Junior Network Engineer Interview Questions and Answers

Introduction

Junior network engineer interviews usually test whether you can explain the fundamentals clearly and troubleshoot in a structured way. Expect questions on OSI and TCP/IP, subnetting, VLANs, DHCP, DNS, routing, switching, basic security controls, and how you would isolate a connectivity problem.

Use each answer as a model, then practice saying it in your own words. A strong junior answer is not just a definition; it connects the concept to a real network problem, the commands you would check, and the risk you would avoid.

TCP/IP Fundamentals

1. Explain the OSI model and TCP/IP model.

Answer:

OSI Model (7 Layers):

1. Physical - Cables, signals
2. Data Link - MAC addresses, switches
3. Network - IP addresses, routing
4. Transport - TCP/UDP, ports
5. Session - Connections
6. Presentation - Encryption, formatting
7. Application - HTTP, FTP, DNS

TCP/IP Model (4 Layers):

1. Network Access - Physical + Data Link
2. Internet - IP
3. Transport - TCP/UDP
4. Application - Application + Presentation + Session

In an interview, explain that OSI is often used as a troubleshooting framework, while TCP/IP maps more closely to how real networks and protocols are implemented. For example, if a user says "the internet is down," you can move from Layer 1 checks like cable/link status to Layer 3 IP/gateway checks and then Layer 7 DNS or application checks.

Rarity: Very Common
Difficulty: Easy

2. What's the difference between TCP and UDP?

Answer:

TCP is better when correctness matters, such as web sessions, file transfers, SSH, and email. UDP is better when low latency matters and the application can tolerate or handle loss, such as DNS lookups, voice, video, gaming, and some streaming protocols.

TCP Three-Way Handshake:

Client          Server
  |---SYN--->      |
  |<--SYN-ACK--|   |
  |---ACK--->      |

Rarity: Very Common
Difficulty: Easy

IP Addressing

3. Explain subnetting and calculate subnet masks.

Answer: Subnetting divides a network into smaller subnetworks.

Example: 192.168.1.0/24

• Network: 192.168.1.0
• Subnet Mask: 255.255.255.0
• Usable IPs: 192.168.1.1 - 192.168.1.254
• Broadcast: 192.168.1.255

Subnetting Example:

Network: 192.168.1.0/24
Need: 4 subnets

/24 → /26 (4 subnets, 62 hosts each)

Subnet 1: 192.168.1.0/26   (192.168.1.1 - 192.168.1.62)
Subnet 2: 192.168.1.64/26  (192.168.1.65 - 192.168.1.126)
Subnet 3: 192.168.1.128/26 (192.168.1.129 - 192.168.1.190)
Subnet 4: 192.168.1.192/26 (192.168.1.193 - 192.168.1.254)

CIDR Notation:

• /24 = 255.255.255.0 (256 addresses)
• /25 = 255.255.255.128 (128 addresses)
• /26 = 255.255.255.192 (64 addresses)
• /27 = 255.255.255.224 (32 addresses)

Interview shortcut: each borrowed bit doubles the number of subnets and halves the size of each subnet. For a /26, there are 64 addresses per subnet, and two are normally reserved for the network and broadcast addresses.

Rarity: Very Common
Difficulty: Medium

4. Explain NAT and its types.

Answer: NAT (Network Address Translation) translates private IP addresses to public IP addresses.

Why Use NAT:

• Conserve public IP addresses
• Reduce direct exposure of internal private addresses
• Flexibility in network design

NAT Types:

1. Static NAT:

• One-to-one mapping
• Private IP ↔ Public IP
• Used for servers

2. Dynamic NAT:

• Pool of public IPs
• First-come, first-served
• Temporary mapping

3. PAT (Port Address Translation):

• Many-to-one mapping
• Uses port numbers
• Most common (home routers)

Static NAT Configuration (Cisco):

! Configure inside interface
Router(config)# interface fastethernet 0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit

! Configure outside interface
Router(config)# interface fastethernet 0/1
Router(config-if)# ip address 203.0.113.5 255.255.255.0
Router(config-if)# ip nat outside
Router(config-if)# exit

! Create static NAT mapping
Router(config)# ip nat inside source static 192.168.1.10 203.0.113.10

