Cisco Campus Network Design Basics

Hi Rene
I have a lot of doubts about LAN packet filtering I know that is to being done in the distribution layer but having many access lists becomes complex to manage.

Waht you recommend for filtering between LAN users do you have any documents about this?

Thanks a lot

Hello Srinivas

Redundancy at the access layer has to parts. One is the uplink from the access layer to the distribution layer. This can be configured so that there is redundancy for each VLAN by having each access switch physically connect to multiple distribution switches (most often 2, but more can be implemented). These links in the vast majority of situations would be trunks, and as such, VLANs can be configured to be allowed on these multiple trunks thus allowing for multiple paths from the access layer to the distribution layer for each VLAN.

The other part of redundancy at the access layer, which I suspect your question was more centred around, has to do with the connection of each end device to the access switches. In most cases, each end device will be connected to an access port and thus will only have one VLAN assigned to it. The only way to have redundancy here is if the end device has multiple NICs and connects to two access ports of the same VLAN. The end device would have to have the ability to do NIC card teaming (which creates a virtual NIC that manages the two links as one) or you would have to configure some routing commands in the end device so that alternate routes, i.e. alternate NIC cards can be used if one of the two goes down. Such a configuration is usually created for servers which have high availability requirements. This is seldom done for end users because of cost (double the port usage, therefore double the number of access switches) and because that kind of redundancy is not necessary for the vast majority of end users.

I hope this has been helpful!


1 Like

Hi Rene,

I am back! lol…

I wanted to explore the comment on recommendations to design VLANs only locally to the switch. We have a basic campus design with the core being in the data center, but managed by myself. we have two stacks of 4 switches. one in the west closet one in the east closet they connect to a double stack of switches that is our distribution switches.

On our access switches we have VLAN for VOIP and for DATA and for Printers and wireless private and wireless guest. So we have a few VLANs for this. If we was to not have VLANs spanning the access switches we would have many more VLANs that would connect up at our distribution switch where we have Switched Virtual Interfaces (SVI). From here we have OSPF that routes to our Core switch in the data center.

we have around 300-380 PC devices which connect into phones on shared cable into the access switches. I am curious as to thoughts on not spanning VLANs over access switches and when this should really be applied as it does add a little bit of complexity to the VLAN design though nothing that is to vexing.

I am just trying to make heads of this recommendation of not to span VLANs and where the grey area is at on this and how to best judge decisions in regards to this in my own mind.

I almost forgot to ask how this would be effected by subnets or would there be no effect. in other words if you had a subnet for your voice traffic would you not have to create another subnet for the new VLAN if you broke your traffic up into different VLANs. The reason I say that is because using a SVI you would need a different gateway for each SVI VLAN so that would mean you would have to have different subnets for each of those VLANs which would create more complexity that I first thought.



Hello Brian

In general it is good practice to keep your VLANs as local as possible. The reason for this is if you have VLANs spanning multiple access switches, then any broadcasts that occur will be using up bandwidth in your distribution layer devices, and maybe even in your core layer devices. Broadcasts can include DHCP requests, routing protocol advertisements and IGMP traffic to name a few.

It is a good idea to break up your network segments so that they are as physically local as possible. That means that each access switch stack will have its own voice VLAN and its own data VLAN and if it needs to communicate with the voice or data VLAN on the other access switch stack, it will have to be routed at the distribution layer via an SVI.

Adding more VLANs will obviously add more administration overhead, so there are cases where you can safely break this rule. For example, the management VLAN can span all your access layer switches for convenience, since very little traffic will be going over the network on this VLAN. It is a delicate balance between network efficiency and ease of administration.

The quick answer to this question is yes, your subnets would be affected. You would require a separate subnet for each local VLAN that you would create. So if you have a voice VLAN 30 on the east access switch stack and a voice VLAN 31 on the west access switch stack, then you’d need a separate subnet for each VLAN, and communication between these two VLANs would require routing via an SVI as your gateway.

