Network · Switching · SD-WAN · UAE
A vendor-neutral UAE buyer's guide for switching, routing, SD-WAN, load balancers, NAC, monitoring and DDI. Honest comparisons across HPE Aruba, Cisco, Juniper Mist, Arista, Fortinet, Sophos and the architectures that actually fit UAE enterprises.
HPE Aruba CX + Central, Cisco Catalyst 9000 + Catalyst Center / Meraki, Juniper Mist, Arista, Extreme, FortiSwitch + FortiGate, Sophos Switch + XGS Firewall. Aruba EdgeConnect (Silver Peak), Cisco SD-WAN, Fortinet Secure SD-WAN, Versa, Cato, Palo Alto Prisma, Sophos Firewall SD-WAN. F5, Citrix NetScaler, Kemp, NGINX, A10. ClearPass, ISE, Forescout, FortiNAC. Infoblox, BlueCat. NESA, SIA, DESC, CBUAE, DHA, TDRA aligned.
The Buyer's Guide
Vendors who quote without asking these are not designing, they're shifting risk to you.
| Step | Question | Nail down | Why it matters |
|---|---|---|---|
| 1 | What is the network for? | Campus user access, data center east-west, branch connectivity, IoT/OT, voice, video, guest, AI/HPC fabric | Each role has fundamentally different design requirements. A campus access switch and a DC leaf switch are not interchangeable. |
| 2 | How many users, devices, sites? | Wired user count, wireless device count, IoT device count, branch sites, growth over 3-5 years | Scale drives architecture choice, fixed-config vs chassis, cloud-managed vs controller-based, leaf-spine vs traditional 3-tier. |
| 3 | Performance & throughput requirements? | 1/2.5/5/10/25/100 GbE per port, oversubscription tolerance, latency-sensitive apps, AI/GPU east-west bandwidth | Tomorrow's GPU server needs 100 GbE; yesterday's '1Gb is enough' is a 5-year regret. |
| 4 | Security integration model? | Standalone network + separate firewall, or synchronized security (NAC + EDR + firewall + switching all sharing telemetry) | Determines whether a security-integrated vendor (Sophos, Fortinet) earns a place in the shortlist alongside the network specialists. |
| 5 | Operational model, cloud-managed or on-prem controller? | Aruba Central / Cisco Meraki / Juniper Mist / Cisco Catalyst Center / on-prem controllers | Cloud-managed simplifies day-2; on-prem suits airgap / regulated; some shops mix. |
| 6 | Compliance & data residency? | NESA / SIA / DESC / sector-specific (CBUAE / DHA / TDRA), telemetry residency, country-of-origin sensitivities | Influences cloud-management acceptability, vendor selection, and audit posture. |
| 7 | In-house skills & AMC model? | CCNA/CCNP-deep team, Aruba-aligned, Mist AI-friendly, or fully outsourced | Skill alignment beats spec-sheet wins, a brilliant Cisco shop on Aruba kit will struggle and vice-versa. |
Checklist
Checklist
Checklist
Checklist
Network Architecture
Modern enterprise networks split into four distinct domains. Mixing them up is the single most common architectural mistake we encounter.
| Criterion | Campus / Office | Data Center | Branch / Edge | SASE / SD-WAN |
|---|---|---|---|---|
| What it does | Connects users, IoT, printers, APs to the network | Connects servers, storage, east-west traffic | Connects a remote / smaller site to HQ & cloud | Connects all sites + cloud + SaaS through a security-aware fabric |
| Typical port speed | 1 GbE (with 2.5/5/10 GbE for Wi-Fi 6E/7 APs) | 25 / 100 / 400 GbE | 1 GbE | WAN-side virtual |
| Architecture | Access → Distribution → Core (or collapsed) | Leaf-Spine (modern) or 3-tier (legacy) | Single switch + router/firewall | SD-WAN edge → cloud / SASE PoP |
| Core protocols | VLAN, MSTP/RSTP, OSPF | EVPN-VXLAN, BGP, RoCE / DCB for storage | OSPF / static + IPSec to HQ | Overlay over Internet/MPLS, SD-WAN orchestrator |
| Vendor density | High, many vendors compete | Concentrated, Cisco / Arista / Aruba dominate | High, almost any vendor works | Specialist, Gartner SD-WAN Leaders |
| Lifecycle | 5-8 years | 5-7 years | 5-7 years | 3-5 years (subscription model dominates) |
| Artiflex top pick (UAE) | HPE Aruba CX + Cisco Catalyst 9000 alt | Arista or HPE Aruba CX 8000-series, Cisco Nexus 9k alt | HPE Aruba CX, Cisco Catalyst, FortiSwitch (security-led), Sophos Switch (sync-sec shops) | Aruba EdgeConnect (Silver Peak) top pick; Cisco SD-WAN, Fortinet, Sophos for budget |
Switches · L2 vs L3
| Layer | Function | What it does | Does NOT | Where it fits |
|---|---|---|---|---|
| Layer 2 | Switching (MAC-based) | Forwards frames within a VLAN, based on MAC addresses; supports VLANs, STP, link aggregation, basic QoS | Cannot route between VLANs / IP subnets, that requires Layer 3 | Access switches in a campus, edge of branches, where routing is done upstream |
