Cisco Enterprise Campus Architecture

Published Date: 02 Nov 2017

Krista Derylak

Kent State University

Cisco Enterprise Campus Architecture

The Cisco Enterprise Campus Architecture is a certain location of a system’s infrastructure that provides resources and communication services to users and devices spanning a single geographical area. Campus architecture can be implemented at the campus level or at the building level to permit flexibility in network design and create ease of implementation and troubleshooting. It is possible to see this design used on a single floor, building, or over a large group of building spanning an extended geographic area. Other networks might have a single campus also act as the core or backbone of the network providing interconnectivity between other segments of the network, such as the data center or the WAN sections of the enterprise network. In large corporations or enterprises, it is common to see multiple campus sites placed worldwide with every one allowing both user access and local backbone connectivity. A small, medium, or large-sized campus infrastructure can be designed depending on the size of the network and what the availability and capacity expectations are.

Following solid structured engineering guidelines is a critical factor for successfully implementing any campus network design. Two complementary principles are the foundation of a structured system: hierarchy and modularity. All large systems should be built using a set of modularized components that can be compiled in a hierarchical and analytical order. There is some independence from the overall design and the modules can be managed as semi-independent sections preparing for overall higher system availability and ease of management and operations. For many years, programmers have controlled the principle of hierarchy and modularity. Programmers used to build spaghetti code systems, which were largely optimized and extremely efficient. As the programs grew and they had to be changed or modified, software engineers learned very quickly that separation within various parts of the program or system meant that any change could not be made without affecting the whole system. According to Cisco, early LAN-based computer networks were designed using a similar layout, highly optimized connections between a small number PCs, printers, and servers (Enterprise Campus). As the networks grew and starting interconnecting, creating the first generation of campus networks, the network engineers were faced with the same challenges at the programmers. If one part of the network encountered a problem, the entire campus network was affected. A program design was developed using modularized or subroutine-based systems, which allowed for changes made on the network without having to make changes to the whole program. This development was designed to achieve more stability, flexibility, and manageability for the campus. The enterprise campus architecture is made up of a three-tier hierarchal design containing the core, distribution, and access layers.

Figure 1. Cisco Enterprise Architecture.[Image] Retrieved from: http://ciscodocuments.blogspot.com/2011/06/chapter-1-cisco-sona-and-cisco.html

The first tier, the access layer, is where end devices (PCs, printers, cameras, etc.) are connected to Cisco switches, providing connectivity. The access layer also initiates communication to the distribution layer. There are benefits to the access layer if the Cisco switches are used properly. There are many hardware and features to support the access layer, including high availability, convergence, and security. Redundancy software engines and power supplies, access to default gateway redundancy using FHRP (first-hop redundancy protocols), inline PoE (Power over Ethernet) for IP telephony and wireless access points, and additional security against unauthorized access to the network using DHCP snoozing, Dynamic ARP inspection, and IP Source Guard are all included benefits. With respect to the entire campus design, the access switch is the first line of defense in the network security architecture and the first negotiation point between devices and the infrastructure.

The distribution layer plays a unique role by acting as a services and control border between the access and the core layer. Unlike these layers that employ a special purpose, the distribution layer serves many purposes. It is a collection for the access switches and also acts as an elemental portion of the access-distribution block allowing connectivity and policy assistance for traffic flowing through routing and packet manipulation. It is also important in the core routing design and the core of the network. The third role of the distribution layer is to provide the collection, policy assistance, and isolation reduction point among the campus distribution building block and the rest of the campus network. The structure choices for features within the distribution layer are usually determined by the needs of the access layer, the core layer, or by acting as an interface for both layers. Segmenting workgroups and isolating network issues are done through a combination of layer two and multilayer switching in the distribution layer.

