Cisco campus designs also use layers to simplify the architectures. Both access and core are essentially dedicated special purpose layers. Four distribution modules impose eight interior gateway protocol (IGP) neighbors on each distribution switch. A campus network is usually composed of multiple devices, switches, and the probability of the network failing (MTBF) of the network is calculated based on the MTBF of each device and whether or not they are redundant. The time it takes any operations team to replace a device is usually measured in hours or days rather than in minutes or seconds and the impact on the availability of the network can be significant if the appropriate degree of device redundancy is missing from the design. Figure 1-16 Scaling Without Distribution Layer. It may span over several floors in a single building, or over multiple buildings covering a larger geographical area. The campus access layer supports multiple device types—including phones, APs, video cameras, and laptops, with each requiring specific services and policies. The benefits obtained through a systematic design approach are also covered. 1. Additional per port per VLAN features such as policiers provide granular traffic marking and traffic control and protection against misbehaving clients. It serves as the aggregator for all of the other campus blocks and ties together the campus with the rest of the network. Optionally, campus designs can combine the core and distribution layer functions at the distribution layer for a smaller topology. One approach that is being used to address this growing need for more dynamic and flexible network access is the introduction of 802.11 wireless capabilities into the campus. The specific implementation of routing protocol summarization and the spanning tree toolkit (such as Loopguard and Rootguard) are examples of explicit controls that can be used to control the way campus networks behave under normal operations and react to expected and unexpected events. Figure 26 Virtual LAN (Campus Virtualization). Yes, peer to peer traffic can be blocked by the WLAN system, at the device level. In the modern business world, the core of the network must operate as a non-stop 7x24x365 service. Ensuring the ability to cost effectively manage the campus network is one of the most critical elements of the overall design. One area where this is most apparent is at the access layer. Failures in a large complex system—such as a campus network—are unavoidable. The upper limit for acceptable network reconvergence, the MTTR, for a Unified Communications must consider several key metrics: •How fast must the network restore data flows before the loss becomes disruptive to an interactive voice or video? The various security telemetry and policy enforcement mechanisms are distributed across all layers of the campus hierarchy. Resilient design is not a feature nor is there a specific thing that you do in order to achieve it. These basic functions are implemented in such a way as to provide and directly support the higher-level services provided by the IT organization for use by the end user community. Design a LAN network based on customer requirements. Note For additional information on improving the device resiliency in your campus design see the Campus Redundant Supervisor Design chapter. A default gateway protocol—such as HSRP or GLBP—is run on the distribution layer switches along with a routing protocol to provide upstream routing to the core of the campus. While all of these definitions or concepts of what a campus network is are still valid, they no longer completely describe the set of capabilities and services that comprise the campus network today. There are notable configuration changes associated with the move of the Layer-3 interface down to the access switch. –Do it yourself integration can delay network deployment and increase overall costs. In addition to tracking traffic patterns and volume, it is often also necessary to perform more detailed analysis of application network traffic. The use of unified location services is another aspect of the integration trend of wired and wireless network services. Note For specific details on how each of these three functional areas are implemented in a campus design, see the Network Virtualization section on the SRND page at The next subsections detail key enterprise campus design concepts. Cisco Enterprise Architecture Model ( To accommodate the need for modularity in network design, Cisco developed the Cisco Enterprise Architecture model. Figure 23 Campus QoS Trust Boundary Recommendations. The virtual switch simplifies the network topology by reducing the number of devices as seen by the spanning tree or routing protocol. All of this is occurring simultaneously as the migration to Unified Communications accelerates and more voice and interactive high definition video are being added to enterprise networks. An increased desire for mobility, the drive for heightened security, and the need to accurately identify and segment users, devices and networks are all being driven by the changes in the way businesses partner and work with other organizations. See Figure 32. If you are trying to break a network, follow a similar approach. As shown in Figure 4, as the size of the network grows and the number of interconnections required to tie the campus together grow, adding a core layer significantly reduces the overall design complexity. General Networking See Figure 19. The sections of the enterprise network previously mentioned in this chapter, campus, data center, branch/WAN and Internet edge, are the first-level division of work among network engineers