Network Configuration Checklist
Steps a network engineer or MSP project lead runs to plan, configure, harden, and cut over a new or refreshed LAN/WAN environment. Covers design through post-cutover validation.
Network Planning and Design
- Document the site survey and traffic baseline
Capture cabling layout, IDF/MDF locations, PoE budget, ISP handoff details, and a NetFlow or Auvik baseline of current east-west and north-south traffic. Note user counts per VLAN and any voice/video QoS requirements.
- Design the VLAN segmentation plan
Separate corp, voice, guest, IoT, server, and management VLANs. Flat networks expand PCI scope and let ransomware pivot freely; segmentation is the single highest-leverage design decision. Attach the topology diagram (Visio, Lucidchart, or Auvik export).
- Select switching, routing, and firewall hardware
Match port count, PoE wattage, throughput, and license tier to the design — Meraki MS/MX, Fortinet FortiGate, Cisco Catalyst, or Ubiquiti depending on client tier. Confirm support contract levels (SmartNet, FortiCare) before quoting.
- Allocate the IPv4 and IPv6 scheme
Assign per-VLAN subnets with room to grow (avoid /24s that will exhaust within a year). Reserve static ranges for printers, APs, and infrastructure; document DHCP scopes and reservations in IPAM (phpIPAM, NetBox, or Meraki dashboard).
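One way to size and carve the per-VLAN subnets described above so that none exhausts within a year. This is an added example, not part of the checklist: the host counts, growth figures, the 16-address static hold-back, and the 10.10.0.0/21 supernet are all constructed assumptions.

```python
import ipaddress
import math

# Constructed sample input, not from the checklist: today's host count per VLAN
# and the expected 12-month growth (0.5 == +50%). Sizing on the projected figure
# is what avoids the /24 that exhausts within a year.
VLAN_PLAN = {
    "corp":       {"hosts": 180, "growth": 0.5},
    "voice":      {"hosts": 160, "growth": 0.3},
    "guest":      {"hosts": 120, "growth": 1.0},
    "iot":        {"hosts": 90,  "growth": 1.5},
    "server":     {"hosts": 40,  "growth": 0.5},
    "management": {"hosts": 25,  "growth": 0.2},
}
RESERVED_STATIC = 16  # assumed per-VLAN hold-back for gateway, printers, and APs

def prefix_for(hosts: int, growth: float) -> int:
    """Smallest IPv4 prefix whose usable addresses (2^(32-p) minus network and
    broadcast) cover projected hosts plus the static reservation."""
    needed = math.ceil(hosts * (1 + growth)) + RESERVED_STATIC
    for p in range(30, 7, -1):          # /30 is the smallest sensible LAN prefix
        if 2 ** (32 - p) - 2 >= needed:
            return p
    raise ValueError(f"{needed} hosts do not fit in a single /8")

def allocate(supernet: str, plan: dict) -> dict:
    """Carve non-overlapping subnets from supernet: largest VLAN first, best-fit
    into the smallest free block, so alignment never wastes space.
    Returns {vlan_name: IPv4Network}, ready to enter into IPAM."""
    free = [ipaddress.ip_network(supernet)]
    by_size = sorted(plan.items(),
                     key=lambda kv: prefix_for(kv[1]["hosts"], kv[1]["growth"]))
    result = {}
    for name, spec in by_size:
        p = prefix_for(spec["hosts"], spec["growth"])
        free.sort(key=lambda n: n.prefixlen, reverse=True)   # smallest blocks first
        block = next((b for b in free if b.prefixlen <= p), None)
        if block is None:
            raise ValueError(f"no free /{p} left in {supernet} for VLAN {name}")
        free.remove(block)
        subnet = block if block.prefixlen == p else next(block.subnets(new_prefix=p))
        result[name] = subnet
        free.extend(block.address_exclude(subnet))   # hand fragments back to the pool
    return result

def is_disjoint(alloc: dict) -> bool:
    """True when no two allocated subnets overlap (sanity check before IPAM entry)."""
    nets = list(alloc.values())
    return not any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])
```

With the sample plan, corp and guest each need a /23 once growth is included, which is exactly the case a flat /24-per-VLAN habit misses.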
- Capture stakeholder sign-off on the design
Provisioning and Base Configuration
- Rack and cable the core switches
Label every cable at both ends. Confirm PDU capacity and dual-power feeds on stackable switches. Stage uplinks but leave them disconnected until base configs are pushed.
- Apply base configs via RMM templates
Push hostname, NTP, AAA/TACACS, banner, and management VLAN from the gold template (NinjaOne, Datto RMM, or vendor cloud manager). Disable unused services — HTTP, Telnet, CDP on edge ports.
- Configure firewall rules and NAT policy
Default-deny inbound, explicit allow per service. Document the business justification for each inbound rule. Replace any 'any-any' legacy rules carried over from the old firewall — those are the audit findings waiting to happen.
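A small rule-base linter that checks the three points above before the policy is pushed: any-any inbound allows, inbound allows without a documented justification, and a chain that does not end in an explicit deny. It also reports rules made unreachable by an earlier broader rule, which is what a carried-over any-any does to the default deny beneath it. Added example, not the checklist's or any vendor's code; it assumes first-match rule evaluation, and the sample rule base and addresses are constructed.

```python
import ipaddress
from collections import namedtuple

# fields: name, action ("allow"|"deny"), direction ("inbound"|"outbound"), src/dst
# (CIDR or "any"), service (comma-separated proto/port or "any"), justification
Rule = namedtuple("Rule", "name action direction src dst service justification", defaults=[""])

# Constructed sample rule base, not from the page: two clean rules, one undocumented
# rule, one legacy any-any carried over from the old firewall, and the final deny.
RULES = [
    Rule("web-in", "allow", "inbound", "any", "10.10.6.10/32", "tcp/443", "customer web portal"),
    Rule("vpn-in", "allow", "inbound", "any", "198.51.100.10/32", "udp/500,udp/4500"),
    Rule("legacy-mgmt", "allow", "inbound", "any", "any", "any", "carried over from old firewall"),
    Rule("corp-out", "allow", "outbound", "10.10.0.0/23", "any", "any", "corp internet egress"),
    Rule("cleanup", "deny", "inbound", "any", "any", "any", "default deny"),
]

def addr_covers(outer: str, inner: str) -> bool:
    """True if every address in inner also matches outer ("any" matches all)."""
    if outer == "any":
        return True
    if inner == "any":
        return False
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def svc_covers(outer: str, inner: str) -> bool:
    """"any" covers every service; otherwise inner's port list must be a subset of outer's."""
    return outer == "any" or (inner != "any" and set(inner.split(",")) <= set(outer.split(",")))

def lint(rules: list) -> list:
    """(rule name, finding) pairs: any-any inbound allows, undocumented inbound allows,
    rules shadowed by an earlier broader rule, and a missing final inbound deny."""
    findings = []
    for i, r in enumerate(rules):
        if r.direction == "inbound" and r.action == "allow":
            if r.src == r.dst == r.service == "any":
                findings.append((r.name, "any-any inbound allow; replace with per-service rules"))
            if not r.justification.strip():
                findings.append((r.name, "inbound allow has no business justification"))
        for earlier in rules[:i]:   # first match wins, so a broader earlier rule hides this one
            if (earlier.direction == r.direction and addr_covers(earlier.src, r.src)
                    and addr_covers(earlier.dst, r.dst) and svc_covers(earlier.service, r.service)):
                findings.append((r.name, f"shadowed by earlier rule '{earlier.name}'; never matches"))
                break
    inbound = [r for r in rules if r.direction == "inbound"]
    last = inbound[-1] if inbound else None
    if last is None or not (last.action == "deny" and last.src == last.dst == last.service == "any"):
        findings.append(("policy", "inbound chain does not end in an explicit deny any/any"))
    return findings
```

Run against the sample, the linter shows why the legacy rule matters: besides being flagged itself, it shadows the cleanup deny, so the "default-deny" on paper never matches anything.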
- Apply QoS profiles for voice and video
Mark voice traffic EF (DSCP 46) and video AF41 at the access layer; trust those markings on uplinks. Verify the WAN edge honors DSCP — most ISPs strip it unless you have a managed circuit.
- Bring up the SD-WAN tunnels
Confirm IPsec or vendor-overlay tunnels establish to each hub and to peer sites. Validate that failover between primary and secondary circuits works by administratively shutting the primary uplink for 60 seconds.
- Open a vendor case for tunnel failures
Capture phase-1/phase-2 debug output and attach it to a P2 case with the SD-WAN vendor (Fortinet, Meraki, VeloCloud). Do not proceed to cutover until tunnels have been stable for 24 hours.
Security Hardening
- Enable 802.1x on access ports
Point switches at the RADIUS server (NPS, ISE, or ClearPass). Use MAB fallback for printers and IoT, and put unauthenticated devices on a quarantine VLAN — not the corp VLAN.
- Deploy IDS/IPS at the perimeter
Enable IPS signatures in inline mode on the WAN edge. Tune known-noisy signatures before turning on block actions; running detect-only for the first week prevents an outage on day one.
- Restrict management access via ACLs
Limit SSH and HTTPS to the management subnet and the MSP jump host only. Disable management on internet-facing interfaces. This is the #1 finding in MSP-managed network audits.
- Configure SNMPv3 and syslog forwarding
Forward to PRTG, Auvik, or LogicMonitor for monitoring and to the SIEM (Sentinel, Splunk) for retention. Use SNMPv3 with auth+priv — never SNMPv2c with 'public' community strings.
- Patch firmware to the recommended train
Apply the vendor's currently recommended firmware (not the latest) — the recommended train has bake time. Cross-check against active CVE advisories from CISA KEV and the vendor PSIRT before deployment.
Validation and Cutover
- Run pre-cutover smoke tests
Test inter-VLAN routing, internet egress, VPN client connect, DHCP scope availability, DNS resolution, and a sample line-of-business app login. Capture iPerf throughput between sites against the design baseline.
- Postpone the cutover and remediate findings
Notify the customer and CAB that the maintenance window is being moved. Open a remediation ticket per failed test; do not let a partial-pass smoke test creep into the cutover window.
- Execute the maintenance-window cutover
Follow the approved CAB change plan exactly — deviations are the most common cause of post-change incidents. Have the rollback config staged and the previous boot image preserved on every device.
- Verify post-cutover network health
Watch PRTG/Auvik dashboards for interface errors, CPU spikes, and dropped tunnels. Confirm a representative user from each VLAN can reach their critical apps. Hold the on-call bridge for 60 minutes post-cutover.
- Roll back to last-known-good config
Revert to the staged pre-change config and previous firmware. File a change-deviation report within 24 hours; schedule a post-mortem before re-attempting the cutover.
- Capture as-built documentation
Update IT Glue or Hudu with final IP allocations, VLAN map, firewall rule justifications, and credential vault entries. Stale documentation is the source of most off-hours escalations six months later.
- Schedule the 30-day post-cutover review
Pull 30 days of monitoring data, ticket trends, and any user complaints. Walk the vCIO or IT manager through findings at the next QBR; flag any QoS, capacity, or rule-set tuning needed.