A poorly designed network is not just an IT problem — it is a business continuity problem, a security liability, and a productivity drain. Flat networks with no segmentation are the primary enabler of ransomware lateral movement. Undocumented IP addressing schemes make troubleshooting take hours instead of minutes. Networks built without redundancy become single points of failure that cause complete business outages.
This guide codifies the network design principles and operational standards that EnterWeb IT Firm applies across every enterprise network engagement — regardless of vendor, scale, or industry.
1 Network Architecture Design
Enterprise networks are designed using a hierarchical three-tier model — core, distribution, and access layers — each with a defined role. Collapsing layers is acceptable for smaller environments but the functional separation must still be maintained logically even when physical devices are combined.
CORE LAYER
High-speed backbone — the network's spine
The core layer provides high-speed, low-latency switching between distribution layer devices and to the internet/WAN edge. It should never perform packet inspection, QoS classification, or access control — all of that belongs in distribution. Core devices must have hardware-level redundancy (dual power supplies, redundant supervisor modules) and run ECMP or LACP for link redundancy. For most Indian enterprises: a pair of Layer 3 switches (Cisco Catalyst 9300/9400, Aruba CX, or FortiSwitch FS-3032) in a stacked or VSS/VSF configuration. For small offices (under 100 users): core and distribution can be collapsed onto a single Layer 3 switch.
DISTRIBUTION
Policy enforcement — inter-VLAN routing, QoS, access control
The distribution layer is where intelligence lives — inter-VLAN routing, QoS policy application, security zone enforcement, summarization of access-layer routes, and traffic filtering. Each distribution switch aggregates uplinks from multiple access layer switches. Deploy in pairs with HSRP/VRRP for gateway redundancy. The distribution layer is also where the firewall connects — all inter-zone traffic passes through the firewall at this layer. FortiGate 100F/200F or MikroTik CCR2004 serve well as combined distribution/firewall devices for medium enterprise environments.
ACCESS LAYER
User and device connectivity — endpoint onboarding
Access layer switches connect end devices — workstations, IP phones, printers, APs, IoT devices. Access ports should be configured with port security, 802.1X authentication, DHCP snooping, dynamic ARP inspection, and IP source guard. All access ports are untagged members of their assigned VLAN — never allow all VLANs on access ports. Uplinks to distribution are 802.3ad LACP trunks. PoE access switches power IP phones and APs — plan power budgets carefully. For Indian SMEs: Cisco Catalyst 2960-X, FortiSwitch FS-124F-PoE, or MikroTik CRS328 are cost-effective choices.
Architecture Best Practices: Do's and Don'ts
✅ Do
- Design for the network you will have in 3 years, not just today
- Deploy devices in redundant pairs at core and distribution
- Use /30 or /31 point-to-point subnets for inter-device links
- Separate management traffic onto a dedicated management VLAN
- Use out-of-band management (console server) for critical devices
- Label every cable, port, and patch panel position
- Test failover before production — simulate link/device failure
- Document every change with date, engineer name, and reason
❌ Don't
- Build a flat /16 or /8 network with everything in one broadcast domain
- Use consumer-grade routers in production network infrastructure
- Allow management access (SSH, HTTP) from user VLANs
- Leave vendor default credentials on any network device
- Use Telnet — ever. SSH only, minimum SSHv2
- Allow all VLANs on trunk ports — only permit needed VLANs
- Use STP without BPDU guard on access ports
- Deploy without a network diagram — undocumented = unmanageable
2 VLAN Segmentation Standards
VLANs are the foundation of network segmentation — they create logical boundaries between groups of devices, control broadcast domains, and enable firewall-enforced traffic policies between segments. Every enterprise network should have a standardized VLAN numbering scheme documented and applied consistently across all sites.
Enterprise VLAN Standard — EnterWeb Reference Design
| VLAN ID | Name | Subnet | Purpose |
|---|---|---|---|
| VLAN 1 | ⚠️ Native (Unused) | — | Never use VLAN 1 for data — change native VLAN to unused ID (e.g., VLAN 999) on all trunks |
| VLAN 10 | Users — General | 10.10.10.0/24 | Standard employee workstations, laptops — internet + internal app access via firewall policy |
| VLAN 20 | Servers | 10.10.20.0/24 | Internal servers — file servers, application servers, print servers |
| VLAN 30 | Databases | 10.10.30.0/24 | Database servers only — no direct user access, only accessible from VLAN 20 app servers |
| VLAN 40 | VoIP / Phones | 10.10.40.0/24 | IP phones and voice traffic — QoS marking applied at access port, dedicated DSCP queue |
| VLAN 50 | Management | 10.10.50.0/24 | Network device management — switch/router/firewall management IPs, NMS servers, jump hosts only |
| VLAN 60 | WiFi — Corporate | 10.10.60.0/24 | Corporate WiFi SSID — authenticated employees, same access as VLAN 10 via 802.1X |
| VLAN 70 | WiFi — Guest | 10.10.70.0/24 | Guest WiFi — internet only, isolated from all internal VLANs, client isolation enabled |
| VLAN 80 | IoT / OT Devices | 10.10.80.0/24 | Printers, smart devices, building automation — heavily restricted, no internet access by default (cameras and NVRs belong in VLAN 100, not here) |
| VLAN 90 | DMZ | 10.10.90.0/24 | Internet-facing servers — web, mail relay, reverse proxy — two-firewall DMZ architecture preferred |
| VLAN 100 | Security / CCTV | 10.10.100.0/24 | Physical security systems — CCTV cameras, NVR, DVR, access control panels — completely isolated VLAN |
| VLAN 999 | Black Hole / Native | — | Unused native VLAN reassignment — no IP, no routing, all untagged trunk traffic lands here harmlessly |
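The table above implies a set of inter-VLAN rules: databases reachable only from the server VLAN, guest WiFi internet-only, IoT with no internet, the management VLAN reachable from nowhere but itself. The Python below is an added example, not part of EnterWeb's reference design and not vendor configuration, that writes those rules down once as a default-deny policy matrix, evaluates candidate flows against it, and checks the matrix against the design's own invariants so that a later rule addition which quietly breaks segmentation is caught before it is typed into a firewall. The zone names, the per-rule port sets, the assumed RTP range and the `INTERNET` pseudo-zone are illustrative assumptions.

```python
"""Default-deny inter-VLAN policy matrix derived from the reference VLAN table.

Added example: zone names, the INTERNET pseudo-zone and the per-rule port sets
are illustrative assumptions, not EnterWeb's published policy.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ZONES = {
    "USERS": ip_network("10.10.10.0/24"),
    "SERVERS": ip_network("10.10.20.0/24"),
    "DATABASES": ip_network("10.10.30.0/24"),
    "VOIP": ip_network("10.10.40.0/24"),
    "MGMT": ip_network("10.10.50.0/24"),
    "WIFI_CORP": ip_network("10.10.60.0/24"),
    "WIFI_GUEST": ip_network("10.10.70.0/24"),
    "IOT": ip_network("10.10.80.0/24"),
    "DMZ": ip_network("10.10.90.0/24"),
    "CCTV": ip_network("10.10.100.0/24"),
}
ANY = "any"
RTP = set(range(16384, 32768))   # assumed RTP port range of the phone system

# (source zone, destination zone) -> allowed TCP/UDP ports; anything not listed is denied.
POLICY = {
    ("USERS", "INTERNET"): ANY,
    ("USERS", "SERVERS"): {443, 445},
    ("USERS", "VOIP"): {5060, 5061} | RTP,
    ("USERS", "DMZ"): {443},
    ("WIFI_CORP", "INTERNET"): ANY,
    ("WIFI_CORP", "SERVERS"): {443, 445},
    ("WIFI_GUEST", "INTERNET"): ANY,
    ("SERVERS", "DATABASES"): {5432},
    ("SERVERS", "INTERNET"): {80, 443},
    ("DMZ", "SERVERS"): {443},
    ("MGMT", "USERS"): ANY, ("MGMT", "SERVERS"): ANY, ("MGMT", "DATABASES"): ANY,
    ("MGMT", "IOT"): ANY, ("MGMT", "CCTV"): ANY, ("MGMT", "DMZ"): ANY,
}

# Invariants from the VLAN table that any edit to POLICY must preserve.
INVARIANTS = [
    ("only app servers and management reach the databases",
     lambda s, d: d != "DATABASES" or s in {"SERVERS", "MGMT"}),
    ("guest WiFi reaches the internet only",
     lambda s, d: s != "WIFI_GUEST" or d == "INTERNET"),
    ("IoT has no internet access by default",
     lambda s, d: not (s == "IOT" and d == "INTERNET")),
    ("nothing reaches the management VLAN except itself",
     lambda s, d: d != "MGMT"),
]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def zone_of(addr: str) -> str:
    """Map an IP to its zone; public space is INTERNET, undocumented private space is UNKNOWN."""
    ip = ip_address(addr)
    if not ip.is_private:
        return "INTERNET"
    return next((name for name, net in ZONES.items() if ip in net), "UNKNOWN")


def is_allowed(flow: Flow, policy=POLICY) -> bool:
    src, dst = zone_of(flow.src), zone_of(flow.dst)
    if src == dst:
        return True              # intra-VLAN traffic never crosses the firewall
    if "UNKNOWN" in (src, dst):
        return False             # an undocumented subnet is denied until its IPAM record exists
    rule = policy.get((src, dst))
    if rule is None:
        return False             # default deny
    return rule == ANY or flow.port in rule


def policy_violations(policy=POLICY) -> list:
    """Describe every (src, dst) pair in the policy that breaks one of the invariants."""
    return [f"{s} -> {d}: {text}"
            for (s, d) in policy for text, ok in INVARIANTS if not ok(s, d)]
```

The useful habit is the direction of derivation: the matrix is the source of truth and the FortiGate or MikroTik firewall policies are generated or reviewed against it, so `policy_violations()` can run as a pre-commit check whenever someone adds a "temporary" rule.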
VLAN Configuration — FortiSwitch
# FortiSwitch — VLAN configuration via FortiGate (FortiLink managed)
# GUI path: FortiGate → WiFi & Switch Controller → VLANs
# CLI method on the FortiGate: each VLAN is a VLAN interface on the FortiLink interface
config system interface
    edit "VLAN10-Users"
        set vdom "root"
        set ip 10.10.10.1 255.255.255.0
        # ping only: no https/ssh management from a user VLAN
        set allowaccess ping
        set type vlan
        set vlanid 10
        set interface "fortilink"
        set role lan
        set device-identification enable
        set dhcp-relay-service disable
    next
    edit "VLAN40-VoIP"
        set vdom "root"
        set ip 10.10.40.1 255.255.255.0
        set allowaccess ping
        set type vlan
        set vlanid 40
        set interface "fortilink"
        set role lan
    next
    edit "VLAN50-Mgmt"
        set vdom "root"
        set ip 10.10.50.1 255.255.255.0
        # management protocols are enabled on the management VLAN only
        set allowaccess ping https ssh
        set type vlan
        set vlanid 50
        set interface "fortilink"
        set role lan
    next
end
# FortiSwitch port profile: access port for a workstation with a tagged voice VLAN
config switch-controller managed-switch
    # edit <FortiSwitch serial number>
    edit "S248EPTF19000001"
        config ports
            edit "port1"
                # native (untagged) VLAN for the workstation
                set vlan "VLAN10-Users"
                # tagged VoIP VLAN for the IP phone in front of the workstation
                set allowed-vlans "VLAN40-VoIP"
                set untagged-vlans "VLAN10-Users"
                set poe-status enable
                set storm-control-policy "default"
                # BPDU guard: shut the port if a switch is plugged in
                set stp-bpdu-guard enable
                set stp-root-guard disable
                # edge port (PortFast): access ports only, never uplinks
                set edge-port enable
            next
        end
    next
end
VLAN Configuration — MikroTik (RouterOS v7)
# MikroTik RouterOS v7 — Bridge VLAN Filtering (modern method)
# This is the correct method for RouterOS v7 — NOT the legacy VLAN-interface-per-port method
# Order matters: build the VLAN table first and switch vlan-filtering on LAST,
# otherwise the management VLAN is cut off the moment filtering starts
# Step 1: Create the bridge (vlan-filtering stays off until Step 6)
/interface bridge
add name=bridge1 protocol-mode=rstp vlan-filtering=no
# Step 2: Add switch ports to the bridge
# Access ports: pvid = the port's untagged VLAN, accept untagged frames only
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="Access - Users VLAN"
add bridge=bridge1 interface=ether3 pvid=40 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="Access - VoIP VLAN"
add bridge=bridge1 interface=ether4 pvid=20 frame-types=admit-only-untagged-and-priority-tagged ingress-filtering=yes comment="Access - Servers VLAN"
# Uplink trunk: tagged frames only; pvid=999 so any stray untagged frame lands in the black-hole VLAN
add bridge=bridge1 interface=sfp-sfpplus1 pvid=999 frame-types=admit-only-vlan-tagged ingress-filtering=yes comment="Trunk to core"
# Step 3: Configure the VLAN table, ONE entry per VLAN ID (duplicate entries for the same ID are not merged)
# bridge1 itself must be a tagged member of every VLAN that gets a VLAN interface in Step 4,
# otherwise routing and management for that VLAN stop working once filtering is enabled
/interface bridge vlan
add bridge=bridge1 vlan-ids=10 tagged=bridge1,sfp-sfpplus1 untagged=ether2
add bridge=bridge1 vlan-ids=20 tagged=bridge1,sfp-sfpplus1 untagged=ether4
add bridge=bridge1 vlan-ids=40 tagged=bridge1,sfp-sfpplus1 untagged=ether3
add bridge=bridge1 vlan-ids=50 tagged=bridge1,sfp-sfpplus1
# VLANs carried on the trunk only (no local ports, no local routing)
add bridge=bridge1 vlan-ids=30,60,70,80,90 tagged=sfp-sfpplus1
# Step 4: Create VLAN interfaces for routing/management
/interface vlan
add interface=bridge1 name=vlan10-users vlan-id=10
add interface=bridge1 name=vlan20-servers vlan-id=20
add interface=bridge1 name=vlan40-voip vlan-id=40
add interface=bridge1 name=vlan50-mgmt vlan-id=50
# Step 5: Assign IP addresses
/ip address
add address=10.10.10.1/24 interface=vlan10-users
add address=10.10.20.1/24 interface=vlan20-servers
add address=10.10.40.1/24 interface=vlan40-voip
add address=10.10.50.1/24 interface=vlan50-mgmt
# Step 6: Enable VLAN filtering only now, from a console session or via the management VLAN
/interface bridge
set bridge1 vlan-filtering=yes
3 Redundancy & High Availability
Network redundancy eliminates single points of failure — ensuring that any single device failure, link failure, or ISP outage does not cause a complete network outage. Every production network should have redundancy designed in at every critical layer.
Redundancy by Layer
| Layer | Redundancy Method | Failover Time | Implementation |
|---|---|---|---|
| ISP / WAN | Dual ISP with BGP or policy routing | < 30 seconds (BGP) / < 5 sec (SD-WAN) | Primary ILL + backup MPLS or 4G/5G failover |
| Firewall | Active-Passive HA cluster | < 10 seconds | FortiGate HA, Cisco ASA failover, Sophos HA |
| Core Switch | Stack or VSS/VSF | < 1 second (stack) | Cisco StackWise, Aruba VSF, FortiSwitch stack |
| Distribution Switch | HSRP/VRRP gateway redundancy | 3–10 seconds | HSRP on Cisco, VRRP on MikroTik/FortiGate |
| Uplinks | LACP 802.3ad link aggregation | < 1 second | Bond two physical links — doubles bandwidth + redundancy |
| Internet Gateway | ECMP or SD-WAN load balancing | < 5 seconds (SD-WAN health check) | FortiGate SD-WAN, MikroTik ECMP, Cisco PBR |
| Power | UPS + generator + dual PSU on critical devices | Instant (UPS) / < 60 sec (generator) | Online UPS for network room, APC/Eaton recommended |
FortiGate HA Configuration
# FortiGate Active-Passive HA — configure identically on both units except priority
# Primary unit:
config system ha
    set group-name "EnterWeb-HA-Cluster"
    set group-id 1
    # Active-Passive
    set mode a-p
    # Must match on both units; use a generated secret, not a dictionary word
    set password "HAClusterPass!2026"
    # Two dedicated heartbeat interfaces, never shared with production traffic
    set hbdev "port9" 50 "port10" 50
    # Maintain TCP (and UDP/ICMP) sessions across failover
    set session-pickup enable
    set session-pickup-connectionless enable
    # Independent management IP per unit on the reserved management interface
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "mgmt"
            set gateway 10.10.50.1
        next
    end
    # override disabled: a recovered unit does NOT preempt the current primary
    set override disable
    # Higher priority = preferred primary (secondary = 100)
    set priority 200
    # Fail over if a monitored interface loses link
    set monitor "port1" "port2"
end
# Secondary unit — same config but:
#   set priority 100 (lower = secondary)
# HA sync happens automatically over heartbeat links
# Verify sync (checksums must match on both units): diagnose sys ha showcsum
# Force failover for testing: diagnose sys ha reset-uptime
# Also test physically before go-live: pull a monitored link, then a heartbeat link
MikroTik VRRP for Gateway Redundancy
# MikroTik VRRP — Virtual Router for gateway redundancy
# Deploy on two MikroTik routers sharing the same gateway IP
# ── Router 1 (Primary — higher priority) ─────────────────
/interface vrrp
add interface=vlan10-users name=vrrp-vlan10 vrid=10 priority=200
add interface=vlan20-servers name=vrrp-vlan20 vrid=20 priority=200
add interface=vlan40-voip name=vrrp-vlan40 vrid=40 priority=200
/ip address
# Physical IP: unique per router, inside the VLAN subnet
add address=10.10.10.2/24 interface=vlan10-users
# VRRP virtual IP: a /32 on the VRRP interface, floats to whichever router is master
add address=10.10.10.1/32 interface=vrrp-vlan10
# ── Router 2 (Secondary — lower priority) ────────────────
/interface vrrp
# Lower priority = backup; vrid and interface must match Router 1 (repeat for vrid 20 and 40)
add interface=vlan10-users name=vrrp-vlan10 vrid=10 priority=100
/ip address
# Unique physical IP
add address=10.10.10.3/24 interface=vlan10-users
# Same virtual IP
add address=10.10.10.1/32 interface=vrrp-vlan10
# Clients use 10.10.10.1 as gateway — Router 1 owns it normally
# If Router 1 fails → Router 2 takes over 10.10.10.1 in about 3 seconds (3 × the 1 s advertisement interval)
# Verify: /interface vrrp print (shows master/backup status)
# VRRP advertisements carry no strong authentication, so the access ports on these VLANs
# must stay behind 802.1X/port security: any host that can send a higher-priority
# advertisement onto the VLAN becomes the gateway
4 Routing Protocol Best Practices
Routing protocol selection determines how network devices discover paths, respond to failures, and scale as the network grows. Choosing the wrong protocol — or misconfiguring the right one — causes routing loops, slow convergence, and suboptimal traffic paths.
Routing Protocol Selection Guide
| Protocol | Use Case | Convergence | Complexity |
|---|---|---|---|
| Static Routes | Simple single-site networks, default routes to ISP, specific route injections | Manual (no auto-failover) | Low |
| OSPF | Single-organization multi-site networks, campus networks, datacenter routing | Fast (<1 second with BFD) | Medium |
| BGP (iBGP) | Large enterprise multi-site, SD-WAN overlay routing, datacenter fabrics | Medium (tunable) | High |
| BGP (eBGP) | Multi-homed ISP connections, internet routing, cloud connectivity (AWS Direct Connect) | Medium (BFD improves to <1 sec) | High |
| RIP v2 | Not recommended for new deployments — legacy only | Slow (up to 3 minutes) | Low |
OSPF Best Practices
! OSPF Best Practices — Cisco IOS example ("!" is the IOS comment character)
! (Same principles apply on FortiGate and MikroTik)
router ospf 1
 ! Explicit router-id: never let it auto-select from an interface address
 router-id 1.1.1.1
 ! Reference bandwidth 100 Gbps; the default 100 Mbps gives every link of
 ! 100 Mbps or more the same cost of 1, so GE and 10GE paths look identical
 auto-cost reference-bandwidth 100000
 ! Best practice: passive by default, then enable OSPF only on inter-router links,
 ! never on user-facing interfaces (no adjacencies with rogue hosts)
 passive-interface default
 no passive-interface GigabitEthernet0/1
 no passive-interface GigabitEthernet0/2
 ! Area-wide MD5 authentication: rejects routers that do not know the key
 area 0 authentication message-digest
!
! Interface-level OSPF settings
interface GigabitEthernet0/1
 ip ospf 1 area 0
 ! Faster hello (default 10 s); dead = 3 x hello (default 40 s); both sides must match
 ip ospf hello-interval 5
 ip ospf dead-interval 15
 ! For /30 or /31 links: no DR/BDR election needed
 ip ospf network point-to-point
 ip ospf authentication message-digest
 ip ospf message-digest-key 1 md5 OSPFSecretKey2026
 ! BFD for sub-second failure detection: the timers alone are not enough, OSPF must be
 ! registered with BFD on the interface (or "bfd all-interfaces" under router ospf)
 bfd interval 300 min_rx 300 multiplier 3
 ip ospf bfd
!
! On IOS/IOS-XE releases that support RFC 5709, prefer a key chain with
! "cryptographic-algorithm hmac-sha-256" and "ip ospf authentication key-chain <name>" over MD5
Multi-ISP BGP on MikroTik
# MikroTik RouterOS v7 — BGP with two ISPs
# ISP1: AS 9829 (BSNL), ISP2: AS 45609 (Airtel)
# Your ASN: 65001 is a PRIVATE ASN (64512–65534) and only works if both ISPs agree to strip it;
# for real multi-homing use your own public ASN and provider-independent address space
# Prefixes you originate live in an address list referenced by output.network
/ip firewall address-list
add list=bgp-networks address=203.x.x.0/24 comment="Own prefix announced to both ISPs"
/routing bgp connection
# ── ISP1 Session ────────────────────────────────────────
add name=ISP1-BSNL as=65001 address-families=ip \
    remote.address=103.x.x.1 remote.as=9829 local.role=ebgp \
    hold-time=90 keepalive-time=30 \
    input.filter=ISP1-IN output.filter-chain=ISP1-OUT output.network=bgp-networks \
    input.limit-process-routes-ipv4=800000
# ── ISP2 Session ────────────────────────────────────────
add name=ISP2-Airtel as=65001 address-families=ip \
    remote.address=122.x.x.1 remote.as=45609 local.role=ebgp \
    hold-time=90 keepalive-time=30 \
    input.filter=ISP2-IN output.filter-chain=ISP2-OUT output.network=bgp-networks \
    input.limit-process-routes-ipv4=800000
# If the ISP offers it, add tcp-md5-key=<shared secret> to each connection so the
# TCP session cannot be reset or spoofed by a third party
# ── Route Filters ────────────────────────────────────────
/routing filter rule
# Prefer ISP1 by setting a lower LOCAL_PREF on routes learned from ISP2 (default = 100)
add chain=ISP2-IN rule="set bgp-local-pref 80; accept"
add chain=ISP1-IN rule="set bgp-local-pref 100; accept"
# Advertise only your own prefixes outbound — never become transit between the two ISPs
add chain=ISP1-OUT rule="if (dst == 203.x.x.0/24) { accept } else { reject }"
add chain=ISP2-OUT rule="if (dst == 203.x.x.0/24) { accept } else { reject }"
# Verify: /routing bgp session print
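The ISP1-IN and ISP2-IN chains above only set LOCAL_PREF; a production inbound filter should also refuse what a transit provider must never send you. The Python below is an added example, not RouterOS code and not from EnterWeb, and it goes beyond the page's filters: it rejects a default route, your own prefix (a hijack or a routing loop), bogon and RFC 1918 space, and anything more specific than /24, and it models the max-prefix limit. The own prefix 203.0.113.0/24 and the sample announcements are constructed placeholders from RFC 5737 documentation space standing in for the 203.x.x.0/24 in the text.

```python
"""Inbound/outbound eBGP prefix sanity checks, mirroring what the ISPx-IN / ISPx-OUT chains should enforce.

Added example, not RouterOS configuration. OWN_PREFIXES and the sample announcements are
constructed placeholders (RFC 5737 documentation space stands in for real PI space).
"""
from ipaddress import ip_network
from typing import Optional

OWN_PREFIXES = [ip_network("203.0.113.0/24")]   # placeholder for the 203.x.x.0/24 in the text
MAX_PREFIX_LEN = 24          # transit providers do not carry anything longer than /24
MAX_PREFIXES = 800_000       # roughly a full IPv4 table plus headroom

# IPv4 space that must never arrive from a transit provider (partial bogon list;
# 203.0.113.0/24 is deliberately absent because it plays the role of our own prefix here).
BOGONS = [ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "224.0.0.0/3",
)]


def reject_reason(prefix: str) -> Optional[str]:
    """Why an inbound prefix is rejected, or None if it passes the inbound policy."""
    try:
        net = ip_network(prefix, strict=True)
    except ValueError:
        return "malformed prefix"
    if net.prefixlen == 0:
        return "default route from a transit provider"
    if net.prefixlen > MAX_PREFIX_LEN:
        return f"more specific than /{MAX_PREFIX_LEN}"
    for own in OWN_PREFIXES:
        if net.subnet_of(own):
            return "our own address space (hijack or routing loop)"
    for bogon in BOGONS:
        if net.subnet_of(bogon):
            return f"bogon ({bogon})"
    return None


def filter_inbound(announcements, limit: int = MAX_PREFIXES):
    """Apply the inbound policy and the max-prefix limit.

    Returns (accepted, rejected) where rejected is a list of (prefix, reason).
    On a real router exceeding the limit tears the session down; here it is reported
    once and processing stops, which is the observable effect.
    """
    accepted, rejected = [], []
    for prefix in announcements:
        reason = reject_reason(prefix)
        if reason:
            rejected.append((prefix, reason))
            continue
        if len(accepted) >= limit:
            rejected.append((prefix, "max-prefix limit exceeded"))
            break
        accepted.append(prefix)
    return accepted, rejected


def filter_outbound(candidates):
    """Outbound policy: announce only our own prefixes, so ISP2's routes never leak to ISP1."""
    return [p for p in candidates if ip_network(p, strict=False) in OWN_PREFIXES]


# Constructed sample UPDATE from a misbehaving upstream, used by the demonstration below.
SAMPLE_UPDATE = ["0.0.0.0/0", "10.0.0.0/8", "203.0.113.0/24", "203.0.113.0/25",
                 "1.1.1.0/24", "8.8.8.0/24", "198.18.0.0/15", "45.60.0.0/16"]

if __name__ == "__main__":
    ok, bad = filter_inbound(SAMPLE_UPDATE)
    print("accepted:", ok)
    for prefix, why in bad:
        print(f"rejected {prefix}: {why}")
    print("outbound:", filter_outbound(["203.0.113.0/24", "1.1.1.0/24"]))
```

Each rejection reason maps onto one `routing filter rule` line on the router (a `dst-len` match, a `dst in` match against the bogon list, the own-prefix match); keeping the same list in a script lets you replay a saved `/routing route print` export against the policy after an ISP change and confirm nothing slipped through.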
5 QoS for Voice & Video
Quality of Service (QoS) ensures that latency-sensitive traffic — VoIP calls, video conferencing, and real-time applications — receives prioritized treatment over bulk traffic like file downloads and backups. Without QoS, a large file transfer can degrade call quality to the point of unusability.
QoS Design Principles
- Classify at the edge: Mark traffic with DSCP values as close to the source as possible — on the access switch port for IP phones, on the application server for business-critical apps. Trust DSCP markings only from known, controlled sources
- VoIP requirements: One-way latency <150ms, jitter <30ms, packet loss <0.5%. Any degradation beyond these thresholds produces perceptible call quality issues. Dedicate a strict-priority queue (DSCP EF — Expedited Forwarding) exclusively for RTP voice streams
- Video conferencing: Teams, Zoom, Google Meet — mark as AF41 (DSCP 34). These tolerate slightly more jitter than VoIP but require consistent bandwidth. Allocate 25–30% of WAN bandwidth for video during business hours
- Bandwidth limit bulk traffic: Apply traffic shaping to backup jobs, Windows Update, and large file transfers — schedule heavy transfers during off-hours or rate-limit them during business hours to 20% of WAN capacity
- DSCP end-to-end: QoS markings must be preserved from the access layer all the way through the WAN to be effective — verify that your ISP honours DSCP markings on ILL circuits (most do; best-effort broadband does not)
FortiGate QoS — Traffic Shaping Policy
# FortiGate Traffic Shaping — QoS for VoIP and Video
# GUI path: Policy & Objects → Traffic Shapers
# Bandwidth values below are in kbps (the default bandwidth-unit)
# Step 1: Create traffic shapers
config firewall shaper traffic-shaper
    # Highest-priority queue for VoIP: guaranteed bandwidth, minimum queueing delay
    edit "VoIP-Priority"
        # 2 Mbps guaranteed, 10 Mbps maximum
        set guaranteed-bandwidth 2048
        set maximum-bandwidth 10240
        set priority high
        set per-policy disable
        # Re-mark packets with DSCP EF (46 = 101110 binary) so the WAN honours the class
        set diffserv enable
        set diffservcode 101110
    next
    # Assured forwarding for video conferencing
    edit "Video-AF41"
        # 10 Mbps guaranteed, 50 Mbps maximum
        set guaranteed-bandwidth 10240
        set maximum-bandwidth 51200
        set priority medium
        # DSCP AF41 (34 = 100010 binary)
        set diffserv enable
        set diffservcode 100010
    next
    # Bulk traffic limiter: cap at 10 Mbps, lowest priority
    edit "Bulk-Limit"
        set guaranteed-bandwidth 1024
        set maximum-bandwidth 10240
        set priority low
    next
end
# Step 2: Create traffic shaping policies (matched on the WAN egress interface)
# srcaddr/dstaddr are mandatory; "RTP-VoIP" and "BACKUP" are custom service objects
# that must exist under config firewall service custom before they are referenced
config firewall shaping-policy
    edit 1
        set name "VoIP-High-Priority"
        set service "SIP" "H323" "RTP-VoIP"
        set srcaddr "all"
        set dstaddr "all"
        set dstintf "wan1"
        set traffic-shaper "VoIP-Priority"
        set traffic-shaper-reverse "VoIP-Priority"
        set status enable
    next
    edit 2
        set name "Video-Conferencing"
        # Zoom, Teams, Meet application IDs: verify the IDs against the
        # application signature list of your FortiOS version before use
        set application 15832 16480 34124
        set srcaddr "all"
        set dstaddr "all"
        set dstintf "wan1"
        set traffic-shaper "Video-AF41"
        set traffic-shaper-reverse "Video-AF41"
        set status enable
    next
    edit 3
        set name "Bulk-Limit"
        set service "SMB" "FTP" "BACKUP"
        set srcaddr "all"
        set dstaddr "all"
        set dstintf "wan1"
        set traffic-shaper "Bulk-Limit"
        set traffic-shaper-reverse "Bulk-Limit"
        set status enable
    next
end
# Shaping policies are evaluated top-down like firewall policies: keep VoIP first,
# and confirm the shapers are actually matching with: diagnose firewall shaper traffic-shaper list
6 Network Security Hardening
Network device hardening reduces the attack surface of every router, switch, and firewall in the network — eliminating unused services, enforcing strong authentication, encrypting management traffic, and enabling comprehensive logging.
Universal Device Hardening Checklist
# ── AUTHENTICATION ────────────────────────────────────────
□ Change ALL vendor default credentials (admin/admin, admin/password, etc.)
□ Set minimum 16-character strong passwords for all admin accounts
□ Create named admin accounts — delete shared "admin" account
□ Enable MFA for management access where supported (FortiGate, Cisco with TACACS+)
□ Configure TACACS+ or RADIUS for centralized admin authentication
# ── MANAGEMENT ACCESS ─────────────────────────────────────
□ Disable HTTP/Telnet management — SSH only (SSHv2 minimum)
□ Restrict management access to management VLAN only
FortiGate: config system interface → set allowaccess ssh https
Only on management interface, not on user-facing interfaces
□ Configure management ACL — only permit admin workstations/jump hosts
□ Set SSH idle timeout: 10 minutes maximum
□ Disable unused management protocols (SNMP v1/v2 if not needed, use SNMPv3)
□ Configure SNMPv3 with authPriv security level (auth + encryption)
# ── SERVICES — DISABLE UNUSED ─────────────────────────────
□ Disable CDP/LLDP on internet-facing and user access ports
(OK to keep on inter-switch trunk ports for network discovery)
□ Disable IP directed broadcasts
□ Disable proxy ARP on routed interfaces (unless specifically needed)
□ Disable source routing: no ip source-route (Cisco)
□ Disable finger, bootp server, small servers if present
# ── LOGGING & MONITORING ──────────────────────────────────
□ Configure syslog to central syslog server / SIEM
FortiGate: config log syslogd setting → set server [SIEM-IP]
MikroTik: /system logging action → add remote=[SIEM-IP]
□ Log all authentication events (success + failure)
□ Log all configuration changes with admin username
□ Enable NTP synchronization — time accuracy critical for log correlation
Use: pool.ntp.org or local NTP server (Windows Server NTP)
□ Set log retention: minimum 90 days on device, 1 year in SIEM
# ── SPANNING TREE HARDENING ───────────────────────────────
□ Enable PortFast (edge port) on all access ports
□ Enable BPDU Guard on all access ports — shuts port if BPDU received
(Prevents unauthorized switches from connecting and disrupting STP)
□ Enable Root Guard on distribution uplinks — prevents root bridge hijacking
□ Use RSTP (802.1w) or MSTP — not legacy STP
□ Set explicit root bridge priority: priority 4096 on distribution switches
# ── DHCP SNOOPING & ARP INSPECTION ───────────────────────
□ Enable DHCP snooping on all VLANs
Mark only uplinks to DHCP server as trusted ports
Prevents rogue DHCP servers on user segments
□ Enable Dynamic ARP Inspection (DAI) — prevents ARP spoofing/MITM attacks
□ Enable IP Source Guard on access ports — validates source IP against DHCP binding
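To make the checklist repeatable rather than a one-off walk-through, the Python below audits a Cisco IOS running-config as text for the items above: plaintext credentials, HTTP and Telnet management, no SSHv2 pin, SNMPv1/v2c communities, missing syslog and NTP, DHCP snooping and DAI not enabled, PortFast without BPDU guard, trunks allowing all VLANs, and vty lines without an access-class. It is an added example and not an EnterWeb tool; the sample config is constructed to trip most checks and the finding wording is this example's own. FortiGate and MikroTik exports need their own block parsers, but the structure of the audit is the same.

```python
"""Config-as-text hardening audit for a Cisco IOS access switch.

Added example (not an EnterWeb tool): SAMPLE_CONFIG is constructed to trip most checks,
and the check wording is this example's own. Run the same audit over 'show running-config'
output exported from real switches to find the checklist gaps.
"""

SAMPLE_CONFIG = """\
hostname ACC-SW-01
no service password-encryption
enable password cisco
username admin privilege 15 password 0 admin
ip http server
snmp-server community public RO
spanning-tree mode rapid-pvst
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 spanning-tree portfast
!
interface GigabitEthernet1/0/2
 switchport mode access
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet1/0/48
 switchport mode trunk
!
line vty 0 4
 transport input telnet ssh
 login local
"""


def parse_blocks(config: str):
    """Split IOS config into top-level lines and (header, [indented lines]) blocks."""
    top, blocks, current = [], [], None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None
            continue
        if raw.startswith(" "):          # indented: belongs to the open block
            if current is not None:
                current[1].append(raw.strip())
            continue
        line = raw.strip()
        if line.startswith(("interface ", "line ")):
            current = (line, [])
            blocks.append(current)
        else:
            top.append(line)
            current = None
    return top, blocks


def audit(config: str) -> list:
    """Return a list of findings; an empty list means every check passed."""
    top, blocks = parse_blocks(config)
    present = set(top)
    found = []

    def starts(prefix):
        return [l for l in top if l.startswith(prefix)]

    if "no service password-encryption" in present:
        found.append("global: service password-encryption disabled")
    if starts("enable password"):
        found.append("global: 'enable password' in use, use 'enable secret'")
    for l in starts("username "):
        if " password " in l:
            found.append(f"global: plaintext password for user '{l.split()[1]}', use 'secret'")
    if "ip http server" in present:
        found.append("global: HTTP management enabled")
    if "no ip source-route" not in present:
        found.append("global: IP source routing not disabled")
    if "ip ssh version 2" not in present:
        found.append("global: SSH not pinned to version 2")
    for l in starts("snmp-server community"):
        found.append(f"global: SNMPv1/v2c community '{l.split()[2]}' configured")
    for prefix, text in (("logging host", "no syslog server"), ("ntp server", "no NTP server"),
                         ("ip dhcp snooping", "DHCP snooping not enabled"),
                         ("ip arp inspection vlan", "dynamic ARP inspection not enabled")):
        if not starts(prefix):
            found.append(f"global: {text}")
    bpdu_default = "spanning-tree portfast bpduguard default" in present
    for header, body in blocks:
        if header.startswith("interface "):
            name = header.split(None, 1)[1]
            if ("switchport mode access" in body and "spanning-tree portfast" in body
                    and not bpdu_default and "spanning-tree bpduguard enable" not in body):
                found.append(f"{name}: PortFast without BPDU guard")
            if "switchport mode trunk" in body and not any(
                    l.startswith("switchport trunk allowed vlan") for l in body):
                found.append(f"{name}: trunk allows all VLANs")
        elif header.startswith("line vty"):
            for l in body:
                if l.startswith("transport input") and ("telnet" in l or l.endswith(" all")):
                    found.append(f"{header}: Telnet permitted ({l})")
            if not any(l.startswith("access-class") for l in body):
                found.append(f"{header}: no management ACL (access-class)")
    return found


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Note the two absence checks: IOS does not show defaults in the running-config, so "IP source routing not disabled" is reported when `no ip source-route` is missing, not when `ip source-route` is seen. Any audit that only greps for bad lines will miss exactly the defaults the checklist tells you to turn off.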
🚨 Most Common Network Security Failures: In EnterWeb IT Firm's network audits, the three most frequent critical findings are: (1) Default credentials — network devices still running vendor default username/password, accessible from user VLANs; (2) Flat networks — all devices in a single /16 or /24 with no VLAN segmentation, meaning a ransomware infection on one workstation can reach every server directly; (3) No management isolation — SSH/HTTPS management access open from all VLANs, meaning any compromised user workstation can attempt brute-force attacks against network infrastructure. Fix these three before anything else.
7 IP Address Management (IPAM)
IP address management — maintaining an accurate, up-to-date record of every IP assignment across the network — is one of the most neglected operational practices in enterprise networks. Poor IPAM causes IP conflicts, makes troubleshooting take hours, and creates security blind spots.
IP Addressing Best Practices
- Use RFC 1918 private ranges consistently: 10.0.0.0/8 for enterprise networks — the large address space allows structured allocation by site, function, and VLAN without overlap. Avoid 192.168.x.x for enterprise — overused in home routers, causes VPN conflicts
- Structured allocation scheme: Allocate address space by site and function — e.g., Site A = 10.10.0.0/16, Site B = 10.20.0.0/16. Within each site, allocate /24 subnets per VLAN (10.10.10.0/24 = Users, 10.10.20.0/24 = Servers). This makes routing summarization simple and troubleshooting intuitive
- Reserve addresses consistently: In every subnet — .1 = Gateway, .2 = Secondary gateway/VRRP standby, .3–.9 = Infrastructure devices, .10–.19 = Servers (static), .20–.99 = Printers and fixed devices (static), .100–.254 = DHCP pool
- Use /31 for point-to-point links: RFC 3021 allows /31 subnets on point-to-point links. A /30 burns four addresses to get two usable hosts (the network and broadcast addresses are wasted); a /31 has exactly two addresses and both are usable, so it halves the address cost of every inter-device link. Confirm both ends support RFC 3021 before relying on it and fall back to /30 where a device does not
- Deploy a real IPAM tool: Excel spreadsheets are not IPAM. Use phpIPAM (free, self-hosted), NetBox (free, self-hosted), or Infoblox (enterprise) — these provide DNS/DHCP integration, utilization tracking, and conflict detection
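The allocation scheme above (a /16 per site, the VLAN ID as the third octet, fixed reservations inside every /24) is easy to state and easy to violate by hand. The Python below is an added example, not from EnterWeb or any IPAM product, that derives the subnet and reservation plan from a site and VLAN number, classifies an address against that plan, checks a static-assignment register for duplicates, addresses outside their subnet and statics that collide with the DHCP pool, and flags overlapping site blocks. The site names, device names and register entries are constructed for illustration.

```python
"""Structured 10.0.0.0/8 allocation: 10.<site>.<vlan>.0/24 with the fixed reservations above.

Added example, not from EnterWeb or an IPAM product; site numbers, device names and the
register entries are constructed for illustration.
"""
from ipaddress import IPv4Network, ip_address, ip_network

SITES = {"HQ": 10, "Branch": 20}        # Site A = 10.10.0.0/16, Site B = 10.20.0.0/16


def site_block(site_octet: int) -> IPv4Network:
    return ip_network(f"10.{site_octet}.0.0/16")


def vlan_subnet(site_octet: int, vlan_id: int) -> IPv4Network:
    """10.<site>.<vlan>.0/24. The VLAN ID is reused as the third octet, so the scheme
    only covers VLAN IDs 1-254; VLAN 999 (black hole) has no subnet by design."""
    if not 1 <= vlan_id <= 254:
        raise ValueError(f"VLAN {vlan_id} cannot be mapped onto a /24 third octet")
    return ip_network(f"10.{site_octet}.{vlan_id}.0/24")


def reservation_plan(subnet: IPv4Network) -> dict:
    """Per-/24 reservations: .1 gateway, .2 standby, .3-.9 infrastructure,
    .10-.19 servers, .20-.99 fixed devices, .100-.254 DHCP."""
    h = list(subnet.hosts())             # .1 .. .254 for a /24
    return {
        "gateway": h[0],
        "vrrp_standby": h[1],
        "infrastructure": (h[2], h[8]),
        "servers_static": (h[9], h[18]),
        "fixed_devices": (h[19], h[98]),
        "dhcp_pool": (h[99], h[-1]),
    }


def classify(addr: str, subnet: IPv4Network) -> str:
    """Name the reservation range an address falls into."""
    ip = ip_address(addr)
    if ip not in subnet:
        return "outside subnet"
    plan = reservation_plan(subnet)
    if ip == plan["gateway"]:
        return "gateway"
    if ip == plan["vrrp_standby"]:
        return "vrrp_standby"
    for name in ("infrastructure", "servers_static", "fixed_devices", "dhcp_pool"):
        lo, hi = plan[name]
        if lo <= ip <= hi:
            return name
    return "network/broadcast"


def check_register(register) -> list:
    """register: iterable of (device, ip, subnet_cidr) static assignments.
    Flags duplicate IPs, addresses outside their subnet and statics inside the DHCP pool."""
    seen, issues = {}, []
    for device, ip_str, cidr in register:
        kind = classify(ip_str, ip_network(cidr))
        if kind == "outside subnet":
            issues.append(f"{device}: {ip_str} is not in {cidr}")
        elif kind == "dhcp_pool":
            issues.append(f"{device}: static {ip_str} sits in the DHCP pool of {cidr}")
        if ip_str in seen:
            issues.append(f"{device}: {ip_str} already assigned to {seen[ip_str]}")
        seen.setdefault(ip_str, device)
    return issues


def overlapping_blocks(blocks: dict) -> list:
    """Pairs of named prefixes that overlap, e.g. two sites carved from the same /16."""
    names = sorted(blocks)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if ip_network(blocks[a]).overlaps(ip_network(blocks[b]))]


# Constructed register with three deliberate mistakes.
REGISTER = [
    ("FW-PROD-01", "10.10.10.1", "10.10.10.0/24"),
    ("core-sw-01", "10.10.50.3", "10.10.50.0/24"),
    ("fileserver", "10.10.20.10", "10.10.20.0/24"),
    ("printer-3f", "10.10.10.150", "10.10.10.0/24"),
    ("nvr-01", "10.10.100.5", "10.10.80.0/24"),
    ("core-sw-02", "10.10.50.3", "10.10.50.0/24"),
]

if __name__ == "__main__":
    for site, octet in SITES.items():
        users = vlan_subnet(octet, 10)
        print(site, site_block(octet), users, reservation_plan(users)["dhcp_pool"])
    for issue in check_register(REGISTER):
        print("ISSUE:", issue)
```

The same three checks are what a NetBox or phpIPAM import should enforce; running them over the spreadsheet before the migration is the cheapest way to find the conflicts that are already causing the intermittent faults.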
NetBox Deployment (Free IPAM)
# Deploy NetBox via Docker — self-hosted IPAM/DCIM solution
# Recommended for any network with 50+ devices
git clone https://github.com/netbox-community/netbox-docker.git
cd netbox-docker
# Create docker-compose.override.yml: publish the web port and set the first superuser
# (the "version" key is obsolete in Docker Compose v2 and is omitted; YAML indentation is significant)
cat > docker-compose.override.yml << 'EOF'
services:
  netbox:
    ports:
      - "8080:8080"
    environment:
      - SUPERUSER_NAME=admin
      - SUPERUSER_EMAIL=network@enterweb.in
      - SUPERUSER_PASSWORD=NetBoxAdmin!2026
      - ALLOWED_HOSTS=ipam.enterweb.local netbox.enterweb.local
EOF
docker compose pull
docker compose up -d
# Access: http://your-server:8080
# First login: admin / NetBoxAdmin!2026 (the SUPERUSER_PASSWORD set above); change it at
# first login and keep the override file out of any shared repository
# NetBox holds every management IP and credential-adjacent detail of the network: bind it
# to the management VLAN and put a TLS-terminating reverse proxy in front before anyone else reaches it
# NetBox key features for network teams:
# ✅ IP prefix/address tracking with utilization graphs
# ✅ VLAN management with site assignment
# ✅ Device inventory with rack diagrams
# ✅ Cable and patch panel documentation
# ✅ Circuit tracking (ISP connections)
# ✅ REST API for automation integration
# ✅ Integration with Ansible, Terraform, Nautobot
8 Network Documentation Standards
Network documentation is not optional — it is a core operational requirement. When a network failure occurs at 2 AM, the engineer on call must be able to understand the network topology, find the affected device, and execute a fix without relying on institutional memory. Good documentation makes this possible; poor documentation makes it impossible.
Required Documentation — Minimum Viable Set
- Network topology diagram: Layer 2 and Layer 3 diagrams showing all devices, interconnects, IP addresses on links, VLAN assignments, and WAN connections. Updated within 48 hours of any change. Stored in draw.io, Visio, or Lucidchart — exported as PDF for offline access
- Device inventory: Every network device listed with hostname, management IP, model, firmware version, location (rack, floor, building), purchase date, warranty expiry, and support contract. NetBox or a maintained spreadsheet — reviewed quarterly
- VLAN and IP address register: Complete IPAM record — every subnet, VLAN ID and name, gateway IP, DHCP range, and purpose. Every static IP assignment documented with device name and owner
- Firewall policy documentation: Every firewall rule listed with source, destination, service, action, business justification, owner, and last review date. Rules with no documented justification are candidates for removal
- Change log: Every configuration change recorded — date, time, engineer, devices affected, description of change, and ticket/change request reference. Even emergency changes must be logged within 24 hours
- Runbooks for common procedures: Step-by-step procedures for the 10 most common tasks — adding a VLAN, replacing a failed switch, ISP failover procedure, adding a firewall rule, onboarding a new site. Runbooks must be written so a competent engineer unfamiliar with this specific network can execute them successfully
Network Change Management Template
# NETWORK CHANGE RECORD
# Change ID: CHG-2026-0142
# Date/Time: 2026-03-08 22:00 IST (Saturday maintenance window)
# Engineer: [Name] | Approved by: [Manager Name]
# Ticket: JIRA-NET-2891
CHANGE DESCRIPTION:
Add new VLAN 85 (IoT-Printers) on Floor 3 access switches
Assign subnet 10.10.85.0/24 with gateway on FortiGate
DEVICES AFFECTED:
- FortiGate-200F (FW-PROD-01) — new VLAN interface + DHCP pool + firewall policy
- FortiSwitch FS-248E-FP-01 (Floor 3) — new VLAN, assign ports 1-8 to VLAN 85
- FortiSwitch FS-248E-FP-02 (Floor 3) — same as above
PRE-CHANGE CHECKLIST:
[x] Change approved in change management system
[x] Maintenance window confirmed with business
[x] Rollback procedure documented (see below)
[x] Backup taken: FortiGate config exported 21:45 IST
IMPLEMENTATION STEPS:
1. Create VLAN interface on FortiGate (vlan85-iot-printers, 10.10.85.1/24)
2. Configure DHCP pool (10.10.85.50–10.10.85.200)
3. Create firewall policy: VLAN85 → Internet (print services only)
4. Create firewall policy: VLAN10-Users → VLAN85 (printing protocols)
5. Configure VLAN 85 on FortiSwitch trunk
6. Assign access ports 1–8 to VLAN 85 on both switches
7. Test: connect printer, verify DHCP, verify print from user VLAN
ROLLBACK PROCEDURE:
1. Remove VLAN 85 from FortiSwitch ports
2. Delete VLAN 85 from trunk
3. Delete firewall policies referencing VLAN 85
4. Delete VLAN interface from FortiGate
OR: Restore pre-change config backup from 21:45
POST-CHANGE VERIFICATION:
[x] Printer received IP via DHCP: 10.10.85.51
[x] Print test from user VLAN successful
[x] No unintended traffic between VLAN 85 and Servers/DBs (verified in firewall log)
[x] NetBox updated with new VLAN and IP assignments
[x] Network diagram updated
Need a Network Infrastructure Review?
EnterWeb IT Firm conducts comprehensive network architecture assessments — identifying design gaps, security vulnerabilities, redundancy failures, and documentation deficiencies — then implementing the improvements across FortiGate, MikroTik, Cisco, and multi-vendor enterprise environments.