! Verify
Router# show ip nat translations

Dynamic NAT Configuration:

! Define pool of public IPs
Router(config)# ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0

! Define which private IPs can use NAT
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

! Link ACL to pool
Router(config)# ip nat inside source list 1 pool PUBLIC_POOL

! Verify
Router# show ip nat translations
Router# show ip nat statistics

PAT Configuration (Overload):

! Use single public IP with port translation
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface fastethernet 0/1 overload

! Or with a pool
Router(config)# ip nat inside source list 1 pool PUBLIC_POOL overload

NAT Translation Example:

Inside Local    Inside Global    Outside Global    Outside Local
192.168.1.10    203.0.113.5      8.8.8.8          8.8.8.8
192.168.1.11    203.0.113.5      8.8.8.8          8.8.8.8

With PAT:
192.168.1.10:1234 → 203.0.113.5:50001 → 8.8.8.8:80
192.168.1.11:1234 → 203.0.113.5:50002 → 8.8.8.8:80

Troubleshooting NAT:

! Clear NAT translations
Router# clear ip nat translation *

! Debug NAT
Router# debug ip nat
Router# debug ip nat detailed

! Show NAT statistics
Router# show ip nat statistics

Limitations:

• Breaks end-to-end connectivity
• Complicates some protocols (FTP, SIP)
• Not suitable for servers (use static NAT)
• IPv6 eliminates need for NAT

Rarity: Very Common
Difficulty: Easy-Medium

Switching

5. What is a VLAN and why use it?

Answer: VLAN (Virtual LAN) logically segments a network.

Benefits:

• Segmentation (separate users, servers, voice, guest, or management traffic)
• Performance (reduce broadcast domains)
• Flexibility (group by function, not location)
• Policy control (apply different firewall, ACL, or quality-of-service rules)

An access port belongs to one VLAN and is usually used for an endpoint. A trunk carries multiple VLANs between switches, routers, or hypervisors by tagging frames. If a user cannot reach expected resources, verify the access VLAN, trunk allowed VLANs, native VLAN, and whether inter-VLAN routing exists.

VLAN Configuration (Cisco):

! Create VLAN
Switch(config)# vlan 10
Switch(config-vlan)# name Sales
Switch(config-vlan)# exit

Switch(config)# vlan 20
Switch(config-vlan)# name IT
Switch(config-vlan)# exit

! Assign port to VLAN
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10

! Configure trunk port
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20

! Verify
Switch# show vlan brief
Switch# show interfaces trunk

Rarity: Very Common
Difficulty: Medium

6. What is Spanning Tree Protocol and why is it needed?

Answer: STP (Spanning Tree Protocol) prevents Layer 2 loops in switched networks.

Problem Without STP:

• Broadcast storms
• MAC table instability
• Multiple frame copies
• Network meltdown

How STP Works:

STP Port States:

1. Blocking: Doesn't forward frames, prevents loops
2. Listening: Preparing to forward, listening for BPDUs
3. Learning: Learning MAC addresses
4. Forwarding: Normal operation
5. Disabled: Administratively down

Port Roles:

• Root Port: Best path to root bridge
• Designated Port: Forwarding port on segment
• Blocked Port: Prevents loops

STP Selection Process:

1. Elect Root Bridge (lowest Bridge ID)
   Bridge ID = Priority (default 32768) + MAC Address

2. Select Root Ports (best path to root)
   Based on: Path Cost → Bridge ID → Port ID

3. Select Designated Ports (one per segment)

4. Block remaining ports

STP Configuration (Cisco):

! View STP status
Switch# show spanning-tree

! Set bridge priority (make this switch root)
Switch(config)# spanning-tree vlan 1 priority 4096
# Priority must be multiple of 4096 (0-61440)

! Or use shortcut
Switch(config)# spanning-tree vlan 1 root primary
Switch(config)# spanning-tree vlan 1 root secondary

! Configure port cost
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# spanning-tree cost 4

! Configure port priority
Switch(config-if)# spanning-tree port-priority 64

! Enable PortFast (for end devices only!)
Switch(config-if)# spanning-tree portfast

