# Modular Network Design: A Scalable Architecture Framework ## Introduction to Modular Network Design Network modularity is the practice of designing networks as interconnected, purpose-built segments rather than monolithic structures. Each module serves a specific function, has defined boundaries, and connects to adjacent modules through well-understood interfaces. This approach transforms network design from an art into a repeatable engineering discipline. The power of modularity lies in its ability to create **predictable patterns** that can be applied consistently across an organization's entire infrastructure footprint—whether that spans tens of thousands of small sites, thousands of medium sites, or hundreds of large enterprise campuses. ## Why Modularity Matters ### Benefits Across All Network Scales | Benefit | Small Sites | Medium Sites | Large Sites | |---------|-------------|--------------|-------------| | **Simplified Troubleshooting** | Single engineer can understand entire topology | Teams can specialize by module | Clear escalation paths between module owners | | **Predictable Scaling** | Add modules as needed | Clone proven patterns | Extend without redesign | | **Consistent Security** | Same policies everywhere | Uniform compliance posture | Auditable boundaries | | **Operational Efficiency** | Template-based deployment | Automated provisioning | Standardized change management | | **Cost Control** | Right-size each module | Bulk purchasing by module type | Lifecycle management by tier | ### The Scaling Challenge Organizations rarely stay static. A modular design must accommodate: - **10,000+ small sites**: Branch offices, retail locations, remote facilities - **1,000+ medium sites**: Regional offices, distribution centers, manufacturing plants - **100+ large sites**: Headquarters, data centers, major campuses Without modularity, each site becomes a unique snowflake requiring custom documentation, specialized training, and one-off troubleshooting. With modularity, an engineer who understands the pattern can work effectively at any site. --- ## Core Network Modules ### Module 1: Internet Edge Segment The Internet Edge is where your organization meets the outside world. This module contains: - **WAN/Internet circuits** (MPLS, DIA, broadband, LTE/5G) - **Edge routers** (BGP peering, WAN termination) - **Firewalls** (stateful inspection, NAT, VPN termination) - **VLAN segmentation** for functional separation ```plantuml @startuml Internet Edge Module !define ICONURL https://raw.githubusercontent.com/Roemer/plantuml-office/master/office2014 skinparam backgroundColor #FEFEFE skinparam handwritten false nwdiag { internet [shape = cloud, description = "Internet"]; network ISP_Transit { address = "VLAN 10-12" color = "#FFE4E1" description = "ISP/MPLS Transit" internet; ISP_A [description = "ISP-A\nCircuit"]; ISP_B [description = "ISP-B\nCircuit"]; MPLS [description = "MPLS\nCircuit"]; } network Edge_Router_Segment { address = "VLAN 10,11,12" color = "#E6E6FA" description = "Edge Router Aggregation" ISP_A; ISP_B; MPLS; Edge_Router [description = "Edge Router\n(BGP Peering)"]; } network FW_Outside { address = "VLAN 100" color = "#FFFACD" description = "Firewall Outside" Edge_Router; FW_Primary [description = "Firewall\nPrimary"]; FW_Secondary [description = "Firewall\nSecondary"]; } network FW_HA_Sync { address = "VLAN 101" color = "#F0FFF0" description = "HA Sync Link" FW_Primary; FW_Secondary; } network FW_Inside { address = "VLAN 102" color = "#E0FFFF" description = "To Internal Edge" FW_Primary; FW_Secondary; } } @enduml ``` **Key Design Principles:** - Redundant circuits from diverse providers - Firewall high-availability pairs - Clear VLAN boundaries between trust zones - L3 point-to-point links between router and firewall --- ### Module 2: Internal Edge / DMZ Tier For medium and large sites, the Internal Edge provides an aggregation layer for services that require controlled exposure or serve as transition points between security zones. ```plantuml @startuml Internal Edge Module skinparam backgroundColor #FEFEFE nwdiag { network From_Internet_Edge { address = "VLAN 102" color = "#E0FFFF" description = "From Firewall Inside" IntEdge_A [description = "Internal Edge\nSwitch A"]; IntEdge_B [description = "Internal Edge\nSwitch B"]; } network MCLAG_Peer { address = "Peer-Link" color = "#DDA0DD" description = "MCLAG/vPC Peer" IntEdge_A; IntEdge_B; } network WLC_Mgmt { address = "VLAN 200 - 10.x.200.0/24" color = "#FFE4B5" description = "WLC Management" IntEdge_A; IntEdge_B; WLC [description = "Wireless LAN\nController"]; } network Proxy_Farm { address = "VLAN 201 - 10.x.201.0/24" color = "#FFDAB9" description = "Proxy Services" IntEdge_A; IntEdge_B; Proxy [description = "Web Proxy\nServers"]; } network VPN_Services { address = "VLAN 202 - 10.x.202.0/24" color = "#E6E6FA" description = "VPN Termination" IntEdge_A; IntEdge_B; VPN [description = "VPN\nConcentrator"]; } network Infrastructure { address = "VLAN 204 - 10.x.204.0/24" color = "#F0FFF0" description = "Infrastructure Services" IntEdge_A; IntEdge_B; DNS_DHCP [description = "DNS/DHCP\nServers"]; } network To_Core { address = "VLAN 205" color = "#B0E0E6" description = "Core Transit" IntEdge_A; IntEdge_B; } } @enduml ``` **Services Typically in Internal Edge:** - Wireless LAN Controllers (WLC) - Web proxies and content filters - VPN concentrators - DNS/DHCP infrastructure - Load balancers - Jump hosts / bastion servers --- ### Module 3: Core Layer The Core is the high-speed backbone that interconnects all other modules. It should be optimized for: - Maximum throughput - Minimum latency - High availability - Simple, fast forwarding ```plantuml @startuml Core Module skinparam backgroundColor #FEFEFE nwdiag { network From_Internal_Edge { address = "L3 Routed" color = "#B0E0E6" description = "From Internal Edge" Core_A [description = "Core Switch A\n100G Backbone"]; Core_B [description = "Core Switch B\n100G Backbone"]; } network Core_Interconnect { address = "100G+ ISL" color = "#FFB6C1" description = "High-Speed Interconnect\nOSPF/IS-IS/BGP" Core_A; Core_B; } network To_Distribution_1 { address = "L3 P2P" color = "#98FB98" description = "Building A" Core_A; Core_B; Dist_1 [description = "Distribution 1\n(L3 Adjacent)"]; } network To_Distribution_2 { address = "L3 P2P" color = "#DDA0DD" description = "Building B" Core_A; Core_B; Dist_2 [description = "Distribution 2\n(MCLAG)"]; } network To_Distribution_3 { address = "L3 P2P" color = "#FFDAB9" description = "Building C" Core_A; Core_B; Dist_3 [description = "Distribution 3\n(MCLAG)"]; } network To_DC_Border { address = "L3 Routed" color = "#87CEEB" description = "Datacenter" Core_A; Core_B; Border_Leaf [description = "Border Leaf\n(DC Fabric)"]; } } @enduml ``` **Core Design Principles:** - No directly attached end-user devices - L3 routing between core switches (no spanning tree) - Equal-cost multipath (ECMP) for load distribution - Fast convergence protocols --- ### Module 4: Distribution Layer The Distribution layer aggregates Access switches and enforces policy. This is where network design choices have the most