Executive Summary
When a premier New York City architecture firm scaled past 100 employees and relocated to a new headquarters, their legacy bare-metal Windows Server environment could no longer support the high-concurrency, high-throughput demands of their design workflow. Staff routinely worked directly off shared storage rather than copying files locally. A workflow pattern that ruthlessly exposes any latency or bandwidth weakness in the underlying infrastructure. Large-format CAD and BIM assets, real-time multi-user collaboration, and uninterrupted application availability were non-negotiable requirements.
Macktez was engaged to architect a ground-up, zero-compromise infrastructure covering wired networking, wireless, compute, and storage. Every layer was designed with redundancy as a first-order constraint: redundant power, controllers, chassis, and paths throughout. The result is an environment that has delivered zero infrastructure downtime since deployment, with real-world internal file transfer throughput of 5–7 Gbps. This performance is comparable to the local NVMe storage of a modern high-end workstation, delivered over a fully shared, enterprise-grade SAN.
The Network: Eliminating Bottlenecks
Design Philosophy
Architectural workflows involve file sizes measured in gigabytes, exchanged continuously across a 100+ person organization. When users work directly off a shared server, not via local sync, the network and storage fabric must sustain concurrent high-throughput sessions without degradation.
Access Layer: Cisco Catalyst 9300 Stack
The access layer is built on six Cisco Catalyst 9300 switches deployed as a single logical stack, providing nearly 300 ports of Ethernet connectivity across the office floor. The top member of the 9300-series switch stack — a multi-gigabit variant — was dedicated exclusively to wireless access point uplinks, supporting 5 Gbps per AP uplink and future 10 Gbps capacity.
The switch stack was spec’d with a pair of 8-port 10GbE network expansion modules, providing significant uplink headroom beyond what Essentials-tier licensing would require. Since the access layer operates exclusively in Layer 2 mode, with no inter-VLAN routing, no advanced policy features, we specified Cisco Essentials licensing rather than Advantage, eliminating thousands of dollars in license costs without sacrificing any capability required by the environment.
Redundant Power via StackPower: Beyond data-plane stacking (each inter-switch stacking cable operates at 480 Gbps, with dual cables per switch providing 960 Gbps of intra-stack switching capacity), we implemented Cisco StackPower. StackPower connects the power supplies of all stacked switches into a single logical power domain. As a result, a switch member can remain fully operational even if both of its local PSUs fail simultaneously, provided the aggregate pool has sufficient capacity from neighboring members. Every switch was also spec’d with dual PSUs connected to independent 30-amp UPS circuits, providing defense-in-depth at the power layer.
Core Layer: Catalyst 9500 with StackWise Virtual
The core consists of a pair of Catalyst 9500 switches, each with 40 ports of 10GbE SFP+ (400 Gbps per chassis) and a 2-port 40GbE network module. All four 40GbE ports, two per chassis, are used exclusively to interconnect the two switches, providing 80 Gbps of inter-chassis throughput over the StackWise Virtual link.
The distinction between StackWise Virtual and traditional stacking is architecturally significant. Traditional stacking elects a single active supervisor; all others are on standby. StackWise Virtual creates a unified control plane in which both chassis are simultaneously active and authoritative. Neither chassis can experience a “split-brain” event in which it assumes sole mastership. From the perspective of any connected device, the two physical switches appear as a single logical entity, enabling true cross-chassis EtherChannel bundle formation.
This matters for the access-to-core uplinks: six 10GbE EtherChannel members connect the access stack to each core chassis, for a total of 12 physical uplinks providing 120 Gbps of aggregate bandwidth between layers. Because the access stack and the core stack each behave as a single logical device, all 12 links function as a single bundle, providing simultaneous bandwidth aggregation and link-level redundancy with no STP blocking. At 300 connected ports, full-tilt simultaneous saturation would exceed this uplink capacity, but in practice, the access/core uplink is never the bottleneck.
Both core switches carry dual redundant PSUs on independent circuits.
Firewall: SonicWall NSA 4700
Moving toward the WAN edge, we deployed a pair of High Availability SonicWall NSA 4700 firewalls in active/passive configuration. The NSA 4700 was selected specifically for its threat inspection throughput, the ability to sustain deep packet inspection at multi-gigabit line rates. At initial deployment, the WAN circuit was 1 Gbps; however, the intent was to scale to a 10 Gbps WAN connection (or a bonded pair of 10 Gbps circuits) as the firm’s remote access requirements grew. The 4700 is rated to sustain full-rate 10 Gbps inspection, ensuring the firewall would not become a throughput ceiling post-upgrade.
Downstream connectivity from each firewall to the core switch layer uses four bonded 10GbE links — 40 Gbps per firewall. Active/passive failover typically converges within 2–3 seconds in practice. Both units carry redundant power on independent circuits.
Wireless Infrastructure: Controller-Managed Roaming in a High-RF-Interference Environment
The RF Challenge
The firm’s open floor plan, with extensive glass partitions, reflective surfaces, and dense client populations moving continuously through the space, presents a genuinely hostile RF environment. The expected real-world performance degradation from multipath interference and co-channel contention required us to over-spec radio capacity relative to theoretical client density, so that practical usability remained top-tier even as conditions diverged from ideal lab conditions.
