What Senior Network Panels Actually Ask (and What Trips Most Candidates Up)
Network engineer interview questions get harder the further you progress in a loop. The phone screen is textbook. The onsite is not. I’ve watched candidates who aced subnetting math stall completely when an interviewer said, “Our OSPF DR election is flipping every 20 minutes on this segment. Walk me through your first five minutes.” It’s a different skill. This post covers both.
Quick context on why this matters in 2026: the BLS reports 331,500 network and computer systems administrator roles in the US as of 2024, with a median wage of $96,800. Overall headcount is projected to shrink 4% by 2034 as automation absorbs routine tasks, but around 14,300 openings per year still open up from attrition alone. The net effect: fewer easy jobs, more competition for the ones that exist. Interviewers can afford to be picky, and they are.
At LastRound AI, we see candidates running through live network engineering interview sessions with our copilot. One pattern holds up consistently: people who drill protocols in isolation do worse than people who practice explaining trade-offs out loud. The questions below are grouped by theme, and each answer is written the way you’d want to explain it to a skeptical senior engineer who will push back.
Fundamentals: OSI, TCP/IP, and the questions that seem easy until they aren’t
These show up in almost every network engineer interview questions loop. The catch is that interviewers don’t want the seven-layer recitation – they want to know what happens when something at that layer breaks.
1. Walk me through the OSI model. Now tell me where TCP lives and where IP lives. Now tell me where a VLAN tag gets added.
TCP is Layer 4 (Transport). IP is Layer 3 (Network). A VLAN 802.1Q tag is inserted at Layer 2 (Data Link) – specifically into the Ethernet frame header between the source MAC and the EtherType field.
The reason this question trips people up: they memorize the layers but can’t map real protocol headers to them. When an interviewer asks where DSCP marking happens, the right answer is Layer 3 IP header, DSCP field. When they ask where a stateful firewall tracks connections, it’s Layer 4 (source IP, destination IP, ports, and TCP state flags).
Don’t say: “The OSI model has seven layers: Application, Presentation…” That’s the answer to a different question. Lead with what they actually asked.
2. What exactly happens when you type a URL and hit Enter? Go as deep as the interviewer wants.
Browser checks local DNS cache. Cache miss triggers recursive resolution: stub resolver queries local resolver (usually your DHCP-assigned DNS), which queries root, then TLD, then authoritative. TTL determines how long the answer sits in each cache.
TCP three-way handshake to port 443. TLS ClientHello – this is where the handshake negotiates cipher suite, exchanges certificates, and produces session keys via ECDHE or similar. HTTP request goes over the established encrypted session.
For senior roles, add: HTTP/2 multiplexes streams over one TCP connection. HTTP/3 runs over QUIC (UDP-based), which eliminates head-of-line blocking at the transport layer. Knowing this distinction is the difference between “I understand TCP” and “I understand why the web is moving away from it.”
3. TCP vs UDP. When is UDP actually the right call for something critical?
TCP: reliable, ordered, connection-oriented. Retransmissions add latency when packets drop.
UDP: no guarantees. Faster because there’s no handshake, no retransmit logic, no connection state.
UDP is right for: DNS queries (latency matters more than reliability; dropped queries just retry), VoIP (a retransmitted 20ms audio packet arriving 200ms later is worse than silence), financial market data feeds where you want the latest tick, not a buffered one from 300ms ago. QUIC is built on UDP because Google’s engineers decided the TCP stack in OS kernels was too slow to iterate on – another good thing to know for senior networking roles.
4. Explain ARP. What’s an ARP cache poisoning attack and how do modern networks defend against it?
ARP maps Layer 3 IP addresses to Layer 2 MAC addresses on a local segment. A host broadcasts “who has 192.168.1.1?” and the owner responds with its MAC. The querier caches the result.
ARP has no authentication. An attacker on the same segment can send unsolicited ARP replies (“I have 192.168.1.1, my MAC is AA:BB:CC:DD:EE:FF”) and poison neighbors’ caches. This is how man-in-the-middle attacks work on LANs.
