7.2.3

Campus architectures

A campus is a sizable network composed of a large building or multiple buildings with different purposes. The density of ports and users depends on the use case, and, even in the same organization, there can be multiple different implementations of the campus. For example, a campus can be any of the following:

  • A university

  • A conference hall

  • An airport

  • A Navy ship

  • A site with manufacturing facilities, shipping docks, warehouses, and administrative offices

  • A financial services headquarters

Because of the diverse use cases, a campus network cannot be considered a one-size-fits-all implementation. Nevertheless, the essence of the design proposed by Fortinet in campus environments is based on the following factors:

  • Security

  • Usability

  • Scalability

  • Flexibility

  • Resiliency

Whether you require very high availability of the network or only continued availability with lower levels of resiliency, this guide discusses the options for the recommended designs, focusing on the most critical environments because they are the most difficult to understand, handle, and deploy. You can choose less demanding designs if waiting for a firewall, switch, or access point (AP) replacement is acceptable, or if you rely on spare units stocked at some facility. The designs proposed here aim for seamless operation under high availability, taking into account multiple hardware failures and denial-of-service (DoS) attacks against specific elements in the network.

You can also provide wired and wireless secure guest access for your visitors, contractors, and temporary workers, such as interns, with the possibility to segment the network and isolate their traffic.

The trend towards Everything-as-a-Service has dramatically disrupted the traffic path in the campus. The campus now needs to be flexible and scalable. This includes voice and video conferencing between people in the same building, each person using an individual device instead of congregating in meeting rooms, and communicating with remote workers who are not in the office every day. It is now commonplace for people to launch Zoom or GoTo Meeting, for example, in a one-to-one meeting just to be able to share their screens, so all the traffic is forwarded not to one another but, through the firewall, to a central location hosted in the cloud. Even with Zoom's on-premise solution, the traffic flows through a central meeting connector VM in the company's private cloud, not directly between users. Telephony connections still need to use the Zoom Cloud, as explained in the Zoom Help Center.

Because most applications are no longer reached through the traditional data center, the edge network must be even more secure and intelligent, so that traffic to applications hosted in the cloud cannot escape or bypass the security controls.

This guide recommends decoupling the logical path from the underlying physical layout of the network to cope with these emerging trends, which are reducing east-west traffic in a campus to a few use cases such as direct VoIP phone calls and direct printing (without a network-attached printer spooling through a print server).

Because 802.1X supplicants are now pervasive in both wired and wireless clients (and in more devices, such as wireless access points), and network access control (NAC) has been adopted in network and security elements, the campus design must be able to evolve substantially and simplify the tasks of deploying a new switch or AP.
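The following FortiOS CLI fragment is an added illustration of two of the points made above: isolated guest access, and 802.1X with NAC on managed switch ports so that adding an access port or switch means reusing one policy object rather than configuring each port by hand. It is not taken from this guide; the interface names, VLAN IDs, RADIUS server address, switch serial number and port name are assumed values, and a "quarantine" VLAN interface is assumed to exist already.

```fortios
# Added example, not part of this guide. Names, VLAN IDs, addresses, the switch
# serial number and the "quarantine" VLAN interface are assumptions.

# Guest VLAN on the FortiLink fabric. Guests get an address from the FortiGate
# but have no path into corporate VLANs unless a firewall policy allows it.
config system interface
    edit "guest"
        set vdom "root"
        set ip 10.250.0.1 255.255.255.0
        set allowaccess ping
        set device-identification enable
        set role lan
        set interface "fortilink"
        set vlanid 250
    next
end

# RADIUS server used for 802.1X (EAP) and MAC authentication bypass.
config user radius
    edit "campus-nac"
        set server "10.10.10.20"
        set secret <redacted>
    next
end
config user group
    edit "campus-dot1x-users"
        set member "campus-nac"
    next
end

# Port security policy: authenticated devices get the VLAN the RADIUS server
# assigns, devices with no supplicant land in the guest VLAN, and failed
# authentications are placed in the quarantine VLAN.
config switch-controller security-policy 802-1X
    edit "campus-dot1x"
        set security-mode 802.1X
        set user-group "campus-dot1x-users"
        set mac-auth-bypass enable
        set eap-passthru enable
        set guest-vlan enable
        set guest-vlan-id "guest"
        set auth-fail-vlan enable
        set auth-fail-vlan-id "quarantine"
        set radius-timeout-overwrite enable
    next
end

# Apply the same policy object to an access port. Every additional port or
# switch reuses it, which is what keeps onboarding simple.
config switch-controller managed-switch
    edit "S124EPTF19001234"
        config ports
            edit "port5"
                set port-security-policy "campus-dot1x"
            next
        end
    next
end

# Guest traffic may reach the internet only. No policy from "guest" to any
# internal interface exists, so the implicit deny blocks everything else.
config firewall policy
    edit 0
        set name "guest-to-internet"
        set srcintf "guest"
        set dstintf "wan1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "HTTP" "HTTPS" "DNS"
        set nat enable
    next
end
```

Check the result with `diagnose switch-controller switch-info 802.1X` on the FortiGate, which lists each port's authentication state and the VLAN it was placed in; a guest device should show up in VLAN 250 and a failed supplicant in the quarantine VLAN.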

This section covers the following topics: