A fully designed & implemented secure enterprise network for a 3-floor corporate building, featuring firewalls, DMZ, WLC, VLANs, HSRP redundancy, VoIP, cloud connectivity, and ISP failover.
High-level logical view showing how ISP connectivity, security zones, core switching, access layers, and enterprise services interact in a production-grade network.
Logical topology (the project's ASCII diagram, rendered here as a hierarchy):

- Cloud / Internet: external clients in the USA and in China
- ISP 1 (Seacom) and ISP 2 (Safaricom), each terminated on its own Cisco 2911 edge router
- ASA Firewall 1 (Outside / DMZ / LAN zones) and ASA Firewall 2 (redundant pair)
- Core layer, HSRP + EtherChannel:
  - Core Switch 1, Cisco 3650, HSRP Active
  - Core Switch 2, Cisco 3650, HSRP Standby
  - EtherChannel bundle between the two core switches
- Access layer: Cisco 2960 access switches connected to the core layer
- VLANs behind the access switches:
  - VLAN 10, Management: SSH / SNMP
  - VLAN 20, LAN Users: PCs / printers
  - VLAN 50, WiFi APs: WLC
  - VLAN 70, VoIP Phones: IP phones
  - VLAN 90, Internal Servers: AD / DNS / DHCP

DMZ zone (Internet -> ASA firewall, DMZ interface):

- Web Server: public site
- Mail Server: email services
- FTP Server: file uploads

Wireless (Cisco 2504 WLC on VLAN 50, WLAN):

- Lightweight AP, Floor 1
- Lightweight AP, Floors 2 / 3

Voice (Cisco 2811 Voice Gateway running CME + TFTP, on VLAN 70):

- IP Phone, Dept A
- IP Phone, Dept B
- IP Phone, Dept C
This project simulates a real enterprise-class secure network infrastructure for a cloud-technology company with 600+ employees, multiple floors, department segmentation, redundancy, VoIP services, wireless infrastructure, server rooms, and DMZ hosting.
This project demonstrates:
- Enterprise LAN design
- Multi-layer switching
- Firewall zone segmentation
- Server deployment
- Wireless LAN controller infrastructure
- VoIP telephony setup
- ISP redundancy & cloud customer access
- Full security hardening
- Scalable and future-proof network build
Objectives:

✔ Provide secure connectivity for all departments
✔ Segment the network using VLANs & firewalls
✔ Support cloud-based client access
✔ Enable VoIP communication
✔ Provide high availability (HSRP + EtherChannel)
✔ Allow wireless mobility via WLC + LAPs
✔ Secure critical servers using DMZ + Internal Zones
ISP layer:
- ISP1 – Seacom
- ISP2 – Safaricom
- Each connects to the company through its own Cisco 2911 edge router
- Provides dual-homed Internet redundancy
Firewall layer:
- Two Cisco ASA 5506-X Firewalls
- Configured with three security zones:
- Outside Zone (ISP links)
- DMZ Zone (public servers)
- Inside Zone (internal LAN)
Core layer:
- Two Cisco 3650 Multilayer Switches
- Running:
- HSRP (Gateway redundancy)
- OSPF / Static Routing
- Layer-3 SVI interfaces
- EtherChannel (LACP) between core switches
Access layer:
- Cisco 2960 switches across 6 departments:
- Sales & Marketing
- HR & Logistics
- Finance & Accounts
- Admin & Public Relations
- ICT Department
- Server Room
Each access switch includes:
- VLAN trunk uplinks
- Wireless AP uplinks
- PC, IP Phone, Printer connections
VLAN design:

| VLAN | Name | Purpose |
|---|---|---|
| 10 | MANAGEMENT | Switch, WLC, Firewall mgmt |
| 20 | LAN (Wired Users) | PCs & wired hosts |
| 50 | WLAN | Access points + wireless clients |
| 70 | VOICE | IP Phones + Voice Gateway |
| 90 | SERVER-INSIDE | AD, DHCP, DNS, RADIUS |
| 199 | BLACKHOLE | Disabled & unused ports |
Wireless:
- Cisco 2504 Wireless LAN Controller
- Lightweight Access Points (LAPs)
- Centrally managed Wi-Fi SSIDs for VLAN 50
- Mobility + Scalability for future expansion
Internal servers (VLAN 90):

| Server | Function |
|---|---|
| Active Directory | User authentication & Group Policy |
| DHCP Server | IP distribution for VLAN 10 / 20 / 50 |
| DNS Server | Internal name resolution |
| RADIUS Server | 802.1X & device authentication |
DMZ servers:

| Server | Function |
|---|---|
| Web Server | Public website |
| Email Server | Corporate mail |
| FTP Server | Customer data uploads |
| App Server | Cloud application services |
| File Storage | Publicly accessible storage |
VoIP:
- Cisco 2811 Voice Gateway
- IP Phones in all departments
- Voice VLAN 70
- Numbering format: 4XX per department
- DHCP Option 150 for TFTP auto-configuration
Firewall policy:
- Strict ACLs between:
- Inside ↔ DMZ
- Inside ↔ Outside
- DMZ ↔ Outside
- Public services exposed only via DMZ
- Internal services never accessible from outside
Switch security:
- BPDU Guard
- PortFast
- Blackhole VLAN for all unused ports
- SSH access restricted to Management VLAN only
Routing redundancy:
- HSRP failover
- OSPF internal segmentation
- Static routes for DMZ + ASA
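The switch hardening listed above (PortFast, BPDU Guard, blackhole VLAN for unused ports, SSH only from the Management VLAN) on one Cisco 2960, written as an added example rather than the project's own configuration; the port ranges, the 10.10.0.0/24 management subnet, the domain name and the local user are assumptions:

```cisco
! Access switch (Cisco 2960) port hardening. Port ranges, the VLAN 10
! subnet 10.10.0.0/24, domain name and local user are assumptions.
vlan 199
 name BLACKHOLE
!
! Edge ports: wired user on VLAN 20 plus an IP phone on voice VLAN 70
interface range FastEthernet0/1 - 20
 switchport mode access
 switchport access vlan 20
 switchport voice vlan 70
 switchport nonegotiate
 spanning-tree portfast
 spanning-tree bpduguard enable
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
! Unused ports: parked in the blackhole VLAN and shut down
interface range FastEthernet0/21 - 24
 switchport mode access
 switchport access vlan 199
 switchport nonegotiate
 shutdown
!
! Uplinks to the core: explicit trunk, unused VLAN as native, no DTP
interface range GigabitEthernet0/1 - 2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,50,70
 switchport trunk native vlan 199
 switchport nonegotiate
!
! BPDU Guard by default on every PortFast port, even ones added later
spanning-tree portfast bpduguard default
!
! SSHv2 only, and only from the management VLAN
ip domain-name corp.example
crypto key generate rsa modulus 2048
ip ssh version 2
username netadmin privilege 15 secret PLACEHOLDER-CHANGE-ME
ip access-list standard MGMT-ONLY
 permit 10.10.0.0 0.0.0.255
 deny any log
line vty 0 15
 access-class MGMT-ONLY in
 transport input ssh
 login local
```

A server-room switch would additionally allow VLAN 90 on its uplink trunk; the department switch above deliberately does not carry it.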
ISP failover: traffic switches automatically to ISP2 if the ISP1 link fails.

HSRP gateway load sharing:
- Core-1 = active for VLAN 10 & 20
- Core-2 = active for VLAN 50 & 90
- Each is standby for the other's VLANs, so the gateway role is load balanced across both cores.
EtherChannel: three physical links between the core switches are bundled for:
- Faster throughput
- Stability
- Instant link failover
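The HSRP load sharing and the LACP bundle described above, written out for one VLAN pair on both core switches as an added example (not the project's configuration); port numbers, subnets, the tracked uplink, the DHCP server address 10.90.0.10 and the HSRP key are assumptions:

```cisco
! Core-1 (Cisco 3650). VLAN 20 and 50 are shown; VLAN 10 is configured
! like VLAN 20 and VLAN 90 like VLAN 50. Ports, subnets, the tracked
! uplink, the DHCP server 10.90.0.10 and the HSRP key are assumptions.
! EtherChannel: three links to Core-2 bundled with LACP, trunking all VLANs
interface range GigabitEthernet1/0/1 - 3
 channel-group 1 mode active
interface Port-channel1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,50,70,90
! Track the uplink toward the ASA pair; HSRP priority drops if it goes down
track 1 interface GigabitEthernet1/0/24 line-protocol
! VLAN 20: Core-1 active (110), preempts 30 s after coming back; the
! helper relays DHCP to the server on VLAN 90; MD5 keeps rogue peers out
interface Vlan20
 ip address 10.20.0.2 255.255.255.0
 ip helper-address 10.90.0.10
 standby version 2
 standby 20 ip 10.20.0.1
 standby 20 priority 110
 standby 20 preempt delay minimum 30
 standby 20 authentication md5 key-string HSRP-KEY-PLACEHOLDER
 standby 20 track 1 decrement 30
! VLAN 50: Core-1 standby (90); Core-2 runs 110 for this group
interface Vlan50
 ip address 10.50.0.2 255.255.255.0
 ip helper-address 10.90.0.10
 standby version 2
 standby 50 ip 10.50.0.1
 standby 50 priority 90
 standby 50 preempt
 standby 50 authentication md5 key-string HSRP-KEY-PLACEHOLDER
! Core-2: same EtherChannel and track object, SVIs with priorities swapped
interface Vlan20
 ip address 10.20.0.3 255.255.255.0
 ip helper-address 10.90.0.10
 standby version 2
 standby 20 ip 10.20.0.1
 standby 20 priority 90
 standby 20 preempt
 standby 20 authentication md5 key-string HSRP-KEY-PLACEHOLDER
interface Vlan50
 ip address 10.50.0.3 255.255.255.0
 ip helper-address 10.90.0.10
 standby version 2
 standby 50 ip 10.50.0.1
 standby 50 priority 110
 standby 50 preempt delay minimum 30
 standby 50 authentication md5 key-string HSRP-KEY-PLACEHOLDER
 standby 50 track 1 decrement 30
```

With decrement 30 the active router's priority falls to 80, below the peer's 90, so an uplink failure moves the gateway rather than leaving a black-holed active router.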
Cloud client access: a simulated cloud router connects:
- External USA client
- External China client
These clients can securely access DMZ public services.
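The zone policy behind that access (external clients reach only the published DMZ services, the inside zone stays unreachable from outside and from the DMZ), written as an added ASA example rather than the project's own configuration; interface numbers, subnets and the public address 203.0.113.10 are assumptions:

```cisco
! ASA 5506-X zone policy. Interface numbers, subnets and the public
! address 203.0.113.10 are assumptions; 10.0.0.0/8 stands for all inside VLANs.
interface GigabitEthernet1/1
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet1/2
 nameif inside
 security-level 100
 ip address 10.1.1.1 255.255.255.252
interface GigabitEthernet1/3
 nameif dmz
 security-level 50
 ip address 172.16.0.1 255.255.255.0
!
! NAT: the DMZ web server is published 1:1; inside users hide behind the
! outside interface address
object network WEB-DMZ
 host 172.16.0.10
 nat (dmz,outside) static 203.0.113.10
object network INSIDE-NETS
 subnet 10.0.0.0 255.0.0.0
 nat (inside,outside) dynamic interface
!
! Outside -> DMZ: only the published services, matched on the real DMZ IP
! (post-8.3 ACL semantics); nothing from outside reaches inside
access-list OUTSIDE-IN extended permit tcp any host 172.16.0.10 eq www
access-list OUTSIDE-IN extended permit tcp any host 172.16.0.10 eq https
access-list OUTSIDE-IN extended deny ip any any log
access-group OUTSIDE-IN in interface outside
!
! DMZ -> Inside: denied and logged; DMZ -> Outside still allowed for updates
access-list DMZ-IN extended deny ip any 10.0.0.0 255.0.0.0 log
access-list DMZ-IN extended permit ip 172.16.0.0 255.255.255.0 any
access-group DMZ-IN in interface dmz
!
! Inside -> DMZ: only the ports users and admins actually need
access-list INSIDE-IN extended permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0 eq www
access-list INSIDE-IN extended permit tcp 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0 eq https
access-list INSIDE-IN extended permit tcp 10.10.0.0 255.255.255.0 172.16.0.0 255.255.255.0 eq ssh
access-list INSIDE-IN extended deny ip 10.0.0.0 255.0.0.0 172.16.0.0 255.255.255.0 log
access-list INSIDE-IN extended permit ip 10.0.0.0 255.0.0.0 any
access-group INSIDE-IN in interface inside
!
! Management only from VLAN 10 over SSH; default route toward the edge
! routers, inside VLANs reachable through the core HSRP pair
ssh 10.10.0.0 255.255.255.0 inside
route outside 0.0.0.0 0.0.0.0 203.0.113.1
route inside 10.0.0.0 255.0.0.0 10.1.1.2
```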
The project includes the following configurations:

Switching (core and access):
- VLAN creation + SVI interfaces
- Trunking
- EtherChannel (LACP)
- BPDU Guard, PortFast
- DHCP relay using IP helper-address
- Inter-VLAN routing

Routing (core):
- HSRP VIPs
- Static routes
- OSPF for internal distribution

ASA firewalls:
- Inside, Outside, DMZ interfaces
- NAT rules
- ACLs
- Static routes
- Security levels

DHCP:
- Pools for Management, LAN, WiFi, Voice
- Excluded addresses
- Option 150 for IP Phones

Voice (CME):
- Dial-peers
- Telephony service
- Phone registration
- Voice VLAN assignments
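The voice pieces of those configurations (voice DHCP pool with option 150, telephony service, phone registration, 4XX numbering) on the Cisco 2811, as an added example that is not the project's configuration; the gateway address 10.70.0.5, the VLAN 70 subnet, the department labels and the phone MAC addresses are assumptions:

```cisco
! Cisco 2811 voice gateway: voice DHCP pool with option 150 so phones
! fetch their config from the CME TFTP service, plus the 4XX dial plan.
! The VLAN 70 subnet, gateway address 10.70.0.5 and MACs are assumptions.
ip dhcp excluded-address 10.70.0.1 10.70.0.20
ip dhcp pool VOICE-VLAN70
 network 10.70.0.0 255.255.255.0
 default-router 10.70.0.1
 option 150 ip 10.70.0.5
!
! Voice VLAN 70 sub-interface on the gateway (router-on-a-stick to the core)
interface FastEthernet0/0.70
 encapsulation dot1Q 70
 ip address 10.70.0.5 255.255.255.0
!
! CME: phones register to 10.70.0.5 and pull firmware/config over TFTP
telephony-service
 max-ephones 60
 max-dn 120
 ip source-address 10.70.0.5 port 2000
 auto assign 1 to 120
 create cnf-files
!
! Numbering: 4XX per department (401 Sales, 402 HR as examples)
ephone-dn 1
 number 401
 label Sales
ephone-dn 2
 number 402
 label HR
!
! Phone registration: each phone is pinned to its MAC and a directory number
ephone 1
 mac-address 0001.0001.0001
 type 7960
 button 1:1
ephone 2
 mac-address 0001.0001.0002
 type 7960
 button 1:2
```

Data VLANs keep their pools on the internal DHCP server; only the voice pool lives on the gateway, so the phones' option 150 points at the same device that serves their configuration files.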
This project demonstrates a fully functional, enterprise-level secure network with:
- Redundancy
- Security zones
- Wireless infrastructure
- VoIP telephony
- Cloud access
- Modern industry-standard architecture