Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Midsize Enterprise Campus Solution Reference Architecture


The solution reference architecture was designed using a modular approach. Each of the design modules are described in detail in the following sections.

Access Module

The access module is comprised of:

  • Wired access

  • Wireless access

Wired Access

In a campus network, access switches provide network connectivity to end users by connecting IP-enabled devices such as desktops, phones, and printers. Access layer switches typically reside in the wiring closets of each floor in each physical campus facility.

Design recommendations for the access module are:

  • Port density—Needed for client connection, as well as an uplink to the aggregation/core layers to reduce the client-to-uplink oversubscription ratio

  • Scalability—On a need-to-grow basis to help reduce capital and operating expenditures

  • Flexibility—Ability to enable port density and scalability regardless of where the physical infrastructure is located

  • High availability (HA)—Redundant path, always-on power, and nonstop forwarding

  • Power over Ethernet (PoE)—Ability to enable services to devices such as phones, video endpoints, and wireless access points (WAPs) without extra power cabling, reducing capital expenditures and simplifying cabling infrastructure

  • Quality of service (QoS)—Classification, marking, and prioritization of traffic flows

  • Segmentation—Ability to maintain separation of traffic when needed

  • Security infrastructure integration—Access control to prevent unauthorized users and devices

The access layer serves as the pathway to all network services. This layer becomes a primary boundary of access control for security requirements as well. Virtualization capabilities, such as virtual LANs (VLANs) and virtual routers, are important for supporting required segmentation of the access layer network. Virtual chassis provides the flexibility and scalability to support connectivity throughout the closet while simplifying management. In addition, integrating network security with unified access control is another important aspect. As a first line of defense, security controls such as broadcast storm control, Dynamic Host Configuration Protocol (DHCP) snooping, and Address Resolution Protocol (ARP) spoofing protection should be enabled to prevent service disruption to authorized clients. With increasing use of multicast applications, it is also important to consider enabling multicast features such as Internet Group Management Protocol (IGMP) snooping and Multicast Routing Protocol (MRP) support.

Wireless Access

In a campus environment, wireless access points (WAPs) provide network access to end-user devices like access switches. With increased wireless performance and proliferation of mobile devices, wireless connectivity is becoming the primary mode of access on the campus network. Both real-time and bandwidth-demanding applications are running over wireless networks. However, the user expects the same level of network services (security, QoS, accessibility, and HA) as with a wired connection. Wireless access must be robust and reliable to deliver these demands.

Wireless solutions can be divided into two categories:

  • Non-controller-based wireless access points (autonomous WAPs)

  • Controller-based WAPs

Non-Controller-Based WAPs

In a non-controller-based wireless LAN (WLAN) design, only the WAP is required for access. The WAP transmits a radio frequency (RF) signal on a configured set of channels. Wireless clients then associate with the AP to establish a wireless connection. An 802.1Q trunk for the AP to the access switch is configured so that wireless traffic enters the wired network directly on access switches. This WLAN approach can provide comparable performance to a wired connection; however, it is not scalable because each individual WAP must be configured manually.

Without a centralized component that can control and store critical information, several challenges can arise. For instance, as users roam from WAP to WAP, they might experience service disruptions. As a wireless client associates with a WAP, the nearest WAP recognizes the client information and establishes a network connection. If the client roams outside the RF coverage of the associated WAP, the client will experience a dropped connection and then attempt to re-associate with the next nearest WAP. Managing RF spectrum on a per WAP basis becomes cumbersome, where one WAP might impede upon another WAP’s signal, or in other cases not carry enough signal at all. Rogue wireless devices can also become an issue, since it becomes burdensome to locate when unauthorized wireless clients enter the network without a centralized authentication point.

Non-controller-based WLANs were once the only available option. In most cases, these have been updated to controller-based WLANs for the reasons described above.

Controller-Based WAPs

Controller-based wireless access includes a wireless controller. Two hardware components, the wireless controller and the WAP, jointly deliver wireless connectivity. In this approach, WAPs are centrally provisioned and managed by the controller. The WAP is considered a “dumb” device, while the intelligence is provided by the controller. This eliminates the burden of manually configuring each individual WAP. Wireless clients can roaming without disruption, and rogue detection is automatic. There are two ways traffic can flow in a controller-based-WAP environment: wireless traffic can be encapsulated and sent to a centralized controller for forwarding or the traffic can be handled at the access switch where the associated WAP is directly connected. Also, the wireless controller can be either hosted (also known as a cloud-based controller) or be on premises.

Design recommendations for controller-based WLAN access are:

  • Scalability

  • HA

  • QoS

  • Policy orchestration

  • Manageability

  • Security services

  • RF management

  • Traffic inspection and filtering

For controller-based deployments, the WAP and controller have distinct roles and attributes. Here are some WAP and controller attributes:

WAP attributes

  • Connection point for wireless clients to get on network

  • Single/dual radio

  • Houses transceivers (radio components)

  • Converts 802.11a/b/g/n/ac to Ethernet traffic

  • ACL and QoS enforcement

  • PoE

Controller attributes

  • Stores network configuration

  • Mobility domain management

  • Aggregation point for WLAN traffic from WAPs

  • Switches traffic between wireless clients and wired network

  • WAP software management (Images, client load)

  • Seamless roaming

  • RF management (channel and power tuning)

  • Security (intrusion protection, authentication, and authorization)

Aggregation Module

The aggregation layer aggregates connections and traffic flows from multiple access layer switches and wireless networks to provide high-density connectivity to the campus core.

