Campus LAN Design and Deployment Across Every Major Switching Platform
Multi-CCIE engineers with 25 years of campus switching experience. Fixed-fee SOW on every engagement. We design, migrate, and validate campus LAN infrastructure across Cisco Catalyst 9000, HPE Aruba Networking CX (AOS-CX), Juniper EX, and Extreme Networks Universal Switches — with no vendor bias baked into the recommendation.
25 years of enterprise networking leadership
Multi-CCIE engineering bench
Ekahau Certified Survey Engineer (ECSE)
Minority-owned · Fixed-fee SOW on every project
A campus LAN project fails at the design phase more often than at the install phase. Undersized uplinks, flat VLAN topology, or a PoE budget built around 802.3at when the AP spec sheet calls for 802.3bt — any one of these decisions becomes expensive to fix after conduit is in and switches are racked. WiFi Hotshots designs and deploys campus network infrastructure with a multi-CCIE bench and 25 years of enterprise networking leadership behind every statement of work.
We coordinate wireless access layer design alongside the wired campus build, so the LAN and the WLAN are engineered as one system rather than handed off between separate vendors. Our work extends to structured cabling coordination and independent post-install validation — design through sign-off under one fixed-fee SOW.
Three-Tier vs Collapsed-Core: Choosing the Right Campus LAN Architecture
Architecture selection is the first and most consequential decision in a campus LAN engagement. Per the Cisco Validated Designs Campus LAN and WLAN Design Guide, a collapsed-core topology — where the distribution and core functions run on the same switch stack — is appropriate for single-building environments where east-west traffic stays within one IDF zone. The moment you introduce multiple buildings, inter-building fiber, or WAN handoff diversity requirements, a full three-tier model (access / distribution / core) earns its cost. Collapsing the core in a multi-building campus forces all inter-building traffic through a single logical failure domain, which is exactly the constraint you are trying to engineer out.
We evaluate floor count, building count, projected client density, and application latency profiles before recommending either path. A single 4-story office building with one MDF is a collapsed-core candidate. A 12-building university sub-campus with separate IDFs per floor and a data center interconnect is not. The design deliverable is an architecture diagram and bill of materials tied to that determination — not a generic template.
PoE and Multigigabit Uplinks: Sizing for 802.3bt and Wi-Fi 7
PoE budget mismatches are the most common access-layer mistake we see on inherited campus LAN designs. IEEE 802.3bt defines four PSE types: 802.3af delivers 15.4 W at the PSE, 802.3at (PoE+) delivers 30 W, 802.3bt Type 3 delivers 60 W, and 802.3bt Type 4 delivers 90 W. A Wi-Fi 7 tri-radio access point operating all three radios simultaneously — 2.4 GHz, 5 GHz, and 6 GHz — requires 802.3bt Type 4 for full-radio operation. Deploying those APs on an 802.3at switch is not a minor gap; the AP will power-manage one radio offline, which means the 6 GHz radio the business paid for stays dark. Every campus LAN refresh we scope starts with a PoE power budget worksheet against the client’s actual AP model list, not the switch port count.
The uplink side has the same problem at scale. A 1 GbE uplink from an access switch feeding 48 PoE+ ports — half of them Wi-Fi 6E APs — becomes the aggregate bottleneck well before the radios run out of capacity. IEEE 802.3bz specifies 2.5GBASE-T and 5GBASE-T operation over existing Cat 5e and Cat 6 cabling to 100 meters, which means multigigabit uplinks are often deployable without recabling. Wi-Fi 7 tri-radio APs frequently require 5 GbE or 10 GbE switch ports to avoid wired-side congestion during peak load.
We spec the uplink tier based on the AP model, channel width, and client-density projections — not on what happened to be available in the existing BOM.
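The PoE budget worksheet and uplink sizing described in the two preceding sections can be reduced to three checks: does each device's required PSE type fit the ports, does the summed class power fit the stack's shared budget, and how far is the uplink oversubscribed by the planned device throughput. The script below is an added example (not WiFi Hotshots' worksheet or any vendor's tool) that runs those checks over a constructed IDF. The per-port wattages are the figures from this page; the switch budget, uplink speed, device counts and per-device planning throughput are assumed sample values, and the model labels are placeholders.

```python
"""PoE budget and uplink oversubscription worksheet for one IDF (added example)."""
from dataclasses import dataclass

# PSE power per port by IEEE 802.3 type, in watts, as listed on this page.
# List order is the power ranking: a later type can power any earlier one.
PSE_TYPES = ["802.3af", "802.3at", "802.3bt-type3", "802.3bt-type4"]
PSE_POWER_W = {"802.3af": 15.4, "802.3at": 30.0,
               "802.3bt-type3": 60.0, "802.3bt-type4": 90.0}


@dataclass(frozen=True)
class Endpoint:
    model: str           # placeholder label; the models below are constructed
    count: int
    required_type: str   # PSE type the device needs for full operation
    peak_mbps: float     # assumed wired-side planning throughput per device


@dataclass(frozen=True)
class AccessSwitch:
    name: str
    port_type: str       # highest PSE type the access ports can deliver
    poe_budget_w: float  # shared PoE budget of the whole stack (assumed)
    uplink_gbps: float   # aggregate uplink bandwidth toward distribution


def port_shortfalls(switch, endpoints):
    """Models whose required PSE type exceeds what the access ports deliver.

    This is the per-port failure mode the text describes: the device boots
    but sheds load, e.g. a Wi-Fi 7 AP leaving its 6 GHz radio dark.
    """
    max_rank = PSE_TYPES.index(switch.port_type)
    return [e.model for e in endpoints
            if PSE_TYPES.index(e.required_type) > max_rank]


def power_required_w(endpoints):
    """Worst-case PSE draw if every device negotiates its full class."""
    return sum(PSE_POWER_W[e.required_type] * e.count for e in endpoints)


def uplink_oversubscription(switch, endpoints):
    """Ratio of summed device planning throughput to uplink capacity."""
    demand_mbps = sum(e.peak_mbps * e.count for e in endpoints)
    return demand_mbps / (switch.uplink_gbps * 1000.0)


def plan_idf(switch, endpoints):
    """Run all three checks and return a findings dict for the IDF."""
    required = power_required_w(endpoints)
    return {
        "idf": switch.name,
        "port_shortfalls": port_shortfalls(switch, endpoints),
        "power_required_w": round(required, 1),
        "power_budget_w": switch.poe_budget_w,
        "budget_ok": required <= switch.poe_budget_w,
        "oversubscription": round(uplink_oversubscription(switch, endpoints), 2),
    }


# Constructed sample: an inherited 802.3at stack with one 10 GbE uplink that
# is now expected to carry a Wi-Fi 7 AP refresh plus the existing phones.
SAMPLE_SWITCH = AccessSwitch("IDF-2B", "802.3at", poe_budget_w=740.0, uplink_gbps=10.0)
SAMPLE_ENDPOINTS = [
    Endpoint("wifi7-triradio-ap", count=24, required_type="802.3bt-type4", peak_mbps=2500.0),
    Endpoint("ip-phone", count=24, required_type="802.3af", peak_mbps=100.0),
]

if __name__ == "__main__":
    for key, value in plan_idf(SAMPLE_SWITCH, SAMPLE_ENDPOINTS).items():
        print(f"{key}: {value}")
```

On the constructed IDF the worksheet flags the APs as a per-port type shortfall, reports roughly 2.5 kW of worst-case class power against a 740 W budget, and shows the single 10 GbE uplink oversubscribed at about 6:1. Swapping in an 802.3bt Type 4 stack with a larger budget and multigigabit uplinks clears the first two findings, which is the point of running the worksheet against the AP model list before the BOM is fixed.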
StackWise Options: 480, 1T, and StackWise Virtual
Cisco Catalyst access and distribution stacking comes in three distinct configurations, and choosing the wrong one is a support problem waiting to happen. StackWise-480 provides 480 Gbps of stack bandwidth across up to 8 Catalyst 9300 switches — appropriate for dense access closets where aggregate port count matters more than per-port throughput headroom. StackWise-1T scales to 1 Tbps and is exclusive to the Catalyst 9300X; the platform difference matters because the 9300X supports higher-density mGig port cards that the base 9300 does not.
StackWise Virtual (SVL) is a separate architecture altogether: exactly two Catalyst 9500 or 9400 chassis presented as one logical switch, with dual-active detection required to prevent split-brain during link failures. SVL is the right choice at the distribution or core tier where chassis-level redundancy matters. Mixing these three models in a single-campus design without understanding the operational differences between a physical stack and an SVL pair is how you end up with a support ticket during a maintenance window.
Campus LAN Security: 802.1X, EAP-TLS, and Port NAC
Port-level network access control is where campus LAN security either holds or collapses. 802.1X with EAP-TLS — defined in IETF RFC 5216 — is the strongest authentication path available at the access port. Mutual certificate validation means the switch authenticates the endpoint and the endpoint authenticates the RADIUS server; neither side trusts a PSK or a username-password pair that can be shared. MAB (MAC Authentication Bypass) is appropriate for non-supplicant devices — printers, IP cameras, BACnet controllers, legacy IP phones — but MAB-only deployments on a campus LAN leave the port authentication model entirely dependent on MAC address spoofability. We design NAC policies that layer 802.1X for supplicant-capable endpoints, MAB for known non-supplicants with static MAC registration, and profiling-based VLAN assignment so that a device that doesn’t match its expected profile lands in a quarantine VLAN rather than the production segment.
RADIUS infrastructure selection, certificate authority design, and ISE or Aruba ClearPass policy model are all in scope for a campus LAN engagement. We have deployed network security architecture including 802.1X NAC across healthcare campuses requiring HIPAA-compliant VLAN isolation, financial trading floors with per-desk port authentication, and K-12 districts where Chromebook certificate enrollment runs through Google Workspace device policies. The access layer is where the security policy is enforced — designing the switch config without the security model produces a campus LAN that passes packets but doesn’t control who sends them.
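The layered NAC policy described above (EAP-TLS for supplicants, MAB only for statically registered non-supplicants, and profile mismatch landing a device in quarantine) is easiest to reason about as a single authorization decision. The following is an added example written for this page, not a WiFi Hotshots deliverable and not Cisco ISE or Aruba ClearPass policy syntax: it models that decision as a function over a constructed MAC registry and profiler result. VLAN ids, MAC addresses and profile names are assumed sample values, and the choice to quarantine a supplicant that fails EAP-TLS rather than fall back to MAB is this example's policy, not a claim about the page's deployments.

```python
"""Layered port-NAC authorization decision (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed VLAN ids for the example.
PRODUCTION_VLAN = 100
IOT_VLAN = 200
QUARANTINE_VLAN = 999

# Static MAC registration for known non-supplicants, keyed by normalized MAC
# and holding the profile the device is expected to present. Constructed
# entries; in production this comes from the RADIUS/NAC endpoint database.
KNOWN_NON_SUPPLICANTS: Dict[str, str] = {
    "00:11:22:33:44:55": "printer",
    "00:11:22:33:44:66": "ip-camera",
    "00:11:22:33:44:77": "bacnet-controller",
}


@dataclass(frozen=True)
class AuthEvent:
    mac: str
    eap_tls_ok: Optional[bool]   # True/False from 802.1X; None = no supplicant
    observed_profile: str        # profiler result (e.g. DHCP/LLDP fingerprint)


@dataclass(frozen=True)
class Decision:
    vlan: int
    method: str
    reason: str


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, aa-bb-..., or aabb.ccdd.eeff; return colon form."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(event: AuthEvent, registry: Dict[str, str] = KNOWN_NON_SUPPLICANTS) -> Decision:
    """Return the VLAN and the reason for one port authentication event.

    Order of evaluation mirrors the layered design: 802.1X first, MAB only
    for registered MACs, and profiling as the check on MAB's weakness.
    """
    mac = normalize_mac(event.mac)

    if event.eap_tls_ok is True:
        return Decision(PRODUCTION_VLAN, "802.1X/EAP-TLS",
                        "mutual certificate authentication succeeded")
    if event.eap_tls_ok is False:
        # A supplicant answered and was rejected: this example's policy is to
        # quarantine rather than let a registered MAC rescue the session.
        return Decision(QUARANTINE_VLAN, "802.1X/EAP-TLS", "certificate rejected")

    # No supplicant: MAB path, restricted to statically registered devices.
    expected = registry.get(mac)
    if expected is None:
        return Decision(QUARANTINE_VLAN, "MAB", f"{mac} is not registered")
    if expected != event.observed_profile:
        # The MAC is known but the device behind it does not look like the
        # registered device; this is the MAC-spoofing case profiling catches.
        return Decision(QUARANTINE_VLAN, "MAB",
                        f"profile mismatch for {mac}: expected {expected}, "
                        f"observed {event.observed_profile}")
    return Decision(IOT_VLAN, "MAB", f"{mac} matches registered profile {expected}")


if __name__ == "__main__":
    for ev in (AuthEvent("00:11:22:33:44:55", None, "printer"),
               AuthEvent("00-11-22-33-44-55", None, "workstation"),
               AuthEvent("aa:bb:cc:00:00:01", True, "workstation")):
        print(authorize(ev))
```

The second sample event is the case the text warns about: a registered printer MAC presented by a device that profiles as a workstation. Without the profile check it would have been authorized into the IoT segment on MAC alone; with it, the port lands in the quarantine VLAN and the reason string gives the operations team something to investigate.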
Campus Fabric Options: SD-Access, EVPN/VXLAN, and Mist Wired Assurance
Campus fabric overlays are not required on every campus LAN, but when scale or policy automation justifies one, the platform choice has significant operational consequences. Cisco SD-Access uses LISP for control-plane endpoint mobility and VXLAN for the data-plane overlay, managed through Catalyst Center. That combination requires DNA-Advantage licensing — the Essentials tier does not include the fabric provisioning workflows. SD-Access is the right answer when a Cisco-primary campus needs automated macro-segmentation, scalable group policy (SGT-based), and a single-pane orchestration model.
EVPN/VXLAN over native switching — supported on Aruba CX, Juniper EX, and Cisco Nexus in campus roles — is the multi-vendor path that does not lock the design to one vendor’s management plane. For organizations already running Juniper Mist for wireless, Mist Wired Assurance extends the same AI-driven assurance and telemetry to the wired campus without introducing a separate management system. We design for the operator’s 5-year platform roadmap, not for the easiest vendor quote.
A current switch inventory, IDF/MDF diagram, and port-count estimate give us everything needed to scope the work. Most engagements are scoped and quoted within two business days.
Frequently asked questions
How do you handle spanning-tree migration when introducing a new distribution or core layer?
The distribution and core cutover sequence defines the risk. We migrate spanning-tree root election to the new platform before touching any access layer — typically converting from PVST+ to MSTP (IEEE 802.1s) during the same window to reduce per-VLAN protocol overhead at scale. Every cutover uses a documented rollback procedure; our change-control standard sets a two-hour maximum recovery window for distribution and core work. We validate with live traffic checks at each stage; the engagement does not close until convergence timers and MAC address table population confirm stability across all VLANs.
What does the campus LAN deliverable package include beyond a device count and BOM?
The deliverable set covers Layer 2 topology diagrams (access/distribution/core), VLAN and trunking design in Visio or AutoCAD format, 802.1X Network Access Control policy mapped to Cisco ISE or Aruba ClearPass as applicable, uplink sizing calculations (10GbE, 25GbE, 50GbE, and 100GbE; 400GbE noted at campus core-to-backbone where applicable), PoE budget per IDF (including 802.3bt Type 3/60W and Type 4/90W class sizing for Wi-Fi 7 APs and USB-C endpoints), and a phased cutover runbook. For Catalyst 9000 deployments, we include a Cisco Catalyst Center site hierarchy and template configuration. Switch configurations are provided as validated, deployment-ready CLI or RESTCONF payloads.
When does a campus LAN refresh require a BGP edge design rather than pure Layer 2 aggregation?
Any campus with multiple WAN or MPLS handoffs, an SD-WAN underlay requiring route redistribution, or a BGP EVPN/VXLAN fabric overlay is a BGP candidate. We implement eBGP at the campus edge or core — for WAN/MPLS multi-homing, SD-WAN underlay route redistribution, or BGP EVPN/VXLAN fabric deployments — on Cisco IOS-XE, AOS-CX, or Juniper Junos. Internal campus routing in those designs uses OSPF or IS-IS as the IGP underlay. For smaller campuses without those constraints, OSPF Area 0 with HSRP or VRRP gateway redundancy is usually the right trade-off between operational simplicity and resilience.
When should a campus redesign move to SD-Access or a BGP EVPN/VXLAN fabric instead of a traditional three-tier hierarchy?
SD-Access (Cisco LISP/VXLAN overlay with Catalyst Center automation and ISE policy) is the right path when the organization needs policy-follows-user segmentation at scale — group-based access control without per-VLAN ACL sprawl. BGP EVPN/VXLAN campus fabric (open-standards, supported on Catalyst 9000, Aruba CX, and Juniper EX) fits environments that want the same host-mobility and segmentation benefits without a proprietary management dependency. Traditional three-tier (access/distribution/core with OSPF or MSTP) remains appropriate for stable, low-change campuses where the operational team is STP-fluent and scale does not exceed a single-IGP domain. We scope all three models in the initial design phase, with access-port multigigabit (802.3bz 2.5G/5G) sizing included when a Wi-Fi 6E or Wi-Fi 7 AP refresh is concurrent.

