How to Design a Hospital Network in Cisco Packet Tracer

Design a hospital network in Cisco Packet Tracer — segmented departments, a redundant core, server isolation, and ACLs — and understand the redundancy and security choices. Generate a working .pkt with NetPilot.

Sarah Chen
Network Engineer

To design a hospital network in Cisco Packet Tracer, you build isolated VLANs for each department, sit them on a redundant core of two multilayer switches, and lock the clinical and server traffic behind ACLs so a wide-open ward PC can't reach the patient-records server. The goal of this kind of project is twofold: the network has to keep running when a link dies (uptime), and sensitive systems have to stay walled off (isolation). Let's build the whole thing — generate a working .pkt with NetPilot that you can open, and a design you can actually defend when your instructor asks "why two core switches?"

What this hospital project needs

A hospital network in Cisco Packet Tracer is really a small enterprise network with two non-negotiable themes: availability and segmentation. Patients don't tolerate a network that goes down, and patient data can't leak between departments. So before placing a single switch, a Packet Tracer hospital project usually expects you to deliver:

  • Departmental VLANs — Wards, Radiology, Admin, Pharmacy, and a dedicated Servers VLAN (EHR, DNS, DHCP). Each gets its own broadcast domain so a problem in one department doesn't ripple into another.
  • A redundant core — two multilayer (Layer 3) switches with redundant links so any single cable or switch can fail without taking the hospital offline.
  • Routing between the core and the distribution/access layer so VLANs can talk to the services they're allowed to reach.
  • Services — DHCP scopes per VLAN, plus DNS, hosted on the Servers VLAN.
  • Security — ACLs that isolate clinical and medical-device traffic from general office traffic, and that protect the EHR server.

That's the rubric. Now let's get it built quickly, then take it apart so you understand every line.

The fast way: describe it to NetPilot

The fastest path is to describe the hospital in plain English and let NetPilot's AI agent design it for you. Drop this into the chat at app.netpilot.io:

Design a hospital network with five VLANs — Wards, Radiology, Admin, Pharmacy, and Servers (EHR, DNS, DHCP). Use two multilayer core switches with EtherChannel and HSRP for gateway redundancy, OSPF single-area routing, DHCP per VLAN, and ACLs that block the ward and office VLANs from reaching the EHR server. Export it as a Packet Tracer file.

NetPilot reads that, designs the topology, writes the per-device Cisco IOS configuration for every switch, and exports a working .pkt you open directly in Cisco Packet Tracer — and it explains why it made each choice as it goes. That .pkt round-trip is the part a text-only tool like ChatGPT can't do: it can describe a config, but it can't read or write the binary Packet Tracer file you actually submit.

And you're never locked into the generated answer. Direct CLI is always available too — NetPilot runs a real Cisco IOL CLI in your browser (bring your own Cisco image), so you can paste any config in by hand, change it, and confirm show ip ospf neighbor or show etherchannel summary returns what you expect before you trust it. The agent gets you a correct starting point fast; the CLI lets you prove it to yourself.

The design, explained

Topology layers

Think of the network in two layers. The core is two multilayer switches (Core-A and Core-B) cross-linked to each other and to every distribution switch. The access layer is the per-floor or per-department switches the actual ward PCs, radiology workstations, and pharmacy terminals plug into. The redundancy lives in the core: if Core-A dies, Core-B keeps routing. Here's why we double up only the core — it's the single point every department depends on, so it's where a failure hurts most.

VLAN and IP-addressing plan

Each department is its own VLAN and its own subnet. Keeping them separate is what lets your ACLs later say "Wards can't reach Servers" — you can only filter traffic you can name, and a VLAN gives each department a name.

Department   VLAN   Subnet          Gateway (HSRP VIP)   DHCP scope
Wards        10     10.10.10.0/24   10.10.10.1           .10–.250
Radiology    20     10.10.20.0/24   10.10.20.1           .10–.250
Admin        30     10.10.30.0/24   10.10.30.1           .10–.250
Pharmacy     40     10.10.40.0/24   10.10.40.1           .10–.250
Servers      50     10.10.50.0/24   10.10.50.1           static only

Notice the Servers VLAN has no DHCP scope — the EHR, DNS, and DHCP servers get static addresses so their IPs never change and your ACLs can target them reliably. NetPilot generates the VLAN and SVI config, and here's what it means:

vlan 10
 name Wards
vlan 20
 name Radiology
vlan 30
 name Admin
vlan 40
 name Pharmacy
vlan 50
 name Servers
!
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan20
 ip address 10.10.20.2 255.255.255.0
 standby 20 ip 10.10.20.1
 standby 20 priority 110
 standby 20 preempt
!
interface Vlan30
 ip address 10.10.30.2 255.255.255.0
 standby 30 ip 10.10.30.1
 standby 30 priority 110
 standby 30 preempt
!
interface Vlan40
 ip address 10.10.40.2 255.255.255.0
 standby 40 ip 10.10.40.1
 standby 40 priority 110
 standby 40 preempt
!
interface Vlan50
 ip address 10.10.50.2 255.255.255.0
 standby 50 ip 10.10.50.1
 standby 50 priority 110
 standby 50 preempt

The standby lines are HSRP. Both core switches share the virtual IP 10.10.10.1 that the ward PCs use as their gateway, and the same pattern repeats for each VLAN's .1. The config shown is Core-A's: its priority of 110 is higher than Core-B's, so Core-A is active; Core-B runs the same SVIs with its own real address on each subnet and a lower priority. If Core-A fails, Core-B takes the virtual IP over in seconds and the wards never know.

The redundant core: EtherChannel and STP

The two core switches are joined by two physical cables bundled into one EtherChannel. Why bundle? A single link is both a bottleneck and a single point of failure; EtherChannel gives you double the bandwidth and a built-in spare in one logical link.

interface range GigabitEthernet0/1 - 2
 switchport trunk encapsulation dot1q
 switchport mode trunk
 channel-group 1 mode active
!
interface Port-channel1
 switchport trunk encapsulation dot1q
 switchport mode trunk

Because you now have redundant paths between switches, you also have potential loops — and that's exactly what STP/RSTP is for. Rapid PVST+ (spanning-tree mode rapid-pvst) blocks the loop while keeping a backup path ready to unblock the instant the main one drops. Loops in a hospital would mean a broadcast storm freezing every department, so this isn't optional.

Routing between layers

For VLANs to reach shared services, the core needs to route between them. A single-area OSPF setup is the clean choice here — it adapts automatically when a redundant link changes, which fits the "stay up no matter what" theme:

router ospf 1
 router-id 1.1.1.1
 network 10.10.10.0 0.0.0.255 area 0
 network 10.10.20.0 0.0.0.255 area 0
 network 10.10.30.0 0.0.0.255 area 0
 network 10.10.40.0 0.0.0.255 area 0
 network 10.10.50.0 0.0.0.255 area 0

If your assignment specifically asks for static routing, that works too — but OSPF is worth defending because it reroutes around a failed core link on its own, with no manual intervention.

Services: DHCP per VLAN

Each department's devices pull an address automatically from a per-VLAN scope so you're not hand-numbering hundreds of ward PCs. The excluded-address line keeps the gateway and any static addresses out of the pool:

ip dhcp excluded-address 10.10.10.1 10.10.10.9
ip dhcp pool WARDS
 network 10.10.10.0 255.255.255.0
 default-router 10.10.10.1
 dns-server 10.10.50.10

The DNS server lives on the Servers VLAN at 10.10.50.10 — every scope points there.

Security: ACLs that isolate clinical traffic

This is the part that makes it a hospital network and not just five VLANs. Patient records on the EHR server should be reachable only by the clinical departments that treat patients — Wards and Radiology — and blocked from the general office (Admin) VLAN. An ACL on the Servers SVI enforces that:

ip access-list extended PROTECT-EHR
 permit tcp 10.10.10.0 0.0.0.255 host 10.10.50.20 eq 443
 permit tcp 10.10.20.0 0.0.0.255 host 10.10.50.20 eq 443
 deny   ip  10.10.30.0 0.0.0.255 host 10.10.50.20
 permit ip  any any
!
interface Vlan50
 ip access-group PROTECT-EHR out

The EHR server sits at 10.10.50.20 (the DNS box stays at .50.10, so wards and radiology can still resolve names). Read it top to bottom: the Wards and Radiology clinical VLANs reach the EHR server over HTTPS, the general office/Admin VLAN (30) is explicitly denied, and everything else flows normally. ACLs are evaluated in order and stop at the first match, so the specific clinical permits sit above the deny. One check worth doing before you submit: because the list ends with permit ip any any, the two 443 lines only document intent, and Wards, Radiology and Pharmacy can in fact reach the EHR server on any port; if the rubric wants HTTPS-only access, add a deny ip any host 10.10.50.20 just above the final permit. And — the step everyone forgets — an ACL does nothing until it's bound to an interface: here we apply it outbound on the Servers SVI (ip access-group PROTECT-EHR out) so it filters everything heading toward the server VLAN.
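To see exactly which line each flow hits, here is an added example (my own code, not the page's or NetPilot's): a first-match evaluator for Cisco extended ACL entries, loaded with the page's PROTECT-EHR list and with a tightened variant that I propose, which closes the list with an explicit deny to the EHR host. The sample flows and the tightened entry are constructed for the demonstration.

```python
import ipaddress

# Added example, not the page's or NetPilot's code: a first-match evaluator for
# Cisco extended ACL entries, loaded with the page's PROTECT-EHR list.
# Entry = (action, protocol, src, src_wildcard, dst, dst_wildcard, dst_port or None)
PROTECT_EHR = [
    ("permit", "tcp", "10.10.10.0", "0.0.0.255",       "10.10.50.20", "0.0.0.0",         443),
    ("permit", "tcp", "10.10.20.0", "0.0.0.255",       "10.10.50.20", "0.0.0.0",         443),
    ("deny",   "ip",  "10.10.30.0", "0.0.0.255",       "10.10.50.20", "0.0.0.0",         None),
    ("permit", "ip",  "0.0.0.0",    "255.255.255.255", "0.0.0.0",     "255.255.255.255", None),
]

# Tightened variant (my suggestion, not the page's config): deny everything else to
# the EHR host before the catch-all permit, so the HTTPS-only permits actually bind.
PROTECT_EHR_TIGHT = PROTECT_EHR[:3] + [
    ("deny",   "ip",  "0.0.0.0", "255.255.255.255", "10.10.50.20", "0.0.0.0", None),
    PROTECT_EHR[3],
]

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 0 bit must match, a 1 bit is don't-care."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def evaluate(acl, proto: str, src: str, dst: str, dport=None):
    """Return (action, entry_number) of the first matching entry; the implicit
    deny at the end of every Cisco ACL is reported as ('deny', None)."""
    for n, (action, p, s, sw, d, dw, port) in enumerate(acl, start=1):
        if p != "ip" and p != proto:
            continue
        if not (wildcard_match(src, s, sw) and wildcard_match(dst, d, dw)):
            continue
        if port is not None and port != dport:
            continue
        return action, n
    return "deny", None

if __name__ == "__main__":
    # Constructed sample flows: a ward PC, an admin PC and a pharmacy terminal
    for acl_name, acl in (("PROTECT-EHR", PROTECT_EHR), ("tightened", PROTECT_EHR_TIGHT)):
        print(acl_name)
        print("  ward     -> EHR 443 :", evaluate(acl, "tcp", "10.10.10.25", "10.10.50.20", 443))
        print("  ward     -> EHR 22  :", evaluate(acl, "tcp", "10.10.10.25", "10.10.50.20", 22))
        print("  pharmacy -> EHR 443 :", evaluate(acl, "tcp", "10.10.40.25", "10.10.50.20", 443))
        print("  admin    -> EHR 443 :", evaluate(acl, "tcp", "10.10.30.25", "10.10.50.20", 443))
        print("  admin    -> DNS 53  :", evaluate(acl, "udp", "10.10.30.25", "10.10.50.10", 53))
```

Under the page's list, the ward-to-EHR SSH flow and the pharmacy flow both land on entry 4 (the catch-all permit); under the tightened list they hit the new deny, while Admin's DNS lookups to 10.10.50.10 still pass.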

Cisco Packet Tracer quirks to watch for

  • Use a 3650 (or 3560) multilayer switch for the core. A plain 2960 is Layer 2 only — it can't run the SVIs, OSPF, or HSRP this design needs. Pick the wrong switch model and half your config won't even be accepted.
  • ip routing is off by default. On each multilayer core switch you must enter ip routing in global config, or your inter-VLAN traffic silently dies even though every interface looks right.
  • EtherChannel modes must match. Both ends need compatible modes — active/active (LACP) or desirable/desirable (PAgP). Mixing active with desirable leaves the bundle down, which Cisco Packet Tracer reports only as a quietly amber link.
  • HSRP preempt is easy to forget. Without standby 10 preempt, the higher-priority core won't reclaim the active role after it recovers — your redundancy "works" once and then sticks to the backup. Add preempt so failover is repeatable.
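The failover behaviour described in the HSRP section and the preempt quirk above, as an added example (my own code, not the page's or NetPilot's): a simplified model of one HSRP group's election, run through the boot / Core-A fails / Core-A recovers sequence with and without preempt. Core-B's priority of 100 (the HSRP default) is my assumption; the page only shows Core-A's 110.

```python
from dataclasses import dataclass

# Added example, not NetPilot's or the page's code: a simplified model of one HSRP
# group's election (RFC 2281 semantics, reduced to what the page discusses).
@dataclass
class HsrpRouter:
    name: str
    priority: int
    preempt: bool
    up: bool = True

def elect_active(routers, current):
    """Return the router holding the virtual IP after an up/down event.
    Rules modelled: a live active router keeps the role unless a live router with
    strictly higher priority AND preempt configured exists; if the active is down,
    the highest-priority live router wins (ties broken by name here, standing in
    for HSRP's real tie-break on the highest interface IP)."""
    live = [r for r in routers if r.up]
    if not live:
        return None
    best = max(live, key=lambda r: (r.priority, r.name))
    if current is not None and current.up:
        if best.preempt and best.priority > current.priority:
            return best          # higher-priority router reclaims the VIP
        return current           # no preempt: the incumbent keeps the VIP
    return best                  # active is down: best live router takes over

def failover_trace(preempt: bool):
    """Boot both cores, fail Core-A, bring it back; return who was active at each step."""
    core_a = HsrpRouter("Core-A", priority=110, preempt=preempt)
    core_b = HsrpRouter("Core-B", priority=100, preempt=preempt)  # 100 is my assumption
    pair = [core_a, core_b]
    active = elect_active(pair, None)          # both up: highest priority wins
    trace = [active.name]
    core_a.up = False                          # Core-A dies
    active = elect_active(pair, active)
    trace.append(active.name)
    core_a.up = True                           # Core-A recovers
    active = elect_active(pair, active)
    trace.append(active.name)
    return trace

if __name__ == "__main__":
    print("with preempt:   ", failover_trace(True))    # Core-A reclaims the VIP
    print("without preempt:", failover_trace(False))   # Core-B keeps it
```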

FAQ

How do I segment hospital departments into VLANs in Cisco Packet Tracer?

Create one VLAN per department in Cisco Packet Tracer (Wards, Radiology, Admin, Pharmacy, Servers), give each its own subnet, and assign access ports to the matching VLAN. In Packet Tracer you add the VLANs on the switch, then set each access port with switchport access vlan 10, and trunk the uplinks so the tagged traffic reaches the routing core.

Why does a hospital network need two core switches instead of one?

A hospital network needs two core switches because the core is the single point every department routes through, and patient care can't pause when one switch or cable fails. With HSRP and EtherChannel across the pair, the second switch takes over the gateway and routing in seconds, so wards, radiology, and pharmacy stay online during the failure.

How do I stop the office or Admin VLAN from reaching the EHR server in my Cisco Packet Tracer hospital project?

Apply an extended ACL in your Cisco Packet Tracer hospital project that denies the office/Admin VLAN to the EHR server's IP while permitting the clinical departments (Wards, Radiology) that legitimately need it. In Packet Tracer, build the ACL on the multilayer switch and apply it inbound on each source VLAN's SVI, or outbound on the Servers VLAN's SVI (the worked example above uses ip access-group PROTECT-EHR out on the Servers SVI) — an inbound ACL on the Servers SVI only filters traffic the servers send. Remember the first matching line wins.

Should I use OSPF or static routing for a hospital network design in Cisco Packet Tracer?

Use OSPF for a hospital network design in Cisco Packet Tracer if uptime matters, because it automatically reroutes around a failed redundant link with no manual fix. Static routing also works in Packet Tracer and is simpler to read, but you'd have to update routes by hand after a topology change, which undercuts the whole point of a redundant core.

Can NetPilot build the hospital .pkt with the ACLs and HSRP already configured?

Yes — describe the hospital, its VLANs, the redundant core, and the EHR isolation rule, and NetPilot generates the full per-device Cisco IOS config and exports a working .pkt with the ACLs and HSRP in place. You then open it in Cisco Packet Tracer, and because the CLI is right there, you can verify each piece with show standby and show access-lists so you understand it rather than just submitting it.

Build it, then understand it

A hospital network is the project that finally makes redundancy and segmentation click — once you've seen Core-B grab the gateway after you shut Core-A, the "why" stops being abstract. Describe yours to NetPilot, get the working .pkt and the per-device configs in minutes, then open the CLI and prove every line to yourself.

Browse more builds on the Packet Tracer projects hub, get unstuck on any step with the Cisco Packet Tracer helper, and try it free at app.netpilot.io.