Campus LAN design and deployment across every major switching platform

A collapsed-core merges distribution and core functions into one switch pair — the right answer for a single-building site with fewer than four distribution nodes, because the architectural cost of a dedicated core layer outweighs the benefit at that scale.

A three-tier design adds a dedicated high-speed core layer for multi-building campuses with four or more distribution pairs, inter-building fiber, or a requirement for non-blocking east-west traffic between distribution domains.

The core in a three-tier design carries zero policy; its only job is to move packets at silicon speed.

Per the Cisco Campus LAN and WLAN Design Guide, the three-tier threshold is approximately four distribution pairs — below that number, collapsed-core is operationally simpler and cheaper.

Wi-Fi 7 tri-radio APs — all three radios (2.4, 5, 6 GHz) active, with 90 W USB-C downstream for a co-located sensor — typically require 802.3bt Type 4, which is 90 W at the switch port and 71.3 W guaranteed to the powered device.

Before specifying switches, always verify the AP’s power class on the vendor datasheet; a Wi-Fi 6E AP with only two active radios may run on 802.3bt Type 3 (60 W PSE / 51 W PD) but a Wi-Fi 7 AP with full-radio operation and PoE downstream will require Type 4.

The rule: sum of worst-case per-port draw cannot exceed PSU nameplate minus 20% headroom.

A single-PSU chassis in a 48-port Wi-Fi 7 closet is the most common PoE budget mistake we see; always budget dual PSUs on PoE-dense access closets.

Best practice is 802.1X on every access port — wired and wireless. A wired port without 802.1X allows any device plugged into an unused wall jack to bypass NAC entirely, which defeats the segmentation and zero-trust posture the NAC exists to enforce. Use EAP-TLS (mutual X.509 certificate authentication per IETF RFC 5216) as the primary method on user-facing ports.

MAB (MAC Authentication Bypass) is a fallback for devices that cannot run a supplicant — printers, older medical devices, IoT sensors — and should be scoped as an exception policy for an enumerated device class with profiling and anomaly detection enabled in the NAC (Cisco ISE Profiler, Aruba ClearPass Device Insight, Mist Access Assurance).

MAC addresses are trivially spoofed; MAB alone is not authentication.

Yes. IEEE 802.3bz defines 2.5GBASE-T and 5GBASE-T over Cat 5e or Cat 6 at up to 100 meters — no recabling required in most campuses.

The minimum access port speed for a Wi-Fi 6E AP is 2.5 GbE; a dense Wi-Fi 7 block is better served by 5 GbE or 10 GbE per AP port to accommodate the real-world aggregate throughput per AP (typically 3-6 Gbps with a diverse client mix).

Confirm cable-plant channel test results (ANSI/TIA-568.2-D) before committing to the higher speed — excessive crosstalk or a marginal run length can limit the achievable data rate.

Where the cable plant is older than 2008 or has never been certified, the cabling audit is scoped as a parallel workstream in the same fixed-fee SOW.

Fabric overlay (SD-Access or EVPN-VXLAN) earns its cost above approximately 500 endpoints when policy-follows-user segmentation is a requirement — clinical wards with medical-device-per-VLAN isolation, regulated gaming floors, or multi-business-unit corporate campuses that need macro-segmentation between organizational boundaries. Below that threshold, a traditional three-tier design with VRF-Lite segmentation at distribution is operationally simpler, meaningfully cheaper, and does not require Catalyst Center or Aruba Fabric Composer licensing.

Choose SD-Access if you are already Cisco-aligned and have Catalyst Center Advantage (formerly DNA Advantage) licensing; choose EVPN-VXLAN if multi-vendor fabric is a requirement or if the ops team has BGP expertise; stay traditional if your campus is stable, low-change-rate, and your current segmentation posture is adequate.

Spanning-tree migration is a pre-cutover activity, not a cut-window activity. Before the new distribution pair is brought online, we migrate root election to the new platforms and convert legacy PVST+ to MST (IEEE 802.1s) with documented VLAN grouping. Loop Guard, Root Guard, and BPDU Guard are enabled on every access port that is not an uplink before any access stack is migrated.

