Building a Campus Area Network (CAN)


Designing, deploying, and maintaining a multi-building enterprise network with speed, security, and scalability.


1. Define Scope and Requirements

  • Coverage area: Identify all buildings, floors, and outdoor spaces to be connected.
  • User count: Estimate simultaneous wired/wireless clients.
  • Application demands: Voice, video conferencing, ERP, cloud workloads, research data, etc.
  • Performance targets: Latency, throughput, redundancy.
  • Security & compliance: Industry-specific requirements (e.g., HIPAA, PCI-DSS, FERPA).
  • Budget constraints: Include CAPEX (hardware) and OPEX (support, licensing).

2. Core Network Architecture

  • Hierarchical Model (Best Practice):
    1. Core Layer — High-speed backbone interconnecting distribution switches/buildings.
    2. Distribution Layer — Aggregates access switches, enforces policy, and routes between VLANs.
    3. Access Layer — Connects end devices, APs, and local resources.
  • Alternative: Spine-leaf fabric for flatter, low-latency connectivity.

3. Media and Physical Layer

  • Fiber backbone: Single-mode for long runs (>550 m), multi-mode OM4 for shorter inter-building runs.
  • Copper (Cat 6A/7): Access ports, PoE for APs, IP phones, security cameras.
  • Conduits & pathways: Allow for growth; follow ANSI/TIA-568 and TIA-942 standards.
  • Environmental protection: Use armored or outdoor-rated fiber between buildings.

4. Hardware Selection

(See Major Network Hardware Providers list for vendor options)

Core & Distribution Switches

  • Modular chassis or high-throughput fixed switches with redundant power supplies/fans.
  • Support for Layer 3 routing, MPLS (if needed), and high-speed uplinks (40/100/400G).

Access Switches

  • PoE/PoE+ or UPoE support for wireless APs, VoIP, cameras.
  • Stacking or VSF/MLAG for redundancy.

Routers

  • Enterprise-class for WAN connectivity; consider dual routers with VRRP/HSRP/GLBP for failover.

Wireless Access Points

  • Wi-Fi 6/6E or Wi-Fi 7 capable.
  • Managed via on-premises controller or cloud.

Firewalls & Security Gateways

  • NGFW with intrusion prevention, SSL decryption, and application awareness.
  • Optional segmentation firewalls between departments.

5. Logical Network Design

  • IP addressing: Plan IPv4/IPv6 subnets by building, floor, or department.
  • VLAN segmentation: Separate user groups, voice, guest Wi-Fi, IoT devices.
  • Routing: OSPF/EIGRP for internal; BGP if connecting to ISPs or multiple WANs.
  • QoS policies: Prioritize VoIP, video conferencing, and critical apps.
  • Redundancy: Dual uplinks, link aggregation (LACP), spanning tree tuning or multi-chassis LAG.
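
An added example (not part of the original guide): a short Python script that lays out the per-building subnets and per-role VLANs described above, then audits the plan for overlapping subnets and reused VLAN IDs, either of which would let traffic from one segment match rules written for another. The campus supernet, building names, and VLAN numbering scheme are assumptions chosen for illustration.

```python
import ipaddress

# Assumed values (not from the guide): supernet, buildings, role -> VLAN offset.
CAMPUS = ipaddress.ip_network("10.40.0.0/16")
BUILDINGS = ["library", "science", "admin"]
ROLES = {"users": 10, "voice": 20, "guest": 30, "iot": 40}

def build_plan(campus=CAMPUS, buildings=BUILDINGS, roles=ROLES):
    """Give each building one /20 and each role a /24 inside that block."""
    plan = []
    blocks = campus.subnets(new_prefix=20)
    for b_index, (building, block) in enumerate(zip(buildings, blocks), start=1):
        subnets = block.subnets(new_prefix=24)
        for (role, offset), subnet in zip(roles.items(), subnets):
            plan.append({"building": building, "role": role,
                         "vlan": b_index * 100 + offset, "subnet": subnet})
    return plan

def audit_plan(plan, campus=CAMPUS):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    seen_vlans = set()
    for i, entry in enumerate(plan):
        where = f"{entry['building']}/{entry['role']}"
        if not entry["subnet"].subnet_of(campus):
            findings.append(f"{where}: {entry['subnet']} is outside {campus}")
        if not 1 <= entry["vlan"] <= 4094:
            findings.append(f"{where}: VLAN {entry['vlan']} is out of range")
        if entry["vlan"] in seen_vlans:
            findings.append(f"{where}: VLAN {entry['vlan']} is already in use")
        seen_vlans.add(entry["vlan"])
        # Overlap means an ACL for one segment also matches hosts in the other.
        for other in plan[:i]:
            if entry["subnet"].overlaps(other["subnet"]):
                findings.append(f"{where}: {entry['subnet']} overlaps "
                                f"{other['subnet']} ({other['building']}/{other['role']})")
    return findings

if __name__ == "__main__":
    plan = build_plan()
    for e in plan:
        print(f"{e['building']:<8} {e['role']:<6} VLAN {e['vlan']:<4} {e['subnet']}")
    # Constructed mistake: a hand-added guest segment that collides with users.
    plan.append({"building": "annex", "role": "guest", "vlan": 130,
                 "subnet": ipaddress.ip_network("10.40.0.128/25")})
    for finding in audit_plan(plan):
        print("FINDING:", finding)
```

Running the audit against the planned table before any switch is configured catches collisions while they are still a spreadsheet problem.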

6. Wireless LAN Design

  • RF survey: Predictive + on-site validation for AP placement.
  • Channel planning: Minimize co-channel interference.
  • Roaming optimization: 802.11k/r/v features for seamless mobility.

7. Security Framework

  • AAA services: RADIUS/TACACS+ for authentication.
  • Network Access Control (NAC): Device posture checks before granting access.
  • Segmentation: VRF, ACLs, or micro-segmentation.
  • Threat detection: IDS/IPS, NetFlow analysis, SIEM integration.
  • Physical security: Locked racks, controlled access to telecom rooms.

8. Management & Monitoring

  • Network Management System (NMS): Centralized monitoring and configuration.
  • Syslog & SNMP: For performance metrics and alerting.
  • Firmware & patch management: Scheduled updates.
  • Change control: Documented processes for modifications.

9. Implementation Steps

  1. Site survey & fiber/copper path validation.
  2. Install backbone fiber and terminate in MDF/IDF rooms.
  3. Rack & stack core/distribution/access switches.
  4. Configure VLANs, routing, security policies.
  5. Deploy wireless APs with controller/cloud integration.
  6. Test failover scenarios and throughput.
  7. Document topology, IP schemes, configurations.

10. Ongoing Maintenance

  • Regular backups of configurations.
  • Capacity planning for bandwidth growth.
  • Security audits and penetration testing.
  • Training for IT staff and helpdesk.

Example Vendor Blueprint for CAN

Layer             Vendor Example        Model Example
Core Switching    Cisco Catalyst 9600   C9606R modular chassis
Distribution      Juniper EX4650        Fixed 10/25/100G uplinks
Access Switching  Aruba 6300M           PoE+ 1/10G ports
Wireless          Cisco Catalyst 9136   Wi-Fi 6E
Firewall          Palo Alto PA-5220     NGFW
WAN Router        Cisco ISR 4431        Dual WAN, MPLS ready