| Layer 3 | Routing (IP-based) | Forwards packets between subnets; supports OSPF, BGP, VRF, ACLs at IP level, multicast routing | — | Distribution and core; any switch acting as a default gateway for VLANs; data-center spines |
| Tier | Function | Specs | Required features | Recommended class |
|---|---|---|---|---|
| Access | End-user / IoT / AP connection | 24-48× 1 GbE (some 2.5/5 GbE for Wi-Fi 6E/7 APs), PoE+/PoE++, 4× 10 GbE uplinks | VLANs, STP, PoE, sFlow / NetFlow, link aggregation, basic ACLs | Aruba CX 6100/6200/6300, Cisco Catalyst 9200/9300, Sophos CS Switch, Fortinet FortiSwitch 100/200/400 |
| Distribution | Aggregation; inter-VLAN routing | 24-48× 10/25 GbE, redundant PSUs, full L3 (OSPF/BGP), VSF/VSX | Full L3, VRF-Lite, MSTP/RSTP, MC-LAG | Aruba CX 6300/6400/8100, Cisco Catalyst 9400/9500, Arista 7050/7280 |
| Core / Campus core | High-speed backplane; primary L3 routing | 40/100/400 GbE, very low latency, high MAC/route table sizes | Full L3, EVPN-VXLAN (modern), BGP, multicast, redundant PSUs & supervisors | Aruba CX 8325/8400/10000, Cisco Catalyst 9500/9600, Cisco Nexus 9300/9500, Arista 7280R/7800R, Juniper QFX |
| Data center leaf | ToR connection of servers/storage | 48× 25 GbE + 8× 100 GbE uplinks (modern), VXLAN, RoCE | EVPN-VXLAN, MC-LAG/VPC, low latency, lossless support | Arista 7050X3/7060X4, Cisco Nexus 9300, Aruba CX 8325, Juniper QFX5120/5130 |
| Data center spine | Connects every leaf in CLOS fabric | 32-64× 100/400 GbE, deep-buffer optional | BGP-EVPN, ECMP, low latency | Arista 7280R/7800R, Cisco Nexus 9500, Aruba CX 10000, Juniper QFX10K |
Switch Vendor Comparison
Aruba CX
Strengths: Aruba CX OS is modern and consistent across access-to-core, AI-Ops via NetInsight, Aruba Central is a strong cloud-management plane, deep ClearPass NAC integration, lifetime warranty on many SKUs, GreenLake (opex)
Weaknesses: Some legacy Aruba 2930/3810 SKUs still around; clarify CX vs legacy when quoting
Best for: Mid-market to enterprise, customers wanting unified wired+wireless+SD-WAN stack
Top pick for most UAE customers
Cisco
Strengths: Largest installed base in UAE, deepest engineering bench, very broad portfolio, IOS-XE mature, ISE for NAC, Catalyst Center / DNA Center for AI-Ops, Meraki cloud-managed alternative
Weaknesses: DNA / Catalyst Center licensing & tier complexity, premium pricing
Best for: Cisco-skilled shops, large enterprise, complex multi-protocol environments
Strongly recommended alternative, pick if Cisco-heavy team
Mist
Strengths: Mist AI / Marvis is best-in-class AIOps, lean cloud management, EX series ports are robust, growing UAE channel
Weaknesses: Smaller installed base than Aruba/Cisco in UAE; AI-Ops licensing required for full value
Best for: Greenfield deployments, AI-Ops first buyers, customers wanting cleanest cloud-managed UX
Strong choice for AI-Ops-led buyers
Arista
Strengths: Best-in-class for data-center leaf-spine and AI/HPC fabrics, EOS is the most consistent NOS in market, CloudVision for management, exceptional reliability and telemetry
Weaknesses: Premium price, smaller campus / wireless story (focus is DC)
Best for: Data center fabric, AI/HPC, very large enterprise core, hyperscale-style
Top pick for data center fabric / AI
Extreme
Strengths: Strong campus + branch story, ExtremeCloud IQ for management, edge fabric (Fabric Connect) for simplified L3
Weaknesses: Smaller UAE channel than Aruba/Cisco; brand legacy of acquired companies (Avaya, Aerohive, Brocade)
Best for: Cost-sensitive enterprise wanting modern cloud-managed switching
Reasonable third option for cost-conscious mid-market
Fortinet
Strengths: Tightest integration with FortiGate firewall, switches managed from the firewall (FortiLink), included in Fortinet Security Fabric, good price-performance
Weaknesses: Smaller routing protocol depth than Cisco/Aruba at the high end; best when paired with FortiGate
Best for: FortiGate-first customers wanting unified Security Fabric
Strong choice when FortiGate is the firewall standard
Huawei
Strengths: Excellent technology, aggressive pricing, capable AI-driven NOS
Weaknesses: Compliance / sanctions implications for some sectors; component-sourcing scrutiny
Best for: Telco, public sector, sectors where geopolitics is acceptable
Discuss case-by-case; not Artiflex's default
Sophos
Strengths: Native integration with Sophos Synchronized Security (XGS firewall, Intercept X EDR, Sophos Wireless): switches share threat telemetry, automatically isolate compromised endpoints via Security Heartbeat. Centrally managed via Sophos Central. Compelling price-point.
Weaknesses: Layer 2 only, no L3 routing capability. Customers needing inter-VLAN routing must look elsewhere or place routing on the Sophos firewall. Smaller UAE channel than mainstream switching vendors. Limited port-density options.
Best for: SMB / mid-market customers running Sophos firewall + EDR + Wireless who want their entire network stack speaking one synchronized-security language
Recommended for Sophos-first sync-sec customers, only at access-tier where L2 is sufficient
UniFi
Strengths: Very low cost, attractive UI, strong SMB/prosumer following
Weaknesses: Not enterprise-grade; limited TAC/UAE service depth; firmware quality varies
Best for: SMB, retail, hospitality, low-criticality sites
Reasonable for SMB; do not use for enterprise production
MikroTik
Strengths: Extreme price-performance; powerful RouterOS
Weaknesses: Steep learning curve; no enterprise-grade TAC; no in-country spares
Best for: ISP, very small office, lab, technical hobbyists
Niche only; not for production enterprise
⭐ Sophos Switch · When does it earn a place?
Sophos Switch is not for every customer, but it's a genuine fit for customers who already use Sophos Firewall (XGS), Sophos Intercept X EDR, and Sophos Wireless, and who want their entire network stack to participate in Sophos Synchronized Security. When a workstation gets compromised, the Sophos firewall's Security Heartbeat instructs the Sophos switch to isolate that port automatically, without writing a single NAC policy.
Two clear caveats
Where we recommend it
SMB / mid-market customers with Sophos firewall already in place, where access-layer L2-only switching is sufficient, and where synchronized-security operational simplicity beats deploying separate NAC infrastructure.
Where we don't: distribution / core / data center, large campus deployments, or customers without Sophos firewall.
Switch · Support, Price & Availability
* Availability depends on stock-model SKUs versus specifically-designed configurations. Custom configurations may take longer ETA. Artiflex normally suggests proceeding with ready-stock configurations.
| Criterion | Aruba CX | Cisco | Mist | Arista | Fortinet | Sophos |
|---|---|---|---|---|---|---|
| UAE local presence | Direct + extensive | Direct + largest | Direct + selective | Direct + selective | Direct + extensive | Sophos channel + partners |
| 4-hour onsite (24×7) | ★★★★★ All Emirates | ★★★★★ All Emirates | ★★★★☆ Major cities | ★★★★☆ Major cities | ★★★★★ All Emirates | ★★★☆☆ Major cities |
| Spare parts depot | ★★★★★ | ★★★★★ | ★★★★☆ | ★★★★☆ | ★★★★☆ | ★★★☆☆ |
| Lead time (stock SKU) | 3-6 weeks | 3-8 weeks | 4-8 weeks | 4-10 weeks | 3-6 weeks | 3-6 weeks |
| List price competitiveness | ★★★★☆ Aggressive | ★★★☆☆ Premium | ★★★☆☆ | ★★☆☆☆ Premium DC | ★★★★☆ | ★★★★★ Very aggressive |
| Severity-1 response | ★★★★★ | ★★★★★ TAC | ★★★★★ | ★★★★★ | ★★★★★ | ★★★★☆ |
| UAE engineering bench | ★★★★★ | ★★★★★ | ★★★☆☆ Growing | ★★★★☆ | ★★★★☆ | ★★★☆☆ |
| 5-year support cost | ~12-18% / year | ~15-25% / year (DNA Premier) | ~12-18% / year | ~12-18% / year | ~10-16% / year | ~10-14% / year |
Who wins for switching in UAE?
Routers / WAN Edge
Most enterprise routing is now done by L3 switches in the campus and SD-WAN edge devices at the WAN. Dedicated routers remain relevant for ISP-edge, large-WAN aggregation, MPLS interconnect and high-throughput crypto/IPSec at scale.
