1. NETWORK REQUIREMENTS ANALYSIS

1.1 Network Traffic Requirements

The hypothetical organisation selected for this assignment is the Oxford University Global Digital Campus (OUGDC), a world-leading, research-intensive university headquartered in Oxford, United Kingdom, with multiple international campuses distributed across Europe, Asia, and North America. OUGDC serves approximately 50,000 students across its global network, employs over 15,000 academic and administrative staff, and operates several specialist research centres engaged in high-performance computing, artificial intelligence research, biomedical sciences, and, notably, the development of AI-based assistive technologies for neurodiverse students within the Special Educational Needs (SEN) sector. The breadth and mission-critical nature of these operations necessitate an advanced, enterprise-grade network infrastructure capable of supporting highly diverse workloads across geographically dispersed sites.

OUGDC generates substantial and heterogeneous network traffic across multiple functional domains. Academic operations require high-bandwidth, low-latency connectivity to support synchronous video conferencing for hybrid and remote lectures, virtual learning environments (VLEs), collaborative research platforms, and cloud-hosted Learning Management Systems (LMS) serving concurrent connections from tens of thousands of students and staff globally. Research activities, particularly those involving artificial intelligence and machine learning workloads, necessitate dedicated high-speed interconnects between GPU compute clusters and high-performance storage systems within the data centre. Internal data transfers for model training pipelines routinely demand bandwidths exceeding 100 Gbps, requiring a data centre fabric capable of sustaining high-throughput, non-blocking east-west traffic patterns characteristic of distributed computing environments.

Administrative traffic encompasses Enterprise Resource Planning (ERP) systems, Human Resources platforms, financial management tools, and Student Information Systems, which generate consistent background traffic demanding guaranteed Quality of Service (QoS) policies to prevent latency-sensitive application degradation.

Internet of Things (IoT) devices — including smart building sensors, environmental monitors, laboratory automation equipment, and AI-powered assistive technologies deployed in support of students with Special Educational Needs and Disabilities (SEND) — generate low-bandwidth but high-frequency traffic streams that must be logically segregated from core academic and administrative networks. The network must be engineered to accommodate significant traffic peaks during examination periods, coursework submission deadlines, and major research milestones without perceptible degradation in service quality.

1.2 Security Requirements

As a custodian of highly sensitive research data, student personal information, and substantial intellectual property, OUGDC operates under stringent regulatory obligations. These include the UK General Data Protection Regulation (UK GDPR) (Information Commissioner’s Office, 2021), the Data Protection Act 2018 (UK Parliament, 2018), and the Network and Information Systems (NIS) Regulations 2018. The university must additionally adhere to the Janet Acceptable Use Policy, given its connectivity to the Joint Academic Network (JANET), the UK national research and education backbone. Cyber threats targeting higher education institutions have intensified markedly in recent years, with the UK National Cyber Security Centre (NCSC) identifying universities as high-value targets for state-sponsored and criminal threat actors (NCSC, 2021). The deployment of AI-based SEN support systems, which process sensitive behavioural, cognitive, and biometric data relating to neurodiverse students, introduces further data protection obligations requiring robust encryption, fine-grained access control, and auditable data processing pipelines.

1.3 Scalability Requirements

The network must be designed to accommodate significant growth in connected devices, user populations, and computational resource demands over a projected five-year planning horizon. The university anticipates the onboarding of two additional international campuses, the expansion of AI research infrastructure through the acquisition of further GPU cluster capacity, and a continued increase in the number of IoT and BYOD (Bring Your Own Device) endpoints connected to the network. The architecture must therefore support seamless horizontal scaling at the access layer, modular expansion of data centre compute and storage capacity, and the dynamic allocation of wide area network (WAN) bandwidth to new geographic sites without requiring fundamental redesign of the core infrastructure (Stallings, 2022).

1.4 Reliability Requirements

OUGDC’s academic and research operations are fundamentally dependent on continuous network availability. The target service level agreement (SLA) specifies 99.99% uptime for core network services, which corresponds to roughly 52 minutes of planned or unplanned downtime per annum (a 99.999% target would allow only around five minutes). This stringent availability target necessitates fully redundant core infrastructure with no single points of failure, geographically diverse fibre routing, and automated failover mechanisms with sub-second convergence times. Research operations, in particular, cannot tolerate unplanned network outages, as interruption to long-running AI model training jobs may result in significant computational resource wastage, data corruption, and associated financial cost.
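The downtime budget and the effect of redundancy can be checked arithmetically. The following is an added example, not part of the original report: it derives the annual downtime implied by an availability target and composes per-component availabilities in series (stages that must all be up) and in parallel (redundant copies). The per-switch and per-fibre-route figures are assumptions chosen for illustration, not vendor data.

```python
"""Availability arithmetic behind the OUGDC 99.99% core SLA.

Added example, not part of the original report. The per-component
availability figures are assumptions chosen for illustration.
"""

MINUTES_PER_YEAR = 365.25 * 24 * 60


def downtime_minutes(availability: float) -> float:
    """Annual downtime budget implied by a fractional availability target."""
    return (1.0 - availability) * MINUTES_PER_YEAR


def parallel(*availabilities: float) -> float:
    """Redundant components: the function is lost only if every copy fails."""
    unavailable = 1.0
    for a in availabilities:
        unavailable *= 1.0 - a
    return 1.0 - unavailable


def series(*availabilities: float) -> float:
    """Stages that must all be up at once (core, fibre, distribution, access)."""
    available = 1.0
    for a in availabilities:
        available *= a
    return available


# Assumed per-device / per-path availabilities (illustrative, not vendor data).
SWITCH = 0.999          # a single enterprise switch, about 8.8 h/yr of outage
FIBRE_ROUTE = 0.995     # one physical fibre route, about 44 h/yr (digs, cuts)


def campus_availability(redundant_access: bool) -> float:
    """End-to-end availability from a campus port to the core.

    Core and distribution are switch pairs; fibre uses two diverse routes;
    the access switch is a single device unless redundant_access is set.
    """
    core = parallel(SWITCH, SWITCH)
    fibre = parallel(FIBRE_ROUTE, FIBRE_ROUTE)
    distribution = parallel(SWITCH, SWITCH)
    access = parallel(SWITCH, SWITCH) if redundant_access else SWITCH
    return series(core, fibre, distribution, access)


def meets_sla(availability: float, target: float = 0.9999) -> bool:
    return availability >= target


if __name__ == "__main__":
    for nines in (0.999, 0.9999, 0.99999):
        print(f"{nines:.5f} -> {downtime_minutes(nines):6.1f} min/yr")
    for redundant in (False, True):
        a = campus_availability(redundant)
        print(f"redundant access={redundant}: {a:.6f} meets 99.99%? {meets_sla(a)}")
```

The point the numbers make is that a single non-redundant stage (here one access switch at 99.9%) caps the whole path below the 99.99% target no matter how well the core is built, which is why the "no single points of failure" requirement has to be applied tier by tier rather than to the core alone.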

2. NETWORK DESIGN

The proposed network architecture for OUGDC is based upon a hierarchical three-tier model comprising a Core Layer, a Distribution Layer, and an Access Layer, augmented by dedicated on-premises data centre infrastructure, a cloud gateway facilitating integration with cloud-hosted services, and secure VPN connectivity for international campus sites (Cisco, 2023). This well-established architectural model, as illustrated in Figure 1 below, provides the modularity, scalability, and defence-in-depth security posture necessary to meet the requirements identified in Section 1.

Figure 1: Oxford University Global Digital Campus – Proposed Network Architecture

2.1 Core Layer

The Core Layer constitutes the high-speed backbone of the OUGDC network, responsible for the rapid forwarding of large volumes of inter-site and inter-VLAN traffic with minimal latency and maximum fault tolerance. This layer employs enterprise-grade core switches interconnected via redundant 100 Gigabit Ethernet (GbE) fibre links in a fully meshed topology, ensuring that the failure of any single link or switch does not interrupt core forwarding operations. A Next-Generation Firewall (NGFW) is positioned at the network perimeter, between the JANET/Internet uplink and the core routing infrastructure, providing deep packet inspection, application-layer traffic analysis, and integrated intrusion prevention functionality. A dedicated core router manages Border Gateway Protocol version 4 (BGP4) peering sessions with upstream Internet Service Providers and the JANET network, whilst a cloud gateway appliance provides policy-enforced, encrypted connectivity to cloud-hosted services including the university’s LMS, collaborative research databases, and Software-as-a-Service (SaaS) platforms.

2.2 Distribution Layer

The Distribution Layer provides VLAN segmentation, inter-VLAN routing, and policy enforcement between the Core Layer and the Access Layer. Redundant distribution switches are deployed in paired configurations with inter-switch cross-connects and Link Aggregation Control Protocol (LACP, originally IEEE 802.3ad and now maintained as IEEE 802.1AX) uplinks to the core, providing both load balancing and rapid failover. This layer implements QoS classification and queuing policies, ensuring that latency-sensitive traffic classes — including real-time video conferencing streams, VoIP, and AI inference API calls from SEN support applications — receive preferential treatment over bulk file transfer and best-effort traffic. A VPN Gateway device at this layer provides encrypted tunnel termination for remote staff and student connections and for permanent site-to-site tunnels with international campus locations.

2.3 Access Layer

The Access Layer provides wired and wireless end-point connectivity to office computers, classroom workstations, research laboratory equipment, Wi-Fi access points, and IoT devices. Access switches implement IEEE 802.1X Network Access Control (NAC) at each port, authenticating connecting devices via a RADIUS server before granting access to the appropriate VLAN. Discrete VLANs are provisioned for administrative staff, academic users, research laboratory systems, IoT devices, AI SEN systems, and guest wireless access, providing logical traffic isolation and minimising lateral movement opportunities for a potential adversary (Rose et al., 2020). Wi-Fi 6 (IEEE 802.11ax) access points are deployed throughout all campus facilities, providing high-density wireless coverage with improved multi-user efficiency and reduced contention in densely populated environments such as lecture theatres and open study areas (IEEE, 2021).

2.4 Data Centre Infrastructure

The university’s on-premises data centre hosts critical application servers, high-capacity storage systems, and AI compute clusters comprising GPU arrays for machine learning model training and inference. Internally, the data centre employs a spine-leaf fabric architecture with 25 GbE server-to-leaf interconnects and 100 GbE leaf-to-spine uplinks, providing a low-latency, non-blocking switched environment optimised for the east-west traffic patterns characteristic of distributed AI workloads. The data centre additionally hosts the AI-based SEN support system platform, processing neurodiverse student data within a security-hardened, isolated network segment with strict access controls and encrypted storage.

2.5 International Campus Connectivity and Justification

International campuses connect to the OUGDC headquarters network via a hybrid WAN design employing SD-WAN overlays with MPLS private circuits as the primary path and internet-based IPSec VPN tunnels as cost-effective, high-availability backup paths (Cisco, 2022; Meyer, 2021). SD-WAN application-aware routing policies ensure that critical academic applications consistently utilise the low-latency MPLS path, whilst bulk and non-critical traffic may be offloaded to the internet path, reducing MPLS bandwidth costs. The hierarchical three-tier campus model was selected over alternative flat or spine-leaf-only designs because it provides clear functional separation, simplified troubleshooting, and more predictable scaling behaviour as the organisation grows. The choice of a dedicated on-premises data centre, rather than full cloud migration, reflects the sensitivity of research data and the performance requirements of AI training workloads, which are ill-suited to the variable latency characteristics of public cloud compute.

3. NETWORK PROTOCOLS AND TECHNOLOGIES

The proposed network design employs a carefully selected suite of protocols and technologies, each chosen for its suitability to the scale, performance, and security requirements of a global research-intensive university. This section provides a critical analysis of each major protocol and technology, justifying its inclusion within the architecture.

3.1 Routing Protocols

Open Shortest Path First version 3 (OSPFv3), specified in RFC 5340 (Coltun et al., 2008), is deployed for internal campus routing, providing rapid convergence through its link-state database and Dijkstra shortest-path-first algorithm. OSPFv3 natively supports IPv6, consistent with the dual-stack IPv4/IPv6 deployment strategy adopted for the OUGDC network in alignment with Jisc’s recommendation for UK academic institutions (Jisc, 2022). OSPF area partitioning reduces the scope of topology flooding, improving scalability as the campus network grows. Border Gateway Protocol version 4 (BGP4), specified in RFC 4271 (Rekhter et al., 2006), manages external routing between the OUGDC autonomous system and its upstream Internet Service Providers and the JANET network, enabling traffic engineering through route policy application and AS-path manipulation. The combination of OSPF for intra-domain routing and BGP for inter-domain peering represents the standard approach for enterprise and research network deployments of this scale.
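The convergence behaviour described above comes down to every router recomputing Dijkstra over the same link-state database after a link LSA is flushed. The following is an added example, not code from the report or from any router vendor: it runs SPF over a small constructed LSDB (router names and costs are assumptions), derives the next-hop table a router would install, then withdraws a core-to-distribution link and shows the recomputed table. Flooding, adjacency formation and area boundaries are abstracted into the dict of links.

```python
"""OSPF-style shortest-path-first computation over a link-state database.

Added example, not from the original report. The topology, router names
and link costs are constructed assumptions; OSPF's LSA flooding, adjacency
formation and area boundaries are abstracted away to a dict of links.
"""
import heapq
from typing import Dict, Optional, Tuple

# Constructed intra-area LSDB: each entry is one link with a symmetric cost.
LSDB: Dict[Tuple[str, str], int] = {
    ("core1", "core2"): 1,       # 100 GbE core mesh link
    ("core1", "dist1"): 10,
    ("core2", "dist2"): 10,
    ("dist1", "dist2"): 10,      # distribution pair cross-connect
    ("dist1", "access1"): 100,
    ("dist2", "access1"): 100,
}


def adjacency(lsdb):
    adj = {}
    for (a, b), cost in lsdb.items():
        adj.setdefault(a, {})[b] = cost
        adj.setdefault(b, {})[a] = cost
    return adj


def spf(lsdb, root: str) -> Dict[str, Tuple[int, Optional[str]]]:
    """Dijkstra from `root`: returns {router: (path cost, first-hop router)}."""
    adj = adjacency(lsdb)
    best_cost = {root: 0}
    result = {}
    heap = [(0, root, None)]            # (cost, router, first hop from root)
    while heap:
        cost, node, first_hop = heapq.heappop(heap)
        if node in result:
            continue                     # already settled with a cheaper path
        result[node] = (cost, first_hop)
        for nbr, link_cost in adj.get(node, {}).items():
            new_cost = cost + link_cost
            if new_cost < best_cost.get(nbr, float("inf")):
                best_cost[nbr] = new_cost
                hop = nbr if node == root else first_hop
                heapq.heappush(heap, (new_cost, nbr, hop))
    return result


def routing_table(lsdb, root):
    """Destination -> next hop, as installed in the RIB after SPF."""
    return {dst: hop for dst, (_, hop) in spf(lsdb, root).items() if dst != root}


def withdraw_link(lsdb, a, b):
    """Simulate a link failure: the LSA is flushed and every router reruns SPF."""
    return {link: cost for link, cost in lsdb.items() if set(link) != {a, b}}


if __name__ == "__main__":
    print("before failure:", routing_table(LSDB, "core1"))
    print("core1-dist1 down:", routing_table(withdraw_link(LSDB, "core1", "dist1"), "core1"))
```

Before the failure core1 reaches access1 via dist1 at cost 110; after the core1-dist1 link is withdrawn the recomputed tree sends that traffic through core2 and dist2 at cost 111. In a real deployment the time between the two tables is dominated by failure detection (BFD or carrier loss) and LSA propagation, not by the SPF run itself.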

3.2 Switching and VLAN Technologies

Virtual Local Area Networks conforming to IEEE 802.1Q provide logical traffic segmentation across the campus switching fabric, isolating user groups and services without requiring separate physical infrastructure for each segment (Comer, 2023). Rapid Spanning Tree Protocol (RSTP, originally IEEE 802.1w and now part of IEEE 802.1D) prevents layer-2 forwarding loops whilst providing rapid topology convergence following a link or switch failure. Link Aggregation conforming to IEEE 802.3ad (now IEEE 802.1AX, LACP) bundles multiple physical switch uplinks, simultaneously providing increased aggregate bandwidth and redundancy. Multiple Spanning Tree Protocol (MSTP, originally IEEE 802.1s and now incorporated into IEEE 802.1Q) extends RSTP with several independent spanning-tree instances, each carrying a group of VLANs with its own root bridge, so that VLAN traffic is load-balanced across redundant distribution switch uplinks rather than leaving one uplink idle in the blocking state.

3.3 Wireless Networking

Wi-Fi 6 (IEEE 802.11ax) access points are deployed throughout all OUGDC campus buildings. Wi-Fi 6 introduces Orthogonal Frequency Division Multiple Access (OFDMA) for efficient spectrum allocation across multiple concurrent users, Target Wake Time (TWT) for improved IoT device battery efficiency, and Basic Service Set (BSS) colouring to reduce inter-cell interference in high-density deployments (IEEE, 2021). These enhancements make Wi-Fi 6 particularly well-suited to the densely populated academic environment, where large numbers of students simultaneously connect during lectures or examinations. WPA3-Enterprise authentication with IEEE 802.1X and a RADIUS backend provides per-user encrypted wireless sessions, preventing eavesdropping and credential interception. Per-user keys only deliver that protection if the supplicant validates the RADIUS server’s certificate: without that check, a rogue access point broadcasting the same SSID can harvest credentials from password-based (PEAP) clients, so the server certificate and its issuing CA are pinned in the wireless profile pushed to managed devices.

3.4 Wide Area Networking: SD-WAN and MPLS

Software-Defined Wide Area Networking (SD-WAN) is employed for international campus connectivity, providing application-aware traffic steering, centralised policy orchestration via a cloud-based SD-WAN controller, and integrated security functions including firewall, URL filtering, and IPS within the SD-WAN edge devices. SD-WAN’s ability to dynamically select between MPLS, broadband internet, and 5G transport paths based on real-time Quality of Experience (QoE) metrics ensures that critical applications consistently receive optimal performance whilst reducing total WAN expenditure compared to purely MPLS-based designs. Multiprotocol Label Switching (MPLS), specified by the IETF in RFC 3031 and extensively documented by Davie and Rekhter (2000), provides the primary transport service for international campus connectivity, offering guaranteed bandwidth, deterministic latency, and traffic engineering capabilities.
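The application-aware steering described in Sections 2.5 and 3.4 is a per-application-class decision taken on each probe cycle. The following is an added example, not the report’s design or any SD-WAN vendor’s code: it assigns each application class an SLA (latency, loss, jitter) and a transport preference order, selects the most preferred transport that meets the SLA, falls over immediately when the current one fails, and damps fail-back so a flapping MPLS circuit is not returned to until it has stayed within SLA for several consecutive probes. The application classes, thresholds and probe readings are constructed assumptions.

```python
"""SD-WAN application-aware path selection with SLA classes and fail-back damping.

Added example, not the report's or any vendor's code. Application classes,
SLA thresholds and probe figures are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Sla:
    max_latency_ms: float
    max_loss_pct: float
    max_jitter_ms: float


@dataclass(frozen=True)
class Probe:
    """Latest measurement for one transport, as a BFD/probe engine would report it."""
    latency_ms: float
    loss_pct: float
    jitter_ms: float


# Assumed policy: application class -> (SLA, transports in order of preference).
POLICY: Dict[str, Tuple[Sla, List[str]]] = {
    "video-conf": (Sla(150, 1.0, 30), ["mpls", "internet"]),
    "erp":        (Sla(250, 2.0, 50), ["mpls", "internet"]),
    "bulk":       (Sla(400, 5.0, 100), ["internet", "mpls"]),  # offload to cheap path
}


def meets(sla: Sla, probe: Probe) -> bool:
    return (probe.latency_ms <= sla.max_latency_ms
            and probe.loss_pct <= sla.max_loss_pct
            and probe.jitter_ms <= sla.max_jitter_ms)


class PathSelector:
    def __init__(self, policy=POLICY, failback_probes: int = 3):
        self.policy = policy
        self.failback_probes = failback_probes   # damping: in-SLA probes before returning
        self.current: Dict[str, str] = {}        # app -> transport in use
        self.streak: Dict[Tuple[str, str], int] = {}  # (app, transport) -> consecutive good probes

    def select(self, app: str, probes: Dict[str, Probe]) -> str:
        sla, prefs = self.policy[app]
        for t in prefs:
            key = (app, t)
            self.streak[key] = self.streak.get(key, 0) + 1 if meets(sla, probes[t]) else 0
        in_sla = [t for t in prefs if meets(sla, probes[t])]
        current = self.current.get(app)
        if current in in_sla:
            # Stay put unless a more preferred transport has been healthy long enough.
            for t in prefs:
                if t == current:
                    break
                if self.streak[(app, t)] >= self.failback_probes:
                    self.current[app] = t
                    return t
            return current
        if in_sla:
            choice = in_sla[0]                   # most preferred transport meeting SLA
        else:
            # Every transport is out of SLA: take the least bad (loss first, then latency).
            choice = min(prefs, key=lambda t: (probes[t].loss_pct, probes[t].latency_ms))
        self.current[app] = choice
        return choice


if __name__ == "__main__":
    sel = PathSelector()
    healthy = {"mpls": Probe(40, 0.1, 5), "internet": Probe(90, 0.5, 15)}
    lossy_mpls = {"mpls": Probe(40, 3.0, 5), "internet": Probe(90, 0.5, 15)}
    for cycle, probes in enumerate([healthy, lossy_mpls, healthy, healthy, healthy]):
        print(cycle, sel.select("video-conf", probes), sel.select("bulk", probes))
```

Fail-over is immediate because a path outside SLA is never kept; fail-back is deliberate because the preferred path must prove itself first, which is what stops a marginal circuit from bouncing video calls between transports every probe interval.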

3.5 Software-Defined Networking in the Data Centre

The data centre employs Software-Defined Networking (SDN) principles, with a centralised SDN controller — implementing the OpenFlow protocol as specified by the Open Networking Foundation (ONF, 2014) — managing the spine-leaf switching fabric. SDN enables programmatic, API-driven network provisioning, rapid deployment of isolated virtual network segments for new research projects, and fine-grained traffic engineering in support of AI workload placement optimisation (Kreutz et al., 2015). The decoupling of the control plane from the data plane that characterises SDN architectures reduces network management complexity and enables automated, intent-based network configuration that is both more consistent and less error-prone than manual configuration of individual switch devices.

3.6 Quality of Service

Differentiated Services (DiffServ), as defined in RFC 2474 and the DiffServ architecture described in RFC 2475 (Blake et al., 1998), is implemented end-to-end across the OUGDC network to ensure consistent QoS treatment for traffic at all network tiers. Traffic is classified and marked at the access layer according to application type and user role, with priority queuing applied to latency-sensitive classes including video conferencing, VoIP, and real-time AI SEN application APIs. Weighted Fair Queuing (WFQ) is applied to bulk traffic classes to prevent starvation whilst ensuring equitable resource sharing during periods of congestion. Consistent DiffServ marking across core, distribution, and access layers ensures end-to-end QoS policy enforcement without per-packet inspection at intermediate nodes. Because the DSCP field is six plaintext bits that any host can set, markings are honoured only from trusted access ports: packets arriving from guest, BYOD, and IoT ports are re-marked to best effort at ingress so that an untrusted endpoint cannot place itself in the priority queue, and the priority queue is policed so that a flood of EF-marked traffic cannot starve the remaining classes.
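The pipeline above has three distinct steps that are easy to conflate: classification and marking at the edge, a trust boundary that decides whose marks survive, and queue selection at intermediate nodes that read nothing but the DSCP bits. The following is an added example, not from the report: it encodes and decodes the DSCP within the IPv4 TOS / IPv6 Traffic Class octet, re-marks at an untrusted port while preserving ECN, maps class selectors to queues, and runs a strict-priority plus weighted-round-robin scheduler over constructed queues. The application table, trusted roles and weights are assumptions.

```python
"""DiffServ classification, marking, trust-boundary re-marking and scheduling.

Added example, not from the original report. The application-to-DSCP table,
the role trust rules and the queue weights are constructed assumptions.
"""
from typing import Dict, List

# Standard DSCP code points (RFC 2474 class selectors, RFC 2597 AF, RFC 3246 EF).
EF, AF41, AF31, AF21, CS1, CS0 = 46, 34, 26, 18, 8, 0

# Access-layer classification policy (assumed): application -> DSCP.
APP_DSCP = {
    "voip": EF,
    "video-conf": AF41,
    "sen-inference-api": AF31,   # real-time assistive-technology calls
    "erp": AF21,
    "bulk-transfer": CS1,        # scavenger: below best effort
}
# Roles whose traffic may be marked above best effort; guest and IoT are not.
TRUSTED_ROLES = {"staff", "academic", "research", "ai-sen"}


def mark(app: str, role: str) -> int:
    """Classify at the access layer by application and user role."""
    if role not in TRUSTED_ROLES:
        return CS0
    return APP_DSCP.get(app, CS0)


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the top six bits of the IPv4 TOS / IPv6 Traffic Class octet."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x3)


def dscp_from_tos(tos: int) -> int:
    return (tos >> 2) & 0x3F


def ingress_remark(tos: int, port_trusted: bool) -> int:
    """Trust boundary: untrusted ports cannot inject EF; keep ECN bits, reset DSCP."""
    if port_trusted:
        return tos
    return tos_byte(CS0, tos & 0x3)


def queue_for(dscp: int) -> str:
    """Intermediate nodes read only the class selector (top three DSCP bits)."""
    selector = dscp >> 3
    if selector == 5:
        return "priority"      # EF: strict priority, policed to avoid starvation
    if selector in (4, 3):
        return "af-high"
    if selector == 2:
        return "af-med"
    if selector == 1:
        return "scavenger"
    return "best-effort"


def schedule(queues: Dict[str, List[str]], weights: Dict[str, int]) -> List[str]:
    """Strict priority for the EF queue, weighted round robin for every other queue."""
    pending = {name: list(pkts) for name, pkts in queues.items()}
    unknown = set(pending) - set(weights) - {"priority"}
    if unknown or any(w < 1 for w in weights.values()):
        raise ValueError(f"every non-priority queue needs a weight >= 1: {unknown}")
    order: List[str] = []
    while any(pending.values()):
        while pending.get("priority"):               # drain EF before each WRR round
            order.append(pending["priority"].pop(0))
        for name, weight in weights.items():
            for _ in range(weight):
                if pending.get(name):
                    order.append(pending[name].pop(0))
    return order


if __name__ == "__main__":
    for app, role in [("voip", "staff"), ("voip", "guest"), ("sen-inference-api", "ai-sen")]:
        d = mark(app, role)
        print(f"{app:18} {role:6} dscp={d:2} tos=0x{tos_byte(d):02x} queue={queue_for(d)}")
    print(schedule({"priority": ["v1", "v2"], "af-high": ["a1", "a2", "a3"],
                    "best-effort": ["b1", "b2"]}, {"af-high": 2, "best-effort": 1}))
```

The scheduler shows why the priority queue must be policed: as written, an endless supply of EF packets would keep the inner `while` busy and the weighted queues would never be served, which is exactly the starvation an untrusted host could cause if its EF markings were honoured.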

4. NETWORK SECURITY

The security architecture of the OUGDC network is designed in accordance with the principle of Defence-in-Depth, layering multiple complementary security controls across physical, network, and application domains to mitigate the risk of both external and insider threats. This section discusses the comprehensive security measures integrated into the network design.

4.1 Next-Generation Firewall and Perimeter Security

A Next-Generation Firewall (NGFW) deployed at the network perimeter provides stateful packet inspection, application identification and control, URL categorisation and filtering, SSL/TLS decryption and inspection, and integrated intrusion prevention capabilities. The NGFW enforces a default-deny policy, explicitly permitting only traffic flows required for operational purposes in accordance with the principle of least privilege. Vendor and community threat intelligence feeds are integrated into the NGFW to enable automated, real-time blocking of known malicious IP addresses, command-and-control domains, and malware file signatures. TLS inspection is applied only to managed endpoints that trust the inspection CA, with health, banking, and certificate-pinned application categories excluded so that inspection neither breaks those services nor conflicts with the university’s data protection obligations. High availability is achieved through an active-passive NGFW pair with sub-second failover, ensuring that perimeter security does not represent a single point of failure.

4.2 Intrusion Detection and Prevention

An Intrusion Detection and Prevention System (IDS/IPS), as described by Scarfone and Mell (2007) in NIST Special Publication 800-94, is deployed in-line at the distribution layer, analysing network traffic in real time for both signature-based and anomaly-based indicators of compromise. The IDS/IPS integrates with the university’s Security Information and Event Management (SIEM) platform, enabling centralised log aggregation, event correlation across multiple data sources, and automated alerting for security incidents. Regular signature updates ensure that the IPS maintains efficacy against newly identified threat variants. Behavioural anomaly detection capabilities provide supplementary protection against zero-day exploits and novel attack techniques not yet captured in signature databases.

4.3 Zero Trust Architecture

The network design adopts a Zero Trust Architecture (ZTA) approach, as specified in NIST Special Publication 800-207 (Rose et al., 2020), wherein no user, device, or network segment is implicitly trusted regardless of its physical or logical location. Multi-Factor Authentication (MFA) is mandatory for all administrative access, remote connections, and access to sensitive research data repositories. Micro-segmentation is implemented within the data centre to restrict lateral movement between compute workloads, ensuring that compromise of a single server does not enable unrestricted access to adjacent systems. Identity-aware proxies enforce continuous, per-session authorisation for access to AI SEN system APIs and research databases, with sessions re-evaluated based on device health, user behaviour, and contextual risk signals. This approach directly addresses the threat of insider attacks and compromised credential abuse, which represent significant risks in large academic environments.
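Continuous, per-session authorisation means the policy decision point is consulted on every request with the current device posture and risk signals, not once at login. The following is an added example, not the report’s design or any product’s policy engine: it evaluates role entitlement, a managed-device gate for special-category resources, MFA freshness, and a risk score built from contextual signals, and returns allow, step-up (re-prompt MFA) or deny. Calling it again with changed device health shows a session being cut off mid-way. Resource definitions, role names and risk weights are constructed assumptions.

```python
"""Per-request Zero Trust policy decision with continuous re-evaluation.

Added example; not the report's design or any product's engine. Resource
definitions, role names and risk weights are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, FrozenSet


@dataclass
class Device:
    managed: bool        # enrolled in the university MDM
    compliant: bool      # patched, host firewall on, disk encrypted
    edr_healthy: bool    # endpoint agent reporting in and clean


@dataclass
class Session:
    user: str
    roles: FrozenSet[str]
    mfa_age_min: int     # minutes since the last successful MFA
    device: Device


# Assumed resource policy: who may reach what, and on what kind of device.
RESOURCES = {
    "sen-api":     {"roles": {"sen-clinician", "sen-app"}, "managed_only": True,  "max_mfa_age": 60},
    "research-db": {"roles": {"researcher"},               "managed_only": True,  "max_mfa_age": 480},
    "lms":         {"roles": {"student", "academic"},       "managed_only": False, "max_mfa_age": 1440},
}
RISK_WEIGHTS = {"impossible_travel": 60, "new_asn": 20, "unusual_hour": 10}
DENY_AT, STEP_UP_AT = 60, 20


def risk_score(session: Session, signals: Dict[str, bool]) -> int:
    """Contextual risk from behavioural signals plus degraded endpoint health."""
    score = sum(w for name, w in RISK_WEIGHTS.items() if signals.get(name))
    if not session.device.edr_healthy:
        score += 40
    return score


def decide(session: Session, resource: str, signals: Dict[str, bool]) -> str:
    """Return 'allow', 'step-up' (re-prompt MFA) or 'deny' for this single request."""
    policy = RESOURCES[resource]
    if not session.roles & policy["roles"]:
        return "deny"                                   # not entitled at all
    dev = session.device
    if policy["managed_only"] and not (dev.managed and dev.compliant):
        return "deny"                                   # device posture is a hard gate
    score = risk_score(session, signals)
    if score >= DENY_AT:
        return "deny"
    if score >= STEP_UP_AT or session.mfa_age_min > policy["max_mfa_age"]:
        return "step-up"
    return "allow"


if __name__ == "__main__":
    laptop = Device(managed=True, compliant=True, edr_healthy=True)
    clinician = Session("clinician@ougdc.example", frozenset({"sen-clinician"}), 5, laptop)
    print("request 1:", decide(clinician, "sen-api", {}))
    laptop.edr_healthy = False                           # agent stops reporting mid-session
    print("request 2:", decide(clinician, "sen-api", {"new_asn": True}))
```

The ordering is deliberate: entitlement and device posture are hard gates evaluated before any risk arithmetic, so a non-compliant device can never "score its way in", and the step-up path lets a legitimate user recover from a merely suspicious signal without an outage to the assistive application.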

4.4 VPN and Encrypted Communications

All remote access connections and inter-campus communications are secured using IPsec (IKEv2 with ESP) using AES-256-GCM, an authenticated-encryption (AEAD) algorithm that provides confidentiality and integrity together, so no separate HMAC is layered over ESP; SHA-384 is used as the IKEv2 pseudo-random function and integrity algorithm, in line with the IETF algorithm requirements of RFC 8221 (ESP and AH) and RFC 8247 (IKEv2). The VPN Gateway supports both permanent site-to-site IPsec tunnels for international campus interconnections and SSL/TLS based clientless remote access VPN for individual users. Transport Layer Security version 1.3 (TLS 1.3), specified in RFC 8446, is enforced for all application-layer encrypted communications, with earlier TLS versions explicitly disabled. All data processed by the AI SEN support systems, including personally identifiable information relating to neurodiverse students, is encrypted both in transit and at rest using AES-256, ensuring compliance with the UK GDPR requirements for appropriate technical safeguards for the processing of special category personal data.

4.5 Network Access Control

IEEE 802.1X Network Access Control is implemented at all wired and wireless access switch ports. Devices attempting to connect to the network are authenticated via EAP-TLS (certificate-based, used for managed devices) or PEAP with an inner MSCHAPv2 exchange against a RADIUS server cluster integrated with the university’s Active Directory and LDAP directory infrastructure. Devices that fail authentication or do not satisfy endpoint compliance requirements (current operating system patches, an enabled host-based firewall, and up-to-date endpoint protection software) are automatically placed in a quarantine VLAN providing restricted internet access for remediation purposes only. Guest and visiting researcher wireless access is provided through a dedicated, isolated SSID with internet-only access and no inbound connectivity to internal OUGDC resources.
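The per-port VLAN placement described in Sections 2.3 and 4.5 is carried from the RADIUS server to the switch as tunnel attributes in the Access-Accept, and the switch only acts on them after checking the Response Authenticator. The following is an added example, not code from the report or from any RADIUS server: it models the authorisation decision (reject, quarantine VLAN, or a role VLAN), encodes the RFC 2865 reply with RFC 2868 Tunnel-Type/Tunnel-Medium-Type/Tunnel-Private-Group-Id attributes, computes and verifies the MD5 Response Authenticator, and parses the VLAN back out as a switch would. The EAP conversation itself (EAP-Message, State and Message-Authenticator attributes) is assumed to have completed; VLAN numbers, group names and the shared secret are constructed values.

```python
"""RADIUS Access-Accept with dynamic VLAN assignment for 802.1X ports.

Added example, not code from the report or from any RADIUS server. It models
the authorisation decision and the RFC 2865 / RFC 2868 packet encoding that
carries it back to the switch; the EAP conversation is assumed to have
completed. VLAN numbers, group names and the shared secret are constructed.
"""
import hashlib
import hmac
import struct
from typing import Dict, List, Optional, Tuple

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 1, 64, 65, 81
TUNNEL_TYPE_VLAN, TUNNEL_MEDIUM_IEEE_802 = 13, 6

# Assumed VLAN plan for the OUGDC access layer.
VLANS = {"ai-sen": 50, "research": 30, "staff": 10, "academic": 20, "quarantine": 999}


def decide(cert_valid: bool, groups: set, posture_ok: bool) -> Tuple[int, Optional[int]]:
    """Authorisation policy: returns (RADIUS code, VLAN to assign or None)."""
    if not cert_valid:
        return ACCESS_REJECT, None                     # EAP-TLS failed: no network at all
    if not posture_ok:
        return ACCESS_ACCEPT, VLANS["quarantine"]      # restricted remediation VLAN
    for group in ("ai-sen", "research", "staff", "academic"):   # most specific first
        if group in groups:
            return ACCESS_ACCEPT, VLANS[group]
    return ACCESS_REJECT, None                         # authenticated but not entitled


def attr(attr_type: int, value: bytes) -> bytes:
    """RFC 2865 attribute: Type, Length (including the two header octets), Value."""
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def tunnel_int(attr_type: int, value: int, tag: int = 0) -> bytes:
    """RFC 2868 tagged integer: one tag octet followed by a 24-bit value."""
    return attr(attr_type, bytes([tag]) + value.to_bytes(3, "big"))


def vlan_attributes(vlan: int) -> bytes:
    return (tunnel_int(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tunnel_int(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + attr(TUNNEL_PRIVATE_GROUP_ID, bytes([0]) + str(vlan).encode()))


def build_response(code: int, ident: int, request_auth: bytes, attrs: bytes, secret: bytes) -> bytes:
    """Response Authenticator = MD5(Code|ID|Length|RequestAuth|Attributes|Secret) (RFC 2865 s3)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_auth + attrs + secret).digest()
    return header + response_auth + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch (NAS) checks before trusting the VLAN assignment."""
    header, auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, auth)


def parse_attrs(attrs: bytes) -> List[Tuple[int, bytes]]:
    out, i = [], 0
    while i + 2 <= len(attrs):
        t, length = attrs[i], attrs[i + 1]
        if length < 2 or i + length > len(attrs):
            raise ValueError("malformed attribute")
        out.append((t, attrs[i + 2:i + length]))
        i += length
    return out


def vlan_from_packet(packet: bytes) -> Optional[int]:
    """Extract the assigned VLAN if the Accept carries a consistent tunnel triple."""
    if packet[0] != ACCESS_ACCEPT:
        return None
    found: Dict[int, bytes] = {t: v for t, v in parse_attrs(packet[20:])}
    if (found.get(TUNNEL_TYPE, b"")[1:] != TUNNEL_TYPE_VLAN.to_bytes(3, "big")
            or found.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")):
        return None
    group = found.get(TUNNEL_PRIVATE_GROUP_ID)
    if group is None:
        return None
    if group[0] <= 0x1F:            # leading octet is a tag, not part of the string
        group = group[1:]
    return int(group.decode())


def authorise(identity: str, cert_valid: bool, groups: set, posture_ok: bool,
              ident: int, request_auth: bytes, secret: bytes) -> bytes:
    """Produce the RADIUS reply packet for one completed 802.1X authentication."""
    code, vlan = decide(cert_valid, groups, posture_ok)
    attrs = attr(USER_NAME, identity.encode())
    if vlan is not None:
        attrs += vlan_attributes(vlan)
    return build_response(code, ident, request_auth, attrs, secret)
```

Two practical points follow from the code: the Response Authenticator is only as strong as the shared secret, so RADIUS between switch and server should run over a dedicated management VLAN or RadSec (RADIUS over TLS); and the switch must apply a VLAN only when all three tunnel attributes agree, otherwise a stray Tunnel-Private-Group-Id could be misread as a VLAN number.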

4.6 Physical Security

Physical security measures are implemented in accordance with ISO/IEC 27001:2022 (ISO, 2022) and BSI best practice guidance (BSI, 2022). Server rooms and data centre facilities are protected by multi-factor physical access controls comprising proximity card readers and biometric fingerprint authentication, 24-hour CCTV surveillance with tamper-evident recording, environmental monitoring systems detecting temperature excursions, humidity anomalies, and water ingress, and Uninterruptible Power Supply (UPS) systems with N+1 redundancy backed by diesel generator support. Cable plant is managed in locked, segregated pathways to minimise the risk of accidental disconnection, electromagnetic interference, or deliberate tampering. All network hardware is asset-tagged, inventoried, and subject to periodic physical audit to detect unauthorised additions or substitutions.

4.7 DDoS Mitigation and Cyber Essentials Plus

DDoS mitigation is implemented through a combination of upstream scrubbing services provided by the Janet DDoS Mitigation Service, which filters volumetric attack traffic before it reaches the campus perimeter, and rate limiting and traffic shaping policies at the NGFW for low-volume application-layer attacks. OUGDC maintains Cyber Essentials Plus certification under the UK government-backed assurance scheme (NCSC, 2022), ensuring that fundamental security controls including boundary firewalls, secure configuration, access control, malware protection, and patch management are independently verified on an annual basis. Certification of this kind is required under a growing number of UK government and research-funder contract conditions and demonstrates the university’s commitment to a baseline of security hygiene across its network infrastructure.
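The application-layer rate limiting mentioned above is usually a per-source token bucket: each client earns tokens at a steady rate up to a burst ceiling and each request spends one. The following is an added example, not from the report or any firewall product: it replays a constructed access log (epoch milliseconds, client IP, method, path) through per-source buckets and reports how many requests each source had allowed and dropped. Timestamps are kept in integer milliseconds so the refill arithmetic is exact; the rate and burst are assumptions a practitioner would tune per endpoint.

```python
"""Per-source token-bucket rate limiting over an access log.

Added example, not from the report. The log lines are constructed for
illustration (epoch milliseconds, client IP, method, path); the rate and
burst values are assumptions a practitioner would tune per endpoint.
"""
import re
from typing import Dict, List, Tuple

LINE = re.compile(r"^(?P<ts>\d+) (?P<src>[\d.]+) (?P<method>[A-Z]+) (?P<path>\S+)$")


class TokenBucket:
    def __init__(self, rate_per_s: float, burst: int):
        self.rate = rate_per_s
        self.capacity = float(burst)
        self.tokens = float(burst)     # a fresh client may burst up to `burst` requests
        self.last_ms = None

    def allow(self, now_ms: int) -> bool:
        if self.last_ms is not None:
            refill = (now_ms - self.last_ms) * self.rate / 1000.0
            self.tokens = min(self.capacity, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False                   # over rate: drop (or tarpit) this request


def limit(lines: List[str], rate_per_s: float, burst: int) -> List[Tuple[int, str, str]]:
    """Replay log lines in time order; returns (ts, src, 'allow'|'drop') per request."""
    buckets: Dict[str, TokenBucket] = {}
    parsed = []
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue                   # ignore malformed lines rather than crash
        parsed.append((int(m["ts"]), m["src"]))
    out = []
    for ts, src in sorted(parsed):
        bucket = buckets.setdefault(src, TokenBucket(rate_per_s, burst))
        out.append((ts, src, "allow" if bucket.allow(ts) else "drop"))
    return out


def summarise(decisions: List[Tuple[int, str, str]]) -> Dict[str, Tuple[int, int]]:
    """src -> (allowed, dropped)."""
    counts: Dict[str, Tuple[int, int]] = {}
    for _, src, verdict in decisions:
        a, d = counts.get(src, (0, 0))
        counts[src] = (a + 1, d) if verdict == "allow" else (a, d + 1)
    return counts


def sample_log() -> List[str]:
    """Constructed log: one client hammering /login, one browsing normally."""
    base = 1_700_000_000_000
    lines = [f"{base + 50 * i} 203.0.113.5 POST /login" for i in range(20)]
    lines += [f"{base + 400 * i} 198.51.100.7 GET /lms/course/{i}" for i in range(3)]
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, (allowed, dropped) in summarise(limit(sample_log(), 5, 10)).items():
        print(f"{src:14} allowed={allowed:2} dropped={dropped:2}")
```

With a rate of 5 requests per second and a burst of 10, the client sending 20 login attempts in one second gets 14 through and 6 dropped, while the normal browser is untouched. Keying buckets on source address alone is weak against distributed attacks, which is why the design pairs this with upstream scrubbing and, for authentication endpoints, would key on username as well.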

5. EVALUATION

5.1 Effectiveness of the Design

The proposed network architecture comprehensively addresses the requirements identified in Section 1. The hierarchical three-tier campus design provides the modularity, performance predictability, and incremental scalability required to support OUGDC’s growth trajectory, whilst fully redundant core layer infrastructure with diverse fibre routing delivers the four-nines (99.99%) availability necessary for research-critical operations. The integration of SD-WAN for international campus connectivity achieves a favourable balance between performance and cost efficiency, providing dynamic path selection and centralised policy management that would be impractical with purely static MPLS designs. The deployment of Wi-Fi 6 technology addresses the high-density wireless requirements of modern academic environments, with OFDMA and BSS colouring providing measurable improvements in per-user throughput and latency in congested deployment scenarios (IEEE, 2021).

The incorporation of a dedicated AI compute cluster within the on-premises data centre, connected via a low-latency spine-leaf fabric, directly supports the university’s strategic research agenda in artificial intelligence and enables the deployment and operation of AI-based assistive technologies for neurodiverse students within an appropriately secured environment. The adoption of Zero Trust Architecture and Defence-in-Depth security principles provides robust, layered protection for sensitive research data and personal information, ensuring regulatory compliance with UK GDPR, the Data Protection Act 2018, and JANET Acceptable Use Policy.

5.2 Limitations and Proposed Solutions

Several limitations of the proposed design merit critical consideration. Firstly, the capital and operational expenditure associated with a fully redundant three-tier hierarchical network, dedicated on-premises data centre AI cluster infrastructure, and MPLS WAN circuits represents a substantial financial commitment that may challenge institutional budget cycles. As a mitigation strategy, a phased deployment approach is recommended, prioritising core infrastructure redundancy and data centre security in an initial phase whilst deferring less critical access-layer enhancements and international SD-WAN expansion to subsequent phases aligned with the university’s capital investment programme.

Secondly, the operational complexity of managing a heterogeneous, multi-vendor network environment, encompassing NGFWs, core switches, SD-WAN edge devices, SDN controllers, RADIUS infrastructure, and SIEM platforms, may place significant demands upon the university’s IT operations team. The adoption of a unified, vendor-agnostic Network Management System (NMS) with AI-driven anomaly detection, automated configuration compliance checking, and intent-based provisioning would substantially reduce manual operational burden and improve Mean Time to Resolution (MTTR) for network incidents.

Thirdly, whilst the Zero Trust Architecture provides strong security guarantees against both external and insider threats, its implementation introduces additional per-session authentication and policy evaluation overhead that may introduce latency into real-time AI inference calls from SEN support applications. This latency may be perceptible in time-sensitive assistive interactions. Proposed mitigations include the deployment of edge caching for policy decisions, hardware-accelerated cryptographic processing within ZTA proxy appliances, and the selective co-location of latency-sensitive AI inference endpoints within the same network segment as end-user access switches. These measures would maintain the security benefits of ZTA whilst minimising its performance impact on the neurodiverse student user experience.

In conclusion, the proposed network design for OUGDC represents a mature, enterprise-grade architecture that successfully balances the competing demands of performance, security, scalability, and operational manageability for a complex, research-intensive institution. With the phased implementation strategy and operational tooling enhancements proposed above, the architecture provides a robust and sustainable foundation for the university’s digital operations over the strategic planning horizon.