The migration runbook documents rollback steps with a defined recovery window — typically two hours for distribution-layer changes.

Stability is validated via live-traffic verification and STP convergence timer confirmation before any production cut advances.

Where the goal is to eliminate spanning-tree entirely, we stage a routed-access migration in parallel — access switches terminate Layer 3 at the top-of-rack with OSPFv2 or EIGRP to distribution, and STP disappears below distribution.

Every engagement produces: Layer 2 and Layer 3 topology diagrams with native source files; VLAN and trunking design worksheet; 802.1X NAC policy including EAP-TLS enrollment, RADIUS policy set, MAB exception enumeration, and downloadable ACL specifications; uplink sizing calculations per closet and per distribution-pair; PoE budget worksheet with 802.3bt Type 3/4 sizing and dual-PSU verification;

phased cutover runbook with closet-by-closet pass/fail criteria and rollback procedures; deployment-ready switch configurations in Ansible or controller backup format; and a post-migration validation report with as-built inventory, link error rate baselines, 802.1X authentication success rate baselines, and end-to-end throughput verification.

The document set is the same whether the platform is Cisco, Meraki, Aruba, Juniper, or Extreme.

Documentation belongs to the client and is formatted for a 7-10 year shelf life.

Every engagement is priced as a fixed-fee SOW — we do not bill hourly. Scope variables that drive the fee: number of buildings, number of IDFs, number of switch ports across access/distribution/core, PoE density, platform (Cisco Catalyst, Meraki MS, Aruba CX, Juniper EX, Extreme), fabric scope (traditional vs. SD-Access vs. EVPN-VXLAN), NAC scope (greenfield vs. migration from an existing ISE/ClearPass deployment), and whether post-migration validation and an independent validation report are in scope.

We return a written SOW quote within three business days of the scoping call of receiving switch inventory and a scope description.

Send switch inventory to sales@wifihotshots.com or call (844) 946-8746.

No engagement begins without the client signing off on the fixed-fee price first.

Segment by role: Catalyst 9300 at the access layer, Catalyst 9500 where two fixed aggregation nodes are enough, Catalyst 9600 when slot density and dual-supervisor HA are required at the core. The 9300 is the stackable access platform (up to 8-member stack, PoE/PoE+/UPOE/UPOE+, 1760 Gbps standalone and 14 Tbps stacked).

The 9500 is Cisco’s fixed enterprise core and aggregation platform (9500X reaches 12.8 Tbps full duplex).

The 9600 is the modular 6-slot chassis with up to 25.6 Tbps switching capacity and 6.4 Tbps per slot.

All three run IOS-XE and support the same open standards (802.3bt, 802.3bz mGig, 802.1AE MACsec, 802.1X), so differentiation is chassis form factor and scale, not feature set.

The 9300X adds StackWise-1T and UPOE+ when access-layer 90 W PoE is required.

Our campus LAN design team spec-sheets each platform against closet density before issuing a fixed-fee SOW.

Both are stackable 48-port access switches with 802.3bt PoE, but the stacking math differs. Catalyst 9300 stacks up to 8 members via StackWise-480 (480 Gbps) or StackWise-1T (1 Tbps on 9300X).

Aruba CX 6300 stacks up to 10 members via VSF, with four built-in uplinks at 10/25/50/100 GbE providing 200 to 400 Gbps of stacking throughput per switch. PoE budgets land in the same range: CX 6300 offers 720 W, 1440 W, and 2880 W maximum PoE options; C9300X-48HX-M hits 1690 W with secondary PSU.

Both support MACsec-256 (IEEE 802.1AE-2018) and mGig (IEEE 802.3bz).

The decision usually falls to license model (Aruba Central vs.

Catalyst Center) and SFP/SKU economics. Tall closets that need 8+ switches favor Aruba VSF on member count; StackWise-1T wins on raw backplane. See our structured cabling team for cable-plant validation before finalizing the platform.

