Network infrastructure for SMEs: reliable foundations

By Dr Ir Hüseyin Cakmak

Network infrastructure is one of the least glamorous IT expenditures — until the day it fails. At that point, it immediately becomes the board's top priority, because the entire business grinds to a halt.

After years of emergency interventions at Belgian SMEs, we have identified a recurring pattern: businesses invest in sophisticated SaaS tools, advanced cloud solutions and modern line-of-business applications — yet their network runs on heterogeneous, unmonitored equipment with a configuration that has not been reviewed since the initial installation five to seven years ago.

This guide is intended for business owners and IT managers at SMEs who want to understand what their network and server infrastructure should be capable of — and how to assess whether it delivers. It sits within our network and server infrastructure offering, which we design and operate for Belgian and Benelux SMEs.

Legacy infrastructure: built layer by layer

Most SME infrastructures were never designed — they accumulated. A server added for accounting in 2018, a NAS to share files in 2020, a second internet line subscribed after a memorable outage, an extra switch plugged in because ports were running out. Each addition solved an immediate problem with no overall view.

The result is an infrastructure whose topology nobody fully understands any more. The dependencies are implicit: this service runs on that server, whose shutdown would affect another service, but none of it is documented anywhere. When an outage occurs, diagnosis takes hours because the workings of the whole have to be mentally reconstructed first.

Map before you rebuild

Before any modernisation, the first step is to map what already exists. You do not rebuild an infrastructure you do not understand. This mapping covers the hardware and software inventory, the IP addressing plan, the traffic flows between applications, the dependencies between servers and services, and the contracts and warranties in force.

This exercise almost always reveals surprises: an ageing physical server hosting a critical service with no redundancy whatsoever, a backup believed to be running that stopped months ago, or end-of-life equipment that no vendor supports any more. This is precisely what a structured infrastructure audit produces.

The four components of a solid SME network

1. Routing and segmentation (VLAN)

A flat network — where all your devices sit on the same segment — was acceptable for a 10-person SME in 2010. Today, with IoT devices (printers, cameras, access control systems, Wi-Fi access points), guest devices and production servers coexisting on the same network, it represents a significant security vulnerability.

VLAN segmentation divides your network into distinct logical zones:

  • Production VLAN: servers, NAS, critical equipment — access restricted to authorised devices only
  • User VLAN: workstations and IP phones
  • IoT VLAN: printers, cameras, control systems — isolated from everything else
  • Guest VLAN: internet access only, no visibility into the internal network

This architecture does not require high-end hardware. Managed switches from Cisco Catalyst, Ubiquiti UniFi or HP Aruba are sufficient for most SMEs of 20 to 150 employees.
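
As an added illustration (not part of the original article), the zones above can be written down as a default-deny policy and checked against observed or planned flows before any switch or firewall is touched. The subnets, the allowed rules and the sample flows are constructed assumptions.

```python
import ipaddress

# Constructed addressing plan for the four zones above (subnets are assumptions).
ZONES = {
    "production": ipaddress.ip_network("10.10.10.0/24"),
    "user": ipaddress.ip_network("10.10.20.0/24"),
    "iot": ipaddress.ip_network("10.10.30.0/24"),
    "guest": ipaddress.ip_network("10.10.40.0/24"),
}

# Default deny between zones: only (source zone, destination zone, TCP port)
# tuples listed here pass. "external" is any address outside the plan.
# The IoT zone has no entry, so it stays isolated in both directions.
ALLOW = {
    ("user", "production", 445),      # workstations to the file server (SMB)
    ("user", "external", 443),
    ("production", "external", 443),  # e.g. updates, cloud backup
    ("guest", "external", 443),       # guests: internet only
}

def zone_of(addr):
    """Map an IP address to its zone name, or "external" if outside the plan."""
    ip = ipaddress.ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "external")

def overlapping_zones():
    """Pairs of zones whose subnets overlap, a common addressing-plan error."""
    names = sorted(ZONES)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ZONES[a].overlaps(ZONES[b])]

def evaluate(flows):
    """Return (src_zone, dst_zone, port, verdict) for each (src, dst, port)."""
    results = []
    for src, dst, port in flows:
        s, d = zone_of(src), zone_of(dst)
        if s == d and s in ZONES:
            verdict = "same-vlan"  # never reaches the inter-VLAN firewall
        else:
            verdict = "allow" if (s, d, port) in ALLOW else "deny"
        results.append((s, d, port, verdict))
    return results

# Constructed sample flows: (source IP, destination IP, destination port).
SAMPLE_FLOWS = [
    ("10.10.20.15", "10.10.10.5", 445), ("10.10.40.7", "10.10.10.5", 445),
    ("10.10.30.21", "10.10.20.15", 22), ("10.10.40.7", "203.0.113.10", 443),
    ("10.10.20.15", "10.10.20.16", 445),
]
```

The "same-vlan" verdict marks traffic that this policy cannot filter, because it never crosses the boundary between zones; on Wi-Fi that gap is what client isolation covers.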

2. Professional Wi-Fi

Consumer-grade Wi-Fi (ISP router or home access point) is not suitable for professional environments for several reasons:

Performance: consumer devices do not handle high densities of simultaneous users well. Beyond 15 to 20 connected devices, performance degrades significantly.

Security: most consumer access points do not support client isolation (preventing two Wi-Fi devices from seeing each other) or VLAN segmentation per SSID.

Visibility: when problems occur, you have no insight into what is actually happening on your wireless network.

A professional Wi-Fi deployment (Ubiquiti, Cisco Meraki, Aruba Instant On) allows you to define multiple SSIDs with associated VLANs, centralised monitoring and connectivity reports, and proper device roaming between access points.

3. Redundancy and high availability

What is your business's tolerance for a network outage of 4 hours? Of 8 hours? Of a full day?

For most SMEs, the answer is "none" — or "very low". Yet many operate with a single internet connection and no automatic failover mechanism.

Baseline measures to improve resilience:

Dual internet access: primary connection (fibre) + backup connection (4G/5G or VDSL) with automatic failover. The monthly cost of a 4G backup connection is typically less than the cost of one hour of business downtime.

Redundancy of critical equipment: your core switch should ideally have a redundant power supply. A failed core switch paralyses the entire network even if internet connectivity is intact.

UPS (uninterruptible power supply): your active network equipment (switches, firewalls, Wi-Fi access points) should be on UPS to absorb micro-outages and voltage fluctuations — the leading causes of premature equipment failure.

4. Monitoring and alerting

An unmonitored network is a network whose problems you discover after your users do. Proactive monitoring lets you detect bandwidth saturation, partial failures or security anomalies before they affect operations.

Monitoring tools do not require deep expertise for an SME. Solutions such as PRTG Network Monitor, Zabbix or the built-in dashboards of Ubiquiti/Meraki allow you to configure email or SMS alerts for:

  • Equipment availability (ping)
  • Bandwidth utilisation (alert thresholds at 70% and 90%)
  • WAN link response times
  • Disk space on NAS and servers
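
The 70% and 90% bandwidth thresholds are applied to a utilisation figure that a monitoring tool derives from two successive readings of an interface byte counter. The following added example (not from the original article) shows that calculation, including counter wrap and counter reset; the link speed, polling interval and counter readings are constructed.

```python
def utilisation_pct(octets_t0, octets_t1, interval_s, link_bps, counter_bits=64):
    """Link utilisation in percent from two readings of an interface octet
    counter (e.g. SNMP ifHCInOctets). Returns None for an untrustworthy sample."""
    if interval_s <= 0 or link_bps <= 0:
        raise ValueError("interval_s and link_bps must be positive")
    delta = octets_t1 - octets_t0
    if delta < 0:
        delta += 2 ** counter_bits  # the counter wrapped past its maximum
    pct = 100 * delta * 8 / (interval_s * link_bps)
    # More than line rate is impossible: the counter was reset (device reboot)
    # or wrapped more than once between polls, so the sample is discarded.
    return pct if pct <= 100 else None

def classify(pct, warn=70.0, crit=90.0):
    """Apply the two alert thresholds from the list above."""
    if pct is None:
        return "no-data"
    if pct >= crit:
        return "critical"
    return "warning" if pct >= warn else "ok"

def assess(samples, interval_s, link_bps, counter_bits=64):
    """samples: successive counter readings taken interval_s seconds apart."""
    out = []
    for prev, cur in zip(samples, samples[1:]):
        pct = utilisation_pct(prev, cur, interval_s, link_bps, counter_bits)
        out.append((None if pct is None else round(pct, 1), classify(pct)))
    return out

# Constructed readings: 100 Mbit/s WAN link polled every 60 seconds.
SAMPLES = [0, 300_000_000, 862_500_000, 1_575_000_000]

if __name__ == "__main__":
    for pct, level in assess(SAMPLES, 60, 100_000_000):
        print(pct, level)
```

A 32-bit counter on a 1 Gbit/s link can wrap in about 34 seconds, so poll the 64-bit counters where the equipment offers them.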

Network design: LAN, WAN and SD-WAN

Network design starts with the LAN — the local network of the site. This is where the VLAN segmentation and professional Wi-Fi described above come into play, but also the sizing of the links between switches: an access switch connected to its core switch by a single gigabit link can become a bottleneck as soon as several dozen workstations call on the file server simultaneously.

The WAN concerns links to the outside world: internet access, links between sites, access to cloud resources. For a single-site SME, dual internet access with failover is generally sufficient. For a multi-site organisation, SD-WAN becomes relevant: it allows several links (fibre, VDSL, 4G/5G) to be aggregated and traffic to be steered dynamically according to its nature — for example favouring fibre for file transfers and switching voice to a more stable link. SD-WAN is not a necessity for every SME, and its real value depends on the number of sites and the criticality of inter-site links.

Virtualisation and server consolidation

Running each application on its own physical server is costly, space-hungry and fragile. Virtualisation — with a hypervisor such as VMware vSphere, Proxmox or Microsoft Hyper-V — allows several virtual servers to be consolidated onto a reduced number of physical machines.

The benefits are tangible: better use of hardware, isolation of environments, and above all operational flexibility. A virtual machine can be captured in a snapshot, moved from one physical host to another, or restored in minutes rather than reinstalling a server from scratch. For many SMEs, two correctly sized virtualisation hosts can replace a fleet of five or six ageing physical servers to good effect.

Consolidation does have its limits, however: concentrating too many services on too little hardware recreates a single point of failure. This is why virtualisation goes hand in hand with thinking about high availability.

High availability and business continuity

High availability consists of eliminating single points of failure — those elements whose failure is enough to halt a critical function. In practice, this means doubling up what can be doubled: redundant power supplies, two virtualisation hosts rather than one, RAID storage, a dual network link to critical equipment.

Beyond day-to-day availability, the business continuity plan (BCP) and the disaster recovery plan (DR) answer a different question: what happens in the event of a major incident — fire, water damage, ransomware encrypting the entire storage? Two indicators frame this thinking: the RTO (maximum acceptable downtime) and the RPO (maximum volume of data you are willing to lose). Defining these two values together with management drives all the technical and budgetary choices, because aiming for recovery within an hour costs appreciably more than aiming for recovery within a day.

Backups that are actually tested

A backup that has never been restored is not a backup — it is an assumption. We regularly encounter SMEs convinced they are protected whose last usable backup is several months old, either because the job had silently stopped, because the media was full, or because the backed-up files turned out to be corrupt on the day they had to be restored.

The reference rule remains the 3-2-1 rule: three copies of the data, on two different types of media, with one copy off-site. In the ransomware era, an immutable or offline copy is often added, which an attacker cannot encrypt even if they take control of the network. But the 3-2-1 rule only has value if restores are tested regularly: a quarterly, documented restore test is the only real proof that your setup works.
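
An added example (not part of the original article) of auditing a backup inventory against the 3-2-1 rule. It counts only copies whose job is still succeeding, so a setup that looks compliant on paper is reported as it really stands. The field names, the per-copy freshness limits, the 92-day reading of "quarterly" and the sample inventory are assumptions.

```python
from datetime import date

def audit_321(copies, today, max_test_age_days=92):
    """Return findings for the 3-2-1 rule, counting only usable copies."""
    findings, usable = [], []
    for c in copies:
        if c.get("live"):               # the production data itself
            usable.append(c)
            continue
        if (today - c["last_success"]).days > c["max_age_days"]:
            findings.append(f"stale-job:{c['name']}")   # job silently stopped
        else:
            usable.append(c)
        tested = c["last_restore_test"]
        if tested is None:
            findings.append(f"restore-never-tested:{c['name']}")
        elif (today - tested).days > max_test_age_days:
            findings.append(f"restore-test-overdue:{c['name']}")
    if len(usable) < 3:
        findings.append("fewer-than-3-usable-copies")
    if len({c["media"] for c in usable}) < 2:
        findings.append("fewer-than-2-media-types")
    if not any(c["offsite"] for c in usable):
        findings.append("no-usable-offsite-copy")
    if not any(c["immutable"] for c in usable if not c.get("live")):
        findings.append("no-immutable-or-offline-copy")
    return findings

# Constructed inventory: three copies on two media with one off-site, but the
# off-site job last succeeded months ago and was never restore-tested.
SAMPLE_COPIES = [
    {"name": "file-server", "live": True, "media": "disk",
     "offsite": False, "immutable": False},
    {"name": "nas-nightly", "media": "disk", "offsite": False,
     "immutable": False, "max_age_days": 2,
     "last_success": date(2025, 6, 1), "last_restore_test": date(2025, 4, 10)},
    {"name": "cloud-weekly", "media": "object-storage", "offsite": True,
     "immutable": False, "max_age_days": 8,
     "last_success": date(2025, 2, 14), "last_restore_test": None},
]

if __name__ == "__main__":
    for finding in audit_321(SAMPLE_COPIES, date(2025, 6, 2)):
        print(finding)
```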

Hybrid: connecting on-premise and cloud

The "all cloud" versus "all on-site" debate is largely outdated for SMEs. Most organisations work better with a hybrid architecture, where each workload is placed where it makes most sense. Email and office productivity live naturally in the cloud (Microsoft 365), while a line-of-business application that is latency-sensitive or subject to regulatory constraints may remain on-premise.

The challenge of a hybrid architecture is the connection: connectivity between the site and the cloud, consistency of identities and access, and a backup strategy that covers both worlds, including data hosted in the cloud, which the vendor does not always back up on your behalf. A well-executed migration to the Azure cloud depends on a healthy network infrastructure being in place beforehand.

Documentation you own

The final pillar is often the most neglected: documentation. An up-to-date network diagram, an addressing plan, an equipment inventory with warranty end dates, restore procedures and the contact details of providers constitute an asset that belongs to the business — not to the technician or provider who holds the information in their head.

This documentation is also the foundation of a sound security posture: you cannot protect what you have not inventoried. It combines naturally with an approach to cybersecurity and GDPR compliance, which relies on the same precise knowledge of the estate.

When your network needs an overhaul

These are the signals that indicate it is time to audit your network infrastructure:

  • Your users regularly complain about slowness with no identified cause
  • You have added cloud services (Microsoft 365, SaaS ERP) without reviewing your network architecture
  • You have no network documentation (IP addressing plan, equipment inventory, cabling diagram)
  • Your firewall is the same router your ISP installed
  • You have received no alerts from your network in 6 months — not because everything is fine, but because there is no alerting system

Our approach at ITOPS.be

We conduct network infrastructure audits that produce a tangible deliverable: a status report with gaps identified against best practices, and a prioritised roadmap with cost estimates.

We work primarily with Cisco, Ubiquiti and Fortinet equipment, but our advice is vendor-independent — we recommend what fits your organisation's budget and needs, not what maximises our margin.

If you have doubts about the health of your network infrastructure, contact us for a 30-minute assessment call. We will ask a few structured questions that allow us to evaluate together whether a more comprehensive audit is warranted.

Frequently asked questions

On-premise, cloud or hybrid for an SME?

There is no single answer. Office productivity, email and collaboration are generally simpler and more economical in the cloud. Conversely, a line-of-business application that is latency-sensitive, subject to regulatory constraints or tightly integrated with local equipment may stay on-premise. Most SMEs end up with a blend of the two. The right starting point is to map your applications and their constraints before deciding.

How do we avoid single points of failure?

A single point of failure is an element whose failure is enough to halt a critical function: a single internet connection, a single core switch, a single server hosting a key application. You reduce them by doubling up what can be doubled — redundant power supplies, a dual network link, a second virtualisation host, RAID storage, a backup internet connection with failover. The aim is not to duplicate everything, but to identify the genuinely critical elements and target investment accordingly.

What is a 3-2-1 backup and do we need it?

The 3-2-1 rule recommends keeping three copies of your data, on two different types of media, with one copy off-site. Today an immutable or offline copy is often added to withstand ransomware. Yes, any organisation that depends on its data needs it — but only if restores are tested regularly, otherwise the backup is no more than an unverified assumption.

How long does an infrastructure audit take?

It depends on the size and complexity of the environment. For a single-site SME of 20 to 50 workstations, the data-gathering and mapping phase typically takes a few days to one or two weeks, followed by writing the report and the roadmap. Multi-site or highly heterogeneous environments take longer. We set the scope and timeline during the preliminary call, so you know what to expect before committing.