How to Choose Switches, Routers, Firewalls, and Web‑Traffic Management for Data Centers
This article walks through data‑center network architecture, explains the distinct roles of switches, routers, firewalls and web‑traffic management devices, compares major vendors, highlights key selection metrics, and provides ready‑to‑run configuration examples for each device type.
Data‑Center Network Architecture Overview
Modern data‑centers use a multi‑layer design rather than a single device. The dominant topology has shifted from the classic three‑tier (access‑aggregation‑core) to a Leaf‑Spine architecture, where every Leaf switch connects to every Spine switch, guaranteeing a constant two‑hop path between any two servers and enabling easy scaling by adding Leaves or Spines.
A typical stack consists of Internet entry via multiple ISP links, a firewall, core routers for routing and NAT, dual active‑standby core switches, the Spine‑Leaf fabric, and finally the server racks.
Switches: The Data‑Center Traffic Hub
Switches operate at OSI layer 2 (with layer‑3 capabilities in some models) and forward frames with microsecond latency. Core capabilities include VLAN segmentation, LACP link aggregation, STP/RSTP/MSTP loop prevention, and stacking or M‑LAG for high availability.
Data‑center switches differ from enterprise switches in port speed (25 G/40 G/100 G up to 800 G), back‑plane bandwidth (tens of Tbps), large buffers for bursty AI training traffic, support for overlay protocols (VXLAN, BGP EVPN), and lossless features (PFC + ECN). In 2024 the global data‑center switch market was the only network segment with positive growth, with China’s data‑center switch segment growing 23.3 % year‑over‑year, driven by AI compute demand.
Top vendors (global market share ~70 %): Cisco, Arista, Huawei, HPE/H3C (新华三), and Ruijie. Huawei’s CloudEngine line leads the Chinese market with broad product coverage and aggressive lossless networking, while Cisco’s Nexus series offers the most mature ecosystem at a premium price. Arista focuses on white‑box hardware with the EOS operating system, favored by large‑scale cloud operators.
Routers: The Data‑Center Diplomat
Routers work at OSI layer 3, handling IP routing, NAT, and BGP‑based path selection. Typical roles include Internet gateway, inter‑data‑center MPLS VPN or IPSec tunnels, and serving as the control plane for VXLAN overlay networks (BGP EVPN).
Key vendor families: Huawei NE series (dominant in Chinese carrier and enterprise markets), Cisco ISR/ASR (global leader with mature IOS/IOS‑XE ecosystem), H3C SR/MSR (strong domestic presence), Juniper MX/SRX (renowned for robust routing engines), and ZTE ZXR10 (cost‑effective solutions).
Firewalls: The Data‑Center Perimeter Guard
Next‑generation firewalls (NGFW) enforce security policies, perform application‑level identification, IPS, anti‑virus scanning, URL filtering, and sandbox analysis. Major players include Palo Alto Networks (leader in Gartner’s Magic Quadrant, strong application‑ID engine but high cost), Fortinet FortiGate (high performance SPU chip, good price‑performance), Huawei USG/HiSecEngine (market leader in China with integrated NP acceleration), and Deep Security NGAF (consolidated security functions).
Web‑Traffic Management (UTM/NGAF): The Internal Discipline Officer
These devices sit behind the firewall and enforce user authentication, application control, web filtering, bandwidth shaping, content audit, and reporting to meet compliance (e.g., China’s Cybersecurity Law). Leading solutions are Deep Security AC (market leader in China), Qi‑Anxin ICG, and other domestic vendors.
Key Selection Criteria
Switches: port density, back‑plane bandwidth, buffer size, VXLAN/BGP EVPN support, stacking/M‑LAG.
Routers: routing table capacity (hundreds of thousands of BGP entries), forwarding performance (pps), MPLS/Segment Routing support, interface types.
Firewalls: throughput with all security features enabled, concurrent connections, IPS/AV signature update frequency, sandbox capability.
Web‑Traffic Management: application‑identification coverage and update rate, supported user count, audit/reporting compliance.
Ecosystem Compatibility: ensure STP, BGP, VXLAN interoperability across brands; mixed‑vendor deployments may require additional testing.
Typical Data‑Center Network Stack
From top to bottom: ISP links → firewall → core router → dual core switches → Spine layer → Leaf layer → servers. Additional security layers (micro‑firewalls, WAF, load balancers, bastion hosts) may be placed in the management network.
Ready‑to‑Run Configuration Examples
Switch Basic Configuration (Huawei)
# Huawei switch basic configuration
<HUAWEI> system-view
[HUAWEI] sysname Core-SW-01
[Core-SW-01] vlan batch 10 20 30
[Core-SW-01] interface Vlanif 1
[Core-SW-01-Vlanif1] ip address 192.168.1.10 255.255.255.0
[Core-SW-01-Vlanif1] quit
[Core-SW-01] interface GigabitEthernet 0/0/1
[Core-SW-01-GigabitEthernet0/0/1] port link-type access
[Core-SW-01-GigabitEthernet0/0/1] port default vlan 10
[Core-SW-01-GigabitEthernet0/0/1] quit
# Management access over SSH (STelnet) with a local AAA account; Telnet is left disabled
[Core-SW-01] stelnet server enable
[Core-SW-01] aaa
[Core-SW-01-aaa] local-user admin password irreversible-cipher Admin@123
[Core-SW-01-aaa] local-user admin service-type ssh
[Core-SW-01-aaa] local-user admin privilege level 15
[Core-SW-01-aaa] quit
[Core-SW-01] ssh user admin authentication-type password
[Core-SW-01] quit
<Core-SW-01> save
Link Aggregation + STP
# VLAN trunk + link aggregation (Eth-Trunk with LACP) + RSTP configuration
[Core-SW-01] interface Eth-Trunk 1
[Core-SW-01-Eth-Trunk1] mode lacp
[Core-SW-01-Eth-Trunk1] port link-type trunk
[Core-SW-01-Eth-Trunk1] port trunk allow-pass vlan all
[Core-SW-01-Eth-Trunk1] quit
[Core-SW-01] interface GigabitEthernet 0/0/24
[Core-SW-01-GigabitEthernet0/0/24] eth-trunk 1
[Core-SW-01-GigabitEthernet0/0/24] quit
[Core-SW-01] stp mode rstp
[Core-SW-01] stp root primary
Router Basic Configuration (Huawei)
# Huawei router basic configuration
<HUAWEI> system-view
[HUAWEI] sysname Edge-RT-01
[Edge-RT-01] interface GigabitEthernet 0/0/0
[Edge-RT-01-GigabitEthernet0/0/0] ip address 203.0.113.1 255.255.255.0
[Edge-RT-01-GigabitEthernet0/0/0] quit
[Edge-RT-01] interface GigabitEthernet 0/0/1
[Edge-RT-01-GigabitEthernet0/0/1] ip address 10.0.0.1 255.255.255.0
[Edge-RT-01-GigabitEthernet0/0/1] quit
[Edge-RT-01] ip route-static 0.0.0.0 0.0.0.0 203.0.113.254
# Basic ACL 2000 selects the internal sources to translate: only 10.0.0.0/24 (wildcard 0.0.0.255) matches
[Edge-RT-01] acl number 2000
[Edge-RT-01-acl-basic-2000] rule 5 permit source 10.0.0.0 0.0.0.255
[Edge-RT-01-acl-basic-2000] quit
[Edge-RT-01] interface GigabitEthernet 0/0/0
[Edge-RT-01-GigabitEthernet0/0/0] nat outbound 2000
[Edge-RT-01-GigabitEthernet0/0/0] quit
OSPF Dynamic Routing
# OSPF dynamic routing configuration
[Edge-RT-01] ospf 1 router-id 10.0.0.1
[Edge-RT-01-ospf-1] area 0
[Edge-RT-01-ospf-1-area-0.0.0.0] network 10.0.0.0 0.0.0.255
[Edge-RT-01-ospf-1-area-0.0.0.0] network 192.168.1.0 0.0.0.255
[Edge-RT-01-ospf-1-area-0.0.0.0] quit
[Edge-RT-01-ospf-1] quit
# Verify neighbor adjacency and the routes learned from OSPF
[Edge-RT-01] display ospf peer
[Edge-RT-01] display ospf routing
Firewall Basic Configuration (Huawei)
# Huawei firewall basic configuration
<FW> system-view
[FW] sysname Sec-FW-01
[Sec-FW-01] interface GigabitEthernet 1/0/0
[Sec-FW-01-GigabitEthernet1/0/0] ip address 10.0.0.2 255.255.255.0
[Sec-FW-01-GigabitEthernet1/0/0] quit
[Sec-FW-01] firewall zone trust
[Sec-FW-01-zone-trust] add interface GigabitEthernet 1/0/0
[Sec-FW-01-zone-trust] quit
[Sec-FW-01] interface GigabitEthernet 1/0/1
[Sec-FW-01-GigabitEthernet1/0/1] ip address 203.0.113.2 255.255.255.0
[Sec-FW-01-GigabitEthernet1/0/1] quit
[Sec-FW-01] firewall zone untrust
[Sec-FW-01-zone-untrust] add interface GigabitEthernet 1/0/1
[Sec-FW-01-zone-untrust] quit
# Inter-zone policy: rules are matched top-down; traffic matching no rule falls to the default deny
[Sec-FW-01] security-policy
[Sec-FW-01-policy-security] rule name Allow-Internal-to-External
[Sec-FW-01-policy-security-rule-Allow-Internal-to-External] source-zone trust
[Sec-FW-01-policy-security-rule-Allow-Internal-to-External] destination-zone untrust
[Sec-FW-01-policy-security-rule-Allow-Internal-to-External] action permit
[Sec-FW-01-policy-security-rule-Allow-Internal-to-External] quit
[Sec-FW-01-policy-security] quit
Web‑Traffic Management Basic Steps (Deep Security AC)
Deploy in gateway mode behind the firewall and in front of core switches. Configure external and internal interfaces, enable local or AD authentication, create user groups, define application‑control policies (e.g., block P2P, video, games during work hours, allow OA and email), set per‑user bandwidth limits, and enable content audit logs for web access, file transfers, and IM chats. Remember to keep the application‑signature database up‑to‑date and consider SSL decryption for HTTPS inspection.
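To make the first-match, default-deny semantics of the firewall zone policy above concrete, the following added example (not code from the article or from Huawei's tooling) parses a constructed USG-style security-policy snippet and evaluates zone pairs against it; the rule names other than Allow-Internal-to-External, the dmz zone, and the function names are assumptions.

```python
"""Evaluate a Huawei USG-style zone security policy (constructed example).

Assumptions (not from the article): rules apply top-down, first match wins,
and a flow that matches no rule falls to the default deny applied to
inter-zone traffic. The config text is a constructed sample modelled on
the article's Sec-FW-01 configuration, with two extra rules added.
"""
import re

SAMPLE_CONFIG = """\
security-policy
 rule name Allow-Internal-to-External
  source-zone trust
  destination-zone untrust
  action permit
 rule name Publish-Web
  source-zone untrust
  destination-zone dmz
  action permit
 rule name Allow-Mgmt-from-DMZ
  source-zone dmz
  destination-zone trust
  action permit
"""

def parse_security_policy(text):
    """Return the policy as an ordered list of rule dicts (order matters)."""
    rules, current = [], None
    for line in text.splitlines():
        m = re.match(r"\s*rule name (\S+)", line)
        if m:  # a rule with no zone keyword matches any zone; action defaults to deny
            current = {"name": m.group(1), "src": "any", "dst": "any", "action": "deny"}
            rules.append(current)
            continue
        m = re.match(r"\s*(source-zone|destination-zone|action) (\S+)", line)
        if m and current is not None:
            key = {"source-zone": "src", "destination-zone": "dst", "action": "action"}
            current[key[m.group(1)]] = m.group(2)
    return rules

def evaluate(rules, src_zone, dst_zone):
    """First-match-wins lookup; returns (action, matching rule name or 'default')."""
    for r in rules:
        if r["src"] in ("any", src_zone) and r["dst"] in ("any", dst_zone):
            return r["action"], r["name"]
    return "deny", "default"

def find_inbound_permits(rules, inside_zones=("trust", "dmz")):
    """List rules that permit untrust into an internal zone, for review."""
    return [r["name"] for r in rules
            if r["action"] == "permit" and r["src"] == "untrust"
            and r["dst"] in inside_zones + ("any",)]
```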
Conclusion
Choosing data‑center network devices is about matching core capabilities—port speed, backplane bandwidth, buffer size, routing capacity, security throughput, and application‑identification performance—to the specific workload and compliance requirements, while ensuring interoperability across the chosen vendor ecosystem.
This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactand we will review it promptly.