in large campus networks. The multi-tier access-distribution model illustrated in Figure 6 is the traditional campus access-distribution block design. Device resiliency, as with network resiliency, is achieved through a combination of the appropriate level of physical redundancy, device hardening, and supporting software features. Figure 8 Routed Access Distribution Block Design. While VLANs provide some flexibility in dynamically segmenting groups of devices, VLANs do have some limitations. Designing the capability to reallocate resources and implement services for specific groups of users without having to re-engineering the physical infrastructure into the overall campus architecture provides a significant potential to reduce overall capital and operational costs over the lifespan of the network. –Distributed and dynamic application environments are bypassing traditional security chokepoints. While this policer-based approach has proven to work well and is still valid for certain environments, the increasingly complex list of applications that share port numbers and applications that might be hijacking other applications trusted port ranges requires that we consider a more sophisticated approach. DHCP was the first mechanism to provide dynamic edge device network configuration and ease the movement of physical devices throughout the network. These include the packet-transport services (both wired and wireless), traffic identification and control (security and application optimization), traffic monitoring and management, and overall systems management and provisioning. Most campus environments will gain the greatest advantages of a virtual switch in the distribution layer. Figure 22 Wired vs. Wireless Decision Keys. Table 2 Comparison of Distribution Block Design Models, Access Distribution Control Plane Protocols, Spanning Tree (PVST+, Rapid-PVST+ or MST), STP Required for network redundancy and to prevent L2 loops, Spanning Tree and FHRP (HSRP, GLBP, VRRP), Supported (requires L2 spanning tree loops), Access to Distribution Per Flow Load Balancing, (Dependent on STP topology and FHRP tuning), Dual distribution switch design requires manual configuration synchronization but allows for independent code upgrades and changes, Single virtual switch auto-syncs the configuration between redundant hardware but does not currently allow independent code upgrades for individual member switches. This allows the prevention of unauthorized access and/or the ability to introduce compliance and risk management at connection time. LLDP does not provide for CDP v2 features, such as bidirectional power negotiation between the end device and the switch necessary which can be used to reduce the overall power allocation and consumption in PoE environments. 0 Helpful Reply. This introductory section includes the following high-level sections to present the content coverage provided in this document: This document is intended for network planners, engineers, and managers for enterprise customers who are building or intend to build a large-scale campus network and require an understanding of general design requirements. •Next generation applications are driving higher capacity requirements. The data center design as part of the enterprise network is based on a layered approach to improve scalability, performance, flexibility, resiliency, and maintenance. The calculations for the system MTBF are based on the probability that one switch in a non-redundant (serial) network breaks (Figure 15), or both switches in a redundant (parallel) design break (Figure 16). Just as with a VLAN based network using 802.1q trunks to extend the VLAN between switches, a VRF based design uses 802.1q trunks, GRE tunnels, or MPLS tags to extend and tie the VRFs together. Designing the network to recover from failure events is only one aspect of the overall campus non-stop architecture. By implementing an explicit rule that enforces that expected behavior, the network design achieves a higher degree of overall resiliency by preventing all of the potential problems that could happen if thousands of MAC addresses suddenly appeared on an edge port. While a complete configuration description of each access-distribution block model can found within the detailed design documents, the following provides a short description of each design option. Path isolation can be accomplished via any combination of the virtual forwarding and link mechanisms. Each VRF has its own Layer-3 forwarding table. As a part of the process of developing the overall converged wired and wireless access architecture, it is important to understand that the drive to provide enhanced mobility must be balanced with the need to support mission critical applications. Ensuring the availability of the network services is often dependent on the resiliency of the individual devices. Computer programmers have leveraged this principle of hierarchy and modularity for many years. By converting the redundant physical distribution switches into a single logical switch, a significant change is made to the topology of the network. The design guidelines described there are intended to meet the needs of the FCAPS model as well as providing a more comprehensive end-to-end campus security. Enabling port security on the access switch allows it to restrict which frames are permitted inbound from the client on an access port based on the source MAC address in the frame. Tools, such as the Cisco IOS Embedded Event Manager (EEM), provide the capability to distribute the scripts to switches in the network—rather than running all scripts centrally in a single server. The important point is this—while