Network Hierarchy: Core, Distribution, and Access Layers

Network Hierarchy Design

Core Layer

The Core Layer is the backbone of the network. It is built from the largest, fastest, and most expensive routers and switches, which interconnect geographically separated networks and forward traffic as fast as possible. Core Layer switches exist to switch packets at wire speed, not to inspect or filter them.

The core layer provides fast transport between distribution switches within the enterprise campus. It is the network's high-speed switching backbone and is crucial to corporate communications. The core layer should have the following characteristics:

  • Fast transport
  • High reliability
  • Redundancy
  • Fault tolerance
  • Low latency and good manageability
  • Avoidance of CPU-intensive packet manipulation (ACL filtering, inspection, QoS classification, etc.); policy of this kind belongs at the distribution and access layers, where a punt to the CPU cannot slow the whole campus
  • Limited and consistent diameter
  • Quality of Service (QoS)

Distribution Layer

The purpose of the Distribution Layer is to provide boundary definition by implementing access lists and other filters. Therefore, the Distribution Layer defines policy for the network. This layer includes high-end Layer 3 switches. The Distribution Layer ensures that packets are properly routed between subnets and VLANs in your enterprise.

The network’s distribution layer is the isolation point between the network’s access and core layers. The distribution layer can have many roles, including implementing the following functions:

  • Policy-based connectivity (e.g., ensuring traffic sent from a particular network is forwarded out one interface while all other traffic is forwarded out another interface)
  • Redundancy and load balancing
  • Aggregation of LAN wiring closets
  • Aggregation of WAN connections
  • QoS
  • Security filtering
  • Address or area aggregation or summarization
  • Departmental or workgroup access
  • Broadcast or multicast domain definition
  • Routing between Virtual LANs (VLANs)
  • Media translations (e.g., between Ethernet and Token Ring)
  • Redistribution between routing domains (e.g., between two different routing protocols)
  • Demarcation between static and dynamic routing protocols

You can use several Cisco IOS Software features to implement policy at the distribution layer:

  • Filtering by source or destination address (standard and extended access lists)
  • Filtering on input or output interfaces (applying an access list inbound or outbound on an interface)
  • Hiding internal network numbers by route filtering
  • Static routing
  • QoS mechanisms, such as priority-based queuing
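The following configuration is an added example and is not from the original page: it shows the first four policy features above on a Catalyst Layer 3 distribution switch. The addresses, VLAN numbers, interface names and the EIGRP AS number are assumptions chosen for illustration.

```cisco
! Added example, not from the original page: distribution-layer policy on a
! Catalyst Layer 3 switch. Addresses, VLAN numbers, interface names and the
! EIGRP AS number are assumptions chosen for illustration.
!
! 1. Filtering by source/destination address. Users reach the server farm only
!    for the services they need and can print to, but not manage, the printers.
!    "log" punts matching packets to the CPU, so it stays on the final deny
!    only, and never on a core device.
ip access-list extended USERS-IN
 remark DHCP relay and DNS to the server farm
 permit udp any eq bootpc any eq bootps
 permit udp 10.10.10.0 0.0.0.255 host 10.200.0.10 eq domain
 remark users may print (TCP 9100) but not manage the printer VLAN
 permit tcp 10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255 eq 9100
 deny   ip  10.10.10.0 0.0.0.255 10.10.20.0 0.0.0.255
 remark everything else from the user subnet is routed normally
 permit ip 10.10.10.0 0.0.0.255 any
 deny   ip any any log
!
! 2. Filtering on an input interface. The list is applied inbound on the SVI
!    that is the users' default gateway, so even intra-building traffic is
!    filtered at the first Layer 3 hop. Proxy ARP and ICMP redirects are off:
!    a host should learn nothing about the topology from its gateway.
interface Vlan10
 description USERS
 ip address 10.10.10.1 255.255.255.0
 ip helper-address 10.200.0.10
 ip access-group USERS-IN in
 no ip proxy-arp
 no ip redirects
!
interface Vlan20
 description PRINTERS
 ip address 10.10.20.1 255.255.255.0
 no ip proxy-arp
 no ip redirects
!
interface Vlan30
 description FW-TRANSIT (assumed firewall transit VLAN)
 ip address 10.10.30.1 255.255.255.252
!
! 3. Hiding internal network numbers by route filtering. Only the building
!    summary leaves the distribution block; the per-VLAN /24s are never
!    advertised, so a core or WAN neighbour cannot enumerate them.
ip prefix-list TO-CORE seq 10 permit 10.10.0.0/16
ip prefix-list TO-CORE seq 20 deny 0.0.0.0/0 le 32
!
router eigrp 100
 network 10.10.0.0 0.0.255.255
 network 10.255.0.0 0.0.0.255
 passive-interface default
 no passive-interface TenGigabitEthernet1/1
 distribute-list prefix TO-CORE out TenGigabitEthernet1/1
!
interface TenGigabitEthernet1/1
 description uplink to core
 no switchport
 ip address 10.255.0.2 255.255.255.252
 ip summary-address eigrp 100 10.10.0.0 255.255.0.0
!
! 4. Static routing. A stub network behind the firewall is reached with a
!    static route instead of redistributing the firewall's routing domain.
ip route 10.250.0.0 255.255.255.0 10.10.30.2
```

The summary address on the core uplink already suppresses the /24s; the outbound prefix-list is the belt to that suspender, so a later change that adds a second uplink or removes the summary does not leak the internal prefixes. "show ip eigrp topology" on the core neighbour should list only 10.10.0.0/16 from this switch.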

Access Layer

The Access Layer includes access switches which are connected to the end devices (Computers, Printers, Servers, etc.). Access layer switches ensure that packets are delivered to the end devices.

Features often implemented at the Access Layer include:

  • Layer 2 switching
  • High availability
  • Port security
  • Broadcast suppression
  • QoS classification and marking, and trust boundaries (trust the IP phone's marking, not the PC's)
  • Rate limiting/policing
  • Dynamic Address Resolution Protocol (ARP) inspection, built on the DHCP snooping binding table
  • VLAN access control lists (VACLs), which filter traffic that stays inside a VLAN and never reaches a router ACL
  • Spanning tree, with PortFast and BPDU guard on end-host ports
  • Power over Ethernet (PoE) and auxiliary (voice) VLANs for VoIP
  • Network Access Control (NAC), typically 802.1X with MAC authentication bypass
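The configuration below is an added example, not from the original page, showing the access-layer features listed above on a single user-facing Catalyst port. VLAN numbers, interface names and the RADIUS server address and secret are assumptions.

```cisco
! Added example, not from the original page: an access-layer port on a Catalyst
! switch with the features listed above. VLAN numbers, interface names and the
! RADIUS server address/secret are assumptions.
!
! Global prerequisites. DHCP snooping builds the binding table that Dynamic ARP
! Inspection (DAI) and IP Source Guard check against; QoS and 802.1X must be
! enabled globally before any port can use them.
ip dhcp snooping
ip dhcp snooping vlan 10,110
no ip dhcp snooping information option
ip arp inspection vlan 10,110
ip arp inspection validate src-mac dst-mac ip
mls qos
aaa new-model
aaa authentication dot1x default group radius
aaa authorization network default group radius
dot1x system-auth-control
radius-server host 10.200.0.20 auth-port 1812 acct-port 1813 key REPLACE-ME
spanning-tree portfast bpduguard default
!
! Uplink toward distribution: trusted for DHCP/ARP/QoS, never a user port.
interface GigabitEthernet1/0/48
 description uplink to distribution
 switchport mode trunk
 switchport trunk allowed vlan 10,110
 switchport nonegotiate
 ip dhcp snooping trust
 ip arp inspection trust
 mls qos trust dscp
!
! User ports: one PC behind one IP phone, voice on auxiliary VLAN 110.
interface range GigabitEthernet1/0/1 - 47
 description user + IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 110
 switchport nonegotiate
 ! Port security: phone + PC. Maximum 3 because some platforms learn the
 ! phone's MAC in both the access and the voice VLAN.
 switchport port-security
 switchport port-security maximum 3
 switchport port-security violation shutdown
 switchport port-security aging time 5
 ! Broadcast suppression and rate limiting, including DHCP/ARP from the host
 storm-control broadcast level 1.00
 storm-control multicast level 5.00
 storm-control action trap
 ip dhcp snooping limit rate 15
 ip arp inspection limit rate 15
 ip verify source port-security
 ! Spanning tree: an end-host port must never become a bridge
 spanning-tree portfast
 ! QoS trust boundary: trust CoS only when a Cisco phone is detected, never the PC
 mls qos trust cos
 mls qos trust device cisco-phone
 ! NAC: 802.1X for the PC, MAB fallback for the phone, one identity per domain
 authentication host-mode multi-domain
 authentication port-control auto
 dot1x pae authenticator
 mab
!
! Recover automatically from a tripped BPDU guard or port-security shutdown
! instead of leaving the port dark until someone logs in.
errdisable recovery cause bpduguard
errdisable recovery cause psecure-violation
errdisable recovery interval 300
!
! VACL: drop Telnet between hosts inside VLAN 10. A router ACL on the SVI
! never sees this traffic because it stays within the VLAN.
ip access-list extended TELNET-IN-VLAN
 permit tcp any any eq telnet
vlan access-map USERS-VACL 10
 match ip address TELNET-IN-VLAN
 action drop
vlan access-map USERS-VACL 20
 action forward
vlan filter USERS-VACL vlan-list 10
```

IP Source Guard and DAI only know about hosts that obtained their address through DHCP; a statically addressed printer on one of these ports needs an "ip source binding" entry or it will be dropped. "show ip dhcp snooping binding" and "show ip arp inspection statistics" are the first things to check when a port stops passing traffic after this is applied.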

Hierarchical Network Benefits

A hierarchical network design involves dividing the network into discrete layers. Each layer, or tier, in the hierarchy provides specific functions that define its role within the overall network. Benefits:

  • Cost saving
  • Ease of understanding
  • Modular network growth
  • Improved fault isolation

In topology terms, a hub-and-spoke design converges faster than a ring, scales better, and is easier to manage than ring or mesh topologies. Implementing security policy in a full mesh, for example, becomes unmanageable because the policy must be configured at every node. (Ring = delay, mesh = complex configuration.)

Redundancy Solutions

Virtual Switching System (VSS)

Another solution for providing redundancy between the access and distribution switching is the Virtual Switching System (VSS). VSS solves the STP looping problem by converting the distribution switching pair into a single logical switch, so an access switch's uplinks to both chassis form one multichassis EtherChannel: STP no longer has to block a redundant uplink, and a single gateway address on the VSS pair removes the need for Hot Standby Router Protocol (HSRP), Virtual Router Redundancy Protocol (VRRP), or Gateway Load Balancing Protocol (GLBP).

Key Benefits of VSS
  • Layer 3 switching can be used toward the access layer, enhancing nonstop communication.
  • Scales system bandwidth up to 1.44 Tbps.
  • Simplified management of a single configuration of the VSS distribution switch.
  • Better return on investment (ROI) via increased bandwidth between the access layer and the distribution layer.
  • Supported on Catalyst 4500, 6500, and 6800 switches.

Router Redundancy Protocols

Proxy ARP: Some IP workstations send an ARP request for every destination, including remote stations. A router running proxy ARP answers with its own data link layer address and forwards on the host's behalf. Cisco IOS enables proxy ARP by default; it keeps a host with a wrong subnet mask working, but it also means any device willing to answer ARP can impersonate the gateway, so disable it on interfaces that do not need it.

RDP: RFC 1256 specifies an extension to the Internet Control Message Protocol (ICMP), the ICMP Router Discovery Protocol (IRDP), that allows an IP workstation and router to run RDP so the workstation can learn a router's address.

The Cisco HSRP provides a way for IP workstations that support only one default router to keep communicating on the internetwork even if their default router becomes unavailable. Routers in an HSRP group share a virtual IP and MAC address; one is active, the others standby, and they exchange hellos on UDP port 1985 to 224.0.0.2 (version 1) or 224.0.0.102 (version 2).

VRRP is the standards-based router redundancy protocol defined in RFC 3768 (VRRPv2). RFC 5798 defines VRRPv3 for both IPv4 and IPv6 networks.

GLBP protects data traffic from a failed router or circuit, like HSRP, while also allowing packet load sharing between a group of redundant routers. Features include:

  • Load sharing: GLBP can be configured so that traffic from LAN clients is shared by multiple routers (the active virtual gateway hands out a different forwarder's virtual MAC to successive ARP requests).
  • Multiple virtual routers: GLBP supports up to 1024 virtual routers (GLBP groups) on each physical interface of a router.
  • Preemption: GLBP enables you to preempt an active virtual gateway with a higher-priority backup.
  • Authentication: Simple text password and MD5 authentication are supported. The text password is carried in clear in every hello, so it stops accidents, not an attacker on the same VLAN who can sniff it and then send a higher-priority hello; use MD5 with a key chain.
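The configuration below is an added example, not from the original page: the weak HSRP setup common in lab guides beside a hardened HSRP and GLBP configuration for the first distribution switch of a pair, plus the port ACL an access switch uses to keep hosts from sending first-hop redundancy traffic at all. Addresses, group numbers, key names, the tracked interface and the second switch's values are assumptions.

```cisco
! Added example, not from the original page: HSRP and GLBP on the first
! distribution switch of a pair. Addresses, group numbers, key names, the
! tracked interface and the second switch's values are assumptions.
!
! --- Weak: what most lab guides show ---
! No authentication, or "standby 1 authentication cisco", which is sent in
! clear text in every hello. Any host on VLAN 10 that sends HSRP hellos to
! 224.0.0.2 UDP 1985 with priority 255 and preempt becomes the active gateway
! and can read or redirect all off-subnet traffic from the VLAN.
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby 1 ip 10.10.10.1
 standby 1 priority 110
 standby 1 preempt
!
! --- Hardened HSRP ---
key chain FHRP-KEYS
 key 1
  key-string REPLACE-WITH-LONG-RANDOM-SECRET
!
track 10 interface TenGigabitEthernet1/1 line-protocol
!
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 standby version 2
 standby 1 ip 10.10.10.1
 standby 1 priority 110
 ! preempt delay: do not take over until routing has converged after a reload
 standby 1 preempt delay minimum 60
 standby 1 timers msec 250 msec 750
 ! MD5: hellos with a bad digest are ignored, so a spoofed priority-255 hello
 ! from a host cannot take the group
 standby 1 authentication md5 key-chain FHRP-KEYS
 ! lose the core uplink, lose 20 priority, and the peer (priority 100) takes over
 standby 1 track 10 decrement 20
!
! --- GLBP: same protections, but both switches forward for VLAN 20 ---
interface Vlan20
 ip address 10.10.20.2 255.255.255.0
 glbp 20 ip 10.10.20.1
 glbp 20 priority 110
 glbp 20 preempt delay minimum 60
 glbp 20 load-balancing round-robin
 glbp 20 authentication md5 key-chain FHRP-KEYS
 ! a forwarder leaves the rotation when its weight drops below 70
 glbp 20 weighting 100 lower 70 upper 90
 glbp 20 weighting track 10 decrement 40
!
! The second switch is identical except for its own addresses (10.10.10.3 and
! 10.10.20.3) and priority 100.
!
! Authentication only stops hellos the switches would act on. On each access
! switch, a port ACL on user ports (never on uplinks) drops HSRPv1/v2, GLBP
! and VRRP packets from hosts before they reach the distribution layer.
ip access-list extended NO-FHRP-FROM-HOSTS
 deny   udp any host 224.0.0.2 eq 1985
 deny   udp any host 224.0.0.102 eq 1985
 deny   udp any host 224.0.0.102 eq 3222
 deny   112 any host 224.0.0.18
 permit ip any any
!
interface range GigabitEthernet1/0/1 - 47
 ip access-group NO-FHRP-FROM-HOSTS in
```

"show standby brief" should show exactly one Active and one Standby per group on the pair; a third entry, or an Active whose address is not one of the two switches, is the hijack described above. "show glbp brief" should show one AVG and one AVF per switch. If MD5 is configured on one switch before the other, each will log the peer's hellos as authentication failures and both will go Active until the key chain matches on both sides, so change the two switches within one maintenance window.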

Server Farm High Availability

Some environments need fully redundant (mirrored) file and application servers. For example, in a brokerage firm where traders must access data to buy and sell stocks, two or more redundant servers can replicate the data. Also, you can deploy Cisco Unified Communications Manager (CUCM) servers in clusters for redundancy. The servers should be on different networks and use redundant power supplies. To provide high availability in the server farm module, you have the following options:

  • Single attachment: A server with one NIC on one switch has no redundancy and is not recommended; a first-hop redundancy protocol (HSRP, GLBP) on the gateway side protects it only against a failed router, not against its own link or switch.
  • Dual attachment: This solution increases availability by using redundant network interface cards (NICs) connected to different access switches.
  • Fast EtherChannel (FEC) and Gigabit EtherChannel (GEC) port bundles: This solution bundles two to eight Fast or Gigabit Ethernet links into one logical link to increase bandwidth and survive the loss of a member link.

Route redundancy provides load balancing and high availability. Link redundancy uses multiple WAN links that provide primary and secondary failover for higher availability. On LANs, use EtherChannel.

Enterprise Modules

Enterprise Campus Area

The enterprise campus module includes the building access and building distribution components and the shared campus backbone component or campus core. Edge distribution provides connectivity to the enterprise edge. High availability is implemented in the server farm, and network management monitors the enterprise campus and enterprise edge.

Enterprise Edge Area

Consists of e-commerce, Internet, VPN/remote access, and WAN modules.

Enterprise WAN Module

This module provides MPLS or other WAN technologies.

Enterprise Remote Branch Module

The enterprise branch normally consists of remote offices, small offices, or sales offices. These branch offices rely on the WAN to use the services and applications provided in the main campus.

Enterprise Data Center Module

The enterprise data center module uses the network to consolidate server, storage, and application resources. An offsite data center provides disaster recovery and business continuity services for the enterprise.

Enterprise Teleworker

The enterprise teleworker module supports a small office, mobile users, or home users providing access to corporate systems via VPN tunnels.

VPN/Remote Access Module

The VPN/remote access module of the enterprise edge provides remote-access termination services, including authentication for remote users and sites. Components of this submodule include the following:

  • Firewalls: Provide stateful filtering of traffic, authenticate trusted remote sites, and provide connectivity using IPsec tunnels.
  • Dial-in access concentrators: Terminate legacy dial-in connections and authenticate individual users.
  • Cisco Adaptive Security Appliances (ASAs): Terminate IPsec tunnels, authenticate individual remote users, and provide firewall and intrusion prevention services.
  • Network intrusion prevention system (IPS) appliance.

EtherChannel Technology

EtherChannel is a port link aggregation technology, or port-channel architecture, used primarily on Cisco switches. It groups several physical Ethernet links (up to eight active links per bundle) into one logical Ethernet link to provide fault tolerance and higher bandwidth between switches, routers, and servers. Because spanning tree sees the bundle as a single link, none of the member links is blocked.
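The configuration below is an added example and not from the original page: a two-link LACP EtherChannel from an access switch to a distribution switch, together with the checks that catch the usual misconfigurations. The same configuration pointed at both chassis of a VSS pair forms a multichassis EtherChannel. Interface names and VLAN numbers are assumptions.

```cisco
! Added example, not from the original page: a two-link LACP EtherChannel from
! an access switch to a distribution switch. Interface names and VLAN numbers
! are assumptions.
!
! Member ports must match exactly (mode, native and allowed VLANs, speed,
! duplex) or the port-channel will not form; configure them through one range.
interface range TenGigabitEthernet1/1 - 2
 description uplink to DIST-1, members of Po1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,110
 switchport nonegotiate
 channel-protocol lacp
 channel-group 1 mode active
!
! The logical interface carries the same trunk settings; anything configured
! here is pushed down to the members.
interface Port-channel1
 description logical uplink to DIST-1
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 999
 switchport trunk allowed vlan 10,20,110
 switchport nonegotiate
!
! LACP "active" on this side pairs with "active" or "passive" on the peer.
! "mode on" disables negotiation: if a cable lands on the wrong port, LACP
! refuses to bundle it, whereas "on" bundles blindly and hands STP a loop.
!
! Hash on source and destination IP so flows spread across both members; the
! common default of src-mac puts all traffic from one router MAC on one link.
port-channel load-balance src-dst-ip
```

Verification: "show etherchannel summary" should list Po1 as (SU) with each member flagged (P). A member flagged (s) is suspended because its settings differ from the bundle; (I) means it fell back to an individual port, which is the state that lets a loop form. "show lacp neighbor" confirms that the partner's system ID is the expected distribution switch. A dual-attached server in the server farm uses the same switch-side configuration with its NIC team set to LACP.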