Enterprise IT Network Architecture
An integrated, end-to-end enterprise network — organized as the classic three-tier campus plus data center, security, and services. From the internet edge (dual ISP, DDoS, SD-WAN/MPLS) through the perimeter/DMZ (next-gen firewalls, VPN, load balancing), the redundant core/distribution and access layers, the data-center/server tier (compute, virtualization, SAN, backup/DR), and the enterprise services (AD/DNS, email, ERP, UC, cloud) — plus the management network, VLAN segmentation, defense-in-depth security, and high-availability strategy that tie it together.
Component Reference
Every component in the diagram above, grouped by layer of the enterprise network, with its role and the relevant standard.
WAN / Internet Edge
Internet
The public internet — the untrusted external network reached through the carrier links. All inbound and outbound traffic crosses the perimeter security stack (DDoS scrubbing, next-gen firewalls, DMZ) before touching internal systems.
📘 RFC 1918 / RFC 6598 (address scopes)
DDoS Protection
A DDoS mitigation layer (cloud scrubbing or on-prem appliance) that absorbs and filters volumetric, protocol, and application-layer floods before they saturate the internet circuits, keeping public services available under attack.
📘 NIST SP 800-61 (IR)
ISP 1 / ISP 2 (Edge Routers)
Redundant internet edge routers homed to two independent ISPs for carrier diversity. BGP or SD-WAN policy steers traffic across both links and fails over automatically, eliminating the single-carrier outage as a point of failure.
📘 BGP (RFC 4271)
WAN / SD-WAN
The wide-area network tying sites together. SD-WAN adds an application-aware overlay across internet and MPLS underlays — dynamic path selection, encryption, and centralized policy that lower cost and improve resilience versus traditional WAN.
📘 MEF 70 (SD-WAN)
MPLS
A managed MPLS service providing a private, SLA-backed transport with traffic-engineered paths and QoS classes between major sites. Often retained as the premium underlay for latency-sensitive and voice traffic alongside internet broadband.
📘 RFC 3031 (MPLS)
Remote Sites / Branch Offices
Branch and remote offices connected over the WAN/SD-WAN fabric and secure VPN. Each branch runs a scaled-down version of the campus design and reaches central data-center and cloud services across the encrypted overlay.
📘 IPsec (RFC 4301)
Perimeter / DMZ Layer
Web Server
Internet-facing web servers placed in the DMZ so public requests never reach the internal network directly. Hardened, patched, and reverse-proxied, they serve the organization’s public sites and APIs in an isolated security zone.
📘 NIST SP 800-44 (Web)
Mail Gateway
A secure email gateway in the DMZ that filters spam, phishing, and malware and enforces SPF/DKIM/DMARC before relaying mail to internal mailboxes. The chokepoint for the organization’s most-attacked channel.
📘 DMARC (RFC 7489)
DNS Server (External)
External/authoritative DNS in the DMZ resolving the organization’s public domains. Split-horizon DNS keeps internal records private while presenting only public records outward, with DNSSEC to protect against spoofing.
📘 DNSSEC (RFC 4033)
Reverse Proxy
A reverse proxy / web application firewall that terminates TLS, inspects HTTP, and brokers requests to back-end servers. It hides internal topology, offloads encryption, and adds WAF protection in front of published applications.
📘 OWASP ASVS
Next-Gen Firewall (Primary)
The primary next-generation firewall enforcing the perimeter policy — stateful inspection, application awareness, IPS, and TLS inspection. Defines the zones and conduits between internet, DMZ, and the internal network.
📘 NIST SP 800-41 (Firewalls)
Next-Gen Firewall (HA Pair)
The second firewall of the high-availability pair. Configured active/passive (or active/active) with state synchronization so a hardware or software failure on one unit fails over to the other without dropping sessions.
📘 IEC 62443 (Zones & Conduits)
VPN Gateway
The VPN concentrator terminating remote-access (SSL/IPsec) and site-to-site tunnels. Combined with MFA and posture checks, it extends the trusted network securely to remote workers and branch offices.
📘 IPsec (RFC 4301) / TLS 1.3
Load Balancer
A load balancer distributing inbound connections across server pools with health checking, SSL offload, and session persistence. Provides horizontal scale and removes any single server as a point of failure for published services.