Cisco
Strengths: Largest installed base, deepest IOS-XE features, Catalyst 8000 series unifies SD-WAN + traditional routing, broadest UAE skill base
Best for: Mainstream WAN edge, MPLS aggregation, large branch
Top pick for traditional routing roles
Juniper MX
Strengths: Carrier-grade routing, MPLS depth, scale, Junos consistency
Best for: ISP, telco, large enterprise WAN aggregation
Excellent for SP-class needs
Aruba
Strengths: L3 switches handle most enterprise routing; EdgeConnect handles WAN edge
Best for: Aruba-aligned campuses where dedicated routers are not required
Strong fit when collapsed routing/switching is acceptable
FortiGate
Strengths: Routing + firewall + SD-WAN in single platform; very strong price-performance for branches
Best for: Branches, mid-market SD-WAN
Excellent for security-led routing scenarios
Sophos XGS
Strengths: Combined firewall + router + SD-WAN in single device; very strong price-point
Best for: SMB / mid-market with Sophos-led security
Reasonable for SMB Sophos-led shops
MikroTik / UniFi
Strengths: Very low cost, capable for small networks
Best for: Very small office, hospitality, ISP edge
Niche only
SD-WAN · Deep Dive
SD-WAN replaces MPLS-only or static-route WAN with a software-defined overlay across multiple transports (MPLS, broadband, 4G/5G), with application-aware QoS and centralised policy.
| Site profile | Users | Throughput | Transports | Recommended class |
|---|---|---|---|---|
| Micro-branch (retail, kiosk) | 1-10 | 50-200 Mbps | Broadband + 4G/5G | Aruba EdgeConnect EC-XS, Cisco C8200, FortiGate 40F/60F, Sophos XGS 87/107 |
| Branch office | 10-100 | 200 Mbps - 1 Gbps | 2× broadband or MPLS + broadband | Aruba EdgeConnect EC-S, Cisco C8300, FortiGate 100F/200F, Sophos XGS 116/126 |
| Regional office / mid-site | 100-500 | 1-5 Gbps | MPLS + 2× broadband + 5G backup | Aruba EdgeConnect EC-M, Cisco C8500, FortiGate 600F, Sophos XGS 3300 |
| HQ / data center | 500+ | 5-20 Gbps | Multiple MPLS / DIA links | Aruba EdgeConnect EC-XL, Cisco C8500L/C8500X, FortiGate 1800F+, dedicated SD-WAN hub |
Aruba EdgeConnect
Strengths: Industry-leading first-packet identification, Boost WAN optimization built-in (TCP acceleration, dedup), Unity Orchestrator best-in-class, deep SaaS optimisation, integrates cleanly into Aruba Central
Weaknesses: Premium relative to Fortinet/Sophos
Best for: Mid-market to large enterprise prioritising application performance and SaaS optimisation, HPE-aligned shops
Top pick for SD-WAN
Cisco SD-WAN
Strengths: Largest installed base, deepest enterprise feature set, vManage / Catalyst SD-WAN Manager mature, integrates with Cisco's broader portfolio (ISE, Umbrella, ThousandEyes)
Weaknesses: Premium pricing, licensing complexity (DNA Advantage / Premier required for full features)
Best for: Cisco-shops, large enterprises, customers wanting Cisco end-to-end
Strongly recommended alternative, pick if Cisco-aligned
VeloCloud
Strengths: Strong cloud-on-ramp story, mature SaaS optimisation, broad telco partnerships
Weaknesses: Post-Broadcom commercial uncertainty mirrors VMware vSphere, pricing risen, partner programs disrupted, longer-term roadmap signals mixed
Best for: Existing VeloCloud customers; new buyers should evaluate cautiously
Existing customers re-evaluate at renewal; new buyers caution
Fortinet
Strengths: SD-WAN included in FortiGate firewall, same device handles security + SD-WAN; strong price-performance, single-pane FortiManager
Weaknesses: Best at branch / mid-tier; very large hub deployments may favour dedicated SD-WAN hubs
Best for: FortiGate-first shops, security-led architectures, mid-market
Excellent choice when FortiGate is the security standard
Versa
Strengths: Single-pass architecture for SD-WAN + security (full SASE), Versa Director, strong service-provider following
Weaknesses: Smaller UAE channel
Best for: SASE-first deployments, SP-class enterprises
Strong for SASE-aligned greenfield
Prisma SD-WAN
Strengths: App-defined fabric, strong integration with Prisma Access (SASE), Palo Alto-aligned customer base
Weaknesses: Best fit when Palo Alto is the security standard
Best for: Palo Alto-aligned shops moving to SASE
Strong for Palo Alto-aligned customers
Cato
Strengths: Cloud-native single-vendor SASE platform, Cato PoPs across MENA, no on-prem orchestrator
Weaknesses: Locks you into Cato's cloud, no on-prem fallback option
Best for: Customers wanting fully-managed SASE without DIY orchestration
Strong for SASE-managed-service buyers
Sophos SD-WAN
Strengths: SD-WAN built into Sophos Firewall, no separate license, no separate device. Application-aware path selection, link bonding, automatic failover, integrated with Sophos Synchronized Security. Excellent price-point.
Weaknesses: Lighter feature set than dedicated SD-WAN platforms, fewer transport options, less mature WAN-optimization, no dedup
Best for: SMB / mid-market customers using Sophos firewall who want SD-WAN without buying a separate platform
Recommended budget-efficient option for Sophos-led SMB / mid-market
⭐ Sophos Firewall SD-WAN · When does it earn the spot?