Yes. At the data plane they interoperate like any two IEEE 802.1Q/802.3 switches — LACP, trunks, STP/RSTP/MSTP, and OSPF all work. At the management plane they run separate controllers: Meraki dashboard for MS, and CLI, Catalyst Center, or Prime for Catalyst. Meraki’s Cloud Management with IOS-XE path now lets a Catalyst 9200/L/CX, 9300, or 9500 High Performance be managed from the Meraki dashboard while keeping IOS-XE on device.

Two practical patterns emerge.

Federated deployments put Meraki MS at branch or edge for cloud-first operations, with Catalyst 9500/9600 at the core under Catalyst Center for full SD-Access features.

Converted deployments run IOS-XE Catalyst hardware but manage via the Meraki dashboard (requires IOS-XE 17.15.3 or later for device-configuration mode, 17.18.x for cloud-configuration mode). We design both patterns — our managed services team runs either controller.

The EX4400 is Juniper’s access answer to the Catalyst 9300: up to 10-member Virtual Chassis, 802.3bt 90 W PoE, 3,600 W PoE budget on 48XP/48MXP with dual AC PSUs, and 2×100 GbE Virtual Chassis interconnect ports. The EX4400-48MXP exposes 12x100M/1/2.5/5/10G and 36×1/2.5G multigig ports.

The EX4650 is the campus distribution/aggregation answer to the Catalyst 9500: 48×25 GbE SFP28 plus 8×100 GbE QSFP28, 4 Tbps aggregate throughput, and native EVPN-VXLAN to extend fabrics beyond the data center.

The EX4400 fits well when Mist Wired Assurance is already running alongside Wi-Fi on Juniper Mist, or when operational tooling (Junos CLI, Apstra) matters more than SD-Access.

The EX4650 is a natural 9500 alternative for EVPN-VXLAN campus fabrics, particularly multi-vendor builds.

Three distinct Cisco technologies with overlapping names. StackWise-480 is the physical back-panel stack on Catalyst 9300 (non-X) — 480 Gbps ring bandwidth, up to 8 members. StackWise-1T is the high-speed mode on Catalyst 9300X only, running the same SIF ports at 1 Tbps ring bandwidth (C9300X-12Y, 24Y, 48HX, 48TX).

StackWise Virtual (SVL) is the virtual-chassis approach pairing two Catalyst 9500 or 9600 chassis as a single logical switch over standard 10/40/100 GbE EtherChannel links.

SVL replaces legacy VSS from the 6500/6800 era.

On the 9600 with Supervisor 2 (C9600X-SUP-2), SVL can form over a 400 G link.

Toggle between modes with “switch stack-speed high” on the 9300X. Never mix: SVL is always a 2-chassis pair, physical stacking goes up to 8 members. Our engineers size stack vs. SVL against forwarding and HA requirements before issuing a fixed-fee SOW.

All three achieve chassis-level redundancy at the distribution or core layer, but with different control-plane mechanics. Aruba VSX keeps separate control planes on each switch in the pair — each remains independently manageable and upgradeable, enabling rolling ISSU on CX 6400, 8300, 8400, and 10000.

Cisco StackWise Virtual (SVL) merges two switches into one logical control plane via SSO and NSF — a simpler operational model (single IP, single config).

Juniper Virtual Chassis fuses up to 10 switches into a single logical chassis with master/backup/linecard roles.

All three use 802.1AX LACP at the underlay.

The operational delta matters: VSX’s dual-control-plane model wins for zero-impact software upgrades at the core; SVL wins where “one switch to manage” simplicity outweighs staged upgrades. GLBP is often dropped entirely when SVL or VSX is deployed since the FHRP question goes away.

Three-tier (access/distribution/core) remains the dominant vendor-validated pattern for traditional campuses. Spine-leaf with EVPN-VXLAN is becoming the validated choice for new builds at scale or where the design is intentionally fabric-first (Cisco SD-Access, Arista Cognitive Campus, Juniper Mist Wired Assurance, Aruba CX). Three-tier is still correct for small/medium single-building campuses, brownfields with functioning VLAN/HSRP/OSPF designs, and operations teams without EVPN/BGP expertise.