Access Point Deployment
We deployed a tiered Ruckus Wi-Fi 6 infrastructure based on per-quadrant density and coverage requirements:
- Ruckus R850 (8×8:8 MU-MIMO, Wi-Fi 6): Deployed in high-density open-plan design zones and primary desk clusters. The 8×8:8 stream radio capacity with MU-MIMO support are critical for managing co-channel interference in environments where many clients are simultaneously active within a small geographic area.
- Ruckus R650 / R610: Deployed in conference rooms and corridor coverage zones where lower simultaneous client density reduces the need for full 8-stream radio capacity.
All APs were cabled with dual Cat6a cables, each supporting 10GbE, ensuring that neither the cabling nor the WAPs become obstacles when the client refreshes hardware on a 5–10-year cycle. The dedicated WAP switch supports up to 10 Gbps and 60W PoE per AP uplink, supporting the fastest available WAPs for years to come..
Virtualized SmartZone Controller
Rather than purchasing physical Ruckus SmartZone controller appliances, which, at the time of deployment, ran approximately $10,000 per unit for 10GbE-capable hardware, we virtualized redundant instances of the Ruckus Virtual SmartZone (vSZ) as VMs on the Dell/VMware cluster. This eliminated $20,000 in hardware spend while delivering equivalent functionality with the added benefit of VM-level HA and vMotion portability.
The controller-based roaming model is central to wireless performance in this environment. Without a controller, roaming decisions are left entirely to the client device, leading to the well-known “sticky client” problem, where a laptop clings to a degraded AP signal rather than handing off to a stronger one. vSZ continuously monitors per-client RSSI and SNR metrics across the AP fabric and issues directed disassociations, forcibly transitioning clients to the optimal AP. This orchestration is invisible to the user and ensures seamless handoffs during active video conferences or large file transfers as staff move through the office.
Storage Architecture: Dual-Appliance iSCSI SAN with Precision I/O Tuning
Primary SAN: Synology UC3200 — Active-Active Controllers
The storage backbone is decoupled from compute and presented to the VMware cluster over iSCSI. The primary unit is a Synology UC3200, selected specifically for its dual active-active iSCSI controllers. Each controller has its own processor, RAM, and dedicated network interfaces. In the event of a controller failure, path failover occurs at the hardware level with nanosecond-range latency. There is no controller election, no convergence delay, no VM I/O timeout. Both controllers are continuously serving I/O; the failure of one does not interrupt the other.
Disk configuration: The UC3200 is populated with 8x 16TB SAS HDDs for raw capacity, with 4x 1.92TB high-endurance SAS SSDs functioning as a read/write cache tier. The cache tier handles small-block, high-IOPS workloads — OS operations, database access, application binaries — while the spinning disk array serves large sequential transfers. The Synology tiering engine dynamically promotes and demotes data between tiers based on access patterns, transparently optimizing the performance profile of the array.
iSCSI connectivity: The UC3200 is connected via 8 discrete 10GbE iSCSI interfaces, each assigned a unique IP address, all running with a Jumbo Frame MTU of 9000. Jumbo frames reduce per-packet CPU overhead and increase effective payload efficiency, which is critical at the throughput levels this environment sustains. With 8 x 10GbE interfaces, the appliance presents 80 Gbps of raw iSCSI connectivity to the fabric. Each ESXi host uses 3 dedicated 10GbE NICs for iSCSI, providing 9 host-side paths in aggregate; closely matched to the 8 appliance-side paths, ensuring neither side is the bottleneck.
Importantly, the network fabric was deliberately over-provisioned relative to the storage appliance’s maximum sustainable I/O throughput. The true performance ceiling in this system is the aggregate read/write capability of the disk array, not the network. That is by design.
Secondary SAN: Synology SA3200D — Backup and Extended Services
Because no data should ever exist in a single location, a secondary appliance, the Synology SA3200D, also a dual-controller unit, serves as the backup target and extended services platform. The SA3200D uses an active/passive controller model (as opposed to the UC3200’s active/active), with a failover window of a few seconds between controllers.
The SA3200D was chosen for the secondary role because it supports capabilities the UC3200 does not: native cloud replication to AWS S3 buckets, DNS services, and other data management functions required by the firm’s workflow. A second UC3200 would have provided superior failover characteristics for the secondary role, but the SA3200D’s feature set justified the architectural trade-off, given the greater tolerance for brief failover interruptions on the backup tier versus the primary SAN.
Precision Multipath Tuning
A default iSCSI deployment can leave significant performance on the table. We applied targeted optimizations at multiple layers:
ALUA MPIO: We configured Asymmetric Logical Unit Access (ALUA) Multipath I/O across all ESXi hosts. ALUA allows iSCSI initiators to distinguish between optimized paths (directly attached to the owning controller) and non-optimized paths (traversing the inter-controller link), enabling intelligent path selection that avoids unnecessary inter-controller traffic and reduces effective latency.