Most SD-WAN buyer's guides feature only Gartner Leaders. We include Sophos Firewall SD-WAN deliberately because for a specific customer profile, SMB and mid-market customers already using Sophos XGS firewall, buying a separate Aruba EdgeConnect or Cisco SD-WAN solution is overkill and expensive. Sophos Firewall has SD-WAN built into the same box: feature included, orchestration via the same Sophos Central console, per-site cost can be 40-60% lower.
Where Sophos SD-WAN is a strong fit
Where to choose dedicated SD-WAN instead
The honest answer: buy the simplest tool that meets your needs. For a 5-site UAE retail chain on Sophos firewall, Sophos SD-WAN is the right answer. For a 100-site multinational running real-time voice across continents, Aruba EdgeConnect or Cisco SD-WAN earns its premium.
Load Balancers / ADC
ADCs sit between users and applications, distributing traffic, terminating SSL, enforcing WAF policies, accelerating delivery and providing high availability.
F5
Strengths: Industry standard for enterprise ADC, highest feature depth (LTM, ASM/Advanced WAF, APM, GTM/DNS), iRules for granular control, mature in financial & telco, cloud-portable
Best for: Banks, telecom, large enterprise, complex apps requiring fine-grained traffic control
Top pick for enterprise ADC
NetScaler
Strengths: Strong with Citrix VDI, mature ADC, Web App Firewall, GSLB
Best for: Citrix VDI customers, existing NetScaler shops
Strong choice for Citrix-aligned shops
A10
Strengths: High-throughput hardware, DDoS mitigation, competitive pricing vs F5
Best for: Service providers, customers wanting F5-class throughput at lower cost
Strong alternative to F5 for cost-sensitive enterprise
LoadMaster
Strengths: Excellent price-performance, software / VM / hardware options, simple management
Best for: Mid-market, Microsoft Exchange / SharePoint, Citrix front-end
Excellent for mid-market, best value-for-money
NGINX
Strengths: Lightweight, software-only, dominant in cloud-native / Kubernetes ingress
Best for: Cloud-native apps, Kubernetes ingress, microservices
Top pick for cloud-native / DevOps-led teams
HAProxy
Strengths: Very high throughput, low cost, widely deployed at scale
Best for: Cloud-native, very high-throughput web apps, cost-sensitive
Strong for technical teams
Cloud LB
Strengths: Native to cloud, pay-per-use, no infrastructure
Best for: Cloud-first apps, hybrid where most traffic is cloud-side
Default for cloud-native deployments
FortiADC
Strengths: Tight integration with Fortinet Security Fabric, included in some bundles
Best for: FortiGate-first customers wanting unified Fortinet stack
Reasonable for Fortinet-aligned shops
Who wins ADC for UAE customers?
Network Access Control
Critical in UAE for NESA / SIA / sector-specific compliance, BYOD environments, and any network with IoT/OT.
ClearPass
Strengths: Industry-leading device profiling, deep integration with Aruba switching/wireless, OnGuard for posture, multi-vendor support, IoT-friendly
Best for: Enterprise NAC, Aruba-aligned shops, BYOD-heavy environments
Top pick, most deployed NAC in UAE
Cisco ISE
Strengths: Deep Cisco network integration, TrustSec / SGT for software-defined segmentation, mature
Best for: Cisco-aligned enterprise, large environments needing TrustSec
Strong alternative, pick if Cisco-aligned
Forescout
Strengths: Best-in-class agentless device discovery, OT/IoT visibility, multi-vendor
Best for: OT environments, healthcare, manufacturing, multi-vendor networks
Excellent for OT / IoT-heavy environments
FortiNAC
Strengths: Integrates with Fortinet Security Fabric, multi-vendor switch support, posture checking
Best for: Fortinet-aligned shops
Strong for FortiGate-first customers
Mist NAC
Strengths: Cloud-native NAC, Mist AI integration, simple deployment
Best for: Mist-aligned greenfield deployments
Strong for Mist-aligned shops
Sophos Sync-Sec
Strengths: Lightweight NAC-equivalent via Security Heartbeat, compromised endpoints isolated by Sophos firewall + switch + AP automatically
Best for: SMB / mid-market on Sophos stack
Sufficient for Sophos-aligned SMB; not a replacement for ClearPass/ISE in enterprise
Network Monitoring & Observability
Network monitoring spans from basic SNMP polling to AI-driven observability, synthetic monitoring and end-user experience analytics.
