§ 7 Campus Network Design
Three-tier and collapsed-core campus design, SD-Access, NAC, wireless, PoE, multicast, QoS, and Catalyst Center operations.
1. Overview
Campus design is a failure-domain and policy-placement problem. The access layer touches endpoints, distribution terminates VLANs and enforces policy, and the core keeps routed connectivity fast and simple.
| Component | Job | Design notes |
|---|---|---|
| Access | Host edge | 802.1X, MAB, PoE, VLANs, PortFast, storm control |
| Distribution | Policy and gateway | SVIs, HSRP/VRRP, ACLs, QoS marking, summaries |
| Core | Fast backbone | L3-only forwarding, redundant high-speed links, OSPF area 0 |
| Fabric edge | SD-Access host attachment | 802.1X result -> EID registration and VXLAN encap |
| Fabric border | Exit from fabric | LISP/VXLAN to traditional routing, WAN/core handoff |
| Control plane | Endpoint locator database | LISP Map-Register, Map-Request, Map-Reply |
2. Three-Tier vs Collapsed Core
A two-tier collapsed core merges distribution and core into one redundant switch pair. It is cheaper and easier for a small campus, but the pair now owns gateway, policy, routing, and backbone roles.
Use three-tier when the campus has many buildings, independent distribution blocks, or a need to keep outages local. Use collapsed core when the real topology is one or two buildings and the extra tier would only add links, optics, and configuration surface.
3. SD-Access Fabric
SD-Access separates host identity from fabric location. LISP maps endpoint identifiers to edge-node locators, VXLAN carries the data plane, and ISE supplies group policy through 802.1X and Security Group Tags.
The underlay still needs boring IP reachability between fabric node loopbacks. The overlay adds endpoint mobility, segmentation, and a central control-plane database so access switches do not flood unknown hosts across the campus.
4. 802.1X, MAB, and ISE
Port-based NAC has three actors: the supplicant, the switch authenticator, and ISE as the RADIUS server. A successful response can assign VLAN, SGT, or downloadable ACL; MAB is the fallback for printers and IoT endpoints.
CoA lets ISE change authorization mid-session after posture, profiling, or security events. In interview terms, 802.1X authenticates before normal traffic, MAB authenticates by MAC address, and CoA changes the policy without waiting for a cable pull.
5. Wireless and CAPWAP
CAPWAP gives the controller a secure control channel for AP join, RF tuning, and configuration. Local mode tunnels client data to the WLC; FlexConnect keeps branch traffic local and can survive WLC reachability loss with cached policy.
Wi-Fi 6 adds OFDMA, TWT, BSS coloring, and 1024-QAM. Wi-Fi 6E opens the cleaner 6 GHz band, while Wi-Fi 7 adds MLO, wider 320 MHz channels, and 4K-QAM.
6. PoE Planning
PoE is a power-budget exercise, not just a port feature. Count phones, cameras, APs, and future high-power devices against the switch budget, then validate class negotiation through LLDP-MED or CDP.
| Standard | Port power | Typical endpoint |
|---|---|---|
| 802.3af | 15.4 W | Phone, basic camera |
| 802.3at | 30 W | PTZ camera, thin client |
| 802.3bt Type 3 | 60 W | High-throughput AP |
| 802.3bt Type 4 | 90 W | Dock, kiosk, laptop-class device |
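The budgeting point above is easy to get wrong in one specific way: a switch that does not negotiate power through LLDP-MED or CDP must reserve the full class ceiling for every port, so the closet runs out of budget long before the devices actually draw that much. The following C program is an added example (not part of this page or of any Cisco tool) that models both allocation modes for one closet; the device mix, the per-device requested watts and the 740 W budget are constructed values, and real PSEs differ in exactly when they move from class-based to negotiated allocation.

```c
#include <stdio.h>

/* Added example: compares class-ceiling versus LLDP-negotiated PoE
 * allocation. Inventory, requested power and the budget are constructed. */

enum poe_std { POE_AF, POE_AT, POE_BT3, POE_BT4 };

/* Per-port ceiling in milliwatts, from the page's PoE table */
int class_max_mw(enum poe_std s) {
    switch (s) {
    case POE_AF:  return 15400;
    case POE_AT:  return 30000;
    case POE_BT3: return 60000;
    case POE_BT4: return 90000;
    }
    return 0;
}

struct pd_group {
    const char *name;
    enum poe_std std;
    int count;
    int lldp_req_mw;   /* power the device asks for via LLDP-MED or CDP */
};

/* Power the switch must reserve for the whole group list: the full class
 * ceiling when nothing is negotiated, or the requested amount when it is. */
long reserved_mw(const struct pd_group *g, int n, int negotiated) {
    long total = 0;
    for (int i = 0; i < n; i++)
        total += (long)g[i].count * (negotiated ? g[i].lldp_req_mw : class_max_mw(g[i].std));
    return total;
}

/* First-come allocation in list order: how many ports power up before
 * the budget is exhausted. */
int ports_powered(const struct pd_group *g, int n, long budget_mw, int negotiated) {
    long used = 0;
    int up = 0;
    for (int i = 0; i < n; i++) {
        int per_port = negotiated ? g[i].lldp_req_mw : class_max_mw(g[i].std);
        for (int k = 0; k < g[i].count; k++) {
            if (used + per_port > budget_mw)
                return up;      /* this port stays unpowered */
            used += per_port;
            up++;
        }
    }
    return up;
}

/* Constructed inventory for one access switch with a 740 W PoE budget */
static const struct pd_group closet[] = {
    { "IP phone",   POE_AF,  24,  6500 },
    { "Wi-Fi 6 AP", POE_BT3,  8, 25000 },
    { "PTZ camera", POE_AT,   4, 22000 },
};
#define CLOSET_N (int)(sizeof closet / sizeof closet[0])
#define BUDGET_MW 740000L

int main(void) {
    for (int negotiated = 0; negotiated <= 1; negotiated++) {
        printf("%s: reserve %ld mW, %d of 36 ports powered within %ld mW\n",
               negotiated ? "LLDP-MED negotiated" : "class ceiling only",
               reserved_mw(closet, CLOSET_N, negotiated),
               ports_powered(closet, CLOSET_N, BUDGET_MW, negotiated),
               BUDGET_MW);
    }
    return 0;
}
```

With these constructed numbers the class-ceiling reservation (969.6 W) exceeds the budget and six of the eight APs plus all four cameras would be denied power, while the negotiated reservation (444 W) leaves headroom for the future high-power devices the section tells you to plan for.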
7. Multicast and QoS
Campus multicast normally uses PIM-SM with the RP near distribution or core, while access switches use IGMP snooping to avoid flooding video streams to every host-facing port.
QoS starts at the trust boundary. Phones can be trusted for EF voice markings, untrusted PCs are remarked, and uplinks reserve strict-priority capacity for voice while data uses class-based queues.
8. Catalyst Center Operations
Catalyst Center turns site hierarchy, address pools, identity groups, and fabric roles into device configuration, then closes the loop through assurance telemetry and API-driven operations.
In SD-Access deployments, Catalyst Center handles design and provisioning, while ISE remains the identity and SGT policy authority. The REST API makes inventory and intent workflows scriptable.
9. Core Mechanism Walkthrough
Background: A user moves from one building to another. Traditional campus design depends on VLAN placement and gateway location; SD-Access treats the host IP/MAC as an EID and remaps it to the new edge.
Plan: authenticate the endpoint, assign VN and SGT, register the EID-to-RLOC binding, resolve the remote endpoint, then enforce SGT policy before VXLAN forwarding.
| Step | Protocol | State change |
|---|---|---|
| 1 | 802.1X / RADIUS | Port becomes authorized with VN, VLAN, and SGT. |
| 2 | LISP Map-Register | Control plane learns EID to edge RLOC. |
| 3 | LISP Map-Request | Ingress edge resolves destination EID. |
| 4 | VXLAN | Packet crosses fabric with VNI and SGT metadata. |
| 5 | SGT policy | Fabric allows or denies the flow by group, not by switchport. |
10. Minimal C Demo
This demo models SD-Access onboarding decisions. Try input A 1 0 1 for a successful first packet, or B 0 0 1 for a failed 802.1X session.
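The page's own demo source is not reproduced here. The program below is an added C example (not the page's demo, not Cisco code) that models the five steps of the section 9 walkthrough and the 802.1X/MAB/SGT behavior of section 4: port authorization with MAB as the restrictive fallback, a LISP Map-Register that overwrites the locator when a host moves, a Map-Request for the destination EID, and an SGT policy check before the VXLAN forward. The input format `<host> <dot1x_ok> <mab_ok> <dst_registered>` is an assumption chosen so that `A 1 0 1` forwards and `B 0 0 1` fails authentication as the text describes; the SGT values, VNI, edge-node letters and policy matrix are all constructed.

```c
#include <stdio.h>
#include <string.h>

/* Added example modelling SD-Access onboarding. Every identifier and
 * value here is constructed for illustration; ISE and Catalyst Center
 * supply the real ones. */

enum outcome { FORWARD, DENY_AUTH, DENY_UNRESOLVED, DENY_POLICY };

/* Constructed Security Group Tags */
enum { SGT_EMPLOYEE = 10, SGT_IOT = 20, SGT_SERVER = 30 };

struct mapping {
    char eid;    /* endpoint identifier (stand-in for host IP/MAC) */
    char rloc;   /* routing locator: the fabric edge holding the host */
    int  sgt;
    int  vni;    /* virtual network id carried in the VXLAN header */
};

#define MAX_EIDS 16
static struct mapping mapdb[MAX_EIDS];   /* LISP control-plane database */
static int mapdb_n;

void mapdb_reset(void) { mapdb_n = 0; }

/* Step 2, Map-Register: the edge publishes EID -> RLOC after the port is
 * authorized. A host that moved simply gets its locator overwritten. */
int lisp_map_register(char eid, char rloc, int sgt, int vni) {
    for (int i = 0; i < mapdb_n; i++) {
        if (mapdb[i].eid == eid) {
            mapdb[i].rloc = rloc; mapdb[i].sgt = sgt; mapdb[i].vni = vni;
            return 0;
        }
    }
    if (mapdb_n == MAX_EIDS) return -1;
    mapdb[mapdb_n++] = (struct mapping){ eid, rloc, sgt, vni };
    return 0;
}

/* Step 3, Map-Request: the ingress edge asks where the destination lives. */
const struct mapping *lisp_map_request(char eid) {
    for (int i = 0; i < mapdb_n; i++)
        if (mapdb[i].eid == eid) return &mapdb[i];
    return NULL;
}

/* Step 1: 802.1X wins; MAB is the fallback and lands in a restrictive
 * group because MAC identity is weak. Returns 0 on success. */
int authorize_port(int dot1x_ok, int mab_ok, int *sgt) {
    if (dot1x_ok) { *sgt = SGT_EMPLOYEE; return 0; }
    if (mab_ok)   { *sgt = SGT_IOT;      return 0; }
    return -1;
}

/* Step 5: constructed SGT matrix. Employees reach servers; IoT stays
 * within its own group. Enforcement is by group, never by switchport. */
int sgt_policy_permit(int src_sgt, int dst_sgt) {
    if (src_sgt == SGT_EMPLOYEE && dst_sgt == SGT_SERVER) return 1;
    return src_sgt == dst_sgt;
}

/* First packet from a newly attached host, evaluated at the ingress edge. */
enum outcome onboard_and_forward(char src, char src_rloc, int dot1x_ok,
                                 int mab_ok, char dst) {
    int sgt;
    if (authorize_port(dot1x_ok, mab_ok, &sgt) != 0) return DENY_AUTH;
    lisp_map_register(src, src_rloc, sgt, 4097);
    const struct mapping *d = lisp_map_request(dst);
    if (d == NULL) return DENY_UNRESOLVED;
    if (!sgt_policy_permit(sgt, d->sgt)) return DENY_POLICY;
    /* Step 4: the VXLAN header toward d->rloc would carry VNI 4097 and sgt */
    return FORWARD;
}

int main(void) {
    static const char *names[] = { "FORWARD", "DENY_AUTH", "DENY_UNRESOLVED", "DENY_POLICY" };
    char host; int dot1x, mab, dst_reg;
    mapdb_reset();
    lisp_map_register('S', 'Z', SGT_SERVER, 4097);   /* constructed server behind edge Z */
    /* Assumed input: <host> <dot1x_ok> <mab_ok> <dst_registered>, e.g. "A 1 0 1" */
    while (scanf(" %c %d %d %d", &host, &dot1x, &mab, &dst_reg) == 4) {
        char dst = dst_reg ? 'S' : 'U';
        printf("%c -> %s\n", host, names[onboard_and_forward(host, 'X', dot1x, mab, dst)]);
    }
    return 0;
}
```

The mobility case from the walkthrough background is the interesting one to trace: re-running `onboard_and_forward` for the same host from a different edge node changes only the RLOC in the map database, while the host's EID, VNI and SGT policy outcome stay the same, which is exactly why no VLAN has to be stretched to the new building.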
11. Source Pointers
- Cisco Catalyst Center: inventory, provisioning, assurance, and intent APIs.
- Cisco ISE: RADIUS policy sets, profiling, downloadable ACLs, SGT assignment, CoA.
- RFC 5176: Dynamic Authorization Extensions to RADIUS for CoA behavior.
- RFC 5415: CAPWAP control and data plane behavior.
- RFC 5059: Bootstrap Router mechanism for PIM-SM RP discovery.
12. Interview Prep
- Where should VLANs terminate in a three-tier campus? Usually at distribution SVIs, keeping L2 failure domains out of the core.
- Why use a collapsed core? Lower cost and simpler operations for small campuses, with a larger combined failure and policy domain.
- What does LISP add in SD-Access? It maps endpoint identity to edge-node location so hosts can move without stretching VLAN logic everywhere.
- When is MAB appropriate? For endpoints that cannot speak 802.1X, with profiling and restrictive policy because MAC identity is weak.
- What is the QoS trust boundary? The first place markings are accepted or rewritten, usually the access switch port.