The enterprise campus core layer is the most important yet in ways the simplest section of the layers. Its services are limited and are designed to be readily available aside from operating in a constant on state. In the event of any comment failure, the core layer is responsible for providing an appropriate level of redundancy for allowing near-instant data-flow recovery. The appropriate design calls for allowing for the occasional hardware and software upgrades or modifications to be implemented without interfering with any network applications. The core layer is considered the campus backbone that ties together the fundamentals of the campus architecture. It allows for connectivity amongst the devices, computing, and data storage services among the data center, and other areas among the network. A core layer is essential unless the distribution layer switches are fully meshed.. Having a core layer permits growth to the campus network without damaging the design of the distribution blocks, the data center, or the rest of the campus network.

According to Cisco, the modules of the system are the building blocks that are assembled into the larger campus (Enterprise Campus). Providing isolation is the advantage to a modular approach. If a failure occurs within a module, it is isolated from the rest of the network, allowing simpler troubleshooting and higher system availability. Any tasks can be performed in a in a regulated and organized fashion, which allows for successful maintenance and operation of the network. Two basic blocks make up the campus network architecture: the access-distribution block and the services block. The access-distribution block is the key component of the enterprise campus design. The complete success and stability of the overall architecture is reliant on the design of the distribution block. It is made up of two out of the three hierarchal tiers within the multiple layer of the enterprise campus architecture, which are the access and distribution layers. Network topology design choices (routing and spanning tree protocols) are fundamental in measuring how the distribution block comes together and meshes within the complete architecture. Multi-tier, routed access and virtual switching are the three design options for configuring the access-distribution block and the associated control plane.

Of the three options, the multi-tier access model is the traditional design. Layer two and layer three forwarding are enabled on access and distribution switches. VLAN trunking for extending subnets from the distribution switches to the access layer. Routing and default gateway protocols are performed for carrying upstream routing to the core. Looped and looped free designs are used in the multi-tier access model. A looped design allows for one-to-multiple VLAN configuration, spanning many access switches. The loop-free version has many benefits, such as a reduction in the possibility of a broadcast storm, uplink load balancing, and the capacity to divert unicast flooding. The routed access distribution block acts as an alternative configuration model. Each switch is arranged with a distinct voice, data, and other required VLANs. In this design, the default gateway and root bridge for the VLANs is shifted from the distribution switch to the access switch. An extreme change from the other options is the virtual switch. Virtual switching eliminates physical loops from the topology and the dependency on spanning tree protocol. Virtual switching also permits changes to be made to configuration and maintenance of the distribution block. Virtual switches may also be used in any area of the campus design.

A considerably new piece to the enterprise campus design is the services block. As IPV6 is introduced and network engineers consider migrating with IPV4, to controller-based WLAN environments, or integrate more advanced unified communications services, challenges are to be expected. Implementing these services into the enterprise campus is important. Recommended functions to be placed in a services block include: centralized LWAPP wireless controllers, IPv6 ISATAP tunnel termination, local Internet edge, unified communications services, and policy gateways.

What an enterprise campus network does or provides is also important to the overall architecture. Services and availability that are provided to devices and users are categorized into the following groups:

Non-stop high availability – Network failure, down time, system and network resiliency are all factored in availability.

Security services – Essential piece of all network designs, proving protection to network devices, the links, and the control pane using NetFlow, hardware DPI, Syslog, firewalls or security router, and implementing client applications, such as CSA (Cisco Security Agent).

Access and mobility services – 24/7 quality network connectivity, along with increased mobility and flexibility for multiple devices (wired and wireless) connecting to the network.

Application optimization and protection services – The use of QoS tools for providing availability and flexibility, by protecting traffic flow.

Virtualization services – Provide additional services for guests, vendors, or departmental networks in a virtual environment with specific roles and policies using switched VLANs.

Operational and management services – Success of the enterprise campus design relies on successfully configuring, managing, and troubleshooting both devices and applications residing on the network.

According to Cisco Systems, standard requirements for an enterprise campus network must be met, such as functionality, performance, scalability, availability, manageability, and cost-effectiveness. The campus network has evolved from a layer 2 access-switch design, to a virtual switch-based design and what used to be a design with subnets within a single access switch to a routed access design. As these changes have been introduced; security, flexibility in the infrastructure, and application data flow changes, a strong architecture is fundamental. Strict design approach and principles is the key to an effective campus network design.