November 25, 2025
12 min read
Junior Network Engineer Interview Questions: Complete Guide
interview
career-advice
job-search
entry-level
MB
Milad Bonakdar
Author
Master essential networking fundamentals with comprehensive interview questions covering TCP/IP, routing, switching, VLANs, and core network concepts for junior network engineer roles.
Introduction
Network Engineers design, implement, and maintain computer networks that enable communication and data transfer. As a junior network engineer, you'll need foundational knowledge of TCP/IP, routing, switching, and network troubleshooting.
This guide covers essential interview questions for junior network engineers, focusing on core networking concepts.
TCP/IP Fundamentals
1. Explain the OSI model and TCP/IP model.
Answer:
OSI Model (7 Layers):
- Physical - Cables, signals
- Data Link - MAC addresses, switches
- Network - IP addresses, routing
- Transport - TCP/UDP, ports
- Session - Connections
- Presentation - Encryption, formatting
- Application - HTTP, FTP, DNS
TCP/IP Model (4 Layers):
- Network Access - Physical + Data Link
- Internet - IP
- Transport - TCP/UDP
- Application - Application + Presentation + Session
Loading diagram...
Rarity: Very Common
Difficulty: Easy
2. What's the difference between TCP and UDP?
Answer:
| Feature | TCP | UDP |
|---|---|---|
| Connection | Connection-oriented | Connectionless |
| Reliability | Guaranteed delivery | Best effort |
| Ordering | Ordered | Unordered |
| Speed | Slower | Faster |
| Overhead | Higher | Lower |
| Use Cases | HTTP, FTP, Email | DNS, Streaming, Gaming |
TCP Three-Way Handshake:
Client Server
|---SYN---> |
|<--SYN-ACK--| |
|---ACK---> |
Rarity: Very Common
Difficulty: Easy
IP Addressing
3. Explain subnetting and calculate subnet masks.
Answer: Subnetting divides a network into smaller subnetworks.
Example: 192.168.1.0/24
- Network: 192.168.1.0
- Subnet Mask: 255.255.255.0
- Usable IPs: 192.168.1.1 - 192.168.1.254
- Broadcast: 192.168.1.255
Subnetting Example:
Network: 192.168.1.0/24
Need: 4 subnets
/24 → /26 (4 subnets, 62 hosts each)
Subnet 1: 192.168.1.0/26 (192.168.1.1 - 192.168.1.62)
Subnet 2: 192.168.1.64/26 (192.168.1.65 - 192.168.1.126)
Subnet 3: 192.168.1.128/26 (192.168.1.129 - 192.168.1.190)
Subnet 4: 192.168.1.192/26 (192.168.1.193 - 192.168.1.254)
CIDR Notation:
- /24 = 255.255.255.0 (256 addresses)
- /25 = 255.255.255.128 (128 addresses)
- /26 = 255.255.255.192 (64 addresses)
- /27 = 255.255.255.224 (32 addresses)
Rarity: Very Common
Difficulty: Medium
4. Explain NAT and its types.
Answer: NAT (Network Address Translation) translates private IP addresses to public IP addresses.
Why Use NAT:
- Conserve public IP addresses
- Security (hide internal network)
- Flexibility in network design
NAT Types:
1. Static NAT:
- One-to-one mapping
- Private IP ↔ Public IP
- Used for servers
2. Dynamic NAT:
- Pool of public IPs
- First-come, first-served
- Temporary mapping
3. PAT (Port Address Translation):
- Many-to-one mapping
- Uses port numbers
- Most common (home routers)
Loading diagram...
