Creating a reliable and scalable network diagram is one of the most critical tasks for any
network security engineer. Before touching a single device or drawing the first node, you need
answers — from the business, from the stakeholders, and from the existing infrastructure.
This tutorial walks you through a structured questionnaire covering every dimension of a modern
network: organisational context, technical requirements, security posture, and budget reality.
Use this as a living checklist before every network design engagement.
Q_01
What type of business does the company operate?
Data-driven, service-oriented, or hybrid? This shapes throughput priorities and data-flow patterns — a data warehouse operation needs very different backbone capacity than a retail POS network.
Q_02
How many employees or users are there?
User count directly informs network load capacity, DHCP pool sizing, switch port requirements, and licence counts for managed solutions.
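The pool-sizing step above is easy to get wrong by a power of two. The following Python helper is an added example, not part of the original checklist: it turns a headcount into a subnet prefix and DHCP pool boundaries. The devices-per-user ratio, growth headroom, reserved static count and the 10.20.0.0 base address are assumptions chosen for illustration.

```python
import math
import ipaddress


def plan_user_subnet(users, devices_per_user=2, growth=0.25, reserved=10,
                     base="10.20.0.0"):
    """Size a user VLAN and its DHCP pool from headcount.

    Assumptions (not from the questionnaire): each user brings
    `devices_per_user` addresses (laptop + phone), `growth` is hiring
    headroom, and the first `reserved` usable addresses are kept static
    for the gateway, printers and similar hosts. `base` is a placeholder
    network address.
    """
    if users <= 0:
        raise ValueError("users must be positive")
    needed = math.ceil(users * devices_per_user * (1 + growth)) + reserved
    # Usable IPv4 hosts in a subnet = 2**host_bits - 2 (network + broadcast).
    # Walk up from /30 until the subnet fits; cap at /16 so a typo in the
    # headcount cannot silently produce a giant broadcast domain.
    host_bits = 2
    while (2 ** host_bits) - 2 < needed:
        host_bits += 1
        if host_bits > 16:
            raise ValueError(f"{needed} hosts exceed a /16; split into several VLANs")
    prefix = 32 - host_bits
    net = ipaddress.ip_network(f"{base}/{prefix}", strict=False)
    first_usable = net.network_address + 1
    last_usable = net.broadcast_address - 1
    pool_start = first_usable + reserved
    return {
        "network": str(net),
        "usable": net.num_addresses - 2,
        "gateway": str(first_usable),
        "pool_start": str(pool_start),
        "pool_end": str(last_usable),
        "pool_size": int(last_usable) - int(pool_start) + 1,
        "headroom": (net.num_addresses - 2) - needed,
    }


if __name__ == "__main__":
    for headcount in (20, 120, 900):
        print(headcount, plan_user_subnet(headcount))
```

For 120 users the helper lands on a /23 with a 500-address pool; the `headroom` value tells you how much of the subnet is left once the pool and static hosts are accounted for, which is the number to compare against the growth the business actually forecasts.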
Q_03
Where are the company’s branches located?
Multi-site operations typically require WAN, SD-WAN, or site-to-site VPN architecture. Geographic spread also affects latency requirements and ISP redundancy planning.
Consider MPLS vs. SD-WAN cost trade-offs early if there are 3+ sites.
Q_04
Is the company data-driven, service-focused, or both?
Core business priorities determine whether latency, throughput, or uptime is the primary KPI — and which network tier receives the most hardening.
Q_05
Who are the key stakeholders, sponsors, and end-users?
Prioritise network resources for decision-makers and identify who signs off on design changes. This also clarifies change-management and approval workflows.
Q_06
What is the physical size of the main offices and branches?
Floor plans affect AP placement, cable run lengths, IDF/MDF locations, and whether riser cabling or conduit is needed.
Q_07
Does the network support the business, is it the business, or both?
If the network IS the business (SaaS, fintech, e-commerce), redundancy and high availability are non-negotiable.
In that case HA pairs, VRRP/HSRP, and dual-ISP BGP are justified.
Assess the current state and define the target state: each answer maps to a design decision.
Q_01
What is the current state of the network?
Establish a baseline — topology, hardware age, known bottlenecks — before proposing changes. This is the gap-analysis starting point.
Q_02
Are there existing network documents and consistent standards in use?
Documentation reveals maturity level: named VLANs, IP addressing schemes, and consistent port labelling all accelerate your gap analysis.
Q_03
Do users need to connect remotely (from home)?
Remote access drives the need for SSL VPN, Zero Trust NAC, or IPsec tunnel design. The open questions are the scale and the security model.
For 50+ remote users, consider a dedicated VPN concentrator or ZTNA platform.
Q_04
Will users primarily connect via wireless or wired?
Wireless-heavy environments need robust AP density planning, SSID segmentation per VLAN, WPA3 enforcement, and a wireless controller or cloud NMS.
Q_05
Is Voice over IP (VoIP) needed?
VoIP requires dedicated VLANs, QoS policy (DSCP EF for voice, AF41 for video), and sub-150ms one-way latency. Confirm PBX type: on-prem (Asterisk, 3CX) or hosted (MS Teams, RingCentral).
Mark voice traffic at the ingress edge: classify it with a class-map (VOIP), then set dscp ef on that class in the ingress policy-map so the core only has to trust the marking.
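Marking is only useful if it survives to the core, so verify it on the wire. The following Python snippet is an added example, not part of the original checklist or any vendor's tooling: it reads the DSCP field from IPv4 headers and reports packets whose class does not match what the QoS policy should have set. The header builder and the three sample packets are constructed for the example; the DSCP values themselves are the standard code points (EF = 46, AF41 = 34).

```python
import struct
import ipaddress

# Standard DiffServ code points (6-bit values): EF per RFC 3246,
# AFxy per RFC 2597, CSx per RFC 2474.
DSCP = {"EF": 46, "AF41": 34, "AF31": 26, "CS3": 24, "BE": 0}


def dscp_to_tos(dscp):
    """DSCP sits in the top 6 bits of the IPv4 TOS byte; the low 2 bits are ECN."""
    return dscp << 2


def dscp_name(value):
    for name, code in DSCP.items():
        if code == value:
            return name
    return f"DSCP{value}"


def dscp_from_ipv4_header(packet):
    """Read the DSCP carried in an IPv4 packet (the TOS byte is at offset 1)."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return packet[1] >> 2


def build_ipv4_header(dscp, src, dst, proto=17):
    """Constructed minimal 20-byte IPv4 header used as sample input.
    Checksum and lengths are left at zero; only the TOS byte matters here."""
    src_b = ipaddress.IPv4Address(src).packed
    dst_b = ipaddress.IPv4Address(dst).packed
    return struct.pack("!BBHHHBBH4s4s", 0x45, dscp_to_tos(dscp), 20, 0, 0,
                       64, proto, 0, src_b, dst_b)


def audit_markings(samples):
    """samples: (description, expected class name, packet bytes).
    Returns one line per packet whose DSCP does not match the expected class,
    which is what you look for when checking that ingress marking and the
    trust boundary are actually in effect."""
    problems = []
    for desc, expected, pkt in samples:
        seen = dscp_name(dscp_from_ipv4_header(pkt))
        if seen != expected:
            problems.append(f"{desc}: expected {expected}, saw {seen}")
    return problems


# Constructed samples: RTP audio and video from the voice VLAN, plus one voice
# packet that reached the core unmarked (the failure mode an audit should catch).
SAMPLES = [
    ("phone A -> phone B audio", "EF", build_ipv4_header(46, "10.1.10.5", "10.1.10.9")),
    ("conference video", "AF41", build_ipv4_header(34, "10.1.10.5", "10.1.10.9")),
    ("phone C audio, unmarked", "EF", build_ipv4_header(0, "10.1.10.7", "10.1.10.9")),
]

if __name__ == "__main__":
    for line in audit_markings(SAMPLES):
        print(line)
```

In practice you would feed `audit_markings` the IPv4 headers from a capture taken on a core uplink; an unmarked voice packet there means either the ingress policy is missing on that port or an intermediate device is rewriting the TOS byte.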
Q_06
Own DNS/email server, or cloud (M365 / Google Workspace)?
On-premises means managing MX, SPF, DKIM, and DMARC records yourself. Cloud shifts the ops burden but requires reliable egress and updated firewall rules for the SaaS endpoints.
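Whether the mail platform is on-premises or hosted, the SPF and DMARC records are what receivers judge the domain by. The following Python checker is an added example, not part of the original checklist: it parses the two TXT records and lists the weak settings a reviewer would flag (a permissive `all` term, too many DNS lookups, a monitor-only DMARC policy, no reporting address). The records under `example.com` names are constructed sample data; in an engagement you would fetch the real ones with a DNS lookup.

```python
import re

# SPF terms that cost a DNS query; RFC 7208 caps these at 10 per evaluation.
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_spf(txt):
    """Return the terms of a v=spf1 TXT record, or None if it is not SPF."""
    if txt is None or not txt.lower().startswith("v=spf1"):
        return None
    return txt.split()[1:]


def parse_dmarc(txt):
    """Return the tag/value pairs of a v=DMARC1 TXT record, or None."""
    if txt is None or not txt.lower().startswith("v=dmarc1"):
        return None
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_mail_auth(spf_txt, dmarc_txt):
    """Rate the published SPF and DMARC records. Returns a list of findings;
    an empty list means nothing obviously weak was found."""
    findings = []
    spf = parse_spf(spf_txt)
    if spf is None:
        findings.append("SPF: no v=spf1 record published")
    else:
        terminal = spf[-1].lower() if spf else ""
        if terminal in ("all", "+all"):
            findings.append("SPF: '+all' authorises any sender to use the domain")
        elif terminal == "?all":
            findings.append("SPF: '?all' is neutral; receivers treat it as no policy")
        elif terminal == "~all":
            findings.append("SPF: '~all' softfail; rely on DMARC p=quarantine/reject")
        lookups = sum(
            1 for term in spf
            if re.split(r"[:=/]", term.lstrip("+-~?"))[0].lower() in DNS_MECHANISMS
        )
        if lookups > 10:
            findings.append(f"SPF: {lookups} DNS lookups exceed the limit of 10 (permerror)")
    dmarc = parse_dmarc(dmarc_txt)
    if dmarc is None:
        findings.append("DMARC: no v=DMARC1 record published")
    else:
        policy = dmarc.get("p", "").lower()
        if policy == "none":
            findings.append("DMARC: p=none only monitors; spoofed mail is still delivered")
        elif policy not in ("quarantine", "reject"):
            findings.append(f"DMARC: unrecognised policy '{policy}'")
        if "rua" not in dmarc:
            findings.append("DMARC: no rua= address, so no aggregate reports")
        pct = dmarc.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC: pct={pct} applies the policy to only part of the mail")
    return findings


if __name__ == "__main__":
    # Constructed records: one hardened domain, one still in monitor mode.
    for spf, dmarc in [
        ("v=spf1 include:_spf.example.net mx -all",
         "v=DMARC1; p=reject; rua=mailto:dmarc@example.com"),
        ("v=spf1 a mx +all", "v=DMARC1; p=none"),
    ]:
        print(assess_mail_auth(spf, dmarc) or ["no findings"])
```

The checker deliberately reports `~all` as a finding even though it is common: softfail alone lets spoofed mail through at many receivers, so it is acceptable only once DMARC enforces quarantine or reject.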
Q_07
Are ERP or EMS servers running within the network?
Critical internal servers influence VLAN segmentation, redundant uplinks, failover planning, and backup bandwidth. ERP downtime is direct revenue loss.
Q_08
Is cloud computing required?
Cloud workloads need Internet breakout with SD-WAN, or Direct Connect / ExpressRoute links. Firewall egress policy must account for cloud-provider CIDRs.
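Cloud providers publish their address ranges and change them regularly, so an egress rule written once goes stale. The following Python snippet is an added example, not part of the original checklist or any provider's tooling: it filters a published range feed down to the services and regions the business uses, collapses the result into the shortest prefix list for a firewall object, and reports drift against the ranges currently in the rule. The feed format, field names and service labels are assumptions constructed for the example; real feeds differ per provider.

```python
import json
import ipaddress

# Constructed sample in the shape of a provider's published IP-range feed
# (assumption: a JSON object with a "prefixes" list of prefix/region/service
# entries; real field names and service labels differ per provider).
SAMPLE_FEED = json.dumps({"prefixes": [
    {"ip_prefix": "198.51.100.0/25",   "region": "eu-west-1", "service": "OBJECT_STORE"},
    {"ip_prefix": "198.51.100.128/25", "region": "eu-west-1", "service": "OBJECT_STORE"},
    {"ip_prefix": "203.0.113.0/24",    "region": "us-east-1", "service": "OBJECT_STORE"},
    {"ip_prefix": "192.0.2.0/24",      "region": "eu-west-1", "service": "COMPUTE"},
]})


def egress_prefixes(feed_json, services, regions):
    """Select the published ranges for the services/regions in use and collapse
    adjacent ones into the smallest prefix list for the firewall object."""
    feed = json.loads(feed_json)
    nets = [ipaddress.ip_network(e["ip_prefix"])
            for e in feed["prefixes"]
            if e["service"] in services and e["region"] in regions]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def rule_covers(prefixes, dst):
    """Would an egress rule built from `prefixes` permit traffic to `dst`?"""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def prefix_drift(current_rule, published):
    """Compare the ranges currently in the firewall rule with the latest feed.
    Providers add and retire ranges; a stale rule either blocks new endpoints
    or keeps old space open after it has been reassigned to someone else."""
    cur = set(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in current_rule))
    new = set(ipaddress.collapse_addresses(ipaddress.ip_network(p) for p in published))
    return {"add": sorted(str(n) for n in new - cur),
            "remove": sorted(str(n) for n in cur - new)}


if __name__ == "__main__":
    wanted = egress_prefixes(SAMPLE_FEED, {"OBJECT_STORE"}, {"eu-west-1"})
    print("allow egress to:", wanted)
    print("drift vs. current rule:", prefix_drift(["198.51.100.0/25"], wanted))
```

Run `prefix_drift` on a schedule against the live feed and alert on a non-empty result; that turns a manual firewall review into a change ticket with the exact prefixes to add or retire.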
Q_09
What devices will users connect from?
BYOD vs. managed devices changes NAC policy, MDM requirements (Intune, Jamf), certificate deployment, and 802.1X supplicant configuration.
Q_10
What are the security and redundancy needs?
Defines firewall tiers (perimeter, internal, DMZ), IDS/IPS placement, dual-ISP failover, UPS requirements, and whether a SOC/SIEM is in scope.
Q_11
Will the entire network be centrally managed?
Requires a dedicated out-of-band management VLAN and a defined tools stack.
Popular stacks: PRTG, LibreNMS, Zabbix, Grafana + Prometheus.
Q_12
Does the company require a public IP address block?
Provider-independent (PI) space needs ARIN/RIPE/APNIC allocation and BGP. Provider-aggregatable (PA) space is simpler but tied to your ISP.
Q_13
How much internet bandwidth does the company currently have?
Capture the committed information rate (CIR) and burst capacity from the ISP contract — your baseline for upgrade planning and WAN link sizing.
Q_14
Is the ISP connection static or dynamic?
Static IPs are required for inbound services (web, mail, VPN). Dynamic connections need DDNS or a reverse-proxy/cloud gateway.
Q_15
Do they need content filtering and traffic control?
Drives firewall policy, proxy deployment (explicit or transparent), and DNS filtering (Cisco Umbrella, Pi-hole, Cloudflare Gateway) for category-based blocking.
Q_16
Security priority vs. uninterrupted fast access?
SSL inspection adds ~5–15ms of latency. Both goals can coexist with proper QoS and dedicated SSL offload hardware — it’s an architecture decision, not a compromise.
Q_17
Is zero downtime critical for operations?
Requires HA pairs (active/active or active/passive), VRRP/HSRP for gateway redundancy, dual-ISP BGP failover, and a documented RTO/RPO.
Define RTO and RPO before specifying HA hardware — they drive the entire cost model.
Q_01
What is the budget for the network infrastructure?
Budget ceiling determines whether you spec Cisco Catalyst / Palo Alto (high-end), Fortinet / HPE Aruba (mid-range), or Ubiquiti / open-source (cost-constrained).
Q_02
Are there any device or vendor dependencies?
Existing Cisco / Fortinet / Palo Alto investments may restrict or simplify technology choices. Confirm licences, support contracts, and end-of-life timelines.
Q_03
Internal IT team or external MSP?
MSP-managed networks need simpler ops models, robust remote-access tooling, and clear RACI boundaries. Internal teams can handle complexity but need thorough runbooks.