Cisco / Network Engineer Interview Questions

30 real interview questions from Cisco / network engineer interviews at Bangalore's top product, services, and BFSI companies. Each answer is the atomic version — for the full explanation, related concepts, and a complete topic guide, follow the link to the full version on Networkers Home.

Want structured preparation, not just Q&A drilling? Networkers Home's full Cisco / network engineer interview prep guide groups these questions by interview round, adds strong-answer vs weak-answer notes, and walks through the follow-up questions panels typically ask next.

OSI / TCP-IP

Q. Explain the OSI model — and which layers do TCP and IP operate at?

The OSI model has 7 layers: Physical, Data Link, Network, Transport, Session, Presentation, Application. IP operates at Layer 3 (Network — handles addressing and routing between networks). TCP operates at Layer 4 (Transport — handles connection-oriented reliable delivery). UDP also at Layer 4 (conne…

Subnetting

Q. What's the broadcast address and number of usable hosts for 192.168.1.0/26?

/26 = 255.255.255.192 = 64 addresses per subnet. For 192.168.1.0/26: network address 192.168.1.0, broadcast 192.168.1.63, usable hosts 192.168.1.1–192.168.1.62 (62 usable). Formula: 2^(32-prefix) - 2 = 2^6 - 2 = 62 usable hosts.

Q. How do you subnet 10.0.0.0/16 to support 50 subnets each with at least 100 hosts?

Need 50 subnets → 2^6 = 64, so 6 subnet bits. Need 100 hosts/subnet → 2^7 - 2 = 126, so 7 host bits. 16 + 6 + 7 = 29 bits used → /23 prefix would give us 7 host bits and 7 subnet bits (128 subnets). Most accurate answer: /23 mask (255.255.254.0) works — gives 128 subnets of 510 hosts each. Trade-off…

VLAN / STP

Q. Difference between access port and trunk port?

Access port — carries traffic for a single VLAN, untagged. Connects end devices (PCs, printers). Frames going in are assigned to the access VLAN; frames going out are untagged. Trunk port — carries traffic for multiple VLANs, tagged with 802.1Q (or ISL legacy). Connects switches together or to route…

Q. What's the role of Spanning Tree Protocol (STP) and how is the root bridge elected?

STP prevents loops in switched networks by blocking redundant paths. Root bridge election: switch with the lowest Bridge ID (Priority + MAC address) wins. Default priority is 32768 (or 32768 + VLAN ID for PVST+). Lower priority = better candidate. Once root is elected, every switch calculates the lo…

Q. What's the difference between RSTP and traditional STP?

RSTP (Rapid Spanning Tree Protocol, 802.1w) converges in seconds vs STP's 30-50 seconds. Key changes: (1) eliminated listening + learning states (replaced with discarding), (2) introduced edge ports + alternate ports + backup ports for faster failover, (3) uses BPDUs as keepalives bidirectionally be…

Routing

Q. What's the difference between OSPF, EIGRP, and BGP?

OSPF (link-state, IGP, open standard, RFC 2328) — runs Dijkstra SPF inside each area, fast convergence, hierarchical with areas. EIGRP (advanced distance-vector, IGP, originally Cisco-proprietary now open) — uses DUAL algorithm, fastest convergence among IGPs, less complex than OSPF. BGP (path-vecto…

Q. Explain OSPF area types — backbone, regular, stub, totally stubby, NSSA.

Backbone (area 0) — must be present, all other areas connect to it. Regular area — accepts all LSA types (1, 2, 3, 4, 5). Stub area — blocks Type 5 (external LSAs); ABR injects default route. Totally stubby (Cisco proprietary) — blocks Type 3, 4, 5; only default route from ABR. NSSA (Not-So-Stubby A…

Q. What's an OSPF DR/BDR and why are they elected?

On multi-access networks (Ethernet broadcast), OSPF elects a Designated Router (DR) and Backup DR (BDR) to reduce LSA flooding. Without DR, every router would establish full adjacencies with every other router on the segment (n*(n-1)/2 adjacencies). With DR, all routers form adjacencies with DR only…

