Network Design for Small Business
A practical guide to designing IP networks for small businesses, covering subnet sizing, VLAN segmentation, DHCP scoping, and growth planning.
Starting with Requirements
Before assigning a single IP address, gather requirements:
- How many employees? Count current and plan for 2-3 year growth.
- What devices? Workstations, phones, printers, servers, IoT, access points.
- Security zones? Separate guest Wi-Fi, internal network, servers, and management.
- Remote access? VPN users need non-conflicting IP ranges.
A typical 50-person office might need 150+ IP addresses when you count all devices.
Recommended Architecture
For a small business with 20-100 users, a clean VLAN-based design provides security and manageability:
| VLAN | Name | Subnet | Purpose | DHCP Range |
|---|---|---|---|---|
| 10 | Corporate | 10.10.10.0/24 | Employee workstations | .50 -- .250 |
| 20 | Servers | 10.10.20.0/24 | Internal servers | Static only |
| 30 | VoIP | 10.10.30.0/24 | IP phones | .50 -- .250 |
| 40 | Guest | 10.10.40.0/24 | Guest Wi-Fi | .50 -- .250 |
| 50 | Management | 10.10.50.0/28 | Switches, APs, UPS | Static only |
Why 10.10.x.x?
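Avoid 192.168.0.0/24 and 192.168.1.0/24: these are the default ranges for virtually every consumer router. When employees connect via VPN from home, overlapping subnets cause routing failures, because the client treats the overlapping office range as its own local LAN and never sends that traffic into the tunnel. Using 10.10.x.0/24 avoids this conflict.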
DHCP Best Practices
Reserve the first 49 addresses in each DHCP subnet for static assignments:
- .1 -> Default gateway (router)
- .2 -- .10 -> Network infrastructure (switches, APs)
- .11 -- .20 -> Printers and shared devices
- .21 -- .49 -> Reserved for future static needs
- .50 -- .250 -> DHCP pool
- .251 -- .254 -> Reserved
Set DHCP lease times appropriately:
- Corporate wired: 8 hours (employees leave at night)
- Guest Wi-Fi: 2 hours (visitors come and go)
- VoIP: 12 hours (phones are always on)
Guest Network Isolation
The guest VLAN (40) should have no access to any other VLAN. On the firewall:
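- Allow VLAN 40 to reach the internet (ports 80, 443, and DNS on port 53)
- Block VLAN 40 from accessing 10.10.0.0/16 entirely; on a first-match firewall this rule must sit above the internet allow rule, or guests could still reach internal hosts on ports 80 and 443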
- Rate-limit guest traffic to prevent abuse
- Enable client isolation on guest SSIDs (prevents guests from seeing each other)
Growth Planning
Design for where you will be in 3 years, not today. Using /24 subnets gives each VLAN 254 usable addresses, enough for most small businesses. If a VLAN outgrows its /24, you can either resize to /23 or add a second /24 and route between them.
Keep a network documentation spreadsheet with every static IP assignment, VLAN ID, and subnet. This single document prevents IP conflicts and makes troubleshooting far easier.
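The documented plan can also be checked mechanically. The following is an added example, not part of the original guide: it audits the VLAN table above for overlaps, collisions with consumer-router defaults, coverage by the guest block rule, and DHCP pools that intrude on the static reservation, then tests whether a VLAN can grow to /23. The names `PLAN`, `audit` and `can_grow` are assumptions made for this example.

```python
import ipaddress as ip

# Plan copied from the VLAN table; pool = (first, last) host offsets, None = static only.
PLAN = {
    10: ("Corporate", "10.10.10.0/24", (50, 250)),
    20: ("Servers", "10.10.20.0/24", None),
    30: ("VoIP", "10.10.30.0/24", (50, 250)),
    40: ("Guest", "10.10.40.0/24", (50, 250)),
    50: ("Management", "10.10.50.0/28", None),
}
HOME_DEFAULTS = [ip.ip_network("192.168.0.0/24"), ip.ip_network("192.168.1.0/24")]
GUEST_VLAN, GUEST_BLOCK = 40, ip.ip_network("10.10.0.0/16")
FIRST_POOL_OFFSET = 50  # .1 to .49 are reserved for static assignments


def audit(plan):
    """Return a list of problems in the plan; an empty list means it is consistent."""
    nets = {vid: ip.ip_network(row[1]) for vid, row in plan.items()}  # raises if host bits set
    problems = []
    ids = sorted(nets)
    for i, a in enumerate(ids):
        for b in ids[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"VLAN {a} overlaps VLAN {b}")
    for vid, (_name, _cidr, pool) in plan.items():
        net = nets[vid]
        if any(net.overlaps(h) for h in HOME_DEFAULTS):
            problems.append(f"VLAN {vid} collides with a consumer-router default")
        if vid != GUEST_VLAN and not net.subnet_of(GUEST_BLOCK):
            problems.append(f"VLAN {vid} is not covered by the guest block rule")
        if pool:
            first, last = pool
            top = net.network_address + last  # highest address the pool would hand out
            if first < FIRST_POOL_OFFSET or first > last or top >= net.broadcast_address:
                problems.append(f"VLAN {vid} DHCP pool .{first}-.{last} is invalid")
    return problems


def can_grow(plan, vid, new_prefix=23):
    """True if VLAN vid can be resized to new_prefix without overlapping another VLAN."""
    grown = ip.ip_network(plan[vid][1]).supernet(new_prefix=new_prefix)
    return not any(grown.overlaps(ip.ip_network(row[1]))
                   for other, row in plan.items() if other != vid)


if __name__ == "__main__":
    print(audit(PLAN) or "plan is consistent")
    print({vid: can_grow(PLAN, vid) for vid in PLAN})
```

Running the audit whenever the spreadsheet changes catches a conflicting subnet or an oversized DHCP pool before it reaches a switch or firewall.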