
Chapter 3 of 29

Network Topology Architectures: Campus, WAN, and Cloud Designs

Compare classic two-tier and three-tier campus designs with spine-leaf, SOHO, WAN, and cloud-connected topologies to see where each shines and how they appear on the exam.


Big Picture: Where These Topologies Show Up (and Why CCNA Cares)

Three Environments

You will see three big environments: campus networks, WANs, and SOHO. Each has different scale, redundancy, and performance expectations, and CCNA questions often test if you can tell them apart.

Campus Focus

Campus networks cover multiple buildings or floors on a single site. Here you will see classic two-tier and three-tier designs, and more recently spine-leaf in areas that look like small data centers.

WAN and SOHO

WANs connect multiple sites and clouds via providers (MPLS, Metro Ethernet, internet VPNs, SD-WAN). SOHO is a tiny site, often one router and Wi‑Fi, but it still fits into enterprise designs.

Cloud Overlay

Cloud connectivity overlays all of this: sites connect to public cloud and SaaS via VPNs, dedicated links, or direct internet access. CCNA diagrams frequently mix on‑prem, WAN, and cloud icons.

Exam Mindset

When you see a diagram, ask: Which architecture is this? Why was it chosen? What are its strengths and weaknesses? That mindset will help you handle CCNA scenario questions.

Two-Tier Campus Design (Collapsed Core/Distribution)

Two-Tier Overview

Two-tier (collapsed core) combines core and distribution into one layer above access switches. It is very common in small and medium campuses and is a favorite CCNA exam diagram.

Access Layer Role

Access switches connect end devices and provide VLANs, PoE, and port security. Remember the VLAN definition: a logical Layer 2 subdivision forming one broadcast domain.

Collapsed Core/Distribution

Distribution/core switches aggregate access switches, perform inter-VLAN routing, apply ACLs and QoS, and connect to WAN or data center. Often there are two of them for redundancy.

STP in Two-Tier

Because access-to-distribution links are usually Layer 2, STP is used. STP prevents loops by blocking redundant paths while keeping a loop-free logical topology.

When to Use Two-Tier

Use two-tier for smaller sites, moderate traffic, and limited budget. On a diagram, look for two big central switches with multiple access switches hanging below.

Three-Tier Campus Design: Access, Distribution, Core

Three Layers

Three-tier campus design has access, distribution, and core layers. It is used in larger campuses with many buildings and higher traffic and provides more scalability and resiliency.

Access and Distribution

Access connects end devices. Distribution aggregates access switches, applies ACLs and QoS, and usually acts as the Layer 3 boundary for VLANs, running a routing protocol such as OSPFv2 toward the core.

Core Layer Role

The core is the high-speed backbone focusing on fast, reliable Layer 3 forwarding with minimal policy. It interconnects distribution blocks, data centers, WAN, and internet edge devices.

Why Split Layers

Separating distribution and core improves scalability (each block can grow), resiliency (core is highly redundant), and performance (core optimized for high throughput and low latency).

Visual Exam Cue

On CCNA diagrams, three horizontal switch layers usually indicate a three-tier campus. Expect questions about which layer to apply ACLs or where to terminate VLANs.

Spine-Leaf Architecture: Modern Data Center and High-Density Campus

Spine-Leaf Overview

Spine-leaf is common in modern data centers and high-density campuses. Leaves connect to devices; spines form a high-speed backbone. Every leaf connects to every spine, forming a Clos fabric.

Leaf and Spine Roles

Leaf switches connect to servers or access blocks. Spine switches connect only to leaves (and sometimes WAN edge), not to end hosts. This creates many equal-cost paths between leaves.

Fabric Characteristics

Spine-leaf offers predictable latency (two hops between leaves) and high bandwidth via multiple parallel links and ECMP. It is often built as a Layer 3 fabric using routing protocols.

SDN Connection

Spine-leaf pairs well with SDN. SDN separates control and data planes and lets controllers program the fabric using software and APIs, a direction many data centers have taken in recent years.

Visual Exam Cue

On diagrams, look for a few spines at the top and several leaves below, with every leaf uplinked to each spine. That pattern is your signal that the question is about spine-leaf behavior.

Comparing Two-Tier, Three-Tier, and Spine-Leaf in Real Scenarios

Scenario 1: Small Office

Single building, ~200 users, moderate traffic, limited budget but some redundancy. Two big switches in a main room, smaller switches on floors. This maps well to a two-tier collapsed core design.

Scenario 2: Large Campus

University with 10 buildings, central data center, and WAN links. Each building has access and distribution, all tied into a redundant core. This is a textbook three-tier campus architecture.

Scenario 3: Data Center

Private cloud data center with thousands of VMs and heavy server-to-server traffic. Servers connect to leaf switches, every leaf to every spine. This is a spine-leaf fabric.

Exam Strategy

When reading a scenario, first decide: small/medium campus, large campus, or data center? That often points directly to two-tier, three-tier, or spine-leaf before you see any diagrams.

WAN Topologies: Hub-and-Spoke, Full Mesh, and SD-WAN Overlays

WAN Purpose

WANs connect multiple sites: branches, data centers, and clouds. On diagrams, they are often shown as a cloud symbol with routers from each site connecting into that cloud.

Hub-and-Spoke

In hub-and-spoke, branches connect only to a central hub. It is simple and cheaper but the hub can be a performance bottleneck and a single point of failure for inter-branch traffic.

Full and Partial Mesh

Full mesh gives every site direct links to all others, offering great latency and resiliency but high cost. Partial mesh is a compromise where only some sites have multiple direct links.

Underlay vs Overlay

Physical WAN links (MPLS, Metro Ethernet, internet) form the underlay. SD-WAN overlays create virtual tunnels across these, with controllers steering traffic based on policy.

Exam Recognition

On CCNA, identify whether a WAN diagram shows hub-and-spoke, full mesh, or partial mesh, and relate each to redundancy, latency, and cost trade-offs.
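
The path and resiliency claims made above for spine-leaf (two hops, many equal-cost paths) and for hub-and-spoke versus full mesh (hub as single point of failure, cost in links) can be checked by modelling each topology as a graph. This is an added example, not part of the original chapter; the device names, the 6-leaf/3-spine fabric, and the four-site WAN are constructed samples.

```python
from collections import deque
from itertools import combinations

def build(links):
    """Undirected adjacency map from (a, b) link pairs."""
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    return adj

def equal_cost_paths(adj, src, dst):
    """(hops, number of shortest paths) from src to dst; (None, 0) if unreachable."""
    dist, ways = {src: 0}, {src: 1}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nbr in adj.get(node, ()):
            if nbr not in dist:                  # first visit fixes the hop count
                dist[nbr], ways[nbr] = dist[node] + 1, 0
                queue.append(nbr)
            if dist[nbr] == dist[node] + 1:      # one more equal-cost way in
                ways[nbr] += ways[node]
    return dist.get(dst), ways.get(dst, 0)

def survives(adj, failed, endpoints):
    """True if all remaining endpoints still reach each other once 'failed' is down."""
    rest = {n: nbrs - {failed} for n, nbrs in adj.items() if n != failed}
    live = [e for e in endpoints if e != failed]
    return all(equal_cost_paths(rest, a, b)[0] is not None
               for a, b in combinations(live, 2))

def link_count(adj):
    """Number of physical links (each undirected edge counted once)."""
    return sum(len(nbrs) for nbrs in adj.values()) // 2

# Constructed sample topologies (device names are made up for illustration).
LEAVES = [f"leaf{i}" for i in range(1, 7)]
SPINES = [f"spine{i}" for i in range(1, 4)]
BRANCHES = ["br1", "br2", "br3"]
SITES = ["hq"] + BRANCHES

spine_leaf = build((leaf, spine) for leaf in LEAVES for spine in SPINES)
hub_spoke = build(("hq", br) for br in BRANCHES)
full_mesh = build(combinations(SITES, 2))

if __name__ == "__main__":
    print("leaf1->leaf4:", equal_cost_paths(spine_leaf, "leaf1", "leaf4"))
    print("fabric survives spine1 loss:", survives(spine_leaf, "spine1", LEAVES))
    print("br1->br2 via hub:", equal_cost_paths(hub_spoke, "br1", "br2"))
    print("branches survive hq loss:", survives(hub_spoke, "hq", BRANCHES))
    print("mesh survives hq loss:", survives(full_mesh, "hq", SITES))
    print("links:", link_count(hub_spoke), "vs", link_count(full_mesh))
```

The hop count returned is the number of links crossed, so leaf → spine → leaf is 2, and the path count equals the number of spines that ECMP can spread traffic across.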

SOHO Topology: Small Office/Home Office in Enterprise Designs

What is SOHO?

SOHO stands for Small Office/Home Office. It is the simplest topology: one all-in-one router with Wi‑Fi, a few wired ports, and a single internet link, serving a small number of users.

Key Functions

A SOHO router typically provides NAT, DHCP, basic DNS forwarding, switching, wireless, and firewalling in one box. This contrasts with enterprise sites where these roles are separated.

SOHO in Enterprises

Enterprises use SOHO-style setups for home workers or very small branches. A VPN tunnel from the SOHO router back to HQ extends corporate access securely over the internet.

Comparing to Campus

Compared to campus or WAN designs, SOHO has tiny scale, almost no redundancy, and modest performance. It is not meant for heavy data center or high-availability workloads.

Exam Diagrams

On CCNA diagrams, SOHO appears as a single router/Wi‑Fi icon with a few PCs and an internet cloud. Recognize it quickly and relate it to low cost and low redundancy.

On-Premises, Cloud, and Hybrid Connectivity Patterns

On-Premises

On-prem means servers and services live in your own data center or campus. Users reach them entirely over internal LAN/WAN paths such as access → distribution → core → data center.

Cloud-Connected

Cloud-connected networks host apps in public cloud or SaaS. Connectivity is via site-to-site VPNs over the internet or dedicated carrier links from your edge to the cloud provider.

Hybrid Patterns

Hybrid mixes on-prem and cloud. Users may access local apps over LAN and cloud apps via internet or via a central data center that also connects to the cloud.

Diagram Clues

On CCNA diagrams, cloud icons represent cloud or WAN. Dashed lines often show VPN tunnels. Hybrid diagrams show both local servers and cloud icons with traffic between them.

Gateways and NAT

Be ready to identify which device is the default gateway for a subnet and where NAT is applied when traffic leaves on-prem networks for the internet or cloud.

Thought Exercise: Classify These Network Diagrams

Work through this mental exercise to solidify how you recognize topologies. No need to draw, but you can sketch if it helps.

Exercise A

You see a diagram with:

  • 4 small switches at the bottom connected to PCs.
  • 2 bigger switches above them.
  • A router and firewall above those, connected to the internet.
  • Each small switch has two uplinks, one to each big switch.

  1. Is this likely two-tier, three-tier, or spine-leaf?
  2. What clues led you there?

Think it through, then check yourself:

  • Only two layers of switches (access and distribution/core) → two-tier.
  • The router/firewall is not a separate core layer, just WAN edge.

Exercise B

New diagram:

  • 8 access switches in two buildings.
  • 2 distribution switches per building.
  • 2 core switches in a central data center.
  • WAN routers connect to the core.

  1. Which campus architecture is this?
  2. Where would you apply most ACLs: access, distribution, or core?

Check yourself:

  • Three switch layers → three-tier.
  • ACLs commonly at distribution for policy control.

Exercise C

Another diagram:

  • 6 leaf switches connected to servers.
  • 3 spine switches.
  • Every leaf has uplinks to all 3 spines.

  1. What architecture is this?
  2. How many hops from one server on Leaf1 to another on Leaf4?

Check yourself:

  • Spine-leaf, 2 hops (leaf → spine → leaf).

Pause for a minute and imagine how each of these would look if the exam asked you to choose the best topology for a given scenario.

Quiz 1: Campus and SOHO Topologies

Test your understanding of campus and SOHO designs.

A company has a single 3-floor building with 150 users. There are several access switches on each floor, and two larger switches in the main equipment room that provide inter-VLAN routing and connect to the internet edge router. Which topology best describes this design?

  A) Three-tier campus with dedicated core
  B) Two-tier collapsed core campus
  C) Spine-leaf data center fabric
  D) SOHO topology

Answer: B) Two-tier collapsed core campus

This is a small single-building campus with access switches on each floor and two larger switches providing aggregation and routing. Core and distribution roles are combined in those two switches, which matches a two-tier collapsed core campus design. Three-tier would have a separate core layer; spine-leaf would show each leaf connected to all spines; SOHO would typically have a single all-in-one router.

Quiz 2: WAN, Cloud, and Hybrid Patterns

Check your understanding of WAN and cloud-connected topologies.

An enterprise has three branch offices, each with a router that connects to a service provider MPLS cloud. The HQ router also connects to the same MPLS cloud. Branches send traffic to each other via HQ, and there are no direct branch-to-branch links. What WAN topology is this, and how is it most likely represented on a CCNA diagram?

  A) Full mesh, shown as routers connected in a ring
  B) Hub-and-spoke, shown as branch routers connecting into a WAN cloud with HQ as central
  C) Spine-leaf, shown as leaves and spines with equal-cost paths
  D) SOHO, shown as one router with built-in Wi‑Fi

Answer: B) Hub-and-spoke, shown as branch routers connecting into a WAN cloud with HQ as central

All branches reach each other via HQ, with no direct branch-to-branch links. That is a hub-and-spoke WAN topology. On diagrams, you typically see each branch router and the HQ router connected to a WAN cloud, with HQ effectively acting as the hub.

Key Terms and Concepts Review

Flip these cards to reinforce key definitions and topology characteristics.

Two-tier (collapsed core) campus
Campus design with access layer switches and a combined distribution/core layer. Often used in small to medium sites. Distribution/core switches aggregate access switches, perform inter-VLAN routing, and connect to WAN/internet.
Three-tier campus
Campus design with access, distribution, and core layers. Access connects end devices, distribution aggregates access and enforces policy, and core provides a high-speed, highly available routed backbone.
Spine-leaf architecture
Modern fabric where leaf switches connect to end devices and to all spine switches. Spines connect only to leaves (and sometimes WAN edge). Provides predictable two-hop latency and many equal-cost paths, common in data centers.
Hub-and-spoke WAN
WAN topology with a central hub site connected to multiple spokes (branches). Spokes typically communicate via the hub, not directly with each other. Simpler but can create a hub bottleneck.
Full mesh WAN
WAN topology where every site has a direct link to every other site. Offers excellent resiliency and latency but is expensive and complex to scale.
SOHO topology
Small Office/Home Office design, typically a single all-in-one router with built-in switch, Wi‑Fi, NAT, DHCP, and basic firewall, serving a small number of devices over one internet link.
On-premises vs cloud vs hybrid
On-premises: services hosted in your own data center/campus. Cloud: services hosted in public cloud or SaaS. Hybrid: mix of on-prem and cloud, connected via VPN or dedicated links.
Default gateway
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
NAT
Network Address Translation (NAT) is a method of translating private IP addresses to public IP addresses, and vice versa, as packets traverse a router or firewall.
DHCP
The Dynamic Host Configuration Protocol (DHCP) automatically assigns IP configuration parameters such as IP address, subnet mask, default gateway, and DNS servers to clients.
DNS
The Domain Name System (DNS) is a distributed database that maps human-readable hostnames to IP addresses and other resource records.
ACL
An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.

Pulling It Together: How This Appears on the CCNA and Next Steps

Exam Patterns

Expect questions that ask you to identify the topology from a diagram, pick the best design for a scenario, or reason about behavior (e.g., what fails, how many hops, where to place ACLs).

Links to Other Topics

These architectures are the stage on which routing, VLANs, STP, ACLs, and security devices act. Knowing the stage helps you predict where each technology is used.

Using Skarp Tools

In your Skarp diagnostics and mock exams, focus on diagram questions. Your spaced review queue and gap guide will reinforce whichever topology areas you miss.

Readiness Check

If you can glance at a diagram and say which campus, WAN, and cloud pattern it shows, you are well prepared for this slice of the CCNA exam blueprint.

Key Terms

ACL
An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
DNS
The Domain Name System (DNS) is a distributed database that maps human-readable hostnames to IP addresses and other resource records.
NAT
Network Address Translation (NAT) is a method of translating private IP addresses to public IP addresses, and vice versa, as packets traverse a router or firewall.
DHCP
The Dynamic Host Configuration Protocol (DHCP) automatically assigns IP configuration parameters such as IP address, subnet mask, default gateway, and DNS servers to clients.
OSPFv2
Open Shortest Path First version 2 (OSPFv2) is a link-state interior gateway protocol used to exchange IPv4 routing information within a single autonomous system.
On-premises
Services and infrastructure hosted in an organization’s own data center or campus.
Full mesh WAN
WAN topology where every site has a direct link to every other site, offering high resiliency but high cost and complexity.
SOHO topology
Small Office/Home Office network, typically a single all-in-one router with Wi‑Fi, NAT, DHCP, and basic firewall.
Cloud-connected
Topology where services are hosted in public cloud or SaaS, reached via VPNs or dedicated links from the enterprise network.
Default gateway
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Hub-and-spoke WAN
WAN topology with a central hub site and multiple spokes, where spokes usually reach each other via the hub.
Three-tier campus
Campus design with access, distribution, and core layers to improve scalability, performance, and resiliency in larger environments.
Hybrid connectivity
Mix of on-premises and cloud-hosted services with connectivity between them (VPN or dedicated links).
Spine-leaf architecture
Fabric with leaf switches connecting to end devices and all spine switches, providing predictable two-hop latency and many equal-cost paths.
Two-tier (collapsed core) campus
Campus design with access layer switches and a combined distribution/core layer, used for small to medium sites.
Software-defined networking (SDN)
Software-defined networking (SDN) is an architectural approach that separates the control plane from the data plane, enabling centralized control of network behavior through software-based controllers and APIs.
