Comprehensive principles and practical patterns for designing reliable, scalable, and secure networks across enterprise, data center, and wide area environments. Covers topology choices such as spine and leaf, hub and spoke, star, mesh, ring, and hybrid topologies, and how those choices affect resilience, latency, and scalability. Includes hierarchical design patterns for access distribution and core layers, device roles such as switches, routers, and load balancers, and cloud and data center specific patterns. Details redundancy and high availability strategies including active active and active passive failover, redundancy sizing such as N plus one, failure modes, convergence behavior, and operational implications for service level agreements. Addresses capacity planning, performance trade offs, quality of service and traffic engineering, routing and switching fundamentals and routing protocol behavior, segmentation for performance and security including virtual local area networks and subnets, and placement of security controls. Emphasizes trade offs between bandwidth, latency, cost, complexity, manageability, and operational burden, and how to select topology and design patterns for different application, performance, and operational requirements.
HardSystem Design
71 practiced
Design a global anycast-based DNS and service delivery architecture to provide low-latency read-only API endpoints from 12 regional PoPs. Describe how you would implement health checks, DDoS mitigation, BGP anycast routing, and regional failover without causing split-brain or client-side caching issues.
Sample Answer
**High-level approach**Run identical read-only API frontends in 12 PoPs and announce the same anycast IP from each PoP via BGP. Use local load-balancers + health agents to keep only healthy nodes announcing/serving. Combine anycast for data-plane with short-TTL authoritative DNS and a control-plane orchestration to avoid split-brain.**Architecture components**- Anycast fabric: each PoP announces /32 (or /24 depending on provider) for the API anycast IP via peered routers (iBGP w/ route-reflectors or eBGP to multiple upstreams). Use consistent MED/LOCAL_PREF and communities for traffic engineering.- Local infra: L3 edge routers → DDoS mitigation layer (hypervisor/NAT + scrubbing or cloud scrubbing) → LB (HAProxy/Envoy) → stateless app nodes.- Control plane: central controller (k8s/operator or orchestration) receiving health telemetry and pushing BGP withdraws/announcements via router APIs (Netconf/EVPN/GoBGP).**Health checks & failure detection**- Local probes: active L7 (HTTP(S) /health) and L4 (TCP SYN) checks from the PoP LB to every backend. If backend fails, LB stops advertising to local anycast pool.- Router-level failure detection: BFD between PoP routers and upstreams for sub-second detection of link/router failure.- Controller-level sanity: aggregate heartbeat to avoid flapping; require N-of-M failures and sustained failure window (e.g., 3 failed probes in 20s) before withdrawing routes to prevent split-brain.**BGP anycast routing details**- Announce same prefix from each PoP; use prepending/communities to steer preferred regions.- Use RPKI + prefix filters at peers; implement consistent IGP metrics and avoid asymmetric next-hops.- For maintenance or graceful failover, controller updates LOCAL_PREF or withdraws the prefix from a PoP rather than killing app processes.**Regional failover without split-brain**- Failure -> local LB stops serving and controller withdraws the BGP announcement for that PoP. Upstreams converge to next-best PoP.- To avoid split-brain (two PoPs believing they are primary for regional-only stateful features), keep frontends stateless (read-only) and store ownership information in a strongly-consistent control plane (e.g., etcd). No local-only authoritative decisions for critical routing.**DDoS mitigation**- Multi-layer defense: On-path rate limiting, SYN cookies, connection limits at LB; route-based mitigation: RTBH + BGP FlowSpec to drop malicious flows quickly; integration with cloud scrubbing providers (AWS Shield/Akamai/Cloudflare) via traffic steering (BGP communities or GRE tunnels) for large events.- Telemetry-driven escalation: automatic FlowSpec rules installed by controller when traffic anomalies detected; black/gray lists synchronized across PoPs.- Ensure scrubbing preserves source IP (via GRE/GRE-GSO) to keep real client IP for geo-steering.**DNS & client caching considerations**- Authoritative DNS: anycasted or geo-aware authoritative with low TTL (30–60s) for API name to let clients switch quickly. Set negative TTLs conservatively.- Avoid client caching problems: set short TTL + serve EDNS-Client-Subnet only when necessary; document recommended HTTP retries and DNS caching behavior.- For long-lived clients, support active in-application retry/backoff and HTTP 3xx/5xx that hint to retry against the same anycast IP.**Operational checks & metrics**- Monitor BGP announcement visibility (bgp.he.net / RIPE RIS), per-PoP telemetry (latency, connection rates, SYN/pps), FlowSpec hit rates, and health-check consistency.- Run chaos tests: simulate PoP failures and DDoS to verify route withdraw, failover time, and no split-brain.**Trade-offs**- Lower DNS TTL increases DNS load; mitigate with caches/CDNs.- Anycast hides topology — debugging harder; invest in global telemetry and distributed tracing.This design gives sub-100ms regional routing via anycast, fast failover using BFD and BGP withdraws, layered DDoS protection (local + network-level scrubbing + FlowSpec), and short DNS TTLs to reduce client-side caching issues while using conservative health/hysteresis to avoid split-brain.