📘 L4/L7 (NIST SP 800-44)
Core / Distribution Layer
Core Switch 1
One of two redundant core switches forming the high-speed Layer-3 backbone of the campus. The core does fast packet forwarding between distribution blocks and the data center, kept simple and resilient with no access ports.
📘 Cisco 3-tier (campus)
Core Switch 2
The paired core switch providing redundancy via stacking, VSS, or MLAG so the two appear as one logical core. Dual paths and sub-second failover keep the backbone available through a switch or link loss.
📘 MLAG / VSS / StackWise
Distribution Switch A
The distribution layer aggregates access switches and is the Layer-2/Layer-3 boundary — inter-VLAN routing, first-hop redundancy (HSRP/VRRP), ACLs, and QoS marking live here, shielding the core from access-layer churn.
📘 HSRP/VRRP (RFC 5798)
Distribution Switch B
The redundant distribution peer providing a second uplink path and active/active gateway redundancy. Paired with Distribution Switch A so any single device or uplink failure leaves the access layer fully reachable.
📘 STP / RSTP (IEEE 802.1w)
Management Network (MGMT)
NMS / Monitoring
The network management system polling devices via SNMP/streaming telemetry for availability, performance, and faults. It is the operational single-pane-of-glass on an isolated management VLAN, separated from production traffic.
📘 SNMPv3 (RFC 3411)
Syslog / SIEM
Centralized syslog collection feeding a SIEM that correlates events across firewalls, switches, servers, and identity systems. The backbone of security monitoring, threat detection, and audit/compliance evidence.
📘 Syslog (RFC 5424)
NetFlow / Analytics
Flow-based analytics (NetFlow/IPFIX/sFlow) giving per-conversation visibility into who talks to whom and how much. Drives capacity planning, anomaly detection, and application dependency mapping without full packet capture.
📘 IPFIX (RFC 7011)
Config Backup
Automated configuration backup and version control for every network device. Enables rapid restore after a failure or bad change, change auditing, and compliance reporting against a known-good baseline.
📘 NIST SP 800-128 (config mgmt)
Access Layer (Campus / Office)
Access Switch 1 (PoE)
A PoE access switch providing the user-facing edge ports for phones, APs, and endpoints. It supplies inline power (PoE/PoE+/PoE++), enforces port security and 802.1X, and assigns access ports to the right VLAN.
📘 PoE (IEEE 802.3af/at/bt)
Access Switch 2 (PoE)
An additional access switch — typically stacked with its peers for single-point management and resilient uplinks. Scales edge port density across the wiring closet while presenting one logical switch to the distribution layer.
📘 802.1X (port auth)
Access Switch n (PoE)
The Nth access switch, illustrating that the access layer scales horizontally across floors and IDF closets. Each uplinks redundantly to both distribution switches per structured-cabling and 3-tier design rules.
📘 TIA-568 / TIA-942
Wireless Controller
The wireless LAN controller centrally managing the access points — RF/channel planning, roaming, security (WPA3/802.1X), and guest segmentation. It tunnels or bridges client traffic and applies consistent policy fleet-wide.
📘 Wi-Fi 6 (IEEE 802.11ax)
Access Points
Ceiling-mounted access points delivering Wi-Fi coverage and capacity to laptops, phones, and IoT. Placement and density follow a predictive/site-survey design to hit signal, SNR, and roaming targets across the floorplate.
📘 IEEE 802.11ax/be
Endpoints
Corporate Users
Managed corporate endpoints — desktops and laptops on the CORP VLAN. Authenticated via 802.1X, protected by EDR, and granted least-privilege access to internal and cloud resources per zero-trust policy.
📘 VLAN 10 (CORP-USERS)
IP Phones
PoE-powered IP phones on a dedicated voice VLAN with QoS priority so call quality is protected from data congestion. They register to the on-prem or cloud unified-communications platform.
📘 VLAN 30 (VOICE) / SIP
Printers
Networked printers and multifunction devices, usually segmented into their own VLAN with tight ACLs. Treated as untrusted endpoints because embedded firmware is a common lateral-movement and data-exfiltration vector.
📘 Network segmentation
IoT Devices
Building IoT — cameras, badge readers, sensors, and controllers — placed on an isolated IoT VLAN with strict east-west controls. Segmentation contains the large, hard-to-patch attack surface these devices represent.
