HSR Sector 6 · Bangalore +91 96110 27980 Mon–Sat · 09:30–20:30
LMS Login Rack Booking Free Resume Maker ✦ Admissions Open →
👤 Meet Founder · Dual CCIE #22239 · ⭐ 4.7★ Google (1,173) · ⭐ 4.5★ JustDial (1,345) · ▶ 171K YouTube · 20 Years ·Cisco Capital Funded·Fortinet Partner· LMS: nhprep.com · 24/7 Labs · Free AI CV · QuickZTNA · QuickSDWAN
2026 EDITION · 51 Q&AS · 29 CATEGORIES · INDIA-SPECIFIC

Networking Interview Questions and Answers 2026

51 real networking interview questions with detailed answers covering OSI/TCP-IP fundamentals, subnetting, VLAN/STP, OSPF/EIGRP/BGP, ACLs, NAT, VPN, troubleshooting, SD-WAN, cloud networking, and security basics. Compiled from interview rounds at 800+ Bangalore hiring partners over 18 years of placement data — 45,000+ engineers placed across India's top product, services, and BFSI companies.

Curated by Vikas Swami (Dual CCIE #22239 — Security + Routing & Switching), ex-Cisco engineer who has interviewed 1,000+ candidates and run hands-on Cisco/Palo Alto/Fortinet labs at Networkers Home Bangalore since 2005.

Jump to category

Networking Fundamentals · 5 OSI / TCP-IP · 1 Subnetting · 2 VLAN / STP · 3 Routing · 5 ACLs / NAT · 2 VPN · 1 Switching · 1 Wireless · 1 Troubleshooting · 3 Network Automation · 2 Modern · 3 Cloud Networking · 2 Security · 2 Behavioural · 2 Palo Alto HA · 1 Palo Alto · 1 Routing Protocols · 2 BGP · 1 Transport Layer Protocols · 1 Routing & Switching · 1 Network Support Tiers · 1 Cisco Network Engineer Interview · 1 Palo Alto Firewall · 1 Interview Strategy · 1 Incident Response · 1 Log Analysis · 2 Network Sec · 1 Networking · 1

Specialised interview prep:

→ Cisco Network Engineer (30 Q&As) → SOC Analyst (25 Q&As) → Ethical Hacking (20 Q&As) → AI Cybersecurity (25 Q&As)

51

Real Q&As

800+

Hiring partners

45,000+

Engineers placed

18 yrs

Interview data

Networking Fundamentals · 5 questions

Q. What is a network and how does data move across it?
A network is two or more devices connected so they can exchange data. Data moves in encapsulated units (frames at L2, packets at L3, segments at L4) across physical media (copper/fiber/wireless). At each hop: source addresses route the data, MAC addresses identify devices on the same LAN, IP addresses identify them across LANs, and protocols (TCP/UDP/ICMP) define how applications interpret the payload. Modern networks layer L2 switching (within VLAN) + L3 routing (across networks) + transport reliability (TCP) + application protocols (HTTP/DNS) — every interview tests your ability to walk through this stack.
Q. Difference between TCP and UDP — when do you use each?
TCP — connection-oriented, reliable, ordered delivery. 3-way handshake (SYN/SYN-ACK/ACK) before data. Slower setup, but guaranteed delivery + retransmission + congestion control. Use for: HTTP/HTTPS, SSH, SMTP, file transfers, anything where missing bytes break the application. UDP — connectionless, no handshake, no retransmission, no ordering. Faster, smaller header. Use for: DNS queries, VoIP/video calls (RTP), DHCP, SNMP, gaming, anything where speed beats reliability or the app handles its own retry. Interview gotcha: HTTP/3 (QUIC) is built on UDP — modern web shifted away from TCP for performance reasons.
Q. Walk me through what happens when you type google.com in a browser.
(1) Browser checks local DNS cache → OS cache → hosts file. (2) If miss, queries configured DNS resolver (often ISP or 8.8.8.8). DNS query goes over UDP/53 (or TCP/53 if response truncated). (3) Resolver walks: root server → .com TLD server → authoritative server for google.com → returns A record (IPv4) or AAAA (IPv6). (4) Browser opens TCP connection to that IP on port 443. 3-way handshake completes. (5) TLS handshake (ClientHello → ServerHello → certificate exchange → key exchange → Finished). (6) HTTP GET request sent inside TLS tunnel. (7) Server returns HTML response. (8) Browser parses HTML, fires additional requests for CSS/JS/images (each may reuse connection or open new). (9) Renders page. Every step is interview-fair-game — be ready to drill into any layer.
Q. What's the difference between a hub, switch, and router?
Hub — Layer 1 device. Repeats incoming signal to every port. Half-duplex, single collision domain. Obsolete in modern networks. Switch — Layer 2 device. Learns MAC addresses, forwards frames only to the destination port. Each port is its own collision domain. Modern switches support VLANs, STP, QoS, L2 security features. Router — Layer 3 device. Routes packets between networks using IP addresses. Maintains routing table, runs routing protocols (OSPF, BGP), enforces ACLs. Each interface is its own broadcast domain. Modern multi-layer switches blur the line — Cisco Catalyst 9K does L2 + L3 in the same box. Interview tip: when asked about troubleshooting, mention that knowing which layer the device operates at narrows down the failure type.
Q. Explain DHCP — what happens when a new device joins a network?
DHCP (Dynamic Host Configuration Protocol) — 4-step process called DORA: (1) DISCOVER — client broadcasts to find DHCP server (source 0.0.0.0, dest 255.255.255.255, UDP/67). (2) OFFER — server responds with IP lease offer (DHCPOFFER packet with proposed IP, mask, lease time). (3) REQUEST — client broadcasts request to accept that offer (other servers see this and withdraw their offers). (4) ACK — server acknowledges, lease starts. Lease typically 24h-8d depending on policy. Renewal happens at 50% lease time (T1) directly with assigning server. Across-VLAN DHCP needs ip helper-address on router/L3 switch (forwards broadcast to specific server IP). Interview gotcha: DHCP runs over UDP/67 server / UDP/68 client — not the other way around.

