In today’s digital landscape, secure network design is not just about connectivity; it’s about resilience, visibility, and scalability. When I took on the challenge of designing a new network infrastructure for Cloud Compute Ltd, a global cloud services provider preparing to move into a new three-storey headquarters, I wanted to create a design that could stand the test of performance, security, and growth.
The brief was simple but ambitious: connect 500+ employees across multiple departments, integrate dual ISPs for redundancy, protect critical assets through a multi-zone firewall strategy, and ensure seamless access to internal and external services, all within a simulated environment using Cisco Packet Tracer.
My approach followed a hierarchical design model, ensuring redundancy at every level: core, distribution, and access.
Two Cisco ASA 5506 firewalls formed the security perimeter, defining the inside, outside, and DMZ zones. Within the DMZ, public servers, such as web, email, and FTP, were isolated from internal systems, including AD, DHCP, and RADIUS.
The two Layer 3 distribution switches handled inter-VLAN routing, ensuring cross-departmental communication while maintaining logical segmentation. I configured OSPF for dynamic routing, HSRP for gateway redundancy, and EtherChannel (LACP) for link aggregation. Wireless access was centrally managed through a Cisco WLC, and voice traffic was delivered via a Cisco Voice Gateway supporting 4xx-series extensions.
Security was prioritised from the ground up: standard ACLs restricted SSH access to the management network; Port Security and DHCP Snooping hardened the access ports against unauthorised devices and rogue DHCP servers; STP PortFast with BPDU Guard protected edge ports against loops introduced by unauthorised switches; and all configurations followed the principle of least privilege.
In essence, this project was not just an exercise in design; it was a practical reflection on past networking projects and how security, scalability, and performance can harmonise within a well-architected network.
Cloud Compute Limited, a global provider of innovative cloud solutions, embarked on a major digital transformation initiative to support its rapid growth and new operational headquarters. With a workforce of 500+ employees distributed across multiple business units, the company required a secure, scalable, and highly available network infrastructure capable of sustaining business-critical operations, cloud service delivery, and cross-departmental collaboration.
This project involved the design and simulation of a next-generation enterprise network using Cisco technologies and industry-standard security architectures. The resulting design not only meets Cloud Compute’s immediate connectivity and performance needs but also lays a foundation for future cloud integration, remote access, and digital resilience.
Download project files (Cisco Packet Tracer and Configuration Commands): GitHub Repo
Cloud Compute’s expansion into a new three-storey headquarters demanded a network capable of:
Supporting business continuity with zero downtime.
Ensuring secure segmentation between internal systems, public services, and management networks.
Delivering high-performance connectivity for applications, cloud platforms, and VoIP services.
Enabling scalable infrastructure growth aligned with the company’s global service roadmap.
The project was designed to simulate a real-world enterprise-grade network, following Cisco’s Hierarchical Network Design Model (Core, Distribution, Access) and built around the principle of least privilege.
The new headquarters consists of three interconnected floors with departmental segmentation:
First Floor: Sales & Marketing, Human Resources, and Logistics
Second Floor: Finance & Accounts, Administration, and Public Relations
Third Floor: IT Department and Data Centre
A three-tier hierarchical architecture provides scalability, redundancy, and performance:
Core Layer: Dual Cisco ASA 5506 firewalls providing high-availability perimeter defence and multi-zone segmentation (Inside, DMZ, Outside).
Distribution Layer: Layer-3 Catalyst 3650 switches handling inter-VLAN routing, OSPF dynamic routing, and HSRP redundancy.
Access Layer: Catalyst 2960 switches connecting end-user devices, IP phones, and wireless access points.
This structure supports efficient fault isolation, simplified troubleshooting, and seamless network scalability.
To minimise downtime and ensure continuous service:
Dual ISPs (SEACOM & SAFCOM) provide internet redundancy; Router configuration commands.
Hot Standby Router Protocol (HSRP) offers failover at the gateway level, configured on Layer 3 switches; Layer 3 Switch configuration commands.
EtherChannel (LACP) aggregates bandwidth and mitigates single-link failures.
Virtualised servers run key services (AD/DHCP, DNS, RADIUS) on redundant hypervisors for maximum uptime.
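The ISP failover listed above is usually built with IP SLA tracking and a floating static route on the edge router. The following IOS fragment is an added example, not the project's own router configuration linked above: the SEACOM range 203.0.113.0/29 (gateway .1), the SAFCOM range 198.51.100.0/29 (gateway .1), the interface numbers and the probe target 192.0.2.1 are all assumptions, and NAT is omitted because the perimeter NAT in this design sits on the ASA pair.

```cisco
! Added example: dual-ISP failover on an edge router (not the project's own router config).
! Assumed: SEACOM hands us 203.0.113.0/29 with gateway .1, SAFCOM hands us 198.51.100.0/29
! with gateway .1, and 192.0.2.1 is a host beyond SEACOM that answers ICMP.
hostname EDGE-R1
!
interface GigabitEthernet0/0
 description SEACOM (primary)
 ip address 203.0.113.2 255.255.255.248
 no shutdown
!
interface GigabitEthernet0/1
 description SAFCOM (secondary)
 ip address 198.51.100.2 255.255.255.248
 no shutdown
!
! Probe a host beyond the primary ISP's edge rather than the next hop itself:
! the access link can stay up while the ISP loses its upstream.
ip sla 1
 icmp-echo 192.0.2.1 source-interface GigabitEthernet0/0
 timeout 2000
 frequency 10
ip sla schedule 1 life forever start-time now
!
track 1 ip sla 1 reachability
!
! Pin the probe target to SEACOM so the probe can never succeed via SAFCOM after a failover
ip route 192.0.2.1 255.255.255.255 203.0.113.1
! The primary default route is withdrawn when the track object goes down; the floating
! static (administrative distance 10) then takes over and is withdrawn again on recovery.
ip route 0.0.0.0 0.0.0.0 203.0.113.1 track 1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
!
! Verify: "show track 1" (Reachability Up/Down), "show ip route 0.0.0.0" (active next hop),
! then shut GigabitEthernet0/0 and confirm the default route moves to 198.51.100.1.
```

Probing the next-hop address instead of a host beyond it is the common mistake here: the ISP's access router keeps answering while its own upstream is down, and the default route never flips. IP SLA and object tracking are standard IOS features; older Packet Tracer releases do not support them on every router model.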
Security formed the backbone of the network design:
Three security zones (Outside, DMZ, Inside) managed by dual ASA firewalls; Firewall configuration commands.
DMZ isolation for public-facing servers (Web, Email, FTP, App, and NAS).
Internal zone for sensitive infrastructure (AD/DHCP, DNS, RADIUS).
Access Control Lists (ACLs) restrict SSH access to the management subnet only.
STP PortFast and BPDU Guard on edge ports bring user ports up immediately while err-disabling any port that receives a BPDU, so an unauthorised switch cannot introduce a loop or broadcast storm; Layer 2 Switch configuration commands.
Port Security to prevent unauthorised network devices from connecting to the company network.
DHCP Snooping to block 'rogue' DHCP servers on user ports, mitigating disruptions and DHCP-based attacks such as handing clients a malicious gateway or DNS server.
This layered security approach reduces attack surface and aligns with defence-in-depth strategies.
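The three-zone policy above translates into ASA security levels plus explicit interface ACLs. The fragment below is an added example and not the project's firewall configuration: the outside range 203.0.113.0/29, the inside transit 10.1.0.0/29, the DMZ 172.16.1.0/24, the web server 172.16.1.10 and the internal DNS server 10.1.99.53 are assumptions, as is the failover link on GigabitEthernet1/8. ASA active/standby failover is a standard feature of the platform but is not fully modelled in Packet Tracer.

```cisco
! Added example: three-zone ASA policy with active/standby failover (not the project's own
! firewall config). Assumed: outside 203.0.113.0/29, inside transit 10.1.0.0/29 towards the
! distribution switches, DMZ 172.16.1.0/24, web server 172.16.1.10, internal DNS 10.1.99.53.
hostname ASA1
!
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248 standby 203.0.113.3
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.1.0.1 255.255.255.248 standby 10.1.0.2
interface GigabitEthernet1/3
 nameif dmz
 security-level 50
 ip address 172.16.1.1 255.255.255.0 standby 172.16.1.2
!
! Active/standby failover over a dedicated link; the key keeps config replication off the wire in clear
failover lan unit primary
failover lan interface FOLINK GigabitEthernet1/8
failover interface ip FOLINK 10.255.255.1 255.255.255.252 standby 10.255.255.2
failover link FOLINK GigabitEthernet1/8
failover key ExampleKeyChangeMe
failover
!
! Objects and NAT (post-8.3 syntax: ACLs reference real addresses, not translated ones)
object network DMZ-WEB
 host 172.16.1.10
 nat (dmz,outside) static 203.0.113.4
object network INSIDE-NET
 subnet 10.1.0.0 255.255.0.0
 nat (inside,outside) dynamic interface
object network DMZ-NET
 subnet 172.16.1.0 255.255.255.0
 nat (dmz,outside) dynamic interface
!
! Outside -> only the published DMZ services; everything else is dropped and logged
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 443
access-list OUTSIDE-IN extended permit tcp any object DMZ-WEB eq 80
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! DMZ -> inside: once an ACL is bound to the DMZ interface the level-based default no longer
! applies, so the block towards the inside zone must be explicit. A compromised public server
! may resolve names via internal DNS and reach the Internet, nothing more.
access-list DMZ-IN extended permit udp 172.16.1.0 255.255.255.0 host 10.1.99.53 eq 53
access-list DMZ-IN extended deny ip 172.16.1.0 255.255.255.0 10.1.0.0 255.255.0.0 log
access-list DMZ-IN extended permit ip 172.16.1.0 255.255.255.0 any
access-group DMZ-IN in interface dmz
!
! Inside -> outside/DMZ is allowed by security level; return traffic rides the stateful
! connection table, so no "permit established" rules are needed on outside or dmz.
!
! Verify: "show failover" (Active / Standby Ready),
! "packet-tracer input outside tcp 198.51.100.9 40000 203.0.113.4 443" (ALLOW),
! "packet-tracer input dmz tcp 172.16.1.10 40000 10.1.99.53 445" (DROP by DMZ-IN).
```

The ordering inside DMZ-IN is the point worth checking in review: the deny towards 10.1.0.0/16 must sit above the permit to any, otherwise the DMZ gains a path into AD, DHCP and RADIUS the moment it is allowed out to the Internet.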
The network integrates:
One Cisco Wireless LAN Controller (WLC) manages Lightweight Access Points (LAPs) across all floors; WLC configuration commands.
Segmented SSIDs for corporate users, guests, and auditors.
Cisco Voice Gateway with VoIP support, assigning internal extensions (4xx) and enabling unified communications; VoIP configuration commands.
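The access-layer controls from the security section (SSH restricted to the management subnet, Port Security, DHCP Snooping, PortFast with BPDU Guard) and the voice VLAN that carries the IP phones come together on each Catalyst 2960. The fragment below is an added example, not the project's Layer 2 switch configuration: data VLAN 10, voice VLAN 110, management VLAN 99 on 10.1.99.0/24, the uplink on GigabitEthernet0/1 and the local admin account are assumptions.

```cisco
! Added example: access-layer hardening on a Catalyst 2960 (not the project's own switch
! config). Assumed: data VLAN 10, voice VLAN 110, management VLAN 99 on 10.1.99.0/24,
! the uplink on GigabitEthernet0/1, and a local admin account as the SSH login.
hostname ASW-F1-1
ip domain-name cloudcompute.example
username netadmin privilege 15 secret ChangeMe-Example
crypto key generate rsa modulus 2048
ip ssh version 2
!
! Only the management subnet may open an SSH session; every other attempt is dropped and logged
ip access-list standard MGMT-SSH
 permit 10.1.99.0 0.0.0.255
 deny   any log
!
line vty 0 15
 access-class MGMT-SSH in
 transport input ssh
 login local
 exec-timeout 10 0
!
interface Vlan99
 ip address 10.1.99.11 255.255.255.0
ip default-gateway 10.1.99.1
!
! DHCP snooping: OFFER/ACK are accepted only from the trusted uplink, so a rogue server on
! a user port is dropped. Option 82 insertion is off so the upstream relay is not confused.
ip dhcp snooping
ip dhcp snooping vlan 10,110
no ip dhcp snooping information option
!
interface GigabitEthernet0/1
 description Uplink to DSW1
 switchport mode trunk
 switchport trunk allowed vlan 10,99,110
 ip dhcp snooping trust
!
! Edge ports: one PC behind one IP phone, hence two MAC addresses; no switch belongs here,
! so a received BPDU err-disables the port. "restrict" drops extra MACs and logs, without
! taking the phone down with it.
interface range FastEthernet0/1 - 24
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 ip dhcp snooping limit rate 15
!
! Verify: "show ip dhcp snooping" (trusted = uplink only), "show port-security interface fa0/1",
! "show spanning-tree interface fa0/1 portfast"; plugging a second switch into fa0/1 should
! err-disable the port, and SSH from a user-VLAN host should be refused.
```

Two things to check after applying this: the uplink must be trusted before DHCP snooping is enabled globally, or every client in the VLAN loses its lease at the next renewal; and the sticky MAC addresses are written to the running configuration, so a `write memory` is needed for them to survive a reload.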
Routing is handled through OSPF for dynamic path selection and efficient route advertisement across all network devices, ensuring fast convergence and optimal data flow.
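The HSRP, EtherChannel and OSPF pieces from the redundancy section and the routing sentence above land on the two distribution switches. The following is an added example and not the project's Layer 3 switch configuration: the VLAN IDs (10 data, 110 voice, 2 as an OSPF transit VLAN between the two switches), the 10.1.0.0/16 addressing, the ASA inside address 10.1.0.1, the routed uplink on Gi1/0/24, the HSRP priorities and the OSPF key are assumptions. DSW2 would carry the mirror configuration with the default HSRP priority of 100. Object tracking and OSPF MD5 authentication are standard IOS features that Packet Tracer may not fully support.

```cisco
! Added example: distribution switch DSW1 with LACP, HSRP and OSPF (not the project's own
! Layer 3 switch config). Assumed: VLANs 2/10/99/110, 10.1.0.0/16 addressing, the ASA inside
! address 10.1.0.1/29, the routed uplink on Gi1/0/24, and Gi1/0/1-2 as the link to DSW2.
! DSW2 carries the mirror configuration with the default HSRP priority of 100.
hostname DSW1
ip routing
!
! Two physical links to DSW2 bundled with LACP; the bundle survives a single-link failure
interface range GigabitEthernet1/0/1 - 2
 channel-group 1 mode active
 no shutdown
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 2,10,99,110
!
! Gateway for the Sales & Marketing data VLAN: DSW1 is preferred (110 > 100) and reclaims
! the active role 60 s after it returns; losing the uplink drops it to 90 so DSW2 takes over.
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.1.10.1
 standby 10 priority 110
 standby 10 preempt delay minimum 60
 standby 10 track 1 decrement 20
!
interface Vlan110
 ip address 10.1.110.2 255.255.255.0
 standby version 2
 standby 110 ip 10.1.110.1
 standby 110 priority 110
 standby 110 preempt delay minimum 60
 standby 110 track 1 decrement 20
!
track 1 interface GigabitEthernet1/0/24 line-protocol
!
! Routed uplink towards the ASA inside interface
interface GigabitEthernet1/0/24
 no switchport
 ip address 10.1.0.3 255.255.255.248
 ip ospf message-digest-key 1 md5 ExampleKeyChangeMe
!
! OSPF transit between DSW1 and DSW2 over the port-channel
interface Vlan2
 ip address 10.1.2.1 255.255.255.252
 ip ospf message-digest-key 1 md5 ExampleKeyChangeMe
!
! OSPF: advertise the campus subnets, send hellos only where a neighbour is expected,
! and refuse unauthenticated adjacencies so a rogue device cannot inject routes.
router ospf 1
 router-id 1.1.1.1
 passive-interface default
 no passive-interface GigabitEthernet1/0/24
 no passive-interface Vlan2
 network 10.1.0.0 0.0.255.255 area 0
 area 0 authentication message-digest
!
! Verify: "show standby brief" (Active on DSW1, Standby on DSW2), "show etherchannel summary"
! (Po1 flagged SU with both members P), "show ip ospf neighbor" (FULL on Vlan2 and Gi1/0/24),
! then shut Gi1/0/24 and confirm "show standby brief" now shows DSW2 as Active.
```

`passive-interface default` is the security-relevant line: every user-facing SVI stays silent, so a host in a department VLAN never sees OSPF hellos and cannot form an adjacency even if it speaks the protocol, while the two links where neighbours are expected are authenticated.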
Post-deployment, the simulation underwent comprehensive validation (see screenshots below) to ensure:
Successful communication between VLANs and departments.
Automatic failover during simulated ISP and gateway outages.
Correct DHCP lease distribution.
Enforcement of access control policies between the inside and DMZ zones.
VoIP and Wi-Fi performance under normal and failover conditions.
Operational Continuity: Redundant firewalls, ISPs, and virtual servers are designed for near-zero downtime.
Enhanced Security: Segmentation and multi-zone defence significantly reduce attack surface and lateral movement risk.
Scalability: Modular design supports seamless integration of future departments and cloud resources.
Optimised Productivity: High-speed wired and wireless access enhances employee collaboration and system responsiveness.
Departmental DHCP Assignment
Network Engineer's Laptop DHCP Assignment
Printer DHCP LAN IP Assignment
IP Phone DHCP Assignment
WiFi Access Point WLC Management IP and SSIDs
Laptop Smartphone IP Assignment via DHCP/WLC
Laptop WiFi IP Assignment via DHCP/WLC
IP Phone VoIP Call Functionality Confirmed
Inter-VLAN Ping & Tracert Results
Ping & Tracert Results - Marketing & Internet
HSRP Failover Testing