Advanced Campus Network Design: Multilayer Architectures

Admin
March 26, 2026

Introduction

Imagine walking into a corporate headquarters with 5,000 employees spread across six buildings, each with multiple floors of wiring closets, and being asked to redesign the entire network from scratch. Where do you begin? How do you ensure that every user gets reliable connectivity, that faults stay contained, and that the network can grow without a complete overhaul two years later? The answer lies in mastering campus network design using multilayer architectures.

Campus network design is one of the most critical competencies for any enterprise network engineer, especially those pursuing CCIE Enterprise certification. Unlike data center environments that occupy a single floor in a purpose-built facility, campus networks span multiple buildings, floors, and geographic areas. They must serve a diverse population of users, devices, and applications while maintaining security, quality of service, and manageability.

This article provides a comprehensive deep dive into multilayer campus architectures. We will cover the foundational principles that define what a campus network is, walk through the hierarchical design model layer by layer, examine the protocols and features that operate at each tier, explore platform selection considerations, and discuss best practices for high availability, security, and virtual networking. By the end, you will have a thorough understanding of how to approach campus design at an advanced level, grounded in real-world architectural principles.

What Is a Campus Network?

Before diving into multilayer design, it is essential to establish what distinguishes a campus network from other network domains. A campus is defined as a group of one or more buildings and surrounding grounds where people and their belongings work together. Common examples include corporate and government offices, hospitals, schools, transportation hubs, and manufacturing facilities.

From a networking perspective, a campus network is focused on four primary concerns:

  • People — Users, vendors, guests, and other individuals who need connectivity
  • People's devices — PCs, phones, printers, IoT sensors, and other endpoints
  • Local geographic area — LAN, WLAN, or MAN connectivity within the campus boundary
  • Access to other domains — Connectivity to WAN, ISP, data center, and cloud resources

This focus on user access is what sets campus networks apart. A campus network must accommodate many different technology areas including wired switching, wireless connectivity, security enforcement, quality of service, and network management. The campus is fundamentally about providing reliable, secure, and performant access to network resources for the people who occupy those buildings.

Campus Versus Data Center

A critical distinction that network architects must understand is that a campus is not a data center. While data centers typically consist of one or a few large buildings nearby, usually on a single floor, campus environments are inherently more distributed. Buildings are spread out across a geographic area with multiple floors per building. This geographic distribution has profound implications for network design, including cabling distances, protocol selection, fault domain sizing, and redundancy strategies.

MDF and IDF: The Physical Foundation

Campus networks are organized around two fundamental physical constructs:

  • MDF (Main Distribution Framework) — Houses the core and edge networking equipment. This is the central point of the campus network where high-speed interconnections converge.
  • IDF (Intermediate Distribution Framework) — Houses the distribution and access layer equipment. These are the wiring closets distributed throughout buildings and floors where end devices connect.

Understanding the MDF/IDF model is essential because it maps directly to the logical layers of the multilayer architecture. Every campus design decision, from cable plant to protocol selection, traces back to this physical organization.

Understanding the Campus Network Design Multilayer Model

The multilayer model is the cornerstone of enterprise campus network design. Every campus network, regardless of size, operates with three logical layers. Each layer provides a specific set of functions and has a specific set of requirements. The three layers are:

  1. Access Layer — Connects users and devices to the network
  2. Distribution Layer — Aggregates access layer connections and enforces policy
  3. Core Layer — Provides high-speed transport between distribution blocks

Even when physical layers are collapsed (for example, combining core and distribution onto a single device), the logical functions of all three layers must still be fulfilled. If you collapse layers, your device needs to support all the logical functions of the layers it replaces.

Layer        | Primary Focus            | Typical Platforms            | Key Characteristics
-------------|--------------------------|------------------------------|---------------------------------------------------
Access       | User/device connectivity | Catalyst 9200, Catalyst 9300 | Many small-to-medium speed LAN downlinks
Distribution | Policy, aggregation      | Catalyst 9400, Catalyst 9500 | Few medium-to-high speed LAN uplinks and downlinks
Core         | High-speed transport     | Catalyst 9500, Catalyst 9600 | Few MAN or WAN uplinks, large routing tables

Pro Tip: Always think in terms of three logical layers, even when your physical design collapses two layers onto the same hardware. This mental model helps you ensure that no critical function is overlooked.

How Does Hierarchical Campus Network Design Work?

Hierarchical network design is not just a theoretical concept — it is the proven approach that makes large campus networks manageable, scalable, and resilient. The hierarchical model creates a structure where each layer has a well-defined role, and the interactions between layers follow predictable patterns.

Why Hierarchy Matters

The benefits of hierarchical design are extensive and directly address the challenges of enterprise campus environments:

  • Offers hierarchy — Each layer has a specific role, making the network easier to understand and document
  • Modular topology — The network is built from repeatable building blocks that can be replicated as the campus grows
  • Easy to grow, understand, and troubleshoot — Standardized designs reduce operational complexity
  • Creates small fault domains — Clear demarcations and isolation ensure that problems in one area do not cascade across the entire network
  • Promotes load balancing and redundancy — Multiple paths and failover mechanisms are built into the design
  • Promotes deterministic traffic patterns — Traffic flows are predictable, making capacity planning and troubleshooting straightforward
  • Incorporates balance of both Layer 2 and Layer 3 technology — Leverages the strengths of both switching and routing
  • Utilizes Layer 3 routing — Provides load balancing, fast convergence, scalability, and control

The Building Block Approach

The hierarchical model organizes the campus into repeatable building blocks. Each building block consists of access layer switches connected to a pair of distribution layer switches. Multiple building blocks then connect to the core layer. This modular approach means that adding a new building or floor to the campus is as simple as deploying another building block and connecting it to the core — no redesign of the existing infrastructure is required.

The building block concept also creates natural fault domains. A problem within one building block — such as a spanning tree loop in an access VLAN — remains contained within that block and does not affect the rest of the campus. This isolation is one of the most powerful advantages of hierarchical design.

What Are the Campus Network Design Tiers?

The multilayer model can be deployed in various configurations depending on the size and requirements of the campus. These configurations are often described in terms of tiers:

Single-Tier (1-Tier) Design

In the smallest campus environments, all three logical layers may be collapsed onto a single device or stack. This is common in small branch offices where a single switch serves as access, distribution, and core simultaneously.

Two-Tier (2-Tier) Design: Collapsed Core

The two-tier design, also known as the collapsed core design, combines the core and distribution layers onto shared devices. The access layer remains separate. This is the most common design for small-to-medium campus networks where the scale does not justify dedicated core switches.

Three-Tier (3-Tier) Design: Full Hierarchy

The full three-tier design deploys dedicated devices at each layer. This is the standard for medium-to-large campus networks. The access layer connects users, the distribution layer aggregates and applies policy, and the core provides high-speed transport between distribution blocks.

Four-Tier and Beyond (4+ Tier) Design

Very large campus environments or those with complex interconnection requirements may extend beyond three tiers. This can include additional layers such as core interconnect or core plus edge tiers that handle connections to external domains like the WAN, ISP, or data center.

Design  | Layers Combined       | Best For              | Trade-offs
--------|-----------------------|-----------------------|------------------------------------------
1-Tier  | All collapsed         | Small branch          | Limited scalability, large fault domain
2-Tier  | Core + Distribution   | Small-medium campus   | Good balance of simplicity and structure
3-Tier  | None (full hierarchy) | Medium-large campus   | Maximum scalability and fault isolation
4+ Tier | None + edge tiers     | Very large campus/MAN | Additional complexity, maximum segmentation

The Access Layer: Connecting Users and Devices in Campus Network Design

The access layer is Tier 1 of the campus network, and its primary purpose is connecting users and devices to the distribution layer. Also known as the IDF or wiring closet, this layer is common in all campus and branch networks. The access layer is where the network meets its end users, making it the most broadly deployed and diverse layer in the campus.

Baseline Campus Access

In a baseline campus access design, the access layer operates primarily as a Layer 2 domain. Traffic is switched at Layer 2 both northbound (toward distribution) and southbound (toward endpoints).

Northbound features at the access layer include:

  • VLAN and 802.1Q trunking — Extending VLANs from access to distribution
  • Spanning Tree Protocol (STP) — Preventing loops in the Layer 2 domain, typically using PVST or MST
  • MAC address tables — Forwarding based on destination MAC addresses
  • IGMP Snooping — Optimizing multicast traffic delivery

Southbound features at the access layer include:

  • AAA (Authentication, Authorization, Accounting) — Controlling who can access the network
  • STP PortFast — Enabling immediate port transitions for end devices
  • Storm Control — Protecting against broadcast, multicast, and unicast storms

Access Layer Security, QoS, and NetFlow

The access layer is where many critical services are first applied to user traffic:

  • Access Security — 802.1X authentication, VACLs (VLAN Access Control Lists), and PACLs (Port Access Control Lists) control which devices can connect and what traffic they can send
  • Access QoS — Layer 2 Class of Service (CoS), traffic classification, and marking ensure that critical applications receive appropriate treatment from the moment traffic enters the network
  • Access NetFlow — Application Visibility and Control (AVC), Flexible NetFlow (FNF), Encrypted Performance Analytics (EPA), and Encrypted Traffic Analytics (ETA) provide visibility into traffic patterns even when payload encryption prevents deep packet inspection

The access layer generally requires low-to-medium Layer 2 and feature scale, as each access switch serves a relatively small number of endpoints compared to distribution or core devices.

Extended Access (IoT/FTTX)

Beyond the baseline access tier, some campus environments require an extended access layer. This is particularly relevant for IoT deployments and Fiber-to-the-X (FTTX) scenarios where connectivity must be extended beyond the traditional wiring closet to reach sensors, cameras, building automation systems, and other specialized devices.

Routed Access

An alternative to the traditional Layer 2 access design is routed access, where the Layer 3 boundary is pushed down to the access layer. In this model, each access switch runs a routing protocol (such as OSPF, IS-IS, or EIGRP) and routes traffic directly rather than bridging it to the distribution layer. Routed access eliminates the need for Spanning Tree Protocol between access and distribution, simplifying the design and improving convergence times.

Pro Tip: Routed access is increasingly popular in modern campus designs because it eliminates STP-related complexities and provides faster convergence. However, it requires each access switch to participate in the routing domain, which increases the size of the routing tables and the complexity of IP address management.

The Distribution Layer: Policy and Aggregation in Campus Network Design

The distribution layer sits between access and core, serving as the aggregation and policy enforcement point. It is where the transition from Layer 2 to Layer 3 typically occurs in a traditional campus design.

Baseline Distribution

In a baseline distribution design, the distribution layer performs several critical functions:

  • Layer 2 to Layer 3 boundary — VLANs from the access layer terminate here, and traffic is routed between VLANs
  • Policy enforcement — Access control lists, QoS policies, and security features are applied at this layer
  • Aggregation — Multiple access switches connect to a distribution pair, consolidating traffic before it reaches the core
  • Routing protocol participation — The distribution layer runs routing protocols such as OSPF, IS-IS, or EIGRP for Layer 3 reachability

The distribution layer requires medium IPv4/IPv6 routing tables, medium MAC tables, and medium ARP/ND tables. It needs to support both Layer 2 and Layer 3 security, QoS, and Flexible NetFlow capabilities.

Key distribution layer characteristics:

  • Few medium-to-high speed LAN downlinks (connecting to access switches)
  • Few medium-to-high speed LAN uplinks (connecting to the core)
  • Virtualization support including StackWise Virtual (SVL), STP/REP, VLAN segmentation, and SD-Access

Collapsed Core Design

In smaller campus environments, the distribution and core layers are collapsed onto the same physical devices. This is known as a collapsed core design. The devices must support all the functions of both layers, including high-speed forwarding, large routing tables, and policy enforcement.

The collapsed core design reduces equipment costs and simplifies management but creates a larger fault domain. When the core and distribution are separate, a distribution failure affects only the building block it serves. In a collapsed design, a failure can have broader impact.

Collapsed Distribution Design

Conversely, in some designs the distribution and access layers may be collapsed. This is less common but may be appropriate in specific scenarios where the number of endpoints per building block is small enough to be served by a single tier of switches.

The Core Layer: High-Speed Transport for Campus Network Design

The core layer is the backbone of the campus network, providing high-speed, low-latency transport between distribution blocks and connectivity to external domains such as the data center, WAN, and Internet.

Baseline Core

The baseline core focuses purely on fast, reliable packet forwarding. Core switches need to support:

  • Few MAN (high-speed) or WAN (low-speed) uplinks — Connecting to external domains
  • Internal and external autonomous systems — Supporting multiple routing domains
  • Medium-to-large IPv4/IPv6 routing tables — Handling the full campus routing table plus external routes
  • Layer 3 security, QoS, and Flexible NetFlow — Though applied sparingly to avoid impacting forwarding performance
  • Virtualization — StackWise Virtual (SVL), MPLS/VPLS, EVPN, and SD-Access

The core layer uses BGP for external connectivity and an interior gateway protocol (OSPF, IS-IS, or EIGRP) for internal campus routing.

Core Interconnect

In very large campus environments, a core interconnect tier may be added between the campus core and the core edge. This additional tier provides scalable connectivity between multiple campus core blocks, which is especially useful when the campus spans a metropolitan area or includes multiple distinct campus sites.

Core Edge

The core edge tier handles connectivity to domains outside the campus, including:

  • WAN connections
  • ISP connections
  • Data center interconnects

This tier focuses on external routing (typically BGP), security policy enforcement at the network boundary, and traffic engineering for optimal utilization of external links.

Campus Network Design: Protocols and Foundational Services

Each layer of the campus multilayer architecture uses specific protocols and services tailored to its role. Understanding which protocols operate where is essential for proper campus network design.

Layer 1: Physical Layer and Links

The physical layer forms the foundation of the campus network. Cabling considerations include:

  • Copper cabling — Cat5e, Cat6, Cat6a for access layer connections (typically up to 100 meters)
  • Fiber cabling — Multimode and single-mode fiber for distribution-to-core and building-to-building connections
  • Cable plant design — Must account for the geographic distribution of campus buildings, including distance limitations and right-of-way considerations

Layer 2: Switching Protocols

Layer 2 protocols are most heavily used at the access and distribution layers:

  • PVST (Per-VLAN Spanning Tree) — Provides per-VLAN loop prevention, commonly used at the campus access layer
  • MST (Multiple Spanning Tree) — Maps multiple VLANs to fewer STP instances, reducing STP overhead in large VLAN environments
  • STP and REP (Resilient Ethernet Protocol) — Used at the access layer and in some extended access scenarios for loop prevention

Layer 3: Routing Protocols

Layer 3 routing is used from the distribution layer up through the core and edge:

  • OSPF, IS-IS, or EIGRP — Interior gateway protocols used between access (in routed access designs), distribution, and core layers
  • BGP — Used at the core edge for external connectivity to WAN, ISP, and data center domains

ECMP, LAG, and Load Balancing

Modern campus designs leverage multiple mechanisms for load distribution:

  • ECMP (Equal-Cost Multi-Path) — Distributes traffic across multiple equal-cost routing paths at Layer 3
  • LAG (Link Aggregation Group) — Bundles multiple physical links into a single logical link for increased bandwidth and redundancy at Layer 2

Platform Design Considerations for Campus Network Design

Selecting the right hardware platform for each layer of the campus hierarchy is a critical design decision. The platform must meet the requirements of its layer in terms of capacity, speed, and feature scale.

Chassis Considerations (Capacity)

Platform capacity must match the requirements of the layer it will serve:

Layer        | Port Density                     | Typical Form Factor      | Example Platform
-------------|----------------------------------|--------------------------|--------------------
Access       | Many small-to-medium speed ports | Fixed or stackable       | Catalyst 9200, 9300
Distribution | Moderate high-speed ports        | Modular chassis or fixed | Catalyst 9400, 9500
Core         | Few very high-speed ports        | Modular chassis          | Catalyst 9500, 9600

Cabling Considerations (Speed)

The speed requirements vary by layer:

  • Access downlinks — Many low-to-medium speed connections (100M to 1G, increasingly 2.5G and 5G for wireless access points)
  • Access uplinks — Few small-to-medium speed connections (1G to 10G)
  • Distribution downlinks — Few medium-to-high speed connections (10G)
  • Distribution uplinks — Few medium-to-high speed connections (10G to 40G)
  • Core links — High speed connections (40G to 100G)

Feature Considerations (Scale)

Each layer requires different feature scales across multiple dimensions:

Layer 2 Features (Unicast and Multicast):

  • MAC address table size — Access needs small-to-medium tables; distribution needs medium tables; core needs large tables
  • IGMP snooping and multicast — Must be supported at all layers but with increasing scale toward the core

Layer 3 Features (Unicast and Multicast):

  • Routing table size — Small at access (if routed access), medium at distribution, medium-to-large at core
  • ARP/ND table size — Increases from access to core

Security Features (AAA and ACL):

  • 802.1X and NAC — Primarily at the access layer
  • VACLs and PACLs — Access and distribution layers
  • Layer 3 ACLs — Distribution and core layers

Quality of Service (QoS):

  • Classification and marking — Primarily at the access layer (trust boundary)
  • Queuing and scheduling — All layers, but most critical at distribution and core where aggregation occurs

NetFlow (AVC and XDR):

  • Flexible NetFlow — Applied at access for visibility, at distribution and core for aggregation and export
  • AVC, EPA, and ETA — Primarily at the access layer for per-flow application visibility

Campus Network Design Best Practices: High Availability

High availability is a non-negotiable requirement in enterprise campus networks. Downtime translates directly to lost productivity and revenue. Several mechanisms work together to provide the resilience that campus environments demand.

SSO/NSF (Stateful Switchover / Non-Stop Forwarding)

Modular chassis platforms at the distribution and core layers can be equipped with redundant supervisors. SSO ensures that when the active supervisor fails, the standby takes over with full state information. NSF allows the forwarding plane to continue forwarding packets during the supervisor switchover, preventing traffic loss.

Stack and SVL (StackWise Virtual)

StackWise Virtual allows two physical chassis to operate as a single logical switch. This technology is available on Catalyst 9000 series platforms and is commonly used at the distribution and core layers to simplify the topology. With SVL, what would otherwise require complex FHRP and STP configurations becomes a single logical device with built-in redundancy.

mLAG (Multi-Chassis Link Aggregation)

mLAG allows link aggregation groups to span two physical switches, providing both increased bandwidth and redundancy without requiring StackWise Virtual. This is an alternative approach for multi-chassis redundancy at the distribution and core layers.

FHRP (First Hop Redundancy Protocols)

First Hop Redundancy Protocols such as HSRP and VRRP provide gateway redundancy for Layer 2 access designs where the default gateway resides at the distribution layer. Two distribution switches share a virtual IP address, and if one fails, the other continues to serve as the default gateway for access layer VLANs.

Pro Tip: StackWise Virtual can eliminate the need for FHRP by presenting two physical distribution switches as a single logical device with a single management plane and a single set of gateway addresses.

Campus Network Design Best Practices: LAN Security

Security is woven throughout the campus multilayer architecture, with different mechanisms applied at each layer.

NAC (Network Access Control)

Network Access Control is primarily enforced at the access layer, using 802.1X authentication to verify the identity of devices before granting them network access. NAC integrates with policy servers to dynamically assign VLANs, apply ACLs, and enforce posture compliance.

Access Control

Multiple forms of access control operate across the campus:

  • Port-based ACLs (PACLs) — Applied at the physical port level on access switches
  • VLAN-based ACLs (VACLs) — Applied to VLAN traffic at the distribution layer
  • Router ACLs (RACLs) — Applied at the Layer 3 boundary for inter-VLAN traffic filtering

FHS (First Hop Security)

First Hop Security features protect against Layer 2 attacks at the access layer, including:

  • Dynamic ARP Inspection (DAI)
  • DHCP Snooping
  • IPv6 RA Guard
  • IP Source Guard

These features are essential for preventing man-in-the-middle attacks, rogue DHCP servers, and IP spoofing at the network edge.
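
The four First Hop Security features listed above can be checked mechanically against an access switch configuration. The following Python audit is an added example, not code from the article or from Cisco; the sample configuration is constructed, and the function names and the RA Guard policy name HOSTS are hypothetical.

```python
import re

# Constructed sample of an IOS-XE-style access switch configuration.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/1
 description user port, fully protected
 switchport mode access
 switchport access vlan 10
 ip verify source
 ipv6 nd raguard attach-policy HOSTS
!
interface GigabitEthernet1/0/2
 description user port, VLAN 20 has no DAI
 switchport mode access
 switchport access vlan 20
 ip verify source
 ipv6 nd raguard attach-policy HOSTS
!
interface GigabitEthernet1/0/3
 description user port wrongly trusted
 switchport mode access
 switchport access vlan 10
 ip dhcp snooping trust
!
interface TenGigabitEthernet1/1/1
 description uplink to distribution
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
"""


def expand_vlans(spec):
    """Expand a VLAN list such as '10,20-22' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse(config):
    """Return (global FHS settings, {interface name: [config lines]})."""
    glob = {"snooping": False, "snoop_vlans": set(), "dai_vlans": set()}
    ifaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1]
            ifaces[current] = []
        elif raw.startswith(" ") and current:
            ifaces[current].append(line)
        else:
            current = None  # back at global configuration level
            if line == "ip dhcp snooping":
                glob["snooping"] = True
            elif m := re.fullmatch(r"ip dhcp snooping vlan (\S+)", line):
                glob["snoop_vlans"] |= expand_vlans(m.group(1))
            elif m := re.fullmatch(r"ip arp inspection vlan (\S+)", line):
                glob["dai_vlans"] |= expand_vlans(m.group(1))
    return glob, ifaces


def audit(config):
    """Return {interface: [findings]} for every user-facing access port."""
    glob, ifaces = parse(config)
    report = {}
    for name, lines in ifaces.items():
        if "switchport mode access" not in lines:
            continue  # trunk uplinks are legitimately trusted; not audited here
        vlan = 1  # default access VLAN when none is configured
        for l in lines:
            if m := re.fullmatch(r"switchport access vlan (\d+)", l):
                vlan = int(m.group(1))
        findings = []
        if not (glob["snooping"] and vlan in glob["snoop_vlans"]):
            findings.append(f"DHCP Snooping not enabled for VLAN {vlan}")
        if vlan not in glob["dai_vlans"]:
            findings.append(f"Dynamic ARP Inspection not enabled for VLAN {vlan}")
        if not any(l.startswith("ip verify source") for l in lines):
            findings.append("IP Source Guard missing")
        if not any(l.startswith("ipv6 nd raguard") for l in lines):
            findings.append("IPv6 RA Guard missing")
        # A trusted user port bypasses snooping/DAI checks for whatever plugs in.
        for trust in ("ip dhcp snooping trust", "ip arp inspection trust"):
            if trust in lines:
                findings.append(f"'{trust}' on a user-facing port")
        report[name] = findings
    return report


if __name__ == "__main__":
    for port, findings in audit(SAMPLE_CONFIG).items():
        print(port, "OK" if not findings else findings)
```

Run against a real configuration export, the same checks flag user ports in VLANs that were added after the snooping and inspection VLAN lists were last updated.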

ZTNA (Zero Trust Network Access)

Zero Trust principles are increasingly being applied to campus network design, where no device or user is trusted by default regardless of their location within the network. This represents an evolution beyond traditional perimeter-based security models.

Campus Network Design: Virtual Networking and Overlay Technologies

Modern campus networks often require logical separation of traffic beyond what VLANs alone can provide. Several virtualization technologies address this need.

MPLS (Multiprotocol Label Switching)

MPLS can be deployed within the campus core to provide traffic engineering and VPN services. It enables the creation of isolated forwarding paths across the shared campus infrastructure.

LISP (Locator/ID Separation Protocol)

LISP is a foundational protocol for SD-Access deployments. It separates the endpoint identity (EID) from the location (RLOC), enabling seamless mobility and policy enforcement across the campus fabric.

EVPN (Ethernet VPN)

EVPN provides a modern Layer 2 and Layer 3 VPN overlay technology that is gaining adoption in campus environments. It offers multi-tenancy, workload mobility, and efficient handling of BUM (broadcast, unknown unicast, and multicast) traffic.

SD-Access

SD-Access (Software-Defined Access) is the overlay architecture that brings intent-based networking to the campus. It leverages LISP for the control plane, VXLAN for the data plane, and integrates with network management platforms for policy automation and assurance.

Campus Network Design: Integration with Other Domains

A campus network does not exist in isolation. It must integrate seamlessly with other network domains, often referred to as Places in the Network (PINs).

Wireless Integration

Wireless is an integral part of the modern campus. The access layer must support wireless access points, including:

  • PoE (Power over Ethernet) for AP power delivery
  • High-speed uplinks to handle aggregated wireless traffic
  • Integration with wireless controllers for centralized management and policy enforcement

The physical access layer and the wireless overlay must work together to provide a consistent user experience regardless of whether the connection is wired or wireless.

Firewall Integration

Campus networks integrate with firewalls at various points:

  • Core edge — Firewalls at the campus boundary provide security for traffic entering or leaving the campus
  • Distribution layer — In some designs, firewalls are integrated at the distribution layer for inter-VLAN security
  • Inline or tap mode — Depending on the security requirements and performance constraints

Campus PINs and Topology Summary

The campus network connects to multiple other PINs through the core and edge layers:

Campus PIN            | Protocols         | Typical Location
----------------------|-------------------|--------------------
Campus Access         | STP (PVST/MST)    | IDF / Wiring Closet
Campus Distribution   | OSPF, EIGRP, IS-IS | MDF / Building
Campus Core           | OSPF, EIGRP, IS-IS | MDF / Central
Core Interconnect     | BGP, IGP          | MDF / Central
Core + Edge           | BGP, MPLS, EVPN   | MDF / Edge
Extended Access / IoT | STP, REP          | IDF / Field
Collapsed Core        | OSPF, EIGRP, IS-IS | MDF / Building

Multilayer Architecture Anti-Patterns: What Not to Build

Understanding what not to do is just as important as knowing the correct approach. Common anti-patterns in campus network design include:

  1. Flat Layer 2 networks — Extending VLANs across the entire campus without Layer 3 boundaries creates massive fault domains where a single spanning tree issue can bring down the entire network

  2. Missing hierarchy — Connecting all switches in a mesh without clear access, distribution, and core roles makes the network impossible to troubleshoot and scale

  3. Oversized fault domains — Failing to create clear demarcations between building blocks means that problems propagate widely instead of being contained

  4. Ignoring Layer 3 at distribution — Not routing at the distribution layer forces all inter-VLAN traffic through a single point, creating bottlenecks and single points of failure

  5. Underspecified core — Deploying core switches that lack the capacity for the full routing table, high-speed forwarding, and virtualization features leads to performance degradation as the campus grows

Pro Tip: When evaluating a campus design, ask yourself: "If this switch fails, what breaks?" If the answer is "everything," your fault domains are too large and you need to revisit your hierarchical design.
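
The "if this switch fails, what breaks?" question can be answered for every switch at once by treating the design as a graph. The following Python model is an added example, not part of the original article; both topologies and all switch names are constructed, and it assumes a wiring closet is "broken" when its access switch has no remaining path to any core switch (link failures and capacity are not modeled).

```python
from collections import deque

# Constructed 3-tier design: two building blocks, each with a redundant
# distribution pair, dual-homed access switches, and a redundant core.
HIERARCHICAL = [("core1", "core2"), ("distA1", "distA2"), ("distB1", "distB2")]
for blk in "AB":
    for dist in (f"dist{blk}1", f"dist{blk}2"):
        HIERARCHICAL += [(dist, "core1"), (dist, "core2"),
                         (f"acc{blk}1", dist), (f"acc{blk}2", dist)]
HIER_CORE = ["core1", "core2"]
HIER_ACCESS = ["accA1", "accA2", "accB1", "accB2"]

# Constructed anti-pattern: one aggregation switch, one core, and access
# switches daisy-chained off each other.
FLAT = [("core1", "agg1"), ("agg1", "acc1"), ("agg1", "acc2"),
        ("acc2", "acc3"), ("acc3", "acc4")]
FLAT_CORE = ["core1"]
FLAT_ACCESS = ["acc1", "acc2", "acc3", "acc4"]


def build(links):
    """Build an undirected adjacency map from (a, b) link pairs."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, sources, failed):
    """Breadth-first search from the surviving sources, skipping the failed node."""
    seen = {s for s in sources if s != failed}
    queue = deque(seen)
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt != failed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def blast_radius(links, core, access):
    """Map each switch to the access switches cut off from the core if it fails."""
    adj = build(links)
    result = {}
    for failed in adj:
        alive = reachable(adj, core, failed)
        result[failed] = sorted(a for a in access if a not in alive)
    return result


def worst_fraction(links, core, access):
    """Largest share of access switches lost to any single switch failure."""
    radius = blast_radius(links, core, access)
    return max(len(lost) for lost in radius.values()) / len(access)


if __name__ == "__main__":
    for label, links, core, access in (
        ("hierarchical", HIERARCHICAL, HIER_CORE, HIER_ACCESS),
        ("flat", FLAT, FLAT_CORE, FLAT_ACCESS),
    ):
        print(label, "worst single failure:",
              f"{worst_fraction(links, core, access):.0%} of closets")
        for switch, lost in blast_radius(links, core, access).items():
            print(f"  {switch:8s} -> {lost}")
```

In the hierarchical topology no distribution or core failure isolates any closet, while in the flat one the aggregation switch, the single core, and even a mid-chain access switch each take several closets down.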

Frequently Asked Questions

What is the difference between a 2-tier and 3-tier campus network design?

A 2-tier campus network design, also known as a collapsed core design, combines the core and distribution layers onto the same physical devices. The access layer remains separate. This approach is suitable for small-to-medium campus environments where the number of distribution blocks does not justify dedicated core switches. A 3-tier design deploys dedicated devices at each layer — access, distribution, and core — providing maximum scalability, fault isolation, and the ability to grow each layer independently. The choice between 2-tier and 3-tier depends on the campus size, growth projections, and performance requirements.

Which routing protocols are recommended for campus network design?

For interior campus routing between the distribution and core layers, OSPF, IS-IS, or EIGRP are the recommended protocols. Each has its strengths: OSPF is standards-based and widely supported, IS-IS scales well in large environments and is common in service provider networks, and EIGRP offers fast convergence and simple configuration in environments that are exclusively using compatible platforms. At the core edge where the campus connects to external domains such as WAN and ISP, BGP is the recommended protocol for its ability to handle large routing tables and support complex routing policies.

Should I use Layer 2 or routed access at the access layer?

The traditional campus access design uses Layer 2 switching at the access layer, with VLANs extending from access to distribution where the Layer 3 boundary resides. This approach is well-understood and supports features like VLAN-based segmentation and dynamic VLAN assignment through 802.1X. Routed access pushes the Layer 3 boundary down to the access switch, eliminating Spanning Tree Protocol between access and distribution. Routed access provides faster convergence and simpler troubleshooting but requires each access switch to participate in the routing domain. Modern campus designs increasingly favor routed access for its operational simplicity and improved convergence characteristics.

How does StackWise Virtual (SVL) improve campus network design?

StackWise Virtual allows two physical Catalyst 9000 chassis to operate as a single logical switch. This simplifies the network topology by eliminating the need for First Hop Redundancy Protocols (FHRP) and complex STP configurations at the distribution and core layers. With SVL, what would otherwise be two independent switches requiring protocol-based redundancy becomes a single management entity. This reduces configuration complexity, improves convergence times, and simplifies troubleshooting. SVL is commonly deployed at the distribution and core layers of the campus hierarchy.

What are Places in the Network (PINs) in campus network design?

Places in the Network (PINs) is a framework for understanding how different network domains connect and interact. The campus network is one PIN that must integrate with other PINs including the data center, WAN, ISP, and cloud. Each PIN has its own design requirements, protocols, and hardware platforms. The campus core and edge tiers serve as the integration points where the campus PIN connects to other PINs. Understanding the PIN model helps network architects design clean boundaries and appropriate protocol transitions between domains.

What is the role of NetFlow and AVC in campus networks?

Flexible NetFlow provides visibility into traffic flows across the campus network, enabling capacity planning, security analysis, and application performance monitoring. Application Visibility and Control (AVC) extends this capability by identifying applications within network flows, even when traditional port-based identification is insufficient. Encrypted Performance Analytics (EPA) and Encrypted Traffic Analytics (ETA) provide visibility into encrypted traffic without decryption, using metadata analysis to identify applications and detect threats. These features are typically deployed at the access layer for per-flow visibility and at the distribution and core layers for aggregated reporting.

Conclusion

Mastering campus network design with multilayer architectures is fundamental for any network professional working in enterprise environments, and it is an essential competency for CCIE Enterprise certification. The hierarchical model of access, distribution, and core layers provides a proven framework that delivers scalability, fault isolation, deterministic traffic patterns, and operational simplicity.

The key takeaways from this deep dive are:

  1. Always design in three logical layers — Even when collapsing physical tiers, ensure all access, distribution, and core functions are fulfilled
  2. Build with modular building blocks — Repeatable distribution-access blocks that connect to the core make the network easy to grow and troubleshoot
  3. Right-size your fault domains — Use Layer 3 boundaries at the distribution layer to contain failures within building blocks
  4. Select platforms for their layer — Access needs port density and PoE; distribution needs policy features and medium-scale tables; core needs high-speed forwarding and large routing tables
  5. Layer security throughout — Apply 802.1X and First Hop Security at access, ACLs at distribution, and boundary security at the core edge
  6. Plan for integration — Design the core and edge tiers with connectivity to WAN, data center, and ISP domains in mind
  7. Consider modern overlays — Technologies like SD-Access, EVPN, and LISP bring automation and policy-driven segmentation to the campus

Campus network design continues to evolve with technologies like SD-Access and intent-based networking, but the foundational principles of hierarchical multilayer architecture remain as relevant as ever. A solid understanding of these principles ensures that you can design, deploy, and operate campus networks that meet the demands of modern enterprise environments.

To continue building your expertise in enterprise network design and prepare for your CCIE Enterprise certification, explore the training resources available at NHPREP for hands-on lab practice and in-depth technical coverage of these topics.