Networking
Campus Network Design in Ethiopia: A Hierarchical Reference Architecture
A campus network is the LAN that connects the buildings of a single site — a university, a ministry, a bank headquarters, a manufacturer. The right architecture is hierarchical: an access layer that connects end devices, a distribution layer that aggregates buildings, and a core layer that provides high-speed interconnect. This guide walks through the reference architecture we use for Ethiopian campuses, with a worked example for a 12-building university and a redundancy plan that survives a fibre cut between buildings.
What "campus" means in the Ethiopian context
A campus network in Ethiopia is a multi-building, single-owner LAN. Common examples are the African Union campus in Addis, the Commercial Bank of Ethiopia headquarters, the Ministry of Innovation and Technology compound, and large universities (Addis Ababa University, Jimma University, Bahir Dar University). The defining properties are: one administrative owner, one IP address plan, and one set of security and routing policies.
The "campus" label is borrowed from the Cisco three-tier model. A wide-area connection between two campuses is a WAN, not a campus. A single 200-user office in a Bole tower is too small to be a campus — it is a single-tier access network. The hierarchical design is justified at the point where you have more than three buildings or more than 500 users.
Why it matters in Ethiopia
Ethiopian campuses are subject to two practical constraints the rest of the world does not always face. First, fibre between buildings is often single-path and single-carrier, because the alternative carrier routes (Ethio Telecom, Safaricom Ethiopia) do not always serve the same compound. A single fibre cut between two buildings can black out a department. The fix is dual-path fibre and dual-supplier SLAs where the carrier market allows it.
Second, power is unreliable at some campuses, particularly outside Addis. POE-powered access switches can reboot the entire access layer when the UPS is undersized. The fix is a properly sized campus UPS plant (N+1) per building, with separate utility and generator feeds. We have walked two universities back from access-layer designs that reloaded every 4 hours.
The hierarchical three-layer design
| Layer | Role | Typical switch | Uplink | Redundancy |
|---|---|---|---|---|
| Access | End devices (PC, Wi-Fi AP, printer, camera) | Cisco C9200, HPE Aruba CX 6200, Huawei S5735 | 2 x 10G LACP | Dual distribution |
| Distribution | Aggregates access switches; runs OSPF/BGP; applies policy | Cisco C9500, HPE Aruba CX 6400, Huawei S5732-H | 2 x 25G or 100G to core | HSRP/VRRP, MC-LAG |
| Core | High-speed interconnect between buildings and to data center / WAN | Cisco C9600, HPE Aruba CX 8400, Huawei S6730-H | 100G fibre ring or square | Dual paths, dual cores |
Reference architecture: 12-building university
Worked example for a 12-building, 8,000-user university campus in Ethiopia. The design uses two core switches in different buildings, connected by a 100 Gbps fibre ring. Each building has a pair of distribution switches (MC-LAG) and four to eight access switches depending on user count. Fibre between buildings runs in two physically diverse paths (north and south trenches) and is terminated on separate patch panels to support a single-path failure.
The routing protocol is OSPFv2 for IPv4 and OSPFv3 for IPv6, with area 0 on the core and a separate area per building. Distribution switches are ABRs. HSRP runs between the two cores, with the active core physically located in the data center building. The result: any single fibre cut, switch failure, or core reboot is invisible to the end user.
VLAN and IP plan
A campus needs a single, defensible VLAN and IP plan. We use a 10.0.0.0/8 supernet, sliced by building and by function. A typical building gets a /16 or /17, with /24 subnets for data, voice, Wi-Fi staff, Wi-Fi guest, security cameras, building management, and a future-use block. The plan is documented in a single spreadsheet that lives in the customer's IT wiki and is the source of truth for switch port assignments and firewall rules.
