IT Support Impact Summary
Designed a segmented campus network that improves day-to-day troubleshooting by isolating user, server, guest, printer, and management traffic. The design limits the impact of misconfigured or compromised devices and makes it easier to identify, contain, and resolve connectivity issues without disrupting other users.
This project models a secure small enterprise campus in Cisco Packet Tracer. I built a switched network with user, server, guest, printer, DMZ, and management segments, then applied access controls and hardening measures designed to reduce lateral movement and make support issues easier to isolate.
My role
Designed the VLAN structure, defined ACL logic, configured Layer 2 hardening, and documented how the network should behave when issues occur.
IT support relevance
Shows that I understand why clean segmentation matters when devices fail, users lose access, or support teams need to narrow down where a problem actually lives.
Network segmentation plan
| VLAN | Name | Purpose | Default gateway | Subnet |
|---|---|---|---|---|
| 10 | USERS | Internal staff PCs | 10.10.10.1 | 10.10.10.0/24 |
| 20 | SERVERS | Critical infrastructure | 10.10.20.1 | 10.10.20.0/24 |
| 30 | PRINTERS | Network print services | 10.10.30.1 | 10.10.30.0/24 |
| 40 | GUEST_WIFI | Internet-only guest access | 10.10.40.1 | 10.10.40.0/24 |
| 50 | DMZ | Public web services | 10.10.50.1 | 10.10.50.0/24 |
| 99 | MGMT | Infrastructure administration | 10.10.99.1 | 10.10.99.0/24 |
Hands-on proof
- Built access and security zones to separate user, guest, management, and public-facing traffic.
- Applied ACLs to keep guest traffic from reaching internal RFC 1918 networks.
- Used port security, DHCP snooping, PortFast, and BPDU Guard to harden edge ports.
- Placed public services in a DMZ behind a Cisco ASA firewall.
```
ip access-list extended GUEST_ISO_ACL
 permit udp 10.10.40.0 0.0.0.255 any eq 53
 permit udp any any eq 67
 deny ip 10.10.40.0 0.0.0.255 10.10.0.0 0.0.255.255
 permit ip any any
interface vlan 40
 ip access-group GUEST_ISO_ACL in
```
This ACL is a small example of how I limited guest access while preserving needed services like DNS and DHCP.
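
To check what the ACL above actually permits, the following added example (not part of the original project) models its four entries with IOS first-match semantics and runs constructed sample packets through it. The host addresses are made up, and matching is simplified to protocol, source, destination, and destination port.

```python
# Added example: first-match evaluation of GUEST_ISO_ACL (inbound on interface vlan 40).
import ipaddress

def wc(addr, wildcard):
    """Return a matcher for an IOS address + wildcard-mask pair."""
    a, w = int(ipaddress.IPv4Address(addr)), int(ipaddress.IPv4Address(wildcard))
    return lambda ip: (int(ipaddress.IPv4Address(ip)) | w) == (a | w)

ANY = lambda ip: True

# (action, protocol, source matcher, destination matcher, destination port or None)
GUEST_ISO_ACL = [
    ("permit", "udp", wc("10.10.40.0", "0.0.0.255"), ANY, 53),
    ("permit", "udp", ANY, ANY, 67),
    ("deny", "ip", wc("10.10.40.0", "0.0.0.255"), wc("10.10.0.0", "0.0.255.255"), None),
    ("permit", "ip", ANY, ANY, None),
]

def evaluate(acl, proto, src, dst, dport=None):
    """Return (action, entry index) of the first matching entry, IOS-style."""
    for i, (action, p, s, d, port) in enumerate(acl, start=1):
        if p not in ("ip", proto):
            continue  # entry is for a different protocol
        if port is not None and port != dport:
            continue  # entry has an "eq" port that does not match
        if s(src) and d(dst):
            return action, i
    return "deny", 0  # implicit deny at the end of every IOS ACL

# Constructed sample packets; host addresses are made up within the page's subnets.
SAMPLES = [
    ("udp", "0.0.0.0", "255.255.255.255", 67),     # DHCP discover from a new guest
    ("udp", "10.10.40.25", "8.8.8.8", 53),         # guest DNS to an external resolver
    ("tcp", "10.10.40.25", "10.10.20.10", 445),    # guest to SERVERS VLAN
    ("udp", "10.10.40.25", "10.10.20.10", 53),     # guest DNS to SERVERS VLAN
    ("tcp", "10.10.40.25", "192.168.1.10", 22),    # guest to a non-10.10.x.x private range
    ("tcp", "10.10.40.25", "93.184.216.34", 443),  # guest to the internet
]

def run():
    """Evaluate every sample packet and return the list of (action, entry) results."""
    return [evaluate(GUEST_ISO_ACL, *pkt) for pkt in SAMPLES]

if __name__ == "__main__":
    for pkt, (action, idx) in zip(SAMPLES, run()):
        print(f"{pkt!s:55} -> {action} (entry {idx})")
```

Because entry 1 matches before entry 3, guest UDP/53 to addresses inside 10.10.0.0/16 is permitted, and the deny covers 10.10.0.0/16 rather than every RFC 1918 range. Restricting entry 1 to the intended resolver and adding the other private ranges to the deny would tighten the policy.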
Risk and mitigation matrix
| Threat | Risk | Mitigation | Implementation |
|---|---|---|---|
| Unauthorized hardware | High | Port security | Sticky MAC + shutdown violations |
| Lateral movement | High | Segmentation | ACLs on Layer 3 SVIs |
| VLAN hopping | Medium | Trunk hardening | Dedicated native VLAN 99 |
| DHCP spoofing | Medium | DHCP snooping | Untrusted edge ports |
| External breach | Critical | DMZ isolation | ASA policy filtering |
What this proves
I think this project shows that I can build networks in a way that supports both security and support operations. The segmentation and policy choices are there to reduce blast radius, shorten troubleshooting time, and make escalation cleaner when something breaks.