System Architecture
Cloud-native, zero-trust, AI-first
Microservices across design → deploy → monitor → optimize. Multi-tenant. Edge-aware. SD-WAN + security integrated.
Live topology workspace
Switch templates · trace traffic · simulate failover · export
Pick a topology template to refresh nodes, animate a traffic flow, model a failover scenario, and download a branded engineering report.
Multi-floor enterprise campus
Campus HQ
Dual-ISP edge, NGFW + SD-WAN edge, VSS core pair, MLAG distribution and PoE++ access stacks feeding Wi-Fi 6E and IoT segments.
Traffic flow
App class: SaaS · interactive
Bandwidth: Burst 12–80 Mbps
Latency: < 80 ms RTT
A user on Floor 2 launches Outlook + Teams. Traffic is 802.1X-authenticated at the access stack, trunked over the MLAG distribution to the VSS core, inspected by the NGFW, then NATted out the primary ISP.
Path
cli1 → acc2 → dist2 → core1 → fw → inet
- 1. cli1 → acc2: 802.1X EAP-TLS, ISE assigns VLAN 10 + SGT 20
- 2. acc2 → dist2: LACP uplink, QoS marks Teams DSCP 46
- 3. dist2 → core1: MLAG hashes flow to VSS primary, ECMP path
- 4. core1 → fw: NGFW App-ID = 'ms-teams', SSL-decrypt bypass for M365
- 5. fw → inet: PAT to public IP, BGP via primary ISP (AS 64500)
Failover
Recovery: Sub-second SSO failover
Mechanism: VSS active/standby with stateful switchover
Blast radius: 0 user-impacting seconds (VSS pair)
Primary path: acc2 → dist2 → core1 → fw → inet
Failover path: acc2 → dist2 → core2 → sdwan → inet
- 1. Core SW-01 loses power. The VSS link (Po1) goes down and Core SW-02 promotes itself to active.
- 2. MLAG re-hashes northbound traffic onto the surviving distribution-to-core uplinks within 200–400 ms.
- 3. North-south traffic re-routes from the NGFW to the SD-WAN edge as a transient asymmetric path while BGP reconverges.
- 4. ISE sessions remain authenticated; no client deauths because the access stacks are unaffected.
Experience Layer
Web console, mobile, CLI, public APIs
React UI · REST + GraphQL · WebSocket telemetry · OpenAPI SDKs
AI / ML Engine
Predictive design, anomaly detection, self-healing, edge inference
RF predictor · Client behavior model · RCA LLM · Edge AI agents
Domain Services
Microservices for each lifecycle stage
Design service · NAC service · Deploy orchestrator · Telemetry pipeline · Policy engine
Vendor Abstraction
Normalized config + driver layer per vendor
Cisco / Meraki · Aruba / Mist · Ruckus / Huawei · Ubiquiti · Generic 802.11
Data & Identity
Time-series, graph, identity, secrets
TimescaleDB · Neo4j topology · OIDC/SAML · Vault secrets · S3 telemetry lake
AI-first
Predictive RF, anomaly detection, RCA, self-healing
Zero-trust
mTLS, OIDC, posture-based access, micro-segmentation
Cloud-native
K8s, autoscaling, multi-region, hybrid + on-prem
Edge AI
On-AP inference for sub-50ms decisions, IoT telemetry
Lifecycle workflow
Design → Validate → Deploy → Monitor → Optimize — continuously
01 Design: AI auto-place, predictive heatmap, capacity model
02 Validate: Digital twin, what-if, conflict checks
03 Deploy: ZTP, vendor templates, staged rollout, rollback
04 Monitor: Telemetry, SLA, experience score, AI RCA
05 Optimize: Channel/power, firmware, capacity recos
Stack: TS / Go / Rust · K8s · Kafka · TimescaleDB · ClickHouse · PyTorch
Integrations: SD-WAN (Viptela, Versa) · SIEM · ServiceNow · Slack · PagerDuty
Security: FIPS 140-2 · SOC 2 · ISO 27001 · zero-trust posture