OSI / TCP-IP · 1 question

Q. Explain the OSI model — and which layers do TCP and IP operate at?
The OSI model has 7 layers: Physical, Data Link, Network, Transport, Session, Presentation, Application. IP operates at Layer 3 (Network — handles addressing and routing between networks). TCP operates at Layer 4 (Transport — handles connection-oriented reliable delivery). UDP also at Layer 4 (connectionless). Memorising this is non-negotiable for any networking interview.

Subnetting · 2 questions

Q. What's the broadcast address and number of usable hosts for 192.168.1.0/26?
/26 = 255.255.255.192 = 64 addresses per subnet. For 192.168.1.0/26: network address 192.168.1.0, broadcast 192.168.1.63, usable hosts 192.168.1.1–192.168.1.62 (62 usable). Formula: 2^(32-prefix) - 2 = 2^6 - 2 = 62 usable hosts.
Q. How do you subnet 10.0.0.0/16 to support 50 subnets each with at least 100 hosts?
Need 50 subnets → 2^6 = 64, so 6 subnet bits. Need 100 hosts/subnet → 2^7 - 2 = 126, so 7 host bits. 16 + 6 + 7 = 29 bits used → /23 prefix would give us 7 host bits and 7 subnet bits (128 subnets). Most accurate answer: /23 mask (255.255.254.0) works — gives 128 subnets of 510 hosts each. Trade-off: address efficiency vs subnet count.

VLAN / STP · 3 questions

Q. Difference between access port and trunk port?
Access port — carries traffic for a single VLAN, untagged. Connects end devices (PCs, printers). Frames going in are assigned to the access VLAN; frames going out are untagged. Trunk port — carries traffic for multiple VLANs, tagged with 802.1Q (or ISL legacy). Connects switches together or to routers/firewalls. Native VLAN traffic is untagged; all other VLAN traffic is tagged.
Q. What's the role of Spanning Tree Protocol (STP) and how is the root bridge elected?
STP prevents loops in switched networks by blocking redundant paths. Root bridge election: switch with the lowest Bridge ID (Priority + MAC address) wins. Default priority is 32768 (or 32768 + VLAN ID for PVST+). Lower priority = better candidate. Once root is elected, every switch calculates the lowest-cost path to the root and blocks alternate paths. Variants: STP (802.1D), RSTP (802.1w, faster convergence), MST (802.1s, multiple instances).
Q. What's the difference between RSTP and traditional STP?
RSTP (Rapid Spanning Tree Protocol, 802.1w) converges in seconds vs STP's 30-50 seconds. Key changes: (1) eliminated listening + learning states (replaced with discarding), (2) introduced edge ports + alternate ports + backup ports for faster failover, (3) uses BPDUs as keepalives bidirectionally between switches. Backwards-compatible — RSTP downshifts to STP when paired with legacy switches.

