
Network Infrastructure · LAN/WLAN · Bremen

Highly available network infrastructure for mid-sized companies. Performant, resilient and cleanly segmented.

Vendor-neutral. Pragmatic. No hardware margins. I plan and implement your network infrastructure so it holds up: highly available without bottlenecks in LAN, WLAN or WAN, cleanly segmented so outages and attacks cannot spread, and with controlled access so only authorised devices enter the network.

Vendor-neutral · No hardware margins · Zero-downtime implementation
Have your network analyzed

Free initial consultation (30 minutes)

Practical Check

Is your network the stable foundation of your business – or its weakest link?

Four critical questions for your infrastructure. It does not need to be malicious – an infected contractor laptop or an uncontrolled device plugged in is enough to cause serious damage.


Can a compromised office PC reach your production machines?

Ransomware seeks the path of least resistance. In a "flat" network, a careless click in accounting is enough to paralyze manufacturing minutes later. Without strict network separation, your entire company is a single point of failure.


Do you know exactly who and what is currently active in your network?

If someone can simply plug a cable into a network jack and is immediately "in", you have no control. Unknown devices, contractor laptops, or unpatched IoT devices are unpredictable gateways.


Can you prove to your insurance that the network is segmented?

Cyber insurers and regulators (e.g., NIS2) demand verifiable network segmentation as the state of the art. If this cannot be proven when a claim is made, the insurer may refuse coverage – and the company pays for the damage itself.


Is your network hardware still under manufacturer support – and sized for today's demands?

End-of-life switches no longer receive security updates and quickly hit their limits with Wi-Fi 6, VoIP, or video conferencing. No dramatic replacement overnight – but knowing your EOL dates gives you planning certainty before a device failure forces the decision.

The business risk

A flat network is not a cost advantage – it is a security risk

Historically grown, unstructured networks often run without incident for years. But they are extremely vulnerable to outages, offer zero access control, and make it frighteningly easy for malware to spread when the worst happens.

Chain reaction from simple hardware faults

A broken switch or faulty cabling in the warehouse – in an unstructured network without built-in protection, a local fault can quickly bring the entire company down. Outages at these single points of failure waste time, nerves, and money unnecessarily.

Loss of insurance coverage

Cyber insurers today require concrete proof of segmentation and access control at sign-up or when a claim is made. Anyone who cuts corners here risks, very practically, having their insurer refuse payment in the event of an incident – leaving the company to foot the bill itself.

Blind spots from open doors

Without a basic access check, every free network socket in the building is an open door. Whether it is an external HVAC technician, a machine builder with their maintenance laptop, or a personal device – anyone who plugs in is immediately on the network. The network must proactively verify who is coming in.

The architecture

How I structure and secure your network

Instead of an opaque patchwork, I design a clean, documented architecture based on proven standards – efficient, secure, and tailored to your specific use case.

Stability & Redundancy

Redundant uplinks · Resilient topology

The best network is worthless if a single faulty device brings down operations. I build to industry standards: redundant connections at every level, a well-structured topology with clear hierarchies – so no single device is ever a single point of failure.

Network segmentation

VLANs · 802.1Q · Zone design

I separate the network into clean zones – office, production, guests, IoT. VLANs are the foundation: they encapsulate the traffic. What is allowed between zones is governed by firewall rules at the boundaries – I plan both: the network base and the matching security layer.

Secure, high-performance WLAN

WPA3-Enterprise · Client Isolation

No more shared Wi-Fi passwords. Employees authenticate personally via WPA3-Enterprise. Guests browse in isolation on their own network. I ensure clean roaming, well-thought-out channel planning, and correct sizing for Wi-Fi 6/6E.

IoT & Shadow IT Control

VLAN isolation · Device profiling

Sensors, cameras, printers, and building tech get their own strictly limited network. Unknown devices automatically land in a quarantine VLAN until approved.

Network Access Control (NAC)

802.1X · RADIUS · Captive Portal

Who plugs what in where? I implement port-based access control (802.1X): company devices are automatically placed in the correct VLAN after certificate verification, unknown devices are blocked or land in a guest network with a captive portal. Works for wired and wireless connections alike.

Visibility & Inventory

LLDP · SNMP · Syslog

I ensure transparency. You can see at a glance which device is connected to which switch port. IP address conflicts and "lost" hardware belong to the past.

Standards & Protocols

Pragmatic standards over vendor lock-in

I value solid craftsmanship and clean configuration, not glossy brochures. The hardware used must fit your budget and the real-world capabilities of your IT team.

Areas & focus topics

Network segmentation (VLANs) · Port security (802.1X / RADIUS) · Certificate-based network access · Resilient switches (redundancy) · Loop prevention (Spanning Tree) · Switch sizing & PoE calculation · WLAN coverage planning · Centralised switch management

Experience from real operations

I have not just designed networks on paper – I have been managing them for years in critical environments. I know the moments when grey theory collides with hard reality in the server room. I build your infrastructure so you can sleep soundly while it runs.

Vendor-independent consulting

Because I do not sell hardware, there are no hidden margins. I recommend exactly what fits your use case: whether Ubiquiti UniFi in a classic office environment, Aruba/HPE for more complex requirements, or proven core switches in the server room. We make that decision together.

Access control via open standards

Secure network ports do not require unaffordable software platforms. Using established standards such as 802.1X and RADIUS – whether via Microsoft NPS, FreeRADIUS, or cloud-based approaches – we secure your connections using certificates (EAP-TLS) or via your Active Directory.

Sensible sizing

I plan your switch sizing with foresight and matched to actual needs: sufficient uplink bandwidth between distribution layers, a cleanly calculated PoE budget for modern Wi-Fi access points and IP phones. This prevents bottlenecks before they arise.

I earn exclusively from my consulting and implementation work. You purchase your hardware and licenses fully transparently directly from the distributor or your existing preferred supplier.

The approach

Open-heart surgery – safely planned

Network modifications in a live environment worry every IT department. My process guarantees absolute predictability, minimal downtime, and an honest assessment of what is pragmatically achievable in your environment.

1. Inventory & topology

Before we touch a single cable, we look at what is really there: which switches are running in the network, where do single points of failure exist, which VLANs are in place and where is data flowing freely between departments? The result is an unvarnished picture of the current state.

2. Pragmatic target concept

Based on the facts, we design the new structure together: logical zones, IP subnets, and routing paths. You receive a clearly documented design for review and sign-off before the actual configuration work begins.

3. Phased migration during maintenance windows

VLANs and segmentation come first – that delivers immediate security without huge overhead. Strict access control (802.1X) is built up step by step. Critical adjustments are scheduled flexibly during production-free times.

4. Clean documentation for Day-2 operations

A network without documentation is worthless in daily operations. After project completion, you receive complete topology diagrams, port allocation plans, and IP concepts. This allows your internal team to take over operations immediately, seamlessly, and without errors.

Why me

Solid craftsmanship for your network

I bring proven network standards to the mid-market – completely vendor-independent, transparent, and without the sales pressure of a system house.

Experience from critical environments

In my main job, I manage complex infrastructures in the European aerospace sector under the highest stability requirements. Exactly this thoroughness flows into your network architecture.

Vendor-independent, no margins

I do not care which logo is on your switches – whether Cisco, Aruba, HPE, or Ubiquiti UniFi. What matters is that the hardware is solid, supports open standards, and fits your budget. You purchase directly; I advise without any sales agenda.

Network & Security designed together

Clean VLAN segmentation fizzles out if the rule set at the central gateway has gaps. As a vendor-certified Security Engineer, I design your logical network structure so that its interplay with your firewalls works seamlessly and securely.

Transparent handover

After the project, every VLAN, every uplink, and every RADIUS policy is comprehensively documented. I do not leave you with proprietary knowledge that only exists in my head – I leave you with a cleanly structured environment that your IT team immediately understands.

The direct line

Short communication channels instead of ticket swamps: you speak directly with the technician who plans your infrastructure and physically and logically configures your switches – no first-level support, no call centres.

Bremen & Remote

On-site in Bremen and the surrounding area for the baseline assessment, remote nationwide for staging and preparation. Critical switch-overs (cut-over) are scheduled flexibly in the late evening hours or at the weekend.

The result

The before-and-after comparison

The transformation from a chaotic switch cluster to a controlled, auditable infrastructure.

Before: A flat network where ransomware immediately spreads to everything (backups, OT).
After: Strict barriers (VLANs) – an infected device remains isolated.

Before: Anyone can plug into an empty network jack and has full access.
After: Port security (802.1X NAC) – access only for certified and verified company devices.

Before: A shared Wi-Fi password that ex-employees and guests still know.
After: Personalized Wi-Fi access (Enterprise) and clean client isolation.

Before: IoT devices, smart cameras, and servers hang unfiltered in the same network.
After: Microsegmentation – IoT only talks to the services exactly intended for it.

Before: A switch failure halts half the company for hours.
After: Redundant uplinks and optimized routing prevent single points of failure.

Before: No documentation. Troubleshooting involves "pulling cables".
After: Complete topology plans and transparency on which device is on which port.

What you are probably wondering

Clear answers to the most important questions about LAN, WLAN, and NAC.

Very often, no! Almost all manageable business switches from the last 10 years support basic VLANs and 802.1X. We check what your hardware can do during the inventory. I only recommend a hardware refresh if absolutely necessary (e.g., for PoE power for new WLAN or end-of-life).

That is decided by the use case, not the vendor label. For classic office networks and typical SME environments, I often recommend Ubiquiti UniFi: cost-effective, stable, and with an excellent centralised management controller. For more complex requirements, higher PoE budgets, or OT-adjacent segments, we use Aruba/HPE or Cisco. In any case, you do not purchase hardware through me – you buy directly from the distributor or your existing supplier without any mark-up.

A certain amount of interruption is unavoidable when moving cables or reconfiguring switch ports. However, we plan this precisely. Segmentation (VLAN setup) runs in parallel in the background. The final port cut-over happens segment by segment outside your core working hours.

VLANs encapsulate the network into logical segments – they are the foundation, not access control. What is allowed between segments is decided by firewall rules and ACLs at the boundaries. NAC (Network Access Control, usually 802.1X) is the bouncer function before that: Who is allowed into the network in the first place? Both complement each other – an unknown device cannot get past the NAC, and even if it does, it is isolated in the correct segment (e.g., guests).
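As an added example that is not part of this page or the author's own configuration, the following Python model shows the NAC decision described in the "Network Access Control" section and in the answer above: a RADIUS policy that accepts a valid company certificate (EAP-TLS) into the corporate VLAN, places a profiled IoT device without a supplicant into the IoT VLAN, rejects foreign or expired certificates, and sends everything unknown to a quarantine VLAN via the standard RFC 3580 tunnel attributes. The VLAN numbers, the CA name and the IoT OUI list are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Assumed VLAN plan for this example (not from the page)
VLANS = {"corporate": 10, "iot": 30, "quarantine": 99}
# Assumed issuer name of the company PKI that signs device certificates
COMPANY_CA = "CN=Example-Corp-Issuing-CA"
# Assumed device-profiling table: MAC OUI prefixes of approved IoT hardware
APPROVED_IOT_OUI = {"00:11:22"}


@dataclass
class AccessRequest:
    """What the switch forwards to RADIUS for one port (constructed, simplified)."""
    mac: str
    eap_method: Optional[str] = None      # "EAP-TLS", or None for MAC authentication bypass
    cert_issuer: Optional[str] = None     # issuer DN of the presented client certificate
    cert_not_after: Optional[str] = None  # certificate expiry as ISO date string


def radius_vlan_attrs(vlan: int) -> dict:
    """RFC 3580 tunnel attributes that make the switch place the port into a VLAN."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-Id": str(vlan)}


def authorize(req: AccessRequest, today: str) -> tuple:
    """Return (RADIUS reply code, reply attributes) for one access request."""
    if req.eap_method == "EAP-TLS":
        # Company device: certificate must come from our CA and still be valid
        valid = (req.cert_issuer == COMPANY_CA and req.cert_not_after is not None
                 and date.fromisoformat(req.cert_not_after) >= date.fromisoformat(today))
        if valid:
            return "Access-Accept", radius_vlan_attrs(VLANS["corporate"])
        return "Access-Reject", {}  # foreign or expired certificate: port stays closed
    if req.eap_method is None and req.mac[:8].lower() in APPROVED_IOT_OUI:
        # No supplicant, but a profiled IoT device: strictly limited IoT VLAN
        return "Access-Accept", radius_vlan_attrs(VLANS["iot"])
    # Anything unknown lands in the quarantine VLAN until it is approved
    return "Access-Accept", radius_vlan_attrs(VLANS["quarantine"])


if __name__ == "__main__":
    laptop = AccessRequest("aa:bb:cc:dd:ee:01", "EAP-TLS", COMPANY_CA, "2027-06-30")
    print(authorize(laptop, "2026-01-15"))
```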

After clean initial setup, very little. In a Windows environment, certificate distribution via Active Directory (GPO) works fully automatically. When a new employee receives a company laptop, it is immediately and invisibly authorized. Third-party devices are consistently blocked.

NAC with 802.1X and EAP-TLS requires your company devices to have certificates and a RADIUS server to be in place. If both are missing, it quickly becomes a project in its own right. My recommendation: we start with VLANs and segmentation – that delivers immediate security without a PKI project. Access control is then introduced step by step: using Active Directory integration (EAP-MSCHAPv2) or, where a PKI is not realistic, via pragmatic alternatives such as an internal GlobalProtect portal that controls device access based on identity and compliance posture.

No. System houses often do an excellent job with end-user support (laptops, printers, Office 365). I act as a specialized network engineer. We work cooperatively to elevate your network to the next security level.

This depends heavily on the size of your company and the current state of your network. A manageable office network (1 site, up to ~50 devices, no NAC) typically takes 5–10 weeks. Larger environments with multiple buildings, production areas, or a NAC rollout should be planned at 12–20 weeks, divided into milestones that do not disrupt day-to-day operations. I deliver projects outside my regular working hours – which means a realistically planned schedule without rushing.

No. My scope covers the planning, configuration, and commissioning of active network equipment – switches, access points, RADIUS, VLANs. Structural work such as cable laying, flush-mounted installations, or installing network sockets is the domain of an electrician or structured cabling contractor. I carry out neither of these trades myself, nor do I refer contractors. If you already have an electrician engaged, I am happy to provide a written specification of my requirements (cable types, lengths, socket positions) in advance – so there is no rework needed.


Let's talk.

No sales pitch, no standard proposal. If you think a conversation makes sense – tell me about your situation. I'll get back to you.

On-site in Bremen and the surrounding region · Remote throughout Germany


All product and company names mentioned are the property of their respective owners and are used solely to describe qualifications and professional experience. No commercial or contractual relationship exists between me and any of the companies or brands referenced.

© 2026 Max Hünecke. All rights reserved.