Spine-leaf plus EVPN-VXLAN fits new multi-building campuses planning 10+ year lifecycles, deployments where segmentation volume exceeds practical VLAN scale, and sites already committed to SD-Access, Mist Wired, Aruba ESP, or Arista Cognitive Campus.

Spine-leaf underlay uses BGP (RFC 4271) with BGP EVPN overlay (RFC 7432, RFC 8365) and VXLAN encapsulation (RFC 7348).

The right answer depends on scale and operational team depth, not hype.

VLAN-based segmentation uses 802.1Q plus ACLs plus HSRP — subnets are tied to physical location, policy is hop-by-hop, and scale is bounded by the 4094 VLAN limit.

SD-Access abstracts all of that into a fabric: LISP distributes endpoint identity (control plane), VXLAN encapsulates traffic into Virtual Networks (data plane), ISE assigns Security Group Tags (SGTs), and Catalyst Center provisions via NetConf/RESTCONF. The delta is the policy model, not the underlying transport.

Traditional design reads: “user lands on VLAN 20, VLAN 20 ACL permits subnets X and Y.”

SD-Access reads: “user authenticates to ISE, receives SGT=Contractor, SGT=Contractor is denied to SGT=Finance regardless of switch.” At scale this removes the hop-by-hop ACL maintenance that consumes most legacy campus operations effort.

Requires Catalyst Center licensing. Our network security architects scope SGT policy alongside fabric design.

EVPN-VXLAN belongs in a campus when any of four conditions hold: the design crosses multiple buildings with L2 extension requirements, segmentation scales past practical VLAN counts, the organization already runs EVPN-VXLAN in the data center and wants unified tooling, or multi-vendor is a hard constraint. EVPN-VXLAN is open-standard (RFC 7432, February 2015; RFC 8365, March 2018; VXLAN encapsulation RFC 7348), while SD-Access is Cisco-only.

For small single-building campuses under 500 users, EVPN-VXLAN is overkill — traditional three-tier works.

For 1,000-plus-user multi-building campuses with heavy IoT density or multi-tenant isolation where SD-Access is off the table (budget, multi-vendor, DC-already-EVPN), EVPN-VXLAN in the campus is the modern default.

Juniper EX4650 and Arista 720XP are purpose-built leaf platforms with EVPN control-plane support.

Plan 2.5/5G multigig access ports per AP and aggregate 10 G uplinks per access switch minimum; move to 25 G or 2×10 G per access switch when closet density exceeds 24 Wi-Fi 7 APs. Per IEEE 802.11be-2024 (published 2025-07-22), Wi-Fi 7 specifies at least 30 Gbit/s MAC-SAP throughput using 320 MHz channels and 4K-QAM. Real-world aggregate AP throughput lands at 3-6 Gbps per AP under load.

Worked math: 24 Wi-Fi 7 APs at 4 Gbps real-world equals 96 Gbps aggregate — fits a 2×40 G or 2×50 G uplink with headroom, but a single 10 G uplink bottlenecks immediately. mGig access ports (IEEE 802.3bz) at 2.5/5 G are the new baseline; 1 GbE access ports choke any 4K-QAM Wi-Fi 7 client.

Our wireless engineering team runs AP throughput models from Ekahau survey data before sizing wired uplinks.

Blanket MACsec on every link is overkill for most campuses. MACsec (IEEE 802.1AE-2018, approved September 27, 2018) encrypts Ethernet frames hop-by-hop at wire speed with negligible performance penalty when hardware-accelerated.

Tradeoffs: MKA key management adds operational overhead, cipher suite interoperability requires matching GCM-AES-128 vs. 256 and XPN variants, and some features (port mirroring, mid-path NetFlow) may be limited on encrypted links. Cisco requires Network Advantage license for GCM-AES-256 on Catalyst 9300.

The practical pattern: MACsec on inter-building fiber runs outside physical security, access-to-distribution uplinks in regulated environments (healthcare HIPAA, finance PCI), and any link traversing shared conduit.

