone had told me before my first greenfield deployment.

How Should a New Company Plan Its IP Addressing?

This is the least exciting part of network design and also the part that causes the most pain when you get it wrong. I’ve seen startups grab a /24 for the whole company, run out of addresses in 18 months, and then spend a weekend renumbering everything while the CEO sends passive-aggressive Slack messages.

Start with more space than you think you need. Use RFC 1918 private address space (10.0.0.0/8 gives you over 16 million addresses) and carve it into a logical hierarchy. I like to break it down by site, then by function. Something like 10.SITE.FUNCTION.HOST. So 10.1.10.0/24 might be Site 1, data VLAN. 10.1.20.0/24 is Site 1, voice VLAN. 10.2.10.0/24 is Site 2, data. You get the idea.

Document it from day one. A spreadsheet works. A proper IPAM tool like phpIPAM works better. The point is that six months from now, when someone asks “what’s on 10.1.40.0/24,” you should be able to answer without logging into a switch.

And don’t skip IPv6 planning. You don’t have to deploy it on day one, but leave room for it in your design. Dual-stack is coming whether we want it or not, and retrofitting it into a network that was never designed for it is genuinely painful.
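As an added example (not code from the article), this script turns the 10.SITE.FUNCTION.HOST scheme above into a checked, dual-stack plan: every VLAN gets a /24 plus a matching IPv6 /64 out of a ULA /48, overlapping subnets are flagged, and "what's on 10.1.40.0/24" can be answered without logging into a switch. The site names, function codes and the ULA prefix are constructed assumptions.

```python
import ipaddress

# Constructed inputs (not from the article): site numbers, function codes and
# an IPv6 ULA /48. Generate your own ULA per RFC 4193 instead of reusing this one.
SITES = {1: "NYC", 2: "AUS"}
FUNCTIONS = {10: "data", 20: "voice", 30: "servers", 40: "guest-wifi", 50: "iot"}
ULA_PREFIX = ipaddress.IPv6Network("fd4b:1c2e:9a70::/48")


def build_plan(sites=SITES, functions=FUNCTIONS, ula=ULA_PREFIX):
    """Return {"SITE-function": (IPv4 /24, IPv6 /64)} for every site/function pair.

    IPv4 follows 10.SITE.FUNCTION.0/24. The IPv6 /64 is carved from the ULA /48
    with subnet ID = (site << 8) | function, so 10.1.10.0/24 pairs with
    fd4b:1c2e:9a70:10a::/64 and the hierarchy stays readable in both families.
    """
    plan = {}
    for site_id, site in sites.items():
        for func_id, func in functions.items():
            v4 = ipaddress.IPv4Network(f"10.{site_id}.{func_id}.0/24")
            subnet_id = (site_id << 8) | func_id          # 16-bit subnet field
            v6_int = int(ula.network_address) | (subnet_id << 64)
            plan[f"{site}-{func}"] = (v4, ipaddress.IPv6Network((v6_int, 64)))
    return plan


def overlaps(plan):
    """Return (name_a, name_b) pairs whose IPv4 subnets collide; [] for a clean plan."""
    items = list(plan.items())
    return [(a, b) for i, (a, (a4, _)) in enumerate(items)
            for b, (b4, _) in items[i + 1:] if a4.overlaps(b4)]


def whats_on(plan, query):
    """Answer "what's on 10.1.40.0/24?" (or any single address) from the plan alone."""
    target = ipaddress.ip_network(query, strict=False)
    for name, nets in plan.items():
        for net in nets:
            if net.version == target.version and target.subnet_of(net):
                return name
    return None


if __name__ == "__main__":
    plan = build_plan()
    for name, (v4, v6) in plan.items():
        print(f"{name:16} {str(v4):18} {v6}")
    print("overlaps:", overlaps(plan) or "none")
    print("10.1.40.0/24 ->", whats_on(plan, "10.1.40.0/24"))
```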

Segment Early With VLANs

Flat networks are fast to deploy and terrible to manage. One compromised device can see everything. A broadcast storm takes down the entire company. A single misbehaving IoT thermostat can saturate your whole network with garbage traffic. I’ve seen all three of these happen.

Even for a 30-person startup, segment from the start. At minimum, you want separate VLANs for employee workstations, servers or infrastructure, guest Wi-Fi, VoIP phones (if you have them), and any IoT or building management devices. That’s five VLANs and five subnets. Not complicated, but it gives you isolation, easier troubleshooting, and a foundation for security policies.

Put your inter-VLAN routing on a Layer 3 switch or your firewall, depending on your throughput needs. For a small office with under 200 users, a decent firewall can handle the routing and give you the ability to write security policies between VLANs at the same time. Once you start pushing serious east-west traffic between server VLANs, move that routing to a Layer 3 switch and keep the firewall for north-south inspection.

What Network Hardware Does a Small Company Actually Need?

New companies love to either over-buy or under-buy. I’ve walked into startups with a $40,000 Cisco Catalyst 9500 stack serving 25 people, and I’ve walked into others running consumer-grade TP-Link switches from Amazon.

For most new companies under 100 employees in a single office, you need a business-class firewall (Fortinet, Palo Alto, or even a Cisco Firepower 1010 for smaller deployments), one or two managed switches with PoE for access points and phones, enterprise Wi-Fi access points (not consumer routers), and a small UPS to keep everything running during brief power blips.

The key word is “managed.” Unmanaged switches are cheaper, but you can’t configure VLANs, you can’t see port statistics, and you can’t troubleshoot anything remotely. The price difference between a managed and unmanaged 24-port PoE switch might be $200. Spend the $200. If you’re choosing between Cisco and other brands, that decision depends on your team’s skill set and your budget, and there’s more to consider with physical infrastructure than just the switches themselves.

Don’t Treat Wi-Fi as an Afterthought

I see this constantly. A company will spec out a great wired backbone and then stick two consumer access points on a shelf and call it done. Wireless is the primary connection method for most employees now. Laptops, phones, tablets, conference room displays. If your Wi-Fi is unreliable, your users don’t care that your switch stack has redundant power supplies.

Do a basic site survey before you mount anything. You don’t need a $15,000 Ekahau setup for a single office. Walk the space with a free tool like the NetSpot free tier and identify dead zones, interference sources, and the materials your walls are made of. Concrete and metal kill 5 GHz signal fast.

Use a controller-based or cloud-managed system so you can push configuration changes across all APs at once. Set up separate SSIDs for corporate and guest traffic, map them to different VLANs, and make sure guest traffic goes straight to the internet without touching your internal network. WPA3 Enterprise with 802.1X authentication is the gold standard, but WPA3 Personal with a strong PSK works fine for smaller shops that don’t have a RADIUS server yet.

Build Security Into the Design, Not On Top of It

Security bolted onto a flat, unmanaged network is like putting a deadbolt on a screen door. The segmentation I mentioned earlier? That’s security. Your IP addressing scheme that separates IoT from workstations? That’s security. Using managed switches with 802.1X port authentication so rogue devices can’t just plug in? Also security.

For a new company, the baseline should include a next-generation firewall with IPS and content filtering enabled, DNS filtering (either on the firewall or through a service like Cisco Umbrella), MFA on every admin interface and every cloud service, and a documented policy for who can access what.

The NIST Cybersecurity Framework is a good starting reference even if you’re not in a regulated industry. You don’t have to implement every control on day one. But having the framework in mind while you’re designing means you won’t have to rip things apart later when your first enterprise customer sends you a security questionnaire.

Plan for Growth and Remote Sites Now

Startups grow in unpredictable ways. You might open a second office in six months. You might go fully remote. You might acquire another company and suddenly inherit their network. Your design should accommodate all of these without a complete rebuild.

This is where SD-WAN comes in, even for small companies. Traditional site-to-site VPNs work, but they’re static and annoying to manage as you add locations. SD-WAN solutions from Cisco (Viptela/Catalyst SD-WAN), Fortinet, or VMware give you centralized policy management, automatic failover between ISP connections, and application-aware routing. If you’re already looking at how the network admin role is shifting toward cloud and SD-WAN skills, this is a good place to start building that experience.

Even if you only have one site today, set up your firewall and routing with multi-site in mind. Use a consistent VLAN numbering scheme. Keep your DHCP scopes organized. Make your naming conventions systematic (e.g., SW-NYC-01, AP-NYC-CONF-01). When site two shows up, you’ll extend the pattern instead of inventing a new one.

Automate and Document From the Beginning

I know. For a ten-person startup, writing Ansible playbooks to configure three switches feels like overkill. But the documentation habit matters more than the automation tooling. Every VLAN, every firewall rule, every static route should exist somewhere outside the device config.

Start simple. A shared Git repository with your running configs, backed up weekly. A network diagram in draw.io that you update every time something changes. A spreadsheet of firewall rules with a “justification” column so you know why each rule exists. These aren’t glamorous, but they’re the difference between a smooth handoff when you hire your second network person and a two-week archeological dig through CLI output.
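An added example, not from the article, of the "justification column" idea turned into a check you can run on the rule spreadsheet: it flags rules with no justification or owner, any/any allow rules, and "temporary" rules that are still present past their expiry date (the 2017 kind mentioned at the top). The CSV rows, zone names and column layout are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample of the rule spreadsheet described above (not a real ruleset).
# The subnets follow the 10.SITE.FUNCTION.0/24 layout used earlier in the article.
RULES_CSV = """\
id,src_zone,src,dst_zone,dst,port,action,owner,justification,expires
10,Users,10.1.10.0/24,Servers,10.1.30.0/24,443,allow,netops,Workstations reach internal web apps,
20,Guest,10.1.40.0/24,Internet,any,any,allow,netops,Guest Wi-Fi is internet-only,
30,Guest,10.1.40.0/24,Users,10.1.10.0/24,any,deny,netops,Guest must never reach corporate,
40,IoT,10.1.50.0/24,Servers,10.1.30.0/24,any,allow,,,2017-12-31
50,any,any,any,any,any,allow,contractor,Temporary for migration weekend,2017-06-30
"""


def audit_rules(csv_text, today=None):
    """Return {rule_id: [finding, ...]} for every rule that fails the hygiene checks.

    Checks: a non-empty justification and owner, no allow rule that is any/any/any,
    and no "temporary" rule still present after its expiry date.
    """
    today = today or date.today()
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems = []
        if not row["justification"].strip():
            problems.append("missing justification")
        if not row["owner"].strip():
            problems.append("no owner")
        if row["action"] == "allow" and {row["src"], row["dst"], row["port"]} == {"any"}:
            problems.append("any/any allow")
        if row["expires"] and date.fromisoformat(row["expires"]) < today:
            problems.append(f"expired on {row['expires']}")
        if problems:
            findings[row["id"]] = problems
    return findings


if __name__ == "__main__":
    for rule_id, problems in audit_rules(RULES_CSV).items():
        print(f"rule {rule_id}: {', '.join(problems)}")
```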

If you want to start automating early, Cisco’s Meraki dashboard or Fortinet’s FortiManager can handle policy-based management without scripting. When you’re ready for real automation, Python with Netmiko or Nornir is where most of us end up.

The One Thing Most New Companies Get Wrong

They treat the network like plumbing. Something that just works in the background and doesn’t need attention until it breaks. By the time it breaks, the network has grown organically with no plan, no documentation, and no segmentation. And the person they hire to fix it (hi, that’s been me more than once) has to untangle years of quick fixes before they can even start improving things.

You don’t need a perfect design. You need a deliberate one. Allocate IP space with room to grow. Segment with VLANs from the start. Buy managed gear. Treat Wi-Fi as primary infrastructure. Build security into the architecture. Document everything, even when it feels unnecessary.

Six months from now, when the company doubles in size and someone asks you to add a second office, you’ll either be extending a clean design or tearing out a mess. I’ve done both. One of them involves a lot less weekend work.

Ashley Miller

Network Professional | CCNA Certified

Ashley Miller is a 35-year-old networking professional with a proven foundation in Cisco technologies. She is CCNA certified and currently advancing her expertise by working toward the Cisco Certified Network Professional (CCNP) certification. With a passion for designing and maintaining efficient, secure network infrastructures, Ashley brings both technical skill and real-world experience to every project.