Defense: Dynamic ARP Inspection (DAI) on managed switches cross-checks ARP replies against the DHCP snooping binding table, dropping replies that don’t match. Private VLANs also limit which hosts can talk to which, reducing blast radius. IPv6 replaces ARP with NDP (Neighbor Discovery Protocol), which is slightly better but still vulnerable to similar spoofing without SEcure Neighbor Discovery (SEND).
5. What is NAT and what does it actually break?
NAT rewrites IP headers as packets cross the router. PAT (Port Address Translation, the variant you actually use everywhere) also rewrites port numbers, letting many private hosts share one public IP.
What it breaks: any protocol that embeds IP addresses in the payload (FTP in active mode, SIP for VoIP, H.323). IPsec in transport mode can’t work through NAT without NAT-T encapsulation, because ESP doesn’t have port fields. Peer-to-peer connectivity is painful (STUN, TURN, ICE are the workarounds WebRTC uses). IPv6 was supposed to kill NAT – it mostly hasn’t, which is its own conversation.
Routing protocols: the questions that require you to have actually debugged something
This is where network engineer interview questions separate the people who studied for CCNP from the people who’ve managed a production network. If you’ve never watched BGP try to reconverge after an upstream flap, some of these will feel abstract.
6. OSPF vs BGP. The follow-up most people aren’t ready for: why would you run BGP inside your own AS?
OSPF is an IGP (Interior Gateway Protocol) – link-state, fast convergence, hierarchical areas. Use it within your organization. BGP is an EGP (Exterior Gateway Protocol) – path-vector, policy-driven, designed to scale to the full internet routing table. Use it between organizations or ISPs.
The iBGP question: you run iBGP inside your own AS in large networks and data centers because it scales better than OSPF for carrying a massive number of prefixes, and because you want the same policy tooling (route-maps, communities, local-pref) inside your network that you use externally. Big cloud providers and large enterprises run iBGP route reflectors to distribute prefixes across thousands of routers without a full mesh. Spine-leaf data center fabrics with BGP as underlay (a la RFC 7938 “Use of BGP for Routing in Large-Scale Data Centers”) is a real production pattern.
7. Walk through BGP best-path selection. What attribute do most operators actually tune?
The order: Weight (Cisco-local, highest wins) – then Local Preference (highest) – then locally originated – then AS-path length (shortest) – then Origin code – then MED (lowest) – then eBGP over iBGP – then lowest IGP metric to next-hop – then oldest eBGP path – then lowest BGP router-ID.
In practice: Local Preference is what operators tune most. It’s the standard way to prefer one upstream ISP over another for outbound traffic. AS-path prepending is what operators use to influence inbound traffic from external ASes (you make your own AS-path artificially longer to make neighbors prefer a different path). MED is theoretically for telling a neighbor which entry point you prefer, but many ISPs ignore it. This is the kind of operational detail that tells an interviewer you’ve done this work, not just read about it.
8. How does OSPF elect a DR and BDR? When does a flapping DR cause real problems?
On multi-access segments (like Ethernet), OSPF elects a Designated Router and Backup Designated Router to reduce flooding. All other routers (DROthers) form adjacencies only with DR and BDR, not each other. DR is elected by highest OSPF priority (default 1; 0 makes a router ineligible), tie-broken by highest router-ID.
The flapping problem: OSPF doesn’t preempt. If a new higher-priority router joins, it doesn’t kick out the existing DR. But if the current DR is flapping (link going up/down due to a bad cable, bad NIC, or overloaded CPU), every flap triggers a re-election, which causes LSAs to flood across the area, which causes SPF recalculations on every router. On a large area that’s noticeable CPU spikes and brief micro-outages. Fix: tune hello/dead timers, set priority to 0 on unstable routers, use point-to-point network type where possible to skip DR election entirely.
9. Explain administrative distance. Why does it matter when you have multiple routing sources?
Administrative distance is a router’s trust score for a route source – lower is more trusted. Connected: 0. Static: 1. EIGRP: 90. OSPF: 110. RIP: 120. External EIGRP: 170. iBGP: 200.