On access-port-to-endpoint links, 802.1X plus NAC is usually sufficient — MACsec there is optional and requires endpoint MACsec support that most enterprise PCs do not ship with.

Aruba CX 6200/6300 supports MACsec-256; Juniper EX requires a feature license.

Plan for about 6,000 W of PoE budget plus 20% headroom. Cisco CW9176I Wi-Fi 7 APs require 802.3bt Class 6 (60 W) for full operation; at 802.3at they degrade. 100 APs x 60 W = 6,000 W at the PSE. A Catalyst 9300 stack maxes at 8 physical members.

The C9300X-48HX-M delivers 590 W primary and 1,690 W with secondary PSU, so 4x C9300X-48HX-M with dual 1,900 W PSUs each yields 6,760 W — fits with roughly 11% headroom.

For the recommended 20% headroom, size to 7,200 W — bumping to 5 switches or Platinum PSU upgrades.

StackWise-1T (1 Tbps ring) handles 100-AP aggregate traffic of 300-600 Gbps without strain.

Do not skip the mGig requirement: CW9176I needs a 2.5/5/10 G port (802.3bz), delivered by C9300-48UXM or C9300X-48HX-M. Our engineers ship a PoE/uplink spreadsheet with every fixed-fee SOW.

Yes, but the device list is narrow. Type 4 (90 W) is required for outdoor PTZ cameras with active heating in healthcare entry portals or education parking lots, LED digital signage powered over Ethernet (hospital wayfinding, retail displays), some IoT gateway hubs, and power-pass-through devices where an AP supplies a downstream camera off its own USB-C port.

IEEE 802.3bt-2018 defines Type 3 (60 W) and Type 4 (90 W); vendors expose Type 4 on selected SKUs.

Cisco UPOE+ ports (Catalyst 9300X) deliver 90 W; Aruba CX 6300 offers Class 8 (90 W) per port; Arista 720XP exposes 15-90 W options; Juniper EX4400 provides up to 90 W per port.

Most Wi-Fi 6, 6E, and mid-tier Wi-Fi 7 APs only need Type 3 (60 W).

If the site has no 90 W endpoints in scope, Type 3 UPOE switches are a material cost saving — do not over-specify.

See our AI-ready infrastructure team for high-density design.

Multigig is the correct access-port speed whenever the downstream device (Wi-Fi 6E/7 AP, high-end workstation, PTZ camera) can exceed 1 Gbps. IEEE 802.3bz-2016 (published October 18, 2016) defines 2.5GBASE-T and 5GBASE-T over existing Cat 5e and Cat 6 cabling for 100 m. 2.5GBASE-T runs 100 m on Cat 5e; 5GBASE-T runs 100 m on Cat 6; 10GBASE-T generally needs Cat 6A to 100 m.

Most enterprise closets with Cat 5e or Cat 6 runs can upgrade to 2.5/5 G without rewiring — that is the value proposition of 802.3bz.

Cisco Catalyst 9300-48UXM delivers 48 multigig ports standalone, 448 across an 8-member stack.

Juniper EX4400-48MXP ships 12 ports of 100M/1/2.5/5/10G plus 36 ports of 1/2.5G. 1000BASE-T SKUs remain cheaper but bottleneck any Wi-Fi 7 AP — reserve them for IP phones, printers, and basic cameras.

Three first-hop redundancy protocols with distinct mechanics. HSRP (Cisco-proprietary) has one active router forwarding for a virtual IP, with one or more standbys; sub-3-second failover is typical. VRRP (IETF RFC 5798, March 2010) is functionally similar to HSRP but vendor-neutral; one master, one or more backups; around three-second failover with defaults;

supports IPv4 and IPv6. GLBP (Cisco-proprietary) lets all configured routers forward traffic simultaneously via multiple virtual MACs — load balances first-hop traffic across 2-4 routers.

For multi-vendor campuses, VRRP is the only correct choice since it works Cisco-to-Arista-to-Juniper-to-Aruba.

For all-Cisco builds, HSRP is the legacy default.

