The Three-Tier Network Architecture
Most commercial buildings use the classic Cisco three-tier (or collapsed two-tier) network architecture: Core, Distribution, and Access layers. Each layer has a specific function:
- Access layer: Where end devices connect — workstations, IP phones, printers, wireless APs, IP cameras. Access switches provide 1 Gbps copper ports, PoE, and port security. Located in each IDF (Intermediate Distribution Frame) closet.
- Distribution layer: Aggregates access switches, enforces inter-VLAN routing policies, applies QoS and ACL policies, and provides uplinks to the core. Distribution switches are typically multilayer (Layer 3) and located in the main equipment room.
- Core layer: The high-speed backbone that interconnects distribution switches and provides connectivity to the internet edge and data center. Core switches must never be the bottleneck: they are high-capacity (40/100 Gbps) switches with redundant paths and sub-second failover.
Smaller buildings (under 50 users) often use a collapsed core architecture where distribution and core functions are combined in a single switch stack.
VLAN Design
VLANs (Virtual Local Area Networks) segment the network into isolated broadcast domains. A well-designed VLAN scheme is foundational to network security and performance. Standard VLANs for a commercial building:
- VLAN 10 — Workstations/Corporate data
- VLAN 20 — Voice (IP phones) — separate from data for QoS
- VLAN 30 — Guest Wi-Fi — isolated from corporate resources
- VLAN 40 — IoT/Building systems (BMS, IP cameras, badge readers)
- VLAN 50 — Servers/Data center
- VLAN 100 — Management (switch management, out-of-band access)
VLANs are defined on the distribution and core switches. Access switches carry them over 802.1Q-tagged trunks to the distribution layer, where inter-VLAN routing occurs on a Layer 3 switch or router.
Spanning Tree and Redundancy
Redundant uplinks between access and distribution switches are essential for high availability. Without Spanning Tree Protocol (STP), redundant links form Layer 2 loops, and the resulting broadcast storms crash the network. Modern networks use Rapid-PVST+ or MSTP (Multiple Spanning Tree Protocol) for fast convergence. For mission-critical facilities, link aggregation (LACP/802.3ad) or switch stacking with StackWise/VSS provides active-active redundancy with no STP blocking.
Routing Protocols
Internal routing between VLANs uses a Layer 3 switch running EIGRP (Cisco proprietary) or OSPF (open standard). OSPF is preferred for multi-vendor environments. The distribution switches peer with the internet edge router for default route distribution. For buildings with multiple sites, BGP connects to the MPLS WAN or SD-WAN overlay.
Wireless Network Integration
Wi-Fi 6 (802.11ax) and Wi-Fi 6E access points require Cat6A horizontal cabling for full 2.5 Gbps uplink speed. APs should be centrally managed through a wireless LAN controller (WLC) or cloud management platform (Cisco Meraki, Aruba Central). AP placement is designed through RF prediction tools (Ekahau, AirMagnet) to achieve -65 dBm minimum RSSI coverage with 15 dB SNR throughout the building.
Network Documentation
Deliver three documents with every enterprise network installation: a logical network diagram (VLAN assignments, IP addressing, routing protocol), a physical network diagram (switch locations, cable paths, port assignments), and an IP address plan (VLAN, subnet, DHCP scope, gateway). These are essential for ongoing network management and troubleshooting.
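The IP address plan (VLAN, subnet, DHCP scope, gateway) can be checked mechanically before handover. The following is an added example, not part of the original article: the VLAN IDs and names follow the scheme above, while the 10.20.x.x subnets, gateways, DHCP ranges and the validate_plan function are assumptions made for illustration.

```python
import ipaddress
from itertools import combinations

# Constructed sample plan. VLAN IDs and names follow the article's scheme;
# subnets, gateways and DHCP ranges are assumptions made for this example.
# The DHCP field is None where addresses are assigned statically.
PLAN = [
    (10, "Corporate", "10.20.10.0/24", "10.20.10.1", ("10.20.10.50", "10.20.10.250")),
    (20, "Voice", "10.20.20.0/24", "10.20.20.1", ("10.20.20.50", "10.20.20.250")),
    (30, "Guest Wi-Fi", "10.20.30.0/23", "10.20.30.1", ("10.20.30.10", "10.20.31.250")),
    (40, "IoT/Building", "10.20.40.0/24", "10.20.40.1", ("10.20.40.50", "10.20.40.250")),
    (50, "Servers", "10.20.50.0/24", "10.20.50.1", None),
    (100, "Management", "10.20.100.0/24", "10.20.100.1", None),
]


def validate_plan(plan):
    """Return a list of human-readable problems found in the address plan."""
    problems = []
    nets = {}
    for vlan, name, subnet, gateway, dhcp in plan:
        if vlan in nets:
            problems.append(f"VLAN {vlan}: duplicate VLAN ID")
            continue
        net = ipaddress.ip_network(subnet)  # raises ValueError if host bits are set
        nets[vlan] = net
        gw = ipaddress.ip_address(gateway)
        usable = gw in net and gw not in (net.network_address, net.broadcast_address)
        if not usable:
            problems.append(f"VLAN {vlan}: gateway {gw} is not a usable host in {net}")
        if dhcp:
            start, end = (ipaddress.ip_address(a) for a in dhcp)
            if start > end or start not in net or end not in net:
                problems.append(f"VLAN {vlan}: DHCP scope {start}-{end} not inside {net}")
            elif start <= gw <= end:
                problems.append(f"VLAN {vlan}: DHCP scope {start}-{end} includes gateway {gw}")
    # Overlapping subnets blur the routed boundary between VLANs, so ACLs
    # written per subnet no longer match the traffic they were meant for.
    for (v1, n1), (v2, n2) in combinations(nets.items(), 2):
        if n1.overlaps(n2):
            problems.append(f"VLAN {v1} ({n1}) overlaps VLAN {v2} ({n2})")
    return problems


if __name__ == "__main__":
    for line in validate_plan(PLAN) or ["plan is consistent"]:
        print(line)
```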