Round-Robin IOPS Threshold: ESXi’s default Round-Robin Path Selection Policy switches active paths every 1,000 I/O operations. We reduced this threshold to 1, forcing a path switch after every single I/O operation. With 8 active 10GbE iSCSI paths available across 6 NICs per host, this setting distributes I/O across all available interfaces simultaneously, eliminating the micro-bottlenecks that accumulate under sustained sequential or mixed workloads where the default 1,000-IOPS threshold allows a single path to carry disproportionate load.
EtherChannel Hashing and vSwitch Load Balancing: For non-storage VM data traffic, three 10GbE interfaces per ESXi host are bonded via Cisco EtherChannel into a logical 30 Gbps trunk. We reviewed and tuned the hashing algorithms at both the Cisco switch layer and the VMware vSwitch layer, in coordination with Dell, VMware, and Cisco, to ensure that traffic is distributed effectively across all three physical links rather than consistently hashing to a single member. This is a configuration only available on Catalyst-class Cisco switches; the small business switch lines do not support the EtherChannel feature set required for full VMware integration.
Compute: Three-Node VMware vSphere Cluster on Dell PowerEdge R650
Hardware
Three Dell PowerEdge R650 servers form the compute cluster, each configured with half filled with RAM slots (to allow for future expansion) totalling 128 GB of RAM and 6x 10 GbE SFP+ NICs per host, with 3 NICs dedicated to iSCSI storage traffic, and 3 NICs bonded via EtherChannel for VM data traffic, vMotion, and management.
The cluster was deployed with VMware ESXi 7, deployed under a VMware Essentials Plus kit license. At the time of deployment, a one-time perpetual purchase for ~$7000 covered up to three hosts with up to 32 logical cores each. This licensing tier included vMotion and DRS, both of which are central to the cluster’s operational model.
vMotion and Dynamic Resource Scheduling
vMotion enables live migration of running VMs between physical hosts with zero downtime and no connectivity interruption; a critical capability for a cluster where planned maintenance on any single host must not affect production workloads. Firmware updates, hardware replacements, and scheduled maintenance tasks can be performed during business hours by migrating workloads off the target host first.
DRS (Dynamic Resource Scheduler) monitors real-time CPU and RAM utilization across all three hosts and automatically migrates VMs to rebalance load. A VM allocated 64 GB RAM that idles at 24 GB but spikes periodically, will be automatically redistributed if its host is running hot relative to peers. The three-node cluster was sized to sustain full workload capacity with any single host offline. The two surviving hosts carry sufficient headroom to run all production VMs at full allocation.
VM Affinity Rules
DRS’s dynamic placement is powerful but must be constrained for redundant service pairs. Without affinity rules, DRS might co-locate both Domain Controllers on the same physical host — providing zero protection against a host failure. We programmed anti-affinity rules for all redundant VM pairs, like Primary and Secondary Domain Controllers, and the Wireless SmartZone Controller pair.
This ensures that a single host failure — however unlikely given redundant power and redundant internal storage — cannot simultaneously eliminate both instances of any critical service.
Workloads
The cluster supports a broad range of production workloads: Active Directory Domain Controllers, file sharing services, both vSZ wireless controller instances, synchronization agents pushing to cloud services, a Network Video Recorder for the office camera system, print servers, and additional line-of-business application VMs. The shared SAN model means all VM storage is centralized, replicated, and backed up — rather than siloed on individual host disks.
Thermal Management
The server room, as is common in built-out office environments, presented a thermal challenge. The firm was taking over an entire floor and installing its own HVAC infrastructure, but extending dedicated precision-cooling capacity to the server room would have required many tens of thousands of dollars in additional ductwork and chiller capacity — not fiscally viable given the space geometry.
We specified and installed a dedicated HVAC unit within the server room with a hot-aisle/cold-aisle airflow design: cold supply air directed at the rack front faces, and hot exhaust captured and ducted into an adjacent printer room. Not an ideal thermal architecture, but a pragmatic solution within the constraints of the space — and one that has maintained stable operating temperatures since deployment.
Results
Following deployment and end-to-end tuning, the environment was benchmarked using iPerf to measure real-world throughput (not theoretical line rate).
Real-world internal file transfer throughput: ~5 Gbps.
This is performance on par with local NVMe storage on a modern high-end workstation — delivered over a shared, fully redundant SAN simultaneously accessible to all three compute hosts. Since initial deployment, the infrastructure platform — switches, servers, storage appliances — has experienced zero downtime. Application-layer events (firmware updates, print server restarts, wireless controller reboots) have occurred, but the underlying fabric has never failed.
The total cost of this environment, while significant, compares favorably to hyperconverged infrastructure solutions of equivalent capability. Hyperconverged platforms meeting these throughput and redundancy requirements would have carried a price tag exceeding $100,000 per node. This architecture delivered comparable or superior real-world performance through deliberate hardware selection, precise configuration tuning, and a willingness to engage deeply with the knobs that most deployments leave at their defaults.
This engagement is presented as a representative example of our infrastructure design and implementation practice.
For a free consultation and written estimate, call 646-274-0933 or email info@macktez.com.