CCNA + Network Engineer Interview Questions & Answers 2026

The OSI model has 7 layers: Physical, Data Link, Network, Transport, Session, Presentation, Application. IP operates at Layer 3 (Network — handles addressing and routing between networks). TCP operates at Layer 4 (Transport — handles connection-oriented reliable delivery). UDP also at Layer 4 (connectionless). Memorising this is non-negotiable for any networking interview.

/26 = 255.255.255.192 = 64 addresses per subnet. For 192.168.1.0/26: network address 192.168.1.0, broadcast 192.168.1.63, usable hosts 192.168.1.1–192.168.1.62 (62 usable). Formula: 2^(32-prefix) - 2 = 2^6 - 2 = 62 usable hosts.

Need 50 subnets → 2^6 = 64, so 6 subnet bits. Need 100 hosts/subnet → 2^7 - 2 = 126, so 7 host bits. 16 + 6 + 7 = 29 bits used → /23 prefix would give us 7 host bits and 7 subnet bits (128 subnets). Most accurate answer: /23 mask (255.255.254.0) works — gives 128 subnets of 510 hosts each. Trade-off: address efficiency vs subnet count.

Access port — carries traffic for a single VLAN, untagged. Connects end devices (PCs, printers). Frames going in are assigned to the access VLAN; frames going out are untagged. Trunk port — carries traffic for multiple VLANs, tagged with 802.1Q (or ISL legacy). Connects switches together or to routers/firewalls. Native VLAN traffic is untagged; all other VLAN traffic is tagged.

STP prevents loops in switched networks by blocking redundant paths. Root bridge election: switch with the lowest Bridge ID (Priority + MAC address) wins. Default priority is 32768 (or 32768 + VLAN ID for PVST+). Lower priority = better candidate. Once root is elected, every switch calculates the lowest-cost path to the root and blocks alternate paths. Variants: STP (802.1D), RSTP (802.1w, faster convergence), MST (802.1s, multiple instances).

RSTP (Rapid Spanning Tree Protocol, 802.1w) converges in seconds vs STP's 30-50 seconds. Key changes: (1) eliminated listening + learning states (replaced with discarding), (2) introduced edge ports + alternate ports + backup ports for faster failover, (3) uses BPDUs as keepalives bidirectionally between switches. Backwards-compatible — RSTP downshifts to STP when paired with legacy switches.

OSPF (link-state, IGP, open standard, RFC 2328) — runs Dijkstra SPF inside each area, fast convergence, hierarchical with areas. EIGRP (advanced distance-vector, IGP, originally Cisco-proprietary now open) — uses DUAL algorithm, fastest convergence among IGPs, less complex than OSPF. BGP (path-vector, EGP, RFC 4271) — used between autonomous systems (the internet's backbone), policy-driven, slow convergence, scales to 1M+ routes. Use OSPF for enterprise multi-vendor, EIGRP for Cisco-only, BGP for ISP/multi-AS.

Backbone (area 0) — must be present, all other areas connect to it. Regular area — accepts all LSA types (1, 2, 3, 4, 5). Stub area — blocks Type 5 (external LSAs); ABR injects default route. Totally stubby (Cisco proprietary) — blocks Type 3, 4, 5; only default route from ABR. NSSA (Not-So-Stubby Area) — like stub but allows Type 7 LSAs (redistributed routes from non-OSPF), translated to Type 5 at ABR. Use case: branch offices that need external route info but want a small LSDB.

On multi-access networks (Ethernet broadcast), OSPF elects a Designated Router (DR) and Backup DR (BDR) to reduce LSA flooding. Without DR, every router would establish full adjacencies with every other router on the segment (n*(n-1)/2 adjacencies). With DR, all routers form adjacencies with DR only — n adjacencies. Election: highest OSPF priority wins (default 1). Tie-broken by highest router ID. Priority 0 = ineligible. DR/BDR not used on point-to-point links.

Successor — the route with the lowest metric to a destination, installed in the routing table. Feasible Successor (FS) — a backup route that satisfies the Feasibility Condition: FS reported distance < Successor feasible distance. FS is pre-computed, kept in topology table, and installed instantly if Successor fails — no recomputation needed. This is what gives EIGRP sub-second convergence. If no FS exists, DUAL goes Active and queries neighbors — slower.

Per RFC 4271: AS_PATH, NEXT_HOP, ORIGIN, LOCAL_PREF (well-known discretionary, only for iBGP), ATOMIC_AGGREGATE (well-known discretionary), MED (optional non-transitive). Path selection order: Highest Weight (Cisco-only) → Highest LOCAL_PREF → Locally Originated → Shortest AS_PATH → Lowest ORIGIN → Lowest MED → eBGP over iBGP → Lowest IGP metric to next-hop → Oldest Route → Lowest Router-ID. Memorising this order is a CCNP / CCIE benchmark question.