As you say, this configuration does add complexity but it allows your network to run more efficiently. Ultimately you must balance complexity with ease of administration so that the result will best provide for your needs.

I hope this has been helpful!


Thanks Laz!

So if I can only sneak this into my network I would. if it was not for the changing of subnets which are server side handles the DHCP it would be pretty easy for me to just upgrade over the weekend and nobody would even be the wiser. However, I would have to come up with subnets and that would be much more noticeable =(

We don’t have a ton of computers so its probably not needed enough to cause a bunch of headaches but its good to understand it in case the change is something we are forced to do later because of traffic or performance. I really want to do it lol…

I am addicted to networking just like a gamer might be addicted to MMO. I even try to find places to volunteer at for free to be around other network people. I am the only network guy at my global company which is a shame but I am just glad I was able to wiggle my way into it as I use to be system administrator on server side only for them but soon as out network engineer left I managed to get my foot into that spot.

I see so many things done wrong and since I am the new guy its harder to get the management to listen to me even on silly things like we should separate the voice traffic in Europe from the data traffic like we do in the US. I will keep banging at it till they give in or I decide to give u the money and just go to a company where I can work with good networker engineers who I can learn from and grow with.

Or maybe I will get lucky and get both!!!

Hello Brian

It really sounds like you’re a hard core networking guy. That’s great! You know, I’d say that Cisco engineers in general share a unique camaraderie that’s unlike anything else. Others can’t understand why we like networking so much! It’s just cool! I understand you completely.

As for the opposition you face when suggesting best practices in networking, it’s usually the case where you’d have the administration opposing changes “since everything already seems to work.” It’s when things fail because of lack of redundancy, or voice and data on the same VLAN or other similar issues that they come back and say “well why didn’t we do it right the first time?” It’s a matter of making them understand the issue in simple terms, which is not always easy! :slight_smile:

I’m glad we can be of help to you here at Networklessons. This really is a great place for network-loving engineers to dig deeper into the things we like so much…

Keep at it and looking forward to continuing our discussions!


1 Like

Hello Laz,
I have a OSPF design question mainly and I am going to use the below topology as the reference.

In this design, I have a pair of Campus core and a pair of data center core routers. Here I am running OSPF area 0 between Campus core and Data center core devices. Also I am using different areas between Core switches and different Distribution blocks. I am configuring Totally NSSA in all the areas other than area 0 so every area will have only the default route from the core switches. Core routers will advertise each other only the summary routes of different distribution blocks. For instance, Campus core pairs will advertise summary of different distribution blocks to the Data center core routers and vice versa. Therefore, every distribution switch will have only one route in their routing table that is only the default route and core routers will advertise only the summary routes of different distribution blocks to each other. What do you think about this design? Do you think I should modify anything or it is one of the best practices?

Thank you so much in advance.

Best Regards,

Hi Azm,

Using totally NSSA on your distribution layer is fine, these devices only need a default route to get anywhere else. You need to take a closer look at your core layer though…

There’s the “build triangles, not squares” saying. For example, your data center core1 router will always use campus core 1 to get to distribution layer 1 or 3. If you have an additional link from data center core 1 to campus core 2 then it can use both campus core 1 + 2 and load balance traffic. The same thing applies for data center core 2 to campus core 1.


1 Like

Thanks a lot Rene…


I just went through the lesson. I don’t understand the part which says that - “layer 2 links should be configured between the distribution layer”. The reasons are given. But i don’t understand that part. Could you please help me with it ?

Hi Sriguruprassad,

Let’s look at just one example why you might want to use L2 between the distribution layer switches. Consider this design:

In this design, we have VLAN 10 on both access layer switches. All links on the distribution and access layer are layer two links.

Think for a minute about spanning-tree…let’s say that the left distribution switch is the root bridge. What will be the root port on all of our switches? Something like this:


Now imagine we have an L3 link in between the distribution layer switches:


Since the link in between the distribution layer switches is now L3, the distribution layer switch on the right side will select another interface as the root port for VLAN 10.

