Network Architecture Design
Large and medium-sized campus networks often use a tree topology with the core layer as the root. In Figure 3-1, the topology is stable and easy to expand and maintain. A campus network is divided into layers (access, aggregation, and core) and into zones (the Internet zone, DC zone, network management zone, and DMZ). Each zone is a self-contained module, so changes are largely confined to the zone they affect, which also makes faults easier to locate.
The functions of layers and zones are described as follows:
- Terminal layer
The terminal layer involves various terminals that access the campus network, such as computers, printers, IP phones, mobile phones, and cameras.
- Access layer
The access layer provides various access modes for users and is the first network layer to which terminals connect. The access layer is usually composed of access switches. There are a large number of access switches that are sparsely distributed in different places on the network. In most cases, an access switch is a simple Layer 2 switch. If the terminal layer has wireless terminals, the access layer has APs that access the network through access switches.
- Aggregation layer
The aggregation layer connects the access layer to the core layer. It forwards horizontal traffic between users and forwards vertical traffic to the core layer. It can also function as the switching core for a department or zone and connect that department or zone to its exclusive server zone. In addition, the aggregation layer increases the number of access terminals that can be connected.
- Core layer
The core layer is the center of data exchange on a campus network. It connects the various components of the campus network, such as the DC, the aggregation layer, and the campus egress, and is responsible for high-speed interconnection of the entire campus network. High-performance core switches need to be deployed to meet requirements for high bandwidth and fast convergence after a network fault. It is recommended that a core layer be deployed for any campus with more than three departments. For a wireless network, the core layer also includes wireless access controllers (WACs). After a wireless terminal accesses the wireless network through an AP, the AP communicates with the WAC through a Control and Provisioning of Wireless Access Points (CAPWAP) tunnel.
- Campus egress zone
The campus egress is the edge that connects a campus network to an external network. Internal users of the campus network can access the external network through the campus egress zone, and external users can access the internal network through the campus egress zone. Routers and firewalls need to be deployed in the campus egress zone. The routers enable interconnection between internal and external networks, and the firewalls provide border security protection.
- DC zone
In the DC zone, service servers such as the file server and email server are managed, and services are provided for internal and external users.
- Network management zone
In the network management zone, network servers such as the network management system and authentication server are managed. The standard NMS interacts with network devices through the Simple Network Management Protocol (SNMP) and provides configuration, management, and maintenance functions. For example, it provides network topology and port display management, network device configuration management, network fault diagnosis and alarm, and network performance and status analysis.
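The NMS-to-device exchange described above is worth seeing at the byte level, because it decides how the management zone must be protected. The following Python is an added illustration written for this page, not code from any NMS product or from the document's vendor: it encodes the SNMPv2c GetRequest an NMS sends to read a device's sysDescr.0, then parses the header the way a passive observer on the wire would, showing that in SNMPv1/v2c the community string (the only credential) is sent unencrypted. The OID, tags and packet layout are the standard ones; the community value "public" is a constructed sample.

```python
"""SNMPv2c GetRequest encoder and header parser (added example, standard library only).

Shows the exact bytes an NMS emits to poll sysDescr.0 and that the v1/v2c
community string is visible in cleartext, which is why SNMPv3 with
authentication and privacy is the recommended setting for the management zone.
"""

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # MIB-2 sysDescr.0, the usual first poll


def _ber_len(n):
    """BER length field: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, content):
    """Tag-length-value wrapper used by every ASN.1 element below."""
    return bytes([tag]) + _ber_len(len(content)) + content


def _integer(value):
    """ASN.1 INTEGER in two's complement (callers only pass non-negative values)."""
    if value == 0:
        return _tlv(0x02, b"\x00")
    size = (value.bit_length() + 8) // 8     # one extra bit keeps the sign positive
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def _oid(dotted):
    """ASN.1 OBJECT IDENTIFIER: first two arcs packed into one byte, rest base-128."""
    arcs = [int(a) for a in dotted.strip(".").split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community, oids, request_id=1):
    """SNMPv2c message: version 1 (= v2c), community, GetRequest-PDU [0]."""
    varbinds = b"".join(_tlv(0x30, _oid(o) + _tlv(0x05, b"")) for o in oids)
    pdu = _tlv(0xA0, _integer(request_id)      # request-id
               + _integer(0) + _integer(0)     # error-status, error-index
               + _tlv(0x30, varbinds))
    return _tlv(0x30, _integer(1) + _tlv(0x04, community.encode("ascii")) + pdu)


def _read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def header_as_seen_on_wire(packet):
    """What any host on the path sees without a key: the version and, for
    v1/v2c, the community string. Returns (version_name, community_or_None)."""
    tag, body, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    vtag, version, pos = _read_tlv(body, 0)
    if vtag != 0x02:
        raise ValueError("missing version field")
    names = {0: "v1", 1: "v2c", 3: "v3"}
    name = names.get(int.from_bytes(version, "big"))
    ctag, second, _ = _read_tlv(body, pos)
    # In v3 the second element is the msgGlobalData SEQUENCE, not a community.
    community = second.decode("ascii", "replace") if ctag == 0x04 else None
    return name, community


if __name__ == "__main__":
    pkt = build_get_request("public", [SYS_DESCR])   # "public" is a constructed sample
    print(pkt.hex())
    print(header_as_seen_on_wire(pkt))
```

An NMS sends this datagram to UDP port 161 on the managed device. The parser makes the defender's point: whoever can capture management-zone traffic learns the community string and can issue the same requests, so the management zone should be reachable only from the NMS servers, and SNMPv3 with authentication and encryption should replace v1/v2c wherever the devices support it.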
- DMZ
The demilitarized zone (DMZ) provides access services with strictly controlled security for external guests (personnel other than the enterprise employees). Public servers are usually deployed in the DMZ.
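The egress, DC and DMZ descriptions above amount to two design rules: every path from the external network into an internal zone must pass through the egress firewall, and the DMZ must not be a stepping stone into internal zones. The Python below is an added example, not the document's or any vendor's tool, that checks both rules on a small constructed topology modelled on the layers and zones described here. Node names, the single firewall, and the choice to hang the DMZ switch off the egress firewall are assumptions made for the example (Figure 3-1 is not reproduced on this page); the check itself is generic: remove the firewall nodes and see what the untrusted zone can still reach.

```python
"""Design check for the campus zone model (added example, standard library only).

Rule 1: the Internet must not reach any internal zone without crossing a firewall.
Rule 2: the DMZ must not reach any internal zone without crossing a firewall.
Both are tested by deleting the firewall nodes and running a breadth-first search.
"""
from collections import deque

# Constructed topology: device -> zone it belongs to (names are assumptions).
ZONES = {
    "internet": "Internet",
    "egress-rtr": "Egress", "egress-fw": "Egress",
    "core-1": "Core", "core-2": "Core",
    "agg-1": "Aggregation", "acc-1": "Access",
    "dc-sw": "DC", "nms-sw": "NetMgmt", "dmz-sw": "DMZ",
}
INTERNAL_ZONES = {"Core", "Aggregation", "Access", "DC", "NetMgmt"}
FIREWALLS = {"egress-fw"}

# Links of the intended design: egress firewall between router and core,
# DMZ on a separate firewall interface, redundant core pair, DC and NMS off the core.
GOOD_LINKS = [
    ("internet", "egress-rtr"), ("egress-rtr", "egress-fw"),
    ("egress-fw", "core-1"), ("egress-fw", "core-2"), ("egress-fw", "dmz-sw"),
    ("core-1", "core-2"), ("core-1", "agg-1"), ("core-2", "agg-1"),
    ("agg-1", "acc-1"), ("core-1", "dc-sw"), ("core-2", "dc-sw"),
    ("core-1", "nms-sw"),
]


def build_adjacency(links):
    """Undirected adjacency map from a list of (a, b) links."""
    adj = {node: set() for node in ZONES}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj


def reachable(adj, start, blocked=frozenset()):
    """Nodes reachable from start when the blocked nodes are removed from the graph."""
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def unpoliced_internal_nodes(links, firewalls, source):
    """Internal-zone nodes that `source` can reach without traversing any firewall.
    An empty list means every path from `source` inward is firewall-policed."""
    adj = build_adjacency(links)
    hits = reachable(adj, source, blocked=frozenset(firewalls))
    return sorted(n for n in hits if ZONES.get(n) in INTERNAL_ZONES)


def border_enforced(links, firewalls=FIREWALLS):
    """Rule 1: the egress firewall is a cut between the Internet and internal zones."""
    return not unpoliced_internal_nodes(links, firewalls, "internet")


def dmz_isolated(links, firewalls=FIREWALLS):
    """Rule 2: a compromised DMZ host gains no firewall-free path into internal zones."""
    return not unpoliced_internal_nodes(links, firewalls, "dmz-sw")


if __name__ == "__main__":
    print("good design, border enforced:", border_enforced(GOOD_LINKS))
    print("good design, DMZ isolated:   ", dmz_isolated(GOOD_LINKS))
    # Constructed mistake: a direct router-to-core link that bypasses the firewall.
    bypass = GOOD_LINKS + [("egress-rtr", "core-2")]
    print("bypass link exposes:", unpoliced_internal_nodes(bypass, FIREWALLS, "internet"))
    # Constructed mistake: DMZ switch cabled straight into the core.
    print("DMZ cabled to core, isolated:", dmz_isolated(GOOD_LINKS + [("dmz-sw", "core-1")]))
```

The check is deliberately topological rather than rule-based: it catches the cabling or routing shortcut that makes the firewall's policy irrelevant, which is the failure a correct-looking rule set cannot reveal. Running it against the real link inventory whenever the egress or DMZ is changed keeps the "strictly controlled" property of the DMZ a verified fact rather than an assumption.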