Three-Tier Network Architecture Lab: Building Enterprise-Grade Networks with Core, Distribution & Access Layers
Networking Labs · Cisco Hierarchical Design
A hands-on guide to designing, cabling, and configuring a hierarchical three-tier network — including VLANs, inter-VLAN routing, subnetting, port security, and troubleshooting.
www.thenetworkdna.com | ⏱ 12 min read | CCNA / CCNP Level
Whether you are studying for the Cisco CCNA or CCNP Enterprise certifications, or designing a production network for a real organization, the three-tier hierarchical model is one of the most foundational architectures you will ever work with. It is the backbone behind virtually every medium-to-large enterprise campus network in existence.
What Is the Three-Tier Network Model?
The three-tier (or three-layer) hierarchical model is a Cisco-advocated network design that divides an enterprise LAN into three distinct layers: the Access Layer, the Distribution Layer, and the Core Layer. Each layer has a specific role, making the network modular, scalable, and far easier to troubleshoot than a flat design.
Table of Contents
- 1. Why Hierarchical Network Design? The Scalability Problem Explained
- 2. The Three Layers: Roles and Responsibilities
- 3. Lab Topology Overview
- 4. Access Layer Configuration
- 5. Distribution Layer Configuration
- 6. Core Layer Configuration
- 7. Inter-VLAN Routing with Layer 3 Switches
- 8. Port Security on Access Switches
- 9. Verification and Troubleshooting Commands
- 10. Three-Tier vs Two-Tier (Collapsed Core) — When to Use Which
- 11. Key Takeaways
1. Why Hierarchical Network Design? The Scalability Problem Explained
Before understanding the three-tier model, it is essential to understand the problem it solves. In a small network with two or three switches, you can interconnect every device to every other device in a full-mesh topology and things work perfectly. The moment your network grows, however, this approach collapses.
With 10 switches connected in full mesh you need 45 links (n(n−1)/2 for n switches) and 9 ports on every switch just for switch-to-switch links. Scale that to 150 switches and you need 11,175 links, each consuming a port at both ends, which is clearly unworkable. Full-mesh designs are expensive, wasteful, and a nightmare to troubleshoot.
Key Networking Principle
"Complex fails, simple scales." — Hierarchical design replaces an unmanageable mesh with an organised, layered structure where each switch needs only two uplinks, dramatically reducing cabling cost and complexity.
The three-tier solution breaks the network into modular blocks. Adding a new department means adding a new access switch with just two uplinks; the rest of the network does not change. This modular growth is what makes the model scale so well.
2. The Three Layers: Roles and Responsibilities
Each tier in the architecture has a well-defined purpose. Understanding these roles before touching any configuration is crucial.
Access Layer — Tier 1 (Bottom)
The Access Layer is where end-user devices connect to the network. This includes desktops, laptops, IP phones, printers, wireless access points, and IoT sensors. It is the most numerous layer — a large campus may have hundreds of access switches.
Primary Functions:
- Provide physical connectivity for end-user devices
- VLAN assignment per port (switchport access vlan)
- Port security to limit MAC addresses per port
- Dynamic ARP Inspection (DAI) and DHCP snooping
- PoE (Power over Ethernet) for IP phones and WAPs
- Spanning Tree Protocol (STP) portfast / BPDU guard
Distribution Layer — Tier 2 (Middle)
The Distribution Layer aggregates traffic from multiple access switches and routes it toward the core. This is where most of the intelligence lives — routing decisions, policy enforcement, and VLAN management all happen here. Distribution switches are typically Layer 3 switches (multilayer switches).
Primary Functions:
- Aggregate uplinks from access layer switches
- Inter-VLAN routing via Switched Virtual Interfaces (SVIs)
- Apply routing policies, ACLs, and QoS
- Redundant uplinks to the core (HSRP / VRRP for gateway redundancy)
- Summarise routes to reduce routing table size at the core
- Act as the boundary between Layer 2 (access) and Layer 3 (core)
Core Layer — Tier 3 (Top)
The Core Layer is the high-speed backbone of the network. Its sole purpose is to move packets between distribution blocks as fast as possible. It should never perform complex processing like ACL evaluation or policy enforcement — that belongs in the distribution layer. Core switches are the most powerful devices in the network.
Primary Functions:
- High-speed, low-latency switching between distribution blocks
- Full mesh or partial mesh between core switches for redundancy
- Layer 3 routing with dynamic protocols (OSPF, EIGRP)
- Uplinks to ISP routers or WAN edge devices
- No access ports — exclusively uplinks and inter-core links
3. Lab Topology Overview
The three-tier lab implements a realistic campus topology that mirrors what you would find in a medium-to-large enterprise. The typical device stack used in this kind of lab includes the following.
| Device Role | Layer | Typical Device | Quantity |
|---|---|---|---|
| Core Switch | Core | Cisco Catalyst 3650 / 4500 | 2 (redundant pair) |
| Distribution Switch | Distribution | Cisco Catalyst 3560 / 3750 | 2–4 (per building block) |
| Access Switch | Access | Cisco Catalyst 2960 | 4–8 (per distribution block) |
| ISP / Edge Router | WAN Edge | Cisco ISR 1941 / 2911 | 1–2 (for WAN / Internet) |
| End Devices | Access | PCs, Laptops, Servers | Multiple (per department VLAN) |
Topology Note: In the lab, VLANs are typically segmented by department — e.g., VLAN 10 for Management, VLAN 20 for Sales, VLAN 30 for IT, VLAN 40 for Finance, VLAN 99 for native/trunk. Trunk links (802.1Q) carry all VLANs between access and distribution switches, while routed Layer 3 links connect distribution to core.
4. Access Layer Configuration
Access switches are configured first. Start with foundational switch hardening, then define VLANs, configure access ports, and set up trunk uplinks to the distribution layer.
Step 1 — Basic Switch Hardening
Switch> enable
Switch# configure terminal
Switch(config)# hostname AS1
AS1(config)# enable secret cisco123
AS1(config)# banner motd # Authorised Access Only #
AS1(config)# no ip domain-lookup
AS1(config)# service password-encryption
AS1(config)# username admin secret cisco123
! Added: RSA key generation fails unless a domain name is set first; lab.local is an assumed value
AS1(config)# ip domain-name lab.local
AS1(config)# crypto key generate rsa modulus 2048
AS1(config)# line vty 0 15
AS1(config-line)# login local
AS1(config-line)# transport input ssh
AS1(config-line)# exec-timeout 5 0
Step 2 — VLAN Creation and Access Port Assignment
AS1(config)# vlan 10
AS1(config-vlan)# name Management
AS1(config)# vlan 20
AS1(config-vlan)# name Sales
AS1(config)# vlan 30
AS1(config-vlan)# name IT
AS1(config)# vlan 40
AS1(config-vlan)# name Finance
AS1(config)# vlan 99
AS1(config-vlan)# name Native
AS1(config)# interface range fa0/1-8
AS1(config-if-range)# switchport mode access
AS1(config-if-range)# switchport access vlan 20
AS1(config-if-range)# spanning-tree portfast
AS1(config-if-range)# spanning-tree bpduguard enable
Step 3 — Trunk Uplinks to Distribution
AS1(config)# interface gi0/1
AS1(config-if)# switchport mode trunk
AS1(config-if)# switchport trunk native vlan 99
AS1(config-if)# switchport trunk allowed vlan 10,20,30,40,99
AS1(config-if)# no shutdown
5. Distribution Layer Configuration
Distribution switches are Layer 3 multilayer switches. They receive trunk links from all access switches below them and routed links to the core above. This is also where HSRP is configured for default gateway redundancy.
Enable IP Routing and Configure SVIs
DS1(config)# ip routing
! Added: the VLANs must exist in DS1's VLAN database and be carried by an up trunk, or the SVIs stay down/down
DS1(config)# vlan 10,20,30,40,99
! Assumed downlink trunk to AS1 (the interface name is an assumption); 3560/3750 need the encapsulation line before trunk mode
DS1(config)# interface gi1/1
DS1(config-if)# switchport trunk encapsulation dot1q
DS1(config-if)# switchport mode trunk
DS1(config-if)# switchport trunk native vlan 99
DS1(config-if)# switchport trunk allowed vlan 10,20,30,40,99
DS1(config)# interface vlan 10
DS1(config-if)# ip address 10.10.10.1 255.255.255.0
DS1(config-if)# no shutdown
DS1(config)# interface vlan 20
DS1(config-if)# ip address 10.10.20.1 255.255.255.0
DS1(config-if)# no shutdown
DS1(config)# interface vlan 30
DS1(config-if)# ip address 10.10.30.1 255.255.255.0
DS1(config-if)# no shutdown
DS1(config)# interface vlan 40
DS1(config-if)# ip address 10.10.40.1 255.255.255.0
DS1(config-if)# no shutdown
Configure Routed Uplink to Core
DS1(config)# interface gi1/0
DS1(config-if)# no switchport
DS1(config-if)# ip address 172.16.1.2 255.255.255.252
DS1(config-if)# no shutdown
! Added: DS1 must run OSPF as well, otherwise the core never learns the 10.10.x.0/24 VLAN subnets behind it
DS1(config)# router ospf 1
DS1(config-router)# network 172.16.1.0 0.0.0.3 area 0
DS1(config-router)# network 10.10.0.0 0.0.255.255 area 0
Configure HSRP for Gateway Redundancy
DS1(config)# interface vlan 20
DS1(config-if)# standby 20 ip 10.10.20.254
DS1(config-if)# standby 20 priority 110
DS1(config-if)# standby 20 preempt
DS2(config)# interface vlan 20
! Added: DS2 needs its own SVI address in the subnet before HSRP can run; 10.10.20.2 is an assumed value
DS2(config-if)# ip address 10.10.20.2 255.255.255.0
DS2(config-if)# standby 20 ip 10.10.20.254
DS2(config-if)# standby 20 priority 90
6. Core Layer Configuration
Core switches run purely at Layer 3. They have no access ports and should never be burdened with policy processing. Their configuration is lean — IP routing, dynamic routing protocol, and uplinks only.
CS1(config)# ip routing
CS1(config)# interface gi0/1
CS1(config-if)# no switchport
CS1(config-if)# ip address 172.16.1.1 255.255.255.252
CS1(config-if)# no shutdown
CS1(config)# interface gi0/2
CS1(config-if)# no switchport
CS1(config-if)# ip address 172.16.1.5 255.255.255.252
CS1(config-if)# no shutdown
CS1(config)# router ospf 1
CS1(config-router)# router-id 1.1.1.1
CS1(config-router)# network 172.16.0.0 0.0.255.255 area 0
CS1(config-router)# passive-interface default
CS1(config-router)# no passive-interface gi0/1
CS1(config-router)# no passive-interface gi0/2
The same OSPF configuration is applied to CS2, with its own router-id and its own /30 link addresses. Both core switches learn the routes of the distribution blocks attached to them and exchange those routes with each other, forming the routing backbone.
7. Inter-VLAN Routing with Layer 3 Switches
With VLANs segmenting departments, devices in VLAN 20 (Sales) cannot talk to devices in VLAN 30 (IT) without routing. In the three-tier model, this routing happens at the Distribution Layer via SVIs — not on a router, not via router-on-a-stick. This is critical to understand for CCNA and CCNP exams alike.
| VLAN | Name | Subnet | SVI Address (DS1) |
|---|---|---|---|
| VLAN 10 | Management | 10.10.10.0/24 | 10.10.10.1 |
| VLAN 20 | Sales | 10.10.20.0/24 | 10.10.20.1 |
| VLAN 30 | IT | 10.10.30.0/24 | 10.10.30.1 |
| VLAN 40 | Finance | 10.10.40.0/24 | 10.10.40.1 |
| VLAN 99 | Native / Trunk | 192.168.99.0/24 | 192.168.99.1 |
Where HSRP is configured (VLAN 20 in this lab), end devices use the virtual address 10.10.20.254 as their default gateway, not DS1's SVI address, so that the gateway survives a DS1 failure.
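The VLAN table above, the trunk allowed list from the access layer, the HSRP virtual address and the core's OSPF network statement all have to agree with each other before any verification command will show a healthy network. The following audit script is an added example, not part of the original lab; it encodes the lab's plan as constructed data and checks SVI placement, trunk pruning, overlapping subnets, native-VLAN hygiene and whether the OSPF wildcard actually covers the routed /30 links. The `wildcard_to_network` helper and the `audit_plan` function are mine.

```python
import ipaddress
from itertools import combinations

# Constructed from the lab plan: VLAN -> (name, subnet, DS1 SVI address)
LAB_VLANS = {
    10: ("Management", "10.10.10.0/24", "10.10.10.1"),
    20: ("Sales", "10.10.20.0/24", "10.10.20.1"),
    30: ("IT", "10.10.30.0/24", "10.10.30.1"),
    40: ("Finance", "10.10.40.0/24", "10.10.40.1"),
}
LAB_NATIVE_VLAN = 99                                    # switchport trunk native vlan 99
LAB_TRUNK_ALLOWED = {10, 20, 30, 40, 99}                # switchport trunk allowed vlan 10,20,30,40,99
LAB_HSRP_VIPS = {20: "10.10.20.254"}                    # standby 20 ip 10.10.20.254
LAB_ROUTED_LINKS = ["172.16.1.0/30", "172.16.1.4/30"]   # the /30 links on CS1 gi0/1 and gi0/2
LAB_OSPF_NETWORK = ("172.16.0.0", "0.0.255.255")        # network 172.16.0.0 0.0.255.255 area 0

def wildcard_to_network(addr, wildcard):
    """Turn an OSPF 'network ADDR WILDCARD' statement into the prefix it matches."""
    mask = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    prefix = bin(mask).count("1")
    if (mask + (1 << (32 - prefix))) & 0xFFFFFFFF:      # ones are not contiguous
        raise ValueError(f"wildcard {wildcard} is not a contiguous mask")
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def audit_plan(vlans, native_vlan, trunk_allowed, hsrp_vips, routed_links, ospf_network):
    """Return a list of findings; an empty list means the plan is internally consistent."""
    findings, nets = [], {}
    for vid, (name, subnet, svi) in vlans.items():
        net = nets[vid] = ipaddress.ip_network(subnet)
        if ipaddress.ip_address(svi) not in net:
            findings.append(f"VLAN {vid} ({name}): SVI {svi} is outside {subnet}")
        if vid not in trunk_allowed:
            findings.append(f"VLAN {vid} ({name}): pruned from the trunk allowed list")
        vip = hsrp_vips.get(vid)
        if vip and (ipaddress.ip_address(vip) not in net or vip == svi):
            findings.append(f"VLAN {vid} ({name}): HSRP VIP {vip} must be a free address in {subnet}")
    for (a, na), (b, nb) in combinations(nets.items(), 2):
        if na.overlaps(nb):
            findings.append(f"VLAN {a} and VLAN {b} subnets overlap ({na} / {nb})")
    if native_vlan in vlans:            # the native VLAN should carry no user subnet
        findings.append(f"native VLAN {native_vlan} also carries a user subnet")
    if native_vlan not in trunk_allowed:
        findings.append(f"native VLAN {native_vlan} is pruned from the trunk")
    area = wildcard_to_network(*ospf_network)
    for link in routed_links:
        if not ipaddress.ip_network(link).subnet_of(area):
            findings.append(f"routed link {link} is not matched by OSPF network {area}")
    return findings
```

Run it once against the plan as built, then again after each change to a trunk allowed list or HSRP group; a non-empty result is the mistake you would otherwise chase with `show ip route` and `show standby brief`.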
8. Port Security on Access Switches
Port security is configured at the Access Layer to prevent unauthorized devices from connecting to the network. It limits the number of MAC addresses that can be learned on a port and defines what happens if that limit is violated.
AS1(config)# interface range fa0/1-8
AS1(config-if-range)# switchport port-security
AS1(config-if-range)# switchport port-security maximum 2
AS1(config-if-range)# switchport port-security mac-address sticky
AS1(config-if-range)# switchport port-security violation restrict
| Violation Mode | Traffic | Syslog | Port Shutdown |
|---|---|---|---|
| Shutdown | Dropped | Yes | Yes (err-disabled) |
| Restrict | Dropped | Yes | No (port stays up) |
| Protect | Dropped | No | No (port stays up) |
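With `violation restrict`, as configured above, the port stays up and the only evidence of a rogue device is the syslog message the switch emits, so those messages need to be collected and watched. The script below is an added example, not part of the original lab: it parses constructed IOS syslog lines of the kind AS1 would send (the `%PORT_SECURITY-2-PSECURE_VIOLATION` and `%PM-4-ERR_DISABLE` messages), normalises interface names, and flags ports that were err-disabled or that hit repeated violations. The sample lines, `short_ifname` and `summarise_port_security` are mine.

```python
import re
from collections import defaultdict

# Constructed sample of what AS1 would send to a syslog collector while port security is active.
SAMPLE_LOG = """\
*Mar  1 00:10:02.114: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.29ab.cdef on port FastEthernet0/3.
*Mar  1 00:10:02.901: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 000c.29ab.cdef on port FastEthernet0/3.
*Mar  1 00:10:05.330: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 0050.56aa.1122 on port FastEthernet0/3.
*Mar  1 00:11:40.008: %PORT_SECURITY-2-PSECURE_VIOLATION: Security violation occurred, caused by MAC address 001b.2c3d.4e5f on port FastEthernet0/7.
*Mar  1 00:11:40.010: %PM-4-ERR_DISABLE: psecure-violation error detected on Fa0/7, putting Fa0/7 in err-disable state
*Mar  1 00:11:42.000: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/7, changed state to down
"""

VIOLATION_RE = re.compile(r"%PORT_SECURITY-2-PSECURE_VIOLATION: .*?MAC address ([0-9a-f.]+) on port (\S+?)\.?$")
ERRDISABLE_RE = re.compile(r"%PM-4-ERR_DISABLE: psecure-violation error detected on (\S+),")

def short_ifname(name):
    """Normalise 'FastEthernet0/3' and 'Fa0/3' to the same key (Fa0/3)."""
    return re.sub(r"^([A-Za-z]{2})[A-Za-z]*", r"\1", name)

def summarise_port_security(log_text, repeat_threshold=3):
    """Per-port view of violations; 'needs_review' marks err-disabled or repeatedly violated ports."""
    ports = defaultdict(lambda: {"violations": 0, "macs": set(), "err_disabled": False})
    for line in log_text.splitlines():
        m = VIOLATION_RE.search(line)
        if m:
            port = ports[short_ifname(m.group(2))]
            port["violations"] += 1
            port["macs"].add(m.group(1))
            continue
        m = ERRDISABLE_RE.search(line)
        if m:                      # only 'shutdown' mode produces this; 'restrict' keeps the port up
            ports[short_ifname(m.group(1))]["err_disabled"] = True
    for port in ports.values():
        # In restrict mode repeated violations are the only sign of a persistent unknown device.
        port["needs_review"] = port["err_disabled"] or port["violations"] >= repeat_threshold
    return dict(ports)
```

Note that `violation protect` produces no syslog at all, so a port in that mode is invisible to this kind of detection; that is the main reason to prefer restrict or shutdown on user ports.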
9. Verification and Troubleshooting Commands
After completing configuration, use these commands to verify the network is operating correctly at each layer.
Access Layer Verification
show vlan brief
show interfaces trunk
show spanning-tree
show port-security interface fa0/1
show port-security address
Distribution Layer Verification
show ip interface brief
show ip route
show interfaces vlan 20
show standby brief
ping 10.10.30.1 source vlan 20
Core Layer Verification
show ip route ospf
show ip ospf neighbor
show ip ospf interface brief
traceroute 10.10.40.10
show ip protocols
10. Three-Tier vs Two-Tier (Collapsed Core) — When to Use Which
The two-tier architecture (also called collapsed core) merges the distribution and core layers into one. It is simpler and cheaper, but trades scalability for cost savings. Understanding when each model is appropriate is a core CCNP exam topic.
| Factor | Three-Tier | Two-Tier (Collapsed Core) |
|---|---|---|
| Network Size | Large enterprise (500+ devices) | Small / Medium (50–500 devices) |
| Scalability | Very high — modular expansion | Limited — harder to scale |
| Cost | Higher (more devices) | Lower (fewer devices) |
| Redundancy | Excellent — multiple failure domains | Good — but single point of risk |
| Troubleshooting | Faults isolated per layer | Fewer layers — simpler but wider blast radius |
| Best For | Multi-building campus, hospitals, universities | Single-building offices, branch sites |
11. Key Takeaways
- Full-mesh topology fails at scale — the three-tier model solves this with a modular, layered design where each switch only needs two uplinks.
- The Access Layer provides connectivity for end devices; the Distribution Layer routes between VLANs and enforces policy; the Core Layer moves traffic fast without processing.
- SVIs (Switched Virtual Interfaces) on Layer 3 distribution switches are the standard method for inter-VLAN routing in enterprise networks — not router-on-a-stick.
- HSRP or VRRP at the distribution layer ensures that even if one distribution switch fails, the default gateway for end devices remains reachable.
- OSPF or EIGRP at the core layer dynamically builds the routing table, ensuring fast convergence if a link or device fails.
- Port security at the access layer is the first line of defense against rogue device connections.
- The two-tier collapsed core model is a valid, simpler alternative for smaller networks where a dedicated core layer would add unnecessary cost and complexity.
- Always save your configuration with write memory or copy running-config startup-config after every change.
Final Thoughts
Whether you run it in Cisco Packet Tracer, GNS3, or physical gear, working through this lab will give you the muscle memory and conceptual clarity that no textbook alone can provide. The three-tier architecture is not just an exam topic — it is the foundational design pattern behind the networks that power modern enterprise computing.