Why it matters: if you’re redistributing between OSPF and BGP, and the same prefix appears in both, the router picks based on AD. A floating static route (higher AD than your primary routing protocol) is a common failover technique – it only installs when the protocol-learned route disappears. Get this wrong and you route traffic the wrong way during a partial failure. I’ve seen operators accidentally set a floating static with AD 1 and wonder why OSPF wasn’t working.
10. Route redistribution. Why is it dangerous and what are the two classic failure modes?
Route redistribution shares routing information between different protocols. Necessary when you have a network running OSPF internally but need to inject BGP-learned prefixes, or vice versa.
Classic failure mode one: routing loops. Routes learned from BGP get redistributed into OSPF, which redistributes them back into BGP at a different point in the network, which may prefer the redistributed (now-OSPF) path over the original BGP one. Fix: careful use of route-maps to tag redistributed routes, then filter them at the other redistribution point. Failure mode two: metric incompatibility. OSPF uses cost; RIP uses hop count. When you redistribute from RIP into OSPF, the receiving OSPF domain needs a seed metric – forget to set it and the route either doesn’t install or installs with an absurd cost. Always explicit-metric your redistributions.
Switching and VLANs: where the “easy” questions have hard edge cases
11. VLANs and 802.1Q. What’s a native VLAN and why is it a security risk?
VLANs are logical broadcast domain separations on a shared physical switch. 802.1Q trunking carries multiple VLANs over one link by inserting a 4-byte tag between the source MAC and EtherType – the tag contains the VLAN ID (12 bits, so up to 4094 VLANs).
The native VLAN is the VLAN whose frames are sent untagged on a trunk. Default is VLAN 1 on most Cisco gear.
The security risk: double-tagging attack. An attacker on the native VLAN sends a frame with two VLAN tags – the outer tag matches the native VLAN and gets stripped at the first trunk, leaving the inner tag targeting a different VLAN. The second switch forwards it into that VLAN. Fix: never put user devices on the native VLAN, change the native VLAN from 1 to an unused VLAN, and explicitly trunk-tag the native VLAN with vlan dot1q tag native. Cisco’s VLAN Best Practices guide (updated 2024 in the Cisco Secure Design documentation) covers this specifically.
12. Spanning Tree. What problem does it solve and what problem does it create?
STP solves broadcast storms in redundant switched networks by blocking ports that would create loops. It elects a root bridge (lowest bridge ID = priority + MAC), calculates path costs, and blocks non-designated ports.
What it creates: slow convergence. Classic STP takes up to 50 seconds to reconverge after a topology change. RSTP (802.1w) cuts this to a few seconds with a different negotiation mechanism. MSST (802.1s, Multiple Spanning Tree) maps VLANs to instances to avoid running a separate STP instance per VLAN in large environments.
The other problem: STP is stateful and its failures are subtle. A misconfigured switch with a lower bridge priority can accidentally become root bridge for your production network, rerouting all traffic through a path that wasn’t designed to carry it. PortFast and BPDU Guard on access ports prevent end-user devices from accidentally disrupting STP topology – forgetting these is a common junior mistake that causes hard-to-diagnose flaps.
13. VXLAN. Why 16 million VNIs matters and where the complexity lives.
VXLAN encapsulates Layer 2 Ethernet frames inside UDP packets (port 4789). This lets you extend Layer 2 domains across a Layer 3 routed network. VXLAN uses a 24-bit VNI (Virtual Network Identifier), giving you ~16.7 million virtual networks vs the 4094 VLAN limit.
The complexity lives in control-plane distribution. Early VXLAN used multicast flooding for BUM (Broadcast, Unknown unicast, Multicast) traffic, which required multicast routing across the underlay. Modern deployments use EVPN (Ethernet VPN, RFC 7432) over BGP as the control plane – EVPN distributes MAC and IP reachability information without flooding, and enables active-active multi-homing. If an interviewer asks about VXLAN in a data center context and you don’t mention EVPN, that’s a gap they’ll probe.
14. HSRP vs VRRP vs GLBP. When would you actually use GLBP?
All three provide first-hop redundancy – a virtual IP and virtual MAC that hosts use as their default gateway, backed by multiple physical routers.
HSRP: Cisco proprietary, active/standby. VRRP (RFC 5798): open standard, master/backup, nearly identical to HSRP. Use VRRP when you have multi-vendor gear.
