1.2 Network Topology Architectures
Key Takeaways
- Three-tier (core, distribution, access) is the classic large-campus design separating speed, policy, and connectivity.
- Two-tier (collapsed core) merges core and distribution and suits small-to-medium campuses to cut cost.
- Spine-leaf gives every leaf an equal-cost path to every other leaf, ideal for east-west data-center traffic.
- SOHO networks usually use one integrated device combining router, switch, AP, and firewall functions.
- On-premises and cloud (IaaS/PaaS/SaaS) are not exclusive; hybrid designs connect them over VPN or dedicated links.
The campus hierarchy
The CCNA expects you to pick the right architecture for a given size and traffic pattern. Cisco's hierarchical model splits responsibilities so each layer scales independently.
Three-tier architecture (large campus)
Access layer
- Connects endpoints: PCs, phones, APs, printers.
- Provides PoE, port security, and VLAN assignment.
- Highest port density, lowest per-port cost.
Distribution layer
- Aggregates access switches and is where policy lives: ACLs, route summarization, QoS marking, and inter-VLAN routing via Layer 3 switches.
- Provides redundancy (first-hop redundancy protocols like HSRP).
Core layer
- High-speed backbone that interconnects distribution blocks.
- The goal is to forward as fast as possible: avoid CPU-intensive features such as ACLs here so nothing slows the backbone.
Two-tier (collapsed core)
When a single building or small campus does not justify a dedicated core, the core and distribution collapse into one layer, leaving an access layer and a combined core/distribution layer. This cuts equipment and cost while keeping a clean hierarchy. It is the most common real-world enterprise design.
Spine-leaf (data center)
Modern data centers carry mostly east-west traffic (server-to-server). The spine-leaf (Clos) fabric solves this: every leaf switch connects to every spine, and leaves never connect to other leaves. The result is predictable latency, because any server reaches any other server in exactly the same small number of hops, and bandwidth scales by adding spines.
SOHO and WAN
A small office/home office (SOHO) typically uses one integrated multifunction device that is router, switch, wireless AP, and firewall in one box. For wide-area connectivity, CCNA covers leased lines, MPLS, broadband/cable, and the Internet as transport for site-to-site VPNs.
On-premises vs cloud
| Model | Who manages it | CCNA example |
|---|---|---|
| On-premises | You own and run all hardware | Campus switches, local servers |
| IaaS | Provider runs hardware; you run OS/apps | Virtual machines in a public cloud |
| PaaS | Provider runs OS/runtime; you deploy code | Managed app platform |
| SaaS | Provider runs everything | Webmail, cloud CRM |
| Hybrid | Mix of on-prem + cloud | DC extended to cloud over VPN |
v1.1 of the blueprint added cloud-based network management and AI/ML awareness, so understand that controllers and analytics increasingly live off-premises while the data plane stays local.
Worked decision example
A company with three buildings, ~2,000 users, and heavy inter-building traffic should use three-tier for scale and fault isolation. A single 200-user office should use two-tier to save cost. A virtualization farm with constant server-to-server replication should use spine-leaf.
WAN and connectivity options
The CCNA wants you to recognize the common ways sites connect across the wide area:
- Leased line (point-to-point): a dedicated private circuit between two sites, predictable bandwidth, higher cost.
- MPLS: a provider Layer 3 service that delivers any-to-any connectivity with QoS guarantees across many sites.
- Broadband/cable/DSL: inexpensive Internet access used as transport for site-to-site VPNs that encrypt traffic over the public Internet.
- Metro Ethernet: a provider Ethernet service connecting metro-area sites at LAN-like speeds.
Many enterprises now layer SD-WAN on top of these transports to steer traffic intelligently and use cheap broadband alongside MPLS.
North-south vs east-west traffic
A design idea the exam tests is the direction of traffic. North-south traffic flows between clients and servers, or out to the Internet; this is the classic campus pattern that the three-tier hierarchy optimizes. East-west traffic flows server-to-server within the data center, and it exploded with virtualization and clustering. Because spine-leaf gives every server an equal, short path to every other server, it is purpose-built for east-west dominance, whereas the hierarchical campus model is tuned for north-south.
Choosing a model: a checklist
- Small single office, tight budget -> two-tier (collapsed core) or even a single SOHO device.
- Large multi-building campus, high availability -> three-tier with redundant distribution and core.
- Virtualization/storage farm with heavy server-to-server traffic -> spine-leaf.
- Burst capacity, global reach, minimal capital outlay -> public cloud (IaaS/PaaS/SaaS) or hybrid.
Common traps
- The core should NOT run ACLs or other slow features; speed is its only job.
- In spine-leaf, leaf-to-leaf direct links do not exist; traffic always traverses a spine.
- Hybrid cloud is a valid answer; the choice is rarely "cloud or on-prem" exclusively.
- Spine-leaf targets east-west traffic; do not assign it to a classic north-south campus question.
Redundancy and high availability
Good topologies build in redundancy so a single failure does not cut service. At the distribution layer, redundant switches run a first-hop redundancy protocol (FHRP) such as HSRP, VRRP, or GLBP to present one virtual gateway IP so endpoints keep working if one switch fails. Access switches dual-home to two distribution switches, and EtherChannel bundles multiple physical links into one logical link for both bandwidth and resilience. The rule of thumb: the higher in the hierarchy a device sits, the more traffic it carries, so the more redundancy it warrants.
A failed core switch can isolate an entire campus, which is why cores are always deployed in pairs.
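To make the spine-leaf, north-south/east-west and redundancy claims above concrete, here is an added model (not part of the original notes, and not Cisco code) that builds a small Clos fabric and a small three-tier campus as graphs, then counts hops and equal-cost paths and removes switches to see what survives. Switch names, building counts and link counts are constructed for illustration.

```python
from collections import deque
from itertools import combinations


def add_link(g, a, b):
    g.setdefault(a, set()).add(b)
    g.setdefault(b, set()).add(a)


def build_spine_leaf(n_spines, n_leaves):
    """Clos fabric: every leaf links to every spine; no leaf-leaf or spine-spine links."""
    g = {}
    for s in range(n_spines):
        for lf in range(n_leaves):
            add_link(g, f"spine{s}", f"leaf{lf}")
    return g


def build_three_tier(buildings, access_per_building):
    """Campus hierarchy (constructed): a redundant core pair, a distribution pair per
    building, and access switches dual-homed to their building's distribution pair."""
    g = {}
    for b in range(buildings):
        for d in ("d0", "d1"):
            for c in ("core0", "core1"):
                add_link(g, c, f"b{b}-{d}")
            for a in range(access_per_building):
                add_link(g, f"b{b}-{d}", f"b{b}-acc{a}")
    return g


def shortest_paths(g, src, dst):
    """BFS with path counting: returns (hop count, number of equal-cost shortest paths),
    or (None, 0) when dst is unreachable. The path count is the ECMP fan-out."""
    dist, count, q = {src: 0}, {src: 1}, deque([src])
    while q:
        u = q.popleft()
        for v in g[u]:
            if v not in dist:
                dist[v], count[v] = dist[u] + 1, count[u]
                q.append(v)
            elif dist[v] == dist[u] + 1:
                count[v] += count[u]
    return dist.get(dst), count.get(dst, 0)


def hop_profile(g, nodes):
    """Set of hop counts over all node pairs; a single value means uniform latency."""
    return {shortest_paths(g, a, b)[0] for a, b in combinations(nodes, 2)}


def without(g, failed):
    """Copy of the topology with the failed switches and all their links removed."""
    return {n: nbrs - failed for n, nbrs in g.items() if n not in failed}
```

With 4 spines and 6 leaves every leaf pair is exactly 2 hops apart with 4 equal-cost paths, and losing a spine only drops the path count to 3; in the campus model access-to-access hops are 2 inside a building and 4 across buildings, and losing one distribution switch plus one core switch still leaves a path.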
Cloud connectivity models
When workloads move to the cloud, the campus still needs a path to them. Options the exam references include a site-to-site VPN over the Internet (cheapest), and a dedicated private interconnect to the cloud provider (lowest latency, highest cost). A hybrid design keeps sensitive data on-premises while bursting compute to the cloud, and the network team must extend addressing, routing, and security policy consistently across both, which is exactly why the v1.1 blueprint added cloud-based network management as a topic.
Review questions
In a spine-leaf data-center fabric, how many switch hops separate two servers attached to different leaf switches?
Which architecture combines the core and distribution layers into a single layer to reduce cost?
Which layer of the three-tier model should avoid ACLs and CPU-intensive features so it can forward as fast as possible?