Mental model
A flat network — every switch is the same, every link is the same — works fine for 10 hosts. At 100 it’s painful. At 1000 it’s a disaster: broadcast storms, unpredictable performance, no clear failure domain, every change touches everything.
Cisco’s answer is hierarchical design — split the network into layers, each with one job:
Internet / Data Center
│
┌───────┴───────┐
│ CORE │ High-speed transit only
└───┬───────┬───┘
│ │
┌───────┴───┐ ┌─┴───────┐
│ DIST │ │ DIST │ Aggregation + L3 boundary + policy
└───┬──┬───┘ └───┬──┬───┘
│ │ │ │
┌─────┴┐┌┴────┐┌──┴┐┌┴────┐
│ ACC ││ ACC ││ ACC ││ ACC│ User-facing — switchports for clients
└─────┘└─────┘└─────┘└─────┘
│ │ │ │
└──┴──hosts──┴──┘
This three-tier (or “campus”) model is what 95% of enterprise networks use. The CCNA exam tests it directly — knowing the layer responsibilities and design choices is required.
The three layers — one job each
Access Layer
Job: connect end-users (and IoT, APs, phones, cameras) to the network.
Characteristics:
- One switch per ~24–48 user ports.
- Layer-2 only (most designs). VLANs live here; the SVI/gateway is on Distribution.
- Lots of features: PortFast + BPDU Guard, PoE, Voice VLAN, port security, 802.1X, DHCP Snooping.
- Failure of one access switch isolates 24–48 users — bounded blast radius.
What you do NOT do at access:
- Route. (Mostly. Some recent designs push routing down — see “Routed access” below.)
- Connect users directly to multiple distributions (single uplink is fine if redundancy is at the dist+core layer).
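The access-layer feature list above, as an added configuration example for one access switch (this is not configuration from the page; IOS-XE syntax on a Catalyst 9200 is assumed, and the VLAN numbers, interface ranges and timers are assumptions). It shows how the edge-security features stack on a user port and why the uplinks toward distribution are the only ports trusted for DHCP Snooping and DAI. 802.1X is left out because it also needs a RADIUS server definition.

```ios
! ACC1 - Layer-2 access switch (assumed Catalyst 9200, IOS-XE). Added example.
! VLAN 10 = users, VLAN 20 = phones, Gi1/0/1-24 = user ports, Gi1/1/1-2 = uplinks.
!
spanning-tree mode rapid-pvst
! Any BPDU arriving on a PortFast port errdisables it (rogue switch or loop at the edge)
spanning-tree portfast bpduguard default
!
! DHCP Snooping builds the IP-to-MAC binding table that DAI relies on
ip dhcp snooping
ip dhcp snooping vlan 10,20
no ip dhcp snooping information option
! Dynamic ARP Inspection drops ARP packets that do not match a snooping binding
ip arp inspection vlan 10,20
!
! Let an errdisabled port recover after 5 minutes instead of needing a manual shut/no shut
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery cause arp-inspection
errdisable recovery interval 300
!
interface range GigabitEthernet1/0/1-24
 description USER-PORT
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! Never negotiate a trunk with a user device
 switchport nonegotiate
 ! Port security: one PC plus one phone; a third MAC is dropped and logged, port stays up
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security aging time 60
 switchport port-security aging type inactivity
 ! Edge port: skip listening/learning so the host gets link immediately
 spanning-tree portfast
 ! Rate-limit DHCP so one misbehaving host cannot starve the pool or the snooping process
 ip dhcp snooping limit rate 15
!
! Uplinks to the distribution pair: trusted for snooping and DAI, never PortFast
interface range GigabitEthernet1/1/1-2
 description UPLINK-DIST
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 ip dhcp snooping trust
 ip arp inspection trust
!
! Verification:
!   show ip dhcp snooping binding
!   show ip arp inspection vlan 10
!   show port-security interface GigabitEthernet1/0/1
!   show spanning-tree interface GigabitEthernet1/0/1 portfast
```

The trust boundary is the point: every feature here assumes the DHCP server and the rest of the network sit behind the uplinks, so a user port is never trusted and an uplink is never an edge port. Swapping those two roles on even one port is the classic way these protections silently stop working.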
Distribution Layer
Job: aggregate access switches, handle inter-VLAN routing, apply policy.
Characteristics:
- Layer-3 boundary. SVIs for each VLAN live here.
- FHRP (HSRP / VRRP / GLBP) for gateway redundancy — see FHRP comparison.
- ACLs, QoS marking, route filtering.
- Two per “distribution block” — paired for redundancy. Each access switch dual-homed to both.
- Routing protocols summarize prefixes northbound (one /20 instead of 16 /24s — see Route Summarization).
- ~100 Gbps aggregate capacity per pair is typical in 2026.
Core Layer
Job: move traffic between distribution blocks at line rate. Nothing else.
Characteristics:
- Highest-speed switches in the building. 40 / 100 / 400 Gbps interfaces.
- No user ports. No policy. No filtering. Just forwarding.
- Two switches, fully meshed with each distribution pair → no single point of failure.
- Often runs OSPF or EIGRP between cores and distribution; sometimes BGP if connecting to a WAN/DC fabric.
- Reachable from every distribution pair via diverse paths.
The core is intentionally simple — keep it stable, keep it fast, don’t touch it.
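The "summarize prefixes northbound" and "the core only forwards" points, as an added configuration example for one switch of a distribution pair (added here, not the page's configuration; Catalyst 9500 IOS-XE syntax, the 10.x addressing, OSPF process and area numbers, HSRP priorities and interface names are all assumptions). The 16 access subnets 10.1.0.0/24 through 10.1.15.0/24 sit in OSPF area 10; DIST-1 is the area border router and advertises the single 10.1.0.0/20 into area 0, so the cores carry one route per distribution block and never see an individual access subnet flap.

```ios
! DIST-1 - one switch of the distribution pair (assumed Catalyst 9500, IOS-XE). Added example.
! Access block: VLANs 10-25 map to 10.1.0.0/24 .. 10.1.15.0/24 (16 x /24 = one /20).
! DIST-2 mirrors this with .3 host addresses and HSRP priority 90.
!
ip routing
!
! Two of the sixteen SVIs shown; Vlan12 through Vlan25 follow the same pattern
interface Vlan10
 description USERS
 ip address 10.1.0.2 255.255.255.0
 standby version 2
 standby 10 ip 10.1.0.1
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan11
 description PHONES
 ip address 10.1.1.2 255.255.255.0
 standby version 2
 standby 11 ip 10.1.1.1
 standby 11 priority 110
 standby 11 preempt
!
! Routed point-to-point uplinks to both cores: no STP and no VLAN on these links
interface TenGigabitEthernet1/0/1
 description TO-CORE-1
 no switchport
 ip address 10.255.1.1 255.255.255.252
 ip ospf network point-to-point
!
interface TenGigabitEthernet1/0/2
 description TO-CORE-2
 no switchport
 ip address 10.255.1.5 255.255.255.252
 ip ospf network point-to-point
!
router ospf 1
 router-id 10.255.0.1
 ! SVIs have no OSPF neighbors: advertise them, but send no hellos into user VLANs
 passive-interface default
 no passive-interface TenGigabitEthernet1/0/1
 no passive-interface TenGigabitEthernet1/0/2
 network 10.1.0.0 0.0.15.255 area 10
 network 10.255.1.0 0.0.0.255 area 0
 ! ABR summary: area 0 learns 10.1.0.0/20 only; a down access VLAN stays inside area 10
 area 10 range 10.1.0.0 255.255.240.0
!
! On CORE-1, "show ip route ospf" should list one inter-area route for the block:
!   O IA 10.1.0.0/20 [110/<cost>] via 10.255.1.1, TenGigabitEthernet1/0/1
! instead of sixteen /24s. A stable core is one whose routing table does not
! change when an access switch reloads.
```

The core side needs nothing beyond routed interfaces in area 0 and `router ospf 1`: no SVIs, no ACLs, no summarization of its own. If you find yourself typing policy on a core, the design has drifted.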
Two-tier (“collapsed core”)
For small/medium sites — say, ≤200 access ports, single building, single floor or two — you may not need a dedicated core. Distribution and core merge into one layer:
Internet / WAN
│
┌────────┴────────┐
│ COLLAPSED CORE │ Aggregation + routing + transit in one layer
└───┬────┬────┬───┘
│ │ │
┌───┴┐ ┌─┴┐ ┌─┴───┐
│ACC │ │ACC│ │ ACC │
└────┘ └──┘ └─────┘
│ │ │
hosts hosts hosts
Same design principles, fewer boxes. Move to three-tier when:
- You’re outgrowing the box’s capacity.
- You have multiple buildings or floors.
- You need to keep core stability separate from distribution policy churn.
Don’t add a core just to look enterprise-grade.
The redundancy pattern
The canonical campus design pattern at each layer:
| Layer | Redundancy |
|---|---|
| Access | Single switch is fine; redundancy is at the dist+core layer. Optional: dual-home access switches to two distribution switches (uplinks). |
| Distribution | Always pair. Two distribution switches per block. Cross-connected. Both run FHRP for VLAN gateways. |
| Core | Always pair. Two core switches. Fully meshed to every distribution pair (4 links between cores + dists). |
This is the “redundant L3 distribution + redundant core” pattern. It survives any single failure (link, switch, line card, power supply) with no user impact.
Loop-free designs — modern best practices
Classic distribution uses STP (or RSTP) between access and distribution, with active/standby uplinks. RSTP convergence in 1–2 seconds is OK but not great.
Two newer approaches:
1. StackWise Virtual / VSS (Virtual Switching System)
Pair the two distribution switches into one logical switch with two chassis. From the access switches’ perspective there is only one upstream: each access switch runs an EtherChannel with one member link to each physical chassis, and both links forward simultaneously. No STP blocking.
Failure of one chassis = the other keeps forwarding. Failover ≤1 second.
2. Routed Access
Push Layer 3 all the way down to access switches. Each access switch is a tiny routed device with its own subnet. STP only lives within the access switch itself. Distribution still aggregates but no longer terminates VLANs.
- Pros: Faster convergence (IP routing > STP). Smaller failure domain.
- Cons: Each access switch is L3 — every device needs OSPF/EIGRP knowledge. Mobile clients require some workaround (VXLAN, LISP, or stickiness).
CCNA tests this at recognition level — both VSS and routed access are above the certification depth.
What lives where — quick reference
| Feature / Function | Layer |
|---|---|
| End-user / IoT / AP ports | Access |
| PortFast + BPDU Guard | Access |
| Port security, 802.1X | Access |
| PoE | Access (and APs/phones) |
| Voice VLAN | Access |
| DHCP Snooping | Access |
| Dynamic ARP Inspection | Access |
| VLAN gateway SVI | Distribution |
| FHRP (HSRP/VRRP) | Distribution |
| ACLs (user → server policy) | Distribution |
| Route summarization | Distribution → Core |
| QoS marking | Access (set), Distribution (trust + remark) |
| WAN/DC connections | Distribution or Core |
| BGP / OSPF area boundary | Distribution or Core |
| High-speed transit only | Core |
A complete tiny campus example
50 users across one building. Two-tier collapsed-core design:
Internet
│
┌────────┴────────┐
│ CORE-1 ←──→ CORE-2 │ Catalyst 9500. EtherChannel between them.
└───┬────┬────┬───────┘ HSRP virtual IP for each VLAN.
│ │ │ OSPF to internet edge router.
┌───┴┐ ┌─┴┐ ┌─┴───┐
│ACC1│ │ACC2│ │ACC3 │ Catalyst 9200. PoE+.
└────┘ └──┘ └─────┘ PortFast + BPDU Guard on user ports.
│ │ │ Trunk uplinks to both cores.
users phones APs
- VLAN 10 USERS / VLAN 20 PHONES / VLAN 30 GUEST / VLAN 99 MGMT.
- SVIs on the cores. HSRP between them.
- Each access switch trunks to both cores (LACP EtherChannel + RPVST+).
- One core could fail and everything keeps working.
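The same tiny campus, as an added configuration sketch for CORE-1 and the ACC1 uplinks (added here, not the page's configuration; IOS-XE syntax for the Catalyst 9500/9200 named above is assumed, and the 10.0.x.0/24 addressing, HSRP priorities, OSPF process number and interface numbers are assumptions). It ties the bullets together: SVIs plus HSRP on the cores, a core-to-core EtherChannel, one LACP trunk per access switch pruned to the VLANs that switch actually carries, and RPVST+ with CORE-1 as root so the STP forwarding path and the HSRP active gateway land on the same box. It is also a usable starting point for the lab at the end of this page.

```ios
! ===== CORE-1 (assumed Catalyst 9500, IOS-XE) - added example, not the page's config =====
! CORE-2 is the mirror image: .3 host address on every SVI, HSRP priority 90,
! STP priority 8192, same Port-channels.
vlan 10
 name USERS
vlan 20
 name PHONES
vlan 30
 name GUEST
vlan 99
 name MGMT
!
ip routing
spanning-tree mode rapid-pvst
! Make CORE-1 root so the RPVST+ forwarding path matches the HSRP active gateway
spanning-tree vlan 10,20,30,99 priority 4096
!
! One SVI per VLAN; Vlan30 and Vlan99 follow the same pattern with groups 30 and 99
interface Vlan10
 description USERS-GW
 ip address 10.0.10.2 255.255.255.0
 standby version 2
 standby 10 ip 10.0.10.1
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan20
 description PHONES-GW
 ip address 10.0.20.2 255.255.255.0
 standby version 2
 standby 20 ip 10.0.20.1
 standby 20 priority 110
 standby 20 preempt
!
! Core-to-core L2 EtherChannel: HSRP hellos and any VLAN whose access uplink is blocked cross here
interface Port-channel1
 description CORE-2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30,99
interface range TenGigabitEthernet1/0/1-2
 channel-group 1 mode active
!
! One Port-channel per access switch, carrying only the VLANs that switch serves
! (ACC1 = users + phones; guest VLAN 30 is trunked only toward the AP switch, ACC3)
interface Port-channel11
 description ACC1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
interface range TenGigabitEthernet1/0/11-12
 channel-group 11 mode active
!
! Routed link to the internet edge router, OSPF area 0
interface TenGigabitEthernet1/0/24
 description TO-EDGE-RTR
 no switchport
 ip address 10.0.255.2 255.255.255.252
!
router ospf 1
 router-id 10.0.255.2
 passive-interface default
 no passive-interface TenGigabitEthernet1/0/24
 network 10.0.0.0 0.0.255.255 area 0
!
! ===== ACC1 (assumed Catalyst 9200) - uplinks only; user ports as described under Access Layer =====
spanning-tree mode rapid-pvst
spanning-tree portfast bpduguard default
!
! Two LACP bundles, one per core; RPVST+ forwards Po1 (toward the root) and blocks Po2
interface Port-channel1
 description UPLINK-CORE-1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
interface range GigabitEthernet1/1/1-2
 channel-group 1 mode active
!
interface Port-channel2
 description UPLINK-CORE-2
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
 switchport nonegotiate
interface range GigabitEthernet1/1/3-4
 channel-group 2 mode active
!
! Management SVI only; this switch routes nothing
interface Vlan99
 ip address 10.0.99.11 255.255.255.0
ip default-gateway 10.0.99.1
!
! Failure tests: "shutdown" Po11 on CORE-1, then on ACC1 "show spanning-tree vlan 10"
! shows Po2 moving to FWD; HSRP stays active on CORE-1, reached via Po1 on CORE-2.
! Power off CORE-1 and "show standby brief" on CORE-2 shows group 10 Active
! once the hold timer expires.
```

Two things are easy to miss when building this. The core-to-core trunk must carry every VLAN, because it is the path for HSRP hellos and for any VLAN whose access uplink RPVST+ has blocked; pruning it breaks failover in a way that only shows up during an outage. And the VLAN allowed list on the access trunks is where the "trunking all VLANs everywhere" mistake from later in this page is prevented, so set it deliberately on both ends of every Port-channel.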
When to break the rules
The pure three-tier model is a starting point, not gospel. Real reasons to deviate:
- Small enough that 2-tier is sufficient. Don’t pay for boxes you don’t need.
- Data center spine-leaf is a different paradigm (Clos topology) — not three-tier. Used in DCs because east-west traffic dominates.
- SD-Access fabric flattens it — leaf switches form a fabric and DNAC handles intent. Same physical layers, very different control plane.
- Modern campus with VSS / StackWise Virtual essentially collapses dist+access into a logical pair, removing STP entirely.
Common mistakes
- Running user ports off the core. Putting ten users on core ports turns the core into an access switch. Failures and config changes now risk the whole network.
- No FHRP at distribution. One distribution switch reload = one outage. Always run HSRP / VRRP between the pair.
- Trunking all VLANs everywhere. Each VLAN should only be trunked where it’s needed. Permit-all on the trunk allowed list = broadcast amplification.
- Single access uplink. Cheap to dual-home access switches. Don’t skimp here — single-link failure isolates 24–48 users.
- Skipping route summarization at distribution. Every access subnet floods into the core’s RIB. Wasteful. Summarize.
- Multiple roles in one box. “Core/distribution/access combo switch” is a price-driven design for SMB — fine if you know what you’re trading off. Not fine as an enterprise default.
- Designing for current size only. Build for 3× current host count. Refit costs more than overprovisioning.
- Mixing campus design and DC design. A campus is hierarchical because most traffic is north-south. A DC is spine-leaf because most traffic is east-west. Don’t apply one’s pattern to the other.
Lab to try tonight
- In CML/EVE-NG, build a 2-tier campus: 2 core switches, 3 access switches, 2 hosts each.
- Cores are L3 switches with SVIs Vlan10 and Vlan20. HSRP between them.
- Access switches are L2 only. Dual-homed to both cores via EtherChannel + RPVST+.
- PortFast + BPDU Guard on user ports.
- Test failures: shut one core’s interface. Watch traffic continue via the surviving core.
- Reload an access switch. Observe affected ports go down but neighbor switches unaffected.
- Now expand to a 3-tier: add 2 dedicated core switches that the existing “core” pair (now distribution) connects into.
- Bonus: enable route summarization between distribution and core: area 0 range 192.168.0.0 255.255.252.0.
- Bonus: convert to StackWise Virtual (if your simulated switches support it). Compare convergence on a failure.
Cheat strip
| Layer | One-line job |
|---|---|
| Access | User ports. L2. PortFast + BPDU Guard. PoE. 802.1X. |
| Distribution | Aggregation + L3 boundary + policy. SVIs + FHRP. Always pair. |
| Core | Highest-speed transit. No users, no policy. Always pair. |
| Two-tier (collapsed core) | Acceptable for small/mid sites. Distribution + core merged. |
| Three-tier | Default for large enterprises. Each layer = one job. |
| Dual-home pattern | Access → both dists; dist pair → both cores; cores fully meshed |
| Routed access | Push L3 to access — modern alternative, faster convergence |
| StackWise Virtual / VSS | Pair of physical switches behaving as one logical box — removes STP between layers |
| Where SVIs live | Distribution (default) or access (routed access designs) |
| Where features live | Memorize the table above — comes up on CCNA constantly |