I am stuck on the whole thing

Wow, ok, I can now see it clearer that I downloaded packet tracer.

So, first thing I would do is not what you did. Each of those routers is a floor eh? That's not realistic at all. Same with separating all of the department on their own switch. Let's not do that.  I'm going to upload a different topology to start with. Give me a second.

Please! That would be extremely helpful!

So, this would be a typical (using the term very loosely) for this kind of situation. Nothing is configured yet, I just wanted to give you an idea of the difference. I may change the switches to be a bit more realistic, as I was going for POE for the access points (the wireless requirement) but I can't figure out how to get the controllers to configure in this thing (I'm very familiar with WLC... this just isn't giving me the option ... also, in a "guest" type environment for wireless you would typically anchor in the DMZ... if I can't get to the GUI this isn't going to be very realistic at all...).

I'll throw some config on it here in a moment to give you some more insight.

Hi sir, what version of packet tracer r u using? ?I'm using 7.1.1

For Packet Tracer, it's 7.3.0.

Here's the updated topology with some config. And, now, a rundown on the changes:

First, the DHCP server was added with a few scopes. As a general practice, I do not create a DHCP scope for Servers (this irritates some server admins that try to automate without the proper tools, but hey, I'm the network guy and they can hate me), but I did create one for HR, IT and Marketing. Here's how I broke up the VLANs:

VLAN0010 = IT

VLAN0020 = HR

VLAN0030 = MARKETING

VLAN0040 = INTERNAL_SERVERS

VLAN0999 = MANAGEMENT

The first three make sense, I broke out the Internal servers into their own VLAN as these will be servers used by all VLAN such as DHCP and DNS. The management VLAN is my OCD... never, ever use VLAN0001 as a native. Ever. Even in demos.

Next, I have the aggregation switch in the center of it all. This will be the "router" for internal networking. Why? It's easier, and typically you'll see this in an installation. You could use the firewall, but there isn't really a need for internal workings. Use a management system like ISE and DNA to keep internal traffic safe from internal traffic, but for this example I'm trusting a great deal of security to the access lists I'll add next. So on the aggregation switch I have the VLAN's with the gateway addresses. This is what will forward the DHCP requests (kind of) to the server. The IP helper-address commands on VLAN 10, 20 and 30 are necessary for DHCP to work correctly. Why? Well, a terrible explanation of DHCP is necessary: it uses broadcasts and VLANs separate broadcast domains. So, if I broadcast in VLAN 10, there isn't going to be a response (no DHCP server in VLAN 10). I have to direct the broadcast to the unicast address of someone who will respond; in this case it's 192.168.40.2.

I then trunked the 3 switches on the floors to the Aggregation switch, as well as the Datacenter switch. My OCD then kicked in again and I "pruned" the trunks to only allow the VLANS that are utilizing these switches, so you'll see the command "switchport trunk allowed vlan 10,20,30,40,999" on each trunk. Not necessary but good practice.

So, you can test the DHCP communication (and the communication between all VLANs at this point) by moving the ports connected to the PC to a different VLAN grouping (or changing the vlan on the port they are already connected). I did this for all switches on the floors:

Ports 1/0/1 - 8 : VLAN 0010

Ports 1/0/9 - 16: VLAN 0020

Ports 1/0/10 - 23 VLAN 0030

Next, I'll do the ACL for the VLANs between each other and post that change.

Here we go:

The Access-lists VLAN0020_EGRESS and VLAN0030_EGRESS were added, and the commands issued for the appropriate VLANS. This filters the correct paths as follows:

VLAN0020 clients cannot communicate with VLAN0030 clients.

VLAN0030 clients cannot communicate with VLAN0020 clients.

VLAN0010 clients can communicate with VLAN0020 clients.

VLAN0020 clients can communicate with VLAN0010 clients.

VLAN0010 clients can communicate with VLAN0030 clients.

VLAN0030 clients can communicate with VLAN0010 clients.

ALL can communicate with VLAN0040 clients/servers.

To show, I added two dummy servers to the Datacenter switch, one in VLAN0020 and the other in VLAN0030. The IP addresses are 192.168.20.201 (VLAN0020) and 192.168.30.201 (VLAN0030). All hosts can hit their respective server, but not the other. All hosts can hit the DHCP server (VLAN0040) without issue.