Q. EIGRP DUAL algorithm — explain Successor and Feasible Successor.

Successor — the route with the lowest metric to a destination, installed in the routing table. Feasible Successor (FS) — a backup route that satisfies the Feasibility Condition: FS reported distance < Successor feasible distance. FS is pre-computed, kept in topology table, and installed instantly if…

Q. BGP path attributes — list the 6 well-known mandatory ones.

Per RFC 4271: AS_PATH, NEXT_HOP, ORIGIN, LOCAL_PREF (well-known discretionary, only for iBGP), ATOMIC_AGGREGATE (well-known discretionary), MED (optional non-transitive). Path selection order: Highest Weight (Cisco-only) → Highest LOCAL_PREF → Locally Originated → Shortest AS_PATH → Lowest ORIGIN → …

ACLs / NAT

Q. Standard vs extended ACL — when do you use each?

Standard ACL (1–99 or 1300–1999) — filters by source IP only. Apply close to destination (because filtering only by source means you don't want to block legitimate traffic to other destinations from same source). Extended ACL (100–199 or 2000–2699) — filters by source IP + destination IP + protocol …

Q. Difference between NAT, PAT, and dynamic NAT?

NAT (static) — 1:1 mapping between inside-local and inside-global. Used for servers needing fixed external IPs. Dynamic NAT — pool of inside-global IPs assigned dynamically to inside-local IPs as needed. Once mapping established, it persists for connection. PAT (NAT overload) — many-to-one mapping u…

VPN

Q. Site-to-site IPsec VPN — explain Phase 1 and Phase 2.

Phase 1 (IKE/ISAKMP) — establishes a secure channel for negotiating Phase 2. Negotiates: encryption algo (AES, 3DES), authentication (PSK or certs), DH group, lifetime. Two modes: Main Mode (6 messages, more secure) or Aggressive Mode (3 messages, faster but exposes identity). Phase 2 (IPsec) — esta…

Switching

Q. EtherChannel — LACP vs PAgP vs static. Trade-offs?

LACP (802.3ad, IEEE standard, multi-vendor) — modes: active (initiates), passive (responds). Negotiation overhead but interoperable across vendors. PAgP (Cisco-proprietary) — modes: desirable (initiates), auto (responds). Faster negotiation but Cisco-only. Static (mode on) — no negotiation, just bun…

Wireless

Q. What are the differences between 802.11ax (Wi-Fi 6) and 802.11ac (Wi-Fi 5)?

Wi-Fi 6 (802.11ax) introduced: OFDMA (better multi-user efficiency vs OFDM in Wi-Fi 5), MU-MIMO uplink + downlink (Wi-Fi 5 was downlink only), Target Wake Time (TWT) for IoT power savings, BSS Coloring (interference reduction in dense deployments), and 1024-QAM modulation (higher peak speeds). Real-…

Troubleshooting

Q. User reports they can't reach 8.8.8.8 from their PC — walk through troubleshooting.

Layer-by-layer: (1) Layer 1: ping default gateway — if fails, check cable/link status. (2) Layer 2: arp -a to verify MAC of default gateway is learned. (3) Layer 3: ping default gateway works; ping 8.8.8.8 fails. Check routing table on PC + on default gateway. Trace route to 8.8.8.8. (4) DNS: nslook…

Q. show ip ospf neighbor returns 'EXCHANGE' state stuck — what's wrong?

OSPF neighbor stuck in EXCHANGE typically means MTU mismatch. During DBD (Database Description) packet exchange in Phase 2, OSPF requires same MTU on both ends. Other possible causes: hello-interval / dead-interval mismatch, area mismatch, authentication mismatch, network type mismatch (point-to-poi…

Q. BGP neighbor stuck in 'Active' state — what does it mean?

Counter-intuitively, 'Active' state means BGP can NOT establish — it's actively trying. Compare to 'Established' which is the working state. Causes: (1) TCP port 179 blocked between peers (firewall), (2) Wrong neighbor IP configured, (3) eBGP-multihop required but not configured, (4) AS number misma…