GLBP has been deprecated in many modern deployments in favor of SVL or VSX, which eliminate the FHRP question entirely by presenting one logical router. Our design team picks the FHRP based on vendor mix and existing operational tooling.

Each SSE vendor supports tunneling user-bound internet traffic from the campus edge to a cloud PoP. Zscaler accepts GRE or IPsec and recommends GRE where a static IP is available. Palo Alto Prisma Access accepts IPsec only —

GRE is not supported. Cisco Umbrella SIG accepts IPsec, active/backup or active/active via SD-WAN templates. All three use dual-tunnel HA; Prisma Access defaults to DH Group 2 for IKE and IPsec with an 8-hour IKE Phase 1 lifetime.

Campus edge devices (Catalyst 8000, ASR/ISR, or SD-WAN box like FortiGate or Palo Alto) terminate the tunnels.

Critical design rule: user-bound internet uses PBR to the SSE, not the entire default route — corp-to-corp and internal resources must not tunnel through SSE.

Our SD-WAN team scopes the SSE integration alongside the campus WAN edge.

Usually no. TSN is a set of IEEE 802.1 amendments (Qbv, Qbu, AS, Qcc, Qch) adding deterministic low-latency, time-synchronized Ethernet transport. For pro-AV (Dante, NDI, SMPTE 2110), tight PTP (IEEE 1588v2) is typically sufficient — full 802.1Qbv scheduled traffic is overkill except in broadcast studios. Catalyst 9300 supports PTP (IEEE 1588-2008), but full TSN profile support on Cisco is primarily on Industrial Ethernet (IE3x00/IE4000) platforms, not mainline Catalyst 9300.

For industrial campuses (manufacturing, utilities, transit), Cisco’s validated pattern uses TSN on IE3x00 or IE4000 in the Cell/Area Zone with Catalyst 9300 as the distribution switch.

Ask the real question first: do you need bounded latency, or good QoS? 90% of the time the answer is RFC 4594 QoS, not TSN. 802.1Qbv-2015 (published March 18, 2016) and 802.1AS-2020 (published June 19, 2020) are the core standards if TSN is genuinely required.

Each vendor publishes formal lifecycle policies per SKU. Cisco runs End-of-Sale (EoS) to Last-Day-of-Support (LDoS) typically 5 years after EoS — one year of critical bug fixes, then approximately two years of OS software bug fixes.

HPE Aruba runs two software tracks: SSR (Short Supported Release, Initial Release plus 1 year, with End-of-Maintenance and End-of-Support on the same date) and LSR (Long Supported Release, extended window). Juniper publishes EoL Notifications with distinct End-of-Engineering and End-of-Support milestones; EX series ships with Enhanced Limited Lifetime Warranty.

Procurement rule: do not buy switches within 12 months of a rumored or announced EoS — the 5-year LDoS clock starts at EoS.

Watch specific SKU announcements: Catalyst 9300L stack-kit last-day-to-order was November 3, 2025; Aruba CX 6400 earliest EoL is listed as March 1, 2031.

Our engineers pull current EoL notices per SKU at scoping time.

Cisco’s validated brownfield migration pattern is parallel plus incremental. Deploy new Catalyst 9500 or 9600 as border and control-plane nodes in parallel with the existing core. Convert existing Catalyst 9300 access switches to SD-Access fabric edge nodes one closet at a time. Use L2 Border Handoff so endpoints stay in place with the same IP subnets during migration.

Catalyst Center orchestrates IS-IS underlay provisioning, Virtual Network and SGT definition, and policy distribution via NetConf/RESTCONF.

Practical sequence: deploy Catalyst Center and onboard inventory; stand up two 9500 or 9600 as new core/border in SVL pair; build IS-IS underlay to selected 9300 edges; configure L2 Border Handoff so users retain IP; migrate 9300 stacks one closet per night; after 100% fabric, remove L2 Border Handoff and decommission legacy core.

Timeline for a 10-building campus: 6-12 months with weekly closet cutovers.

Our validation testing team verifies each cutover.

