Office Network Disasters We Have Fixed in Nairobi (and How to Avoid Them)

The call came in at 10:14am on a Tuesday. An insurance company in Upper Hill. Forty-three people sitting at their desks unable to do anything. No email. No internet. No access to their internal claims system. The office manager described it as "everything just stopped."

We drove there. It took 22 minutes to find the problem. Somebody had plugged a single Ethernet cable into two ports on the same switch.

CloudSpinx is a network infrastructure and managed IT provider based in Nairobi, Kenya. We design, deploy and manage office networks for over 40 businesses across East Africa. Over the years, we have seen some truly creative ways for networks to fail. Here are seven of the best ones.

1. The Switching Loop That Killed an Entire Floor

Back to that insurance company. Here is what happened.

A staff member needed a network port for a visitor's laptop. The nearest wall socket was dead (because nobody had labelled or documented the patch panel, but that is a different problem). So they grabbed a loose Ethernet cable and plugged both ends into the switch under their desk.

Instant broadcast storm.

Every packet on the network started looping infinitely. The switches could not cope. CPU usage on the main switch hit 100% within seconds. The entire floor went dark.

What we did: Unplugged the offending cable. Enabled Spanning Tree Protocol (STP) on every managed switch in the building. Here is the basic config for a Cisco switch:

spanning-tree mode rapid-pvst
spanning-tree portfast default
spanning-tree portfast bpduguard default

BPDU Guard is the important part. If someone plugs a cable into two ports again, the port shuts down instead of taking the whole network with it.

Lesson: If your switches do not have STP enabled, a single cable can take out your entire office. This is a 5-minute configuration change that prevents hours of downtime.

2. Forty-Seven Devices, One Flat Network

A marketing agency in Westlands called us because "the internet is slow." Their Safaricom fibre connection tested fine. Speed tests from the router showed 100Mbps down.

But users were getting 2-8Mbps at their desks.

We looked at the network. Forty-seven devices, all on a single flat 192.168.1.0/24 network. Laptops, phones, printers, the CCTV system, the smart TV in the boardroom, two NAS drives, and what turned out to be someone's personal Chromecast. All sharing the same subnet. All broadcasting ARP requests to every other device. All competing for bandwidth with zero traffic prioritisation.

The CCTV system alone was pushing 15Mbps of constant video traffic across the same network segment as the staff doing client video calls.

What we did: VLANs. Separated the network into segments:

VLAN 10 - Staff (192.168.10.0/24)
VLAN 20 - Guests (192.168.20.0/24)
VLAN 30 - CCTV (192.168.30.0/24)
VLAN 40 - VoIP/Video (192.168.40.0/24)
VLAN 50 - Printers (192.168.50.0/24)

Added QoS rules to prioritise video conferencing traffic. Isolated the CCTV traffic so it stopped flooding the staff network. Speed at desks went from 2-8Mbps to a consistent 80-90Mbps.

The redesign included a new managed switch and our configuration time. The agency had been losing an estimated 30 minutes per employee per day to slow network performance. The investment paid for itself within weeks.

3. The Consumer Router Running an 80-Person Office

A logistics company on Mombasa Road. Eighty-three employees. The entire office network was running through a TP-Link Archer C7 that someone bought from a shop in Luthuli Avenue for about KES 8,000.

The router was supposed to handle 83 wired and wireless connections, run DHCP for the entire office, act as the firewall, and manage the VPN connection to their Mombasa branch office.

It was rebooting itself every 3-4 hours when the NAT table overflowed.

Look, consumer routers are fine for your house. They are designed for maybe 15-20 devices. When you push 80+ devices through one, the CPU overheats, the memory fills up, and it just gives up. We have seen this more times than we can count in Nairobi offices.

What we did: Replaced it with a MikroTik RB4011 for routing and firewall duties (about KES 35,000), plus Ubiquiti UniFi switches and access points for the LAN and WiFi. Proper enterprise gear that is still affordable for a Kenyan SME.

The VPN to Mombasa, which had been dropping 4-5 times per day, has not gone down once in seven months.

Lesson: If you have more than 20 devices in your office, you need business-grade networking equipment. It does not have to be Cisco Meraki at KES 200,000. MikroTik and Ubiquiti give you enterprise features at a fraction of the cost. Our network and connectivity team can spec the right equipment for your office size and budget.

