
Network Design Campus + Data Center for Hospital


We are designing a network for a public healthcare customer that needs to support about 3,000+ users. It's a big building with 13 floors.

To keep it simple we proposed C9500 on the distro/core (collapsed core) and C9400 on the access layer. Keeping all L3 on the collapsed core and trunk L2 to IDFs 9400 access switches. We intend to adopt a three-tier architecture for the Datacenter, with all the SVIs for servers terminating at the Data Center Firewalls.

Purpose of Data Center Firewalls: Protecting servers from users. Isolating east-west traffic between servers. Discovering and preventing malware. Achieving compliance with regulatory requirements.

Please check the initial design attached.

Would genuinely appreciate any insights, feedback, or suggestions to enhance the design.


Leo Laohoo
Hall of Fame

@thenetadmin wrote:
We are designing a network for a public healthcare customer that needs to support about 3,000+ users. It's a big building with 13 floors.

It is also a very expensive exercise and should not be treated like a joke.  

Get a reputable systems integrator because they will know all the regulatory compliances and design a network appropriately. 

@Leo Laohoo 

The proposed design has been drafted by the system integrator.

I would like to also have a brainstorming discussion to ensure we're on the right path, as sometimes vendors might propose solutions that are excessively complex and overkill. It would be beneficial if our Cisco expert community could lend their insights on this matter.

@thenetadmin in your diagram you look like you have single points of failure for the Internet Firewalls, ISE and the WLCs? Ideally should be dual-homed to different switches.

Are the DC firewalls scaled accordingly to cope with isolating east-west traffic between servers?

Hello @Rob Ingram 

Apologies for the oversight, but while it might not be clearly depicted in the diagram, our Internet Firewalls are set up in an HA pair with dual-homed internet connections.

Additionally, both ISE and WLCs are in high availability and are connected to separate switches.

Our VAR has made sure to appropriately size the DC firewalls.

I have another question: are the DC firewalls positioned correctly in the network layout?

On another note: LAN cores will be set up using StackWise, and the Access Layer is connected to the Core via EtherChannels. The SVIs for user VLANs terminate on the LAN cores. Should we still consider revising the topology to L3 to avoid any potential STP issues?