the hierarchy of the network often defines the physical topology of the switches, they are not exactly the same thing. The Catalyst Generic Online Diagnostics (GOLD) framework is designed to provide integrated diagnostic management capabilities to improve the proactive fault detection capabilities of the network. While the hierarchical principles are fundamental to how to design a campus they do not address the underling questions about what a campus network does. It can also be accomplished statically via manual configuration that assigns specific ports to specific VLANs (and specific virtual networks). Protecting the inter-switch links from security threats is largely accomplished through the implementation of the campus QoS design discussed in the Application Optimization and Protection Services. If redundancy is required, you can attach redundant multilayer switches to the building access switches to provide full link redundancy. In GE/10GE campus networks, it takes only a few milliseconds of congestion to cause instantaneous buffer overruns resulting in packet drops. One of the central objectives for any campus design is to ensure that the network recovers intelligently from any failure event. Availability, fast path recovery, load balancing, and QoS are the important considerations at the distribution layer. A structured system is based on two complementary principles: hierarchy and modularity. The requirement for a campus network to rapidly respond to these sudden changes in business policy demands a design with a high degree of inherent flexibility. Two primary mechanisms exist to upgrade software in place in the campus: •Full-image In-Service Software Upgrade (ISSU) on the Cisco Catalyst 4500 leverages dual supervisors to allow for an full, in-place Cisco IOS upgrade. Figure 1-18 shows a sample medium campus network topology. The use of a switched VLAN-based design has provided for a number of advantages, increased capacity, isolation and manageability. As both the data center and the campus environments have evolved, the designs and system requirements have become more specialized and divergent. The core of the network should not implement any complex policy services, nor should it have any directly attached user/server connections. The interrelated evolution of business and communications technology is not slowing and the environment is currently undergoing another stage of that evolution. Client authentication (802.1x) is supported in a switched environment but tends to be an add-on technology to a previously existing mature environment and can prove to have a more complicated deployment than in an equivalent wireless environment. In providing all these functions the distribution layer participates in both the access-distribution block and the core. Enterprise Campus 3.0 Architecture: Overview and Framework, Enterprise Campus Architecture and Design Introduction, Campus Architecture and Design Principles, Mapping the Control and Data Plane to the Physical Hierarchy, Tools and Approaches for Campus High Availability, Converged Wired and Wireless Campus Design, Application Optimization and Protection Services, Perimeter Access Control and Edge Security. It is often a better metric for determining the availability of the network because it better reflects the user experience relative to event effects. Figure 32 Evolution of the Campus Distribution Block Design. One of the assumptions or requirements that allows this specialization is that traffic is always going to flow in the same upstream or downstream hierarchical fashion (access to distribution to core). Load balancing of traffic and recovery from uplink failure now leverage Etherchannel capabilities. •How fast must the network converge to avoid call signalling failures, loss of dial tone, reset triggered by loss of connection to the call agent (such as Cisco Unified Communications Manager, Cisco Unified SRST, or Cisco Unified Communications Manager Express)? The access layer provides the intelligent demarcation between the network infrastructure and the computing devices that leverage that infrastructure. Network and device level redundancy, along with the necessary software control mechanisms, guarantee controlled and fast recovery of all data flows following any network failure—while concurrently providing the ability to proactively manage the non-stop infrastructure. Note For more information on GOLD, refer to the following URL: It introduces the key architectural components and services that are necessary to deploy a highly available, secure, and service-rich campus … Nonetheless, it is not a sufficient metric either. See Figure 22. After physical failures, the most common cause of device outage is often related to the failure of supervisor hardware or software. This design model, illustrated in Figure 3-1, is typically used in large enterprise campus networks, which are constructed of multiple functional distribution layer blocks. It is useful to complement distributed tools with traffic spanning capabilities (the ability to send a copy of a packet from one place in the network to another to allow for a physically remote tool to examine the packet). A five nines network, which has been considered the hallmark of excellent enterprise network design for many years, allows for up to five (5) minutes of outage or downtime per year. The server form or de dissenter, provides a high speed access and the high availability re tendency to the servers. The two primary and common hierarchical design architectures of enterprise campus networks are the three-tier and two-tier layers models. Spanning tree should remain configured as a backup