Network Automation

Q. What is Netmiko and how does it differ from Paramiko?

Paramiko — generic Python SSH library, low-level. You handle connect, authenticate, send commands, parse output yourself. Netmiko — built on top of Paramiko, network-device-specific. Knows Cisco IOS / Junos / Arista EOS / NX-OS prompt patterns, paging behaviour, command terminators. Auto-handles 'Pr…

Q. Show me a basic Ansible playbook to push a config to 10 Cisco switches.

---
- name: Push VLAN config to switches
  hosts: cisco_switches
  gather_facts: no
  connection: network_cli
  tasks:
    - name: Configure VLAN 100
      cisco.ios.ios_config:
        lines:
          - vlan 100
          - name DATA_VLAN
        match: line
        replace: line
…

Modern

Q. What is SD-WAN and how does it differ from MPLS?

MPLS — provider-managed Layer 2.5 technology with QoS guarantees and predictable latency. Reliable but expensive (~10x cost of broadband per Mbps). Single carrier dependency. SD-WAN — software-defined overlay using multiple underlay transports (broadband internet, LTE, MPLS) with intelligent path se…

Q. Explain Zero Trust Network Architecture (ZTNA) and how it differs from VPN.

Traditional VPN — 'castle and moat' model. User authenticates once, gets full network access. Once breached, attacker has network-wide access. ZTNA — 'never trust, always verify'. Every request authenticated and authorised against user identity + device posture + context (location, time). User conne…

Q. What is BGP EVPN and where is it used?

BGP EVPN (RFC 7432) — uses MP-BGP to advertise MAC and IP addresses (instead of just IP prefixes). Primary use: VXLAN-based datacentre fabrics. Replaces older flood-and-learn approaches with control-plane-driven learning. Cisco implementations: ACI fabric, Nexus 9K with VXLAN. Major use case in mode…

Cloud Networking

Q. Explain AWS VPC peering vs Transit Gateway — when to use each?

VPC Peering — direct 1:1 connection between two VPCs. Non-transitive (A→B and A→C does NOT enable B→C). Cheap, simple. Use for small hub-and-spoke or 2-3 VPC integrations. Transit Gateway — central hub for many VPCs (up to 5,000) and on-prem connections. Transitive routing. More expensive but scales…

Q. What's the difference between AWS Network Load Balancer (NLB) and Application Load Balancer (ALB)?

ALB — Layer 7 (application). Routes by URL path, hostname, headers. SSL termination at LB. Best for HTTP/HTTPS web apps and microservices. Integrates with ECS, EKS, Lambda. NLB — Layer 4 (TCP/UDP/TLS). Preserves source IP, ultra-low latency, handles millions of req/sec. Best for non-HTTP protocols (…

Security

Q. Difference between IPS, IDS, and a firewall?

Firewall — policy-based traffic filtering by IP/port/protocol. Stateless (legacy) or stateful (modern). Default-deny rule set. IDS (Intrusion Detection System) — passive monitoring. Detects malicious patterns and alerts. Doesn't block traffic by itself. Sits on a SPAN/mirror port. IPS (Intrusion Pre…

Q. What is 802.1X and how does it integrate with NAC?

802.1X — port-based network access control. Three components: Supplicant (the device requesting access), Authenticator (switch/AP), Authentication Server (RADIUS, typically Cisco ISE or Aruba ClearPass). User/device must authenticate before getting network access. NAC (Network Access Control) extend…

Behavioural

Q. Tell me about a time you broke something in production. What happened, and how did you fix it?

Ideal answer structure (STAR): Situation — context of the change. Task — what you were doing. Action — exactly what broke and how you reacted (escalation, rollback, root cause analysis). Result — what was fixed, what was learned, what process changed afterward. Recruiters look for: did you take owne…

Q. Why are you switching from your current job?

Non-negotiable framing: focus on what you're going TOWARD, not what you're running FROM. Acceptable: 'My current role is great for skill X but doesn't have growth in cloud networking — and that's where I see my career going. Your team is building exactly the cloud network architecture I want to work…

Palo Alto HA

Q. What is HA1 and HA2 in Palo Alto high availability configuration?

HA1 is the control link carrying heartbeats, hello messages, and configuration synchronization between active and passive firewalls. HA2 is the data link that synchronizes session tables, forwarding tables, IPsec security associations, and ARP entries to ensure stateful failover. HA1 uses port 28769…