Routing · 5 questions

Q. What's the difference between OSPF, EIGRP, and BGP?
OSPF (link-state, IGP, open standard, RFC 2328) — runs Dijkstra SPF inside each area, fast convergence, hierarchical with areas. EIGRP (advanced distance-vector, IGP, originally Cisco-proprietary now open) — uses DUAL algorithm, fastest convergence among IGPs, less complex than OSPF. BGP (path-vector, EGP, RFC 4271) — used between autonomous systems (the internet's backbone), policy-driven, slow convergence, scales to 1M+ routes. Use OSPF for enterprise multi-vendor, EIGRP for Cisco-only, BGP for ISP/multi-AS.
Q. Explain OSPF area types — backbone, regular, stub, totally stubby, NSSA.
Backbone (area 0) — must be present, all other areas connect to it. Regular area — accepts all LSA types (1, 2, 3, 4, 5). Stub area — blocks Type 5 (external LSAs); ABR injects default route. Totally stubby (Cisco proprietary) — blocks Type 3, 4, 5; only default route from ABR. NSSA (Not-So-Stubby Area) — like stub but allows Type 7 LSAs (redistributed routes from non-OSPF), translated to Type 5 at ABR. Use case: branch offices that need external route info but want a small LSDB.
Q. What's an OSPF DR/BDR and why are they elected?
On multi-access networks (Ethernet broadcast), OSPF elects a Designated Router (DR) and Backup DR (BDR) to reduce LSA flooding. Without DR, every router would establish full adjacencies with every other router on the segment (n*(n-1)/2 adjacencies). With DR, all routers form adjacencies with DR only — n adjacencies. Election: highest OSPF priority wins (default 1). Tie-broken by highest router ID. Priority 0 = ineligible. DR/BDR not used on point-to-point links.
Q. EIGRP DUAL algorithm — explain Successor and Feasible Successor.
Successor — the route with the lowest metric to a destination, installed in the routing table. Feasible Successor (FS) — a backup route that satisfies the Feasibility Condition: FS reported distance < Successor feasible distance. FS is pre-computed, kept in topology table, and installed instantly if Successor fails — no recomputation needed. This is what gives EIGRP sub-second convergence. If no FS exists, DUAL goes Active and queries neighbors — slower.
Q. BGP path attributes — list the 6 well-known mandatory ones.
Per RFC 4271: AS_PATH, NEXT_HOP, ORIGIN, LOCAL_PREF (well-known discretionary, only for iBGP), ATOMIC_AGGREGATE (well-known discretionary), MED (optional non-transitive). Path selection order: Highest Weight (Cisco-only) → Highest LOCAL_PREF → Locally Originated → Shortest AS_PATH → Lowest ORIGIN → Lowest MED → eBGP over iBGP → Lowest IGP metric to next-hop → Oldest Route → Lowest Router-ID. Memorising this order is a CCNP / CCIE benchmark question.

ACLs / NAT · 2 questions

Q. Standard vs extended ACL — when do you use each?
Standard ACL (1–99 or 1300–1999) — filters by source IP only. Apply close to destination (because filtering only by source means you don't want to block legitimate traffic to other destinations from same source). Extended ACL (100–199 or 2000–2699) — filters by source IP + destination IP + protocol + ports. Apply close to source for efficiency (drops unwanted traffic before it traverses the network). Modern best practice: use named ACLs for both readability.
Q. Difference between NAT, PAT, and dynamic NAT?
NAT (static) — 1:1 mapping between inside-local and inside-global. Used for servers needing fixed external IPs. Dynamic NAT — pool of inside-global IPs assigned dynamically to inside-local IPs as needed. Once mapping established, it persists for connection. PAT (NAT overload) — many-to-one mapping using port numbers to differentiate. The default for most internet-facing routers — millions of internal IPs sharing a single public IP via different source ports. Cisco command: ip nat inside source list 1 interface GigabitEthernet0/0 overload.

VPN · 1 question

Q. Site-to-site IPsec VPN — explain Phase 1 and Phase 2.
Phase 1 (IKE/ISAKMP) — establishes a secure channel for negotiating Phase 2. Negotiates: encryption algo (AES, 3DES), authentication (PSK or certs), DH group, lifetime. Two modes: Main Mode (6 messages, more secure) or Aggressive Mode (3 messages, faster but exposes identity). Phase 2 (IPsec) — establishes the actual data tunnel. Negotiates: transform set (ESP/AH + encryption + hash), proxy IDs (interesting traffic), tunnel mode (typical) or transport mode. Phase 1 SA is bidirectional; Phase 2 SAs are unidirectional pairs.