Aruba NetInsight
Vendor-native AIOps
Strengths: Best-in-class AIOps for Aruba networks, UXI sensors for user-experience telemetry, included with Aruba Central Advanced
Best for: Aruba-aligned customers
Top pick for Aruba shops
ThousandEyes
Vendor-native + internet-path
Strengths: Excellent internet/SaaS path observability (ThousandEyes), AI-driven Catalyst Center analytics
Best for: Cisco-aligned customers, hybrid/cloud-app monitoring
Strong for Cisco-aligned shops + multi-cloud SaaS visibility
Marvis
Vendor-native AIOps
Strengths: Mist AI / Marvis virtual assistant, natural-language troubleshooting
Best for: Juniper-aligned customers
Excellent for Mist-aligned greenfield
SolarWinds
Multi-vendor
Strengths: Industry-standard SNMP-based monitoring, broad vendor support, mature reporting
Best for: Multi-vendor enterprise environments
Strong for multi-vendor shops
PRTG
Multi-vendor
Strengths: Sensor-based, fast deployment, transparent licensing
Best for: Mid-market, multi-vendor, simpler environments
Excellent value for mid-market
LogicMonitor
SaaS observability
Strengths: Cloud-native, broad coverage, AI-driven
Best for: Hybrid environments, MSP-delivered
Strong for cloud-first / MSP customers
Auvik
SaaS
Strengths: Auto-discovery, network mapping, MSP-friendly
Best for: SMB / mid-market, MSP-delivered
Excellent for SMB / MSP scenarios
Datadog
SaaS observability
Strengths: Unified with infrastructure / app monitoring, modern UX
Best for: Cloud-native / DevOps-led shops
Strong for cloud-native customers
Open-source
Self-hosted
Strengths: Free, very flexible, large community
Best for: Cost-sensitive, technical teams
Reasonable for technical teams; requires operational investment
DDI · DNS / DHCP / IPAM
Most UAE SMB / mid-market run DDI on Microsoft AD-DNS + DHCP, and that works. Enterprises with thousands of devices and compliance pressure typically deploy a dedicated DDI platform.
Infoblox
Strengths: Industry standard for enterprise DDI, BloxOne for cloud-managed, threat intelligence integration, deep automation
Best for: Large enterprise, multi-site, compliance-heavy
Top pick, most deployed in UAE enterprise
BlueCat
Strengths: Strong DNS-driven security, Adaptive DNS, compliance reporting
Best for: Large enterprise, government, regulated sectors
Strong alternative to Infoblox
EfficientIP
Strengths: Strong DNS security focus, competitive pricing
Best for: Mid-market to enterprise
Strong choice for cost-sensitive enterprise
Microsoft AD
Strengths: Free with Windows Server, deep AD integration, sufficient for most SMB / mid-market
Best for: SMB / mid-market with Windows-AD-driven networks
Default for SMB / mid-market, no need to overspend
BIND / Kea
Strengths: Free, very flexible, widely deployed
Best for: ISP, technical teams, hosting environments
Niche for technical operations
Reality Check
Knowing what to ignore saves real evaluation time.
| Technology | Status | Why it's rarely used | Where it still fits |
|---|---|---|---|
| FCoE (Fibre Channel over Ethernet) | Effectively dead | Promised converged fabric but never delivered operational simplicity. Modern DCs use NVMe-oF or pure FC. | Existing UCS B-Series shops; do not deploy new |
| Stretched Layer 2 over WAN | Rarely justifiable | Active-active stretched VLANs across data centers is a known operational and failure-domain problem; modern designs use L3 + EVPN-VXLAN with mobility | Specific legacy app migration scenarios only |
| WAN-optimization-only appliances (Riverbed, dedicated WAAS) | Largely replaced | SD-WAN now bundles WAN optimization, dedup, app routing in one platform | Very large, latency-extreme global enterprises only |
| MPLS-only WAN (no SD-WAN overlay) | Declining | 40-60% cost savings achievable by overlaying SD-WAN over hybrid transports; pure MPLS lacks app-aware path selection | Legacy multi-site enterprise pre-refresh; SP commitments not yet expired |
| Standalone Wi-Fi controllers (in-DC physical box) | Declining | Cloud-managed APs (Aruba Central, Meraki, Mist) eliminated the need for an on-prem controller for most customers | Air-gapped environments, classified networks |
| Token Ring / FDDI / ATM | Long obsolete | — | Nowhere; if you find this in production, it's an emergency refresh |
| L2-only design at distribution / core | Common but inefficient | Forces all routing to the firewall, creating bottlenecks. Modern best practice is L3 at distribution. | Very small offices only |
| 'Best-effort' QoS without classification | Common but ineffective | Without per-application classification (DSCP, NBAR, app-ID), QoS does nothing useful | Nowhere, either do it properly or don't bother |
Budget Guidance · UAE 2026/2027
* Prices are indicative and vary based on configuration, port density, PoE budget, software-licensing tier, support level and quarter-end positioning. Always validate via formal quote.
