Network Hierarchy Design
Objective
In this lesson you will design and implement a logical network hierarchy that maps physical sites, buildings, and floors into a consistent VLAN/IP structure. We will create VLANs and SVIs for floors, configure routed uplinks between Core → Distribution → Access, and apply descriptive interface naming so the physical topology is reflected in the logical configuration. In production, a clean hierarchy reduces troubleshooting time, simplifies policy application, and enables predictable routing and fault isolation across multiple buildings and floors.
Real-world scenario: NHPREP is deploying a two-site enterprise network. Each site has multiple buildings and each building has multiple floors. The team requires a naming and addressing scheme that mirrors the physical layout so operators can rapidly identify where a problem is occurring and apply per-floor policies.
Quick Recap
This lesson builds on the physical topology introduced earlier. No new physical devices are added in this lesson — we focus on mapping the existing switches into a logical hierarchy.
ASCII topology (showing interfaces and IPs used in this lesson):
                    [Core1]
   Gi0/1 10.0.0.1/30       Gi0/2 10.0.0.5/30
            |                       |
   Gi0/1 10.0.0.2/30       Gi0/1 10.0.0.6/30
         [DistA]                 [DistB]
   Gi0/2 10.0.1.1/30       Gi0/2 10.0.2.1/30
            |                       |
   Gi0/1 10.0.1.2/30       Gi0/1 10.0.2.2/30
        [AccA-F1]               [AccB-F1]
    mgmt 192.168.1.2        mgmt 192.168.3.2
(Layer-3 links used to illustrate mapping)
IP addressing used in this lesson:
| Link / Network | Device A Interface | IP A | Device B Interface | IP B |
|---|---|---|---|---|
| Core ↔ DistA | Core1 Gi0/1 | 10.0.0.1/30 | DistA Gi0/1 | 10.0.0.2/30 |
| Core ↔ DistB | Core1 Gi0/2 | 10.0.0.5/30 | DistB Gi0/1 | 10.0.0.6/30 |
| DistA ↔ AccA-F1 | DistA Gi0/2 | 10.0.1.1/30 | AccA-F1 Gi0/1 | 10.0.1.2/30 |
| DistA SVI Floor1 | DistA Vlan10 | 192.168.10.1/24 | — | — |
| DistA SVI Floor2 | DistA Vlan20 | 192.168.20.1/24 | — | — |
| DistB SVI Floor1 | DistB Vlan30 | 192.168.30.1/24 | — | — |
| Access switch mgmt | AccA-F1 Vlan1 | 192.168.1.2/24 | AccB-F1 Vlan1 | 192.168.3.2/24 |
Device hostnames used in this lab:
| Device | Role |
|---|---|
| Core1 | Core switch/router |
| DistA | Distribution switch — Building A |
| DistB | Distribution switch — Building B |
| AccA-F1 | Access switch — Building A Floor 1 |
| AccA-F2 | Access switch — Building A Floor 2 |
| AccB-F1 | Access switch — Building B Floor 1 |
Key Concepts
- Hierarchical Design (Core / Distribution / Access) — The Core provides fast forwarding and aggregation, the Distribution enforces policies and provides floor SVIs, and Access connects endpoints. Think of the Core as a highway, Distribution as on-ramps/off-ramps, and Access as local streets.
- SVI (Switched Virtual Interface) — An SVI provides the L3 gateway for a VLAN. When you create an SVI, the switch replies to ARP and routes for that subnet; traffic destined off-switch is forwarded to the default gateway or routing peer.
- Routed Uplinks vs. Trunked Uplinks — Using routed point-to-point links between layers reduces broadcast domains and simplifies troubleshooting; trunked uplinks carry multiple VLANs and require consistent VLAN configurations on each connected switch.
- Naming & Documentation — Interface descriptions and VLAN names that include Site/Building/Floor help map logical config to physical cabling and are invaluable when responding to outages.
- Routing Behavior — In this lab we will use static routing between Core and Distribution. When an SVI is up, its subnet appears as a connected route on the distribution switch; nothing is advertised dynamically, so the Core is given static routes to the floor subnets (Step 4) and forwards traffic to the appropriate Dist interface, while each distribution switch uses a static default route toward the Core (Step 2).
Tip: In production, prefer a dynamic IGP (like OSPF) between Core and Distribution for scalability — but static routes are fine for small fixed topologies and for learning the mapping.
Step-by-step configuration
Step 1: Create VLANs and SVIs on Distribution switches
What we are doing: Define VLANs that represent floors and create SVIs with the floor gateway addresses. This maps each physical floor to a logical subnet so hosts on a floor share an IP network.
Core1# configure terminal
Core1(config)# exit
DistA# configure terminal
DistA(config)# vlan 10
DistA(config-vlan)# name SITE1-BLDG-A-FLOOR1
DistA(config-vlan)# exit
DistA(config)# vlan 20
DistA(config-vlan)# name SITE1-BLDG-A-FLOOR2
DistA(config-vlan)# exit
DistA(config)# interface Vlan10
DistA(config-if)# description SITE1-BLDG-A-FLOOR1-GW
DistA(config-if)# ip address 192.168.10.1 255.255.255.0
DistA(config-if)# no shutdown
DistA(config-if)# exit
DistA(config)# interface Vlan20
DistA(config-if)# description SITE1-BLDG-A-FLOOR2-GW
DistA(config-if)# ip address 192.168.20.1 255.255.255.0
DistA(config-if)# no shutdown
DistA(config-if)# exit
DistA(config)# end
DistB# configure terminal
DistB(config)# vlan 30
DistB(config-vlan)# name SITE1-BLDG-B-FLOOR1
DistB(config-vlan)# exit
DistB(config)# interface Vlan30
DistB(config-if)# description SITE1-BLDG-B-FLOOR1-GW
DistB(config-if)# ip address 192.168.30.1 255.255.255.0
DistB(config-if)# no shutdown
DistB(config-if)# exit
DistB(config)# end
What just happened: Each VLAN was created and given a descriptive name that includes Site, Building, and Floor. The SVI (interface VlanX) is the L3 gateway for that subnet; it will respond to ARP and forward traffic destined off-subnet. The no shutdown command activates the SVI.
Real-world note: Naming VLANs with site/building/floor makes it much easier for NOC staff to identify where a broadcast domain lives physically.
Verify:
DistA# show vlan brief
VLAN Name Status Ports
1 default active Gi0/10, Gi0/11
10 SITE1-BLDG-A-FLOOR1 active
20 SITE1-BLDG-A-FLOOR2 active
DistA# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Vlan1 unassigned YES unset administratively down down
Vlan10 192.168.10.1 YES manual up up
Vlan20 192.168.20.1 YES manual up up
GigabitEthernet0/1 10.0.0.2 YES manual up up
GigabitEthernet0/2 10.0.1.1 YES manual up up
Step 2: Configure routed uplinks Core ↔ Distribution
What we are doing: Configure L3 point-to-point links between Core1 and each Distribution switch. This provides a clear routing plane and avoids carrying VLANs over the Core.
Core1# configure terminal
Core1(config)# interface GigabitEthernet0/1
Core1(config-if)# ip address 10.0.0.1 255.255.255.252
Core1(config-if)# no shutdown
Core1(config-if)# exit
Core1(config)# interface GigabitEthernet0/2
Core1(config-if)# ip address 10.0.0.5 255.255.255.252
Core1(config-if)# no shutdown
Core1(config-if)# end
DistA# configure terminal
DistA(config)# interface GigabitEthernet0/1
DistA(config-if)# ip address 10.0.0.2 255.255.255.252
DistA(config-if)# no shutdown
DistA(config-if)# exit
DistA(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.1
DistA(config)# end
DistB# configure terminal
DistB(config)# interface GigabitEthernet0/1
DistB(config-if)# ip address 10.0.0.6 255.255.255.252
DistB(config-if)# no shutdown
DistB(config-if)# exit
DistB(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.5
DistB(config)# end
What just happened: Each uplink now carries an IP address and acts as a routed interface. Static default routes on distributions point to Core1 so that any traffic not in the local routing table is forwarded to the Core. Core1 will need routes to the floor subnets (configured in Step 4).
Real-world note: Routed uplinks reduce the risk that a misconfigured VLAN on the Core propagates across sites.
Verify:
Core1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
GigabitEthernet0/1 10.0.0.1 YES manual up up
GigabitEthernet0/2 10.0.0.5 YES manual up up
...
Core1# show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, etc.
S 192.168.10.0/24 [1/0] via 10.0.0.2
S 192.168.20.0/24 [1/0] via 10.0.0.2
S 192.168.30.0/24 [1/0] via 10.0.0.6
C 10.0.0.0/30 is directly connected, GigabitEthernet0/1
C 10.0.0.4/30 is directly connected, GigabitEthernet0/2
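(Note: the static routes to the 192.168.* networks shown above are not present yet; they appear once they are added in Step 4. At this point only the two connected /30 networks are in the table.)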
Step 3: Configure Distribution ↔ Access links and access VLANs
What we are doing: Map each access switch uplink as a routed link to the distribution switch, and configure the access switch with the appropriate VLAN and access ports for the floor. We also set a management IP for the access switch SVI to allow remote management.
DistA# configure terminal
DistA(config)# interface GigabitEthernet0/2
DistA(config-if)# ip address 10.0.1.1 255.255.255.252
DistA(config-if)# no shutdown
DistA(config-if)# description UPLINK-TO-AccA-F1
DistA(config-if)# exit
DistA(config)# end
AccA-F1# configure terminal
AccA-F1(config)# interface GigabitEthernet0/1
AccA-F1(config-if)# ip address 10.0.1.2 255.255.255.252
AccA-F1(config-if)# no shutdown
AccA-F1(config-if)# description UPLINK-TO-DistA
AccA-F1(config-if)# exit
AccA-F1(config)# vlan 10
AccA-F1(config-vlan)# name SITE1-BLDG-A-FLOOR1
AccA-F1(config-vlan)# exit
AccA-F1(config)# interface Vlan1
AccA-F1(config-if)# ip address 192.168.1.2 255.255.255.0
AccA-F1(config-if)# no shutdown
AccA-F1(config-if)# exit
AccA-F1(config)# interface GigabitEthernet0/2
AccA-F1(config-if)# switchport mode access
AccA-F1(config-if)# switchport access vlan 10
AccA-F1(config-if)# description ACCESS-PORT-FLOOR1-USER
AccA-F1(config-if)# end
What just happened: The Dist ↔ Access uplink is a routed L3 link (10.0.1.1/30 ↔ 10.0.1.2/30). The access switch has VLAN 10 for the floor and an access port assigned to VLAN 10. The access switch also has a management SVI (Vlan1) for remote management. With this mapping, hosts on AccA-F1 Gi0/2 in VLAN 10 will use 192.168.10.1 (DistA SVI) as their gateway; the access switch forwards inter-VLAN traffic to the distribution when necessary.
Real-world note: Some designs use trunked uplinks with SVIs at the distribution; routed uplinks are simpler for labs and provide clear L3 boundaries.
Verify:
AccA-F1# show ip interface brief
Interface IP-Address OK? Method Status Protocol
Vlan1 192.168.1.2 YES manual up up
GigabitEthernet0/1 10.0.1.2 YES manual up up
GigabitEthernet0/2 unassigned YES unset up up
AccA-F1# show vlan brief
VLAN Name Status Ports
1 default active Gi0/1
10 SITE1-BLDG-A-FLOOR1 active Gi0/2
Step 4: Add static routes on the Core to reach floor subnets
What we are doing: Tell the Core how to reach each floor subnet by adding static routes that point to the Distribution switches. This step closes the routing plane so traffic from other sites or shared services can reach floor networks.
Core1# configure terminal
Core1(config)# ip route 192.168.10.0 255.255.255.0 10.0.0.2
Core1(config)# ip route 192.168.20.0 255.255.255.0 10.0.0.2
Core1(config)# ip route 192.168.30.0 255.255.255.0 10.0.0.6
Core1(config)# end
What just happened: The Core now has specific routes for each floor subnet that point to the distribution uplink IP addresses. When the Core receives traffic destined to a floor subnet, it forwards the packets to the correct Distribution router which then delivers to the SVI and the access network.
Real-world note: In larger networks, an IGP (like OSPF) would dynamically advertise these networks and handle failover. Static routes are simple but require manual changes when topology changes.
Verify:
Core1# show ip route
Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP
S 192.168.10.0/24 [1/0] via 10.0.0.2
S 192.168.20.0/24 [1/0] via 10.0.0.2
S 192.168.30.0/24 [1/0] via 10.0.0.6
C 10.0.0.0/30 is directly connected, GigabitEthernet0/1
C 10.0.0.4/30 is directly connected, GigabitEthernet0/2
Core1# ping 192.168.10.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.10.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/2 ms
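A pre-change check for the Step 4 routes, added here as an example and not part of the original lesson: it confirms that every Core static route points at a Dist uplink on a connected /30 and that the Dist behind that next hop actually owns the floor subnet. The data structures and the function name audit_core_routes are assumptions of this example; the addresses are taken from the lesson's addressing table.

```python
import ipaddress

# Constructed from the lesson's addressing table, not read from a device.
CORE_LINKS = ["10.0.0.1/30", "10.0.0.5/30"]          # Core1 Gi0/1, Gi0/2
DIST = {
    "DistA": {"uplink": "10.0.0.2/30", "svis": ["192.168.10.1/24", "192.168.20.1/24"]},
    "DistB": {"uplink": "10.0.0.6/30", "svis": ["192.168.30.1/24"]},
}
CORE_ROUTES = [                                       # as entered in Step 4
    "ip route 192.168.10.0 255.255.255.0 10.0.0.2",
    "ip route 192.168.20.0 255.255.255.0 10.0.0.2",
    "ip route 192.168.30.0 255.255.255.0 10.0.0.6",
]

def audit_core_routes(route_lines, core_links=CORE_LINKS, dist=DIST):
    """Return findings as strings; an empty list means routes match the plan."""
    core_nets = [ipaddress.ip_interface(a).network for a in core_links]
    owner = {ipaddress.ip_interface(d["uplink"]).ip: n for n, d in dist.items()}
    floors = {n: {ipaddress.ip_interface(s).network for s in d["svis"]}
              for n, d in dist.items()}
    findings, covered = [], set()
    for line in route_lines:
        _, _, net, mask, hop = line.split()
        dest = ipaddress.ip_network(f"{net}/{mask}")
        hop = ipaddress.ip_address(hop)
        if not any(hop in n for n in core_nets):
            findings.append(f"{dest}: next hop {hop} is not on a connected Core link")
        elif hop not in owner:
            findings.append(f"{dest}: next hop {hop} is not a Dist uplink address")
        elif dest not in floors[owner[hop]]:
            findings.append(f"{dest}: sent to {owner[hop]}, which has no SVI there")
        else:
            covered.add(dest)
    # Any floor subnet without a correct route is unreachable from the Core.
    for name, nets in floors.items():
        for n in sorted(nets - covered):
            findings.append(f"{n}: floor subnet on {name} has no valid Core route")
    return findings
```

Calling audit_core_routes(CORE_ROUTES) returns an empty list for the routes as written in Step 4; a route pointed at the wrong distribution switch is reported both as misdirected and as leaving its floor subnet without a valid route.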
Step 5: Apply descriptive interface naming and document hierarchy
What we are doing: Add descriptive interface descriptions and ensure VLAN names include Site/Building/Floor. This is pure documentation in the config but critical operationally — when a NOC engineer sees an interface description they immediately know the physical termination point.
DistA# configure terminal
DistA(config)# interface GigabitEthernet0/1
DistA(config-if)# description UPLINK-TO-Core1_SITE1
DistA(config-if)# exit
DistA(config)# interface Vlan10
DistA(config-if)# description SITE1_BLDG_A_FLOOR1_GW
DistA(config-if)# exit
DistA(config)# end
AccA-F1# configure terminal
AccA-F1(config)# interface GigabitEthernet0/2
AccA-F1(config-if)# description Access-User-Desk-Floor1-BldgA
AccA-F1(config-if)# exit
AccA-F1(config)# end
What just happened: Descriptions were added and are visible in various show commands. Descriptive naming does not change packet forwarding but dramatically improves maintainability and troubleshooting.
Real-world note: Operators often standardize descriptions (e.g., SITE-BLDG-FLR-RACK-PORT) and enforce them via scripts or templates.
Verify:
DistA# show interfaces description
Interface Status Protocol Description
GigabitEthernet0/1 up up UPLINK-TO-Core1_SITE1
GigabitEthernet0/2 up up UPLINK-TO-AccA-F1
Vlan10 up up SITE1_BLDG_A_FLOOR1_GW
Vlan20 up up SITE1-BLDG-A-FLOOR2-GW
AccA-F1# show interfaces GigabitEthernet0/2 description
Interface Status Protocol Description
Gi0/2 up up Access-User-Desk-Floor1-BldgA
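One way to enforce a description standard by script, as the real-world note above suggests. This is an added example, not part of the original lesson: the two regular expressions are an assumed convention (upper case, hyphen separated), and parse_labels and lint are names chosen for this example. The sample reuses labels from Steps 1 and 5, so the switch from hyphens to underscores in Step 5 is the kind of drift it reports.

```python
import re

# Assumed convention for this example (the lesson gives only the general
# pattern): upper case, hyphen separated, SITE<n>-BLDG-<x>-FLOOR<n>[-ROLE].
FLOOR = re.compile(r"^SITE\d+-BLDG-[A-Z]-FLOOR\d+(-[A-Z0-9]+)?$")
UPLINK = re.compile(r"^UPLINK-TO-[A-Za-z0-9-]+$")
STANZA = re.compile(r"^(vlan \d+|interface \S+)$")

# Constructed sample: stanzas as configured in this lesson, plus one
# hypothetical interface (GigabitEthernet0/3) that has no description.
SAMPLE = """\
vlan 10
 name SITE1-BLDG-A-FLOOR1
interface GigabitEthernet0/1
 description UPLINK-TO-Core1_SITE1
interface GigabitEthernet0/3
 ip address 10.0.9.1 255.255.255.252
interface Vlan10
 description SITE1_BLDG_A_FLOOR1_GW
interface Vlan20
 description SITE1-BLDG-A-FLOOR2-GW
ip route 0.0.0.0 0.0.0.0 10.0.0.1
"""

def parse_labels(config):
    """Map each vlan/interface stanza to its name or description (None if absent)."""
    labels, current = {}, None
    for raw in config.splitlines():
        if not raw.startswith(" "):            # top-level line starts a new context
            m = STANZA.match(raw.strip())
            current = m.group(1) if m else None
            if current:
                labels[current] = None
        elif current:
            key, _, value = raw.strip().partition(" ")
            if key in ("name", "description"):
                labels[current] = value
    return labels

def lint(config):
    """Return (stanza, problem) pairs for missing or off-convention labels."""
    findings = []
    for stanza, label in parse_labels(config).items():
        if label is None:
            findings.append((stanza, "no name/description"))
        elif not (UPLINK if label.startswith("UPLINK") else FLOOR).match(label):
            findings.append((stanza, f"off-convention: {label}"))
    return findings
```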
Verification Checklist
- Check 1: SVIs present and up on Distribution. Run show ip interface brief on DistA/DistB; expect the VLAN interfaces to be up up with the configured IPs.
- Check 2: Routed uplinks are up and have correct IPs. Run show ip interface brief on Core1 and Distribution; expect the /30 addresses to match the diagram.
- Check 3: Core has routes to all floor subnets. Run show ip route on Core1; expect static routes to 192.168.10.0/24, 192.168.20.0/24, 192.168.30.0/24 pointing to the correct Dist addresses.
- Check 4: Access ports are in correct VLANs. Run show vlan brief on access switches; expect floor VLANs and ports assigned.
Common Mistakes
| Symptom | Cause | Fix |
|---|---|---|
| SVIs show as "administratively down" | no shutdown not applied to interface VlanX | Enter interface VlanX and use no shutdown |
| Core cannot reach floor subnets | No static routes or IGP entries on Core for floor networks | Add ip route on Core pointing to Dist uplink IP (as shown) |
| Access hosts cannot reach gateway | Access port assigned to wrong VLAN or VLAN missing on Distribution | Verify show vlan brief on access/dist and ensure access port is in the right VLAN and SVI exists |
| Interface descriptions not informative | No naming convention used | Standardize descriptions to SITE-BLDG-FLR-ROLE and apply to uplinks/access ports |
Key Takeaways
- A clear hierarchical mapping from site → building → floor into VLAN names, interface descriptions, and addressing makes operations and troubleshooting far easier in production.
- Use SVIs on the distribution layer to represent floor gateways; ensure they are up (no shutdown) and reachable from the Core.
- Routed point-to-point uplinks keep VLAN scope limited and simplify the control plane; on larger networks move to an IGP like OSPF.
- Consistent naming conventions and documenting interface descriptions are low-effort, high-value practices that save time during outages.
Final tip: After you finish configuring, take a backup of the running configuration and save an inventory spreadsheet that maps physical rack/port to the logical names you used here. This saves hours during real incident response.