📘 VLAN 60 (IOT) / NIST 8259
Guest Users (Wi-Fi)
Guest and BYOD devices on a captive-portal Wi-Fi network giving internet-only access fully isolated from internal resources. Bandwidth-limited and logged, it keeps visitor traffic off the corporate segments.
📘 VLAN 40 (GUEST)
Data Center / Server Layer
Compute / Application Servers
The application server tier hosting business workloads — web/app services, middleware, and line-of-business apps. Sized for performance and redundancy and front-ended by load balancers for scale and availability.
📘 TIA-942 (data center)
Database Servers
Clustered database servers holding the organization’s transactional data. Protected with replication, regular backups, and tight access control, they are among the highest-value assets and a priority for DR planning.
📘 ACID / HA clustering
Virtualization / Hypervisor Cluster
A hypervisor cluster (VMware/Hyper-V/KVM) consolidating workloads onto shared hosts with live migration, HA restart, and resource pooling. The virtualization fabric underpins density, fast provisioning, and resilience.
📘 vSphere HA / live migration
Storage Area Network (SAN)
A shared block-storage fabric (Fibre Channel or iSCSI) presenting resilient LUNs to the compute and virtualization tiers. RAID, snapshots, and replication protect data and enable the live-migration and HA features above.
📘 FC / iSCSI (RFC 7143)
Backup & DR Servers
The backup and disaster-recovery infrastructure — backup servers, deduplicated repositories, and replication to the DR site. Backups follow the 3-2-1 rule and are tested against defined RPO/RTO targets.
📘 3-2-1 backup / RPO·RTO
Data Center Network (10/25/40/100G)
The high-speed data-center fabric — typically spine-leaf at 10/25/40/100G — interconnecting servers, storage, and uplinks with low latency and non-blocking throughput. VXLAN/EVPN provides scalable L2/L3 overlays.
📘 Spine-leaf / VXLAN-EVPN
Enterprise Services & Platforms
Active Directory / LDAP
The identity backbone — Active Directory / LDAP providing authentication, authorization, group policy, and the directory of record. Nearly every other service depends on it, making it a top availability and security priority.
📘 LDAP (RFC 4511) / Kerberos
DHCP / DNS
Core network services: DHCP for automatic address assignment and internal DNS for name resolution. Foundational and built for high availability — when they fail, clients lose addressing and the ability to find every other service.
📘 DHCP (RFC 2131) / DNS (RFC 1035)
File Services
Centralized file services (SMB/NFS) hosting departmental shares and user data with permissions, quotas, and shadow copies. Backed up and access-controlled, it consolidates unstructured data off endpoints.
📘 SMB 3 / NFSv4
Email / Collaboration
The messaging and collaboration platform (Exchange/Microsoft 365/Google Workspace) for email, calendaring, chat, and document collaboration. Often hybrid, with the DMZ mail gateway protecting the inbound path.
📘 SMTP (RFC 5321)
ERP / Business Apps
Enterprise applications — ERP, CRM, and line-of-business systems — running the organization’s core processes. High-value, integration-heavy workloads that drive capacity, availability, and backup requirements.
📘 N-tier application
Database / Data Warehouse
A consolidated database / data-warehouse platform aggregating operational data for BI, reporting, and analytics. Separated from transactional databases so heavy queries don’t impact production performance.
📘 OLAP / ETL
VoIP / Unified Communications
The unified-communications platform delivering voice, video conferencing, presence, and messaging. It registers the IP phones and soft clients and relies on QoS end-to-end to keep real-time media clean.
📘 SIP (RFC 3261) / RTP
Cloud Services
Public-cloud and SaaS services integrated into the architecture — IaaS workloads, SaaS apps, and identity federation. Reached over secure, often SD-WAN-optimized paths, extending the data center into a hybrid model.
📘 OAuth 2.0 / SAML
Disaster Recovery Architecture
Primary Data Center
The primary production data center hosting live workloads. Its data and state replicate to the secondary site so operations can fail over within the defined RTO if the primary becomes unavailable.
📘 TIA-942 (tiers)
DR Site / Secondary Data Center
The recovery site receiving asynchronous replication from production. Maintained warm/standby so applications and data can be brought online there during a primary-site outage, meeting business-continuity objectives.
📘 RPO / RTO (ISO 22301)
Cloud / DRaaS
Cloud-based disaster recovery (DRaaS) as a tertiary option — replicating critical workloads to a cloud provider for on-demand recovery without a fully staffed second site, scaling capacity only when invoked.
