A network must align with the existing requirements of an organization, but it must also be flexible enough to easily integrate new technologies, which is where hierarchical network design comes in.

What is hierarchical network design

First proposed by Cisco in 2002, hierarchical network design has become an industry-wide best practice for developing reliable, scalable, and cost-effective networks.

Initially, networks had a flat design and could only be expanded in one direction through hubs and switches, making it challenging to filter out undesirable traffic and control broadcasts. As a network grew in size, response times would degrade. A new network design was necessary, resulting in the hierarchical approach.

Flat network design is still in use today, but is primarily reserved for very small networks, or designs looking to minimize cost by using a limited number of routers or switches.

An example of a "flat" network design: several devices connected directly to a switch.

An example of a “flat” network design.

A hierarchical design separates a network into distinct layers, where each layer has a series of functions that define its role in the network. Because of this, a network designer can choose the optimal hardware, software, and features to take on a particular role for that network layer.

Data management is also far more efficient. In a hierarchical design, local traffic stays local and only moves to a higher layer when it is headed for another network.

What are the typical layers in hierarchical network design?

The layers in a hierarchical network design are usually mapped according to the network’s physical layout. They can differ, however, so it’s best to consider them as logical layers.

A three-layer design is most common, but not mandatory. A three-layer hierarchical networks typically consist of:

  1. A core layer. This is the backbone of your network. It offers fast transport between distribution switches in the network.
  2. A distribution layer. This middle layer offers policy-based connectivity and regulates the boundary between the other two layers. It’s where routing and data filtering take place, and is sometimes referred to as the “Workgroup” layer.
  3. A access layer. Where endpoints and local servers access the network, and is often referred to as the “Workstation” layer.

Diagram of a typical hierarchical network

Smaller networks can consist of only two layers, where the distribution and core are collapsed into a single layer, also known as a collapsed core design.

The basic outbound data flow starts from the endpoint into the access layer of the network. Data leaving the access layer is then fed into the distribution layer. If the destination is outside the local network, it’s routed into the core layer and, finally, to the destination, be it on the LAN, WAN, or to the outside world. The return trip is the same: the powerful, high-speed backbone of the core layer transports the data to the distribution layer, where it is intelligently routed to local access layers before hitting the endpoint.

Let’s take a closer look at each layer’s functions as they relate to hierarchical network design.

Core layer

The core layer is essential as it connects multiple network components and is made up of your highest-speed, most powerful network devices.
However, since it only has one purpose, it doesn’t require too many features (just be fast!).

The core must be reliable and efficient to maximize performance, and also available at all times. It should be designed with redundancies so it doesn’t have a single point of failure. If a catastrophic problem should occur, recovery needs to be quick.

High-speed switching is essential, as well as fault tolerance. The core layer should be scaled through quality (better equipment) rather than quantity (number of devices). CPU-intensive packet manipulation, such as restrictive ACLs and QoS classifications, should be avoided at this level.

Essentially, the core layer should be as lean as possible to minimize the potential for failure and maximize efficiency.

Distribution layer

Distribution layers aggregate the traffic from access layers and, well, distribute it into the rest of the network. This layer will usually have multiple switches and routers (or layer 3 switches performing routing functions), with each switch connected to multiple devices in the access layer.

The distribution layer itself acts as a border, creating self-contained networks within the more extensive network. These distribution blocks can then route traffic to each other through the core layer. The advantage of separate blocks is that a problem in one block won’t affect the rest of the network. Distribution blocks are where network policies should be applied and act as an additional layer of security between access layers and the whole network.

Access layer

The access layer can be considered the entry point into the network (or the exit, depending on the direction of data flow!). It’s where end-user devices connect, feeding into access layer switches. Due to the number of end-user devices connecting to the network, there tends to be more switches on the access layer than any other in a typical hierarchical network design. They require high port density to support the large number of connecting devices, but generally don’t need a high throughput on them, as each port is connecting to just one specific device. These devices can be anything that requires a network connection, including laptops, smartphones, tablets, and printers.

As it must support so many devices, the access layer tends to have the most features. It’s also where admins tend to spend a lot of their time.

And with so many users and ad hoc devices, this layer also requires intensive security, as it’s the first border between the external world and the network.

Some services you can typically find in the access layer include:

  • Discovery and configuration: CDP, LLDP
  • Security and network identity: 802.1x, DHCP, port security
  • Application recognition: QoS marking, policing, queuing
  • Network control: routing protocols, spanning-tree, DTP
  • Physical infrastructure: PoE

The access layer feeds into the distribution layer via OSI Layer 2 trunk ports, or Layer 3 routed ports. End-user devices connect to switches in the access layer at Layer 2.

Why is hierarchical network design so important?

Hierarchical networks offer a wide range of benefits, such as enhanced performance, reliability and scalability, better security, easier management and design, and improved cost-efficiency. Let’s focus a bit on each one below.

Enhanced performance

A hierarchical network design means data is routed through aggregated switchport links at close to wire rate, instead of being sent through lower performance intermediary switches.

The distribution and core layers consist of high-performance switches, which means higher speeds and fewer issues with network bandwidth. Therefore, if the network is designed correctly, data should travel at close to wire-speed between every device on the network for most of its journey within the network.

Improved reliability

The modular nature of a hierarchical network translates into a more reliable network as a whole, as segments that fail or become degraded can be isolated and routed around. The rest of the network won’t be affected.

