The corporate network is the circulatory system of any digital organisation: when it works, no one notices it; when it fails, everything grinds to a halt. Designing a robust network infrastructure requires balancing three demands that often pull in opposite directions: performance, security and cost. In this technical guide we walk through the building blocks of a modern enterprise network, from the building's LAN to the VPNs and the SD-WAN architecture that connects distributed sites, along with the design decisions that separate a reliable network from one that drags chronic problems behind it.
The local area network: the base on which everything is built
The LAN (Local Area Network) connects the devices within a single site. Its design determines the latency, the capacity for growth and the resilience of the entire organisation. The classic hierarchical model distinguishes three layers: access (where end devices connect), distribution (which aggregates traffic and applies policies) and core (the high-speed backbone). An essential practice is segmentation through VLANs (virtual local area networks), which logically separate traffic (for example, voice, user data, servers and guests) over the same physical infrastructure. Segmentation not only improves performance by reducing broadcast domains, it is also the first line of containment in a security incident: a compromised device on the guest VLAN should not be able to reach the server VLAN.
Securely connecting sites and remote users: VPN
A VPN (Virtual Private Network) creates an encrypted tunnel over a public network such as the Internet, allowing sites and remote users to access corporate resources as if they were on the local network. It is worth distinguishing two modes. The site-to-site VPN permanently interconnects two or more locations, usually through the IPsec suite of protocols. The remote-access VPN connects individual users, increasingly through modern solutions based on TLS or the WireGuard protocol, which is lighter and more efficient than traditional options. Encryption must rely on current algorithms (AES-256, robust key exchange) and on rigorous certificate management, because a misconfigured VPN is an open door with the appearance of a wall.
SD-WAN: redefining connectivity between sites
The SD-WAN (Software-Defined Wide Area Network) technology has transformed the way distributed offices are connected. Instead of relying on costly dedicated MPLS links, SD-WAN combines several types of connection (broadband, fibre, 5G) and, through a software-centralised control layer, routes each type of traffic over the optimal path according to policies. A critical video call can take the lowest-latency link while a backup uses the cheapest one. Its advantages are cost reduction compared with MPLS, centralised management of the entire WAN from a single dashboard, automatic failover when a link fails, and greater agility in onboarding new sites. It is also the natural enabler of SASE architectures, which integrate networking and security into a service delivered from the cloud.
Perimeter security and the Zero Trust model
The traditional perimeter (a firewall at the edge separating the "trusted interior" from the "hostile exterior") has been superseded by remote work and the cloud. The current paradigm is Zero Trust: never trust, always verify. Under this model, no user or device is trusted merely for being inside the network; every access is continuously authenticated, authorised and encrypted, applying the principle of least privilege. The defensive components are still necessary (next-generation firewalls, intrusion detection and prevention systems IDS/IPS, multi-factor authentication and microsegmentation), but their logic changes: it is assumed that the threat may already be inside. The ISO/IEC 27001 standard provides the information security management framework for governing all these controls in a coherent and auditable way.
Comparative table: MPLS versus SD-WAN
| Aspect | Traditional MPLS | SD-WAN |
|---|---|---|
| Cost | High (dedicated link) | Lower (uses Internet and 5G) |
| New-site deployment | Weeks | Days or hours |
| Management | Per device | Software-centralised |
| Failover | Limited | Automatic between links |
| Per-application optimisation | Scarce | By traffic policies |
Step-by-step design of a network infrastructure
- Gather requirements. Number of sites and users, critical applications, latency needs and regulatory requirements.
- Design the addressing and segmentation. A coherent subnet and VLAN plan, with room for growth.
- Size the redundancy. Duplicate links and equipment at the critical points to eliminate single points of failure.
- Define the WAN connectivity. Choose between MPLS, SD-WAN or a hybrid model according to cost and criticality.
- Apply the security layer. Firewalls, segmentation, VPN and Zero Trust controls from the design stage, not as an afterthought.
- Instrument the monitoring. Traffic visibility, alerts and logging before putting the network into production.
Availability, monitoring and observability
A robust network is not only one that is well designed, but one that you know how to watch over. Availability is expressed in "nines": 99.9% availability allows for almost nine hours of downtime per year, while 99.99% reduces it to about 52 minutes. Each additional nine raises the cost of the architecture considerably, so the target level must be set according to the real criticality of the business and captured in service level agreements (SLAs), both internal and with providers. High availability is achieved by eliminating single points of failure through redundancy of equipment, links and routes, together with automatic failover and load-balancing mechanisms.
Proactive monitoring is what turns a potentially catastrophic incident into an alert handled in time. Protocols such as SNMP and flows such as NetFlow provide visibility into the state of the equipment and into traffic patterns; observability platforms correlate metrics, logs and events to diagnose the cause of a problem in minutes rather than hours. Setting sensible alert thresholds (neither so strict that they generate constant noise, nor so lax that they let the important things slip by) is an art refined through operational experience. A network that is only checked when users complain has already failed at its most basic task: warning before it goes down.
Common mistakes in corporate networks
The first is the flat, unsegmented network, where a single incident spreads without barriers across the whole organisation. The second is failing to plan for redundancy in critical links and equipment, leaving single points of failure that sooner or later paralyse the business. The third is treating security as an add-on instead of integrating it from the design stage. The fourth is operating without monitoring, discovering problems through user complaints rather than through system alerts. The fifth is documenting the topology poorly or not at all, which turns every change into a risky operation.
Frequently asked questions
Does SD-WAN completely replace MPLS? Not always. Many organisations adopt hybrid models that keep MPLS for the most critical, latency-sensitive traffic and use SD-WAN for the rest, taking advantage of its flexibility and lower cost.
What is the difference between a VPN and Zero Trust? The VPN grants access to the entire network once the user is authenticated; Zero Trust grants access only to specific resources and reverifies continuously, drastically reducing the attack surface in the event of compromised credentials.
How is the reliability of a network measured? Through availability indicators (percentage of operational time), latency, packet loss and jitter, contrasted with the committed service level agreements (SLAs).
Is it safe to use the Internet instead of dedicated links? Yes, provided the traffic travels encrypted through robust tunnels and the appropriate controls are applied. SD-WAN is designed precisely to use the Internet in a secure and resilient way.
What is microsegmentation and why does it matter? It is the practice of dividing the network into very small segments, even down to the individual workload level, applying granular security policies between them. It limits an attacker's lateral movement: even if they compromise one device, they cannot move freely to the rest. It is a pillar of Zero Trust architectures in data centres and cloud environments.
How does IPv6 affect network design? IPv6 drastically expands the address space and simplifies addressing, but it requires planning for coexistence with IPv4 (through dual stack or transition mechanisms) and reviewing security policies, because many controls designed for IPv4 do not automatically apply to the new protocol.
Conclusion
A well-designed network infrastructure is recognised not by its technological sophistication but by its ability to go unnoticed while it sustains every business operation without outages or bottlenecks. The decisions that make the difference are taken at the outset and are almost always the least flashy: segment to contain, build redundancy to withstand, encrypt to protect and monitor to anticipate. SD-WAN and the Zero Trust model have shifted the old perimeter towards a more flexible network, verified at every access, but the underlying principles remain. At Summum Systems we design and implement network infrastructures that balance performance, security and cost, aligned with ISO/IEC 27001, so that connectivity stops being a concern and goes back to being what it should be: invisible and reliable.