Large Enterprise Network Architecture Design 1

This document discusses network architecture design for large enterprise campus networks. It recommends a modular, hierarchical three-tier model with separate distribution layers for each building and network services. As the network grows beyond three distribution blocks, it also recommends a separate core layer to interconnect the distribution blocks and avoid single points of failure. The document emphasizes design principles of availability, performance, scalability and security for enterprise networks.

Large Enterprise Network Architecture Design by Cisco
Network Service Architectures
(Your Name)

Abstract – An enterprise environment needs a network designed for availability, performance and scalability in order to achieve its outcomes. Seasoned IT professionals with progressive end-to-end network design expertise are crucial in ensuring that networks meet today’s requirements while future-proofing investments.

I. INTRODUCTION

An enterprise campus usually consists of the computing infrastructure that provides end users with network communication services and resources, with devices spread over a single geographic location. The campus core frequently interconnects the campus access, the WAN portions of the network and the data center. The largest enterprises might have sites distributed worldwide, each providing local backbone connectivity and end-user access. The campus network, as defined in the enterprise design guides, consists of the integrated elements that include the set of services used by end-station devices and a group of users that all share the same high-speed switching communications fabric. These include traffic identification, packet-transport services (both wired and wireless), control (security and application optimization), traffic management and monitoring, and overall systems provisioning and management. These functions include:

- Nonstop high-availability services
- Operational and management services
- Application optimization and protection services
- Access and mobility services
- Virtualization services
- Security services

This paper focuses on the major design principles and design criteria that form the enterprise campus architecture. These principles, when applied correctly, provide a framework and a solid foundation on which the upper-layer services can be deployed efficiently.

II. NETWORK DESIGN

Designing large enterprise campus networks requires a dedicated distribution layer for each building (distribution block). The main campus network is typically constructed of multiple buildings; therefore, implementing the three-tier model is a highly recommended and feasible design model, especially if the network is expected to grow significantly over time.

Furthermore, in large-scale enterprise campus networks, when the density of WAN routers, Internet edge devices, WAAS controllers and wireless LAN controllers grows, it is neither feasible nor advisable to connect these nodes to a single distribution layer switch. Avoiding this removes design and operational complexities as well as a single point of failure that would otherwise make the design inflexible, nonresilient and nonscalable.

The enterprise should therefore consider a separate distribution layer for network-based services. As a result, there will be more distribution blocks to interconnect, and the more distribution blocks in the network, the greater the need for a separate core block (layer). As a rule, with three or more distribution blocks, a separate core layer/block should be used to interconnect them, as illustrated in Figure 1, where multiple distribution switches must be interconnected.

Figure 1: Enterprise Core Block (Layer)

Modular Enterprise Campus Architecture and Modular Enterprise Campus with OSPF

Normally, a large-scale enterprise campus network architecture can have multiple different specialized modules, also referred to as “building blocks” or “places in the network” (PINs).
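The modular, per-building distribution-block design above only pays off for routing when each block owns its own contiguous address range: the block then advertises a single summary route to the core, and a fault inside one block stays inside it. The Python script below is an added example, not part of this paper or of any Cisco design guide. It takes a constructed addressing plan (block names, allocations and subnets are all made up), derives the summary prefix each block would advertise, verifies that the summary stays inside the block’s allocation, and flags summaries that overlap between blocks, then repeats the check on a plan where one block has borrowed a subnet from another block’s range.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan: one distribution block per building plus a
# separate block for network services, each owning its own /16.
BLOCKS = {
    "building-A": {"range": "10.1.0.0/16",
                   "subnets": ["10.1.10.0/24", "10.1.11.0/24", "10.1.20.0/23"]},
    "building-B": {"range": "10.2.0.0/16",
                   "subnets": ["10.2.0.0/22", "10.2.4.0/24"]},
    "services":   {"range": "10.200.0.0/16",
                   "subnets": ["10.200.1.0/24", "10.200.2.0/24"]},
}

# Same plan with a mis-addressed subnet: building-C has borrowed a /24 from
# building-A's range, which breaks summarization and fault isolation.
BAD_BLOCKS = dict(BLOCKS)
BAD_BLOCKS["building-C"] = {"range": "10.3.0.0/16",
                            "subnets": ["10.3.1.0/24", "10.1.50.0/24"]}


def summary_prefix(subnets):
    """Smallest single prefix that covers every access subnet of a block.

    This is the route the block's distribution switches would advertise to
    the core instead of every individual subnet.
    """
    nets = [ipaddress.ip_network(s) for s in subnets]
    summary = nets[0]
    while not all(n.subnet_of(summary) for n in nets):
        summary = summary.supernet()      # widen by one bit until all fit
    return summary


def check_plan(blocks):
    """Return (summaries, problems) for an addressing plan.

    Two checks a design reviewer would run before accepting the plan:
      1. A block's summary must not extend beyond its allocated range, or
         the core would forward other blocks' traffic into it.
      2. Block summaries must not overlap, or a failure in one block would
         disturb forwarding for the other (no fault isolation).
    """
    summaries, problems = {}, []
    for name, spec in blocks.items():
        allocated = ipaddress.ip_network(spec["range"])
        summary = summary_prefix(spec["subnets"])
        summaries[name] = summary
        if not summary.subnet_of(allocated):
            problems.append(
                f"{name}: summary {summary} leaks outside allocation {allocated}")
    for (a, sa), (b, sb) in combinations(summaries.items(), 2):
        if sa.overlaps(sb):
            problems.append(f"{a} ({sa}) overlaps {b} ({sb})")
    return summaries, problems


if __name__ == "__main__":
    for plan_name, plan in (("clean plan", BLOCKS), ("mis-addressed plan", BAD_BLOCKS)):
        summaries, problems = check_plan(plan)
        print(f"== {plan_name}")
        for block, summary in summaries.items():
            print(f"  {block:12s} advertises {summary}")
        for p in problems:
            print(f"  PROBLEM: {p}")
```

On the clean plan each block collapses to one prefix (building-A to 10.1.0.0/19, building-B to 10.2.0.0/21, services to 10.200.0.0/22) and no problems are reported; on the mis-addressed plan building-C’s summary balloons to 10.0.0.0/14, which leaks outside its allocation and overlaps both building-A and building-B, which is exactly the situation in which a fault in one block is no longer isolated.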

Figure 2: Modular Enterprise Campus Architecture

However, each of the enterprise campus building blocks still needs to use the hierarchical design model, such as the access-distribution block and its connectivity to the enterprise core block. Furthermore, introducing modularity into large campus networks with multiple distribution blocks promotes a more optimized routing design, with better fault isolation per block/module and more efficient route summarization (assuming there is a structured IP addressing scheme in which each block has its own IP range).

III. ROUTING PROTOCOLS

BGP, as defined in RFCs 1163 and 1267, is an Exterior Gateway Protocol (EGP). It enables you to set up an interdomain routing system that automatically guarantees the loop-free exchange of routing information between autonomous systems.

Any typical BGP route consists of the following:

- A network number
- A list of the autonomous systems that the information has passed through (called the autonomous system path)
- A list of other path attributes

Like any dynamic routing protocol, the main goal of BGP is to exchange network reachability information with other BGP systems. Unlike an IGP, BGP also passes the list of autonomous systems on the path of each route; therefore, it is referred to as a path-vector protocol.

As an intra- and interdomain routing protocol, BGP offers flexibility to different interconnected autonomous systems (AS). In interior routing, split-horizon route advertisement is a method of preventing routing loops in distance-vector routing protocols by prohibiting a router from advertising a route back onto the interface from which it was learned. In BGP, split horizon is enforced in a slightly different way, using extra mechanisms.

As highlighted in the preceding section, BGP has two forms of speakers, EBGP and IBGP, and each uses different mechanisms to avoid routing loops. BGP communities are designed to give network operators the flexibility to apply complex policies to large numbers of routes, alongside the built-in mechanisms of routing policy language (RPL) or route maps.

IV. NETWORK SECURITY

Security is one of the most significant parts of modern network design. To protect critical resources, today’s networks should be segmented, and proper control mechanisms should exist between those network segments. The design of secure networks should follow the common network architecture best practices and guidelines to provide the proper level of security. Cisco offers a wide range of next-generation products and technologies to meet modern security needs.

The network infrastructure is one of the foundation elements of enterprise IT infrastructure and is a critical business asset. Therefore, it is crucial to secure the network, and security should be taken into consideration in the design phase. To provide complete security of the network, begin by enforcing the fundamental elements of network security; these elements can then serve as the basis for far more advanced security features and mechanisms.

Network security zoning

To restrict access between different parts of the network, use the concept of zoning. Zoning mitigates the risk of having one flat network without any access restrictions between different network segments. It is a design approach that restricts communication to only those flows that are defined by security policy.

Many types of zones exist in the network. The most typical zones follow:

- Public zone: An external zone that is not under the control of the organization. Public services are located in this zone.
- Public access zone: A zone that hosts the public services of the organization and is often called the demilitarized zone (DMZ). These services can be accessed from the public zone. Typical services include e-mail proxy, web proxy, reverse proxy, and remote-access services.
- Restricted zone: An internal zone that hosts the most critical data services for the organization. Usually, this zone is the most secured zone, and access to it should be limited.

Figure 3: Logical Security Zones

The Cisco modular network architecture delivers defense-in-depth by positioning Cisco products and capabilities throughout the network and by using collaborative capabilities between the platforms. A wide range of security technologies is deployed in multiple layers. Products and capabilities are positioned where they deliver the most value, while facilitating collaboration and operation.

The Cisco modular network architecture follows these principles:

Defense-in-depth: In the Cisco modular network architecture, security is embedded throughout the network by following a defense-in-depth approach. For enhanced visibility and control, a rich set of security technologies and capabilities is deployed in multiple layers, under a common strategy and administrative control.

Modularity and flexibility: In the Cisco modular network architecture, all components are described by functional roles. The overall network infrastructure is divided into functional modules, such as the campus and the data center. Functional modules are then subdivided into more manageable and granular functional layers and blocks, such as the access layer and the edge distribution layer. The modular designs result in added flexibility, which enables phased implementation for deployment plus selection of the best platforms and their eventual replacement as technology and the business need to evolve. Finally, modularity also accelerates the adoption of new services and roles.

Service availability and resiliency: The Cisco modular network architecture incorporates several layers of redundancy to eliminate single points of failure and to maximize the availability of the network infrastructure.

Auditable implementations: The Cisco modular network architecture designs accommodate a set of tools to measure and verify the operation and the enforcement of safeguards across the network.

Regulatory compliance: The Cisco modular network architecture integrates an intrinsic set of security practices and functions that are frequently required by regulations and standards to facilitate the achievement of regulatory compliance.

Global information sharing and collaboration: The Cisco modular network architecture uses the information sharing and collaborative capabilities available on Cisco products and platforms. Logging and event information generated by the devices in the network is centrally collected, trended, and correlated for maximum visibility.

Strive for operational efficiency: The Cisco modular network architecture is designed to facilitate management and operations throughout the entire solution life cycle. Designs were conceived with simplicity to accelerate provisioning and to help troubleshoot and isolate problems quickly, effectively reducing operating expenditures.

V. CONNECTIVITY

A campus network is a building or collection of buildings linked by a single company network made up of several local area networks (LANs). In general, a campus is part of an activity (or the business as a whole) limited to a defined geographical region.

The campus setting always consists of actual cables installed by the corporation that operates the organization’s network. The topology of the campus network is mainly LAN technology, which links all terminal systems in the city. In general, campus networks utilize LAN technologies including Ethernet, Token Ring, Fiber Distributed Data Interface (FDDI), Fast Ethernet, Gigabit Ethernet and ATM. The following network geography structures are considered in a campus network:

- Intra-building
- Inter-building
- Distant remote building

Policies, budgetary and staffing constraints, and project scheduling are the constraints of a campus network.
VI. REMOTE ACCESS

VPN connections enable users to send data between remote-site locations and to access centralized corporate resources in a secure and efficient manner. The two main categories of VPN solutions are:

- Remote VPN solutions
- Site-to-site VPN solutions

The goal of remote VPN solutions is to connect specific users, through device-specific capabilities, to one another and to centralized resources. An example of a modern remote VPN solution is SSL VPN. Remote VPN solutions typically require users to have special software on their devices to establish connectivity back to the enterprise.

Enterprise-managed VPNs are the right option for implementing your own routing infrastructure without provider involvement. Many organizations prefer this approach because it results in a consistent routing operational model and provides future flexibility with respect to provider migrations. Enterprise-managed VPN connections are established over a third-party infrastructure and can take advantage of the Internet or of provider-managed VPNs for the underlying transport connectivity.

Enterprises can use provider-managed VPN services to lay the foundation for the underlying network and implement enterprise-managed VPN solutions over the provider infrastructure. The motivation for implementing an enterprise-managed VPN over a provider-managed VPN is that these services typically come with SLAs in place for the connections. To promote operational consistency and to minimize risk with a focus on security, establish traffic encryption even when you use provider-managed VPN services; this is a good practice. The drawback of using provider-managed VPNs is that this solution is often more expensive than VPN solutions over the Internet.
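Section IV defines zoning as permitting only the flows the security policy names, and places the remote-access services discussed in this section in the public access zone (DMZ). The Python script below is an added example, not from this paper or from any Cisco product, that models exactly that with the three zones the paper lists: a constructed prefix-to-zone map, an explicit inter-zone allow list, a default deny for everything else, and an audit routine that runs over a few constructed flow records (such as a firewall or NetFlow export) and reports the flows that cross a zone boundary without a matching rule. The addresses come from the documentation and RFC 1918 ranges; the ports, the rules and the choice to put the VPN client pool in the public access zone are all constructed.

```python
import ipaddress

# Constructed prefix-to-zone map. Anything not listed is the public zone,
# i.e. outside the organization's control.
ZONE_PREFIXES = [
    (ipaddress.ip_network("198.51.100.0/24"), "public-access"),  # DMZ: proxies, VPN gateway
    (ipaddress.ip_network("10.20.0.0/16"),    "public-access"),  # remote-access VPN client pool
    (ipaddress.ip_network("10.10.0.0/16"),    "restricted"),     # critical data services
]

# Explicit allow list: (src_zone, dst_zone, protocol, dst_port). Default deny.
POLICY = {
    ("public", "public-access", "tcp", 443),        # users reach web/reverse proxy and SSL VPN
    ("public-access", "public", "tcp", 443),        # web proxy fetches on behalf of users
    ("public-access", "restricted", "tcp", 8443),   # reverse proxy / VPN users to app tier only
    ("public-access", "restricted", "tcp", 25),     # e-mail proxy relays inbound mail
}


def zone_of(ip):
    """Map an address to its zone; unknown space is the public zone."""
    addr = ipaddress.ip_address(ip)
    for prefix, zone in ZONE_PREFIXES:
        if addr in prefix:
            return zone
    return "public"


def evaluate(src, dst, proto, port):
    """Return 'permit' or 'deny' for one flow.

    Flows that stay inside a single zone are outside this inter-zone policy
    (they are controlled by whatever that zone's own segmentation does)."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "permit"
    return "permit" if (sz, dz, proto, port) in POLICY else "deny"


def audit(flow_records):
    """Return the records the policy would not permit.

    Each record is a constructed 'src dst proto dst_port' line."""
    findings = []
    for line in flow_records:
        src, dst, proto, port = line.split()
        if evaluate(src, dst, proto, int(port)) == "deny":
            findings.append(f"{line}  ({zone_of(src)} -> {zone_of(dst)})")
    return findings


# Constructed flow records, as exported by a firewall or NetFlow collector.
SAMPLE_FLOWS = [
    "203.0.113.7 198.51.100.10 tcp 443",    # Internet user -> DMZ reverse proxy
    "203.0.113.7 10.10.5.20 tcp 1433",      # Internet user -> database: must be denied
    "198.51.100.10 10.10.5.20 tcp 8443",    # reverse proxy -> application tier
    "10.20.3.15 10.10.5.20 tcp 8443",       # VPN user -> application tier, allowed
    "10.20.3.15 10.10.5.20 tcp 22",         # VPN user -> SSH into restricted: not in policy
    "10.10.5.20 10.10.5.21 tcp 5432",       # app -> database inside the restricted zone
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("policy violation:", finding)
```

Run against the sample records, the audit flags only the direct Internet-to-database attempt and the VPN user’s SSH session into the restricted zone; a VPN user reaching the application port is permitted because that flow is in the policy, which is the point of terminating remote access in the DMZ and writing explicit rules from there.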

VII. QoS

Two different models exist for addressing QoS on a network. The Integrated Services (IntServ) model was introduced to supplement best-effort delivery by setting aside some bandwidth for applications that require bandwidth and delay guarantees. IntServ expects applications to signal their requirements to the network. The Differentiated Services (DiffServ) model was added to provide greater scalability for addressing the QoS requirements of IP packets.

Some applications, such as high-definition videoconferencing, require consistent, dedicated bandwidth to provide a sufficient experience for users. IntServ was introduced to guarantee predictable network behavior for these types of applications. Because IntServ reserves bandwidth throughout a network, no other traffic can use the reserved bandwidth.
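The two models differ in what the network does with capacity nobody is using: an IntServ reservation is held for the flow that signalled it whether or not the flow is sending, while a DiffServ per-hop behaviour serves marked classes from shared capacity. The Python model below is an added example, not from this paper or from any vendor, that contrasts the two on one constructed 100 Mbps link: an admission-control routine for the IntServ case (what RSVP signalling would drive in a real network), and a simplified work-conserving class scheduler with guaranteed minimum shares for the DiffServ case. The capacity, the per-class guarantees and the offered loads are constructed; the DSCP values are the standard code points for the EF and AF classes.

```python
CAPACITY_MBPS = 100     # constructed link capacity


def intserv_admission(requests, capacity=CAPACITY_MBPS):
    """IntServ-style admission control.

    `requests` is a list of (flow_name, rate_mbps) that applications signal.
    A flow is admitted only if its rate fits in what is still unreserved;
    admitted flows keep that rate even while idle, so best-effort traffic can
    only ever use the remainder.
    """
    admitted, rejected, reserved = [], [], 0
    for flow, rate in requests:
        if reserved + rate <= capacity:
            admitted.append(flow)
            reserved += rate
        else:
            rejected.append(flow)
    return {"admitted": admitted, "rejected": rejected,
            "reserved": reserved, "best_effort_left": capacity - reserved}


# DiffServ marks packets; the per-hop behaviour acts on the class, not the flow.
DSCP = {"EF": 46, "AF41": 34, "AF21": 18, "BE": 0}


def diffserv_schedule(offered, guarantees, capacity=CAPACITY_MBPS):
    """Simplified work-conserving scheduler with guaranteed minimum shares.

    `offered` and `guarantees` map class name -> Mbps. Each class first gets
    min(offered, guarantee); capacity left over, including guarantees that
    idle classes did not use, is shared equally among classes that still
    have backlog. Unlike IntServ, nothing sits idle while a class has traffic.
    """
    alloc = {c: min(offered.get(c, 0), guarantees[c]) for c in guarantees}
    spare = capacity - sum(alloc.values())
    backlog = {c: offered.get(c, 0) - alloc[c]
               for c in guarantees if offered.get(c, 0) > alloc[c]}
    while spare > 1e-9 and backlog:
        share = spare / len(backlog)
        for c in list(backlog):
            take = min(share, backlog[c])
            alloc[c] += take
            backlog[c] -= take
            spare -= take
            if backlog[c] <= 1e-9:
                del backlog[c]
    return alloc


# Constructed inputs: three HD video flows and a voice flow ask for reservations;
# the same link is then modelled with four DiffServ classes under heavier load.
RESERVATION_REQUESTS = [("hd-video-1", 40), ("hd-video-2", 40),
                        ("hd-video-3", 30), ("voice", 10)]
CLASS_GUARANTEES = {"EF": 30, "AF41": 30, "AF21": 20, "BE": 20}
OFFERED_LOAD = {"EF": 10, "AF41": 50, "AF21": 25, "BE": 40}

if __name__ == "__main__":
    print("IntServ:", intserv_admission(RESERVATION_REQUESTS))
    for cls, mbps in diffserv_schedule(OFFERED_LOAD, CLASS_GUARANTEES).items():
        print(f"DiffServ {cls} (DSCP {DSCP[cls]}): {mbps:.1f} Mbps")
```

With these inputs IntServ admits the first two video flows and the voice flow (90 Mbps reserved), refuses the third video flow, and leaves only 10 Mbps for everything else regardless of whether the reserved flows are active. The DiffServ scheduler gives EF only the 10 Mbps it offers and redistributes the unused 20 Mbps of its guarantee to the backlogged classes, ending at 37.5 Mbps for AF41, 25 for AF21 and 27.5 for best effort, which is the scalability trade the section describes: no per-flow state, but no per-flow guarantee either.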

