
Network Designer Interview Questions & Answers
Ques 1. What is Hierarchical Network Architecture?
A hierarchical network design divides the network into discrete layers. Each layer (also called a
tier) in the hierarchy provides specific functions that define its role within the overall network.
This helps the network designer and architect select and optimize the right network hardware,
software and features for the role of each layer.
In large environments, 3 major layers are used –
- Core Layer
- Distribution Layer
- Access Layer

The Core Layer is the top of the hierarchical network and provides fast transport between distribution
switches within the enterprise campus. It offers high-speed switching, reliability, fault tolerance and
quality of service (QoS) transport (queuing of already-marked traffic); ACLs and QoS classification
belong at the access/distribution layers so that the core can forward at wire speed.
The Distribution Layer sits between the Core and Access Layers, provides policy-based connectivity and
controls the boundary between them. It offers policy-based security and filtering with ACLs (Access
Control Lists), routing between LANs/VLANs, redundancy, load balancing and route summarization.
The Access Layer provides workgroup/user access to the network. It offers Layer 2 switching, port
security, QoS marking and trust boundaries, Dynamic ARP Inspection (DAI, which relies on the DHCP
snooping binding table), VLAN access control lists (VACLs), spanning tree, PoE and auxiliary (voice)
VLANs for VoIP.
Where the customer is a smaller business with fewer endpoints, a 2-tier hierarchical design (also
called Collapsed Core) is provisioned, in which the distribution and core layer functions are
performed by a single device. This reduces network cost while maintaining most of the benefits of the
three-tier hierarchical model.

Ques 2. What is a VRF?


Virtual Routing and Forwarding (VRF) is a technology that allows multiple instances of a routing table
to co-exist on the same router at the same time. Because the routing instances are independent,
overlapping IP addresses can be used without conflicting with each other, and the instances can be
made to take different paths (i.e. different outgoing interfaces). VRFs are to Layer 3 what VLANs are
to Layer 2: the same idea of network isolation/virtualization, one routing table per VRF. A VRF
isolates forwarding but enforces no policy; traffic crosses between VRFs only where a route is leaked
(route targets, static routes between VRFs) or where a firewall bridges them, so any leaking must be
reviewed as part of the security design.

Ques 3. Name two technologies by which you would connect two offices in remote locations.
Two commonly used technologies to connect two offices in remote locations are -
- Point-to-point (PTP) leased line
- Site-to-site VPN (typically IPsec over the Internet)

Additionally, MPLS is a popular WAN technology (a provider-managed L3 VPN) used to connect offices
across remote locations. Note that neither a leased line nor MPLS encrypts traffic; the provider can see
it, so IPsec is still needed where confidentiality is required.

Ques 4. How would you provide user-based authentication on a wireless network?
IEEE 802.1X (WPA2/WPA3-Enterprise) with a RADIUS server as the authentication backend: the access
point/controller relays each user's EAP exchange to RADIUS, which checks the credentials (often against
Active Directory) and returns a per-user accept/reject, optionally with a VLAN or ACL assignment.

Ques 5. What technology would you use to segregate departments?


VLANs are used to segregate different departments within an office, such as Marketing, Sales and HR.
A VLAN only separates broadcast domains; inter-VLAN traffic is still routed by the Layer 3 switch or
firewall, so ACLs or firewall rules between the VLANs are what actually restrict one department from
reaching another department's resources.

Ques 6. How many users are available on the network 192.168.32.0/28


The subnet 192.168.32.0/28 has the mask 255.255.255.240, i.e. 2^(32-28) = 16 addresses, of which the
first (network, 192.168.32.0) and the last (broadcast, 192.168.32.15) cannot be assigned, leaving 14
usable host addresses (192.168.32.1 to 192.168.32.14). One of these is reserved for the default gateway
(a router interface or the SVI for this subnet on a Layer 3 switch), so 13 usable IPs remain for endpoints.

Note – Some may argue that all 14 IPs can be used for endpoints. In that case the subnet has no default
gateway (which must be an address in the same subnet), so the hosts cannot communicate with the
outside world.

Ques 7. What device would you use for sharing a cable modem Internet connection with LAN
users?
The preferred way of sharing a cable-modem Internet connection with LAN users is a wireless router
with NAT enabled –
- Connect the cable modem to the WAN port of the wireless router
- The wireless router also has LAN ports, so wired and wireless endpoints connect to it and share the
single public address through NAT (PAT) simultaneously.
Before exposing it to the Internet, change the default administrator password and keep WAN-side
(remote) management disabled.
Ques 8. Name one scenario where a NAT device would be preferred over a forward proxy server.
One scenario is publishing Web-facing portals (in the DMZ zone) to the Internet. A forward proxy only
handles outbound requests from internal clients, so it cannot do this; a static (one-to-one) NAT on the
edge device maps a public address to the server's private DMZ address and so hides the private
addressing of the DMZ. NAT on its own is not a security control: the firewall policy (or an ACL) in
front of the translation must still restrict what can reach the published address. (The inbound
alternative to NAT is a reverse proxy, which terminates the client connection itself.)
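As an added illustration (not part of the original answer), the following Cisco IOS configuration publishes a DMZ web server with static NAT while using PAT for outbound users, and pairs the NAT with an inbound ACL so that only the published port is exposed. All addresses (203.0.113.0/24 documentation range, 192.168.50.10 for the server, 192.168.10.0/24 for users) and interface names are assumptions made for the example.

```cisco
! Added example, not from the original page. Assumed addressing:
! Gi0/0 Internet 203.0.113.1/24, DMZ server 192.168.50.10 published as
! 203.0.113.10, user LAN 192.168.10.0/24.
interface GigabitEthernet0/0
 description Internet
 ip address 203.0.113.1 255.255.255.0
 ip nat outside
 ip access-group INBOUND-FROM-INTERNET in
!
interface GigabitEthernet0/1
 description DMZ
 ip address 192.168.50.1 255.255.255.0
 ip nat inside
!
interface GigabitEthernet0/2
 description User LAN
 ip address 192.168.10.1 255.255.255.0
 ip nat inside
!
! Static (one-to-one) NAT limited to TCP 443: only that port is translated,
! so the server's other services are not reachable from the Internet at all.
ip nat inside source static tcp 192.168.50.10 443 203.0.113.10 443
!
! Dynamic PAT for outbound user browsing (the forward-proxy/NAT question is
! about outbound; inbound publishing needs static NAT or a reverse proxy).
ip access-list standard LAN-NAT
 permit 192.168.10.0 0.0.0.255
ip nat inside source list LAN-NAT interface GigabitEthernet0/0 overload
!
! NAT hides addresses but is not a security control. The inbound ACL on the
! outside interface is evaluated on the pre-translation (public) address and
! is what limits exposure to the published port.
ip access-list extended INBOUND-FROM-INTERNET
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any any established
 deny   ip any any log
```

The `established` entry only lets TCP replies to outbound PAT sessions back in and is a crude substitute for stateful inspection; on a router a Zone-Based Firewall (Ques 33) or a dedicated firewall in front of the DMZ is the proper control.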

Ques 9. A Wireless Solution with Wireless controller and Wireless Access points is being
setup in corporate office. The customer does not intend to invest on having a dedicated
Radius Server for Wireless Users access. What all alternative solution can be suggested to
save on additional infrastructure cost?
The designer can propose integrating the wireless controller directly with Active Directory over LDAP:
the controller binds to AD to verify each user's credentials, so no separate RADIUS server is needed
(AD does not become a RADIUS server; the controller simply talks LDAP instead of RADIUS). Two caveats
apply: use LDAPS/StartTLS so that credentials and the bind account password do not cross the network in
clear text, and note that LDAP bind authentication only works for EAP methods in which the controller
can check the password against LDAP (on Cisco WLCs with a local EAP/LDAP backend that is EAP-FAST or
PEAP with EAP-GTC, and EAP-TLS), not PEAP-MSCHAPv2, the common Windows default. If MSCHAPv2 clients are
required, Microsoft NPS (a Windows Server role with no extra license cost) is the low-cost RADIUS option.

Ques 10. A Network Designer is setting up Campus Architecture in ring topology. What is
maximum number of Layer 2 Switches recommended to be used to form ring architecture?
A maximum of 7 switches in a Layer 2 ring. The IEEE 802.1D default spanning-tree timers (hello 2 s,
max-age 20 s, forward delay 15 s) are calculated for a network diameter of 7, so a larger ring risks
slow or incorrect convergence unless the timers are re-tuned (spanning-tree diameter) or a purpose-built
ring protocol such as REP is used instead.

Ques 11. A customer wants to load share traffic across 2 ISP Links (on 2 separate Routers) for
browsing. What all options can be leveraged to meet this requirement?
Some possible solutions which may be recommended are –
- A link load balancer (LLB) in front of the two routers
- BGP-based load sharing (multi-homing to two ISPs generally needs provider-independent space and an ASN)
- MHSRP (two HSRP groups, each active on a different router) with PBR to steer part of the LAN to each VIP
Because each router NATs to its own ISP's address, a flow must stay on the link it started on so that the
return path matches; an LLB, PBR by source and BGP all respect this, per-packet round robin does not.

Ques 12. There is need to setup proxy server for secured Internet browsing of Corporate LAN
users. Where the Proxy server should be deployed?
In the DMZ zone. The firewall then allows only the proxy out to the Internet on 80/443 and allows the LAN
to reach only the proxy's listening port, so users cannot bypass the proxy and direct Internet access from
the LAN is denied.
Ques 13. What will be the longest prefix we can use on a WAN interface for a point-to-point link?
A /31 prefix (255.255.255.254) may be used on a WAN link between two routers (RFC 3021): a point-to-point
link needs no network or broadcast address, so both addresses are usable. Both ends must support RFC
3021; older platforms still need a /30.

Ques 14. A new branch office is being set up. Below is the key network and security infrastructure
which has been procured. Kindly arrange them in order of placement in the branch setup –

The placement of the various network and security assets is shown in the below diagram –
Ques 15. Roaming Corporate workers need to access Corporate LAN Services like File server
and Internal Portals. What solution should be proposed to meet this requirement?
A Remote Access VPN solution (IPsec or SSL/TLS based) will meet this requirement. It allows roaming
corporate users on the untrusted Internet to reach the corporate LAN services over an encrypted tunnel,
after authenticating as a user (ideally with MFA).

Ques 16. As network designer, you are given responsibility to resolve WAN Link choking so
that Business critical and rich media traffic may not face disruptions due to WAN congestion.
What will be the most viable and economical solution?
Provisioning QoS (preferably end to end, LAN and WAN) addresses the problem of non-critical traffic
hogging the bandwidth. The QoS policy should be configured based on the traffic requirements. For
example, applications like SAP and Office 365 are bandwidth-hungry and need a substantial share of the
overall bandwidth, whereas rich-media traffic like voice and video may not need as much bandwidth but is
very sensitive to delay and jitter, so it needs a priority (low-latency) queue across the WAN links.
Classification and marking should happen at the trust boundary (access layer) rather than trusting
markings set by end hosts; otherwise any host can mark its own traffic EF and starve the voice queue.
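As an added example (not from the original page), this Cisco IOS MQC policy implements the answer above on a WAN router: a strict-priority queue for voice, guaranteed bandwidth for video and business-critical traffic, and a parent shaper so that queuing engages at the carrier's rate. It assumes a 50 Mbps circuit on GigabitEthernet0/0 and that traffic was already marked with standard DSCP values (EF, AF41/42, AF31/32) at the LAN trust boundary; the percentages are illustrative.

```cisco
! Added example, not from the original page. Assumes a 50 Mbps WAN circuit on
! Gi0/0 and DSCP marking done at the access layer (trust boundary).
class-map match-any VOICE
 match dscp ef
class-map match-any VIDEO
 match dscp af41 af42
class-map match-any BUSINESS-CRITICAL
 match dscp af31 af32
!
! Child policy: queuing. Voice gets a low-latency queue policed at 10% so a
! flood of EF-marked packets cannot starve everything else.
policy-map WAN-OUT
 class VOICE
  priority percent 10
 class VIDEO
  bandwidth percent 20
 class BUSINESS-CRITICAL
  bandwidth percent 25
 class class-default
  fair-queue
!
! Parent policy: shape to the carrier rate (bps) so the child queues are
! active when the circuit, not the Gigabit interface, is the bottleneck.
policy-map WAN-SHAPE
 class class-default
  shape average 50000000
  service-policy WAN-OUT
!
interface GigabitEthernet0/0
 description 50 Mbps WAN
 service-policy output WAN-SHAPE
```

Verify with `show policy-map interface GigabitEthernet0/0`: the per-class packet and drop counters show whether the right traffic is landing in the right queue, and drops in VOICE mean either the policer is too small or untrusted hosts are marking EF.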

Ques 17. What is the difference between HLD and LLD?

The table below enumerates the differences between HLD and LLD. In brief: the High Level Design (HLD)
describes the overall architecture, topology, security zones, technology choices and traffic flows that
meet the business requirement; the Low Level Design (LLD) turns that into device-level detail such as the
IP addressing plan, VLAN/VRF assignments, routing and firewall policy, and per-device configuration from
which engineers implement.

Ques 18. What is the difference between Functional and Non-functional business requirements of
an IT setup?
The table below lists the differences between functional and non-functional requirements. In brief:
functional requirements state what the setup must do (e.g. users reach the application servers through
the firewall, branches connect over MPLS with VPN backup); non-functional requirements state how well it
must do so (availability targets, throughput and latency, scalability, security and compliance,
manageability).
Ques 19. What are major Security Zones in Corporate network?
Below are the key security zones in a corporate network –
- Internet/Outside Zone
- DMZ Zone
- Extranet Zone (partner connections)
- Production Zone (application/server farms)
- LAN Zone (users)
- WAN Zone (branch/MPLS links)
- Management Zone (out-of-band device management)
- T&D Zone (Test & Development)

Ques 20. What are the key considerations while selecting a Router for a WAN Link?
The following parameters should be considered while selecting a WAN router -
- WAN bandwidth supported (with encryption/NAT/QoS features enabled, not the bare forwarding figure)
- Number of LAN and WAN interfaces
- Media type of LAN and WAN interfaces
- Service or network module support (to support additional services like VM

Ques 21. What are the key considerations while selecting a Switch in a solution?
Below are the considerations while selecting a switch –
- Stack support or equivalent technology
- Bandwidth (throughput)
- Number of ports
- Layer 2/3 functionality
- Port media type support

Ques 22. In below diagram, the LAN traffic from Behind Firewall needs to reach out towards
Internet. The Links should be configured as Active Standby. What would be recommended
configuration on Cisco Routers to support Active Standby outgoing traffic flow via the 2
links?
HSRP should be used to provide the active-backup flow for outgoing traffic. The LAN-side interfaces of
R1 and R2 facing the firewall are configured in one HSRP group with the VIP 192.168.12.3, and the
firewall uses that VIP as its next hop. In this scenario -
- R1 will be the HSRP active router (priority 105)
- R2 will be the HSRP standby router (priority 100, the default)
Tracking the WAN interface (Gi0/1) decrements the priority by 10 (the default) when that link goes down,
so R1 drops to 95 and R2 (100) preempts; preempt on R1 lets it take the VIP back once its WAN link
returns. HSRP authentication is not part of the original requirement but is recommended: an
unauthenticated group lets any host on the LAN segment claim the VIP with a higher priority (HSRP
spoofing), so the lines below add it with a placeholder key string.
R1 Configuration -
interface GigabitEthernet0/0
 description LAN side towards Firewall
 ip address 192.168.12.1 255.255.255.0
 standby 1 ip 192.168.12.3
 standby 1 priority 105
 standby 1 preempt
 standby 1 authentication md5 key-string <shared-key>
 standby 1 track GigabitEthernet0/1 10
end

R2 Configuration -
interface GigabitEthernet0/0
 description LAN side towards Firewall
 ip address 192.168.12.2 255.255.255.0
 standby 1 ip 192.168.12.3
 standby 1 priority 100
 standby 1 preempt
 standby 1 authentication md5 key-string <shared-key>
 standby 1 track GigabitEthernet0/1 10
end

Ques 23. After the solution for above is implemented, there is a new requirement where a
new DMZ VLAN has been also been provisioned and now customer wants to have Active-
Active traffic flow over both the links with minimal configuration changes. How will this be
achieved?

Active-active traffic flow is achieved with MHSRP (multiple HSRP groups on the same interfaces) combined
with PBR (Policy-Based Routing) on the firewall. A second VIP is added: R1 is active for VIP1 and standby
for VIP2, R2 is active for VIP2 and standby for VIP1. The firewall keeps VIP1 as its default route for all
traffic, while a PBR policy matches DMZ-sourced traffic and sets its next hop to VIP2. If either router
fails, the surviving router becomes active for both groups, so both paths remain protected.
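As an added example (not from the original page), the following shows the MHSRP side on both routers and the PBR policy. It reuses the addressing from Ques 22 (R1 192.168.12.1, R2 192.168.12.2, VIP1 192.168.12.3) and assumes VIP2 = 192.168.12.4 and a DMZ subnet of 192.168.50.0/24. The page places the PBR on the firewall, whose syntax depends on the vendor; it is written here in Cisco IOS form as a reference, and the interface names are assumptions.

```cisco
! Added example, not from the original page. VIP2 192.168.12.4 and the DMZ
! subnet 192.168.50.0/24 are assumed.
!
! R1: active for group 1 (VIP1), standby for group 2 (VIP2)
interface GigabitEthernet0/0
 ip address 192.168.12.1 255.255.255.0
 standby 1 ip 192.168.12.3
 standby 1 priority 105
 standby 1 preempt
 standby 1 track GigabitEthernet0/1 10
 standby 2 ip 192.168.12.4
 standby 2 priority 100
 standby 2 preempt
!
! R2: active for group 2 (VIP2), standby for group 1 (VIP1)
interface GigabitEthernet0/0
 ip address 192.168.12.2 255.255.255.0
 standby 1 ip 192.168.12.3
 standby 1 priority 100
 standby 1 preempt
 standby 2 ip 192.168.12.4
 standby 2 priority 105
 standby 2 preempt
 standby 2 track GigabitEthernet0/1 10
!
! Firewall side (IOS syntax as reference; real firewall syntax differs):
! default route to VIP1, DMZ-sourced traffic policy-routed to VIP2.
ip route 0.0.0.0 0.0.0.0 192.168.12.3
!
ip access-list extended DMZ-SOURCED
 permit ip 192.168.50.0 0.0.0.255 any
!
route-map TO-VIP2 permit 10
 match ip address DMZ-SOURCED
 set ip next-hop 192.168.12.4
!
interface GigabitEthernet0/3
 description DMZ-facing interface where DMZ traffic enters the firewall
 ip policy route-map TO-VIP2
```

Steering by source subnet (rather than per packet) keeps each flow on one router, which matters because each router NATs to its own ISP address and replies must come back the same way. `show standby brief` on both routers should show each one Active for exactly one group.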
Ques 24. As a network designer, I have been asked to install a Riverbed SteelHead in-path at a
branch location. Which of the below is the recommended approach for Riverbed (RB) placement with the
router and WAN link?

Option B is the correct approach to follow while placing the Riverbed in the network.

Ques 25. In a Corporate Head Office Network Setup, User LAN traffic is supposed to traverse
through Firewall before talking to Application Servers. However, on verifying the traffic Flow
(User LAN to App Server) flow via Firewall, no traffic is seen. What could be the reason for
no traffic log in Firewall? What change needs to be performed to achieve the required traffic
flow?
The default gateway for both the User LAN subnet and the APP Server subnet is the Layer 3 switch. When a
user sends traffic to an application in the APP Server VLAN, the L3 switch routes it directly between the
VLANs (inter-VLAN routing) instead of sending it to the firewall. This is why the firewall sees no logs of
the user-to-application communication.

To achieve the desired result, where User LAN traffic traverses the firewall to reach servers in the APP
VLAN, the default gateway for the users (in the User VLAN) and the APP servers (in the APP VLAN) should
be changed from the Layer 3 switch to the firewall; the SVIs on the switch for those VLANs are then
removed (or left without IP addresses) so that no bypass path remains.

Ques 26. In previous scenario, Changing of Default Gateway on User LAN and APP Server LAN
is not possible. What could be the workaround (configuration is only possible at Network
devices and not end points) with minimal changes in devices?

Where the endpoints' default gateway cannot be changed, the alternative is VRF-lite on the Layer 3
switch (this may require a license level that includes VRF routing). Two VRFs are created on the L3 switch
only, namely -
- USER
- APP

The traffic flow will be as follows –

A LAN user sends traffic for an APP server; it lands on the user's existing default gateway 192.168.10.1,
which is now the SVI in VRF "USER". VRF "USER" holds a static route for 192.168.20.0/24 pointing at the
firewall's interface 192.168.10.254, so the only path to the APP subnet is through the firewall. The
firewall applies its policy and forwards the traffic to 192.168.20.1 (the SVI in VRF "APP"), which delivers
it to the APP servers. The reverse flow is symmetric: VRF "APP" routes 192.168.10.0/24 towards the
firewall's interface in the APP VLAN.
Hence, routing via the firewall is achieved with VRFs (Virtual Routing and Forwarding) on the Layer 3
switch without changing the default gateway settings on the endpoints. The isolation holds only as long
as no route is leaked between the two VRFs and no global-table route offers a path around the firewall,
so both should be verified after the change.
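As an added example (not from the original page), this is the VRF-lite configuration on the Layer 3 switch for the flow described above. It uses the addresses given in the answer (user gateway 192.168.10.1, firewall 192.168.10.254 on the user side, app gateway 192.168.20.1); the firewall's address in the APP VLAN (192.168.20.254), the VLAN numbers 10 and 20, and the trunk interface are assumptions.

```cisco
! Added example, not from the original page. 192.168.20.254 (firewall's
! APP-side address), VLANs 10/20 and Gi1/0/48 are assumed.
vrf definition USER
 address-family ipv4
 exit-address-family
!
vrf definition APP
 address-family ipv4
 exit-address-family
!
! User VLAN SVI moves into VRF USER. Note: applying "vrf forwarding" clears
! the existing IP address, so it must be re-entered afterwards.
interface Vlan10
 description USER VLAN
 vrf forwarding USER
 ip address 192.168.10.1 255.255.255.0
!
! App VLAN SVI moves into VRF APP; servers keep 192.168.20.1 as gateway
interface Vlan20
 description APP VLAN
 vrf forwarding APP
 ip address 192.168.20.1 255.255.255.0
!
! Trunk carrying both VLANs to the firewall, which has one interface in each
interface GigabitEthernet1/0/48
 description Trunk to Firewall
 switchport mode trunk
 switchport trunk allowed vlan 10,20
!
! The only route out of each VRF points at the firewall; there is no route
! leaking between USER and APP, so the switch cannot bypass the firewall.
ip route vrf USER 192.168.20.0 255.255.255.0 192.168.10.254
ip route vrf APP  192.168.10.0 255.255.255.0 192.168.20.254
```

On older Catalyst IOS the equivalent commands are `ip vrf USER` and `ip vrf forwarding USER`. Check the result with `show ip route vrf USER` and `show ip route vrf APP`: each table should contain only its connected subnet and the single static route towards the firewall, and `traceroute vrf USER 192.168.20.10` from the switch should show 192.168.10.254 as the first hop.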

Ques 27. In below Setup, Router is connected through single link to Layer 3 Switch (switch
ports on Layer2 - Switchport) with subnet 192.168.1.0/30. In order to provide link
redundancy , another link is connected between switch and router , However 2 challenges
are there –
 Another IP subnet for new link is not available
 Router ports don’t support layer 2 configuration (Switchport command not
supported)
What needs to be done to meet link redundancy requirement?
In such a scenario, we may leverage a BVI (Bridged Virtual Interface) on the router using Integrated
Routing and Bridging (IRB). The two physical router interfaces are placed in one bridge group and the IP
address is configured on the BVI, so both links sit in the same broadcast domain (VLAN 10 on the switch)
and share the single /30.

Router configuration -
bridge irb
bridge 1 protocol ieee
bridge 1 route ip
!
interface GigabitEthernet0/0/1
 no ip address
 bridge-group 1
!
interface GigabitEthernet0/0/2
 no ip address
 bridge-group 1
!
interface BVI1
 ip address 192.168.1.1 255.255.255.252

Layer 3 Switch configuration -
!
interface GigabitEthernet0/0/1
 switchport
 switchport mode access
 switchport access vlan 10
!
interface GigabitEthernet0/0/2
 switchport
 switchport mode access
 switchport access vlan 10
!
interface Vlan10
 ip address 192.168.1.2 255.255.255.252

Note – Because both links are in one bridged domain, spanning tree (bridge 1 protocol ieee on the
router, STP on the switch) blocks one of them: this gives link redundancy with automatic failover, not
load sharing. IRB/BVI is a classic IOS feature; IOS-XE routers (ISR 4000 and later) implement the same
idea with bridge-domain and BDI interfaces.

Note – Another option is to subnet 192.168.1.0/30 into 192.168.1.0/31 and 192.168.1.2/31 (RFC 3021) and
use one /31 per link, keeping both links routed at Layer 3 with equal-cost paths between router and switch.

Ques 28. A new Business partnership has been agreed between 2 organization A and B
respectively. Business Partner A needs to access some services/ applications of Organization
B via a point to point Link. Where should the links to be terminated considering secured flow
of traffic across both?
The WAN links will be terminated in the Extranet zone of each company's firewall (a dedicated zone or
interface), so that partner traffic is subject to firewall policy and can only reach the specific published
services, never the internal LAN directly. Below is the diagram depicting the termination zone of the PTP
link between both companies –

Ques 29. While sizing a switch for LAN user termination, what should be oversubscription
ratio?
20:1 (the common rule of thumb for user access ports to distribution uplinks; distribution-to-core links
are usually sized at about 4:1).

Ques 30. While sizing a switch for Server termination, what should be oversubscription ratio?
In a Gigabit Ethernet environment, the oversubscription ratio (server ports on the access switch : uplink
to the aggregation layer) is preferred to be 2.5:1 and may go up to 8:1.

Ques 31. What components would be required to setup IPSEC VPN connection between two
offices?
Requirements for an IPsec VPN between two sites –
- Recommended to have at least 512 Kbps of Internet bandwidth at each site.
- A VPN-capable device (router or firewall) at both sites forming the IPsec tunnel.
- At least one public static IP address at the main site, reachable from the Internet for IKE/IPsec (UDP
500, UDP 4500 for NAT traversal, and ESP); the branch can use a dynamic address as long as it initiates.
- A strong pre-shared key (or certificates) and matching IKE/IPsec proposals on both sides.
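As an added example (not from the original page), the following is the main-site side of a route-based IPsec site-to-site VPN on Cisco IOS using IKEv2 and a Virtual Tunnel Interface; the branch mirrors it with the addresses swapped. The public addresses (203.0.113.1 main site, 198.51.100.2 branch, both documentation ranges), the tunnel subnet 10.255.255.0/30, the branch LAN 192.168.20.0/24 and the pre-shared-key placeholder are assumptions.

```cisco
! Added example, not from the original page. Main site: public 203.0.113.1
! on Gi0/0; branch public 198.51.100.2; branch LAN 192.168.20.0/24 (assumed).
crypto ikev2 proposal PROP-AES256
 encryption aes-cbc-256
 integrity sha256
 group 19
!
crypto ikev2 policy POL-SITE
 proposal PROP-AES256
!
crypto ikev2 keyring KR-BRANCH
 peer BRANCH
  address 198.51.100.2
  pre-shared-key <long-random-psk>
!
! Only a peer presenting this address with the right PSK is accepted
crypto ikev2 profile PROF-BRANCH
 match identity remote address 198.51.100.2 255.255.255.255
 identity local address 203.0.113.1
 authentication remote pre-share
 authentication local pre-share
 keyring local KR-BRANCH
!
crypto ipsec transform-set TS-AES256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
crypto ipsec profile IPSEC-BRANCH
 set transform-set TS-AES256
 set ikev2-profile PROF-BRANCH
!
! Route-based VPN: whatever is routed into Tunnel0 is encrypted
interface Tunnel0
 description IPsec VTI to Branch
 ip address 10.255.255.1 255.255.255.252
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel mode ipsec ipv4
 tunnel protection ipsec profile IPSEC-BRANCH
!
ip route 192.168.20.0 255.255.255.0 Tunnel0
```

Any ACL on the outside interface must permit UDP 500, UDP 4500 and ESP from the peer. `show crypto ikev2 sa` and `show crypto ipsec sa` confirm that the IKE SA is up and that encrypted/decrypted packet counters on the tunnel increase when the branch LAN is pinged.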
Ques 32. A new branch office with 50 Mbps MPLS Bandwidth is being setup. What should be
the Router model we should choose?
Considering that the router will have at minimum 1 WAN port and 1 LAN port (both Ethernet) and no
additional service requirement, a Cisco ISR 4321 or 4331 may be considered. The sizing also assumes that
the link bandwidth will not increase beyond 50 Mbps in the next 10 years; if IPsec or ZBFW will run on the
box, size against the datasheet throughput with those features enabled.

Ques 33. A new branch office has terminated a new Internet Link but there is no firewall in
the setup to protect the network. What should the best possible solution to provide network
Security?
The Cisco IOS Zone-Based Policy Firewall (ZBFW) can be enabled on the branch router itself. It is a
stateful firewall: interfaces are assigned to security zones and traffic is permitted only between zone
pairs that have an inspect policy, so a small site without a dedicated firewall appliance still gets
default-deny protection on its Internet link.
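As an added example (not from the original page), this is a minimal ZBFW configuration for the branch router: user LAN traffic may start HTTP, HTTPS, DNS and ICMP towards the Internet and the replies are allowed back by inspection, while everything else between the zones is dropped. The interface assignment (Gi0/0 Internet, Gi0/1 user LAN) is assumed.

```cisco
! Added example, not from the original page. Assumed: Gi0/0 Internet,
! Gi0/1 user LAN.
zone security INSIDE
zone security OUTSIDE
!
interface GigabitEthernet0/0
 description Internet
 zone-member security OUTSIDE
!
interface GigabitEthernet0/1
 description User LAN
 zone-member security INSIDE
!
! What inside users may initiate towards the Internet
class-map type inspect match-any INSIDE-TO-OUTSIDE
 match protocol http
 match protocol https
 match protocol dns
 match protocol icmp
!
! Inspect = allow and track state, so only the replies come back in;
! anything not matched is dropped and logged.
policy-map type inspect PM-INSIDE-OUTSIDE
 class type inspect INSIDE-TO-OUTSIDE
  inspect
 class class-default
  drop log
!
zone-pair security IN-OUT source INSIDE destination OUTSIDE
 service-policy type inspect PM-INSIDE-OUTSIDE
!
! No zone-pair is defined from OUTSIDE to INSIDE, so unsolicited inbound
! traffic between the zones is dropped by default.
```

Two checks a practitioner would do next: traffic to and from the router itself (the built-in `self` zone, e.g. SSH management) is allowed by default until a self zone-pair or an interface ACL restricts it, and `show policy-map type inspect zone-pair IN-OUT` should show sessions being created for browsing and drops in class-default for everything else.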

Ques 34. Customer office has an Internet Connection and wants to use web Hosting traffic
and Cloud proxy. How will the same be implemented?
A default route pointing towards the Internet router will be implemented for Web hosting (inbound
traffic to the published servers) to work. For the cloud-based proxy, a GRE or IPsec tunnel from the
firewall towards the cloud proxy will be implemented, and user browsing traffic is routed into that
tunnel. This setup allows both Web hosting and Web browsing traffic to work.

Ques 35. A Customer has 2 Internet Links from different providers and using Public IP of 1st
Provider to Host the website. On a day, the 1st Provider Link goes down and customer is not
able to access the Web server from Internet. What could be the reason?
The customer is using Provider Aggregatable (PA) address space: the public block belongs to the first
provider's aggregate and the second provider will not (and under RIR policy cannot) announce it, so when
the first ISP's link is down the website's address is unreachable from the Internet. The customer needs
to procure a Provider Independent (PI) public address block (together with an AS number) and announce it
to both service providers over BGP; Web hosting then keeps working when either ISP link is down.

Note – There are other options if the customer does not want to buy a PI address block, for example
DNS-based failover to a second address taken from the second provider's block.

Ques 36. Service provider Mux is 150 meters away from WAN Router. What should be best
physical media connectivity to meet this requirement of 100 Mbps link?
Since the distance between the MUX and the router is 150 meters, a copper LAN cable is not feasible, as
twisted-pair Ethernet only supports up to 100 meters. Fibre (preferably multimode fibre for this distance)
can be used between the MUX and the router port; an SFP transceiver matching the fibre type needs to be
procured to terminate the fibre on the router.

Ques 37. Customer has procured a new 10 Mbps link which may increase upto 40 Mbps in
next 5 years? What are considerations with link sizing?
While procuring the link, it is preferable to order a circuit with a port (access) speed of at least
50 Mbps at the provider side, with the committed bandwidth set to 10 Mbps. This approach lets the provider
increase the bandwidth up to 50 Mbps in future with only a soft configuration change on the PE device. If
this is not done, the customer may have to order a new link when an upgrade beyond 10 Mbps is required,
which incurs additional cost and downtime.

Ques 38. Kindly share models of some of LAN switches which are generally positioned in
Branch Sites?
Cisco Catalyst 2960-X, 3560 etc.

Ques 39. New Servers with Dual LAN ports are being setup in a Data Center. These are very
critical servers since bulk of revenue generating applications are stationed in these servers.
What should be considerations while selecting the Access layer switch to support such a
setup?

Below are the key considerations while selecting access layer switches for critical servers –
- Stackable or equivalent technology
- Preferably dual power supplies (field replaceable)
- Wire speed/line rate throughput
- Port bundling/link aggregation across multiple chassis or stack members (multi-chassis LACP, so each
server's dual ports land on two different switches)
- Dedicated uplinks
- High MTBF (Mean Time Between Failures)
- Manageable
- SDN supported
In fact, a good approach may be to use
- Nexus 2K fabric extenders at the access layer
- Nexus 9K switches as leaf nodes (spine-leaf architecture)
- Catalyst 3850/9300 switches

Ques 40. A customer has Web facing applications in Data Center and has recently setup new
DR as backup for these applications. Customer is looking for a solution which should support
automatic failover of Application traffic to DR during event of Data Center Down. What
should be the best fit solution in such a scenario?
GSLB (Global Server Load Balancing), also referred to as GTM after F5's product, is the solution that
supports automatic failover of Web-facing portal traffic to the DR site when the data centre is down. It
works at the DNS level: health checks on the data centre VIP decide which site's address is returned, so
the record TTL must be short for failover to be quick, and the application state must already be
replicated to DR.

Ques 41. In Below existing setup, 3 VLANs are created on Layer3 Switch (no IP assigned to any
of 3 SVIs) and all are extended towards Firewall (via Trunk Link). As part of network fine
tuning, a proposal is floated to Network Designer to create 3 SVI for 3 VLANs on Layer 3
Switch. What should be the Network Designer response?

The designer's answer should be "No": creating SVIs for the 3 VLANs and giving them IP addresses would
let the VLANs communicate with each other directly via the L3 switch without going through the firewall.
A good network design always controls traffic between assets, especially where users communicate with
applications. Unless there is a documented exception, user-to-application traffic should always traverse
the firewall; this is standard practice in designs.

Ques 42. What is POC?


POC is the abbreviation for Proof of Concept. It is used to demonstrate a technical possibility which,
once validated by the POC, can be implemented as part of the solution. It is something that demonstrates
(i.e. proves, or at least attempts to prove) that a concept is feasible. Once the POC is cleared, the
product is generally given the go-ahead to be deployed in the customer's production environment.

Ques 43. With mushroom growth in application traffic, progression of virtualization and
increase in East-West Traffic which Network topologies and design solutions within Data
Centers should be provisioned?
A spine-and-leaf (Clos) fabric under an SDN controller, for example Cisco ACI: every leaf is one hop
from every other leaf via the spines, which suits east-west traffic far better than the classic three-tier
model, and policy (contracts) is applied centrally rather than per device.

Ques 44. What is reason for SDWAN based solutions being hot buy in today’s enterprises?
Below are the key reasons for SD-WAN being the preferred solution for enterprise customers -
- Cost reduction (lower OPEX and CAPEX)
- Increased application performance across the WAN links
- Improved security
- Automatic provisioning (ZTP, Zero Touch Provisioning)
- Centralized management

Ques 45. Which are leading SDWAN vendors in market?


Some of the leading SD-WAN vendors in the market are -
- VeloCloud
- Aryaka
- Cisco
- Citrix
- InfoVista
- Silver Peak
- Talari

Ques 46. What is a server farm?


A server farm (also called a server cluster) is a collection of servers under a single organization that
supplies server functionality beyond the capability of a single machine. The servers are located at the
same location and are often fronted by a load balancer. They run a number of services for the customer's
business requirements (such as DNS, Web, file and print, databases etc.).

Ques 47. What are the protection mechanisms to secure server farms?
To properly secure server farms, a more thorough approach must be followed in addition to deploying
network firewalls. Some of the products and features used to protect server farms are -
- Firewalls (segmenting the farm from users and between application tiers)
- LAN switch security features (port security, DHCP snooping, DAI, private VLANs)
- Host-based and network-based intrusion detection and prevention systems
- Load balancers (which also hide the real servers and can offload TLS)
Ques 48. In a hub-and-spoke topology, a few old routers in small branch offices are showing high
CPU utilization and memory usage due to the load of EIGRP routes learned from the hub sites. This has
led to slow application response and poor end-user experience. What could be done to address this
situation?
Route summarization at the hub and EIGRP stub configuration on the spokes are the two methods to
address this condition: the hub sends the spokes a summary (or just a default route) instead of every
prefix, and a stub spoke advertises only its own connected/summary routes and is never queried by the
hub, which also keeps the hub from being stuck-in-active when a slow spoke cannot answer.
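As an added example (not from the original page), this is the corresponding Cisco IOS configuration on a spoke and on the hub, plus EIGRP neighbor authentication so that a rogue device on the WAN cannot inject routes. EIGRP AS 100, the spoke LAN 10.20.0.0/16, a hub-side summary of 10.0.0.0/8, Tunnel0 as the WAN interface and the key string are all assumptions.

```cisco
! Added example, not from the original page. AS 100, 10.20.0.0/16 spoke LAN,
! 10.0.0.0/8 enterprise summary and Tunnel0 as WAN are assumed.
!
! --- Spoke (small branch router) ---
key chain EIGRP-KEYS
 key 1
  key-string <shared-secret>
!
interface Tunnel0
 description WAN towards Hub
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
!
router eigrp 100
 network 10.20.0.0 0.0.255.255
 ! Stub: advertise only connected and summary routes, never be queried
 eigrp stub connected summary
!
! --- Hub ---
key chain EIGRP-KEYS
 key 1
  key-string <shared-secret>
!
interface Tunnel0
 description WAN towards Spokes
 ip authentication mode eigrp 100 md5
 ip authentication key-chain eigrp 100 EIGRP-KEYS
 ! One summary towards the spokes instead of every enterprise prefix;
 ! a default route (0.0.0.0 0.0.0.0) can be used instead if spokes only
 ! ever send traffic via the hub.
 ip summary-address eigrp 100 10.0.0.0 255.0.0.0
```

After the change, `show ip eigrp neighbors detail` on the hub should list each spoke as "Stub Peer Advertising (CONNECTED SUMMARY) Routes", and `show ip route eigrp` on a spoke should contain the single summary rather than the full hub routing table.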

Ques 49. What is Collapsed Core Architecture and where should it be proposed?
Many small enterprise networks do not grow significantly over time. For them, a 2-tier hierarchical
design in which the core and distribution layers are collapsed into one layer is often the preferred
approach. A "Collapsed Core" is when the distribution layer and core layer functions are implemented by a
single device (or a redundant pair). The primary motivation for the collapsed core design is reducing
network cost while maintaining most of the benefits of the three-tier hierarchical model.

Ques 50. How to compute network availability for a network or security device?
The formula for computing availability of network device is -

Availability = MTBF/(MTBF+MTTR)
MTBF – Mean Time between failures
MTTR – Mean Time to Repair
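The formula above gives the availability of a single device. As an added worked example (not from the original page), with assumed figures MTBF = 100,000 h and MTTR = 4 h, and 8760 hours in a year:

$$A = \frac{MTBF}{MTBF + MTTR} = \frac{100000}{100000 + 4} \approx 0.99996 \;(99.996\%)$$

$$\text{Expected downtime per year} = (1 - A)\times 8760\,\text{h} \approx 0.35\,\text{h} \approx 21\,\text{min}$$

The same figures extend to a design (assuming independent failures): two such devices that must both work, such as a router behind a firewall, are in series, while two that back each other up, such as an HSRP pair, are in parallel:

$$A_{series} = A_1 A_2 \approx 0.99992 \quad(\approx 42\,\text{min/year})$$

$$A_{parallel} = 1 - (1 - A_1)(1 - A_2) \approx 1 - 1.6\times 10^{-9} \quad(\approx 0.05\,\text{s/year})$$

This is why a redundant pair is justified on the critical path: series composition roughly doubles the downtime, whereas the parallel pair drives it to near zero, as long as the failures really are independent (separate power feeds, separate uplinks).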
