NAME

Overview This project was about rebuilding the entire enterprise infrastructure for a 500+ endpoint environment. The old network was a patchwork of unmanaged switches, no VLANs, and no real monitoring, basically a ticking time bomb with ISP devices. The goal was to create a stable, scalable, and secure network that could handle multiple ISPs, hybrid workloads, and ISO 27001 compliance without needing babysitting every hour.

The backbone runs on Cisco Catalyst for core switching and Cisco access switches for edge connectivity. FortiGate firewalls sit at the perimeter, handling routing, SD-WAN, and security services. Wireless is covered with Cisco WLC, all tied to VLAN segmentation handled by the core layer. The WAN side connects six dedicated CIR ISPs into a FortiGate SD-WAN cluster with SLA monitoring and automated failover. All routing logic uses performance-based path selection with link probes and P2P ISP peering from different POPs for redundancy. On the authentication layer, the Wi-Fi network uses 802.1X with Windows NPS and Active Directory for dynamic VLAN assignment. This way, every user and device connects under identity-based access instead of static credentials.

I built everything from scratch, starting with a clean topology plan: one distribution layer, two redundant cores, and separate management and guest networks. Zabbix handles SNMP monitoring for switches, servers, and firewalls, while Graylog collects syslogs from every network device. Wazuh sits on top as the SIEM engine, analyzing everything from firewall traffic to Windows event logs. Slack and Microsoft Teams are wired into the alerting system for instant notifications on link failures, high CPU events, or authentication anomalies. For Wi-Fi, Cisco WLCs manage the APs, and FortiGate handles VLAN handoff, DHCP relay, and traffic shaping. Every configuration is backed up nightly through custom bash scripts, versioned, and stored in a secure repo. Servers are backed up by Veeam for image-level recovery and version retention.

The environment follows ISO 27001 controls for access, network segregation, and monitoring. Nessus runs monthly vulnerability scans that feed into Wazuh, creating a single pane for alerts and compliance tracking. AD groups are linked to role-based access, so internal users and contractors are separated at both the network and identity levels. All administrative access (SSH, RDP, or console) is logged through a management VLAN isolated from production.

The monitoring stack uses Zabbix, Graylog, and Wazuh in sync. Zabbix visualizes infrastructure health and link performance, Graylog parses logs from FortiGate and Cisco gear, and Wazuh correlates security events with known threat signatures. Automated Slack/Teams alerts fire for failed authentication attempts, high latency on any WAN link, or offline APs.

After deployment, the entire environment stabilized. The SD-WAN handled link drops seamlessly, authentication became traceable through AD, and ISO 27001 audits passed without any technical gaps. The best part: the network became self-reporting, if anything misbehaves, Zabbix and Wazuh shout before users even notice. This is only a surface-level breakdown; the real configurations stay offline for obvious reasons.