Switching · 1 question

Q. EtherChannel — LACP vs PAgP vs static. Trade-offs?
LACP (802.3ad, IEEE standard, multi-vendor) — modes: active (initiates), passive (responds). Negotiation overhead but interoperable across vendors. PAgP (Cisco-proprietary) — modes: desirable (initiates), auto (responds). Faster negotiation but Cisco-only. Static (mode on) — no negotiation, just bundles physically. Fast setup but error-prone (silent misconfig). Best practice: LACP active-active for production multi-vendor environments.

Wireless · 1 question

Q. What are the differences between 802.11ax (Wi-Fi 6) and 802.11ac (Wi-Fi 5)?
Wi-Fi 6 (802.11ax) introduced: OFDMA (better multi-user efficiency vs OFDM in Wi-Fi 5), MU-MIMO uplink + downlink (Wi-Fi 5 was downlink only), Target Wake Time (TWT) for IoT power savings, BSS Coloring (interference reduction in dense deployments), and 1024-QAM modulation (higher peak speeds). Real-world impact: Wi-Fi 6 shines in dense environments (office floors, conference centres) where Wi-Fi 5 chokes.

Troubleshooting · 3 questions

Q. User reports they can't reach 8.8.8.8 from their PC — walk through troubleshooting.
Layer-by-layer: (1) Layer 1: ping default gateway — if fails, check cable/link status. (2) Layer 2: arp -a to verify MAC of default gateway is learned. (3) Layer 3: ping default gateway works; ping 8.8.8.8 fails. Check routing table on PC + on default gateway. Trace route to 8.8.8.8. (4) DNS: nslookup google.com — if DNS fails but ping 8.8.8.8 works, DNS server issue. (5) Firewall: check ACLs / firewall rules at perimeter. (6) NAT: check NAT translation table (if private IP). Each layer eliminates a class of issues.
Q. show ip ospf neighbor returns 'EXCHANGE' state stuck — what's wrong?
OSPF neighbor stuck in EXCHANGE typically means MTU mismatch. During DBD (Database Description) packet exchange in Phase 2, OSPF requires same MTU on both ends. Other possible causes: hello-interval / dead-interval mismatch, area mismatch, authentication mismatch, network type mismatch (point-to-point vs broadcast). Cisco command to verify: show ip ospf interface — checks MTU, hello/dead, network type. Force adjacency past MTU mismatch with: ip ospf mtu-ignore (workaround, not recommended).
Q. BGP neighbor stuck in 'Active' state — what does it mean?
Counter-intuitively, 'Active' state means BGP can NOT establish — it's actively trying. Compare to 'Established' which is the working state. Causes: (1) TCP port 179 blocked between peers (firewall), (2) Wrong neighbor IP configured, (3) eBGP-multihop required but not configured, (4) AS number mismatch, (5) authentication password mismatch, (6) prefix-list / route-map filtering all routes. Debug: debug ip bgp events. Check show ip bgp summary for state progression.

Network Automation · 2 questions

Q. What is Netmiko and how does it differ from Paramiko?
Paramiko — generic Python SSH library, low-level. You handle connect, authenticate, send commands, parse output yourself. Netmiko — built on top of Paramiko, network-device-specific. Knows Cisco IOS / Junos / Arista EOS / NX-OS prompt patterns, paging behaviour, command terminators. Auto-handles 'Press any key to continue', 'config-prompt', etc. Netmiko is the standard for Cisco device automation in Python. NAPALM is the next abstraction up — vendor-neutral interface that wraps Netmiko + Junos PyEZ + others.
Q. Show me a basic Ansible playbook to push a config to 10 Cisco switches.
---\n- name: Push VLAN config to switches\n hosts: cisco_switches\n gather_facts: no\n connection: network_cli\n tasks:\n - name: Configure VLAN 100\n cisco.ios.ios_config:\n lines:\n - vlan 100\n - name DATA_VLAN\n match: line\n replace: line\n register: result\n - name: Save config\n cisco.ios.ios_config:\n save_when: modified\n— Inventory file lists hosts under [cisco_switches]. Run with: ansible-playbook playbook.yml -i inventory.ini -u admin --ask-pass.

