Design resilient and scalable campus network architectures using hierarchical and collapsed models
Apply technical and operational constraints to campus network design decisions
Evaluate traditional vs software-defined campus architectures
Select the appropriate redundancy model (FHRP, VSS, StackWise Virtual, routed access) for a given set of requirements
Integrate wireless and QoS into a cohesive campus design
Pre-Study Assessment
Answer these questions before studying the material to gauge your current knowledge.
Pre-Quiz
1. In a three-tier campus hierarchy, which layer is responsible for policy enforcement, route summarization, and VLAN termination?
Access layer
Core layer
Distribution layer
Aggregation layer
2. When should an enterprise migrate from a collapsed core to a three-tier architecture?
When the campus has fewer than two distribution blocks
When cross-campus traffic exceeds the collapsed core's capacity or fault isolation becomes critical
When wireless is first deployed
When QoS policies are first implemented
3. What is the primary advantage of a routed access layer design over a traditional Layer 2 access design?
It allows VLANs to span across multiple access switches
It eliminates the need for STP, FHRP, and EtherChannel at the access-to-distribution boundary
It reduces the cost of access switches
It enables centralized wireless controller placement
4. In a spine-leaf campus architecture, how many hops does traffic traverse between any two leaf switches?
One hop
Three hops
Exactly two hops
Variable, depending on STP topology
5. What is the best achievable convergence time for FHRP with sub-second timer tuning?
50 ms
200 ms
Approximately 800 ms
3 seconds
6. What critical requirement must be met for both members in a StackWise Virtual domain?
They must be in different buildings for geographic redundancy
They must be identical models running the same software version
They must use VSL proprietary links
They must run different IOS versions for diversity
7. In a centralized wireless controller model, what is the primary scalability limitation?
Maximum number of SSIDs supported
WLC uplink bandwidth becomes a bottleneck as wireless throughput increases
The controller cannot support more than 100 APs
CAPWAP tunnels cannot traverse Layer 3 boundaries
8. What is the maximum recommended bandwidth allocation for the Low-Latency Queue (LLQ) priority queue?
10% of link bandwidth
50% of link bandwidth
33% of link bandwidth
75% of link bandwidth
9. What is the maximum horizontal cable run for copper cabling per TIA/EIA-568 standards?
50 meters
100 meters
200 meters
300 meters
10. What does campus QoS primarily protect against?
Sustained WAN congestion
Microburst-induced packet loss on high-speed campus links
DNS resolution delays
ARP broadcast storms
11. In BGP EVPN VXLAN campus fabric, what replaces traditional FHRP for gateway redundancy?
HSRP with sub-second timers
GLBP active/active load sharing
Distributed Anycast Gateway providing active-active gateways on every leaf
Static default routes on each leaf
12. Why must the FHRP active gateway align with the STP root bridge for the same VLAN?
To reduce CPU utilization on the distribution switches
To avoid suboptimal traffic paths where data crosses the inter-switch link unnecessarily
To comply with IEEE 802.1D requirements
To enable PoE on downstream access ports
13. What PoE standard is required for Wi-Fi 6E and Wi-Fi 7 access points?
802.3af (15.4W)
802.3at (30W)
802.3bt (60-90W)
USB-C Power Delivery
14. A hospital wants a flat network but processes electronic health records. What regulatory constraint overrides their preference?
PCI DSS mandates cardholder data isolation
SOX requires change management audit trails
HIPAA requires network segmentation for protected health information
GDPR mandates data residency within the EU
15. What is the primary trade-off of routed access that may require overlay technologies like VXLAN?
Routed access has slower convergence than STP
Routed access cannot support PoE on access ports
VLANs cannot span across access switches, breaking Layer 2 adjacency for host mobility
Routed access requires proprietary hardware
Section 1: Campus Architecture Models
Three-Tier Hierarchical Campus Design
The three-tier model divides the campus into three functional layers governed by hierarchy, modularity, and resiliency:
Access Layer: Connects end devices (PCs, IP phones, APs, cameras). Provides PoE and port security. Operates at Layer 2 in traditional designs.
Distribution Layer: The policy enforcement boundary. Implements FHRP gateway redundancy, QoS, ACLs, route summarization, and VLAN termination. Each distribution pair plus its access switches forms a "functional distribution block."
Core Layer: High-speed, highly resilient transport between distribution blocks. Must never perform filtering or marking that would slow traffic.
Figure 9.1: Three-Tier Hierarchical Campus Architecture with Two Distribution Blocks
Animation: Packet traversal through three-tier hierarchy -- show a frame entering at the access layer, being policy-checked at distribution, and routed through the core to a second distribution block.
Key Points -- Three-Tier Hierarchy
Each layer has a defined role: access connects, distribution controls, core transports.
A "functional distribution block" (distribution pair + access switches) is the modular unit of the campus.
The core must never perform packet manipulation -- its purpose is speed and resilience.
Fault domains are confined to individual blocks, enabling independent changes and upgrades.
Collapsed Core and Two-Tier Designs
When the campus is small (no more than 2-3 distribution blocks), core and distribution functions combine into a collapsed core. Migrate to three-tier when cross-campus traffic exceeds capacity, distribution blocks multiply, or fault isolation becomes critical.
| Attribute | Collapsed Core (Two-Tier) | Three-Tier |
|---|---|---|
| Cost | Lower (fewer devices, less cabling) | Higher (dedicated core switches) |
| Scalability | Limited; full-mesh complexity grows rapidly as blocks are added | Highly scalable via modular distribution blocks |
| Fault Isolation | Reduced; the collapsed layer is a shared failure domain | Stronger; each distribution block is an independent fault domain behind the core |
Figure 9.2: Decision Flowchart -- Collapsed Core vs. Three-Tier
Key Points -- Collapsed Core
Appropriate when the campus has no more than two or three distribution blocks and cross-campus traffic stays within what the collapsed layer can carry.
Acts like a small town's Main Street serving as both local road and highway bypass -- works until growth demands separation.
Migrate to three-tier when capacity, block count, or fault isolation requirements grow.
Routed Access Layer Design
Routed access moves the Layer 2/Layer 3 boundary down to the access switch. Each access switch becomes a Layer 3 routing node with point-to-point routed uplinks (OSPF or EIGRP).
What it eliminates at the access-to-distribution boundary: STP, EtherChannel bundling, FHRP (HSRP/VRRP/GLBP), and the need for VSS/StackWise Virtual as a Layer 2 anchor for the access uplinks.
What it provides: Sub-200 ms convergence, per-flow ECMP load balancing, simpler configuration.
The trade-off: VLANs cannot span across access switches. If host mobility requires Layer 2 adjacency across switches, overlay technologies (VXLAN, campus fabric) are needed.
graph TD
subgraph Eliminated["Protocols Eliminated by Routed Access"]
STP["Spanning Tree\nProtocol"]
FHRP["FHRP\n(HSRP/VRRP/GLBP)"]
EC["EtherChannel\nBundling"]
VSSn["VSS / StackWise\nVirtual"]
end
RA["Routed Access\nDesign"] -->|removes| STP
RA -->|removes| FHRP
RA -->|removes| EC
RA -->|removes| VSSn
RA -->|provides| ECMP["ECMP Load\nBalancing"]
RA -->|provides| Conv["Sub-200 ms\nConvergence"]
RA -->|provides| Simp["Simplified\nConfiguration"]
style RA fill:#1e8449,color:#fff
style STP fill:#c0392b,color:#fff
style FHRP fill:#c0392b,color:#fff
style EC fill:#c0392b,color:#fff
style VSSn fill:#c0392b,color:#fff
style ECMP fill:#2e86c1,color:#fff
style Conv fill:#2e86c1,color:#fff
style Simp fill:#2e86c1,color:#fff
Figure 9.3: Routed Access -- Protocols Eliminated and Capabilities Gained
Animation: Side-by-side comparison of STP-based access (blocked ports, FHRP failover delay) vs. routed access (all links active, ECMP distribution).
Key Points -- Routed Access
Single most impactful simplification: eliminates STP, FHRP, and EtherChannel at the access-to-distribution boundary.
Sub-200 ms convergence via standard routing protocol tuning.
VLANs are local to each access switch -- no cross-switch Layer 2 adjacency without overlays.
Hybrid designs are common: routed uplinks but StackWise Virtual at distribution for MEC support.
Spine-Leaf Campus Architectures
Originally a data center topology, spine-leaf is increasingly used in campus networks as "campus fabric." Every leaf connects to every spine; traffic between any two leaves traverses exactly two hops with predictable latency. ECMP routing replaces STP entirely.
| Attribute | Three-Tier Hierarchical | Spine-Leaf |
|---|---|---|
| Loop prevention | Spanning Tree Protocol | ECMP routing |
| Path predictability | Variable (STP-dependent) | Deterministic (always 2 hops) |
| Traffic pattern fit | North-south (client-server) | East-west (lateral, server-server) |
| Scalability model | Add distribution blocks + core capacity | Add spine or leaf switches independently |
Modern campus fabric: BGP EVPN VXLAN replaces STP with EVPN multihoming, replaces FHRP with Distributed Anycast Gateway, uses VXLAN to encapsulate L2 in L3, and distributes MAC/IP via MP-BGP.
SD-Access is an alternative using LISP (control), VXLAN (data), and CTS/SGT (policy).
Figure 9.4: Spine-Leaf Campus Topology with Full-Mesh ECMP
Key Points -- Spine-Leaf
Every leaf-to-leaf path is exactly 2 hops -- deterministic, predictable latency.
BGP EVPN VXLAN unifies control plane (MP-BGP), data plane (VXLAN), and eliminates STP and FHRP.
Best fit for east-west traffic patterns; scales by adding spines or leaves independently.
For very large deployments, Multi-Site overlay design is needed to contain blast radius.
Section 2: Campus Resilience and Scalability
Redundancy Models: FHRP, VSS, StackWise Virtual
First Hop Redundancy Protocols (FHRP)
| Protocol | Type | Load Sharing | Key Characteristic |
|---|---|---|---|
| HSRP | Cisco proprietary | Active/Standby per group | Most widely deployed; per-VLAN load sharing by running multiple groups with alternating priorities |
| VRRP | Industry standard (VRRPv3, RFC 5798) | Active/Standby per group | The master may own the virtual IP directly (the VIP can be the master's real interface address) |
| GLBP | Cisco proprietary | Active/Active via AVG/AVF | True per-host load sharing, but risks asymmetric routing |
Critical design rules: Best achievable convergence is roughly 800 ms with sub-second hello/hold timers. Set the preempt delay to the switch's boot time plus about 50% so the routing table has converged before the router reclaims the active role; otherwise traffic is black-holed at a gateway with no routes. The FHRP active gateway must be the STP root bridge for the same VLAN, or upstream traffic crosses the inter-switch link needlessly. In Layer 2 access designs, FHRPs run at the distribution layer only.
VSS (Legacy) and StackWise Virtual (Modern)
VSS (Catalyst 4500/6500) combined two switches into one logical entity with a proprietary VSL interconnect. It is superseded by StackWise Virtual (Catalyst 9000), which uses standard Ethernet SVL links.
StackWise Virtual provides: single control plane (Active/Standby), SSO for hitless switchover, NSF for continuous forwarding, MEC for cross-chassis port channels, and DAD for split-brain prevention.
Critical: Both members must be identical models running the same software version.
Key Points -- Redundancy Models
FHRP active gateway must align with the STP root bridge; misalignment causes suboptimal forwarding.
StackWise Virtual requires identical models and the same software version on both members.
DAD (Dual Active Detection) prevents split-brain if the SVL link fails.
SVL is typically deployed at core and distribution layers, not access.
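The alignment rule above (HSRP active router and STP root bridge must be the same switch for each VLAN) is easy to break during a maintenance window, so it is worth checking mechanically. The following Python script is an added example, not code from the original page or from Cisco: it parses the text of `show standby brief` and `show spanning-tree root` as collected from one distribution switch and lists the VLANs where the two roles disagree. The two command outputs embedded below are constructed samples that follow the IOS column layout; the interface names, VLAN numbers, priorities and addresses are invented for illustration, and the parsing expressions assume that layout.

```python
"""Flag VLANs where the HSRP active router and the STP root bridge disagree.

Added example (not from the original page). Run both show commands on ONE
distribution switch and feed the text to find_misalignment(); it reports
VLANs where that switch is HSRP Active but not STP root, or STP root while
only HSRP Standby. Sample outputs are constructed; verify the column layout
on your own platform before trusting the regexes.
"""
import re

# Constructed sample: `show standby brief` on distribution switch DIST-A.
# "local" marks the switch the command was run on.
SHOW_STANDBY_BRIEF = """\
                     P indicates configured to preempt.
                     |
Interface   Grp  Pri P State   Active          Standby         Virtual IP
Vl10        10   110 P Active  local           10.1.10.3       10.1.10.1
Vl20        20   90  P Standby 10.1.20.3       local           10.1.20.1
Vl30        30   110 P Active  local           10.1.30.3       10.1.30.1
"""

# Constructed sample: `show spanning-tree root` on the same switch.
# Root cost 0 and an empty Root Port column mean this switch IS the root.
SHOW_SPANNING_TREE_ROOT = """\
                                        Root    Hello Max Fwd
Vlan                   Root ID          Cost    Time  Age Dly  Root Port
---------------- -------------------- --------- ----- --- ---  ------------
VLAN0010         24586 0011.2233.4455         0    2   20  15
VLAN0020         24596 0066.7788.9900         4    2   20  15  Po1
VLAN0030         24606 0066.7788.9900         4    2   20  15  Po1
"""

# One HSRP row: interface, group, priority, optional "P" preempt flag, state...
STANDBY_RE = re.compile(
    r"^Vl(?P<vlan>\d+)\s+(?P<grp>\d+)\s+(?P<pri>\d+)\s+(?P<preempt>P?)\s*"
    r"(?P<state>\w+)\s+(?P<active>\S+)\s+(?P<standby>\S+)\s+(?P<vip>\S+)"
)
# One STP root row: VLAN, root priority, root MAC, root cost, timers, root port.
STP_ROOT_RE = re.compile(
    r"^VLAN0*(?P<vlan>\d+)\s+(?P<prio>\d+)\s+(?P<mac>[0-9a-f.]+)\s+"
    r"(?P<cost>\d+)\s+\d+\s+\d+\s+\d+\s*(?P<root_port>\S*)"
)


def parse_hsrp_active(text):
    """Map VLAN -> True if this switch is the HSRP Active router for that VLAN."""
    result = {}
    for line in text.splitlines():
        m = STANDBY_RE.match(line)
        if m:
            result[int(m["vlan"])] = m["state"] == "Active"
    return result


def parse_stp_root(text):
    """Map VLAN -> True if this switch is the STP root bridge for that VLAN."""
    result = {}
    for line in text.splitlines():
        m = STP_ROOT_RE.match(line)
        if m:
            result[int(m["vlan"])] = m["cost"] == "0" and m["root_port"] == ""
    return result


def find_misalignment(standby_text, stp_text):
    """Return [(vlan, problem)] for every VLAN whose HSRP and STP roles disagree."""
    hsrp = parse_hsrp_active(standby_text)
    stp = parse_stp_root(stp_text)
    issues = []
    for vlan in sorted(set(hsrp) | set(stp)):
        if vlan not in hsrp or vlan not in stp:
            issues.append((vlan, "missing-data"))   # VLAN seen in only one output
        elif hsrp[vlan] != stp[vlan]:
            problem = ("HSRP Active but not STP root" if hsrp[vlan]
                       else "STP root but HSRP Standby")
            issues.append((vlan, problem))
    return issues


if __name__ == "__main__":
    for vlan, problem in find_misalignment(SHOW_STANDBY_BRIEF, SHOW_SPANNING_TREE_ROOT):
        print(f"VLAN {vlan}: {problem}")
```

In the constructed sample, VLAN 30 is flagged: DIST-A is HSRP Active but the root bridge for VLAN0030 is the peer, so every upstream frame from VLAN 30 hosts is forwarded to the peer first and then crosses the inter-switch link to reach the gateway. The fix is to move one role, either lowering the STP priority for that VLAN on DIST-A or lowering the HSRP priority so the peer becomes Active, and re-running the check.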
STP vs. Routed Access Trade-offs
| Attribute | STP-Based (Layer 2 Access) | Routed Access (Layer 3) |
|---|---|---|
| Loop prevention | STP (blocked ports = wasted bandwidth) | Routing protocol (all links active) |
| Convergence | Sub-second to a few seconds (RSTP); 30-50 seconds (classic 802.1D STP) | Sub-200 ms with tuned OSPF/EIGRP |
| Gateway redundancy | FHRP required | Not needed; each access switch is its own gateway |
| VLAN spanning | VLANs can span multiple access switches | VLANs local to each access switch |
| Host mobility | L2 adjacency preserved across switches | Requires an overlay (VXLAN) for cross-switch mobility |
STP still appropriate: Legacy apps requiring L2 adjacency, embedded devices that cannot support L3, brownfield migrations. Routed access wins: Greenfield deployments, converged voice/data, large campuses where STP complexity is a risk.
Wireless Integration and Controller Placement
Centralized (CAPWAP): All AP traffic tunnels to a WLC placed in the data center or core boundary. Simple but WLC uplink becomes a bottleneck with Wi-Fi 6/6E/7.
Distributed data plane (SD-Access Wireless / Fabric): Control plane remains centralized; data plane uses VXLAN from fabric APs directly to access switches. Wireless bandwidth scales with number of switches.
| AP Generation | PoE Standard | Power Requirement |
|---|---|---|
| Wi-Fi 5 (802.11ac) | 802.3af/at | 15-25 W typical |
| Wi-Fi 6 (802.11ax) | 802.3at (30 W) | 25-30 W typical |
| Wi-Fi 6E / Wi-Fi 7 | 802.3bt (60-90 W) | 30-50 W+ typical |
Design implication: Wi-Fi 6E/7 upgrades may force access switch replacement if existing switches lack 802.3bt support.
Key Points -- Wireless Integration
Centralized WLC: simple management but creates bandwidth bottleneck at controller uplinks.
Fabric wireless distributes the data plane to access switches, scaling bandwidth per-switch.
Wi-Fi 6E/7 requires 802.3bt (PoE++) -- may force access switch hardware refresh.
Campus QoS Design
Campus QoS manages microburst-induced packet loss, not sustained congestion. Voice degrades from brief queue overflows, not steady-state overload.
| Traffic Class | Max One-Way Delay | Max Jitter | Max Packet Loss |
|---|---|---|---|
| Voice | 150 ms | 30 ms | 1% |
| Interactive Video | 150 ms | 50 ms | 0.1% |
| Streaming Video | 4-5 sec (buffered) | N/A | 0.1-1% |
Trust boundary model: Infrastructure ports trust DSCP. IP phones/cameras conditionally trust CoS. User PCs/IoT reset DSCP to 0 with optional policing.
flowchart LR
subgraph Sources["Traffic Sources"]
SW["Switch-to-Switch\n(Infrastructure)"]
Phone["IP Phone /\nManaged Camera"]
PC["User PC /\nPrinter / IoT"]
end
SW -->|"Trust DSCP"| Net["Network\nForwarding"]
Phone -->|"Trust CoS\nfrom device"| Net
PC -->|"Reset DSCP to 0\nApply policer"| Net
style SW fill:#1e8449,color:#fff
style Phone fill:#d4ac0d,color:#000
style PC fill:#c0392b,color:#fff
style Net fill:#1a5276,color:#fff
Figure 9.6: QoS Trust Boundary Model
Queuing rules: LLQ priority queue max 33% of link bandwidth. Best Effort gets minimum 25%. Disable WRED on priority queues. Use policers at ingress (drop immediately), shapers at egress (buffer excess).
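The queuing rules above are simple to state and easy to violate when a policy is edited class by class, so they are best enforced before the policy reaches a switch. The Python script below is an added example, not code from the original page or from Cisco: it validates a proposed class list against the rules in this section (priority queues total at most 33% of link bandwidth, class-default keeps at least 25%, no WRED on a priority queue) and renders the result as an MQC-style policy-map. The class names, percentages and policy-map name are illustrative assumptions, and the rendered syntax (`priority percent`, `bandwidth remaining percent`, `random-detect dscp-based`) is the router-style MQC form; Catalyst 9000 switches express the priority queue differently, so treat the output as a template rather than a drop-in configuration.

```python
"""Validate campus egress queuing rules and render an MQC-style policy-map.

Added example, not from the original page. Rules enforced:
  * priority (LLQ) classes together take at most 33% of link bandwidth
  * class-default (best effort) receives at least 25%
  * WRED is never enabled on a priority class
  * non-priority classes do not over-allocate the remaining bandwidth
Class names and percentages below are illustrative assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class QueueClass:
    name: str
    percent: int            # priority percent for LLQ, bandwidth remaining percent otherwise
    priority: bool = False  # True = strict priority (LLQ) queue
    wred: bool = False      # True = enable DSCP-based WRED on this queue


def validate(classes):
    """Return a list of rule violations; an empty list means the policy passes."""
    errors = []
    llq_total = sum(c.percent for c in classes if c.priority)
    if llq_total > 33:
        errors.append(f"priority queues total {llq_total}% > 33% (starves other classes)")
    for c in classes:
        if c.priority and c.wred:
            errors.append(f"WRED enabled on priority class {c.name}")
    default = next((c for c in classes if c.name == "class-default"), None)
    if default is None:
        errors.append("class-default missing")
    elif default.priority:
        errors.append("class-default cannot be a priority queue")
    elif default.percent < 25:
        errors.append(f"class-default gets {default.percent}% < 25% minimum")
    remaining_total = sum(c.percent for c in classes if not c.priority)
    if remaining_total > 100:
        errors.append(f"non-priority classes allocate {remaining_total}% of remaining > 100%")
    return errors


def render(policy_name, classes):
    """Emit MQC configuration text for a class list that passes validate()."""
    errors = validate(classes)
    if errors:
        raise ValueError("; ".join(errors))
    lines = [f"policy-map {policy_name}"]
    for c in classes:
        lines.append(f" class {c.name}")
        if c.priority:
            lines.append(f"  priority percent {c.percent}")
        else:
            lines.append(f"  bandwidth remaining percent {c.percent}")
            if c.wred:
                lines.append("  random-detect dscp-based")
    return "\n".join(lines)


# Constructed policy that follows the rules: 33% LLQ in total, 25% best effort.
GOOD_POLICY = [
    QueueClass("VOICE", 10, priority=True),
    QueueClass("REALTIME-VIDEO", 23, priority=True),
    QueueClass("TRANSACTIONAL-DATA", 40, wred=True),
    QueueClass("BULK-DATA", 30, wred=True),
    QueueClass("SCAVENGER", 5),
    QueueClass("class-default", 25, wred=True),
]

# Constructed policy that breaks three rules: 40% LLQ, WRED on a priority
# queue, and class-default squeezed below 25%.
BAD_POLICY = [
    QueueClass("VOICE", 20, priority=True),
    QueueClass("VIDEO", 20, priority=True, wred=True),
    QueueClass("class-default", 20),
]

if __name__ == "__main__":
    print(render("CAMPUS-EGRESS", GOOD_POLICY))
    for err in validate(BAD_POLICY):
        print("BAD_POLICY:", err)
```

Running it prints the policy-map for the good class list and three findings for the bad one. Keeping the rendering behind the validator means an over-allocated priority queue cannot reach a change window by accident; the same check can run in a pre-commit hook over the YAML or JSON a team uses to describe its queuing intent.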
Key Points -- QoS
Campus QoS protects voice/video from microburst packet loss, not sustained congestion.
LLQ priority queue: max 33% of bandwidth; exceeding this starves other classes.
Policers at ingress (immediate drop), shapers at egress (buffer with added delay).
Section 3: Campus Design Constraints
Physical Infrastructure and Cabling
Copper (Cat 5e/6/6a): 100 m max horizontal run (TIA/EIA-568). Cat 6a is needed for 10GBASE-T and, with its larger conductors, heats less under high-power PoE.
PoE distance: Resistive loss grows with cable length, so a long run delivers less power to the powered device. Long runs to Wi-Fi 6E APs may need PoE extenders or a shorter pathway.
Multi-mode fiber (MMF): 10GBASE-SR reaches 300 m on OM3 and 400 m on OM4. Cost-effective between adjacent buildings.
Single-mode fiber (SMF): Several kilometers at 10G/40G/100G. Higher transceiver cost but future-proof.
IDF/MDF Closet Challenges
Common problems: inadequate cooling, insufficient power circuits (especially with 802.3bt PoE budgets), no physical security, no space for growth.
Animation: IDF closet power budget calculator -- slide showing how 48-port 802.3bt switches can exceed 2,000W and overwhelm standard circuits.
Power, Cooling, and Environmental
A 48-port 802.3bt switch at full load can draw over 2,000 watts. Design must consider per-port PoE class, N+1 power supply redundancy, UPS capacity, and generator feeds for critical closets.
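The figures in this paragraph only become a design when the per-port PoE classes, the PSU configuration and the branch circuits are put into the same calculation. The Python script below is an added example, not code from the original page or from any vendor: it budgets one access switch using the IEEE 802.3af/at/bt per-class PSE allocations (the power the switch must reserve per port, which exceeds what the device receives because of cable loss) and answers the questions a closet design has to answer: whether the PoE load fits the PSU budget, whether it still fits with one PSU failed (N+1), how many branch circuits it needs, and how much heat the closet must remove. The switch name, chassis base power, PSU ratings, efficiency and the 120 V / 20 A circuit are constructed assumptions, labelled in the code.

```python
"""IDF closet power and cooling budget for one PoE access switch.

Added example, not from the original page. The per-class PSE allocations are
the IEEE 802.3af/at/bt values; every other figure (switch base power, PSU
rating and efficiency, circuit rating) is an assumption for illustration.
"""
from dataclasses import dataclass
import math

# IEEE PSE power allocation per detected class, in watts at the switch port.
PSE_ALLOC_W = {
    0: 15.4, 1: 4.0, 2: 7.0, 3: 15.4,    # 802.3af
    4: 30.0,                             # 802.3at
    5: 45.0, 6: 60.0, 7: 75.0, 8: 90.0,  # 802.3bt
}
BTU_PER_WATT_HOUR = 3.412  # 1 W dissipated continuously = 3.412 BTU/h of heat


@dataclass(frozen=True)
class Switch:
    name: str
    base_power_w: float           # chassis/ASIC draw with no PoE load (assumed)
    psu_w: float                  # rating of each power supply (assumed)
    psu_count: int
    psu_efficiency: float = 0.90  # AC-to-DC conversion efficiency (assumed)


def poe_allocation_w(port_classes):
    """Total PSE budget the switch must reserve for the listed port classes."""
    return sum(PSE_ALLOC_W[c] for c in port_classes)


def usable_poe_w(sw, failed_psus=0):
    """PoE budget left after the chassis takes its share, with failed_psus removed."""
    return max(0.0, (sw.psu_count - failed_psus) * sw.psu_w - sw.base_power_w)


def plan_closet(sw, port_classes, volts=120, amps=20, continuous_derate=0.8):
    """Budget report for one switch fed from branch circuits of the given rating.

    continuous_derate=0.8 reflects the usual rule that a continuously loaded
    branch circuit is planned at 80% of its breaker rating.
    """
    alloc = poe_allocation_w(port_classes)
    ac_input_w = (sw.base_power_w + alloc) / sw.psu_efficiency
    circuit_w = volts * amps * continuous_derate
    return {
        "switch": sw.name,
        "poe_allocation_w": alloc,
        "fits_all_psus": alloc <= usable_poe_w(sw),
        "fits_n_plus_1": alloc <= usable_poe_w(sw, failed_psus=1),
        "ac_input_w": ac_input_w,
        "circuits_needed": math.ceil(ac_input_w / circuit_w),
        "heat_btu_per_hour": ac_input_w * BTU_PER_WATT_HOUR,
    }


# Constructed scenario: 24 Wi-Fi 6E APs (class 6) and 24 IP phones (class 3)
# on a 48-port switch with two 1100 W supplies. Assumed figures, not vendor data.
EXAMPLE_SWITCH = Switch("IDF-2-SW1", base_power_w=200.0, psu_w=1100.0, psu_count=2)
EXAMPLE_PORTS = [6] * 24 + [3] * 24

if __name__ == "__main__":
    for key, value in plan_closet(EXAMPLE_SWITCH, EXAMPLE_PORTS).items():
        shown = f"{value:.1f}" if isinstance(value, float) else str(value)
        print(f"{key:>20}: {shown}")
```

In the constructed scenario the PoE allocation is about 1,810 W, which fits the 2,000 W available with both supplies but not the 900 W left when one supply fails, so the closet either needs larger supplies or must accept that a PSU fault drops ports. The AC input of roughly 2,230 W needs two derated 20 A circuits and produces about 7,600 BTU/h of heat that passive ventilation will not remove.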
Cooling: Every watt consumed becomes a watt of heat. A fully loaded switch stack generates 3,000-5,000W. Passive ventilation is insufficient for modern high-density deployments.
IEEE 802.3az (Energy-Efficient Ethernet): Ports enter low-power idle when no traffic. Verify compatibility with latency-sensitive applications before enabling.
Regulatory and Compliance Constraints
| Regulation | Industry | Network Design Impact |
|---|---|---|
| HIPAA | Healthcare | Segmentation for PHI; access controls; audit logging |
| PCI DSS | Retail/Financial | Isolated cardholder data environment; firewalls between trust zones |
| SOX | Publicly traded | Change management controls; audit trails for network changes |
| GDPR | Any org (EU data) | Data residency constraints; encryption requirements |
Regulatory requirements often mandate segmentation the business would not otherwise request. A hospital wanting a flat network must still segment EHR traffic from guest Wi-Fi. These requirements are primary design inputs, not afterthoughts.
Key Points -- Design Constraints
Copper max 100m per TIA/EIA-568; Cat 6a for 10GBASE-T and optimal PoE.
802.3bt PoE can draw 2,000W+ per switch -- IDF power circuits and cooling must be designed accordingly.
SMF is future-proof for inter-building runs; MMF suitable for shorter campus backbone links.
Regulatory segmentation (HIPAA, PCI DSS) overrides business preferences for flat networks.
Physical constraints (cabling distance, power, cooling) and regulations are primary design inputs identified at project start.
Post-Study Assessment
Now that you have studied the material, answer the same questions again to measure your improvement.
Post-Quiz
1. In a three-tier campus hierarchy, which layer is responsible for policy enforcement, route summarization, and VLAN termination?
Access layer
Core layer
Distribution layer
Aggregation layer
2. When should an enterprise migrate from a collapsed core to a three-tier architecture?
When the campus has fewer than two distribution blocks
When cross-campus traffic exceeds the collapsed core's capacity or fault isolation becomes critical
When wireless is first deployed
When QoS policies are first implemented
3. What is the primary advantage of a routed access layer design over a traditional Layer 2 access design?
It allows VLANs to span across multiple access switches
It eliminates the need for STP, FHRP, and EtherChannel at the access-to-distribution boundary
It reduces the cost of access switches
It enables centralized wireless controller placement
4. In a spine-leaf campus architecture, how many hops does traffic traverse between any two leaf switches?
One hop
Three hops
Exactly two hops
Variable, depending on STP topology
5. What is the best achievable convergence time for FHRP with sub-second timer tuning?
50 ms
200 ms
Approximately 800 ms
3 seconds
6. What critical requirement must be met for both members in a StackWise Virtual domain?
They must be in different buildings for geographic redundancy
They must be identical models running the same software version
They must use VSL proprietary links
They must run different IOS versions for diversity
7. In a centralized wireless controller model, what is the primary scalability limitation?
Maximum number of SSIDs supported
WLC uplink bandwidth becomes a bottleneck as wireless throughput increases
The controller cannot support more than 100 APs
CAPWAP tunnels cannot traverse Layer 3 boundaries
8. What is the maximum recommended bandwidth allocation for the Low-Latency Queue (LLQ) priority queue?
10% of link bandwidth
50% of link bandwidth
33% of link bandwidth
75% of link bandwidth
9. What is the maximum horizontal cable run for copper cabling per TIA/EIA-568 standards?
50 meters
100 meters
200 meters
300 meters
10. What does campus QoS primarily protect against?
Sustained WAN congestion
Microburst-induced packet loss on high-speed campus links
DNS resolution delays
ARP broadcast storms
11. In BGP EVPN VXLAN campus fabric, what replaces traditional FHRP for gateway redundancy?
HSRP with sub-second timers
GLBP active/active load sharing
Distributed Anycast Gateway providing active-active gateways on every leaf
Static default routes on each leaf
12. Why must the FHRP active gateway align with the STP root bridge for the same VLAN?
To reduce CPU utilization on the distribution switches
To avoid suboptimal traffic paths where data crosses the inter-switch link unnecessarily
To comply with IEEE 802.1D requirements
To enable PoE on downstream access ports
13. What PoE standard is required for Wi-Fi 6E and Wi-Fi 7 access points?
802.3af (15.4W)
802.3at (30W)
802.3bt (60-90W)
USB-C Power Delivery
14. A hospital wants a flat network but processes electronic health records. What regulatory constraint overrides their preference?
PCI DSS mandates cardholder data isolation
SOX requires change management audit trails
HIPAA requires network segmentation for protected health information
GDPR mandates data residency within the EU
15. What is the primary trade-off of routed access that may require overlay technologies like VXLAN?
Routed access has slower convergence than STP
Routed access cannot support PoE on access ports
VLANs cannot span across access switches, breaking Layer 2 adjacency for host mobility
Routed access requires proprietary hardware