GLBP: Cisco proprietary, but uniquely enables load balancing. Multiple routers are active simultaneously, and the AVG (Active Virtual Gateway) distributes different virtual MACs to ARP responses, sending different hosts to different routers. In practice GLBP is underused because most people don’t think about gateway load balancing, and the configuration is less familiar. But in environments where the default gateway is a real bottleneck (not common, but it happens in dense access layers), it’s worth knowing. The honest answer is: most shops just use VRRP and don’t bother with GLBP.
Security and troubleshooting: the part where people show their actual experience
A lot of network engineer interview question lists skip the troubleshooting section or treat it as a soft add-on. Don’t. Senior panels at cloud companies spend a disproportionate amount of time here because systematic troubleshooting is genuinely hard to fake.
15. Stateful vs stateless firewalls. Where does each belong in a real network design?
Stateless firewalls (ACLs) match individual packets against rules – source IP, destination IP, port, protocol. Fast and simple. No connection tracking.
Stateful firewalls track TCP/UDP sessions and allow return traffic automatically without explicit allow rules. Much harder to misconfigure in ways that break legitimate traffic.
Where each belongs: stateless ACLs make sense at network edges where you’re doing coarse filtering at high line rates (hardware ACLs on switches, edge router ACLs). Stateful firewalls belong at zone boundaries where you actually need to enforce policy – DMZ to internal, internet to inside. NGFW (Next-Gen Firewalls) add application-layer inspection (Layer 7) and threat intelligence, which matters when you’re not willing to trust port-based rules alone. In a zero-trust architecture the perimeter firewall becomes less important and micro-segmentation between workloads becomes the main control.
16. SDN. What does separating control plane and data plane actually change operationally?
Traditional networking: each device runs its own control plane (routing protocols, STP calculations) and data plane (packet forwarding). SDN separates these – a centralized controller holds the control plane logic and programs forwarding rules into “dumb” switches via OpenFlow or similar protocols.
Operationally it changes: you get consistent policy across the fabric from one place, easier automation (the controller exposes an API), and the ability to do traffic engineering that’s difficult to coordinate when each router is making independent decisions. The trade-off: the controller is now a single point of failure in terms of policy (though not necessarily traffic, since most SDN devices can continue forwarding on cached rules). AWS, Google, and Azure run SDN fabrics internally – their virtual switches (VPCs, VNets) are SDN constructs. Cisco ACI and VMware NSX are the enterprise equivalents. If you’re interviewing at a cloud provider, knowing the difference between underlay (physical network) and overlay (SDN virtual network) is not optional.
17. Your OSPF neighbor adjacency keeps resetting every few minutes. What’s your first five minutes?
First: check the exact error. show ip ospf neighbor tells you the state (if it’s cycling between INIT and FULL, different problem than stuck in EXSTART). debug ip ospf adj gives you the reason for the reset.
Common causes in priority order based on what I’ve actually seen: mismatched hello/dead timers (a timer mismatch causes the dead timer to expire and tear the adjacency; easy to check with show ip ospf interface). Mismatched area type (stub vs normal). MTU mismatch causing DBD packets to be too large, which causes EXSTART to never complete. Flapping physical interface. Authentication mismatch. Duplicate router-IDs on the segment.
Senior-level answer also includes: what changed recently? If this is a new problem on an existing network, a config change is more likely than a protocol bug. Check change logs first, then dig into the protocol.
18. You have intermittent packet loss between two servers in the same data center. Walk through the diagnosis.
Same data center means same-building traffic, so this is almost certainly a Layer 1-3 issue, not a WAN latency problem.
Start with ping with large packet sizes to check MTU-related drops. Check interface error counters on both ends and the switch ports between them – input errors, CRC errors, and output drops tell you a lot. If there are CRC errors, it’s likely a physical layer problem (bad cable, SFP, or NIC). If there are output drops, it’s a queue/congestion problem.