Modern · 3 questions

Q. What is SD-WAN and how does it differ from MPLS?
MPLS — provider-managed Layer 2.5 technology with QoS guarantees and predictable latency. Reliable but expensive (~10x cost of broadband per Mbps). Single carrier dependency. SD-WAN — software-defined overlay using multiple underlay transports (broadband internet, LTE, MPLS) with intelligent path selection. Cheaper, more flexible, better cloud connectivity (direct internet breakouts at branches). Major vendors: Cisco SD-WAN (Viptela), VMware VeloCloud (now Velocloud SD-WAN), Versa Networks. Migration is a major Bangalore hiring trend in 2026.
Q. Explain Zero Trust Network Architecture (ZTNA) and how it differs from VPN.
Traditional VPN — 'castle and moat' model. User authenticates once, gets full network access. Once breached, attacker has network-wide access. ZTNA — 'never trust, always verify'. Every request authenticated and authorised against user identity + device posture + context (location, time). User connects to specific applications, not the network. Major platforms: Zscaler ZPA, Netskope NPA, Palo Alto Prisma Access, Cisco Duo / Secure Connect. Hiring growth for ZTNA engineers is 35% YoY in 2026.
Q. What is BGP EVPN and where is it used?
BGP EVPN (RFC 7432) — uses MP-BGP to advertise MAC and IP addresses (instead of just IP prefixes). Primary use: VXLAN-based datacentre fabrics. Replaces older flood-and-learn approaches with control-plane-driven learning. Cisco implementations: ACI fabric, Nexus 9K with VXLAN. Major use case in modern Bangalore datacentres — every cloud service provider's underlay uses EVPN-VXLAN.

Cloud Networking · 2 questions

Q. Explain AWS VPC peering vs Transit Gateway — when to use each?
VPC Peering — direct 1:1 connection between two VPCs. Non-transitive (A→B and A→C does NOT enable B→C). Cheap, simple. Use for small hub-and-spoke or 2-3 VPC integrations. Transit Gateway — central hub for many VPCs (up to 5,000) and on-prem connections. Transitive routing. More expensive but scales massively. Use for: enterprise multi-account architectures, multi-region replication, hybrid cloud connectivity. Senior network engineer roles in Bangalore now ask AWS networking depth — TGW is common interview topic.
Q. What's the difference between AWS Network Load Balancer (NLB) and Application Load Balancer (ALB)?
ALB — Layer 7 (application). Routes by URL path, hostname, headers. SSL termination at LB. Best for HTTP/HTTPS web apps and microservices. Integrates with ECS, EKS, Lambda. NLB — Layer 4 (TCP/UDP/TLS). Preserves source IP, ultra-low latency, handles millions of req/sec. Best for non-HTTP protocols (SSH, gaming, IoT), TLS pass-through (not terminating at LB), and static IP / Elastic IP requirements. NLB is harder to misconfigure but less feature-rich at app layer.

Security · 2 questions

Q. Difference between IPS, IDS, and a firewall?
Firewall — policy-based traffic filtering by IP/port/protocol. Stateless (legacy) or stateful (modern). Default-deny rule set. IDS (Intrusion Detection System) — passive monitoring. Detects malicious patterns and alerts. Doesn't block traffic by itself. Sits on a SPAN/mirror port. IPS (Intrusion Prevention System) — inline detection + automatic blocking of malicious traffic. Sits in-line in traffic path. Modern next-gen firewalls (NGFW like Palo Alto, Fortinet, Cisco Firepower) combine all three.
Q. What is 802.1X and how does it integrate with NAC?
802.1X — port-based network access control. Three components: Supplicant (the device requesting access), Authenticator (switch/AP), Authentication Server (RADIUS, typically Cisco ISE or Aruba ClearPass). User/device must authenticate before getting network access. NAC (Network Access Control) extends 802.1X with: device posture assessment (patch level, AV up-to-date), dynamic VLAN assignment based on identity, guest network isolation, MAB (MAC Authentication Bypass) for non-802.1X devices like printers.

