What networking topics come up most in IT technical interviews?
The most common topics are the OSI model with real protocol examples, TCP vs UDP differences and use cases, DNS record types and resolution flow, subnetting calculations, and the difference between routing protocols like OSPF and BGP. Cloud networking (VPCs, security groups) appears frequently in infrastructure and DevOps roles.
Networking knowledge is tested across a wide range of IT roles—not just network engineers. SysAdmins, cloud architects, security analysts, and DevOps engineers all encounter networking questions because the work they do depends on understanding how data moves. This article covers the most frequently asked networking questions in technical interviews, organized by topic, with the level of depth that actually gets asked at mid-to-senior level.
OSI Model and TCP/IP Questions
Layers, Protocols, and the TCP Three-Way Handshake
The OSI model appears in almost every infrastructure interview, but the follow-up questions reveal whether a candidate actually understands it or just memorized the seven layers.
"Walk me through the OSI model and give a real example at each layer."
Most candidates can name the layers. Stronger answers give concrete examples: Layer 2 is Ethernet frames and MAC addressing; Layer 3 is IP routing; Layer 4 is TCP and UDP port numbers; Layer 7 is HTTP, DNS, and application protocol behavior. The interviewer is checking whether you can map real protocols to the model.
"What is the difference between TCP and UDP? When would you use each?"
TCP provides connection-oriented, ordered, and reliable delivery via a three-way handshake (SYN, SYN-ACK, ACK) and retransmission of lost segments. UDP is connectionless, provides no guarantee of delivery or ordering, and carries less overhead. UDP is appropriate when latency matters more than reliability: DNS lookups, video streaming, VoIP, gaming. TCP is appropriate for anything requiring guaranteed delivery: file transfer, database connections, web requests.
"Explain the TCP three-way handshake and what happens at each step."
Client sends SYN with an initial sequence number (ISN)
Server responds SYN-ACK, acknowledging the client's ISN and sending its own ISN
Client sends ACK, acknowledging the server's ISN
Connection is now established. The four-way teardown (FIN, ACK, FIN, ACK) closes it. Understanding sequence numbers and how they are used for retransmission separates candidates who understand the protocol from those who know the abbreviation.
DNS Questions
Record Types, Resolution, and TTL Management
"It's not DNS. There's no way it's DNS. It was DNS." — This maxim, widely repeated among network engineers, reflects a genuine pattern: DNS misconfigurations cause a disproportionate share of production outages. Andrew Tanenbaum notes in Computer Networks (Prentice Hall, 5th ed.) that DNS's hierarchical, cached, eventually-consistent design creates multiple failure points that operators must understand cold.
DNS questions are extremely common because DNS failures cause a disproportionate number of real-world incidents.
"What happens when you type a URL into a browser and hit Enter?"
This is a classic interview question that can be answered at multiple depths. The key steps relevant to networking: DNS resolution (local cache, OS resolver, recursive resolver, root nameserver, TLD nameserver, authoritative nameserver), TCP connection establishment, TLS handshake if HTTPS, HTTP request/response. Candidates who can trace this end-to-end and discuss the role of each component demonstrate genuine understanding.
"What is the difference between an A record, CNAME, MX record, and TXT record?"
| Record Type | Purpose |
|---|---|
| A | Maps hostname to IPv4 address |
| AAAA | Maps hostname to IPv6 address |
| CNAME | Alias from one hostname to another |
| MX | Mail exchanger; specifies mail server for a domain |
| TXT | Arbitrary text; used for SPF, DKIM, domain verification |
| NS | Nameserver delegation |
| PTR | Reverse DNS; IP to hostname |
"What is a TTL in DNS and why does it matter for operations?"
TTL (Time to Live) is the number of seconds a resolver should cache a record before re-querying. Low TTLs allow rapid record updates but increase DNS query volume. High TTLs reduce query load but mean changes propagate slowly. Before a planned IP migration, an experienced engineer lowers TTL to 60-300 seconds well in advance so caches clear quickly when the change is made.
Routing and Switching Questions
VLANs, OSPF, and BGP
"What is the difference between a router and a switch?"
A switch operates at Layer 2 and forwards frames based on MAC addresses within a network segment. A router operates at Layer 3 and routes packets between different network segments based on IP addresses and routing tables. Many modern devices combine both functions, but the conceptual distinction still matters.
"Explain VLAN and why you would use one."