4. The Failover That Never Failed Over

A financial services firm in Upperhill. They were paying for two ISP connections, Safaricom fibre as primary and JTL as backup. Good thinking. The whole point was that if Safaricom went down, JTL would take over automatically.

Except it never did.

When Safaricom had an outage (which happens, it is just reality), the office went offline. The "failover" was configured on the router, but nobody had tested it. Turned out the failover was set to ping the Safaricom gateway IP to check if the connection was alive. When Safaricom went down, the gateway IP went down too, so the ping failed. But the failover script had a bug: it interpreted "ping failed" as "connection is working but slow" and did nothing.

The company had been paying KES 25,000 per month for a JTL line that had literally never carried production traffic.

What we did: Configured proper health checks that ping external IPs (not the ISP gateway), set up weighted failover with automatic and manual triggers, and added monitoring alerts so the IT team knows the exact second a failover happens.

# MikroTik failover check - ping Google and Cloudflare DNS
/ip route
add distance=1 gateway=196.201.x.x check-gateway=ping
add distance=2 gateway=41.90.x.x check-gateway=ping

/tool netwatch
add host=1.1.1.1 interval=30s down-script="/ip route set [find distance=1] disabled=yes" \
    up-script="/ip route set [find distance=1] disabled=no"

Then we tested it. Unplugged the Safaricom cable. Traffic switched to JTL in under 30 seconds. Plugged it back in. Traffic returned to Safaricom.

Lesson: An untested failover is not a failover. It is a second bill. Test your backup connection monthly. Better yet, have your managed IT provider test it for you.

5. DNS: The "It Works But Everything Is Slow" Problem

A tech company in Kilimani. Staff complained that websites "feel sluggish." Speed tests looked fine. Downloads were fast. But loading any new website had a noticeable 2-3 second delay before anything started happening.

DNS. It is always DNS.

Someone had configured every machine in the office to use 8.8.8.8 (Google DNS) as the only resolver. No secondary. No local caching. Every single DNS lookup for every single device was going all the way to Google's servers and back.

From Nairobi, the round-trip time to Google's nearest DNS server was about 35ms. Not terrible, but multiply that by the 40-60 DNS lookups that happen when you load a modern website, and you get noticeable delay.

What we did: Set up a local DNS resolver on the MikroTik router with caching enabled. Used Cloudflare (1.1.1.1) and Google (8.8.8.8) as upstream resolvers. First lookup takes 35ms. Every subsequent lookup for the same domain: under 1ms.

# Proper DNS configuration for a Kenyan office
Primary DNS: Local router/server (caching resolver)
Secondary DNS: 1.1.1.1 (Cloudflare)
Tertiary DNS: 8.8.8.8 (Google)

Also added the Safaricom DNS servers (196.201.214.100 and 196.201.214.102) as additional upstreams, since they resolve Kenyan domains faster than international resolvers.

Page load times improved noticeably across the office. No hardware changes. No extra cost. Just proper DNS configuration.

6. The Printer That Became a DHCP Server

This one is our favourite.

A law firm in the CBD. Random devices in the office kept losing internet connectivity. Not all at once. Not on a schedule. Just randomly, throughout the day, different people would lose connectivity for 10-20 minutes and then it would come back.

We spent two hours tracing the problem. It turned out that an HP LaserJet printer had somehow enabled its built-in DHCP server. We still do not know how. Maybe a firmware update. Maybe someone poked around in the printer's web interface.

The printer was handing out IP addresses on the 10.0.0.x range. The actual DHCP server was using 192.168.1.x. Whenever a device's DHCP lease expired and it tried to renew, there was a race condition between the real DHCP server and the rogue printer. If the printer won the race, the device got an address on the wrong subnet and lost connectivity.

It was maddening. Intermittent, unpredictable, and impossible to reproduce on demand.

What we did: Disabled DHCP on the printer. Then, critically, enabled DHCP snooping on the switches so that only the authorised DHCP server could hand out addresses. No rogue device, printer or otherwise, can ever do this again.

Lesson: DHCP snooping should be enabled on every managed switch in your office. Period. It takes 5 minutes to configure and prevents an entire category of bizarre, hard-to-diagnose problems. If you are on our managed IT plan, this is enabled by default.