| Configuration | Indicative range (AED) | Notes |
|---|---|---|
| Access switch, 24-port 1GbE PoE+ (Aruba CX 6100 / Cisco C9200) | AED 5,500 - 14,000 | Hardware; +1,000-2,500 for 3-year cloud licence |
| Access switch, 48-port 1GbE PoE++ + 4× 10GbE uplinks | AED 14,000 - 28,000 | Hardware; +2,500-5,500 for 3-year cloud licence |
| Distribution / core L3, 24-port 10GbE / 4× 25GbE uplinks | AED 30,000 - 70,000 | Hardware; +6,000-14,000 software licence |
| DC leaf, 48× 25GbE + 8× 100GbE (Arista 7050X3 / Aruba CX 8325) | AED 80,000 - 165,000 | Hardware + 3-year support |
| DC spine, 32× 100GbE / 64× 100GbE | AED 180,000 - 380,000 | Hardware + 3-year support |
| Sophos Switch CS210-48FP (48-port PoE++) | AED 11,000 - 18,000 | Hardware + Sophos Central management included |
| SD-WAN branch edge (Aruba EdgeConnect EC-S / Cisco C8200 / FortiGate 100F) | AED 14,000 - 32,000 | Hardware; +6,000-14,000 / year subscription per site |
| SD-WAN HQ edge (Aruba EdgeConnect EC-XL / Cisco C8500) | AED 120,000 - 280,000 | Hardware; +25,000-60,000 / year subscription |
| Sophos XGS Firewall with built-in SD-WAN (XGS 116 / 126 / 3300) | AED 5,500 - 38,000 | Hardware + Xstream Protection bundle |
| F5 BIG-IP entry (i2800-class) | AED 140,000 - 250,000 | Hardware + LTM + 3-year support |
| Kemp / Progress LoadMaster entry | AED 18,000 - 45,000 | Hardware or VM + 3-year support |
| NAC, Aruba ClearPass / Cisco ISE (~500 endpoints) | AED 120,000 - 280,000 | Software + 3-year support |
| Network monitoring, PRTG / SolarWinds NPM (~500 nodes) | AED 22,000 - 60,000 / year | Annual subscription |
| DDI, Infoblox entry appliances | AED 120,000 - 250,000 | 2× appliances + 3-year support |
Artiflex Service Packages
Each is a complete deployment, sizing, hardware, software, professional services, knowledge transfer and ongoing AMC.
SMB, single-site, <100 users
2× Aruba CX 6100 24-port + Aruba Central Foundation + WAP planning + 1-day KT
SLA
9×5 with 4-hr critical
AMC
AED 2,500 - 5,500/mo
AED 40,000 - 80,000
Mid-market, multi-floor / multi-building, 100-500 users
Access + L3 distribution (Aruba CX 6300 / Cisco C9300) + Aruba Central Advanced or DNA + design + 3-day KT
SLA
24×7 with 4-hr onsite
AMC
AED 9,500 - 18,000/mo
AED 180,000 - 400,000
Enterprise, multi-site, 500+ users, integrated DC fabric
Full Aruba CX or Cisco Catalyst stack, ClearPass / ISE NAC, NetInsight / Catalyst Center AIOps, 5-day KT, 90-day post-go-live
SLA
24×7 with 4-hr onsite + named TAM
AMC
AED 22,000 - 55,000/mo
AED 700,000 - 1,800,000
SMB / mid-market on Sophos firewall + EDR; wants unified network + security
Sophos Switch (access L2 only) + Sophos Firewall (XGS) + Sophos AP + Sophos Central + Sync-Sec setup; 2-day KT
SLA
9×5 with 4-hr critical
AMC
AED 4,500 - 11,000/mo
AED 80,000 - 220,000
10-50 site mid-market to enterprise
Aruba EdgeConnect appliances + Unity Orchestrator + path-policy design + ZTP rollout + 3-day KT + DR drill
SLA
24×7 with 4-hr onsite
AMC
AED 14,000 - 35,000/mo
AED 350,000 - 900,000 (10 sites)
3-20 site SMB / mid-market on Sophos firewall
Sophos XGS at each site + SD-WAN policy design + Sophos Central orchestration + 2-day KT
SLA
9×5 with 4-hr critical
AMC
AED 4,500 - 12,000/mo
AED 100,000 - 280,000 (10 sites)
Mid-market to enterprise needing posture-checking, BYOD, IoT segregation
NAC servers + integration with switching/wireless + policy design + posture rollout + 5-day KT
SLA
24×7 with 4-hr critical
AMC
AED 7,500 - 18,000/mo
AED 180,000 - 450,000
Customers wanting end-to-end network + SaaS visibility
Aruba NetInsight or Cisco ThousandEyes, alerting setup, dashboards, runbooks, 3-day KT
SLA
24×7 with monthly review
AMC
AED 5,500 - 14,000/mo
AED 120,000 - 280,000 setup + sub
What's included in every Artiflex network package
UAE-Specific Considerations
Send us your site count, user count, application mix and security posture, we'll come back with a sized solution across two or three vendors so you can compare honestly.
