Must Gateways Be Configured at the Core? A Complete Comparison of Gateway Deployment Across Different Architectures

If you’ve ever wondered:

  • Can aggregation switches handle VLANIF interfaces?
  • Will using the core as a gateway overburden it?
  • Is it secure to place gateways at the access layer?

After reading this article, you’ll be able to determine where and how to properly deploy your gateways.

01 | First, Let’s Clarify: What Is a Gateway’s Purpose?

Simply put: A gateway serves as a subnet’s exit point, allowing you to access other network segments.
Technically, it manifests as a VLANIF interface—a Layer 3 logical interface configured on a device to enable L3 forwarding.
Whichever device hosts this interface becomes the “gateway” for that VLAN.

02 | What Do Three Mainstream Gateway Deployment Models Look Like?

Let’s examine how gateways are deployed across three common campus network architectures:

Model One: Gateways at the Core Layer (Classic Three-Layer)

Characteristics:

  • All VLANIF interfaces are configured on core switches
  • Aggregation/access layers only perform Layer 2 forwarding

Suitable scenarios:

  • Medium to large campus networks
  • Multiple services, numerous VLANs, complex Layer 3 policies

Advantages:

  • Centralized gateways for unified management
  • Routing tables at the core provide clear path visibility
  • Centralized security policy deployment with firewalls near the core

Disadvantages:

  • All north-south and east-west traffic must traverse the core, putting it under heavy load
  • The core becomes a single point of failure and potential bottleneck

Model Two: Gateways at the Aggregation Layer (Flat Three-Layer)

Characteristics:

  • VLANIF interfaces configured at the aggregation layer
  • Aggregation layer handles L3 forwarding; core only manages route summarization or exit connections

Suitable scenarios:

  • Medium-sized campus networks with clearly defined service areas
  • Relatively independent aggregation zones (e.g., organized by floor or area)

Advantages:

  • Reduced core load
  • Aggregation layer can implement localized ACLs and security policies
  • Flatter network structure, easier to expand

Disadvantages:

  • Each aggregation switch maintains routing tables, increasing routing complexity
  • Communication between aggregation layers must traverse the core, creating slightly indirect routing paths

Model Three: Gateways at the Access Layer (Edge Gateways)

Characteristics:

  • VLANIF interfaces placed on access switches
  • Each access switch functions as a Layer 3 device

Suitable scenarios:

  • Small networks with simple deployments
  • IoT or branch scenarios where devices are relatively fixed with strong isolation requirements

Advantages:

  • Extremely simplified network without requiring an aggregation layer
  • All forwarding completed locally, high efficiency

Disadvantages:

  • Dispersed device configuration, complex management
  • Distributed security policies that are difficult to maintain
  • Increased load on access switches, making them more prone to failures

03 | So Where Should Gateways Be Configured?

This depends on your network scale + business requirements:
  • Small networks (≤50 devices): Access layer industrial routers serving as gateways
  • Medium networks (50-500 devices): Aggregation layer gateways
  • Large networks (500+ devices): Core layer gateways

04 | Are “Hybrid Deployments” Possible?

Yes. Many real-world projects use “mixed” approaches:
  • Most VLANIF interfaces placed at the core for centralized management
  • Certain specialized networks (like surveillance cameras, security systems) placed at aggregation or access layers for local isolation and forwarding
  • Wireless controllers and DHCP servers deployed in a distributed manner using virtual gateways (SVIs) + DHCP relay
The key consideration remains your business traffic patterns and network flow structure.

05 | Practical Deployment Recommendations

  • Core-layer gateways work well, but require reliable devices + clear routing + sufficient resources
  • When using aggregation-layer gateways, each aggregation switch should only manage its own VLANs, avoiding cross-region mixing
  • Access-layer gateways are recommended for small-scale/independent segments/branch node scenarios
  • If implementing gateway redundancy, remember to use VRRP or HVRRP for high availability
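
An added example, not from the original article: a small Python audit of two of the recommendations above (each aggregation zone owns its own VLANs, and redundant gateways share a VRRP virtual IP), run over constructed VRP-style config snippets. Device names, zones and addresses are hypothetical, and the check assumes every VLAN is meant to have a redundant gateway.

```python
import re
# Constructed sample: VRP-style snippets keyed by (device, zone); all names are hypothetical.
CONFIGS = {
    ("agg-a1", "zone-a"): """
interface Vlanif10
 ip address 10.1.10.2 255.255.255.0
 vrrp vrid 10 virtual-ip 10.1.10.1
interface Vlanif20
 ip address 10.1.20.1 255.255.255.0
""",
    ("agg-a2", "zone-a"): """
interface Vlanif10
 ip address 10.1.10.3 255.255.255.0
 vrrp vrid 10 virtual-ip 10.1.10.1
""",
    ("agg-b1", "zone-b"): """
interface Vlanif20
 ip address 10.1.20.2 255.255.255.0
interface Vlanif30
 ip address 10.1.30.2 255.255.255.0
 vrrp vrid 30 virtual-ip 10.1.30.1
""",
}

# One VLANIF stanza: the interface line plus its indented body lines.
STANZA = re.compile(r"^interface Vlanif(\d+)\n((?: .*\n?)*)", re.M | re.I)
VRRP = re.compile(r"^ vrrp vrid \d+ virtual-ip (\S+)", re.M)

def parse_vlanifs(text):
    """Map each VLAN id that has a VLANIF to its VRRP virtual IP (None if no VRRP)."""
    out = {}
    for vlan, body in STANZA.findall(text):
        vip = VRRP.search(body)
        out[int(vlan)] = vip.group(1) if vip else None
    return out

def audit(configs):
    """Return (vlan, finding) pairs for gateways that break the recommendations."""
    hosts = {}  # vlan -> [(zone, virtual_ip)], one entry per device hosting the VLANIF
    for (_device, zone), text in configs.items():
        for vlan, vip in parse_vlanifs(text).items():
            hosts.setdefault(vlan, []).append((zone, vip))
    findings = []
    for vlan, entries in sorted(hosts.items()):
        zones, vips = sorted({z for z, _ in entries}), {v for _, v in entries}
        if len(zones) > 1:  # same VLAN routed in more than one zone
            findings.append((vlan, "VLANIF present in zones " + ",".join(zones)))
        if len(entries) == 1 or None in vips or len(vips) > 1:
            findings.append((vlan, "no gateway pair sharing one VRRP virtual IP"))
    return findings
```

On the sample, VLAN 10 passes, VLAN 20 is flagged for both cross-zone mixing and missing VRRP, and VLAN 30 is flagged because only one device hosts its gateway.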

Final Thoughts

Gateway placement isn’t an arbitrary decision.
It involves ensuring the entire network architecture is rational, business traffic flows smoothly, devices can handle the load, and maintenance remains manageable.
In summary:
  • Small networks: Edge gateways
  • Medium networks: Aggregation gateways
  • Large networks: Core gateways
A good architecture prevents chaos, supports expansion, and facilitates troubleshooting.