So your assignment says "design a small office network for a company with several departments," and you're staring at a blank Cisco Packet Tracer workspace wondering where to even start. Here's the short answer: you'll carve the office into VLANs (one per department), route between them, hand out IP addresses with DHCP, give everyone internet through NAT, and lock down the guest network with an ACL. In this guide we'll build exactly that. You can generate a working .pkt file with NetPilot to open in class, and you'll come away with a real understanding of why each piece is there, so you can defend every design choice if your instructor asks.
What this office network project needs
Before you drop a single device, let's scope what a Cisco Packet Tracer office network project actually expects. Most small-office assignments want the same ingredients, even if the wording differs:
- Department segmentation — separate broadcast domains for Sales, HR, and IT so a chatty printer in one department doesn't flood another, and so you can apply different policies per group.
- A Guest/Wi-Fi VLAN — visitors get internet but no reach into internal systems.
- Inter-VLAN routing — VLANs can't talk to each other on their own; something has to route between them.
- Addressing via DHCP — nobody hand-types IPs on 60 PCs; a server or the router hands them out.
- Internet access — NAT/PAT translates your private addresses to one public address at the ISP edge.
- Core services — a DNS/web server in its own server VLAN.
- Security — an ACL keeping Guest out of internal subnets, plus port security on access ports so a random laptop can't hijack a port.
That's the whole blueprint. The reason it's structured this way: a real office is a set of trust boundaries, and VLANs plus ACLs are how you draw those boundaries in the network.
The fast way: describe it to NetPilot
If you want to skip the tedious clicking and get straight to a working topology you can study, describe the office to NetPilot's AI in plain English and let it build the lab for you:
Build me a small office network in Cisco Packet Tracer with VLANs for Sales, HR, IT, a Server VLAN, and a Guest VLAN. Use router-on-a-stick for inter-VLAN routing, DHCP pools per VLAN, NAT to an ISP router for internet, a DNS/web server, an ACL that blocks Guest from internal subnets, and port security on the access ports. Use 192.168.x.0/24 subnets.
NetPilot designs the topology, writes the per-device Cisco IOS configuration, exports a working .pkt you can open in Packet Tracer, and — this is the part that matters for learning — explains why it made each choice. That last bit is what separates building it from understanding it. And because NetPilot reads and writes the binary .pkt format directly, you get a file you can actually open, not just a wall of text — something a plain text chatbot can't produce.
You're never locked into the AI, either. Direct CLI access is always available: bring your own Cisco IOL image and you can open a real Cisco IOS terminal in the browser to verify every command, break things on purpose, and see what happens. The agent gets you to a correct starting point fast; the CLI lets you prove to yourself that you understand it. Complementary, not either/or.
The design, explained
Now the real walkthrough. Whether NetPilot generated it or you built it by hand, here's what's going on under the hood.
Topology layers
Keep it simple and layered: PCs connect to an access switch, the switch connects to a router (router-on-a-stick) or a layer-3 switch, and the router connects out to an ISP router that represents the internet. The server lives on its own switchport in the Server VLAN. This mirrors the classic access → distribution shape, scaled down for a small office.
VLAN and IP-addressing plan
Each department gets its own VLAN and its own /24 subnet. A clean, predictable plan makes troubleshooting trivial — when you see 192.168.30.x, you instantly know it's HR.
| VLAN | Name | Subnet | Gateway | DHCP range |
|---|---|---|---|---|
| 10 | Sales | 192.168.10.0/24 | 192.168.10.1 | .10–.200 |
| 20 | IT | 192.168.20.0/24 | 192.168.20.1 | .10–.200 |
| 30 | HR | 192.168.30.0/24 | 192.168.30.1 | .10–.200 |
| 40 | Server | 192.168.40.0/24 | 192.168.40.1 | static |
| 50 | Guest | 192.168.50.0/24 | 192.168.50.1 | .10–.200 |
The Server VLAN uses static addresses on purpose — you want your DNS/web server reachable at a fixed address so DHCP clients can always find it.
On the switch, you create the VLANs and tag the uplink to the router as an 802.1Q trunk so all VLANs ride a single cable:
vlan 10
name Sales
vlan 20
name IT
vlan 30
name HR
vlan 40
name Server
vlan 50
name Guest
!
interface FastEthernet0/24
switchport mode trunk
The trunk is the key idea: instead of running five cables to the router, one cable carries all five VLANs, each frame tagged with its VLAN ID. That's what dot1q (802.1Q) does — it stamps a VLAN tag onto every frame. A 2960 access switch is dot1Q-only, so switchport mode trunk is all you need; on a 3560/3650 you must run switchport trunk encapsulation dot1q before switchport mode trunk (IOS rejects mode trunk while encapsulation is still auto — a classic Packet Tracer ordering gotcha).
Inter-VLAN routing (router-on-a-stick)
VLANs are isolated by design, so Sales literally cannot reach HR without a router in the path. Router-on-a-stick solves this with subinterfaces — one logical interface per VLAN on a single physical router port, each with encapsulation dot1Q matching the VLAN tag:
interface GigabitEthernet0/0.10
encapsulation dot1Q 10
ip address 192.168.10.1 255.255.255.0
!
interface GigabitEthernet0/0.20
encapsulation dot1Q 20
ip address 192.168.20.1 255.255.255.0
!
interface GigabitEthernet0/0.30
encapsulation dot1Q 30
ip address 192.168.30.1 255.255.255.0
!
interface GigabitEthernet0/0.40
encapsulation dot1Q 40
ip address 192.168.40.1 255.255.255.0
!
interface GigabitEthernet0/0.50
encapsulation dot1Q 50
ip address 192.168.50.1 255.255.255.0
Every VLAN needs its own subinterface gateway — including the Server (40) and Guest (50) VLANs, or DNS and the guest ACL below have nothing to route through. Each subinterface's IP becomes the default gateway for that VLAN. When a Sales PC sends traffic to HR, it goes to 192.168.10.1, the router moves it across to 192.168.30.1, and back down. (A layer-3 switch with SVIs does the same job faster — but router-on-a-stick is the textbook version most assignments expect.)
Services: DHCP and DNS
Rather than typing IPs by hand, let the router hand them out with one pool per VLAN. Notice we exclude the gateway and server addresses so DHCP never gives away an address that's already taken:
ip dhcp excluded-address 192.168.10.1 192.168.10.9
! keep leases inside the planned .10-.200 range from the addressing table
ip dhcp excluded-address 192.168.10.201 192.168.10.254
!
ip dhcp pool SALES
network 192.168.10.0 255.255.255.0
default-router 192.168.10.1
dns-server 192.168.40.10
The dns-server points every client at the DNS box living in the Server VLAN — that's why the server got a static address earlier. Repeat the pool for IT, HR, and Guest.
Security: ACL and port security
The Guest VLAN should reach the internet but never the internal departments. An ACL enforces that — deny Guest to the internal subnets, permit everything else:
access-list 110 permit udp 192.168.50.0 0.0.0.255 host 192.168.40.10 eq 53
access-list 110 deny ip 192.168.50.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 110 deny ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny ip 192.168.50.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 deny ip 192.168.50.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 110 permit ip any any
Apply it inbound on the Guest subinterface (ip access-group 110 in). Order matters — an ACL is first-match, top-down: we permit just DNS (port 53) to the server, then deny the rest of the Server VLAN (.40) and every department, before the catch-all permit. Without the .40 deny, the final permit ip any any would let guests reach the internal DNS/web server. The wildcard mask 0.0.0.255 is the inverse of a /24 — it means "match the first three octets, any host." Then add port security on access ports so only a known MAC can use each port, shutting down anyone who plugs in a rogue device.
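The first-match behaviour of ACL 110 described above can be checked offline. This Python example is added here and is not part of the original article or of NetPilot: it parses the ACL exactly as listed and evaluates packets against it top-down with wildcard-mask matching. The function names and the sample hosts (192.168.50.25 for a guest PC, 203.0.113.10 for an internet host) are assumptions made for illustration.

```python
import ipaddress

# ACL 110 as listed on this page (applied inbound on the Guest subinterface).
ACL_110 = """\
access-list 110 permit udp 192.168.50.0 0.0.0.255 host 192.168.40.10 eq 53
access-list 110 deny ip 192.168.50.0 0.0.0.255 192.168.40.0 0.0.0.255
access-list 110 deny ip 192.168.50.0 0.0.0.255 192.168.10.0 0.0.0.255
access-list 110 deny ip 192.168.50.0 0.0.0.255 192.168.20.0 0.0.0.255
access-list 110 deny ip 192.168.50.0 0.0.0.255 192.168.30.0 0.0.0.255
access-list 110 permit ip any any
"""

def _ip(text):
    return int(ipaddress.IPv4Address(text))

def _take_addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    first = tokens.pop(0)
    if first == "any":
        return 0, 0xFFFFFFFF
    if first == "host":
        return _ip(tokens.pop(0)), 0
    return _ip(first), _ip(tokens.pop(0))

def parse(text):
    """Parse the subset of extended-ACL syntax used above into rule tuples."""
    rules = []
    for line in filter(None, map(str.split, text.splitlines())):
        action, proto, rest = line[2], line[3], line[4:]
        src, dst = _take_addr(rest), _take_addr(rest)
        port = int(rest[1]) if rest[:1] == ["eq"] else None
        rules.append((action, proto, src, dst, port))
    return rules

def _matches(ip, base, wild):
    care = ~wild & 0xFFFFFFFF  # wildcard 1-bits mean "don't care"
    return _ip(ip) & care == base & care

def evaluate(rules, proto, src, dst, dport=None):
    """First match wins, top-down: return (action, rule number); no match is the implicit deny."""
    for n, (action, rproto, rsrc, rdst, rport) in enumerate(rules, 1):
        protocol_ok = rproto in ("ip", proto) and rport in (None, dport)
        if protocol_ok and _matches(src, *rsrc) and _matches(dst, *rdst):
            return action, n
    return "deny", None

if __name__ == "__main__":
    full, guest, server = parse(ACL_110), "192.168.50.25", "192.168.40.10"  # constructed hosts
    print(evaluate(full, "tcp", guest, server, 80), evaluate(full[:1] + full[2:], "tcp", guest, server, 80))
```

With the full ACL the guest's HTTP request to the server is denied at line 2; with the .40 deny removed, the same packet falls through to the final permit. A DNS query over TCP port 53 is also denied at line 2, because line 1 permits UDP only.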
For internet, NAT/PAT (ip nat inside/outside plus overload) translates all your private addresses to the single public address on the link to the ISP router.
Cisco Packet Tracer quirks to watch for
A few things in Cisco Packet Tracer trip up almost everyone on an office project. Once you know them, Packet Tracer behaves:
- Trunk encapsulation order matters on older switch models — on a 2960, ports are dot1Q-only and switchport trunk encapsulation may be rejected; just set switchport mode trunk and move on.
- The router port must be no shutdown — subinterfaces inherit the physical interface state, so if the parent Gig0/0 is down, every VLAN's gateway is dead. Bring up the physical interface explicitly.
- DHCP needs the pool and the gateway reachable — if a PC shows "APIPA" (169.254.x.x), the client couldn't reach the DHCP service; check the trunk and the subinterface IP first.
- Server VLAN devices need manual config — Packet Tracer servers don't auto-pull DHCP unless you flip them to DHCP; for the static server, set the IP, mask, gateway, and DNS by hand.
FAQ
How do I set up VLANs for different departments in a Cisco Packet Tracer office network?
In Cisco Packet Tracer, create one VLAN per department on the switch (Sales, HR, IT, Guest), assign each access port to its VLAN with switchport access vlan X, and trunk the uplink to the router. In Packet Tracer the order is: define VLANs, assign access ports, then build the router-on-a-stick subinterfaces so the departments can actually route to each other.
Why won't my office PCs get an IP address from DHCP in Cisco Packet Tracer?
If office PCs show a 169.254.x.x address, they couldn't reach the DHCP service — usually a broken trunk or a down subinterface in your Cisco Packet Tracer file. Confirm the switch uplink is a trunk carrying every VLAN, the router's physical interface is no shutdown, and each ip dhcp pool has the matching default-router for that subnet.
How do I stop the Guest VLAN from reaching internal departments in this office network?
Apply an extended ACL inbound on the Guest subinterface that denies Guest traffic to the Sales, IT, HR, and Server subnets (apart from DNS to the server) and permits everything else, so guests get internet but no internal reach. Build it once in your Cisco Packet Tracer project and test it by pinging from a Guest PC to an HR PC — a correct config drops that ping while internet still works.
Can ChatGPT give me a finished office network .pkt file I can open in Packet Tracer?
No — ChatGPT outputs text, so it can't read or write the binary .pkt format that Cisco Packet Tracer needs, which is exactly the gap NetPilot fills. NetPilot generates the configs and exports a real .pkt you can open, then explains each choice so you can rebuild and defend it yourself rather than pasting a black box.
Should I use router-on-a-stick or a layer-3 switch for inter-VLAN routing in my office project?
Use router-on-a-stick for most Cisco Packet Tracer office assignments — it's the textbook method and shows you understand subinterfaces and 802.1Q encapsulation. A layer-3 switch with SVIs routes faster and scales better, so mention it as the "real-world" alternative if your assignment asks you to compare designs.
How do I add internet access to my Cisco Packet Tracer company network?
Add an ISP router connected to your edge router, configure NAT/PAT with ip nat inside/ip nat outside and an overload statement, and point a default route at the ISP. In a Cisco Packet Tracer company network this lets every private VLAN share one public address — the same way a real office hides behind a single internet IP.
Build the office network, then make sure you can explain every line — that's the difference between a grade and a skill. Walk through more buildouts on the Cisco Packet Tracer projects hub, get unstuck on a specific config with the Packet Tracer helper, and when you're ready to generate a working .pkt and learn the why behind it, try it free at https://app.netpilot.io.