If counters look clean: check if the loss is periodic. Periodic loss often points to STP topology changes (TCN events reset the CAM table and cause flooding until MAC addresses are relearned, which briefly drops unicast traffic). show spanning-tree detail will show topology change counts. Also check if both servers are in the same VLAN – if not, inter-VLAN routing is involved and the Layer 3 device becomes a suspect. For packet-level debugging: tcpdump or Wireshark on both ends simultaneously, with synchronized timestamps, is the only way to tell whether drops are before or after a given device.
19. How does QoS work and when is it the right tool?
QoS prioritizes certain traffic flows over others using classification (matching packets by protocol, port, DSCP markings), marking (setting DSCP bits in the IP header), queuing (holding lower-priority packets when the link is congested), and scheduling (deciding which queue to service next).
When it’s the right tool: QoS is useful when you have competing traffic types and you cannot just throw more bandwidth at the problem. VoIP and interactive video need low latency and jitter; bulk data transfers don’t. DSCP EF (Expedited Forwarding, value 46) is the standard marking for voice. When it’s NOT the right tool: if your links are consistently congested at 90%+ utilization, QoS just determines which traffic suffers, not which traffic is fine. The right answer there is more capacity. I have a mild opinion that QoS is overused as a Band-Aid for under-provisioned WAN links.
20. What is network convergence and what drives the difference between OSPF’s seconds and BGP’s minutes?
Convergence time is how long the network takes to reach a consistent routing state after a topology change. During convergence, some traffic may be blackholed or routed suboptimally.
OSPF converges in seconds because it floods LSAs immediately on detection, recalculates SPF, and updates the RIB quickly. BGP converges in minutes because it’s intentionally slow – BGP has route flap dampening, hold timers (typically 90 seconds, configurable), and MRAI (Minimum Route Advertisement Interval) that rate-limits updates. This is a feature for internet-scale stability, not a bug. You don’t want the global routing table reconverging every time a flaky ISP link bounces. For internal BGP in data centers, operators tune BGP timers aggressively (sub-second BFD for failure detection, 1-second hold timers) to get OSPF-like convergence with BGP’s policy model.
Design questions: what senior roles actually test
Design questions in network engineer interviews are open-ended on purpose. There’s rarely one right answer. What the interviewer is watching for is how you think through constraints, not whether you land on their preferred topology.
21. Design a network for 500 employees across 3 offices. Walk me through your questions before you touch a whiteboard.
The right move is to ask requirements before proposing anything. What are the bandwidth-heavy apps and where do they live? Is there a primary data center or is everything in a cloud provider? What’s the failure tolerance requirement for the WAN links? What’s the security posture – does traffic between offices need to flow through a central firewall?
Given a typical setup: access layer at each office (switches with VLANs for guest, corporate, VOIP, management), distribution layer (routers doing inter-VLAN routing and WAN termination), MPLS or SD-WAN for site-to-site connectivity. SD-WAN makes sense if the WAN connectivity mix is heterogeneous (broadband + MPLS + LTE), because it handles path selection and failover automatically.
What gets junior candidates in trouble: proposing a full design before asking any questions, over-specifying technology choices before understanding requirements, and not mentioning redundancy. Every layer should have a failure-mode answer. What happens when the primary WAN link drops? What happens when the core switch loses power?
22. Spine-leaf architecture. Why did data centers move away from three-tier?
Traditional three-tier (core/distribution/access) was designed for north-south traffic – clients accessing servers through the layers. East-west traffic (server to server, which is dominant in modern microservices architectures) had to traverse up to the core and back down, adding hops and latency.
Spine-leaf solves this: every leaf switch connects to every spine switch. Any-to-any traffic takes at most two hops (leaf to spine to leaf). The trade-off is wiring complexity and that you need all-active forwarding on the inter-switch links (ECMP, usually with BGP as the routing protocol), which means STP has to be disabled or isolated. VXLAN/EVPN over the spine-leaf fabric handles Layer 2 extension where VMs need to migrate or where tenants need isolated Layer 2 segments. This is the standard modern data center design, and if you’re interviewing at a company with its own data center infrastructure, you should know it cold.
23. How do you design for multi-tenancy in a network context?
Multi-tenancy means multiple customers (or internal business units) sharing the same physical infrastructure while maintaining strict isolation.
