SONiC Capabilities: Empowering Networks with Open-Source Solutions


Reference Campus Network Design: Deploying SONiC Lite on Access Switches

At PLVision, we know that secure, high-performance connectivity is the backbone of office or campus network infrastructure. In this blueprint, we present a robust network design that leverages SONiC Lite, PLVision's enterprise distribution of SONiC for access platforms in campus deployments, to unify wired and wireless edge devices under a single, programmable, and vendor-neutral operating system.

This reference campus network design uses the flexibility of SONiC Lite to enable seamless integration of PoE-capable Wi-Fi access points and IP cameras, reducing cabling and installation complexity. It features access control with 802.1X and RADIUS for secure authentication and dynamic VLAN assignment, scalable performance for high-density Wi-Fi 6E/7 and HD video streams, and management through a consistent CLI for simplified configuration, monitoring, and rapid deployment of new services and policies.

In the sections that follow, we’ll walk through the key architectural components, demonstrate how SONiC Lite CLI commands are used, and highlight best practices for ensuring a resilient, future-proof office or campus network.

Building a Modern Campus Network with SONiC Lite

A modern office or campus network must accommodate Bring Your Own Device (BYOD) environments, supporting a wide range of personal devices such as laptops, smartphones, and tablets. The network must be robust, scalable, and secure to ensure reliable performance and protect sensitive data in these dynamic settings. This requires the implementation of several key capabilities: 

  • High-speed wireless coverage to ensure campus-wide distribution of Wi-Fi access points for seamless and reliable connectivity. 
  • Network Access Control (NAC) to implement 802.1X authentication systems that verify users and enforce network security policies. 
  • Traffic segmentation into separate VLANs, reducing the risk of lateral movement in the event of a security breach.

In addition, it is essential to future-proof the infrastructure against growing traffic demands. New wireless standards such as Wi-Fi 6E (802.11ax) and Wi-Fi 7 (802.11be) require support for multigigabit access speeds. Increasingly, 2.5 GbE or 5 GbE access ports for end-user devices and 25 GbE uplinks within the network infrastructure are becoming standard, highlighting the importance of a scalable and high-performance network backbone. 

Figure 1. Required Features for Building a Campus Network 

Figure 1 outlines the essential features required for deployment, while Figure 2 provides a sample campus network architecture. The access switch is at the heart of this setup, delivering connectivity for various endpoints. HCL-certified SONiC Lite switches are an excellent solution for single-site deployments or small office networks. To explore all supported PoE-capable devices, including models like Edgecore 4650P/4655 and Wistron ES-2227-54TS/ES-2221-54TS, visit the SONiC Lite Hardware Compatibility page. 

 Figure 2. SONiC Lite Small Office/Campus Network Example

In the illustrated topology, a Layer 3 switch delivers several key services: 

  • PoE (Power over Ethernet) for wired devices such as access points and security cameras simplifies power and data delivery via a single Ethernet cable. 
  • DHCP relay supports clients connected through access points, enabling centralized IP address management across subnets. 
  • 802.1X authentication for desktop PCs enhances user verification and network access control. 

A laptop connects to a Wireless Access Point (WAP) that receives both power and network connectivity over a single Ethernet cable, effectively reducing cabling costs. The PoE feature includes support for adjustable power limits and transmission speeds, allowing for customizable and efficient deployments. 

To access network services, client devices such as laptops or IP phones must obtain an IP address from a DHCP server. In many networks, this server resides in a separate VLAN or subnet to enhance security and facilitate scaling. DHCP relay (also known as a helper function) is essential in such scenarios. It forwards client DHCP requests to the appropriate VLAN and DHCP server, ensuring uninterrupted address assignment regardless of the device’s physical or logical network position.

The configuration illustrated below showcases the features typically required to implement a functional and future-ready office or campus network. 

Centralized and Secure Network Access Control via RADIUS

Security is a foundational pillar of modern network architecture. Through 802.1X, organizations can effectively block unauthorized devices from gaining network access, while RADIUS servers empower administrators to enforce access policies based on device identity, user credentials, and user roles. 

By configuring RADIUS authentication, network teams can implement dynamic VLAN assignment and session control for wired connections. This strengthens security and ensures seamless scalability as the number of users and devices continues to grow.

Example: 802.1X and RADIUS Configuration

    sonic-cli
    configure terminal
    nac enable
    nac auth radius
    nac radius primary host <ip_address> key <key>
    nac port Ethernet 0 enable
    do show nac

        Admin state  : up
        Auth type    : radius
        NAC type     : port

        NAC RADIUS server  Role       Auth port  Acct port  Key
        ------------------ ---------- ---------- ---------- ------------------
        172.20.10.124      primary    1812       1813       testing123

        NAC           Quiet    Supp     TX       EAP Auth  EAP Reauth  RADIUS
        Profile       Period   Timeout  Period   Method    Period      Prim. Retry
        ------------- -------- -------- -------- --------- ----------- ------------
        profile1      300      450      310      MD5       300         600

    do show nac session

        NAC sessions:

        Interface     Admin state   NAC status
        ------------- ------------- ---------------
        Ethernet0     up            authorized
        Ethernet1     down          unauthorized
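
The sample output above shows a short RADIUS key in clear text and MD5 as the EAP method, both worth catching before such a configuration reaches production. The following is an added example, not PLVision code: a small Python audit that parses the `show nac` and `show nac session` tables in the layout printed on this page. The policy values (`KNOWN_SECRETS`, `MIN_SECRET_LEN`) and the reading of "Admin state" as the per-port NAC state are assumptions.

```python
import re
# Table layout and values are the sample output printed on this page.
SAMPLE = """\
NAC RADIUS server  Role       Auth port  Acct port  Key
------------------ ---------- ---------- ---------- ------------------
172.20.10.124      primary    1812       1813       testing123

NAC           Quiet    Supp     TX       EAP Auth  EAP Reauth  RADIUS
Profile       Period   Timeout  Period   Method    Period      Prim. Retry
------------- -------- -------- -------- --------- ----------- ------------
profile1      300      450      310      MD5       300         600

Interface     Admin state   NAC status
------------- ------------- ---------------
Ethernet0     up            authorized
Ethernet1     down          unauthorized
"""

# Assumed review policy, not a SONiC Lite default.
# "testing123" is the sample secret in FreeRADIUS's default clients.conf.
KNOWN_SECRETS = {"testing123", "secret", "radius", "password"}
MIN_SECRET_LEN = 16

def tables(text):
    """Split CLI output into tables; column spans come from each dashed ruler."""
    out, spans = [], None
    for line in text.splitlines():
        if re.fullmatch(r"\s*-+(\s+-+)+\s*", line):
            spans = [m.span() for m in re.finditer(r"-+", line)]
            spans[-1] = (spans[-1][0], None)  # last column runs to end of line
            out.append([])
        elif spans and line.strip():
            out[-1].append([line[a:b].strip() for a, b in spans])
        else:
            spans = None  # blank or header line: no table is open
    return out

def audit(text):
    """Return findings for the servers, profiles and sessions tables, in that order."""
    servers, profiles, sessions = tables(text)
    weak = [f"{r[0]}: weak RADIUS shared secret" for r in servers
            if r[4].lower() in KNOWN_SECRETS or len(r[4]) < MIN_SECRET_LEN]
    # EAP-MD5 offers no mutual authentication and is open to offline guessing.
    md5 = [f"{r[0]}: EAP-MD5 in use" for r in profiles if r[4].upper() == "MD5"]
    # Assumption: "Admin state" reflects `nac port ... enable` for that port.
    no_nac = [f"{r[0]}: NAC not enabled" for r in sessions if r[1] != "up"]
    return weak + md5 + no_nac

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The findings never echo the shared secret itself, so the report can be stored or ticketed without leaking the key.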

Restricting network access is just the beginning. Once devices are authenticated and connected, they must also receive appropriate IP configurations to enable efficient communication across a growing and distributed infrastructure. This is where centralized address management becomes essential. 

Simplified DHCP Relay Deployment

As enterprises grow across multiple physical locations and VLANs, centralized IP address allocation becomes increasingly complex. SONiC Lite streamlines DHCP relay configuration, ensuring that client devices – regardless of their physical site or VLAN – can reliably receive IP addresses from centralized DHCP servers. 

This capability is crucial for maintaining a consistent and unified IP address management strategy, especially when supporting mobile workforces, IoT devices, and distributed branch offices. With SONiC Lite, DHCP relay is fast to configure and easy to manage, particularly in dynamic environments that demand frequent updates or high availability.

Example: DHCP Relay Configuration

    sonic-cli
    configure terminal
    interface Vlan 10
    exit
    interface Ethernet 53
    switchport access Vlan 10
    dhcp-relay vlan 10 helper 192.2.10.202

    do show dhcp-relay helper

        --------------- -------------------
        Interface       DHCP Relay address
        --------------- -------------------
        Vlan10          192.2.10.202
        --------------- -------------------

    do show Vlan

        Q: A - Access (Untagged), T - Tagged
        NUM        Status      Q Ports
        10         Active      A  Ethernet53

With IP address management streamlined across the network, the next frontier is powering the growing variety of connected devices – from VoIP phones to next-generation Wi-Fi access points. In this context, seamless power delivery becomes just as vital as dependable network connectivity. 

Precision Control of Power over Ethernet (PoE)

For campus deployments involving VoIP phones, security cameras, wireless access points, and other endpoint devices, Power over Ethernet (PoE) streamlines both cabling and device management. Devices powered by SONiC Lite support the full spectrum of modern PoE standards, from PoE and PoE+ to PoE++ (IEEE 802.3af/at/bt), ensuring seamless compatibility with both high-power and low-power devices.

In combination with high-speed port capabilities – 1Gbps, 2.5Gbps, 10Gbps, and 25Gbps Ethernet – these switches deliver both bandwidth and power precisely where it’s needed most, making them ideal for next-generation Wi-Fi access points and intelligent IP-enabled devices. 

With SONiC Lite, network administrators can configure PoE settings on a per-port basis, including power limits, detection modes, and priority levels. This granular control ensures stable power delivery to critical endpoints and optimizes the available PoE power budget. Whether provisioning a new access point or remotely diagnosing a power-related issue, SONiC Lite enables swift configuration and efficient monitoring.

Example: PoE Configuration

    interface Ethernet 0
    poe power-limit 20
    do show poe interface configuration

        Port         En/Dis      Power limit      Priority     LLDP PoE
        ------------ ----------- ---------------- ------------ ----------
        Ethernet0    enable      200 dW           high

This hands-on flexibility empowers IT teams to fine-tune power settings confidently, supporting efficient, resilient network operations.

Conclusion

As digital transformation continues accelerating, network teams are under constant pressure to deliver secure, stable, high-performance, and scalable infrastructure, often with constrained budgets and limited manpower. SONiC Lite rises to this challenge, equipping teams with a robust, CLI-driven toolset grounded in software engineering best practices. 

Designed to serve as the foundation of a reliable access layer, SONiC Lite includes all the essential features needed to build and manage a modern office or campus network. Whether you’re configuring Wi-Fi access points, segmenting traffic through VLANs, enforcing security policies with RADIUS, enabling DHCP relay, managing PoE power distribution, or ensuring time synchronization with NTP servers, SONiC Lite offers a unified, dependable approach tailored to real-world campus deployment needs. 

Contact us to discover how SONiC Lite can be integrated into your network architecture or try a free demo to experience its capabilities firsthand. 

Oleksandr Kholodnyi