7. The WiFi Dead Zone Factory

A co-working space near Sarit Centre. They had invested in six Ubiquiti access points. Good hardware. Plenty of coverage for the space. But half the building had terrible WiFi while the other half had perfect signal.

All six access points were mounted within 10 metres of each other, clustered around the main reception area. The person who installed them apparently decided that more antennas in one spot meant better coverage.

That is not how WiFi works. Those six APs were interfering with each other, fighting over channels, and drowning out their own signals. Meanwhile, the meeting rooms at the far end of the building had zero coverage.

What we did: Redistributed the access points across the building using a proper site survey. Assigned non-overlapping channels (1, 6, 11 on 2.4GHz). Reduced transmit power on each AP so they covered their designated zone without bleeding into the next one.

The result: consistent 150-200Mbps WiFi coverage across the entire building instead of 400Mbps in reception and zero everywhere else.

Lesson: WiFi coverage is about placement, not quantity. Three well-placed access points will outperform ten badly placed ones every time. A proper WiFi site survey costs KES 15,000-30,000 and pays for itself immediately. We include this in every network assessment we do.

The Common Thread

Every single one of these disasters has the same root cause: the network was set up once, by someone who did not specialise in networking, and never reviewed again.

Even small offices benefit from getting the basics right, STP enabled, VLANs configured, proper DNS. The setup is lighter for a 5-person team, but the principles are the same. And the moment your business grows beyond 15-20 people, network infrastructure needs the same attention as your cybersecurity and server management. A single day of network downtime for a 50-person company costs roughly KES 500,000 in lost productivity. A proper network design and setup costs a fraction of that. We work with offices of all sizes, reach out and we will scope what makes sense for you.

If any of these stories sound familiar, we should talk. You can reach us at [email protected] or WhatsApp 0713 403 044. We will come to your office, find out what is actually going on, and fix it properly.

Frequently Asked Questions

How much does a professional network setup cost for a Kenyan office?

It depends on your office size, layout, and requirements. The cost covers equipment (switches, access points, firewall), plus installation, configuration, site survey, VLAN setup, and documentation. Contact our network team for a free assessment and quote specific to your office.

Should we use Cisco, MikroTik, or Ubiquiti for our office network?

For most Kenyan SMEs, we recommend MikroTik for routing and firewall, Ubiquiti UniFi for switches and WiFi. This gives you enterprise features at roughly 30-40% of the cost of equivalent Cisco gear. Cisco makes sense for large enterprises with in-house networking staff and existing Cisco infrastructure.

How often should office network equipment be replaced?

Switches and routers last 7-10 years typically. WiFi access points should be upgraded every 4-5 years as WiFi standards evolve (WiFi 6/6E makes a real difference). Replace immediately if your equipment is consumer-grade and you have more than 20 devices.

Do we need a separate guest WiFi network?

Yes. Always. Guest devices should never be on the same network as your staff computers, printers, and internal systems. A guest VLAN with internet access only takes 15 minutes to configure and is a basic security requirement.

What internet speed do we need for a 50-person office?

Minimum 100Mbps dedicated (not shared) fibre from Safaricom, JTL, or Liquid. If your team does a lot of video conferencing or cloud-based work, go for 200Mbps. Always have a secondary ISP connection for failover. The cost difference between 100Mbps and 200Mbps in Kenya is usually only KES 5,000-10,000 per month.

Why is our WiFi slow even though we have fast internet?

Nine times out of ten: too many devices on a single access point, APs placed too close together causing interference, or APs configured on overlapping channels. Less commonly: devices stuck on 2.4GHz when 5GHz is available, or the AP hardware simply cannot handle the number of connected clients.

Can we manage our own network or should we outsource?

If you have a dedicated IT person with networking certifications (CCNA or equivalent), you can manage it in-house. If your "IT person" is the office manager who happens to know how to restart the router, outsource it. Network issues are the kind of problem that takes an expert 20 minutes and a generalist 2 days.

How do we know if our network needs an upgrade?

Warning signs: frequent disconnections, slow speeds despite fast internet, staff using mobile hotspots instead of office WiFi, devices taking a long time to get an IP address, or the classic "it works fine in the morning but gets slow after lunch." Any of these warrant a network assessment.