Cisco CCNA Prep – Complete Beginner to Intermediate Guide
CHAPTER 20 Intermediate

Build a Complete Enterprise Network

Updated: May 16, 2026
45 min read


1. Introduction

You have completed the theoretical and practical journey of the CCNA curriculum. You have studied the OSI layers, calculated binary subnets, configured switch access ports, mapped OSPF routing, and defended the perimeter with Firewalls and ACLs. However, in the real world, these technologies do not exist in isolation. They are intertwined gears in a massive machine. In this final capstone chapter, you will transition from student to Network Architect. We will design and logically configure a complete, end-to-end Enterprise Network for a fictional company, synthesizing every core concept learned in the previous 19 chapters into a single cohesive deployment.

2. The Final Project Scenario

The Client: GlobalCorp HQ

The Requirements: GlobalCorp has leased a new building. You must design the network from scratch.
  1. Segmentation: The network must support two isolated departments: Employees and Guests.
  2. IP Addressing: You are assigned the 10.0.0.0/16 Private IP block.
  3. Core Routing: The building has a Core Router connected to a Layer 2 Switch.
  4. Internet Access: The Core Router connects to an ISP Router via a /30 link. Internal users must be able to browse the internet securely.

3. Phase 1: Subnet and IP Design

You must divide the 10.0.0.0/16 space efficiently using VLSM.
  • VLAN 10 (Employees): Needs 200 IPs.
      • Subnet: 10.0.10.0 /24 (Supports 254 hosts).
      • Default Gateway: 10.0.10.1
  • VLAN 20 (Guests): Needs 50 IPs.
      • Subnet: 10.0.20.0 /26 (Supports 62 hosts).
      • Default Gateway: 10.0.20.1
  • WAN Link (HQ Router to ISP): Needs exactly 2 IPs.
      • Subnet: 203.0.113.0 /30
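
The Phase 1 plan can be checked mechanically before any device is touched. The following is an added example, not part of the original course material; the function names `smallest_prefix`, `check_plan` and `wildcard` are hypothetical. It confirms each subnet is the smallest that fits, sits inside 10.0.0.0/16, does not overlap another, and it derives the wildcard masks the later NAT and ACL steps rely on.

```python
import ipaddress

BLOCK = ipaddress.ip_network("10.0.0.0/16")

# (name, required hosts, chosen subnet, default gateway) from the Phase 1 plan.
PLAN = [
    ("VLAN 10 Employees", 200, "10.0.10.0/24", "10.0.10.1"),
    ("VLAN 20 Guests", 50, "10.0.20.0/26", "10.0.20.1"),
]

def smallest_prefix(hosts):
    """Longest IPv4 prefix whose usable host count (2^n - 2) covers `hosts`."""
    host_bits = 2
    while (1 << host_bits) - 2 < hosts:
        host_bits += 1
    return 32 - host_bits

def check_plan(plan, block=BLOCK):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems, seen = [], []
    for name, need, cidr, gw in plan:
        net = ipaddress.ip_network(cidr)  # raises ValueError if host bits are set
        usable = net.num_addresses - 2
        if usable < need:
            problems.append(f"{name}: {usable} usable hosts < {need} required")
        if net.prefixlen < smallest_prefix(need):
            problems.append(f"{name}: /{net.prefixlen} wastes address space")
        if not net.subnet_of(block):
            problems.append(f"{name}: {net} is outside {block}")
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip not in net or gw_ip in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: gateway {gw} is not a usable host in {net}")
        for other_name, other in seen:
            if net.overlaps(other):
                problems.append(f"{name}: {net} overlaps {other_name} ({other})")
        seen.append((name, net))
    return problems

def wildcard(cidr):
    """Wildcard (inverse) mask used by IOS ACL and OSPF network statements."""
    return str(ipaddress.ip_network(cidr).hostmask)

if __name__ == "__main__":
    print(check_plan(PLAN) or "plan OK")
    print("Guest wildcard:", wildcard("10.0.20.0/26"))
```

The WAN /30 is left out of `PLAN` because it is a public range outside the 10.0.0.0/16 block.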

4. Phase 2: Layer 2 Switch Configuration

We must configure the switch to isolate the departments and send traffic up to the router. *(Command syntax for the core switch)*
```
enable
configure terminal
hostname HQ-Switch

! Create the VLANs
vlan 10
 name Employees
vlan 20
 name Guests

! Assign Access Ports for the PCs
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10

interface FastEthernet0/2
 switchport mode access
 switchport access vlan 20

! Configure the Trunk Port pointing to the Router
interface GigabitEthernet0/1
 switchport mode trunk
```

5. Phase 3: Router-on-a-Stick (Inter-VLAN Routing)

The router needs to act as the Default Gateway for both VLANs using a single physical cable. We create "Sub-interfaces." *(Command syntax for the HQ Router)*
```
enable
configure terminal
hostname HQ-Router

! Turn on the physical port
interface GigabitEthernet0/0
 no shutdown

! Configure Sub-interface for VLAN 10
interface GigabitEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.0.10.1 255.255.255.0

! Configure Sub-interface for VLAN 20
interface GigabitEthernet0/0.20
 encapsulation dot1Q 20
 ip address 10.0.20.1 255.255.255.192
```

6. Phase 4: Dynamic Routing and NAT

The HQ Router must route traffic to the ISP and translate Private IPs to Public IPs using NAT Overload (PAT).

Step 1: OSPF Routing

```
router ospf 1
 network 10.0.0.0 0.0.255.255 area 0
 default-information originate
```

*(This tells OSPF to advertise internal networks and share the default route).*

Step 2: Default Static Route

```
ip route 0.0.0.0 0.0.0.0 203.0.113.2
```

Step 3: Configure PAT (NAT Overload)

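```
! Define who is allowed to be translated
access-list 1 permit 10.0.0.0 0.0.255.255

! Translate matching sources to the address of the Outside interface
ip nat inside source list 1 interface GigabitEthernet0/1 overload

! Define the Inside interfaces. The VLAN gateways live on the sub-interfaces,
! so "ip nat inside" goes there, not on the physical port.
interface GigabitEthernet0/0.10
 ip nat inside
interface GigabitEthernet0/0.20
 ip nat inside

! Define the Outside interface (WAN link to the ISP). HQ takes 203.0.113.1,
! the other usable host in the /30; the default route points at 203.0.113.2.
interface GigabitEthernet0/1
 ip address 203.0.113.1 255.255.255.252
 ip nat outside
 no shutdown
```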

7. Phase 5: Security (ACLs)

The Guest network (VLAN 20) should reach the internet, but must be blocked from reaching the Employee network (VLAN 10).
```
! Create Extended ACL
access-list 100 deny ip 10.0.20.0 0.0.0.63 10.0.10.0 0.0.0.255
access-list 100 permit ip any any

! Apply it Inbound on the Guest Sub-interface
interface GigabitEthernet0/0.20
 ip access-group 100 in
```

8. Phase 6: Verification

The architecture is built. How do you prove it works?
  1. Log into an Employee PC (10.0.10.5).
  2. Type ping 8.8.8.8 (Simulating the internet).
      • *Result: Success.* (Proves Routing and NAT are working).
  3. Log into a Guest PC (10.0.20.5).
  4. Type ping 10.0.10.5 (Trying to hack the Employee PC).
      • *Result: Destination Host Unreachable.* (Proves the Security ACL is working perfectly).
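
The same checks can be rehearsed offline by modelling ACL 100 from Phase 5 with first-match evaluation and wildcard masks. This is an added example, not part of the original course material; `wildcard_match`, `evaluate` and `round_trip` are hypothetical helpers, and the model assumes unspoofed sources, so a packet with a Guest source address is treated as entering on Gi0/0.20.

```python
import ipaddress

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard match: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

# ACL 100 from Phase 5 as (action, src, src_wildcard, dst, dst_wildcard).
# "any" is equivalent to 0.0.0.0 255.255.255.255.
ANY = ("0.0.0.0", "255.255.255.255")
ACL_100 = [
    ("deny", "10.0.20.0", "0.0.0.63", "10.0.10.0", "0.0.0.255"),
    ("permit", *ANY, *ANY),
]

def evaluate(acl, src, dst):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, s, sw, d, dw in acl:
        if wildcard_match(src, s, sw) and wildcard_match(dst, d, dw):
            return action
    return "deny"

def round_trip(src, dst):
    """True only if the request and its reply both get through the router.

    ACL 100 is applied inbound on the Guest sub-interface only, so packets
    from any other source are not filtered. The ACL is stateless: a reply
    from a Guest host to an Employee host is dropped like any other packet.
    """
    def ingress(s, d):
        from_guest = wildcard_match(s, "10.0.20.0", "0.0.0.63")
        return evaluate(ACL_100, s, d) if from_guest else "permit"
    return ingress(src, dst) == "permit" and ingress(dst, src) == "permit"

if __name__ == "__main__":
    print("guest -> employee:", evaluate(ACL_100, "10.0.20.5", "10.0.10.5"))
    print("guest -> internet:", evaluate(ACL_100, "10.0.20.5", "8.8.8.8"))
    print("employee <-> guest round trip:", round_trip("10.0.10.5", "10.0.20.5"))
    # Entry order matters: with the permit first, the deny is never reached.
    print("reversed order:", evaluate(ACL_100[::-1], "10.0.20.5", "10.0.10.5"))
```

The round-trip result shows that an Employee PC pinging a Guest PC also fails, because the reply is dropped on its way back in through Gi0/0.20.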

9. Course Conclusion

You have reached the end of Cisco CCNA Prep – Complete Beginner to Intermediate Guide. You have successfully evolved from understanding basic LAN topologies to architecting a fully functional, secure, routed enterprise network utilizing VLSM, Router-on-a-Stick, OSPF, and NAT.

Network Engineering is not about memorizing commands; it is about understanding the systemic flow of data. When you can visualize a packet leaving a web browser at Layer 7, being encapsulated with a TCP segment, stamped with an IP address, tagged with an 802.1Q VLAN header, swapped via NAT, and blasted out a physical fiber optic cable—you have become an engineer.

You are now equipped with the foundational knowledge required to tackle the official Cisco 200-301 CCNA certification exam. Build your home labs, practice your CLI commands, and trust your troubleshooting methodology.

Congratulations on completing the course!