Tools: VRFs (Virtual Routing and Forwarding) create separate routing tables on a single router/switch so tenant A’s routes never touch tenant B’s. MPLS VPNs (L2VPN and L3VPN) extend this across a provider network. VXLAN VNIs provide Layer 2 segmentation. At the cloud level, VPCs (Virtual Private Clouds) are the abstraction on top of all of this. Security controls: strict ACLs at VRF boundaries, route-targets that control which prefixes get imported/exported between VRFs, and monitoring at the boundary to catch any attempted cross-tenant traffic.
24-31. Rapid-fire questions that show up in phone screens and deserve solid one-minute answers
24. What’s the difference between a switch and a router? Switch operates at Layer 2, forwards based on MAC addresses, keeps traffic within a broadcast domain. Router operates at Layer 3, forwards based on IP addresses, separates broadcast domains.
25. How does a switch learn MAC addresses? Inspects source MAC of incoming frames, associates with ingress port in the CAM table. Unknown unicast is flooded out all ports except the one it arrived on. Entries age out (typically 300 seconds).
26. What is BFD? Bidirectional Forwarding Detection. A lightweight hello protocol that detects link or path failures much faster than routing protocol timers. Runs at sub-second intervals, often paired with OSPF, BGP, or VRRP to trigger fast failover.
27. What is MPLS? Multiprotocol Label Switching. Forwarding based on labels rather than IP lookups. Labels are assigned at the ingress edge router and swapped at each hop. Enables traffic engineering, VPNs, and can carry multiple protocols.
28. Explain ECMP. Equal-Cost Multi-Path routing. When multiple routes to the same destination have identical cost, the router load-balances across all paths. Typically hashes on (src IP, dst IP, src port, dst port) to keep individual flows on consistent paths.
29. What is a broadcast storm and how do you stop one in progress? A loop in a switched network causes broadcast frames to circulate endlessly, consuming all bandwidth. To stop one in progress: disable the port causing the loop, or if you can’t identify it quickly, disable ports until storm traffic drops. STP should prevent this but can fail if STP is misconfigured or a switch crashes mid-election.
30. IPsec tunnel vs IPsec transport mode. Tunnel mode encapsulates the entire original IP packet inside a new IP header – used for site-to-site VPNs where the VPN endpoints are the gateways, not the actual hosts. Transport mode encrypts only the payload, keeping the original IP header – used for end-to-end encryption between hosts.
31. What’s your go-to sequence for network troubleshooting? Bottom-up: physical first (link lights, interface error counters), then Layer 2 (VLAN membership, STP state, MAC table), then Layer 3 (routing table, next-hop reachability, ARP table), then transport (TCP state, port connectivity), then application. Most experienced engineers jump around rather than walking linearly, but for an interview, bottom-up is what the interviewer wants to hear because it demonstrates systematic thinking.
The certification question
Interviewers at most companies don’t care deeply about certifications for senior roles, but the knowledge foundation they build matters a lot. Cisco’s CCNA certification covers networking fundamentals, IP connectivity, IP services, and security basics – updated in 2024-2025 to include generative AI foundations and cloud network management. CCNP Enterprise (one core exam plus one concentration) is what hiring managers at large enterprises and cloud providers look for when they want evidence that a candidate can operate at scale.
My take, and it’s debatable: for early-career engineers, CCNA is genuinely worth it as a structured way to fill protocol knowledge gaps. For senior engineers with 5+ years of hands-on experience, the certification process is useful for filling specific gaps (maybe you’ve done a lot of switching but never touched BGP) but a portfolio of production incidents you’ve solved will carry more weight in a panel interview than any cert. The candidates who do best in the loops I’ve watched are the ones who can reference a specific failure they debugged, not the ones who recite RFC numbers from memory.
Practice network questions out loud
Reading protocol docs and answering questions in a live panel are different skills. LastRound AI’s interview copilot lets you practice explaining BGP path selection or STP convergence in real time, with feedback on whether your answers have the depth senior panels expect.
Related interview prep
- Cybersecurity engineer interview questions – for roles that need networking depth plus security specialization
- SRE interview questions – reliability engineering often overlaps significantly with network operations
- Full-stack interview questions – useful if you’re moving into application-layer roles that still require TCP/HTTP depth