Design recommendations for the aggregation module are:

  • Scalability

  • High-performance and throughput

  • HA

  • Network services integration

  • QoS support

  • Full N + 1 or N + N hardware redundancy

  • Control plane redundancy

  • Ability to upgrade the software while in-service

  • Link aggregation/multichassis link aggregation (MC-LAG)

  • Ability to combine physical chassis into a single, logical control plane

Aggregation layer switches must offer high-density ports to provide maximum scalability, along with wire-rate forwarding for maximum throughput. Also, a non-blocking architecture at the aggregation layer is important to minimize the oversubscription ratio, because a large number of client connections are supported through these devices. Therefore, it is critical to have HA hardware and software features that deliver reliability and robustness. For device-level redundancy, the aggregation hardware should be deployed in pairs. The primary function of the aggregation layer infrastructure is to provide high throughput and non-blocking switching/routing fabric. The dynamic routing protocol support, high-performance control plane, and high-capacity data plane are important features of aggregation layer devices.

In a midsize enterprise campus, the aggregation layer is not as distributed as the access layer, which makes it easier to place your security defenses and introduce segmentation using virtual routers or VLANs to contain threats. Traffic control with QoS capabilities, such as multiple queues, queue capacity, and integration help run real-time applications and prioritize critical applications appropriately. For multicast applications support, Multicast Routing Protocol (MRP) and efficient multicast replication techniques are important in aggregation layer devices.

The aggregation switch has the primary responsibility of multiplexing a large set of access ports into a smaller set of ports that can be consumed by the core switch. Because the aggregation switch multiplexes a high number of access ports, the scale requirements increase linearly for every access port it aggregates. For example, if an access switch supports 10,000 MAC addresses and the aggregation switch consolidated 100 access switches, the total MAC scale required at the aggregation switch is 10,000 x 100 = 1,000,000 MAC addresses.

Core Module

The core layer provides a fabric for high-speed packet switching between multiple sets of aggregation devices, or the access layer devices in a collapsed aggregation/core layer deployment. The core layer serves as the gateway where all other modules meet, such as the WAN edge and remote access. Functionally, the core layer is where high-speed connections to all campus networks occur—such as different buildings, departments, and server areas—and connects these to a perimeter or WAN edge network.

The following attributes should be considered for core layer design:

  • High performance

  • High throughput

  • High availbility (HA)

As the name implies, the core layer serves all campus users; therefore, any failure at the core layer should be minimized. HA software features such non-stop service software upgrade (NSSU), nonstop forwarding/routing, graceful restart capabilities, and a modular operating system design should be enforced to limit the impact of any module failure. For link bandwidth and redundancy, core connections should deploy aggregated links in multiples of 10-Gigabit Ethernet connections from aggregation layer devices.

Core layer devices should be deployed in pairs corresponding to each aggregation layer device. Device-level redundancy capabilities like redundant power supply, fan modules, control modules, and switching fabrics are required at core layer devices. Since any performance degradation at the core layer affects the entire campus network, high-performance, non-blocking switching/routing architecture is extremely important.

Depending on the size of the network, the aggregation and core layer functionality can be collapsed within one set of devices, since it reduces capital and operating expenditures and reduces latency of the traversing traffic. The integration of network services at the collapsed core/aggregation layer should have a minimum impact on performance of core layer devices.

Edge Module

The edge module is the gateway for remote access to the campus network. Also, the edge module aggregates, inspects, and encapsulates all traffic coming in and out of campus core to the Internet. The edge is viewed as the primary path for all campus network egress and ingress.

The edge module is comprised of:

  • Edge firewall

  • Edge router

Edge Firewall

An edge firewall provides perimeter security services such as traffic inspection, access policies, network address translation (NAT), and IPSec. All traffic leaving out of and arriving into the campus must pass through the edge firewall. This is enforced through physically cabling the edge firewall between the edge routers and core switch as well as the capability to permit and deny certain types of traffic.

The edge firewall must address the following security and tunneling considerations:

  • Ability to create granular firewall filters that can inspect Layer 2 through Layer 4 traffic

  • Support unicast reverse path forwarding modes: loose, strict, and VRF

  • Support SSH

  • IPSec

  • GRE

To resolve IP address conflicts and bridge IPv6 islands, the edge firewall must support a wide variety of Network Address Translation (NAT) protocols:

  • Basic NAT44

  • NAPT44

  • NAPT66

  • Twice NAT44


To provide HA and reliable services, edge firewalls support clustering with active/passive failover. In active/passive failover one firewall node remains active and handles all control plane processing and data plane forwarding. In the event of a failure, the secondary node takes over and then becomes the primary node.

Edge Router

An edge router connects the campus network to the service provider for Internet access. HA must be a priority at the edge router, because the router serves as the primary connection between the campus network and the Internet. It is also considered the first line of defense for attacks coming from the Internet.

  • Ability to limit what type of traffic can access the control plane

  • Ability to determine specific types of ingress control plane traffic and enforce packets per second (PPS) limitations

  • Ability to police traffic to a certain bandwidth and penalizing excess traffic by changing the forwarding class or simply discarding the traffic

  • Ability to create granular firewall filters that can inspect Layer 2 through Layer 4 traffic

  • Support unicast reverse path forwarding (URPF) modes: loose, strict, and VRF

  • Full N + 1 or N + N hardware redundancy

  • Control plane redundancy

  • Ability to upgrade the software while still remaining in-service

  • Link aggregation

  • Multichassis link aggregation

  • Loop-free alternates

  • Default gateway redundancy

There are various network protocols coming from the Internet to the edge router. The following protocol families must be supported on the edge router:

  • IPv4

  • IPv6

  • ISO

  • MPLS

The edge router must also support widely deployed routing protocols. The following routing protocols must be supported on the edge router:

  • Static routes

  • RIP

  • OSPF


  • OSPFv3

  • IS-IS

  • BGP

Related Documentation