Small-office networks punch above their weight. The stakes are lower than a datacenter, but the tolerance for downtime is often higher — there's no redundant everything, and the person fixing the problem is usually also in a meeting.

The topology I keep reaching for

Dual-WAN at the edge, a firewall with DPI-SSL, a core switch, access switches on each floor or wing, and WAPs in a mesh for easy roaming. Three VLANs: corporate, BYOD/guest, and infrastructure. IoT gets its own VLAN once the first camera or printer is onboarded.

Why mix Meraki and UniFi

Meraki is expensive per port, but the license model forces cloud management and the dashboard is excellent for remote operations. UniFi is cheap, the controller is flexible, and the hardware punches well above its price. I mix them: UniFi at the access layer, Meraki at the perimeter (an MX plus a couple of MRs for corporate Wi-Fi) for the remote-management benefits.

SSIDs

  • Corp-WPA3 — 802.1X via Entra ID, certificate-based where possible.
  • Corp-BYOD — PSK rotated quarterly, captive portal with T&Cs, isolated VLAN.
  • Guest — PSK rotated weekly, internet-only, client isolation so there is no lateral traffic between guests.
  • IoT — hidden SSID, device-specific PSKs via Private PSK where supported.

Failover patterns

Dual-WAN isn't failover unless you've tested it. My test: unplug the primary WAN during the Monday stand-up (with warning, once) and time how long until sessions recover. If it's over 30 seconds, tune the DPD (dead peer detection) intervals on the VPN tunnels and the WAN failover detection on the firewall.

Numbers I trust

Expect 1–5 seconds of failover for TCP sessions when dual-WAN is configured well. UDP (VoIP) will blip. VPN tunnels to cloud resources usually renegotiate within 10 seconds if IKEv2 with MOBIKE is in play.
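A way to put a number on the unplug test above, and to compare it against the thresholds in this section (added example, not from the original post): probe a TCP endpoint every half second, pull the primary WAN mid-run, and report the longest gap between successful connections. The target host and port are placeholders; use a cloud endpoint the office actually depends on.

```python
import socket
import time
from dataclasses import dataclass

@dataclass
class Sample:
    t: float   # time.monotonic() when the probe was sent
    ok: bool   # True if the TCP handshake completed

def probe(host: str, port: int, timeout: float = 1.0) -> bool:
    """One TCP connect; any error or timeout counts as a failed probe."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def longest_outage(samples: list) -> float:
    """Seconds from the last good probe before a run of failures to the first good
    probe after it; a run still failing at the end is measured to the last sample."""
    longest, last_ok, failing = 0.0, None, False
    for s in samples:
        if not s.ok:
            failing = True
        if failing and last_ok is not None:
            longest = max(longest, s.t - last_ok)
        if s.ok:
            failing, last_ok = False, s.t
    return longest

def verdict(gap: float) -> str:
    # Thresholds taken from the post: 1-5 s expected, over 30 s means tuning.
    if gap == 0.0:
        return "no outage observed"
    if gap <= 5.0:
        return "within the expected 1-5 s"
    if gap <= 30.0:
        return "recovered, but slower than expected"
    return "over 30 s: tune DPD intervals and failover detection"

def run(host: str, port: int, duration: float, interval: float = 0.5) -> list:
    """Probe every `interval` s for `duration` s; pull the primary WAN mid-run."""
    samples, deadline = [], time.monotonic() + duration
    while time.monotonic() < deadline:
        samples.append(Sample(time.monotonic(), probe(host, port)))
        time.sleep(interval)
    return samples

if __name__ == "__main__":
    # Placeholder target (assumption): a cloud endpoint the office depends on.
    gap = longest_outage(run("example.com", 443, duration=120))
    print(f"longest outage {gap:.1f}s: {verdict(gap)}")
```

This measures how quickly new connections succeed again, which is the TCP-session number above; established VPN tunnels and VoIP streams need their own check, since UDP will blip regardless.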