variation based on site requirements. --- ## Distribution Tier Variations ### Variation 1: L3 Adjacent (Routed Access) In this design, the distribution and access layers are **L3 adjacent**—each access switch has its own IP subnet and routes directly to distribution. ```plantuml @startuml Distribution Variation 1 - L3 Adjacent skinparam backgroundColor #FEFEFE nwdiag { network From_Core { address = "L3 ECMP" color = "#B0E0E6" description = "From Core Layer" Dist_A [description = "Distribution A\n(L3 Router)"]; Dist_B [description = "Distribution B\n(L3 Router)"]; } network Dist_iBGP { address = "iBGP Peering" color = "#DDA0DD" description = "ECMP/iBGP" Dist_A; Dist_B; } network P2P_Access_1 { address = "10.x.2.0/30" color = "#98FB98" description = "L3 Point-to-Point" Dist_A; Dist_B; Access_1 [description = "Access SW-1\n(L3 Gateway)"]; } network P2P_Access_2 { address = "10.x.2.8/30" color = "#FFE4B5" description = "L3 Point-to-Point" Dist_A; Dist_B; Access_2 [description = "Access SW-2\n(L3 Gateway)"]; } network P2P_Access_3 { address = "10.x.2.16/30" color = "#FFDAB9" description = "L3 Point-to-Point" Dist_A; Dist_B; Access_3 [description = "Access SW-3\n(L3 Gateway)"]; } network User_VLAN_1 { address = "10.x.32.0/24" color = "#F0FFF0" description = "Users - SW1" Access_1; Laptop_1 [description = "Laptops"]; Phone_1 [description = "Phones"]; } network User_VLAN_2 { address = "10.x.33.0/24" color = "#FFF0F5" description = "Users - SW2" Access_2; Laptop_2 [description = "Laptops"]; Camera_2 [description = "Cameras"]; } network User_VLAN_3 { address = "10.x.34.0/24" color = "#F5FFFA" description = "Users - SW3" Access_3; Laptop_3 [description = "Workstations"]; Camera_3 [description = "Cameras"]; } } @enduml ``` **Subnet Allocation Example:** | Link | Subnet | |------|--------| | Distribution to Core | 10.x.1.0/30, 10.x.1.4/30 | | Dist-A to Access-1 | 10.x.2.0/30 | | Dist-B to Access-1 | 10.x.2.4/30 | | Access-1 User VLAN | 10.x.32.0/24 | | Access-2 User VLAN | 10.x.33.0/24 | **Benefits:** - Broadcast domain isolation at each access switch - Simplified troubleshooting (issues contained to subnet) - No spanning tree between distribution and access - Summarization possible at distribution layer **Considerations:** - Requires L3-capable access switches - DHCP relay configuration on each access switch - More complex IP address management --- ### Variation 2: MCLAG with LACP Trunks This design uses **Multi-Chassis Link Aggregation (MCLAG)** at distribution with **LACP bonds** to access switches carrying trunked VLANs. > **Vendor Terminology**: Cisco calls this vPC (Virtual Port Channel), Arista uses MLAG, Juniper uses MC-LAG, and HPE/Aruba uses VSX. The functional behavior is similar across vendors. ```plantuml @startuml Distribution Variation 2 - MCLAG skinparam backgroundColor #FEFEFE nwdiag { network From_Core { address = "L3 Routed Uplinks" color = "#B0E0E6" description = "From Core Layer" Dist_A [description = "Distribution A\n(MCLAG Member)"]; Dist_B [description = "Distribution B\n(MCLAG Member)"]; } network MCLAG_Peer_Link { address = "Peer-Link" color = "#FFB6C1" description = "MCLAG/vPC Peer-Link" Dist_A; Dist_B; } network LACP_To_Access { address = "Po1 - LACP Trunk" color = "#DDA0DD" description = "VLANs 100,110,120 Trunked" Dist_A; Dist_B; Access_1 [description = "Access SW-1\n(L2 Switch)"]; } network Data_VLAN { address = "VLAN 100 - 10.x.32.0/24" color = "#98FB98" description = "Data VLAN" Access_1; Laptops [description = "Laptops\nWorkstations"]; } network Voice_VLAN { address = "VLAN 110 - 10.x.64.0/24" color = "#FFE4B5" description = "Voice VLAN" Access_1; Phones [description = "IP Phones"]; } network Security_VLAN { address = "VLAN 120 - 10.x.96.0/24" color = "#FFDAB9" description = "Security VLAN" Access_1; Cameras [description = "Cameras\nBadge Readers"]; } } @enduml ``` **SVI Placement (VRRP VIP on Distribution Pair):** - VLAN 100: 10.x.32.1/24 - VLAN 110: 10.x.64.1/24 - VLAN 120: 10.x.96.1/24 **VLAN Trunk Configuration:** | Port-Channel | VLANs | Destination | |--------------|-------|-------------| | Po1 (MCLAG) | 100,110,120 | Access-1 | | Po2 (MCLAG) | 100,110,120,130 | Access-2 | | Po3 (MCLAG) | 100,110 | Access-3 | | Native VLAN | 999 (unused) | — | **MCLAG Benefits:** - Active-active forwarding (both uplinks utilized) - Sub-second failover - Single logical switch from access perspective - No spanning tree blocking **Considerations:** - VLANs span multiple access switches (larger broadcast domains) - MCLAG peer-link can become bottleneck - STP still required as loop prevention backup --- ### Variation 3: Border Leaf for Spine/Leaf Datacenter In datacenter environments, the distribution layer becomes the **Border Leaf** connecting the spine/leaf fabric to the rest of the enterprise network. ```plantuml @startuml Distribution Variation 3 - Border Leaf Datacenter skinparam backgroundColor #FEFEFE nwdiag { network Enterprise_Core { address = "L3 Routed (eBGP/OSPF)" color = "#B0E0E6" description = "From Enterprise Core" Border_A [description = "Border Leaf A\nVXLAN Gateway"]; Border_B [description = "Border Leaf B\nVXLAN Gateway"]; } network Border_EVPN { address = "VXLAN EVPN" color = "#DDA0DD" description = "EVPN Type-5 Routes" Border_A; Border_B; Spine_1 [description = "Spine 1"]; Spine_2 [description = "Spine 2"]; } network Spine_Fabric { address = "eBGP Underlay" color = "#FFB6C1" description = "Spine Layer" Spine_1; Spine_2; } network Leaf_Tier_1 { address = "VTEP" color = "#98FB98" description = "Compute Rack 1" Spine_1; Spine_2; Leaf_1 [description = "Leaf 1"]; Leaf_2 [description = "Leaf 2"]; } network Leaf_Tier_2 { address = "VTEP" color = "#FFE4B5" description = "Storage/Services" Spine_1; Spine_2; Leaf_3 [description = "Leaf 3"]; Leaf_4 [description = "Leaf 4"]; } network Server_Rack_1 { address = "VNI 10001" color = "#F0FFF0" description = "Compute Servers" Leaf_1; Leaf_2; Servers_1 [description = "Rack Servers\nVMs/Containers"]; } network Storage_Network { address = "VNI 10002" color = "#FFDAB9" description = "Storage Arrays" Leaf_3; Storage [description = "SAN/NAS\nStorage"]; } network Voice_Services { address = "VNI 10003" color = "#E6E6FA" description = "UC Systems" Leaf_4; PBX [description = "PBX/UC\nSystems"]; } } @enduml ``` **Datacenter Fabric Details:** | Component | Function | |-----------|----------| | **Underlay** | eBGP (ASN per switch) or OSPF | | **Overlay** | VXLAN with EVPN control plane | | **Border Leaf** | VXLAN-to-VLAN gateway, External routes, Inter-VRF routing | | **Leaf Workloads** | Compute, Storage, Voice/UC, Infrastructure | **Benefits:** - Massive horizontal scale (add leaf pairs as needed) - Non-blocking fabric architecture - Multi-tenancy via VRF/VNI - Optimal east-west traffic patterns **Considerations:** - Operational complexity of VXLAN/EVPN - Specialized skills required - Higher equipment costs --- ## Module 5: Access Layer The Access layer is where end devices connect. Regardless of distribution topology, access switches provide: ```plantuml @startuml Access Layer Module skinparam backgroundColor #FEFEFE nwdiag { network Distribution_Uplink { address = "L3 