Behavioural · 2 questions

Q. Tell me about a time you broke something in production. What happened, and how did you fix it?
Ideal answer structure (STAR): Situation — context of the change. Task — what you were doing. Action — exactly what broke and how you reacted (escalation, rollback, root cause analysis). Result — what was fixed, what was learned, what process changed afterward. Recruiters look for: did you take ownership? Did you panic or follow process? Did you learn something durable? Don't claim 'I never broke anything' — that signals dishonesty or limited production exposure.
Q. Why are you switching from your current job?
Non-negotiable framing: focus on what you're going TOWARD, not what you're running FROM. Acceptable: 'My current role is great for skill X but doesn't have growth in cloud networking — and that's where I see my career going. Your team is building exactly the cloud network architecture I want to work on.' Avoid: 'My manager is bad', 'salary is too low', 'I'm bored'. Even if true, those signal red flags to interviewers. Always tie the answer back to the role you're interviewing for.

Palo Alto HA · 1 question

Q. What is HA1 and HA2 in Palo Alto high availability configuration?
HA1 is the control link carrying heartbeats, hello messages, and configuration synchronization between active and passive firewalls. HA2 is the data link that synchronizes session tables, forwarding tables, IPsec security associations, and ARP entries to ensure stateful failover. HA1 uses port 28769 and 28260; HA2 uses 29281. Both require dedicated physical interfaces—typically management or dedicated data ports. Bangalore enterprises like Razorpay and Flipkart run active-passive HA pairs in their data centers. Interview tip: Explain that HA1 failure triggers split-brain scenarios, while HA2 failure causes session drops during failover because state isn't synchronized.

Palo Alto · 1 question

Q. What constitutes the 6-tuple for session matching in Palo Alto Networks firewalls?
The 6-tuple used by Palo Alto Networks firewalls for session matching comprises the source IP address, destination IP address, source port, destination port, protocol, and the ingress zone. This combination uniquely identifies a network flow, allowing the firewall to apply security policies consistently. The ingress zone is critical for policy enforcement, as it determines which security rules are evaluated. Bangalore companies like Akamai and Aryaka, heavily reliant on Palo Alto, expect engineers to understand how this 6-tuple impacts policy lookup and NAT application. Interview tip: Always mention the ingress zone; it's a common differentiator from other firewall vendors' session identification methods.

Routing Protocols · 2 questions

Q. What is MP-BGP and how does it differ from regular BGP-4?
MP-BGP (Multiprotocol BGP) extends BGP-4 to carry routing information for multiple address families beyond IPv4 unicast, including IPv6, VPNv4, EVPN, and multicast routes. Regular BGP-4 only advertises IPv4 unicast prefixes. MP-BGP uses Address Family Identifier (AFI) and Subsequent AFI (SAFI) fields to distinguish route types within the same BGP session. Cisco India and service providers like Aryaka use MP-BGP extensively for MPLS L3VPN deployments where VPNv4 routes carry both customer prefix and Route Distinguisher. Interview tip: Mention that MP-BGP enables a single BGP peering to handle multiple routing tables simultaneously, critical for modern multi-tenant networks.
Q. What is the difference between OSPF and EIGRP, and when would you choose each in 2026?
OSPF is an open-standard link-state protocol using Dijkstra's algorithm, while EIGRP is Cisco's advanced distance-vector protocol using DUAL. OSPF floods LSAs across all routers in an area; EIGRP sends bounded updates only to affected neighbors. In 2026, choose OSPF for multi-vendor environments—Bangalore enterprises like Flipkart and Razorpay prefer it for vendor neutrality. Use EIGRP in pure Cisco shops (Cisco India, HCL) where sub-second convergence and simpler configuration matter. Interview tip: Mention OSPF area design and EIGRP's feasible successor concept—both are tested in Cisco interviews at Movate and Aryaka.

BGP · 1 question

Q. Explain MP-BGP address families and their use cases (VPNv4, EVPN, IPv6, multicast).
MP-BGP extends BGP to carry routing information for multiple protocols beyond IPv4 unicast using Address Family Identifiers (AFI) and Subsequent AFI (SAFI). VPNv4 (AFI 1, SAFI 128) carries MPLS L3VPN routes with route distinguishers, used by Cisco India and Aryaka for customer VPN separation. EVPN (AFI 25, SAFI 70) transports MAC/IP bindings for data center fabric overlays—Flipkart and Razorpay deploy this in VXLAN environments. IPv6 unicast (AFI 2, SAFI 1) enables dual-stack routing. Multicast (SAFI 2) distributes multicast topology separately from unicast. Interview tip: Bangalore ISPs like Tata Communications expect you to configure 'address-family vpnv4' and explain RD/RT mechanics for L3VPN troubleshooting.