Static NAT Configuration (Cisco):
! Configure inside interface
Router(config)# interface fastethernet 0/0
Router(config-if)# ip address 192.168.1.1 255.255.255.0
Router(config-if)# ip nat inside
Router(config-if)# exit
! Configure outside interface
Router(config)# interface fastethernet 0/1
Router(config-if)# ip address 203.0.113.5 255.255.255.0
Router(config-if)# ip nat outside
Router(config-if)# exit
! Create static NAT mapping
Router(config)# ip nat inside source static 192.168.1.10 203.0.113.10
! Verify
Router# show ip nat translationsDynamic NAT Configuration:
! Define pool of public IPs
Router(config)# ip nat pool PUBLIC_POOL 203.0.113.10 203.0.113.20 netmask 255.255.255.0
! Define which private IPs can use NAT
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
! Link ACL to pool
Router(config)# ip nat inside source list 1 pool PUBLIC_POOL
! Verify
Router# show ip nat translations
Router# show ip nat statisticsPAT Configuration (Overload):
! Use single public IP with port translation
Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255
Router(config)# ip nat inside source list 1 interface fastethernet 0/1 overload
! Or with a pool
Router(config)# ip nat inside source list 1 pool PUBLIC_POOL overloadNAT Translation Example:
Inside Local Inside Global Outside Global Outside Local
192.168.1.10 203.0.113.5 8.8.8.8 8.8.8.8
192.168.1.11 203.0.113.5 8.8.8.8 8.8.8.8
With PAT:
192.168.1.10:1234 → 203.0.113.5:50001 → 8.8.8.8:80
192.168.1.11:1234 → 203.0.113.5:50002 → 8.8.8.8:80
Troubleshooting NAT:
! Clear NAT translations
Router# clear ip nat translation *
! Debug NAT
Router# debug ip nat
Router# debug ip nat detailed
! Show NAT statistics
Router# show ip nat statisticsLimitations:
- Breaks end-to-end connectivity
- Complicates some protocols (FTP, SIP)
- Not suitable for servers (use static NAT)
- IPv6 eliminates need for NAT
Rarity: Very Common
Difficulty: Easy-Medium
Switching
4. What is a VLAN and why use it?
Answer: VLAN (Virtual LAN) logically segments a network.
Benefits:
- Security (isolate traffic)
- Performance (reduce broadcast domains)
- Flexibility (group by function, not location)
- Cost savings (fewer physical switches)
VLAN Configuration (Cisco):
! Create VLAN
Switch(config)# vlan 10
Switch(config-vlan)# name Sales
Switch(config-vlan)# exit
Switch(config)# vlan 20
Switch(config-vlan)# name IT
Switch(config-vlan)# exit
! Assign port to VLAN
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
! Configure trunk port
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# switchport mode trunk
Switch(config-if)# switchport trunk allowed vlan 10,20
! Verify
Switch# show vlan brief
Switch# show interfaces trunkRarity: Very Common
Difficulty: Medium
6. What is Spanning Tree Protocol and why is it needed?
Answer: STP (Spanning Tree Protocol) prevents Layer 2 loops in switched networks.
Problem Without STP:
- Broadcast storms
- MAC table instability
- Multiple frame copies
- Network meltdown
How STP Works:
Loading diagram...
STP Port States:
- Blocking: Doesn't forward frames, prevents loops
- Listening: Preparing to forward, listening for BPDUs
- Learning: Learning MAC addresses
- Forwarding: Normal operation
- Disabled: Administratively down
Port Roles:
- Root Port: Best path to root bridge
- Designated Port: Forwarding port on segment
- Blocked Port: Prevents loops
STP Selection Process:
1. Elect Root Bridge (lowest Bridge ID)
Bridge ID = Priority (default 32768) + MAC Address
2. Select Root Ports (best path to root)
Based on: Path Cost → Bridge ID → Port ID
3. Select Designated Ports (one per segment)
4. Block remaining ports
STP Configuration (Cisco):
! View STP status
Switch# show spanning-tree
! Set bridge priority (make this switch root)
Switch(config)# spanning-tree vlan 1 priority 4096
# Priority must be multiple of 4096 (0-61440)
! Or use shortcut
Switch(config)# spanning-tree vlan 1 root primary
Switch(config)# spanning-tree vlan 1 root secondary
! Configure port cost
Switch(config)# interface gigabitethernet 0/1
Switch(config-if)# spanning-tree cost 4
! Configure port priority
Switch(config-if)# spanning-tree port-priority 64
! Enable PortFast (for end devices only!)
