Designing a Redundant Campus Core with Cisco Catalyst 9500/9600 and Fortinet Firewalls: Architectural Options Beyond Simple Stacking


Designing a campus core is a long-term decision. For most enterprises, a core built on Cisco Catalyst 9500 or 9600 is expected to remain in service for five to eight years, survive multiple software upgrades, and tolerate both planned and unplanned failures.

The most common default approach is to deploy StackWise Virtual (SVL) and treat the core as a single logical system. While this works well in many environments, it is not the only viable option—and in some cases, not the most resilient one.

This article explores redundant campus core design options beyond simple stacking, with a focus on Catalyst 9500/9600 switches and Fortinet firewalls, highlighting real-world trade-offs that network engineers and architects must consider.


Part 1: Catalyst 9500 vs. Catalyst 9600: Choosing the Core Foundation

Before discussing topology, the platform choice matters.

Catalyst 9500: Fixed-Core Design

The Catalyst 9500 is a fixed-form-factor core switch commonly used in campus environments.

  • High-performance Layer 2 and Layer 3 switching
  • SVL support for dual-core designs
  • Compact footprint and lower operational complexity

Redundancy on the 9500 is typically achieved by deploying two switches in StackWise Virtual, creating a single logical control plane.

Catalyst 9600: Modular, High-Availability Core

The Catalyst 9600 is Cisco’s modular campus core platform, designed for environments where resiliency is a primary requirement.

  • Dual or quad supervisor support
  • Redundant power, fabric, and control components
  • Sub-second failover with SSO / NSF

Unlike the 9500, the 9600 can achieve high availability within a single chassis, and optionally extend that redundancy across multiple chassis using SVL.

Key distinction:
The 9500 relies on external redundancy. The 9600 provides internal redundancy by design.


Part 2: Architecture Choices: Beyond “Just Stack Them”

Option 1: StackWise Virtual (SVL)

StackWise Virtual connects two physical switches into one logical system using high-speed links.

Advantages

  • Eliminates Spanning Tree at the core
  • Enables Multi-Chassis EtherChannel (MEC)
  • Simplifies gateway design (no HSRP/VRRP required)

Trade-off

  • Both switches share a single control plane
  • Rare software or control-plane faults can affect both members simultaneously

SVL is operationally simple and widely deployed, but it introduces a shared-fate risk that some environments are not willing to accept.

Option 2: Standalone Layer 3 Core with ECMP

In this model, each core switch operates independently with its own control plane.

  • Access and distribution layers connect using routed links
  • ECMP (Equal Cost Multi-Path) provides load sharing
  • HSRP or VRRP delivers gateway redundancy

Advantages

  • Complete control-plane isolation
  • Failures are fully contained to a single device

Trade-off

  • More configuration complexity
  • Requires careful tuning of routing and FHRP timers

This approach is often preferred in environments where failure domains must be strictly separated, even at the cost of operational simplicity.
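
An added IOS XE configuration for one core switch in the Option 2 design (not from the original article or from Cisco): routed uplinks running OSPF with ECMP and BFD, plus an HSRP gateway with sub-second timers and MD5 authentication. Hostnames, interface names, addresses, VLAN 10, all timer values and the key chain are assumptions chosen for illustration.

```cisco
! CORE-A (constructed example; every name, address and timer is a placeholder).
! CORE-B mirrors this with its own addresses and the default HSRP priority (100).
ip routing
!
vlan 10
 name USERS
!
key chain HSRP-KEYS
 key 1
  key-string <replace-with-secret>
!
router ospf 1
 router-id 10.255.0.1
 ! Form adjacencies only on routed uplinks, never on user-facing SVIs
 passive-interface default
 no passive-interface TenGigabitEthernet1/0/1
 ! Install up to four equal-cost paths (ECMP)
 maximum-paths 4
 timers throttle spf 50 200 5000
 bfd all-interfaces
!
! Routed point-to-point uplink to a distribution switch (repeat per neighbor)
interface TenGigabitEthernet1/0/1
 description Routed link to DIST-1
 no switchport
 ip address 10.0.1.0 255.255.255.254
 ip ospf network point-to-point
 ip ospf 1 area 0
 ! BFD detects a dead neighbor in about 900 ms (3 x 300 ms)
 bfd interval 300 min_rx 300 multiplier 3
!
! Layer 2 trunk to CORE-B so both cores share the HSRP VLAN
interface TenGigabitEthernet1/0/24
 description Trunk to CORE-B for HSRP VLANs
 switchport mode trunk
 switchport trunk allowed vlan 10
!
! Gateway SVI: CORE-A is the active HSRP router for VLAN 10
interface Vlan10
 ip address 10.10.10.2 255.255.255.0
 ip ospf 1 area 0
 standby version 2
 standby 10 ip 10.10.10.1
 standby 10 priority 110
 ! Delay preemption so routing converges before CORE-A takes the gateway back
 standby 10 preempt delay minimum 60
 ! 250 ms hellos, 750 ms hold time
 standby 10 timers msec 250 msec 750
 ! Reject HSRP hellos that do not carry the shared key
 standby 10 authentication md5 key-chain HSRP-KEYS
```

Sub-second hello timers increase control-plane load as the number of HSRP groups and BFD sessions grows, so test the values against the platform's supported scale before rollout.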


Part 3: Integrating Fortinet Firewalls into the Campus Core

When Cisco core switches are paired with Fortinet FortiGate firewalls, the design usually follows one of two patterns.

Pattern 1: Layer 3 Core with Firewalls at the Edge

  • Catalyst 9500/9600 handles inter-VLAN routing
  • FortiGate is used for north-south traffic inspection
  • Firewall connects via routed links or transit VLANs

This model leverages the routing scale and stability of the Catalyst core while keeping security policies centralized.

Pattern 2: Firewall-Centric Gateway Design

  • FortiGate provides the default gateway for all VLANs
  • Catalyst core operates primarily at Layer 2

This simplifies policy enforcement but increases firewall load and may reduce overall campus scalability.

Operational note:
For Fortinet HA (active-passive), use aggregated interfaces (LAG) for both data traffic and session synchronization to avoid throughput bottlenecks.


Part 4: From Architecture to Deployment: Practical Sourcing Considerations

Once the design decision is made—SVL or standalone L3—the next challenge is execution.

In real projects, teams often encounter:

  • Long OEM lead times for specific Catalyst 9500/9600 SKUs
  • IOS XE version constraints tied to supervisor or line card models
  • Campus refreshes involving hardware that is approaching EOS but still operationally required

At this stage, the problem is no longer architectural—it is logistical.

In similar campus core deployments, router-switch is sometimes evaluated as a sourcing option, particularly when engineers need:

  • Specific Catalyst 9500/9600 models rather than a forced platform change
  • Predictable availability across regions
  • Hardware continuity for phased migrations or Fortinet-integrated designs

In these cases, the value is not in replacing the design, but in enabling the design to be deployed without compromise.


Part 5: Enhancing Resiliency with Catalyst 9000 Features

Regardless of topology, Catalyst 9500/9600 platforms support features that significantly improve uptime:

  • ISSU (In-Service Software Upgrade): Enables upgrades with minimal traffic impact
  • GIR (Graceful Insertion and Removal): Allows controlled maintenance windows
  • NSF / SSO: Maintains forwarding during control-plane events

These capabilities are essential for campus cores that must remain operational during maintenance cycles.


Part 6: FAQ: Campus Core Design with Catalyst 9500/9600

Q1. Do I have to use StackWise Virtual in a campus core?

No. While SVL simplifies operations, a standalone Layer 3 ECMP design is a valid alternative that avoids shared control-plane risk.

Q2. What makes the Catalyst 9600 more resilient than the 9500?

The 9600 provides internal redundancy through dual supervisors, fabrics, and power systems, while the 9500 depends on external stacking for redundancy.

Q3. Can Fortinet firewalls handle all campus routing?

They can, but doing so increases firewall load and may limit scalability. Many designs keep inter-VLAN routing on the Catalyst core.

Q4. Is sub-second failover possible without stacking?

Yes, with proper tuning of routing protocols, FHRP timers, and NSF/SSO, convergence can be achieved in sub-second ranges.

Q5. Can core upgrades be done without downtime?

In many cases, yes. ISSU and fast upgrade mechanisms allow maintenance with minimal traffic disruption, depending on platform and software version.


Part 7: Key Takeaways

  • StackWise Virtual is powerful but introduces shared-fate risk
  • Standalone Layer 3 cores offer stronger isolation at the cost of complexity
  • Catalyst 9500 and 9600 target different availability models
  • Fortinet integration works best when routing and security roles are clearly defined
  • Successful campus core projects depend as much on deployment reality as on architecture