📘 DRaaS / ISO 22301
Monitoring & Management
Network Monitoring (NMS)
Continuous network monitoring for up/down state, interface errors, and SLA thresholds, with alerting to on-call. The first line of operational awareness for the whole estate, fed by SNMP and streaming telemetry.
📘 SNMPv3 / gNMI
Performance Monitoring
Performance and capacity monitoring tracking utilization, latency, and application response over time. Drives proactive capacity planning and pinpoints bottlenecks before users notice degradation.
📘 Baselining / APM
Alerting / Notification
The alerting and notification layer turning monitoring signals into actionable incidents — thresholds, deduplication, on-call routing, and escalation. Tuned to cut noise so real problems surface fast.
📘 NIST SP 800-61 (IR)
Reporting / Dashboards
Operational dashboards and scheduled reports rolling monitoring data into KPIs, SLA attainment, and compliance evidence for both engineers and management. Closes the loop from raw telemetry to decisions.
📘 SLA / KPI reporting
Reference Panels
Network Characteristics
The architecture’s headline design goals: high availability, redundant internet and core/distribution, VLAN segmentation, secure remote access (VPN), centralized identity and policy, encrypted communications, and a scalable, modular design.
📘 Design principles
VLAN / Segmentation Overview
The VLAN/segmentation plan that partitions the network by function — CORP-USERS (10), SERVERS (20), VOICE (30), GUEST (40), MANAGEMENT (50), IOT (60), DMZ (70), and BACKUP (80) — the basis for security zoning and IP addressing.
📘 IEEE 802.1Q (VLANs)
Security Layers (Defense in Depth)
The defense-in-depth stack: perimeter security (firewalls, DDoS), network segmentation (VLANs/ACLs), access control (NAC, 802.1X), identity & access management, encryption (VPN/TLS/IPsec), threat detection (IDS/IPS), endpoint protection (EDR/AV), and security monitoring (SIEM).
📘 IEC 62443 / NIST CSF
High Availability Strategy
The high-availability strategy threaded through the design: dual ISPs, redundant active/passive or active/active firewalls, redundant core switches, stacked/VSS/MLAG distribution, redundant servers and storage, load balancing, and UPS/generator backup.
📘 N+1 / 2N redundancy
Connections & Networks
The connection, network, and signal types that tie the layers together — each shown as a colored line in the diagram above.
Internet / WAN
Public internet and wide-area transport between the edge routers, carriers, and remote sites — the untrusted underlay carrying encrypted overlay and published-service traffic.
📘 BGP / RFC 1918
MPLS / SD-WAN
Managed MPLS and SD-WAN overlay paths between sites — SLA-backed, traffic-engineered, and application-aware transport for site-to-site and branch connectivity.
📘 MEF 70 / RFC 3031
LAN (Copper)
Copper Ethernet links (Cat 5e/6/6A) for access-layer and short backbone runs, carrying user, voice, and PoE connections within TIA-568 distance limits.
📘 IEEE 802.3 / TIA-568
LAN (Fiber)
Fiber uplinks and backbone links between access, distribution, core, and the data center — high-bandwidth, low-attenuation runs for long distances and 10–100G speeds.
📘 IEEE 802.3 (fiber) / TIA-568
Server / Storage Network
The data-center server and storage fabric — high-speed links between compute, virtualization, SAN, and the spine-leaf network carrying east-west and block-storage traffic.
📘 FC / iSCSI / VXLAN
Management / Monitoring
The out-of-band management and monitoring network linking devices to NMS, SIEM, flow analytics, and config backup on an isolated VLAN, separated from production traffic.
📘 SNMPv3 / Syslog (out-of-band)
High Availability / Redundancy
Redundancy links — firewall HA sync, core/distribution peer links (VSS/MLAG), and replication paths — that keep the system available through device or link failures.
📘 MLAG / VRRP / HA sync
Wireless
Wi-Fi connectivity between access points and clients (corporate, guest, IoT), managed by the wireless controller with WPA3/802.1X security and per-SSID segmentation.
📘 IEEE 802.11ax (Wi-Fi 6)
Power
Electrical power distribution to the infrastructure — PoE to edge devices and UPS/generator-backed feeds to network gear and the data center for ride-through and graceful shutdown.
📘 PoE (802.3bt) / UPS