Transport Layer Protocols · 1 question

Q. What is the difference between TCP and UDP, and how does this affect interview answer choice for protocol questions?
TCP is connection-oriented with three-way handshake, sequencing, and guaranteed delivery; UDP is connectionless with no acknowledgments or retransmission. TCP uses ports like 80 (HTTP), 443 (HTTPS), 22 (SSH); UDP uses 53 (DNS), 69 (TFTP), 161 (SNMP). In Bangalore interviews at Cisco India or Infosys, protocol choice questions test real-world judgment—answer TCP for reliability-critical apps (file transfer, database replication), UDP for latency-sensitive traffic (VoIP, video streaming, OSPF hellos). Interview tip: Mention TCP overhead (20-byte header vs UDP's 8 bytes) and explain why DNS queries use UDP but zone transfers use TCP—shows depth beyond textbook answers.

Routing & Switching · 1 question

Q. What is VRRP and how does it differ from HSRP and GLBP for first-hop redundancy?
VRRP (Virtual Router Redundancy Protocol, RFC 5798) is an open-standard first-hop redundancy protocol that elects one master router from a group to forward traffic using a shared virtual IP. Unlike Cisco-proprietary HSRP, VRRP uses IP protocol 112 (not UDP) and allows the physical interface IP to match the virtual IP, eliminating one hop. GLBP differs by load-balancing across up to four routers simultaneously via multiple virtual MAC addresses, while VRRP and HSRP keep standby routers idle. Bangalore employers like Cisco India and Aryaka expect you to know VRRP's preemption is enabled by default (disabled in HSRP). Interview tip: mention VRRP's faster hello timer (1s default vs HSRP's 3s) when discussing convergence.

Network Support Tiers · 1 question

Q. What is L1, L2, L3 in network engineer support tiers and how do responsibilities differ?
L1 handles ticket logging, basic troubleshooting (ping, traceroute), password resets, and escalates unresolved issues—typically 6-12 months experience. L2 engineers diagnose routing protocol failures (OSPF neighbor states, BGP path selection), VLAN misconfigurations, and firewall ACL issues—requires 2-4 years and CCNA/CCNP. L3 architects solutions, handles complex multi-vendor integrations, capacity planning, and mentors junior staff—demands 5+ years with CCIE or equivalent. Bangalore employers like Cisco India, Aryaka, and Akamai clearly separate these tiers in NOC/TAC roles. Interview tip: Be honest about your tier—claiming L3 skills without design experience is immediately evident in technical rounds.

Cisco Network Engineer Interview · 1 question

Q. What questions does Cisco India ask in a network engineer technical interview?
Cisco India typically asks protocol-deep questions: OSPF LSA types and area design, BGP path selection (local-pref, AS-path, MED), STP root election and BPDU mechanics, VLANs vs. VRFs, and troubleshooting scenarios using show commands. Expect CLI-based config tasks—configure EIGRP named mode, set up route redistribution, or fix a misconfigured trunk. They probe failure domains: what happens if HSRP active fails, or if a BGP peer flaps. Interview tip: Cisco Bangalore teams value hands-on lab proof—mention GNS3/EVE-NG projects and real outage root-cause experience. Candidates who cite specific show outputs (show ip bgp summary, show spanning-tree) stand out.

Palo Alto Firewall · 1 question

Q. Explain how a Palo Alto Security Policy is evaluated — top-down rule processing.
Palo Alto firewalls evaluate security policies sequentially from top to bottom, stopping at the first matching rule. Each session is checked against rules in order: source zone, destination zone, application, service, and user. Once a match occurs, the action (allow/deny/drop) is applied and no further rules are evaluated. The default interzone rule at the bottom denies all traffic. Interview tip: Bangalore employers like Cisco India and Aryaka expect you to explain why rule order matters — placing broad permit-any rules at the top breaks security posture. Always position specific deny rules above general allow rules.

Interview Strategy · 1 question

Q. What is the 30-60-90 day plan question in an interview, and how should a network engineer answer it?
The 30-60-90 day plan question asks candidates to outline their first three months on the job. Network engineers should structure it as: Days 1-30 — learn network topology, documentation standards, ticketing tools (ServiceNow/Remedy), shadow senior engineers; Days 31-60 — handle L2 incidents independently, contribute to change requests, audit VLAN/routing configs; Days 61-90 — propose optimization (OSPF tuning, ACL cleanup), document undocumented segments. Bangalore employers like Cisco India and Aryaka value this because it shows ownership mindset, not just technical skills. Interview tip: Reference the company's tech stack from the job description to show you researched their environment.