The management VLANs for the switches were given IP addresses so they can find the other networks. 

I guess I should tell you the IP scheme now:

VLAN0010 = 192.168.10.0/24, Gateway 192.168.10.1

VLAN0020 = 192.168.20.0/24, Gateway 192.168.20.1

VLAN0030 = 192.168.30.0/24, Gateway 192.168.30.1

VLAN0040 = 192.168.40.0/24, Gateway 192.168.40.1

VLAN0999 = 10.1.1.0/24, Gateway 10.1.1.200 (yeah, I just wanted to be different here)

So, this will bring us to the DMZ, followed by the wireless and you're square.

Do me a favor: do not implement this in production. While this will work, there are a lot of liberties going on with some security practices. While this is more secure than a lot of networks I have seen (just given the fact that it isn't flat in VLAN, that there are actually access control lists, and VLAN pruning happened), I try to steer people away from using things are not up to my standards of "at least a little bit secure".

Alright, I lied. Here's the deal: Packet Tracer is not really conducive to operating in this capacity. I cannot configure the ASA at all, and the AIR-2504/3504 doesn't configure well either.

So, I'll walk you through the "real-world" solution at the end of this, just so you can have an answer to your question.

DMZ Requirement:

I'm going to assume this is a budget-constrained implementation, or at least a low-level implementation, because believe me there is a MUCH deeper dive we can go into with APC, APIC, ISE, DNS, FirePower, ESA, WSA, CSA, and blah, blah, blah. We'll go old-school, 4-tuple firewall without intent-based networking (though, I suppose you could use faux implements of Class-of-Service on the ISR and Zone-based Firewalling, but this is ....meh, in comparison).

With the outline I gave you, you'd have 2 ASA5506. These are routed firewalls, and would require some networking. We'll change that to one ASA5506 (you'd go bigger if this was a larger implementation) and one FP2110 (NGFW). Reason being is this: passthrough connections that filter threats and malware should be placed close to your internal network, and this should filter out anything but database calls to the appropriate servers from the appropriate servers. Simple enough to do with a FP2110, expensive (both monetarily and CPU) with a ASA.

On the ASA you would create another VLAN on a subinterface and route through to the aggregation switch. I would recommend a IGRP on the Aggregation router with authentication, but static works just as well. Create another subinterface on another interface for the wireless controller (next section) and give it a different VLAN. Make sure that routes to the Aggregation switch as well. Secure these in this manner:

Internal networks should communicate with the application server ONLY.

Application servers (the DMZ servers) should communicate back ONLY on web ports.

Application servers should only communicate unsolicited to database or data repositories. I prefer not profiling this, and explicitly defining the rules (severe downside to this is human error... i make a lot of them).

Wireless Controller B (in the DMZ) should only communicate to Wireless Controller A (in Data Center) over UDP ports 16666 and 16667. That is all that is required to anchor (I think... now that one has been a while... double-check that).

Wireless Guest Access Requirement:

Alright, all access points will be manged by Wireless Controller A. You'll need to create a DHCP pool for Wireless management interfaces for the Managed Access Points (don't call them "WAPs"... this means at least 3 other things in networking...). This pool will require a DHCP option that points to the wireless controller's management IP address for association. This is a bit advanced in concept; just know it has to be done and done so in a manner that utilizes Hex formatting of addressing. Then, Wireless Controller B will be configured with a management IP address (should be another network) and that address will be allowed through the firewalls and routed in a way that it can see Wireless Controller A and vice versa. Then the bridge will be configured. This encapsulates all wireless traffic in the anchored bridge to go straight to that device and not anywhere else (secure).

That's all you need!

As a quick note, I totally messed up the DMZ in the diagrams. The internal ASA should not be connected to the switch; only the switch should hook up to the ASA closest to the router only. This will force all traffic going inside to hope through both firewalls, where the perimeter firewall will be "less strict" than the one closest to the internal network. That was just a bad, bad connection I did.

Hope this helps. I'm stepping away for a bit, as I just got a notification that one of my sites is seeing some serious noise that appears to be an attack and I am now "essential" and must travel.... Yay. Good luck with Networking!

Thank you for your efforts! Appreciate it