Standard ACL (1–99 or 1300–1999) — filters by source IP only. Apply close to destination (because filtering only by source means you don't want to block legitimate traffic to other destinations from same source). Extended ACL (100–199 or 2000–2699) — filters by source IP + destination IP + protocol + ports. Apply close to source for efficiency (drops unwanted traffic before it traverses the network). Modern best practice: use named ACLs for both readability.

NAT (static) — 1:1 mapping between inside-local and inside-global. Used for servers needing fixed external IPs. Dynamic NAT — pool of inside-global IPs assigned dynamically to inside-local IPs as needed. Once mapping established, it persists for connection. PAT (NAT overload) — many-to-one mapping using port numbers to differentiate. The default for most internet-facing routers — millions of internal IPs sharing a single public IP via different source ports. Cisco command: ip nat inside source list 1 interface GigabitEthernet0/0 overload.

Phase 1 (IKE/ISAKMP) — establishes a secure channel for negotiating Phase 2. Negotiates: encryption algo (AES, 3DES), authentication (PSK or certs), DH group, lifetime. Two modes: Main Mode (6 messages, more secure) or Aggressive Mode (3 messages, faster but exposes identity). Phase 2 (IPsec) — establishes the actual data tunnel. Negotiates: transform set (ESP/AH + encryption + hash), proxy IDs (interesting traffic), tunnel mode (typical) or transport mode. Phase 1 SA is bidirectional; Phase 2 SAs are unidirectional pairs.

LACP (802.3ad, IEEE standard, multi-vendor) — modes: active (initiates), passive (responds). Negotiation overhead but interoperable across vendors. PAgP (Cisco-proprietary) — modes: desirable (initiates), auto (responds). Faster negotiation but Cisco-only. Static (mode on) — no negotiation, just bundles physically. Fast setup but error-prone (silent misconfig). Best practice: LACP active-active for production multi-vendor environments.

Wi-Fi 6 (802.11ax) introduced: OFDMA (better multi-user efficiency vs OFDM in Wi-Fi 5), MU-MIMO uplink + downlink (Wi-Fi 5 was downlink only), Target Wake Time (TWT) for IoT power savings, BSS Coloring (interference reduction in dense deployments), and 1024-QAM modulation (higher peak speeds). Real-world impact: Wi-Fi 6 shines in dense environments (office floors, conference centres) where Wi-Fi 5 chokes.

Layer-by-layer: (1) Layer 1: ping default gateway — if fails, check cable/link status. (2) Layer 2: arp -a to verify MAC of default gateway is learned. (3) Layer 3: ping default gateway works; ping 8.8.8.8 fails. Check routing table on PC + on default gateway. Trace route to 8.8.8.8. (4) DNS: nslookup google.com — if DNS fails but ping 8.8.8.8 works, DNS server issue. (5) Firewall: check ACLs / firewall rules at perimeter. (6) NAT: check NAT translation table (if private IP). Each layer eliminates a class of issues.

OSPF neighbor stuck in EXCHANGE typically means MTU mismatch. During DBD (Database Description) packet exchange in Phase 2, OSPF requires same MTU on both ends. Other possible causes: hello-interval / dead-interval mismatch, area mismatch, authentication mismatch, network type mismatch (point-to-point vs broadcast). Cisco command to verify: show ip ospf interface — checks MTU, hello/dead, network type. Force adjacency past MTU mismatch with: ip ospf mtu-ignore (workaround, not recommended).

Counter-intuitively, 'Active' state means BGP can NOT establish — it's actively trying. Compare to 'Established' which is the working state. Causes: (1) TCP port 179 blocked between peers (firewall), (2) Wrong neighbor IP configured, (3) eBGP-multihop required but not configured, (4) AS number mismatch, (5) authentication password mismatch, (6) prefix-list / route-map filtering all routes. Debug: debug ip bgp events. Check show ip bgp summary for state progression.

Paramiko — generic Python SSH library, low-level. You handle connect, authenticate, send commands, parse output yourself. Netmiko — built on top of Paramiko, network-device-specific. Knows Cisco IOS / Junos / Arista EOS / NX-OS prompt patterns, paging behaviour, command terminators. Auto-handles 'Press any key to continue', 'config-prompt', etc. Netmiko is the standard for Cisco device automation in Python. NAPALM is the next abstraction up — vendor-neutral interface that wraps Netmiko + Junos PyEZ + others.