Now imagine you configure something like VRRP…this means that all VRRP traffic from the right distribution layer switch goes through the access layer to get to the left distribution layer switch. Not a good idea :smile:

Hope this helps!


Hi Rene,
i was struggling with the parts:

If one of the uplinks from the access to the distribution layer fails, VLAN 10 could become isolated.

The switches on the distribution layer will use a protocol to create a virtual gateway IP address. We need layer two connectivity for this.

If the link from Access switch 1 (left) towards Distribution Switch 1 (left) fails, then the link Access Switch 1 -> Distribution switch 2 is used. If there is no L2 link, the link Distribution Switch 2 -> Access Switch 2 will become the root port and traffic is forwarded to the Distribution Switch 1 (HSRP active node). This is not a good design, but the Vlan 10 would not be isolated.

Please correct me if i’m wrong.

Many thanks,

Hello Oliver,

You are correct, VLAN 10 won’t be isolated since it can still go through the distribution layer switches. Here’s a picture to visualize this in case anyone wonders what this is about:


In the picture above, there is no L2 link between the distribution layer switches and one uplink from the access layer to distribution layer switches failed. If the left distribution layer switch is the root then traffic will go through the access layer like this.

I just removed the sentence about isolation, thanks for sharing!


Hello Rene,

thanks a lot for clarifying. :slight_smile:


what is the backplane in the specification and the word require high bandwidth and throughput, what does exactly mean

Hello Pipat

The backplane is the name given to the internal circuitry of a switch which acts as the pathway between individual ports. If you have a switch with 48 1Gbps ports, and you have computers connected to all of those ports, theoretically, you should be able to have 24 computers each sending 1 Gbps of information to the other 24 computers simultaneously. This requires an internal bandwidth on the backplane of the switch of 24 Gbps in each direction, for a total of 48 Gbps. If the switch has additional uplink ports, those must also be taken into account as they can add traffic to the backplane.

The total backplane bandwidth should be high enough in order to accommodate the expected traffic on a switch. Now the total bandwidth of all interfaces is usually higher than the available backplane bandwidth, because a simultaneous usage of full bandwidth on all ports is highly unlikely. A balance is struck providing enough backplane bandwidth to accommodate most situations.

I hope this has been helpful!


Hello. Why are layer 3 switches used in access layer? (according to the first chart of recomended models).
Thank you!

1 Like

Hi Eilu,
Hope you are doing good:smiley:
(according to the first chart of recomended models).
which chart you are talking? can you paste the screen shot here ? actually i am trying to find out your answer but not able to understand which chart you talking.

Thanks & Regards,

1 Like

I believe he is talking about this chart.


There are layer 3 switches in the chart but this is because those are the “lower end models” that Cisco has to offer. They can run as layer 2 switches and not utilize the layer 3 functionality. As switches have gotten more powerful layer 3 functionality has been easier to put into a switch. A big consideration of what switches you might use in a network is the size of said network. A tiny network might only need 2960-X’s for the core, distribution, and access layer. I hope this helps!


1 Like

Hello Eliu

You can use Layer 2 switches at the access layer, and that would be fine. However, keep in mind that if you have multiple VLANs running on a single switch, any communication between those two VLANs will have to be sent up to the distribution layer to be routed and then back to the access layer switch once again, to reach the destination.

Now for some networks, that’s fine, however, if there is much inter-subnet communication in a network between devices that are connected to the same switch, it may be worthwhile (although more expensive) to provide that routing within the access switch itself. It all depends on the applications being used and the expected traffic between such devices.

Remember, if your uplinks are being used to transfer data between two devices on separate VLANs on the SAME switch, you may be using up valuable bandwidth of the routing will have to take place at the distribution layer. It all depends on your network design, uplink bandwidths as well as the expected traffic.

I hope this has been helpful!


1 Like