Palo Alto

Q. What constitutes the 6-tuple for session matching in Palo Alto Networks firewalls?

The 6-tuple used by Palo Alto Networks firewalls for session matching comprises the source IP address, destination IP address, source port, destination port, protocol, and the ingress zone. This combination uniquely identifies a network flow, allowing the firewall to apply security policies consiste…

Routing Protocols

Q. What is MP-BGP and how does it differ from regular BGP-4?

MP-BGP (Multiprotocol BGP) extends BGP-4 to carry routing information for multiple address families beyond IPv4 unicast, including IPv6, VPNv4, EVPN, and multicast routes. Regular BGP-4 only advertises IPv4 unicast prefixes. MP-BGP uses Address Family Identifier (AFI) and Subsequent AFI (SAFI) field…

Q. What is the difference between OSPF and EIGRP, and when would you choose each in 2026?

OSPF is an open-standard link-state protocol using Dijkstra's algorithm, while EIGRP is Cisco's advanced distance-vector protocol using DUAL. OSPF floods LSAs across all routers in an area; EIGRP sends bounded updates only to affected neighbors. In 2026, choose OSPF for multi-vendor environments—Ban…

BGP

Q. Explain MP-BGP address families and their use cases (VPNv4, EVPN, IPv6, multicast).

MP-BGP extends BGP to carry routing information for multiple protocols beyond IPv4 unicast using Address Family Identifiers (AFI) and Subsequent AFI (SAFI). VPNv4 (AFI 1, SAFI 128) carries MPLS L3VPN routes with route distinguishers, used by Cisco India and Aryaka for customer VPN separation. EVPN (…

Transport Layer Protocols

Q. What is the difference between TCP and UDP, and how does this affect interview answer choice for protocol questions?

TCP is connection-oriented with three-way handshake, sequencing, and guaranteed delivery; UDP is connectionless with no acknowledgments or retransmission. TCP uses ports like 80 (HTTP), 443 (HTTPS), 22 (SSH); UDP uses 53 (DNS), 69 (TFTP), 161 (SNMP). In Bangalore interviews at Cisco India or Infosys…

Routing & Switching

Q. What is VRRP and how does it differ from HSRP and GLBP for first-hop redundancy?

VRRP (Virtual Router Redundancy Protocol, RFC 5798) is an open-standard first-hop redundancy protocol that elects one master router from a group to forward traffic using a shared virtual IP. Unlike Cisco-proprietary HSRP, VRRP uses IP protocol 112 (not UDP) and allows the physical interface IP to ma…

Network Support Tiers

Q. What is L1, L2, L3 in network engineer support tiers and how do responsibilities differ?

L1 handles ticket logging, basic troubleshooting (ping, traceroute), password resets, and escalates unresolved issues—typically 6-12 months experience. L2 engineers diagnose routing protocol failures (OSPF neighbor states, BGP path selection), VLAN misconfigurations, and firewall ACL issues—requires…

Cisco Network Engineer Interview

Q. What questions does Cisco India ask in a network engineer technical interview?

Cisco India typically asks protocol-deep questions: OSPF LSA types and area design, BGP path selection (local-pref, AS-path, MED), STP root election and BPDU mechanics, VLANs vs. VRFs, and troubleshooting scenarios using show commands. Expect CLI-based config tasks—configure EIGRP named mode, set up…

Palo Alto Firewall

Q. Explain how a Palo Alto Security Policy is evaluated — top-down rule processing.

Palo Alto firewalls evaluate security policies sequentially from top to bottom, stopping at the first matching rule. Each session is checked against rules in order: source zone, destination zone, application, service, and user. Once a match occurs, the action (allow/deny/drop) is applied and no furt…

Interview Strategy

Q. What is the 30-60-90 day plan question in an interview, and how should a network engineer answer it?

The 30-60-90 day plan question asks candidates to outline their first three months on the job. Network engineers should structure it as: Days 1-30 — learn network topology, documentation standards, ticketing tools (ServiceNow/Remedy), shadow senior engineers; Days 31-60 — handle L2 incidents indepen…