Switch(config-if)# spanning-tree portfast
! Enable BPDU Guard (shuts port if BPDU received)
Switch(config-if)# spanning-tree bpduguard enableSTP Variants:
| Protocol | Standard | Convergence | VLANs |
|---|---|---|---|
| STP | 802.1D | 50 seconds | All |
| RSTP | 802.1w | ~6 seconds | All |
| PVST+ | Cisco | 50 seconds | Per-VLAN |
| Rapid PVST+ | Cisco | ~6 seconds | Per-VLAN |
RSTP (Rapid Spanning Tree):
! Enable RSTP
Switch(config)# spanning-tree mode rapid-pvst
! Verify
Switch# show spanning-tree summaryRSTP Port States (Simplified):
- Discarding: Combines Blocking, Listening, Disabled
- Learning: Learning MAC addresses
- Forwarding: Normal operation
Troubleshooting STP:
! Check STP status
Switch# show spanning-tree
! Check specific VLAN
Switch# show spanning-tree vlan 10
! Check interface details
Switch# show spanning-tree interface gigabitethernet 0/1
! View root bridge
Switch# show spanning-tree root
! Debug STP
Switch# debug spanning-tree eventsCommon Issues:
-
Topology Changes:
- Frequent changes cause instability
- Use PortFast on access ports
-
Root Bridge Placement:
- Should be central, high-capacity switch
- Set priority manually
-
Loops:
- Enable BPDU Guard on access ports
- Monitor for unexpected topology changes
Rarity: Common
Difficulty: Medium
Routing
7. What's the difference between static and dynamic routing?
Answer:
Static Routing:
- Manually configured
- No overhead
- Doesn't adapt to changes
- Good for small, stable networks
Dynamic Routing:
- Automatically learns routes
- Adapts to topology changes
- More overhead
- Good for large, complex networks
Static Route Example:
! Add static route
Router(config)# ip route 192.168.2.0 255.255.255.0 10.0.0.1
! Default route
Router(config)# ip route 0.0.0.0 0.0.0.0 10.0.0.1
! Verify
Router# show ip routeDynamic Routing Protocols:
- RIP: Simple, distance-vector
- OSPF: Link-state, fast convergence
- EIGRP: Cisco proprietary, hybrid
- BGP: Internet routing
Rarity: Very Common
Difficulty: Easy-Medium
8. How do you configure Access Control Lists (ACLs)?
Answer: ACLs filter network traffic based on defined rules.
ACL Types:
1. Standard ACL (1-99, 1300-1999):
- Filters based on source IP only
- Applied close to destination
2. Extended ACL (100-199, 2000-2699):
- Filters based on source/dest IP, protocol, port
- Applied close to source
Standard ACL Example:
! Create standard ACL
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any
! Apply to interface
Router(config)# interface fastethernet 0/0
Router(config-if)# ip access-group 10 in
! Verify
Router# show access-lists
Router# show ip interface fastethernet 0/0Extended ACL Example:
! Create extended ACL
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 80
Router(config)# access-list 100 permit tcp 192.168.1.0 0.0.0.255 any eq 443
Router(config)# access-list 100 deny ip any any
! Apply to interface
Router(config)# interface fastethernet 0/1
Router(config-if)# ip access-group 100 outNamed ACL (Recommended):
! Standard named ACL
Router(config)# ip access-list standard ALLOW_INTERNAL
Router(config-std-nacl)# permit 192.168.1.0 0.0.0.255
Router(config-std-nacl)# deny any
Router(config-std-nacl)# exit
! Extended named ACL
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# permit tcp any any eq 80
Router(config-ext-nacl)# permit tcp any any eq 443
Router(config-ext-nacl)# permit icmp any any echo-reply
Router(config-ext-nacl)# deny ip any any
Router(config-ext-nacl)# exit
! Apply to interface
Router(config)# interface gigabitethernet 0/0
Router(config-if)# ip access-group WEB_TRAFFIC inWildcard Masks:
0 = must match
1 = don't care
Examples:
0.0.0.0 = exact match
0.0.0.255 = match first 3 octets (/24)
0.0.255.255 = match first 2 octets (/16)
255.255.255.255 = match any (same as "any")
Host:
192.168.1.10 0.0.0.0 = single host
Or use: host 192.168.1.10