A VLAN (Virtual LAN) is a logical segmentation of a physical network into separate broadcast domains. VLANs allow you to isolate traffic between departments or functions (servers, workstations, IoT devices) without needing separate physical switches. Trunking allows multiple VLANs to traverse a single physical link using 802.1Q tagging.
"What is the difference between OSPF and BGP?"
OSPF is an interior gateway protocol (IGP) that runs within a single autonomous system. It uses link-state advertisements to build a topology map and calculates shortest paths using Dijkstra's algorithm. It is appropriate for internal enterprise or data center routing.
BGP is an exterior gateway protocol (EGP) designed to route between autonomous systems—it is how the internet itself routes. BGP is policy-based rather than metric-based and is used by large enterprises, ISPs, and cloud providers. In cloud environments, BGP is used for Direct Connect (AWS) and ExpressRoute (Azure) to peer on-premises networks with cloud infrastructure.
Subnetting Questions
CIDR Calculations and Subnet Division
Subnetting questions appear in almost every network and infrastructure interview. The typical format:
"Given the network 192.168.10.0/24, how many usable hosts can it support? How would you divide it into four equal subnets?"
A /24 has 256 addresses (2^8), minus 2 for network and broadcast = 254 usable hosts.
Dividing into four equal subnets requires borrowing 2 bits from the host portion, giving /26 subnets. Each /26 has 64 addresses, 62 usable:
192.168.10.0/26 (hosts 1-62)
192.168.10.64/26 (hosts 65-126)
192.168.10.128/26 (hosts 129-190)
192.168.10.192/26 (hosts 193-254)
Be comfortable doing these calculations mentally and explaining the logic, not just producing the answer.
Firewalls and Network Security Questions
Stateful vs Stateless, NAT, and DMZ Design
"What is the difference between a stateful and stateless firewall?"
A stateless firewall evaluates each packet independently against a set of rules without awareness of connection state. A stateful firewall tracks connection state and allows return traffic for established connections without needing explicit rules for each direction. Stateful inspection is standard in modern enterprise firewalls.
"What is NAT and what problem does it solve?"
Network Address Translation maps private IP addresses to one or more public IP addresses. It was introduced as a practical solution to IPv4 address exhaustion. In practice, an organization's internal hosts use RFC 1918 private addresses (10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16) and share one or a few public IPs through the NAT device.
"Explain the concept of a DMZ."
A demilitarized zone (DMZ) is a network segment that sits between the public internet and the internal trusted network. Servers that must be reachable from the internet (web servers, mail servers) are placed in the DMZ, limiting exposure if they are compromised. Traffic between the DMZ and internal network is controlled by a second firewall.
Common Diagnostic Commands
Tools for Network Troubleshooting
Interviewers for sysadmin and network roles often ask candidates to describe what commands they would use to diagnose a networking problem. Key tools:
# Check network interface configuration
ip addr show
ip route show
# Test connectivity
ping 8.8.8.8
traceroute google.com
# DNS lookup
dig google.com
nslookup google.com
# Check open ports and listening services
ss -tulnp
netstat -an
# Capture packets for analysis
tcpdump -i eth0 port 443
Knowing when to use each and what to look for in the output is the real test.
Cloud Networking Questions
AWS VPC, Security Groups, and Network ACLs
For roles that involve cloud platforms, expect questions about VPC architecture, security groups, routing tables, and peering.
"What is the difference between a security group and a network ACL in AWS?"
Security groups are stateful, apply at the instance level, and only support allow rules. Network ACLs are stateless, apply at the subnet level, and support both allow and deny rules. Because security groups are stateful, return traffic is automatically allowed. Because NACLs are stateless, you must explicitly allow both inbound and outbound directions.
See also: Linux and SysAdmin Interview Questions: The Commands and Concepts You Need
Networking role salaries and certification landscape
The networking career path has bifurcated: traditional enterprise networking roles track the Cisco certification ladder, while cloud networking roles increasingly value AWS/Azure certifications plus Terraform and automation skills.
