How to Design a Campus Network with Dell PowerSwitch

Designing a campus network from scratch — or modernizing one that has grown organically for years — is one of the most consequential infrastructure decisions an IT team makes. Get the architecture right and you earn years of scalability, security, and operational calm. Get it wrong and you spend those same years chasing spanning-tree loops, troubleshooting VLAN sprawl, and explaining outages to department heads.
Dell Networking's CX switching platform gives architects a coherent, purpose-built toolkit that spans every tier of the campus: from the edge closet powering Wi-Fi 7 access points to the high-density core carrying 400GbE inter-building trunks. This guide walks you through the complete design process — topology selection, switch placement, redundancy mechanisms, segmentation, automation, and management — using real Dell PowerSwitch products and validated practices.
Choosing Your Campus Topology: Two-Tier vs. Three-Tier
Before selecting a single switch model, you need a topology. Dell Networking's validated campus design guides organize campus architectures around three size tiers, each mapping to a distinct physical topology.
Small campus (up to approximately 1,500 endpoints) suits a single building or a few floors. A two-tier (collapsed core) design places access switches directly beneath a redundant pair of core/aggregation switches. There is no separate distribution layer — the collapsed core handles both Layer 2 aggregation and Layer 3 routing. This keeps cabling simple, reduces device count, and lowers total cost of ownership for organizations that do not need dedicated distribution tiers.
Medium campus (approximately 1,500–15,000 endpoints) introduces a dedicated aggregation layer sitting between access closets and the core. VSX-paired aggregation switches terminate access-layer VLANs locally, which isolates the network core from Layer 2 flooding and reduces STP complexity at the center of the network.
Large campus (15,000+ endpoints) demands a full three-tier design: a routed Layer 3 core, dedicated aggregation blocks (one per building or zone), and access layer stacks in each IDF. The core carries only routed traffic, dramatically cutting the blast radius of any single failure.
As a practical rule: size the topology to your projected three-year endpoint count, not today's headcount. Rearchitecting from two-tier to three-tier after the fact is far more disruptive than building in one extra aggregation tier up front.
Selecting the Right Dell PowerSwitch Switch for Each Layer
The Dell PowerSwitch portfolio spans several distinct families, each optimized for a campus role. Understanding where each fits prevents over-engineering the edge or under-specifying the core.
| Switch Series | Form Factor | Typical Campus Role | Key Differentiators |
|---|---|---|---|
| CX 6200 | Fixed, stackable (VSF up to 8 members) | Access layer, budget-conscious deployments | PoE+, 10G uplinks, L3 routing, Static VXLAN |
| CX 6300 | Fixed, stackable (VSF up to 10 members) | Access and aggregation | Smart Rate multi-gig, 25G/50G uplinks, PoE++ up to 740W–2,880W per PSU, EVPN-VXLAN |
| CX 6400 | Modular chassis | Aggregation or collapsed core | Up to 28 Tbps capacity, flexible line cards, VSX-capable, ideal for mid-large campus aggregation |
| CX 8400 | Modular chassis (8-slot) | Campus core, large aggregation | Up to 19.2 Tbps, dual redundant supervisors, 10/25/40/100G density, VSX |
| CX 9300 | Fixed 1U, 32-port | High-density core and spine | 25.6 Tbps, 100/200/400GbE ports, BGP/OSPF/EVPN-VXLAN, purpose-built for routed core |
For most medium campus deployments, a practical hardware bill looks like this: CX 6300 stacks in each IDF, CX 6400 pairs (VSX) at the building aggregation layer, and CX 8400 or CX 9300 switches at the routed core. Large enterprise and federal campuses moving to fabric architectures often standardize on the CX 9300 at the spine.
Explore the full lineup available through Uniqcli on our Dell PowerSwitch switches product page.
Designing the Access Layer for PoE and Wi-Fi 7
The access layer is where your users live. Virtually every modern access design must answer two questions: how much PoE budget do you need, and how many multi-gig uplink ports does each closet require?
PoE budget planning begins with your wireless density. Wi-Fi 7 tri-band access points (like the Dell AP 730 series) can draw up to 60W under full 802.3bt (PoE++) operation. A 48-port IDF switch serving 24 APs plus IP phones and cameras can easily demand 1,200–1,500W of PoE capacity. The CX 6300M 48-port SmartRate model offers per-PSU budgets of 740W, 1,440W, or 2,880W, making it one of the most flexible access-layer options in its class for high-density wireless deployments.
Smart Rate (multi-gig) ports matter at the access layer specifically for APs capable of 2.5GbE or 5GbE backhaul. Deploying a Wi-Fi 7 AP on a 1GbE port wastes the radios' potential throughput. The CX 6300M and select CX 6300F variants include Smart Rate ports that auto-negotiate 1G/2.5G/5G/10G over existing Cat 6 cabling — eliminating rewiring costs while unlocking full AP throughput.
VSF stacking on CX 6300 lets you stack up to 10 switches into a single logical device, simplifying management and enabling Multi-Chassis Link Aggregation (MCLAG) to the uplink for active-active redundancy without Spanning Tree. Each IDF stack presents as one switch to Dell SmartFabric Manager, one management IP, and one configuration object.
Building Redundancy with VSX at the Aggregation and Core
Virtual Switching Extension (VSX) is the cornerstone of Dell PowerSwitch high availability above the access layer. Unlike traditional stacking — which fuses multiple chassis into a single control plane — VSX pairs two independent switches with separate control planes connected by a dedicated inter-switch link (ISL) and a keepalive link. Each switch independently runs its own AOS-CX instance and routing protocol state.
Why does independent control matter? During a software upgrade, you can roll one VSX peer to a new AOS-CX version while the other continues forwarding production traffic. Dell calls this In-Service Software Upgrade (ISSU). Downtime during planned maintenance drops to near zero — a critical capability for healthcare environments, 24/7 operations centers, and federal facilities that cannot schedule multi-hour windows.
VSX also enables Multi-Chassis LAG (MC-LAG): access switches or servers bond two uplinks — one to each VSX peer — in a single logical LACP port channel. Traffic load-balances across both paths in steady state, and fails over in subsecond time when one peer is lost.
VSX is supported across the CX 6300F/M (from AOS-CX 10.16), CX 6400, CX 8100, CX 8325, CX 8360, CX 8400, and CX 9300 series. For collapsed-core or aggregation designs, deploying VSX pairs at every redundancy boundary is the architectural baseline, not an optional add-on.
Implementing Micro-Segmentation with EVPN-VXLAN
Traditional VLAN-based segmentation has a structural limitation: as your campus grows, VLAN IDs become a shared namespace stretched across the entire network, creating implicit trust boundaries that are difficult to audit and even harder to shrink. EVPN-VXLAN solves this by decoupling logical network segments (overlays) from the physical infrastructure (underlay).
In a Dell PowerSwitch EVPN-VXLAN campus fabric:
- The underlay is a simple routed IP network using OSPF or BGP between switches. AOS-CX handles underlay routing natively on all fabric-capable platforms.
- The overlay uses VXLAN tunnels to carry tenant traffic across the underlay, with BGP-EVPN as the control plane for advertising MAC/IP bindings and distributing policy.
- VNIs (VXLAN Network Identifiers) replace VLAN IDs as the segmentation primitive, giving you a 16-million segment address space vs. the traditional 4,094 VLAN limit.
This architecture is directly supported on the CX 6300, 6400, 8100, 8325, 8360, 8400, and 9300 series from AOS-CX 10.06 and later, with continued enhancements in AOS-CX 10.13 through 10.16.
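To make the VNI point concrete, here is an added example (not code from this guide or from Dell) that parses the 8-byte VXLAN header defined in RFC 7348, extracts the 24-bit VNI, and checks it against a segment allow-list. The VNI numbers, segment names and sample payloads are constructed for illustration.

```python
import struct

VXLAN_FLAG_VNI_VALID = 0x08    # "I" flag: the VNI field carries a valid value
MAX_VLAN_ID = 4094             # usable 802.1Q VLAN IDs
MAX_VNI = (1 << 24) - 1        # 24-bit VNI, roughly 16 million segments

# Constructed VNI-to-segment policy (hypothetical numbers and names).
ALLOWED_VNIS = {10010: "clinical-ephi", 10020: "staff", 10030: "iot-building"}


def build_vxlan_header(vni: int) -> bytes:
    """Build a VXLAN header: flags(1) reserved(3) VNI(3) reserved(1)."""
    if not 0 <= vni <= MAX_VNI:
        raise ValueError("VNI does not fit in 24 bits")
    return struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)


def parse_vxlan_header(payload: bytes) -> int:
    """Return the VNI from the VXLAN header at the start of a UDP payload."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, word = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("I flag clear, VNI not valid")
    return word >> 8               # top 24 bits are the VNI, low byte is reserved


def classify(payload: bytes) -> str:
    """Label a captured VXLAN payload against the segment allow-list."""
    try:
        vni = parse_vxlan_header(payload)
    except ValueError as exc:
        return f"malformed: {exc}"
    segment = ALLOWED_VNIS.get(vni)
    return f"ok: {segment}" if segment else f"alert: unexpected VNI {vni}"


if __name__ == "__main__":
    # Constructed samples: a known segment, an unknown VNI, a header without the I flag.
    samples = [build_vxlan_header(10010), build_vxlan_header(70000), bytes(8)]
    for sample in samples:
        print(sample.hex(), "->", classify(sample))
```

VNI 70000 in the second sample could not be expressed as a VLAN ID at all, which is the namespace difference the list above describes.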
For healthcare networks handling ePHI, federal networks requiring CUI isolation, or enterprise campuses enforcing zero-trust microsegmentation, EVPN-VXLAN on Dell PowerSwitch provides the technical foundation. Combine it with Dell SmartFabric Manager NetConductor's role-based policy engine to define segmentation policies by user or device role — independent of IP addressing — and push them consistently to every switch and gateway in the fabric.
Browse our networking solutions catalog or request a custom network quote to scope an EVPN-VXLAN fabric for your environment.
Automating Configuration with Dell SmartFabric Manager and NetConductor
Manual CLI-based configuration does not scale to multi-building campuses. Dell Networking's cloud-native Dell SmartFabric Manager platform provides a single pane of glass for all AOS-CX switches, Dell wireless access points, and SD-WAN gateways.
Key automation capabilities relevant to campus design:
- NetConductor Fabric Wizard: a UI-driven workflow that automates underlay and overlay design. You input your topology parameters, and NetConductor generates and pushes OSPF/BGP underlay configuration plus EVPN-VXLAN overlay policy to every switch in the fabric — eliminating hundreds of lines of manual CLI.
- Template-based provisioning: define a golden configuration template per switch role (access stack, aggregation pair, core node), then apply it across all devices matching that role. Day-2 changes flow from the template down to every device simultaneously.
- Network Analytics Engine (NAE): embedded in every AOS-CX switch, NAE executes streaming telemetry scripts that detect anomalies — spanning tree topology changes, unusual traffic spikes, transceiver degradation, or authentication failures — and raise alerts in Dell SmartFabric Manager before users notice symptoms.
- REST API and Ansible support: for organizations running infrastructure-as-code workflows, AOS-CX exposes a complete REST API. Dell's Ansible modules let NetOps teams embed switch configuration into the same CI/CD pipelines they use for servers and cloud resources.
The NetConductor architecture also supports Multi-Fabric EVPN deployment, which extends end-to-end segmentation across multiple campus fabrics and SD-WAN edges — a design that is increasingly common in federal multi-site and large healthcare system architectures.
Securing the Campus with Role-Based Access Control and Zero Trust
A well-designed Dell PowerSwitch campus integrates security controls at the switching layer rather than relying exclusively on perimeter firewalls. AOS-CX supports several enforcement mechanisms that align with zero-trust principles:
- 802.1X port authentication: every wired port can require certificate- or credential-based authentication before granting any network access. AOS-CX integrates with RADIUS servers, including Dell Networking Zero Trust Policy Manager, to authenticate users and devices and dynamically assign VLANs or download ACLs based on identity.
- Dynamic segmentation: with Zero Trust and NetConductor, an IoT device connecting to any port in the campus automatically receives a role-mapped tunnel to the appropriate gateway — no manual VLAN-to-port mapping required. The policy follows the identity, not the physical port.
- ACL enforcement at the access layer: AOS-CX supports both ingress and egress ACLs at port and VLAN level, enabling east-west traffic filtering directly on the switch without hairpinning through a central firewall for intra-campus flows.
- MAC Security and port-based security: for environments where 802.1X is impractical (legacy printers, building automation systems), AOS-CX supports MAC authentication bypass and learned MAC lockdown to constrain rogue device attachment.
Federal and SLED buyers should note that Dell PowerSwitch switches support FIPS 140-2 validated cryptography in AOS-CX, a requirement for many federal procurement programs. For guidance on compliance-aligned network design, see our networking guides.
Planning for Scalability: Uplinks, Oversubscription, and Capacity
A campus network that cannot grow without a forklift upgrade is a design failure. Build scalability in from the start by sizing oversubscription ratios correctly.
Dell Networking's validated campus design guidance recommends:
- 20:1 oversubscription between access and aggregation is acceptable for typical mixed-use office traffic (the aggregate access bandwidth is 20x the uplink bandwidth).
- 4:1 oversubscription between aggregation and core, where latency-sensitive traffic (voice, video conferencing, real-time operational data) demands tighter headroom.
In practice, this means a 48-port 1GbE access switch (48 Gbps aggregate) should have at least 2.4 Gbps of uplink — making 2x 10GbE uplinks a reasonable access-layer baseline. Aggregation switches connecting 6–10 access stacks at 10G should carry at least 15–25 Gbps toward the core, making 2x 25GbE or 4x 25GbE uplinks appropriate depending on actual traffic patterns.
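The ratio check described above can be run across a whole design rather than one switch at a time. This is an added example, not part of the original guide: the inventory is constructed, and the two-link minimum (one uplink per VSX peer) is an assumption of the example.

```python
import math
from dataclasses import dataclass

ACCESS_TO_AGG_MAX = 20.0   # 20:1, from the guidance above
AGG_TO_CORE_MAX = 4.0      # 4:1, from the guidance above


@dataclass
class Block:
    name: str
    downstream_gbps: float   # total bandwidth facing endpoints or access stacks
    uplink_gbps: float       # total bandwidth facing the next tier up
    max_ratio: float         # oversubscription limit at this tier boundary


def ratio(block: Block) -> float:
    return block.downstream_gbps / block.uplink_gbps


def min_uplink_gbps(downstream_gbps: float, max_ratio: float) -> float:
    """Smallest uplink capacity that stays within the ratio."""
    return downstream_gbps / max_ratio


def uplinks_needed(downstream_gbps, max_ratio, link_gbps, min_links=2):
    """Links of one speed required; min_links=2 is this example's assumption."""
    needed = math.ceil(min_uplink_gbps(downstream_gbps, max_ratio) / link_gbps)
    return max(needed, min_links)


def audit(blocks):
    """Return (name, ratio, extra Gbps needed) for each block over its limit."""
    findings = []
    for b in blocks:
        if ratio(b) > b.max_ratio:
            shortfall = min_uplink_gbps(b.downstream_gbps, b.max_ratio) - b.uplink_gbps
            findings.append((b.name, round(ratio(b), 1), round(shortfall, 1)))
    return findings


# Constructed inventory: two access blocks, two aggregation blocks.
DESIGN = [
    Block("idf-1 (48-port 1G)", 48, 20, ACCESS_TO_AGG_MAX),        # 2.4:1
    Block("idf-2 (10-member stack)", 480, 20, ACCESS_TO_AGG_MAX),  # 24:1
    Block("agg-a (6 stacks at 10G)", 60, 50, AGG_TO_CORE_MAX),     # 1.2:1
    Block("agg-b (24 stacks at 10G)", 240, 50, AGG_TO_CORE_MAX),   # 4.8:1
]

if __name__ == "__main__":
    for name, r, extra in audit(DESIGN):
        print(f"{name}: {r}:1, add at least {extra} Gbps of uplink")
```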
For future-proofing: the CX 6300 series supports uplinks up to 25G and 50G today. The CX 6400 chassis accepts line cards with 25/100G uplink capacity. If you are deploying an architecture expected to serve a campus for 7–10 years, design core interconnects for 100GbE today, with 400GbE growth paths via the CX 9300 at the spine.
Ready to scope your hardware? Visit our shop or contact our team to discuss volume licensing and federal contract vehicles.
How Uniqcli Helps
Designing a campus network with Dell PowerSwitch involves more than picking switch models — it requires matching topology to your site's physical layout, sizing PoE to wireless density, choosing the right AOS-CX software tier, and validating that the design meets any compliance requirements your sector demands.
Uniqcli is an authorized Dell and Dell Networking partner with deep experience serving federal, SLED, healthcare, and enterprise buyers. Our team can help you:
- Assess and right-size your campus topology against current and projected endpoint counts
- Identify applicable contract vehicles (GSA, SEWP V, state cooperative contracts) to streamline procurement
- Source CX hardware including CX 6200, 6300, 6400, 8400, and 9300 series switches with full Dell warranty and support
- Design EVPN-VXLAN fabric architectures aligned with zero-trust and NIST frameworks
Request a campus network design quote or reach out to our team to start the conversation. We can typically turn around a preliminary bill of materials and architecture recommendation within a few business days.