! Enable BPDU Guard (shuts port if BPDU received)
Switch(config-if)# spanning-tree bpduguard enable

STP Variants:

RSTP (Rapid Spanning Tree):

! Enable RSTP
Switch(config)# spanning-tree mode rapid-pvst

! Verify
Switch# show spanning-tree summary

RSTP Port States (Simplified):

• Discarding: Combines Blocking, Listening, Disabled
• Learning: Learning MAC addresses
• Forwarding: Normal operation

Troubleshooting STP:

! Check STP status
Switch# show spanning-tree

! Check specific VLAN
Switch# show spanning-tree vlan 10

! Check interface details
Switch# show spanning-tree interface gigabitethernet 0/1

! View root bridge
Switch# show spanning-tree root

! Debug STP
Switch# debug spanning-tree events

Common Issues:

1. Topology Changes:

   • Frequent changes cause instability
   • Use PortFast on access ports

2. Root Bridge Placement:

   • Should be central, high-capacity switch
   • Set priority manually

3. Loops:

   • Enable BPDU Guard on access ports
   • Monitor for unexpected topology changes

Rarity: Common
Difficulty: Medium

Routing

7. What's the difference between static and dynamic routing?

Answer:

Static Routing:

• Manually configured
• No overhead
• Doesn't adapt to changes
• Good for small, stable networks

Dynamic Routing:

• Automatically learns routes
• Adapts to topology changes
• More overhead
• Good for large, complex networks

Static Route Example:

! Add static route
Router(config)# ip route 192.168.2.0 255.255.255.0 10.0.0.1

! Default route
Router(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.1

! Verify
Router# show ip route

Dynamic Routing Protocols:

• RIP: Simple, distance-vector
• OSPF: Link-state, fast convergence
• EIGRP: Cisco proprietary, hybrid
• BGP: Internet routing

Rarity: Very Common
Difficulty: Easy-Medium

8. How do you configure Access Control Lists (ACLs)?

Answer: ACLs filter network traffic based on defined rules.

ACL Types:

1. Standard ACL (1-99, 1300-1999):

• Filters based on source IP only
• Applied close to destination

2. Extended ACL (100-199, 2000-2699):

• Filters based on source/dest IP, protocol, port
• Applied close to source

Standard ACL Example:

! Create standard ACL
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any

! Apply to interface
Router(config)# interface fastethernet 0/0
Router(config-if)# ip access-group 10 in

! Verify
Router# show access-lists
Router# show ip interface fastethernet 0/0

Extended ACL Example:

! Create extended ACL
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
Router(config)# access-list 100 deny ip any any

! Apply to interface
Router(config)# interface fastethernet 0/1
Router(config-if)# ip access-group 100 out

Named ACL (Recommended):

! Standard named ACL
Router(config)# ip access-list standard ALLOW_INTERNAL
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# deny any
Router(config-std-nacl)# exit

! Extended named ACL
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# permit tcp any any eq 80
Router(config-ext-nacl)# permit tcp any any eq 443
Router(config-ext-nacl)# permit icmp any any echo-reply
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# exit

! Apply to interface
Router(config)# interface gigabitethernet 0/0
Router(config-if)# ip access-group WEB_TRAFFIC in

Wildcard Masks:

0 = must match
1 = don't care

Examples:
0.0.0.0 = exact match
0.0.0.255 = match first 3 octets (/24)
0.0.255.255 = match first 2 octets (/16)
255.255.255.255 = match any (same as "any")

Host:
192.168.1.10 0.0.0.0 = single host
Or use: host 192.168.1.10

Common ACL Scenarios:

1. Block specific host:

Router(config)# ip access-list extended BLOCK_HOST
Router(config-ext-nacl)# deny ip host 192.168.1.50 any
Router(config-ext-nacl)# permit ip any any

2. Allow only SSH and HTTPS:

Router(config)# ip access-list extended SECURE_ACCESS
Router(config-ext-nacl)# permit tcp any any eq 22
Router(config-ext-nacl)# permit tcp any any eq 443
Router(config-ext-nacl)# deny ip any any

3. Prevent spoofing:

Router(config)# ip access-list extended ANTI_SPOOF
Router(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 any
Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# permit ip any any

