Infrastructure Scenario Tests

A sudden work-from-home mandate floods the SSL VPN concentrator with 500+ simultaneous connections. The device supports 250 concurrent sessions. Users see 'maximum sessions reached' errors. Split tunneling not configured, so all traffic routes through VPN, crushing the bandwidth.

The hub firewall's IKE daemon crashes, tearing down all 6 site-to-site IPSec VPN tunnels simultaneously. All branch offices lose connectivity to the data center. File shares, ERP, email, and VoIP between sites all fail.

The HA synchronization between a FortiGate firewall cluster pair fails due to a mismatched firmware version after one unit was updated. Session tables are out of sync. If the primary fails, the secondary has a stale configuration that will break VPN tunnels and NAT rules.

A junior admin pushes a firewall rule that blocks TCP port 443 outbound for the production server VLAN. All HTTPS-dependent services fail — API calls to payment gateways, cloud backups, software license checks, and update services all stop.

Meraki Enterprise licenses expire on a Saturday night. Dashboard access becomes read-only. Advanced features including Auto VPN, traffic shaping, and client analytics are disabled. APs continue broadcasting but without content filtering or group policies.

The Meraki VPN concentrator hub at the data center fails, breaking all Auto VPN tunnels in the mesh. 8 branch sites lose connectivity to central resources including file shares, ERP, and VoIP.

An upstream switch reboot causes 20 Meraki MR46 access points to lose their uplink simultaneously. APs lose Meraki Dashboard cloud connectivity and fall into local management mode. SSIDs remain broadcasting but no new clients can authenticate via RADIUS.

The primary Meraki MX450 appliance at a large campus fails due to a firmware crash. The warm spare MX450 assumes the primary role after a 45-second failover gap. All site-to-site VPN tunnels and client connections are disrupted during the transition.

A vulnerability scanner on the network is using incorrect SNMP community strings, generating thousands of SNMP authentication failure traps from every managed device. NMS is overwhelmed.

A UniFi controller update introduces a bug that causes all APs to lose their management connection. APs continue serving clients with last-known config, but cannot be managed, updated, or monitored.

The MPLS PE-CE link at a remote branch office fails. The branch is completely isolated from the WAN. No backup link exists. 30 employees cannot access any corporate resources.

The primary MPLS circuit at a branch office goes down. SD-WAN fails over to the backup broadband link. Voice quality degrades due to higher jitter on the broadband path.

An attacker spoofs a MAC address to bypass network access control. Port security detects the violation and shuts down the port, but not before the attacker exfiltrates data for 30 seconds.

An OSPF adjacency between two core routers drops due to a unidirectional fiber failure. Routes are withdrawn, causing a major routing blackhole for half the campus network.

A FortiGuard web filter update incorrectly categorizes a critical SaaS application as malware. All employee access to the application is blocked by the UTM policy.

The primary FortiGate in an HA pair crashes due to a firmware bug, triggering failover to the secondary unit. All active VPN tunnels drop and need to re-establish.

Two devices on the same VLAN have been assigned the same IP address. Both are sending gratuitous ARPs, creating an ARP storm that degrades network performance for the entire subnet.

A compromised workstation is flooding the network with spoofed MAC addresses, overflowing the switch CAM table and causing unknown unicast flooding across all VLANs.

A fiber SFP is failing on the uplink between access and distribution layer switches. The port flaps every 30-90 seconds, causing MAC table instability and intermittent connectivity for 200+ users.

A user plugs a personal switch into an access port configured with BPDU Guard. The switch sends BPDUs, triggering err-disable on the port and a topology change notification across the network.