EasyTechnical
34 practiced
You need to design VLAN and subnet segmentation for a mid-size company with three services: user workstations, critical database servers, and guest Wi-Fi. Describe a practical VLAN/subnet plan including gateway placement, inter-VLAN routing considerations, and how to enforce isolation. Include brief notes on broadcast domain sizing and native VLAN usage.
Sample Answer
**Plan overview**- VLAN 10: Users — 192.168.10.0/24 (hosts ~200)- VLAN 20: DB servers — 192.168.20.0/26 (hosts ≤60)- VLAN 30: Guest Wi‑Fi — 192.168.30.0/24 (captive portal)**Gateway & routing**- Use L3 switch SVIs as default gateways (SVI .1 for each VLAN). Inter‑VLAN routing on L3 switch; place firewall/router between L3 core and internet for edge control.**Isolation & enforcement**- Apply ACLs on SVIs to deny guest→internal and users→DB except specific app ports. DB VLAN only allows management from admin IPs; use host-based firewall and microsegmentation.- Put guest SSID on separate AP VLAN, rate‑limit and NAT at firewall.**Broadcast sizing & native VLAN**- Size subnets to keep broadcast domains under ~250 hosts; use /24 for users, /26 for DB if small.- Avoid using native VLAN for user traffic; set native VLAN to an unused ID and enforce trunk native tagging (no implicit native) to prevent VLAN hopping.
HardTechnical
36 practiced
In an EVPN-VXLAN overlay, asymmetric routing can cause packets to be forwarded out a different leaf than they entered, creating potential issues for stateful services and security appliances. Explain root causes of asymmetric traffic in this context and propose architectural and configuration mitigations to avoid service disruption and to preserve traffic symmetry where needed.
Sample Answer
**Summary / scope**As a network engineer I’d explain why asymmetric routing happens in EVPN–VXLAN overlays, and give architectural + configuration mitigations to keep flows symmetric for stateful services and inline security.**Root causes**- ECMP/hash divergence between ingress and egress VTEPs (different path chosen per direction due to 5-tuple variance).- MAC/IP mobility: EVPN MAC advertisement changes (active-active multi-homing) send return traffic to a different leaf.- Distributed forwarding: VXLAN encapsulation decouples underlay L3 path from overlay L2/3, causing different egress leaf selection.- Service insertion design: decentralized placement of firewalls/load-balancers across leaves without flow affinity.**Architectural mitigations**- Centralized or pinned service-chain: concentrate stateful functions on a consistent service VTEP or service cluster reachable via symmetric routing (e.g., service nodes as default-gateway).- Service VTEP pair with NAT or reverse-path pinning so both directions traverse same service chain.- Use hairpin/forwarding proxies (L2/L3 hairpin) on leafs to steer return traffic back through the same service node.- Design EVPN active-standby for hosts needing strict symmetry (avoid active-active MAC mobility for those segments).**Configuration mitigations**- Consistent hashing: ensure underlay ECMP uses full 5-tuple hashing and same hash algorithm on all devices.- Flow-affinity on devices: enable flow pinning/connection tracking on leafs and underlay routers (if supported).- BGP EVPN tuning: control MAC mobility timers; use Ethernet Segment (ES) attributes to avoid unexpected re-anchoring.- Configure ingress replication or use multicast for known symmetric paths when ECMP causes variance.- Use service chaining features (e.g., NSX/ACI L4-L7 service insertion) to enforce symmetric steering and stateful session persistence.- SNAT/DNAT where appropriate to make return flow hashing symmetric (e.g., consistent source IP seen by underlay).**Operational checks**- Validate with traffic captures: ensure same VTEP src/dst for both directions.- Monitor MAC mobility and ECMP path counts; test failover scenarios.- Document which tenants/applications require enforced symmetry and apply mitigations selectively.These steps reduce asymmetric forwarding while balancing scalability; choose centralized service nodes for strict stateful requirements and use consistent hashing + service chaining for broader deployments.