| Role | Seniority | US salary range (2024-2025) [1] | Typical cert mix |
|---|---|---|---|
| Network Technician | Entry | $55,000-$80,000 | CompTIA Network+, CCST |
| Network Administrator | Mid | $75,000-$110,000 | CCNA, Network+ |
| Network Engineer | Mid | $100,000-$140,000 | CCNA, CCNP, AWS Advanced Networking |
| Senior Network Engineer | Senior | $135,000-$185,000 | CCNP, CCIE Written, AWS Advanced Networking |
| Network Architect | Senior | $155,000-$220,000 | CCIE, AWS Advanced Networking Specialty |
| Cloud Network Engineer | Mid-Senior | $125,000-$180,000 | AWS Advanced Networking, Azure AZ-700, Terraform |
| SDN/NFV Engineer | Senior | $150,000-$200,000 | CCNP Enterprise, DevNet Professional |
Networking certifications most cited in 2024 interviews
| Certification | Current exam code | Fee | Interview signal |
|---|---|---|---|
| CompTIA Network+ | N10-009 | $369 | Entry-level credibility |
| Cisco CCST Networking | CCST | $125 | Entry-level Cisco signal |
| Cisco CCNA | 200-301 | $300 | Mid-level Cisco signal; widely respected |
| Cisco CCNP Enterprise | 350-401 + concentration | $400 + $300 | Senior Cisco signal |
| Cisco CCIE (Written + Lab) | Various | $450 + $1,600 | Elite-tier; rarely required but highly valued |
| Cisco DevNet Associate | 200-901 | $300 | Network automation signal |
| AWS Advanced Networking Specialty | ANS-C01 | $300 | Cloud networking specialty |
| Azure Network Engineer | AZ-700 | $165 | Azure-focused cloud networking |
| Juniper JNCIA/JNCIS | Various | $200-$400 | Required for Juniper-heavy environments |
Deep-dive: BGP, OSPF, and routing decisions
BGP and OSPF questions appear in virtually every network engineer interview. Candidates who can describe them generally but cannot articulate route selection logic typically signal shallow preparation.
BGP path selection sequence - weight (Cisco proprietary), local preference, locally originated, AS path length, origin code, MED, eBGP vs iBGP, IGP metric, oldest route, router ID, neighbor IP. Candidates should be able to walk through this list in order.
OSPF DR/BDR election - happens on broadcast and NBMA networks; based on OSPF priority (default 1) then highest router ID as tiebreaker. Priority 0 excludes a router from election.
OSPF LSA types - Type 1 (Router), Type 2 (Network), Type 3 (Summary), Type 4 (ASBR Summary), Type 5 (External), Type 7 (NSSA External). Understanding which types cross which area boundaries is critical.
EIGRP metric components - K-values (bandwidth, delay, load, reliability, MTU); only K1 and K3 are used by default.
Administrative distance hierarchy - Connected (0), Static (1), eBGP (20), EIGRP internal (90), IGRP (100), OSPF (110), IS-IS (115), RIP (120), EIGRP external (170), iBGP (200).
"The difference between a senior network engineer and a mid-level one is rarely in what commands they know. It is in how they think about traffic flow and how they design for failure. A senior candidate, when asked to design a WAN, will ask about expected traffic patterns, failure scenarios, and budget before drawing a topology. A mid-level candidate starts drawing immediately." - Gary Donahue, author of Network Warrior [2].
Cloud-native networking interview trends
The shift to cloud has created a category of networking questions that would have been irrelevant a decade ago but are now central.
Transit Gateway vs VPC Peering - scalability trade-offs, routing complexity, cost implications ($0.05/GB transited through TGW vs free VPC peering within-region).
Hub-and-spoke vs mesh topologies - when to use each; Azure Virtual WAN, AWS TGW, GCP Network Connectivity Center.
Private connectivity options - PrivateLink vs VPC Endpoint Gateway vs VPC Endpoint Interface; Direct Connect vs VPN vs Express Route vs Cloud Interconnect.
Network ACL vs Security Group - stateless vs stateful, subnet vs instance level, deny rule support.
Egress cost optimization - NAT Gateway pricing, VPC Endpoint Gateway (free for S3/DynamoDB), inter-AZ data charges, cross-region data charges.
DNS architecture - Route 53 resolver rules, Private Hosted Zones, split-horizon DNS, conditional forwarding.
Candidates interviewing for senior cloud network roles should be able to sketch a multi-region, multi-VPC architecture with connectivity between on-premises (via Direct Connect), multiple VPCs (via Transit Gateway), and SaaS services (via PrivateLink) within a 20-minute whiteboard session.
Troubleshooting methodology
The command knowledge is only half of networking interview preparation. The methodology that candidates bring to troubleshooting questions is the other half.
OSI-layer bottom-up - physical first (is the cable plugged in, is the interface up), then data link (VLAN, MAC learning, STP), then network (routing, ACLs), then transport (firewall, port blocking), then application.