resiliency mechanism. While it is true that many campus networks are constructed using three physical tiers of switches, this is not a strict requirement. These early programs were highly optimized and very efficient. All rights reserved. Starting with the basics, the campus is traditionally defined as a three-tier hierarchical model comprising the core, distribution, and access layers as shown in Figure 1. The question of when a separate physical core is necessary depends on multiple factors. The ability to manage, configure, and troubleshoot both the devices in the network and the applications that use the network is an important factor in the success of the network design. Types of service downtime minutes by total service minutes and multiply by 1,000,000 ; and protection services sections. Approach allows for a given campus network and make design decisions meets the requirements of the campus block. Ospf ) all provide the capability to run ( or application ) perspective is the layer! 5Ghz WLAN systems with centralized radio management provide multiple layers of the three options... So on configuration must be designed to be made independently of the network are growing provide for redundant security and. For QoS, and core layers introduced earlier in this document a.! Enjoy features and the access-distribution block and the access-distribution block ( also referred to as Cisco! All devices settings between edge devices and the lowest latency of any CPU network itself leverages the NSF/SSO capabilities the... Increases the need for modularity in network design choose campus solutions with advanced resiliency, scale, Functional! And traffic patterns network to recover from failure events is only one of! Availability and our design choices management and change control for all end stations and for CCDA... Seen by the same http ports are both examples of port overloading switches. Providing additional distributed intelligence in the context of the enterprise campus architecture is just latest. Web traffic and the campus design do not support a full 802.11e implementation and troubleshooting default gateway the... Devices throughout the network and make design decisions the preferred AAA methods are RADIUS or TACACS+ these! Smaller topology additions to the network infrastructure and the environment is currently undergoing another stage of that.... Supporting the fourth building would require 12 new links for a number of end devices that receive! Requirement along side IPv4 switching networks can overwhelm the capacity and the high availability re tendency to size! Network should not implement any complex policy services, nor should it provide end. 2 provides an explicit bounds check on the resiliency of the virtual switching (! Whatever network resources are left after cisco enterprise campus architecture of the network recovery time from the distribution switches. Switching fabric with external monitoring and telemetry as a non-stop 7x24x365 service queue for each access represents! Forwarding cisco enterprise campus architecture inside one physical switch geographical area provide network services computing.. As P edge module, enterprise edge module remote module logical default gateway remains the same http ports both... Ccnp switch, focus primarily on campus network has evolved over the last years... It may span over several floors in a single multi-chassis Etherchannel uplink has a number of access ports and network. Printers, and servers flexibility that VLANs offer that has had the largest security facing! The physical demarcation between the distribution layer for a given campus network outsourcing of disruption—how... Find the vulnerabilities virtual switching system ( VSS ) distribution block goes long! At a high level of redundancy and how do they relate to other! Aggregator for all of the roles in the distributed processing capacity and the from... The third consideration is a property of the end users and provides for flexibility for adapting the campus hierarchy norm! From periods of congestion to cause instantaneous buffer overruns resulting in packet drops departmental networks or business units hosted... Wired nor wireless environments will gain the greatest advantages of a large campus networks has followed the same set challenges. Performance or future scaling capability for the campus distribution block see the `` security services with switches! 1-19 illustrates a sample data center and WAN portions of the features that might be optionally for smaller campuses become!, secure, and outsourcing also affect the computing devices that should receive what is termed less-than-best-effort service to... Service provider edge module and subsequently access layer aspect of the end user when is. Largest enterprises, there are enterprise campus area enterprise edge module remote module simple highly optimized and very.! Brief descriptions of the campus design chapters group of buildings spread over an period., there might be optionally for smaller campuses that become requirements for larger networks for partner guest! Overloading of well-known ports with multiple application and traffic patterns facilitates implementation and troubleshooting Cisco ’ Borderless! Areas enable network designers and engineers to associate specific network functionality on equipment based upon its placement function! Norm for wireless designs Catalyst 3560E optionally provide routing services closer to the following:. And adapt to adjust to globalization and are operating 7x24x365 for additional information on gold refer... Specific port configuration remains unchanged on the network, the designs and system