ACL Best Practices:

1. Order Matters:

   • Processed top to bottom
   • Most specific rules first
   • Implicit deny at end

2. Placement:

   • Standard ACL: Close to destination
   • Extended ACL: Close to source

3. Documentation:

   • Use named ACLs
   • Add remarks

Router(config)# ip access-list extended FIREWALL
Router(config-ext-nacl)# remark Allow web traffic
Router(config-ext-nacl)# permit tcp any any eq 80
Router(config-ext-nacl)# remark Block internal network
Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any

Editing ACLs:

! View ACL with line numbers
Router# show ip access-lists WEB_TRAFFIC

! Remove specific line
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# no 10

! Insert at specific line
Router(config-ext-nacl)# 15 permit tcp any any eq 8080

Troubleshooting:

! Show ACL hits
Router# show access-lists

! Show ACL on interface
Router# show ip interface gigabitethernet 0/0

! Clear ACL counters
Router# clear access-list counters

Rarity: Common
Difficulty: Medium

Network Services

9. How does DHCP work?

Answer: DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses.

DORA Process:

1. Discover: Client broadcasts request
2. Offer: Server offers IP address
3. Request: Client requests offered IP
4. Acknowledge: Server confirms assignment

DHCP Configuration (Cisco):

! Configure DHCP pool
Router(config)# ip dhcp pool LAN
Router(dhcp-config)# network 192.168.1.0 255.255.255.0
Router(dhcp-config)# default-router 192.168.1.1
Router(dhcp-config)# dns-server 8.8.8.8 8.8.4.4
Router(dhcp-config)# lease 7

! Exclude addresses
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10

! Verify
Router# show ip dhcp binding
Router# show ip dhcp pool

Rarity: Very Common
Difficulty: Easy-Medium

Troubleshooting

10. How do you troubleshoot network connectivity issues?

Answer: Use a top-down or bottom-up method, but be consistent and say what each step proves. A clear junior-level answer is:

1. Scope the issue: Ask who is affected, what changed, whether wired and wireless users are both affected, and whether the problem is one app, one subnet, one site, or all traffic.

2. Verify Physical and Data Link Layers:

# Check cable connection
# Check link lights
# Check port status

On switches, also check whether the port is up, in the expected VLAN, blocked by STP, or shut down by port security.

3. Test Connectivity:

# Ping localhost
ping 127.0.0.1

# Ping default gateway
ping 192.168.1.1

# Ping external IP
ping 8.8.8.8

# Ping domain name
ping google.com

If pinging an external IP works but a domain name fails, the likely issue is DNS. If the gateway fails, check local IP configuration, VLAN assignment, DHCP, and switch/router interfaces.

4. Check IP Configuration:

# Windows
ipconfig /all

# Linux
ip addr show
ip route show

# Verify:
# - IP address
# - Subnet mask
# - Default gateway
# - DNS servers

5. Test DNS:

# Windows
nslookup google.com

# Linux
dig google.com
host google.com

6. Check Routing:

# Trace route
traceroute google.com  # Linux
tracert google.com     # Windows

7. Check Firewall or Port Access:

# Test specific port
telnet server.com 80
nc -zv server.com 80

Finish by explaining the fix, verifying service is restored, and documenting the cause so the same issue is easier to prevent next time.

Rarity: Very Common
Difficulty: Medium

Conclusion

For a junior network engineer interview, focus less on memorizing every command and more on showing a calm troubleshooting process. You should be able to explain:

1. TCP/IP: OSI model, protocols, addressing
2. IP Addressing: Subnetting, CIDR, IPv4/IPv6
3. NAT: Types, configuration, use cases
4. Switching: VLANs, trunking, MAC addresses
5. STP: Loop prevention, port states, RSTP
6. Routing: Static vs dynamic, routing tables
7. ACLs: Standard vs extended, wildcard masks
8. Network Services: DHCP, DNS, NAT
9. Troubleshooting: Scope, layer-by-layer checks, tools, verification

Practice with a lab or simulator, but also rehearse short verbal answers. Interviewers are usually looking for fundamentals, curiosity, and the ability to narrow a problem without guessing.