or LACP Trunk" color = "#B0E0E6" description = "Uplinks to Distribution" Access_SW [description = "48-Port Access Switch\nPoE+ Capable"]; } network Data_VLAN { address = "VLAN 100 - Ports 1-8, 25-32" color = "#98FB98" description = "Data VLAN" Access_SW; Laptops [description = "Laptops\nWorkstations"]; } network Voice_VLAN { address = "VLAN 110 - Ports 9-16" color = "#FFE4B5" description = "Voice VLAN" Access_SW; Phones [description = "IP Phones"]; } network Camera_VLAN { address = "VLAN 120 - Ports 17-24" color = "#FFDAB9" description = "Security VLAN" Access_SW; Cameras [description = "IP Cameras"]; } network Wireless_VLAN { address = "VLAN 130 - Ports 33-40" color = "#DDA0DD" description = "Wireless AP VLAN" Access_SW; APs [description = "Wireless APs"]; } network Mgmt_VLAN { address = "VLAN 999 - Ports 41-44" color = "#F0FFF0" description = "Management VLAN" Access_SW; } } @enduml ``` **Access Layer Security Features:** - 802.1X / MAB authentication - Dynamic VLAN assignment - Port security - DHCP snooping - Dynamic ARP inspection - IP Source Guard --- ## Complete Modular Topology Here's how all modules connect to form a complete enterprise network: ```plantuml @startuml Complete Modular Network Topology skinparam backgroundColor #FEFEFE title Complete Enterprise Modular Network nwdiag { internet [shape = cloud, description = "Internet/WAN"]; network Internet_Edge { address = "Module 1" color = "#FFE4E1" description = "INTERNET EDGE MODULE" internet; ISP_A [description = "ISP-A"]; ISP_B [description = "ISP-B"]; MPLS [description = "MPLS"]; Edge_RTR [description = "Edge Router"]; FW_A [description = "FW-A"]; FW_B [description = "FW-B"]; } network Internal_Edge { address = "Module 2" color = "#E6E6FA" description = "INTERNAL EDGE / DMZ MODULE" FW_A; FW_B; IntEdge_A [description = "IntEdge-A"]; IntEdge_B [description = "IntEdge-B"]; WLC [description = "WLC"]; Proxy [description = "Proxy"]; VPN [description = "VPN"]; DNS [description = "DNS/DHCP"]; } network Core { address = "Module 3" color = "#B0E0E6" description = "CORE MODULE" IntEdge_A; IntEdge_B; Core_A [description = "Core-A"]; Core_B [description = "Core-B"]; } network Distribution_L3 { address = "Variation 1" color = "#98FB98" description = "DIST - L3 Adjacent\n(Building A)" Core_A; Core_B; Dist_1A [description = "Dist-1A"]; Dist_1B [description = "Dist-1B"]; Access_L3 [description = "Access\n(L3)"]; } network Distribution_MCLAG { address = "Variation 2" color = "#DDA0DD" description = "DIST - MCLAG\n(Building B)" Core_A; Core_B; Dist_2A [description = "Dist-2A"]; Dist_2B [description = "Dist-2B"]; Access_L2 [description = "Access\n(L2)"]; } network Datacenter { address = "Variation 3" color = "#FFE4B5" description = "DATACENTER\n(Spine/Leaf)" Core_A; Core_B; Border_Leaf [description = "Border\nLeaf"]; Spine [description = "Spine"]; Leaf [description = "Leaf"]; Servers [description = "Servers\nStorage\nPBX"]; } network Campus_Users { address = "End Devices" color = "#F0FFF0" description = "Campus Users" Access_L3; Access_L2; Users [description = "Laptops\nPhones\nCameras"]; } } @enduml ``` --- ## IP Addressing Strategy with VRF Isolation ### The Challenge of Multi-Segment, Multi-VRF Design When networks grow to include multiple security zones, business units, or compliance boundaries, **VRF (Virtual Routing and Forwarding)** provides route table isolation. However, extending VRFs through multiple tiers adds complexity: - Each L3 hop requires a transit subnet - Sub-interfaces multiply configuration complexity - Troubleshooting spans multiple routing tables - Documentation must track VRF membership at every tier ### Subnet Schema Strategy A well-designed subnet schema makes patterns recognizable, reducing cognitive load and configuration errors. #### Example: Large Manufacturing Site (10.0.0.0/13) **Site Allocation:** 10.0.0.0/13 (Manufacturing Site Alpha) - 524,286 usable hosts ```plantuml @startuml VRF Subnet Schema skinparam backgroundColor #FEFEFE title Large Site VRF Allocation Schema (10.0.0.0/13) nwdiag { network Corporate_VRF { address = "VRF: CORPORATE\n10.0.0.0/17" color = "#98FB98" description = "Production Users" Corp_Transit [description = "Transit\n10.0.0.0/23"]; Corp_Users [description = "Users\n10.0.32.0/19"]; Corp_Voice [description = "Voice\n10.0.64.0/19"]; Corp_Wireless [description = "Wireless\n10.0.96.0/19"]; Corp_Server [description = "Servers\n10.0.112.0/20"]; } network Guest_VRF { address = "VRF: GUEST\n10.1.0.0/17" color = "#FFE4B5" description = "Visitor Network" Guest_Transit [description = "Transit\n10.1.0.0/23"]; Guest_Users [description = "Users\n10.1.32.0/19"]; } network Security_VRF { address = "VRF: SECURITY\n10.2.0.0/17" color = "#FFDAB9" description = "Physical Security" Sec_Transit [description = "Transit\n10.2.0.0/23"]; Sec_Camera [description = "Cameras\n10.2.32.0/19"]; Sec_Badge [description = "Badge Readers\n10.2.64.0/19"]; Sec_NVR [description = "NVR/VMS\n10.2.96.0/20"]; } network IOT_VRF { address = "VRF: IOT\n10.3.0.0/17" color = "#E6E6FA" description = "Manufacturing OT" IOT_Transit [description = "Transit\n10.3.0.0/23"]; IOT_PLC [description = "PLCs\n10.3.32.0/19"]; IOT_HMI [description = "HMIs\n10.3.64.0/19"]; IOT_SCADA [description = "SCADA\n10.3.96.0/20"]; } } @enduml ``` **Transit Segment Detail (10.0.0.0/23 - 510 usable IPs):** | Subnet | Link Description | |--------|------------------| | 10.0.0.0/30 | FW-Inside → Internal-Edge-A | | 10.0.0.4/30 | FW-Inside → Internal-Edge-B | | 10.0.0.8/30 | Internal-Edge-A → Core-A | | 10.0.0.12/30 | Internal-Edge-A → Core-B | | 10.0.0.16/30 | Internal-Edge-B → Core-A | | 10.0.0.20/30 | Internal-Edge-B → Core-B | | 10.0.0.24/30 | Core-A → Distribution-A | | 10.0.0.28/30 | Core-A → Distribution-B | | 10.0.0.32/30 | Core-B → Distribution-A | | 10.0.0.36/30 | Core-B → Distribution-B | | 10.0.0.40/30 | Distribution-A → Access-SW-1 | | 10.0.0.44/30 | Distribution-B → Access-SW-1 | | ... | (Pattern continues) | > **Note:** /31 subnets (RFC 3021) can also be used for point-to-point links, conserving address space. ### Pattern Recognition Benefits When subnet patterns are consistent across VRFs: | What You Know | What You Can Infer | |---------------|-------------------| | Transit link in Corporate uses 10.0.0.40/30 | Guest equivalent is 10.1.0.40/30 | | Access-SW-5 users are on 10.0.36.0/24 | Security cameras on same switch are 10.2.36.0/24 | | Site Alpha is 10.0.0.0/13 | Site Beta could be 10.8.0.0/13 | This allows engineers to: - Predict IP addresses without consulting documentation - Recognize misconfigured subnets immediately - Create automation templates that work across VRFs - Train new staff on the pattern, not memorization --- ## Site Size Templates ### Small Site Template (Branch Office) ```plantuml @startuml Small Site Template skinparam backgroundColor #FEFEFE title Small Site Template (< 50 users) nwdiag { internet [shape = cloud]; network WAN { color = "#FFE4E1" description = "ISP/MPLS Circuit" internet; UTM [description = "UTM/SD-WAN\nAppliance\n(Router+FW+VPN+WLC)"]; } network LAN { address = "10.100.x.0/24" color = "#98FB98" description = "Single Subnet" UTM; Access [description = "Access Switch\n(or UTM ports)"]; } network Endpoints { color = "#F0FFF0" description = "End Devices" Access; AP [description = "WiFi AP"]; Users [description = "Users"]; Phones [description = "Phones"]; } } @enduml ``` **Small Site Design Notes:** - **Collapsed Design**: All functions in minimal hardware - **Subnet**: /24 or /23 per site - **Example**: 10.100.1.0/24 (Site 001) ### Medium Site Template (Regional Office) ```plantuml @startuml Medium Site Template skinparam backgroundColor #FEFEFE title Medium Site Template (50-500 users) nwdiag { internet [shape = cloud]; network WAN_Edge { color = "#FFE4E1" description = "Internet Edge" internet; ISP_A [description = "ISP-A"]; ISP_B [description = "ISP-B/MPLS"]; Edge_RTR [description = "Edge Router"]; } network Firewall_Tier { color = "#FFDAB9" description = "Firewall HA Pair" Edge_RTR; FW_A [description = "FW-A"]; FW_B [description = "FW-B"]; } network Distribution { address = "10.50.x.0/21" color = "#DDA0DD" description = "MCLAG Distribution\n(Dist/Core Combined)" FW_A; FW_B; Dist_A [description = "Dist-A"]; Dist_B [description = "Dist-B"]; } network Access_Tier { color = "#98FB98" description = "Access Switches (LACP)" Dist_A; Dist_B; Acc1 [description = "Acc1"]; Acc2 [description = "Acc2"]; Acc3 [description = "Acc3"]; Acc4 [description = "Acc4"]; Acc5 [description = "Acc5"]; } network Users { color = "#F0FFF0" description = "End Devices" Acc1; Acc2; Acc3; Acc4; Acc5; Endpoints [description = "Laptops/Phones\nCameras/APs"]; } } @enduml ``` **Medium Site Design Notes:** - **Partial Modularity**: Distinct Edge and Access tiers - **Subnet**: /21 per site (2,046 IPs) - **Example**: 10.50.0.0/21 (Site 050) ### Large Site Template (Headquarters/Campus) ```plantuml @startuml Large Site Template skinparam backgroundColor #FEFEFE title Large Site Template (500+ users) nwdiag { internet [shape = cloud]; network Internet_Edge { color = "#FFE4E1" description = "INTERNET EDGE MODULE" internet; ISP_A [description = "ISP-A"]; ISP_B [description = "ISP-B"]; MPLS [description = "MPLS"]; Edge_RTR [description = "Edge-RTR"]; FW_A [description = "FW-A"]; FW_B [description = "FW-B"]; } network Internal_Edge { color = "#E6E6FA" description = "INTERNAL EDGE MODULE" FW_A; FW_B; IntEdge_A [description = "IntEdge-A"]; IntEdge_B [description = "IntEdge-B"]; WLC [description = "WLC"]; Proxy [description = "Proxy"]; VPN [description = "VPN"]; DNS [description = "DNS"]; } network Core { color = "#B0E0E6" description = "CORE MODULE" IntEdge_A; IntEdge_B; Core_A [description = "Core-A"]; Core_B [description = "Core-B"]; } network Dist_Var1 { color = "#98FB98" description = "L3 Adjacent" Core_A; Core_B; Dist_1 [description = "Dist-1"]; Access_1 [description = "Access"]; } network Dist_Var2 { color = "#DDA0DD" description = "MCLAG Trunk" Core_A; Core_B; Dist_2 [description = "Dist-2"]; Access_2 [description = "Access"]; } network Dist_Var3 { color = "#FFE4B5" description = "MCLAG Trunk" Core_A; Core_B; Dist_3 [description = "Dist-3"]; Access_3 [description = "Access"]; } network Datacenter { color = "#87CEEB" description = "SPINE/LEAF DC" Core_A; Core_B; Border [description = "Border-Leaf"]; Spine [description = "Spine"]; Leaf [description = "Leaf"]; Servers [description = "Servers"]; } } @enduml ``` **Large Site Design Notes:** - **Full Modularity**: All tiers physically separate - **Subnet**: /13 to /15 per site (based on VRF count) - **Example**: 10.0.0.0/13 (HQ) - 524,286 IPs --- ## VRF and L3 Segmentation: Benefits and Complexity ### Benefits of L3 Segmentation with Sub-Interfaces 