Reference Architecture
The same Omada build at three sizes. One front door running intrusion prevention, one managed switching core, ceiling Wi-Fi, and traffic split into lanes that can’t reach each other — sized to the headcount, on equipment you own outright.
What good looks like
Every choice further down serves these four. A build that satisfies them is defensible at 10 seats or 500; one that misses any of them is exposed no matter what it cost.
Each size gets one recommended pick per class, plus the one alternate worth considering. Choosing a size updates the build and the diagram below it.
| Class | The pick — and the alternate | Qty | Ext. |
|---|---|---|---|
| Hardware, all-in — before cabling, rack, and UPS | |||
The shape is identical at every size — only the box on each rung changes. Internet lands on the firewall; the firewall feeds a PoE core; the core powers the Wi-Fi and feeds the desk switching; and every device, wired or wireless, comes up inside a walled-off lane.
The hardware is the easy part. These four are what actually reduce risk, and all four are configured once, centrally, from the controller.
The firewall runs IDS/IPS against a maintained signature database and inspects traffic at the application layer (DPI). Hits land on the Threat Management page, where an attacking IP can be blocked or the device isolated on the spot. Inspection costs throughput — which is why every size here buys gateway headroom rather than the cheapest box that fits.
Staff, devices, and guest ride the same cabling as separate VLANs. A compromised printer or a stranger’s laptop has no path to a file server. This is the highest-value control on the page, and it costs nothing but configuration.
WPA3 on the wireless, and 802.1X against RADIUS on both Wi-Fi and switch ports — so an unknown device plugged into a conference-room jack lands nowhere. Every device gets unique credentials: one shared local-admin password across the estate turns a single foothold into all of them. Departing staff are revoked centrally, not by rotating a passphrase everyone knows.
The hardware controller keeps management on your LAN rather than depending on a vendor cloud. It’s what turns firmware and threat-signature updates into an automatic push instead of a forgotten chore — which is how most of these networks actually get breached — and it’s where the ongoing monitoring lives: client history, threat logs, and alerts in one place, so hardening is a routine, not a rescue.
IDS/IPS and DPI are real features here, not marketing — but turning them on measurably reduces routing performance, and the effect is most visible on the entry-level gateways. Size the router for the speed you want with inspection enabled, not the speed printed on the box. Confirm the feature is live on your exact model and firmware, too: the rollout was staggered, and datasheets ran ahead of shipping code.
Omada’s switch catalog hides three easy ways to buy the wrong box. Every switch on this page is deliberately SG-series for that reason.
TP-Link has been under US federal scrutiny, with a proposed ban floated for their consumer routers. It targets the retail line, not Omada, and nothing is final — but if you’re regulated or sell to government, weigh it before standardizing on the platform. Ubiquiti UniFi is the closest equivalent without that overhang.