Common ACL Scenarios:
1. Block specific host:
Router(config)# ip access-list extended BLOCK_HOST
Router(config-ext-nacl)# deny ip host 192.168.1.50 any
Router(config-ext-nacl)# permit ip any any2. Allow only SSH and HTTPS:
Router(config)# ip access-list extended SECURE_ACCESS
Router(config-ext-nacl)# permit tcp any any eq 22
Router(config-ext-nacl)# permit tcp any any eq 443
Router(config-ext-nacl)# deny ip any any3. Prevent spoofing:
Router(config)# ip access-list extended ANTI_SPOOF
Router(config-ext-nacl)# deny ip 192.168.1.0 0.0.0.255 any
Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any
Router(config-ext-nacl)# permit ip any anyACL Best Practices:
-
Order Matters:
- Processed top to bottom
- Most specific rules first
- Implicit deny at end
-
Placement:
- Standard ACL: Close to destination
- Extended ACL: Close to source
-
Documentation:
- Use named ACLs
- Add remarks
Router(config)# ip access-list extended FIREWALL
Router(config-ext-nacl)# remark Allow web traffic
Router(config-ext-nacl)# permit tcp any any eq 80
Router(config-ext-nacl)# remark Block internal network
Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 anyEditing ACLs:
! View ACL with line numbers
Router# show ip access-lists WEB_TRAFFIC
! Remove specific line
Router(config)# ip access-list extended WEB_TRAFFIC
Router(config-ext-nacl)# no 10
! Insert at specific line
Router(config-ext-nacl)# 15 permit tcp any any eq 8080Troubleshooting:
! Show ACL hits
Router# show access-lists
! Show ACL on interface
Router# show ip interface gigabitethernet 0/0
! Clear ACL counters
Router# clear access-list countersRarity: Common
Difficulty: Medium
Network Services
9. How does DHCP work?
Answer: DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses.
DORA Process:
- Discover: Client broadcasts request
- Offer: Server offers IP address
- Request: Client requests offered IP
- Acknowledge: Server confirms assignment
Loading diagram...
DHCP Configuration (Cisco):
! Configure DHCP pool
Router(config)# ip dhcp pool LAN
Router(dhcp-config)# network 192.168.1.0 255.255.255.0
Router(dhcp-config)# default-router 192.168.1.1
Router(dhcp-config)# dns-server 8.8.8.8 8.8.4.4
Router(dhcp-config)# lease 7
! Exclude addresses
Router(config)# ip dhcp excluded-address 192.168.1.1 192.168.1.10
! Verify
Router# show ip dhcp binding
Router# show ip dhcp poolRarity: Very Common
Difficulty: Easy-Medium
Troubleshooting
10. How do you troubleshoot network connectivity issues?
Answer: Systematic troubleshooting approach:
1. Verify Physical Layer:
# Check cable connection
# Check link lights
# Check port status2. Test Connectivity:
# Ping localhost
ping 127.0.0.1
# Ping default gateway
ping 192.168.1.1
# Ping external IP
ping 8.8.8.8
# Ping domain name
ping google.com3. Check IP Configuration:
# Windows
ipconfig /all
# Linux
ip addr show
ip route show
# Verify:
# - IP address
# - Subnet mask
# - Default gateway
# - DNS servers4. Test DNS:
# Windows
nslookup google.com
# Linux
dig google.com
host google.com5. Check Routing:
# Trace route
traceroute google.com # Linux
tracert google.com # Windows6. Check Firewall:
# Test specific port
telnet server.com 80
nc -zv server.com 80Rarity: Very Common
Difficulty: Medium
Conclusion
Preparing for a junior network engineer interview requires understanding networking fundamentals and hands-on practice. Focus on:
- TCP/IP: OSI model, protocols, addressing
- IP Addressing: Subnetting, CIDR, IPv4/IPv6
- NAT: Types, configuration, use cases
- Switching: VLANs, trunking, MAC addresses
- STP: Loop prevention, port states, RSTP
- Routing: Static vs dynamic, routing tables
- ACLs: Standard vs extended, wildcard masks
- Network Services: DHCP, DNS, NAT
- Troubleshooting: Systematic approach, tools
Practice with network simulators (Packet Tracer, GNS3) and real equipment. Good luck!