Incident Response · 1 question

Q. Walk me through your incident response process for a confirmed malware infection.
NIST IR lifecycle: (1) Preparation — done before incident: tools, runbooks, contacts, comms plan; (2) Detection + Analysis — confirm true positive, scope (1 host vs lateral spread), severity classification; (3) Containment — isolate affected host(s) via EDR, block C2 IPs at firewall, disable affected accounts; (4) Eradication — remove malware, patch initial entry vector; (5) Recovery — restore from clean backup, monitor for re-infection; (6) Lessons Learned — root cause analysis, runbook updates, detection rule additions. Time-criticality matters: aim for containment within 1 hour of confirmation for ransomware.

Log Analysis · 2 questions

Q. User reports their account is being locked out repeatedly. How do you investigate?
Multi-source investigation: (1) Active Directory — query event 4740 (account lockout) for source workstation/IP; (2) Filter logs from that workstation — what's authenticating? Could be: cached credentials on phone/Outlook/RDP after password change; service running with old credentials; brute-force attack from compromised host. (3) PowerShell Get-WinEvent or Splunk SPL: index=ad EventCode=4740 user=affected_user | stats count by Caller_Computer_Name. (4) On caller machine: check scheduled tasks, services, drive mappings using old creds. (5) Check for actual brute force: many failed authentications from external IP = compromised user, not just 'forgot password' lockout.
Q. What's the difference between Windows Security event 4624 vs 4625 vs 4634?
Critical events for SOC analysts: 4624 — successful login (logon type 2=interactive, 3=network, 10=remote interactive/RDP, 4=batch, 5=service). 4625 — failed login. 4634 — logoff. 4647 — user-initiated logoff (interactive). Investigation patterns: 4625 + 4624 from same source = brute-force success. Logon type 10 from external IP = potential RDP attack. Service account 4624 with logon type 3 from unusual source = potential lateral movement. Mastering these event IDs is non-negotiable for any Windows-heavy SOC role.

Network Sec · 1 question

Q. Explain how you'd detect DNS tunneling using Splunk.
DNS tunneling = encoding data in DNS queries/responses to bypass firewalls. Detection patterns: (1) Unusually long subdomain names (legitimate DNS rarely has 200+ char subdomains): index=dns | eval subdomain_length=len(query) | where subdomain_length > 100. (2) High query volume from single client: index=dns | stats count by src_ip | where count > 1000 (per hour). (3) High entropy in subdomains (random-looking strings): use Splunk MLTK shannon entropy command or custom Python. (4) Unusual record types (TXT, NULL queries from clients): index=dns query_type IN (TXT, NULL) NOT src_ip IN (legit_resolver_list). Tools: Splunk Enterprise Security has DNS analytics; standalone: bandit / Suricata DNS rules; ML option: MLTK anomaly detection on DNS metrics.

Networking · 1 question

Q. Why does a SOC analyst need to know networking?
Most SOC investigations involve network logs (firewalls, IDS/IPS, NetFlow). Without networking foundations, you can't: (1) Read packet captures effectively (Wireshark requires TCP/IP fluency); (2) Distinguish normal vs anomalous traffic patterns (TCP handshake anomalies, port scans, unusual protocol use); (3) Validate firewall denies (was the deny correct? what would have happened if allowed?); (4) Understand cloud network logs (VPC Flow Logs, Azure NSG flow logs require networking baseline); (5) Investigate lateral movement (internal network paths, remote service access). CCNA-level depth is the minimum bar. SOC L2/L3 roles often expect Network+ or higher.

Ready to ace your next networking interview?

Our flagship CCNA + CCNP combo in Bangalore includes mock interview sessions, lab assignments built around these exact question patterns, and direct introductions to 800+ hiring partners.

View Networking Course CCNA Course Details Book Free Career Consultation

About the author

Vikas Swami is the founder of Networkers Home (HSR Layout, Bangalore — since 2005) and one of India's earliest Dual CCIE certified engineers (CCIE #22239 in both Security and Routing & Switching). Ex-Cisco engineer. Has personally conducted technical interviews with over 1,000 candidates and built hiring partnerships with 800+ companies across Bangalore's product, services, BFSI, and GCC sectors. The question patterns in this guide are drawn directly from 18 years of interviewer + interviewee feedback.

Published 2026-05-12 · Last updated 2026-05-12 · 45,000+ engineers placed