One department per floor by default • Layered design (Core/Distribution/Access) • IPv4 plan included
Executive Summary
Design for a 4-floor office building with 4 departments (one per floor). Goals: segregate traffic with VLANs, a central firewall at the internet edge, resilient switching (stack or MLAG), campus wireless with controller-less or controller-based APs, and a clear IP addressing plan and rack layout for the equipment room (MDF).
Single MDF (main distribution frame) in basement or 1st-floor telecom room
Core firewall/router + core switch at MDF
Distribution switches on each floor with aggregated uplinks to the core
Access switches with PoE for phones and APs
Assumptions & Requirements
~40–80 users per floor (adjust as needed)
10 Gbps fiber uplinks from floor distribution to core (or 1/10 Gb copper where budget is limited)
Wi‑Fi 6 APs, 2–4 per floor depending on density
IP Telephony (SIP) and some PoE cameras at entrances
Basic security — VLANs, ACLs, NAT, user firewall rules, and logging
Logical Topology (diagram)
IP Addressing Plan (example)
Use RFC1918 private space; /24 per VLAN for simplicity.
VLAN   Role                            Subnet             Gateway
10     Floor 1 — HR                    10.1.0.0/24        10.1.0.1
20     Floor 2 — Sales                 10.2.0.0/24        10.2.0.1
30     Floor 3 — Finance               10.3.0.0/24        10.3.0.1
40     Floor 4 — R&D                   10.4.0.0/24        10.4.0.1
99     Infrastructure / Management     10.99.0.0/24       10.99.0.1
100    Guest (Wi‑Fi, captive portal)   172.16.100.0/24    172.16.100.1
Notes: Use DHCP with reservations for servers, printers, phones. Put management addresses in VLAN 99 with strict ACLs.
VLAN & Security Policies
Inter-VLAN routing is done either at the core L3 switch or at the firewall. Prefer the firewall for inter-department filtering: it is stateful and logs centrally, whereas switch ACLs are stateless and need a matching rule for return traffic. If the core switch routes between VLANs, the firewall only sees internet-bound traffic and cannot enforce department-to-department policy.
Default-deny ACLs between departments; allow only required services (DNS, AD, SMB, HTTP/HTTPS to internal app servers).
Guest VLAN uses client isolation and NAT; no access to internal VLANs.
Management VLAN (99) only accessible from admin workstations and jump host via MFA + SSH certs.
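The addressing plan and the default-deny policy above, turned into a plan check and an ACL generator. This is an added example, not code from the design document: it validates the VLAN table (RFC1918 only, gateway inside its subnet, no overlapping subnets) and renders one inbound ACL per SVI that denies everything between VLANs except the listed allow rules, including the return-traffic lines a stateless switch ACL needs. The servers 10.99.0.53 (DNS/AD) and 10.99.0.50 (approved app server), the admin workstation 10.4.0.10, the ACL numbering (100 + VLAN id) and the choice to enforce on the switch rather than the firewall are assumptions made for illustration.

```python
"""Validate the IP plan and render the default-deny inter-VLAN policy as Cisco-style ACLs.
Added example, not code from the original design document. The VLAN table is the one from the
addressing plan; the servers (10.99.0.53 DNS/AD, 10.99.0.50 app server), the admin workstation
10.4.0.10 and the ACL numbering (100 + VLAN id) are assumptions made for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Vlan:
    vid: int
    name: str
    subnet: ipaddress.IPv4Network
    gateway: ipaddress.IPv4Address

@dataclass(frozen=True)
class Allow:
    vid: int            # VLAN whose hosts initiate the connection
    src: Optional[str]  # CIDR inside that VLAN, or None for the whole subnet
    dst: str            # destination host (/32) or CIDR
    proto: str          # "tcp" or "udp"
    port: int

def make_vlan(vid, name, cidr, gateway):
    return Vlan(vid, name, ipaddress.ip_network(cidr), ipaddress.ip_address(gateway))

# VLAN table copied from the addressing plan.
VLANS = [
    make_vlan(10, "HR", "10.1.0.0/24", "10.1.0.1"),
    make_vlan(20, "SALES", "10.2.0.0/24", "10.2.0.1"),
    make_vlan(30, "FINANCE", "10.3.0.0/24", "10.3.0.1"),
    make_vlan(40, "RND", "10.4.0.0/24", "10.4.0.1"),
    make_vlan(99, "MGMT", "10.99.0.0/24", "10.99.0.1"),
    make_vlan(100, "GUEST", "172.16.100.0/24", "172.16.100.1"),
]

# Assumed allow rules; anything not listed is denied between VLANs.
ALLOWS = [
    Allow(10, None, "10.99.0.53/32", "udp", 53),           # DNS/AD for every department
    Allow(20, None, "10.99.0.53/32", "udp", 53),
    Allow(30, None, "10.99.0.53/32", "udp", 53),
    Allow(40, None, "10.99.0.53/32", "udp", 53),
    Allow(30, None, "10.99.0.50/32", "tcp", 443),          # Finance -> approved app server
    Allow(40, "10.4.0.10/32", "10.99.0.0/24", "tcp", 22),  # one admin workstation -> mgmt SSH
]

def validate_plan(vlans):
    """Problems found: non-RFC1918 subnets, gateways outside their subnet, overlapping subnets."""
    problems = []
    for v in vlans:
        if not any(v.subnet.subnet_of(block) for block in RFC1918):
            problems.append(f"VLAN {v.vid}: {v.subnet} is not RFC1918")
        if v.gateway not in v.subnet:
            problems.append(f"VLAN {v.vid}: gateway {v.gateway} is outside {v.subnet}")
    for i, a in enumerate(vlans):
        for b in vlans[i + 1:]:
            if a.subnet.overlaps(b.subnet):
                problems.append(f"VLAN {a.vid} and VLAN {b.vid}: {a.subnet} overlaps {b.subnet}")
    return problems

def _m(net):
    """Cisco match syntax: 'host A' for a /32, otherwise 'network wildcard-mask'."""
    return f"host {net.network_address}" if net.prefixlen == 32 else f"{net.network_address} {net.hostmask}"

def _owner(vlans, net):
    """VLAN whose subnet contains `net`, or None if it is not internal."""
    return next((v for v in vlans if net.subnet_of(v.subnet)), None)

def render_acl(vlan, vlans, allows):
    """Inbound ACL for the SVI of `vlan`: explicit permits, return traffic for flows other VLANs
    may open towards this one (switch ACLs are stateless), logged deny to all internal space, internet."""
    acl = 100 + vlan.vid
    by_vid = {v.vid: v for v in vlans}
    lines = []
    for a in allows:
        src = ipaddress.ip_network(a.src) if a.src else by_vid[a.vid].subnet
        dst = ipaddress.ip_network(a.dst)
        if a.vid == vlan.vid:
            lines.append(f"access-list {acl} permit {a.proto} {_m(src)} {_m(dst)} eq {a.port}")
        elif _owner(vlans, dst) is vlan:
            est = " established" if a.proto == "tcp" else ""
            lines.append(f"access-list {acl} permit {a.proto} {_m(dst)} eq {a.port} {_m(src)}{est}")
    for block in RFC1918:  # default deny to every internal prefix, planned or not, with logging
        lines.append(f"access-list {acl} deny ip {_m(vlan.subnet)} {_m(block)} log")
    lines.append(f"access-list {acl} permit ip {_m(vlan.subnet)} any")
    lines += [f"interface Vlan{vlan.vid}", f" ip access-group {acl} in"]
    return lines

def render_config(vlans=VLANS, allows=ALLOWS):
    """VLANs, SVIs and one inbound ACL per SVI; refuses to render an inconsistent plan."""
    problems = validate_plan(vlans)
    if problems:
        raise ValueError("; ".join(problems))
    out = ["configure terminal"]
    for v in vlans:
        out += [f"vlan {v.vid}", f" name {v.name}",
                f"interface Vlan{v.vid}", f" ip address {v.gateway} {v.subnet.netmask}"]
    out.append("ip routing")
    for v in vlans:
        out += render_acl(v, vlans, allows)
    return "\n".join(out + ["end"])
```

Call render_config() to get the full snippet, or render_acl(VLANS[2], VLANS, ALLOWS) for the Finance SVI alone. The "established" lines on the management VLAN ACL are the price of enforcing policy on a stateless switch ACL; they disappear when the same policy is enforced on the firewall, which is why the text prefers the firewall for inter-department filtering.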
Floor-by-Floor Details
Floor 1 — HR
Access: one distribution switch per floor feeding two 48-port PoE access switches, or a single stack of 48-port PoE switches. 2 APs per floor and 1 security camera feed to the NVR. Typical devices: desktops, printers, IP phones.
Services
VLAN 10 • DHCP scope 10.1.0.0/24
QoS: DSCP for voice and video
Uplink: 10G SFP+ to MDF core
Floor 2 — Sales
Higher density — add 3–4 APs depending on open space. Sales devices include laptops, softphones, shared printers.
Services
VLAN 20 • DHCP scope 10.2.0.0/24
Guest Wi‑Fi concentrated near conference rooms
Floor 3 — Finance
High security / compliance. Consider dedicated subnets, additional firewall rules and monitoring. Limit USB and unmanaged network devices; use NAC for endpoint posture.
Services
VLAN 30 • DHCP scope 10.3.0.0/24
Strict ACLs — only approved ports to Finance servers
Floor 4 — R&D
May require lab devices and isolated test networks. Provide a separate lab VLAN, firewalled from production, if needed for experimentation.
Services
VLAN 40 • DHCP scope 10.4.0.0/24
Optional lab VLAN with firewalling to production
Equipment & Rack Layout (MDF)
1U — ISP fiber demarc / SFP transceivers
1–2U — Edge Firewall / Router (HA pair if budget)
2–4U — Core L3 switch (stackable) with 10G uplinks
1–2U — Wireless controller (or cloud-managed) & NTP server
2–4U — Patch panel and fiber patching shelf
1U — NVR for cameras (if local); 2–3U — rack-mounted UPS
Label ports and maintain a rack documentation spreadsheet. Keep at least 20% spare switch ports or plan for modular growth.
Sample Configuration Snippets
! Example: VLANs, SVIs and an inbound ACL on a Layer-3 switch (Cisco IOS-style)
configure terminal
vlan 10
 name HR
vlan 20
 name SALES
vlan 30
 name FINANCE
vlan 40
 name RND
vlan 99
 name MGMT
interface Vlan10
 ip address 10.1.0.1 255.255.255.0
interface Vlan20
 ip address 10.2.0.1 255.255.255.0
interface Vlan30
 ip address 10.3.0.1 255.255.255.0
interface Vlan40
 ip address 10.4.0.1 255.255.255.0
interface Vlan99
 ip address 10.99.0.1 255.255.255.0
ip routing
! If DHCP is served centrally, add "ip helper-address <dhcp-server>" under each SVI.
! ACL for Finance (VLAN 30); 10.99.0.50 stands in for one approved Finance server.
! Permit the approved services first (add DNS/AD and other required services here),
! then deny and log everything else to internal RFC1918 space, then allow internet.
! Switch ACLs are stateless: the server's VLAN needs a matching "established" permit
! for the return traffic, which is one reason to prefer the firewall for this job.
access-list 101 permit tcp 10.3.0.0 0.0.0.255 host 10.99.0.50 eq 443
access-list 101 deny ip 10.3.0.0 0.0.0.255 10.0.0.0 0.255.255.255 log
access-list 101 deny ip 10.3.0.0 0.0.0.255 172.16.0.0 0.15.255.255 log
access-list 101 permit ip 10.3.0.0 0.0.0.255 any
interface Vlan30
 ip access-group 101 in
end
Wireless Design
SSID: Corp (WPA2/WPA3-Enterprise, 802.1X via RADIUS)