The questions we hear most often from UAE businesses sizing switches, picking SD-WAN, or evaluating NAC.
For most UAE customers, HPE Aruba CX is our top recommendation, with Cisco Catalyst 9000 as a strongly recommended alternative. Pick Aruba if you want a unified wired+wireless+SD-WAN stack with cloud-managed (Aruba Central) and lifetime warranty on many SKUs. Pick Cisco if your team is CCIE-deep, you have an existing Cisco-heavy estate, or you need the broadest portfolio depth. For greenfield AI-Ops-led deployments, Juniper Mist is the third strong option. We deploy and support all three daily.
Yes, but only at the access tier and only if you already use Sophos Firewall + Intercept X EDR + Sophos Wireless. Sophos Switch is Layer 2 only, there is no L3 model, so you cannot use it for inter-VLAN routing, distribution or core. The synchronized-security value (compromised endpoints automatically isolated by the firewall via Security Heartbeat) only appears when the entire stack is Sophos. For SMB / mid-market shops on Sophos, it's a genuinely strong fit. For larger enterprises or anyone needing L3 on the switch itself, look elsewhere.
It depends on scale and complexity. For 3-20 site SMB / mid-market deployments already running Sophos XGS firewall, where application-aware path selection between MPLS / broadband / 4G/5G is sufficient and you don't need WAN optimization (TCP acceleration, dedup), Sophos Firewall SD-WAN is a strong budget-efficient choice and 40-60% cheaper than buying a dedicated SD-WAN platform. For 20+ sites with complex policy requirements, heavy SaaS workloads needing first-packet identification & SaaS optimisation, or carrier-grade voice/video QoS depth, choose Aruba EdgeConnect (top pick) or Cisco SD-WAN instead.
AD authentication gates who can join the network. NAC additionally validates what device they're joining from, posture (patched OS, EDR running, OS version), correct VLAN assignment, and continuous policy enforcement. For UAE compliance regimes (NESA, SIA, sector-specific) and any environment with BYOD or significant IoT/OT, NAC is essentially required. Aruba ClearPass is our top NAC pick (most deployed in UAE), Cisco ISE is the strong alternative for Cisco shops, Forescout for OT/IoT-heavy environments, FortiNAC for FortiGate-aligned. Sophos Synchronized Security provides NAC-equivalent functionality for SMB / mid-market on the Sophos stack.
Cloud-managed (Aruba Central, Cisco Meraki, Juniper Mist, Catalyst Center cloud) wins on day-2 simplicity, zero-touch provisioning, AIOps, and remote multi-site management. Use it unless you have a hard data-residency / air-gap / classified-network constraint. On-prem controllers (Aruba Mobility Controllers, Cisco WLC, traditional Catalyst Center on-prem) suit airgap, regulated, government and TDRA-constrained environments. Some customers mix, cloud-managed at branches, on-prem at HQ. Confirm cloud telemetry residency under NESA / SIA before defaulting to cloud-managed in regulated sectors.
Access switches: 5-8 years. Distribution / core: 5-7 years. Data center fabric: 5-7 years. SD-WAN edge: 3-5 years (subscription model dominates). Drivers for early refresh: PoE++ (90W) needed for new APs and devices, Wi-Fi 6E/7 APs needing 2.5/5/10 GbE access ports, EOL/EOS on existing platforms (Cisco IOS-XE deprecation, Aruba ArubaOS legacy retirement), security advisories that won't be patched on EOL platforms, and AI/GPU build-outs needing 100/400 GbE in the DC.
If you're refreshing in 2026/2027, yes, Wi-Fi 7 is the right target. The benefit isn't always raw speed (most clients don't yet support the highest 6 GHz channel widths), it's improved performance under congestion (MLO, multi-link operation), better latency for real-time apps, and future-proofing the AP refresh cycle. Pair Wi-Fi 7 APs with 2.5 / 5 / 10 GbE access switching as needed, single-gig access ports become the bottleneck for high-end APs. We cover Wi-Fi 7 deployment in detail on the [Wireless Solutions](/infrastructure/wireless-solutions) page.
Pure MPLS-only WAN is declining sharply. Hybrid SD-WAN (MPLS + broadband + 4G/5G with intelligent path selection) typically delivers 40-60% cost savings vs MPLS-only, with materially better SaaS / cloud performance. Keep MPLS for voice / real-time applications where SLA matters and as a transport in a hybrid SD-WAN design, but eliminate MPLS-only architectures at refresh. Aruba EdgeConnect, Cisco SD-WAN and Fortinet Secure SD-WAN all run hybrid transports natively.
Vendor-neutral assessment of HPE Aruba, Cisco, Juniper Mist, Arista, Fortinet, Sophos. Honest Aruba EdgeConnect vs Cisco SD-WAN vs Fortinet vs Sophos guidance. F5, Kemp, Citrix for ADC. ClearPass, ISE, Forescout for NAC. UAE-resident engineering, 24/7 support, no quota pressure.