1. **Security Isolation**: Traffic between VRFs must traverse a firewall or policy device 2. **Blast Radius Containment**: Compromised segment cannot directly reach other VRFs 3. **Compliance Boundaries**: PCI, HIPAA, or OT networks in separate routing domains 4. **Traffic Engineering**: Different routing policies per VRF ### The Complexity Tradeoff When segments must extend through multiple tiers, each L3 boundary adds configuration overhead: ```plantuml @startuml Multi-VRF Path Through Tiers skinparam backgroundColor #FEFEFE title Multi-VRF Traffic Path: Camera to NVR nwdiag { network Camera_Segment { address = "VLAN 120\n10.2.36.0/24" color = "#FFDAB9" description = "VRF: SECURITY" Camera [description = "Camera"]; Access_SW [description = "Access-SW\nSub-int: 10.2.0.40/30"]; } network Access_to_Dist { address = "10.2.0.40/30" color = "#DDA0DD" description = "VRF: SECURITY" Access_SW; Distribution [description = "Distribution\nSub-int: 10.2.0.24/30"]; } network Dist_to_Core { address = "10.2.0.24/30" color = "#B0E0E6" description = "VRF: SECURITY" Distribution; Core [description = "Core\nSub-int: 10.2.0.8/30"]; } network Core_to_IntEdge { address = "10.2.0.8/30" color = "#E6E6FA" description = "VRF: SECURITY" Core; Internal_Edge [description = "Internal-Edge\nSub-int: 10.2.0.0/30"]; } network IntEdge_to_FW { address = "10.2.0.0/30" color = "#FFE4E1" description = "VRF: SECURITY" Internal_Edge; Firewall [description = "Firewall\nInter-VRF Policy"]; } network DC_Path { address = "VXLAN/EVPN" color = "#87CEEB" description = "Datacenter Fabric" Firewall; Border_Leaf [description = "Border-Leaf"]; Spine [description = "Spine"]; Leaf [description = "Leaf"]; NVR [description = "NVR"]; } } @enduml ``` **Configuration Overhead:** - 5 sub-interfaces per VRF per path - 4 VRFs × 5 sub-ints = 20 sub-interfaces per switch - Routing protocol adjacencies in each VRF - Route-leaking or firewall rules for inter-VRF traffic ### Mitigation Strategies 1. **Limit VRF count**: Only create VRFs for genuine isolation requirements 2. **Centralize inter-VRF routing**: Single firewall policy point vs. distributed 3. **Use VXLAN/EVPN**: Overlay reduces physical sub-interface sprawl 4. **Automate provisioning**: Templates ensure consistent configuration 5. **Document the pattern**: Once learned, patterns are faster than lookup --- ## Summary: Building a Scalable Network Pattern The goal of modular network design is to create a **repeatable pattern** that enables: | Scale | Sites | Pattern | |-------|-------|---------| | Small | 10,000+ | Collapsed UTM + single switch, /24 per site | | Medium | 1,000+ | Edge + MCLAG distribution + access, /21 per site | | Large | 100+ | Full modular (Edge, Internal Edge, Core, Distribution variants, DC fabric), /13-/15 per site | ### Key Takeaways 1. **Modules create boundaries**: Each module has a defined purpose and interface 2. **Patterns enable scale**: Same design at every site reduces training and errors 3. **VRFs provide isolation**: But add configuration complexity at each tier 4. **Subnet schemas matter**: Predictable addressing reduces cognitive load 5. **Distribution varies by need**: L3 adjacent, MCLAG/LACP, or spine/leaf 6. **Right-size for the site**: Don't over-engineer small sites By establishing these patterns and applying them consistently, organizations can build networks that scale from a single branch office to a global enterprise—all while maintaining operational simplicity and security posture. --- *Article version 2.0 | Published 2026-02-02 | Updated with PlantUML nwdiag diagrams*