Availability also increases because it is easier to implement network redundancies. For example, switches in the access layer can be connected to two switches in the distribution layer. If one fails, the other comes into play. Likewise, the distribution switches connect to multiple core switches, providing yet another layer of redundancy.

The only redundancy limitation is at the access level, since most end-user devices cannot link to multiple switches simultaneously. However, even if an access switch were to fail, only the devices using that switch would experience an outage and not the entire network.

Access layer tip!

With the proliferation of wireless connectivity on nearly every endpoint, access layer redundancy can be partially obtained by making sure your wireless access points in an area aren’t connected into the same access layer switches as the physical switchports. This way, if an access switch providing physical connectivity is having issues, endpoints may still be able to have wireless network access.

Increased scalability

Hierarchical networks are more flexible than their counterparts. Segments and elements can easily be added without significantly disrupting the existing network.

Design elements can also be copied and repeated, thanks to the network’s modularity. Consistent design from one module to the next makes it easy for network administrators to plan and implement network expansion, and know the topology is unchanged module to module. Therefore, networks can expand with the organization with little to no downtime.

Better security

In terms of security, a hierarchical network permits a greater level of control. Access control lists can be more complex and granular, and traffic can be shaped and blocked more effectively.

Furthermore, these policies can be applied to a user, a department, or the whole organization, allowing admins to develop network traffic plans tailored to the needs of the enterprise.

Since network details aren’t available for most users, intentional or accidental network issues are less of a concern, thereby increasing productivity and improving the network’s performance.

Easer to manage

Since each network layer is designed for specific and consistent functionality, these networks are easier to manage. For example, should you need to modify the functions of an access layer switch, you can confidently make that same change to all the access layer switches—because they have the same role.

It’s also simpler to deploy new switches because you can copy configurations from one device to another without significant changes. Troubleshooting and recovery is also simpler and faster.

Increased cost efficiency

IT networking equipment is an expensive necessity. However, hierarchical network design can reduce costs because the organization can limit the amount of equipment to only what is needed based on the logical structure of the enterprise.

The modular nature of the network means that it can be expanded without significant one-off investments. Adding a new department, for example, can often be done with a single access switch and a few Ethernet cables, rather than needing a new series of routers and switches (many of which will sit underused).

Considerations when designing a hierarchical network

While hierarchical networks are easier to design, there’s still certain factors to consider, like your overall business needs, the organization’s budget, network size, and your on-premises versus cloud services.

Business needs

Hierarchical network design should always start with the organization’s needs. This means gathering information and developing a plan with clear targets. You might need to support a new office, or you might have to design a complete, but bare-bones, network for the entire organization. Once you have a clear target, you can determine technical requirements, such as bandwidth and security.

Budgetary constraints

When designing a network, you also need to consider budgetary constraints. You might want to go full-out and create a network with the latest and most expensive hardware. Maybe you want your redundancies to have redundancies, and incorporate so many switches that you could run a small country, but in the end you’ll always run into the organization’s budget wall.

So when designing the network, consider budgetary constraints, which might mean a design that’s just enough for the organization’s needs, a design that leverages better equipment in one layer vs. another, and so on. The advantage of a hierarchical network design is that it can easily be expanded in stages. So, even if the organization cannot make a significant initial investment, you can still expand the network incrementally as the need arises while spacing out the costs.

Network size

The size of the network you have to design will affect the technical requirements. The more extensive the network, the more distribution blocks and core layers you will need, which will increase equipment needs and costs.

As well, the size of the network will also dictate the approach you take. For example, a smaller network, usually fewer than 200 devices, might not require a three-layer design and might be just as effective with a collapsed-core design.

On-prem vs. cloud services

In some cases, your choice of whether to adopt a hierarchical network design will be driven by how your users access network services. For example, if you use primarily cloud services, all traffic generated at the access layer will be destined to leave the network. Not many decisions need to be made at the distribution layer, and speeds at the core layer become less important, as the performance for your end-users will be throttled by the speed of your internet connection. You’ll want to be sure your network’s design doesn’t force you to use an on-premises approach if a cloud network might be a more efficient option.

Are many of your services on premises? Legal regulations might also affect the design of your network. Everything from local building codes to electrical codes can affect your network’s design, so make sure to keep them in mind to ensure the compliance of your network.


Hierarchical network design is an industry-wide standard for a good reason. The modular nature of this design offers a wide range of benefits, making it a better option for almost any network.

These networks are easier to design but also more flexible, reliable, and secure. They’re easy to scale because all it takes is replicating design elements, and changes can be made quickly to either a single switch or across the whole network.

The reliability and flexibility alone make hierarchical networks the obvious choice. You can easily integrate new technology while being able to reduce failure potential through redundancies.

And the modularity of the design means that when a failure does occur, the block can be isolated so won’t affect the rest of the network.

If you’re looking for a network that will easily scale with your organization while providing the highest level of performance, then a hierarchical network is the most effective option. Just remember to consider issues such as network size, business requirements, budgetary constraints, and remaining network design best practices.

It’s an exciting time when you’re designing a network from the ground up, but more often than not you’re looking to get a handle on the configuration, performance, and use of an existing network. Cloud-based network management solutions like Auvik can help you visualize your network, whether built to this hierarchical model or not. Get started with Auvik today, and visualize your entire network in under an hour!