EasyTechnical
69 practiced
Explain the roles of Spanning Tree Protocol (STP) and Link Aggregation Control Protocol (LACP). Why would you choose LACP or MLAG over STP in modern data center topologies, and what are the operational implications of doing so?
Sample Answer
**Brief roles**- **STP (Spanning Tree Protocol):** Prevents switching loops by blocking redundant Layer 2 paths, creating a loop-free tree. Legacy mechanism for multi-path topologies.- **LACP (Link Aggregation Control Protocol):** Bundles multiple physical links into one logical port-channel for increased bandwidth and redundancy; operates between two devices.- **MLAG (Multi-chassis LAG):** Allows a device to form an aggregated link to two separate switches that act as a single logical LACP peer, enabling active-active forwarding.**Why choose LACP/MLAG over STP in modern DCs**- Active-active utilization of redundant paths (better bandwidth) vs STP’s blocked links.- Faster convergence and deterministic hashing for flow distribution.- Better predictable performance for east-west traffic in leaf-spine fabrics.**Operational implications**- Requires consistent LACP configuration (hashing, MTU, speed) and careful split-brain prevention for MLAG (peer-link, heartbeat).- Debugging shifts from STP state issues to LACP/port-channel health and MLAG consistency checks.- Firmware/feature compatibility and upgrade coordination become critical.- Monitoring must include LACP counters, channel status, and MLAG peer health to detect asymmetric failures.Example: In a leaf-spine, MLAG on leaves permits dual-homed servers with full bandwidth and no STP blocks, improving utilization and failover speed.
EasyTechnical
39 practiced
Describe the difference between traffic policing and traffic shaping in QoS, and explain how DSCP markings are used to steer traffic into different queues. Provide a simple queueing configuration example for three traffic classes: voice, video, and best-effort data.
Sample Answer
**Difference: policing vs shaping**- Policing: enforces a rate by dropping or remarking packets that exceed a configured bandwidth (hard limit). Suitable at ingress or when you must enforce contract limits. Causes bursts to be dropped -> increased jitter/loss.- Shaping: buffers and smooths bursts to conform to a rate by queuing excess packets and releasing them at configured rate. Reduces loss/jitter at expense of delay and buffer usage. Good for egress on edge devices.**DSCP -> queue steering**- DSCP (Differentiated Services Code Point) marks packet IP header with a class value (e.g., EF for voice = 46, AF41 for video).- ACL/class-map matches DSCP values, policy maps map classes to queues (priority queue, weighted queues) and apply policer/shaper.- Hardware scheduler maps queues to egress ports; higher priority queues serviced first (with configured policing/shaping).**Example (Cisco MQC style)**
cisco
class-map match-any VOICE
match dscp ef
class-map match-any VIDEO
match dscp af41
class-map match-any BE
match any
policy-map OUTBOUND
class VOICE
priority 2000 ! strict priority queue, 2 Mbps
class VIDEO
bandwidth 4000 ! assured bandwidth 4 Mbps
class BE
fair-queue ! leftover capacity
interface GigabitEthernet0/1
service-policy output OUTBOUND
- Voice uses PQ to minimize latency; video gets bandwidth guarantee; best-effort shares remaining capacity. Use policing at ingress to enforce SLA; shaping on egress to smooth bursts.
Unlock Full Question Bank
Get access to hundreds of Network Architecture and Design interview questions and detailed answers.