---\n- name: Push VLAN config to switches\n hosts: cisco_switches\n gather_facts: no\n connection: network_cli\n tasks:\n - name: Configure VLAN 100\n cisco.ios.ios_config:\n lines:\n - vlan 100\n - name DATA_VLAN\n match: line\n replace: line\n register: result\n - name: Save config\n cisco.ios.ios_config:\n save_when: modified\n— Inventory file lists hosts under [cisco_switches]. Run with: ansible-playbook playbook.yml -i inventory.ini -u admin --ask-pass.

MPLS — provider-managed Layer 2.5 technology with QoS guarantees and predictable latency. Reliable but expensive (~10x cost of broadband per Mbps). Single carrier dependency. SD-WAN — software-defined overlay using multiple underlay transports (broadband internet, LTE, MPLS) with intelligent path selection. Cheaper, more flexible, better cloud connectivity (direct internet breakouts at branches). Major vendors: Cisco SD-WAN (Viptela), VMware VeloCloud (now Velocloud SD-WAN), Versa Networks. Migration is a major Bangalore hiring trend in 2026.

Traditional VPN — 'castle and moat' model. User authenticates once, gets full network access. Once breached, attacker has network-wide access. ZTNA — 'never trust, always verify'. Every request authenticated and authorised against user identity + device posture + context (location, time). User connects to specific applications, not the network. Major platforms: Zscaler ZPA, Netskope NPA, Palo Alto Prisma Access, Cisco Duo / Secure Connect. Hiring growth for ZTNA engineers is 35% YoY in 2026.

BGP EVPN (RFC 7432) — uses MP-BGP to advertise MAC and IP addresses (instead of just IP prefixes). Primary use: VXLAN-based datacentre fabrics. Replaces older flood-and-learn approaches with control-plane-driven learning. Cisco implementations: ACI fabric, Nexus 9K with VXLAN. Major use case in modern Bangalore datacentres — every cloud service provider's underlay uses EVPN-VXLAN.

VPC Peering — direct 1:1 connection between two VPCs. Non-transitive (A→B and A→C does NOT enable B→C). Cheap, simple. Use for small hub-and-spoke or 2-3 VPC integrations. Transit Gateway — central hub for many VPCs (up to 5,000) and on-prem connections. Transitive routing. More expensive but scales massively. Use for: enterprise multi-account architectures, multi-region replication, hybrid cloud connectivity. Senior network engineer roles in Bangalore now ask AWS networking depth — TGW is common interview topic.

ALB — Layer 7 (application). Routes by URL path, hostname, headers. SSL termination at LB. Best for HTTP/HTTPS web apps and microservices. Integrates with ECS, EKS, Lambda. NLB — Layer 4 (TCP/UDP/TLS). Preserves source IP, ultra-low latency, handles millions of req/sec. Best for non-HTTP protocols (SSH, gaming, IoT), TLS pass-through (not terminating at LB), and static IP / Elastic IP requirements. NLB is harder to misconfigure but less feature-rich at app layer.

Firewall — policy-based traffic filtering by IP/port/protocol. Stateless (legacy) or stateful (modern). Default-deny rule set. IDS (Intrusion Detection System) — passive monitoring. Detects malicious patterns and alerts. Doesn't block traffic by itself. Sits on a SPAN/mirror port. IPS (Intrusion Prevention System) — inline detection + automatic blocking of malicious traffic. Sits in-line in traffic path. Modern next-gen firewalls (NGFW like Palo Alto, Fortinet, Cisco Firepower) combine all three.

802.1X — port-based network access control. Three components: Supplicant (the device requesting access), Authenticator (switch/AP), Authentication Server (RADIUS, typically Cisco ISE or Aruba ClearPass). User/device must authenticate before getting network access. NAC (Network Access Control) extends 802.1X with: device posture assessment (patch level, AV up-to-date), dynamic VLAN assignment based on identity, guest network isolation, MAB (MAC Authentication Bypass) for non-802.1X devices like printers.

Ideal answer structure (STAR): Situation — context of the change. Task — what you were doing. Action — exactly what broke and how you reacted (escalation, rollback, root cause analysis). Result — what was fixed, what was learned, what process changed afterward. Recruiters look for: did you take ownership? Did you panic or follow process? Did you learn something durable? Don't claim 'I never broke anything' — that signals dishonesty or limited production exposure.

Non-negotiable framing: focus on what you're going TOWARD, not what you're running FROM. Acceptable: 'My current role is great for skill X but doesn't have growth in cloud networking — and that's where I see my career going. Your team is building exactly the cloud network architecture I want to work on.' Avoid: 'My manager is bad', 'salary is too low', 'I'm bored'. Even if true, those signal red flags to interviewers. Always tie the answer back to the role you're interviewing for.