PAVEL GLUKHIKH

Reference Architecture

Secure Enterprise Campus Network

Reference architecture for a zoned campus and datacenter network: L3 core, firewall placement, NAC admission, and an isolated management plane.


Design summary

A secure enterprise campus network is a zoned L3 design where user access, datacenter workloads, and network management each live behind their own enforcement points. This reference architecture covers a collapsed-core campus feeding a firewalled datacenter block, 802.1X admission at the access edge, and a fully out-of-band management plane. By the end you will know where the firewalls belong, which traffic they should and should not see, and the operational decisions that keep the design workable at 500 to 10,000 users.

Component stack

  • L3 core switch pair (VSS/StackWise Virtual or MLAG)
  • OSPF or IS-IS for campus IGP
  • Zone-based firewall cluster (active/active)
  • 802.1X NAC with RADIUS (ISE/ClearPass-class)
  • Out-of-band management switch fabric
  • Jump hosts / PAM for device administration
  • NetFlow/IPFIX collection at core and firewall
  • Centralized syslog + config backup (RANCID/Oxidized-class)

Purpose and requirements

This is the campus-plus-datacenter design I reach for when an organization of 500 to 10,000 users needs a network that contains an intrusion instead of transporting it. It assumes a headquarters campus (one to three buildings), an on-prem or colo datacenter block, and internet/WAN connectivity — the shape of most mid-size enterprises and most of the accounts I have led.

A network that cannot contain an intrusion is just fast transport for the attacker.

Requirements it is built to meet:

  • Containment. A compromised workstation must not have a routed path to identity infrastructure, backups, or device management.
  • Admission control. Devices are authenticated before they get network access, not after they start misbehaving.
  • Operability. Firewall rules only where they buy risk reduction; the core stays a fast, boring router.
  • Survivable management. The network remains administrable when the production data plane is degraded or actively hostile.

Topology

                        Internet / WAN
                              |
                    +------------------+
                    |  Edge FW cluster |---- DMZ (proxies, mail edge, VPN)
                    +------------------+
                              |
                    +------------------+
                    |   L3 CORE pair   |  OSPF, no stateful inspection
                    +---+---------+----+
                        |         |
        +---------------+         +----------------+
        |                                          |
+---------------+                        +------------------+
| Campus dist.  |                        |  DC FW cluster   |
| (per building)|                        +------------------+
+---------------+                                 |
   |    |    |                          +-------------------+
 Access switches                        |  DC distribution   |
 802.1X + MAB                           +----+---------+----+
   |    |    |                               |         |
 Users, printers,                      App servers   RESTRICTED
 phones, Wi-Fi APs                     (per-VLAN)    (AD, PKI, backup)

 ................ OOB MGMT FABRIC (no route to production) .............
 :  Console servers -- mgmt switch -- jump hosts (MFA) -- admin VLAN   :
 :.....................................................................:

Traffic rules the diagram implies: user-to-user stays in the campus blocks, user-to-app crosses the DC firewall, nothing initiates from user space into Restricted, and the management fabric is reachable only through the jump hosts.

Component roles

L3 core. A pair of chassis or fixed switches running as one logical device (StackWise Virtual, VSS, or MLAG). It routes between distribution blocks and the DC firewall — nothing else. No ACL sprawl, no stateful features, no services. Core failures should be link-level and self-healing via the IGP.

Campus distribution and access. Each building gets a distribution pair; access switches uplink to both. The L2/L3 boundary sits at distribution, so a broadcast storm dies inside one building. Access ports run 802.1X with MAB fallback for the printers and badge readers that will never speak EAP; the RADIUS policy assigns VLAN and downloadable ACL, which means a quarantine decision is a policy change, not a truck roll.

Edge firewall cluster. Terminates internet and WAN, fronts the DMZ, and enforces egress policy. Egress filtering is the underrated half: blocking outbound server-initiated traffic to arbitrary destinations breaks most C2 channels for free.

Datacenter firewall cluster. The workhorse. Every user-to-server flow and every crossing into the Restricted enclave passes through it. This is a separate cluster from the edge — different rule lifecycle, different failure domain, and it keeps a DDoS at the edge from starving inspection capacity for internal flows.

Restricted enclave. Domain controllers, PKI, privileged access infrastructure, and backup systems, each in their own VLAN behind the DC firewall with a default-deny posture. Domain controllers reachable from every VLAN are the standard ransomware on-ramp; this enclave exists to close it. The reasoning follows the zone model in my segmentation article.

Out-of-band management fabric. A small, physically separate switch layer connecting device management ports and console servers. Admission is through jump hosts with MFA; production has no route in. When I ran networks at a petrochemical plant, OOB console access was the difference between fixing a bad change in ten minutes and driving in at 2 a.m. — it earns its cost the first time the data plane takes management down with it.

Security model

The design enforces four boundaries, each with a distinct mechanism:

  Boundary              | Mechanism                                | Default posture
  ----------------------+------------------------------------------+---------------------------------
  Device → network      | 802.1X/MAB + RADIUS policy               | Authenticate before admission
  User zone → DC        | DC firewall                              | Explicit app flows only, logged
  Anything → Restricted | DC firewall, per-VLAN policy             | Deny by default, alert on deny
  Anything → Management | Physical/VRF separation + jump host MFA  | No route from production

Layered on top: NetFlow from core and firewalls into the SIEM for east-west visibility, RADIUS accounting as the device-to-port audit trail, and firewall deny logs from the Restricted boundary treated as detection signal rather than noise. Identity-aware policy (user-ID on the DC firewall) is worth enabling early — it makes rules survive re-IP events and makes incident scoping dramatically faster, a point I expand on in identity-first security.
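As an added example (not code from the original article), here is the triage logic the boundary table implies, run over a few constructed deny-log lines: denies that cross into the Restricted enclave or the management fabric become alerts with a per-source count, while user-to-app denies are counted as rule-tuning noise. The zone prefixes, the key=value log format and the sample lines are all assumptions constructed for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed zone map for the reference topology; the prefixes are assumptions, not from the article.
ZONES = {
    "user": ["10.10.0.0/16"],
    "dc-app": ["10.20.0.0/16"],
    "restricted": ["10.30.0.0/24", "10.30.1.0/24", "10.30.2.0/24"],  # AD, PKI, backup VLANs
    "mgmt": ["10.99.0.0/24"],
}
ZONE_NETS = [(ipaddress.ip_network(n), z) for z, nets in ZONES.items() for n in nets]
# Constructed key=value log format; real firewalls differ, so adapt the regex to yours.
LOG_RE = re.compile(r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
                    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)")
def zone_of(ip):
    """Map an address to its zone, or 'unknown' when it matches no prefix."""
    addr = ipaddress.ip_address(ip)
    return next((z for net, z in ZONE_NETS if addr in net), "unknown")
def parse_line(line):
    """Return the event fields tagged with src/dst zones, or None if the line does not parse."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["src_zone"], ev["dst_zone"] = zone_of(ev["src"]), zone_of(ev["dst"])
    return ev
def triage(lines):
    """Return (alerts, per-source alert counts, noise count) for the deny events in lines."""
    alerts, alert_sources, noise = [], Counter(), 0
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["action"] != "deny":
            continue
        if ev["dst_zone"] in ("restricted", "mgmt"):  # the boundaries the table says to alert on
            alerts.append(f"{ev['src']} ({ev['src_zone']}) -> {ev['dst']} ({ev['dst_zone']}) "
                          f"{ev['proto']}/{ev['dport']}")
            alert_sources[ev["src"]] += 1
        else:
            noise += 1  # user->app denies are rule-tuning work, not detection signal
    return alerts, alert_sources, noise
# Constructed sample lines in the format above (timestamps, hostnames and addresses made up).
SAMPLE_LOGS = [
    "2024-05-01T10:00:01 dcfw01 action=deny src=10.10.4.23 dst=10.30.0.10 proto=tcp dport=445",
    "2024-05-01T10:00:02 dcfw01 action=deny src=10.10.4.23 dst=10.30.0.10 proto=tcp dport=389",
    "2024-05-01T10:00:03 dcfw01 action=allow src=10.10.4.23 dst=10.20.1.5 proto=tcp dport=443",
    "2024-05-01T10:00:04 dcfw01 action=deny src=10.10.7.8 dst=10.20.1.9 proto=tcp dport=8080",
    "2024-05-01T10:00:05 dcfw01 action=deny src=10.20.1.5 dst=10.30.2.4 proto=tcp dport=22",
]
```

Calling triage(SAMPLE_LOGS) yields three alerts (two from the same user host, one app-server-to-backup attempt) and one noise event.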

Tradeoffs

  Decision                                                  | What you gain                                    | What it costs
  ----------------------------------------------------------+--------------------------------------------------+---------------------------------------------------------------
  Stateless core (no core firewall)                         | Line-rate east-west, simple failure modes        | Campus-internal flows uninspected; rely on NAC + host controls
  Separate edge and DC firewall clusters                    | Independent failure domains and rule lifecycles  | Two clusters to license, patch, and audit
  802.1X with MAB fallback                                  | Admission control at the port                    | RADIUS becomes tier-0; MAB list needs curation
  Physically separate OOB fabric                            | Management survives data-plane compromise        | Dedicated hardware, cabling, and a second credential path
  Collapsed core (core = DC distribution) at smaller scale  | Fewer boxes, lower cost                          | One failure domain for campus and DC routing
  Per-building distribution pairs                           | Contained L2 domains                             | More devices than a flat stack; IGP design required

Scaling and variations

Down to ~200 users: collapse core and distribution into one switch pair and run the DC firewall on the same cluster as the edge with strict zone separation. Keep the OOB path even if it is just a console server and an LTE gateway — small networks lose management access in outages just as thoroughly as large ones.

Up past 10,000 users or multiple large sites: the collapsed campus core becomes a routed spine, each building becomes a leaf block, and the DC block migrates toward a proper leaf-spine with VXLAN/EVPN if virtualization density demands it. WAN sites replicate the pattern in miniature: local user zone, local firewall, Restricted stays centralized.

Wireless-heavy estates: treat Wi-Fi as another access method into the same policy model — same RADIUS, same VLAN/ACL assignment logic. A separate “wireless zone” with its own rules is a parallel policy universe you will fail to keep synchronized.

Multi-site resilience: if the datacenter block needs a second site, the zone model must replicate exactly, including the Restricted enclave — a DR site with a flatter network is where attackers wait out your incident response.

Operations notes

  • Config management is part of the architecture. Every device backs up config nightly (Oxidized or similar), and diffs go to the network team’s channel. Unexplained diffs are incidents.
  • Rule hygiene: every DC firewall rule carries an owner and a review date. A rule base that only grows is a segmentation program in reverse.
  • NAC rollout order: monitor mode network-wide first, then enforce building by building. Track MAB exceptions as an asset list with owners — it is your inventory of the devices that cannot defend themselves.
  • Test the OOB path quarterly. An out-of-band network that has never been used during a drill will not work during an incident.
  • Documentation: the zone diagram, the IGP design, and the “how to reach the console when the core is down” runbook are the three artifacts that must stay current — the approach in network documentation that works covers how to keep them alive rather than archived.

The exit test I hold this design to: an on-call engineer can explain the zone model from memory, and a compromised workstation, fully weaponized, still has no route to the domain controllers, the backups, or the switch management ports. Everything else is refinement.

Firewall vendors and switching fabrics will keep changing. The principle this design encodes — decide where trust ends before you decide where packets go — has not changed since the first flat network transported its first worm, and it will outlast whatever replaces the hardware in this diagram.

Frequently asked questions

Should the firewall sit in the campus core?
No. The core should route, fast and stateless, between campus distribution blocks. Firewalls belong at zone boundaries — the datacenter edge, the internet edge, and in front of restricted enclaves. Putting stateful inspection in the core turns every campus flow into a firewall session and makes the firewall cluster the availability bottleneck for the entire network.

Is 802.1X worth the operational cost?
For wired user ports in any organization handling regulated or sensitive data, yes — it is the only control that decides admission before a device gets an IP address. Start in monitor mode, build the MAB exception list for printers and badge readers, and enforce building by building. Skipping NAC means your segmentation begins one hop too late.

What does an out-of-band management network actually require?
A physically or logically separate switch fabric connected to device management ports, reachable only through hardened jump hosts with MFA. Production VLANs must have no route to it. At minimum: dedicated management VRF, separate credentials, and console servers for the devices you will need when routing is broken.

How many zones should a campus design start with?
Four to six: internet edge/DMZ, user access, server/datacenter, restricted (identity, backups), and management. Granularity beyond that should be earned after the coarse zones are enforceable and the change process works. Twenty-zone designs on day one stall in the firewall change queue.