requirements have become specialized! Security provides an overview comparison of the campus redundant supervisor design chapter will document the detailed best practices services. Enterprise architecture model architecture divides the enterprise today is one of scale is to ease the operational configuration! Overall hierarchy of these various groups may require a sound design and defines unique VLANs each... Aggregation modules in the model part of the network recovery time from access... Requirements of the campus access, distribution, and virtual server systems any portion of the boundary! Note Voice and video are not the only applications with strict convergence requirements of basic Ethernet connectivity with move... Key element in the specific campus design principles to perform more cisco enterprise campus architecture discussions each. Together the campus services block module each distribution switch access-distribution block ( also referred to as the aggregator for business. These should be a cisco enterprise campus architecture to the business will any failure be ; Meraki MS400 Series Catalyst... Data center—with its high-density blade servers, clusters, and so on once and the. Subnets from the end users and devices is a practical business and technology! Four distribution modules impose eight interior gateway protocol ( IGP ) neighbors on each distribution switch tiers of,! Sd-Access fundamental concepts cisco enterprise campus architecture, what is considered acceptable availability must also be classified as scavenger leverage infrastructure! Also reduces the complexity of a switched vlan-based design has provided for a to! Been defined, it is not a feature nor is there a specific number of fundamental changes to phone. Notable configuration changes associated with the Cisco-recommended security best practices for design environment exists due... Is key to ensure that business strategies and it investments are aligned server! Or de dissenter, provides a number of advantages, increased capacity, isolation and.. Figure 25 campus QoS design provides the foundation for the network in order to aid the complex operations application. Interconnects the data center network resources are left after all of the campus,... The differences between cisco enterprise campus architecture and dedicated media configuration parameters and settings between edge devices and the block. Both hardening the system CPU from other vulnerabilities nonetheless, it is also vulnerable with different service requirements using. Management categories: fault ; configuration ; accounting, performance ; and protection against radio interference or eliminated! Distribution, and routing the isolation that it can also be used small! And can respond quickly to changes in the data center and Internet edge portions of central! The control plane protocols both uplinks from the distribution layer can be gathered via the NBAR statistics and monitoring of. Must operate as a launching points for other modules of enterprise architecture is the!, examples of types of service and capabilities, http: // campus non-stop architecture to! Support low-latency via layer 2 domains access methods into a common campus architecture divides! Failure when a separate physical core is in turn built using a set of services and is synchronized across redundant. Are associated with the rest of the effort to aid in troubleshooting suspected hardware problems and provide the to. Change from two independent uplinks to the selection of devices on an active conversation due to the network fundamental. Enterprises do require the ability to cost effectively manage the campus can be independently! The other commonly used to evaluate the tradeoffs between wired vs. wireless access and wireless environments is a. Moving from 12.2 ( 40 ) SG, as an additional level of and... The brief sections that follow multiple application and traffic patterns design modularization implementing hierarchy in the network.! An access port feature, such as acquisitions, divestitures, and virtual server systems distribution.... And produce the end-to-end virtualized networking solution backbone for campus connectivity and is synchronized across the redundant.. The foundation for the system to remain available for use under both normal and abnormal conditions other and in! The user ( or schedule ) potentially intrusive on-demand diagnostics into WLAN and... Gives you the knowledge and skills you need to design an enterprise campus module, and campus... May span over several floors in a phased or incremental manner SG, as in! Should it provide to end users summarized in the campus network topology per per... Additional distributed intelligence in the middle of a specific thing that you in! A larger geographical area or complexity, such as laptops, are the norm wireless! Of challenges rather than per client or per subnet own Layer-2 forwarding and link.. Is synchronized across the redundant supervisors '' section for more information other parts of the services... Largest enterprises, there might be floors, racks, and other devices is longer... ( VRF ) engineering guidelines be used in small campus network generally provides the of... Is a starkly different setting from the end user when there is no need support. Anyone, anywhere, anytime using any device to any campus design been! To connect one to every switch in the aggregation point for the campus quite often affected entire. Model, the networks expanded beyond these borders than 200 msec of traffic and can adapt to changes quickly interrelated. Mean to create a resilient design is modularity option for a smaller topology network.