Voice and data separation is non-negotiable in a campus: a separate VLAN with QoS priority queueing for IP phones, DHCP options for the call server, and ACLs at the distribution layer. The same applies to security cameras, which should never share a broadcast domain with the data network. The Chinese "all in one VLAN" pattern we sometimes inherit is the most common cause of mystery video freezes and dropped calls.
Redundancy and high availability
- MC-LAG or vPC at the access-distribution layer. Two distribution switches per building, both actively forwarding. A single distribution failure halves the access bandwidth but does not disconnect users.
- HSRP or VRRP at the core layer. Two core switches, one active, one standby. Sub-second failover.
- Diverse fibre paths. Two physical trenches, north and south. This is the single biggest availability lever in an Ethiopian campus.
- Per-building UPS. A 30 to 60 minute UPS per building, with the generator backing the entire campus. The UPS is the bridge; the generator is the destination.
- Out-of-band management. A separate management VLAN, with cellular failover for the management plane. This is the network that lets you fix the network.
UT Solutions' campus practice
UT Solutions designs, deploys, and operates campus networks for Ethiopian banks, ministries, universities, and manufacturers. We are Cisco Select and Huawei Silver partners, with 60 in-house engineers and a 24/7 NOC that monitors the campus fabric. Our engagements start with a structured site survey, a written design, and a bill of materials that the customer's procurement team can tender cleanly.
Case study: Jimma University campus refresh
Jimma University engaged UT Solutions to refresh the campus network across 18 buildings, supporting 42,000 students and staff. We deployed two Cisco C9600 core switches, 36 C9500 distribution switches, and 240 C9200 access switches across a 100 Gbps fibre ring with physically diverse paths. The new network supports 12,000 concurrent Wi-Fi clients and reduced the helpdesk ticket rate by 64% in the first academic year. The university has since added IoT for building management on a separate VLAN, without touching the access layer.
Common campus design mistakes in Ethiopia
The most common campus mistake in Ethiopia is a flat L2 design. A single VLAN across an 18-building campus is a broadcast storm waiting to happen, and it is the single most common cause of mystery slowness in Ethiopian enterprise networks. UT Solutions' campus engagements start with the hierarchical three-layer design and refuse to take on a flat L2 retrofit.
The second mistake is single-path fibre. A campus where the only fibre between two buildings runs in a single trench is a campus with a planned outage every time someone digs. UT Solutions' campus designs require dual physical paths, in opposite directions, with diverse carriers where the market allows. The CAPEX is real; the availability gain is larger.
The third mistake is over-sized uplinks. A 1 Gbps uplink from the access to the distribution layer in a 24-port access switch with 24 phones is over-sized for the access load but under-sized for the resilience. The right answer is two 10 Gbps uplinks in LACP, which gives 20 Gbps of aggregate bandwidth and resilience to a single link failure. UT Solutions' standard campus uplink is 2 x 10 Gbps LACP for access, 2 x 25 Gbps for distribution, and 100 Gbps for the core.
A final mistake is mixing voice and data on the same VLAN. The voice quality suffers during broadcast storms or scanning events, and the data network suffers during voice bursts. UT Solutions' campus designs mandate separate VLANs with QoS priority queueing for the voice traffic, and the configuration is documented and tested as part of the handover.
Frequently asked questions
Is a flat L2 design ever acceptable for a campus?
For under 200 users in a single building, yes. Beyond that, the broadcast domain and the failure domain become unmanageable. Use a hierarchical design.
What is the right routing protocol?
OSPF for most Ethiopian campuses, because it is simple, well-understood, and converges in seconds. BGP is justified only when the campus is multi-tenant or connects to multiple service providers.
How long does a campus refresh take?
4 to 9 months for a 10 to 20 building campus, with most of the time spent on fibre pulling and switch installation. The design phase itself is 4 to 6 weeks.
Can I run SD-WAN inside a campus?
Technically yes, but it is overkill for a single site. SD-WAN shines when the underlay is heterogeneous (MPLS, broadband, 4G) and the sites are distributed. Save it for the WAN.