Cognitive Campus is Arista’s campus architecture built on three pillars: a highly available EOS network, zero-touch operations through CloudVision with AI/ML assistance (AVA), and zero-trust security via CloudVision AGNI plus MSS. A single EOS binary runs across campus, branch, data center, AI, and WAN. Cisco SD-Access requires DNA-Advantage or Catalyst Center licensing and a LISP plus VXLAN control plane.

Juniper Mist Wired Assurance focuses on access-layer AI with Marvis.

Cognitive Campus leans on open EVPN-VXLAN, NetDL streaming telemetry, and MSS group segmentation that inserts into multi-vendor networks without a proprietary inline tag. Product stack includes 720XP, 722XPM, and 750 series switches, Cognitive Wi-Fi APs, and CloudVision Portal 2024.3.

MLAG bonds two Arista switches into a strict 2-peer pair that downstream devices see as a single LACP peer — “Spanning tree views the MLAG Domain as a single switch and each MLAG as a single port.” VARP layers an active-active L3 gateway on top: both peers simultaneously answer the same virtual IP and share a common virtual MAC, so either switch forwards without traversing the peer-link. VRRP elects one master and one standby; VARP does not, which removes the hairpin penalty.

A VLAN interface supports up to 500 virtual IP addresses.

Unlike Cisco StackWise Virtual on Catalyst 9500/9600 — which merges both chassis into one logical control plane — MLAG keeps control planes independent, so an EOS upgrade only disrupts one peer at a time. Campus STP blocking is eliminated across MLAG links.

Campus Fabric Studio is a CloudVision Portal 2024.3 workflow that builds an entire campus fabric from Arista Validated Designs — “set up and configure a complete campus network using Arista’s validated designs.” Pick L2, L3, or EVPN-VXLAN with an OSPF or eBGP underlay and iBGP overlay, define the spine and leaf topology, and ZTP onboards EOS devices without console touches. Campus Health Dashboard streams real-time telemetry for state visibility.

Access Interface Configuration Studio templates endpoint-facing ports.

Authentication Studio configures RADIUS and 802.1X. Software Management Studio handles EOS image and extension lifecycle. Catalyst Center is Cisco-only and does not bridge to the data center; Aruba Central stays campus-scoped. CloudVision manages campus, branch, DC, AI, and WAN fabrics from one management plane, which collapses tooling sprawl for multi-site enterprises.

MSS is Arista’s zero-trust group-based segmentation, enforced in EOS hardware through an advanced tagging engine that “enables grouping endpoints independent of what VLAN/IP subnet they belong to.” MSS-G tags are switch-local — “tags are internal to a switch and are not shared across the network infrastructure” —

so the architecture inserts into multi-vendor campuses without requiring a proprietary inline tag header. Cisco TrustSec SGT carries the group tag in a CMD header across TrustSec-capable devices only, which locks the design into Catalyst hardware end-to-end.

VLAN plus ACL microsegmentation exhausts TCAM at scale.

MSS enforcement runs wire-speed distributed on the switch itself, or traffic redirects to a third-party firewall for L4-7 inspection. CloudVision auto-tags endpoints by connecting to external identity sources, and the same model runs across campus, branch, and data center on one EOS binary.

A fully populated 2RU Arista 720XP-96ZC2 — 96 multigig RJ45 ports with 4 by 25G and 2 by 100G uplinks — delivers 2,255 W of PoE with 3 redundant PSUs and 3,077 W with 4 PSUs, enough for roughly 33 Wi-Fi 7 APs at 90 W Class 8 draw. The 1RU 720XP-48ZC2 and 24ZY4 land at 1,787 W on dual PSUs; the 722XPM-48ZY8 at 1,835 W; the 722XPM-48Y4 at 1,893 W.

The Catalyst 9300-48UXM dual-1100W configuration is in the same neighborhood.

Every 720XP copper port supports 802.3bt Type 3 (60 W) and Type 4 (90 W). The 722XPM adds wire-speed MACsec on every port. Switching capacity on the 720XP-96ZC2 is 580 Gbps at 1.2 microsecond latency, running the common EOS binary shared with the data center.