
Designing Scalable Data Center Networks: Partitioning, VRF, and Future Trends

This article explains how to partition data‑center networks, how to apply security‑level controls (等级保护, the Multi‑Level Protection Scheme) with firewalls and VRF, compares the common three‑layer and flat topologies, and outlines future directions such as elasticity, simplicity, and openness for next‑generation data‑center networking.

Architects' Tech Alliance

Introduction

Viewing a data center as a living organism, servers and storage act as organs while the network (switches, routers, firewalls) serves as the nervous system. This guide focuses on data‑center network architecture and typical design patterns.

Network Partitioning and Security Levels

Enterprises usually divide physical network devices into zones for flexibility, security, and manageability. A three‑tier core‑aggregation‑access structure is common, where the core handles fast forwarding and the aggregation layer functions as a gateway for each zone.

Each zone receives a distinct business subnet sized from its expected traffic and server count. Zones at a higher protection level (等保, the Multi‑Level Protection Scheme) deploy firewalls to control inbound and outbound traffic, so that zones of different security levels are effectively separated.

Methods of Partitioning

A. By Server Type – Grouping x86 servers, blade servers, mainframes, VMs, etc. This method is rarely used because workload distribution is often uneven.

B. By Application Layer – Front‑end services (Web, APP) are placed in one zone, back‑end services (databases, storage, NFS) in another. This simplifies management but can cause operational friction when front‑end services need back‑end resources, requiring firewall rule changes.

C. By Application Function – Zones such as core services, public services, office, isolation, and development/testing are defined. This reduces firewall‑related coordination but may lead to a less orderly network layout and IP‑address planning challenges.

Common Data‑Center Network Architectures

A. Flat Topology – Suitable for small data centers (<300 servers). Two‑layer design with aggregation devices acting as gateways and access devices as layer‑2 switches. Two variants exist: traditional VRRP+MSTP and a “fat‑tree” design that stacks aggregation switches and bundles redundant links for higher bandwidth and loop protection.

B. Three‑Layer Architecture – Used in large, feature‑rich data centers. The core layer consists of 2‑4 high‑capacity chassis switches (often deployed as independent devices). Aggregation and access layers are stacked to provide layer‑2 redundancy. Firewalls are attached in bypass mode (off to the side of the aggregation switches rather than inline) to improve scalability and support dynamic routing, with VRF on the aggregation switches isolating the routes of different security levels.

VRF and Bypass‑Firewall Logic

In a single‑security‑level scenario, all business subnets under the aggregation layer communicate with each other directly; a single VRF on the aggregation switch keeps the aggregation‑core link and the aggregation‑firewall link in separate routing tables, so traffic leaving or entering the zone has to cross the firewall, and the bypass‑attached firewall effectively becomes a serial (inline) hop.

For multiple security levels, each level requires its own VRF. Traffic between different security zones must pass through the firewall. The diagram shows how to replace physical aggregation devices with a logical box containing multiple VRF instances, connect the firewall to both the global routing box and each VRF, and map interfaces accordingly.

When drawing the logical flow, remember that all interface labels (global, VRF‑1, VRF‑2) correspond to ports on the aggregation switch.
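A constructed aggregation‑switch configuration (Cisco IOS style, written for this article as an illustration, not taken from it) of the multi‑level layout just described: the core uplink and the firewall's outside leg sit in the global routing table, each security level has its own VRF holding its business subnets plus one firewall leg, and the only exit from a VRF is a default route toward the firewall, so traffic between levels or toward the core must cross it. Static routes stand in for the dynamic routing the article mentions; all addresses, VLAN and interface numbers are assumptions.

```text
! Aggregation switch, Cisco IOS style (constructed example, not the article's config)
! Two security levels -> two VRFs; firewall attached to the global table and to each VRF
vrf definition SEC-L2
 address-family ipv4
 exit-address-family
vrf definition SEC-L3
 address-family ipv4
 exit-address-family
!
! Global routing table: uplink to the core layer
interface TenGigabitEthernet1/0/1
 description to-core
 ip address 10.255.0.2 255.255.255.252
!
! Firewall "outside" leg lives in the global table
interface Vlan900
 description fw-outside-global
 ip address 10.254.0.1 255.255.255.252
!
! Firewall "inside" legs, one per security level
interface Vlan901
 description fw-inside-SEC-L2
 vrf forwarding SEC-L2
 ip address 10.254.2.1 255.255.255.252
interface Vlan902
 description fw-inside-SEC-L3
 vrf forwarding SEC-L3
 ip address 10.254.3.1 255.255.255.252
!
! Business subnets (server gateways) placed in their level's VRF
interface Vlan20
 description biz-subnet-level2
 vrf forwarding SEC-L2
 ip address 10.20.0.1 255.255.255.0
interface Vlan30
 description biz-subnet-level3
 vrf forwarding SEC-L3
 ip address 10.30.0.1 255.255.255.0
!
! Each VRF knows only a default route via its own firewall leg, so anything
! leaving the level (to the core or to another level) must cross the firewall
ip route vrf SEC-L2 0.0.0.0 0.0.0.0 10.254.2.2
ip route vrf SEC-L3 0.0.0.0 0.0.0.0 10.254.3.2
! Global table: business prefixes point at the firewall's outside leg,
! everything else goes to the core
ip route 10.20.0.0 255.255.255.0 10.254.0.2
ip route 10.30.0.0 255.255.255.0 10.254.0.2
ip route 0.0.0.0 0.0.0.0 10.255.0.1
```

With this layout, a host in 10.20.0.0/24 reaching 10.30.0.0/24 leaves VRF SEC-L2 via Vlan901, is policy-checked on the firewall, and re-enters the switch in VRF SEC-L3 via Vlan902; a missing firewall rule therefore blocks the flow rather than the switch silently routing it between VRFs.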

Future Development of Data‑Center Networks

With the rise of big data, data‑center workloads increase rapidly, driving the evolution toward more elastic, simple, and open networks.

Elasticity – Networks must scale smoothly at device, system, and data‑center levels (e.g., 25GE/40GE access, >100 Tbps core capacity, high‑density 100GE/400GE ports, support for tens of thousands of servers, and inter‑data‑center VM migration).

Simplicity – Networks should serve business needs directly, enabling unified management of network and IT resources and seamless translation from business intent to logical and physical network configurations.

Openness – Moving from closed, isolated management to open integration with SDN controllers, third‑party plugins, and virtualization platforms, creating flexible end‑to‑end data‑center solutions.

Tags: Network Architecture, firewall, cloud networking, elasticity, Data Center, network partition, VRF
Written by

Architects' Tech Alliance

Sharing project experiences, insights into cutting-edge architectures, focusing on cloud computing, microservices, big data, hyper-convergence, storage, data protection, artificial intelligence, industry practices and solutions.