OSI-layer top-down - appropriate when you have application-level symptoms but need to eliminate application-layer causes before descending.
Split-half / divide and conquer - test connectivity from the middle of the path to narrow down which half contains the problem.
Recent change elimination - "what changed in the last 24 hours" is the highest-hit-rate question in real-world incident response.
Packet capture as ground truth - tcpdump or Wireshark captures resolve debates that verbal reasoning cannot.
References
[1] Robert Half. (2024). 2024 Technology Salary Guide. https://www.roberthalf.com/us/en/insights/salary-guide/technology
[2] Donahue, G. A. (2011). Network Warrior (2nd ed.). O'Reilly Media. ISBN: 978-1449387259
Tanenbaum, A. S., & Wetherall, D. J. (2011). Computer Networks (5th ed.). Prentice Hall. ISBN: 978-0132126953
Kozierok, C. M. (2005). The TCP/IP Guide: A Comprehensive, Illustrated Internet Protocols Reference. No Starch Press. ISBN: 978-1593270476
Forouzan, B. A. (2012). Data Communications and Networking (5th ed.). McGraw-Hill. ISBN: 978-0073376226
Amazon Web Services. (2024). "Amazon VPC: Security Groups and Network ACLs." https://docs.aws.amazon.com/vpc/latest/userguide/vpc-security-groups.html
Cloudflare. (2024). "DNS Record Types." https://www.cloudflare.com/learning/dns/dns-records/
Rosen, R., & Schoephoerster, T. (2014). Linux Kernel Networking: Implementation and Theory. Apress. ISBN: 978-1430261964
Doyle, J. (2016). Routing TCP/IP, Volume I (2nd ed.). Cisco Press. ISBN: 978-1587055874. The canonical reference for OSPF, IS-IS, EIGRP, and BGP route selection algorithms, cited in Cisco CCIE preparation materials for over two decades.
Amazon Web Services. (2024). AWS Transit Gateway vs VPC Peering Decision Guide. https://docs.aws.amazon.com/vpc/latest/tgw/
Cisco Systems. (2024). CCIE Enterprise Infrastructure v1.1 Lab Exam Topics. https://learningnetwork.cisco.com/s/ccie-enterprise-infrastructure
Payscale. (2024). Network Engineer Salary Survey Data. https://www.payscale.com/research/US/Job=Network_Engineer
Glassdoor. (2024). Cloud Network Engineer Compensation Report. https://www.glassdoor.com/Salaries/cloud-network-engineer-salary-SRCH_KO0,22.htm
Edgeworth, B., Gooley, J., Hucaby, D., Tischer, R., & Scordilis, J. (2020). CCNP and CCIE Enterprise Core ENCOR 350-401 Official Cert Guide. Cisco Press. ISBN: 978-1587145230. Official reference for modern enterprise network engineering at the Cisco Professional and Expert tiers.
Frequently Asked Questions
What networking topics come up most in IT technical interviews?
The most common topics are the OSI model with real protocol examples, TCP vs UDP differences and use cases, DNS record types and resolution flow, subnetting calculations, and the difference between routing protocols like OSPF and BGP. Cloud networking (VPCs, security groups) appears frequently in infrastructure and DevOps roles.
How deep do interviewers go on subnetting questions?
Mid-level interviews typically ask you to calculate subnet sizes, usable host counts, and how to divide a network into equal subnets. Senior interviews may ask you to design an addressing scheme for a multi-tier application or explain CIDR aggregation. Be comfortable calculating /24 through /30 subnets mentally.
What is the difference between OSPF and BGP?
OSPF is an interior gateway protocol that runs within a single autonomous system, uses link-state advertisements to build a topology, and calculates shortest paths with Dijkstra's algorithm. BGP is an exterior gateway protocol used between autonomous systems (including cloud provider peering) and makes decisions based on policy rather than a single metric.
What networking commands should I know for a sysadmin interview?
Know ip addr, ip route, ping, traceroute, dig, nslookup, ss or netstat for open ports, and tcpdump for packet capture. Be prepared to explain what the output means and what specific output patterns indicate problems like dropped routes or DNS failures.
What is the difference between a security group and a network ACL in AWS?
Security groups are stateful, apply at the instance level, and only support allow rules. Network ACLs are stateless, apply at the subnet level, and support both allow and deny rules. Because security groups track connection state, return traffic is automatically permitted without an explicit outbound rule.