November 25, 2025
13 min read

Senior Network Engineer Interview Questions and Answers

interview
career-advice
job-search
Senior Network Engineer Interview Questions and Answers
Milad Bonakdar

Milad Bonakdar

Author

Prepare for senior network engineer interviews with practical questions on OSPF, BGP, SD-WAN, high availability, security, QoS, automation, and troubleshooting.

Introduction

Senior network engineer interviews usually test how you reason through design and incidents, not whether you can recite commands. Be ready to explain why you would choose OSPF areas, BGP policy, SD-WAN or MPLS, segmentation, QoS, and automation controls in a real enterprise network.

Use these questions to practice concise answers: state the goal, name the trade-offs, describe the checks you would run, and connect the design to reliability, security, cost, and user impact.

Advanced Routing

1. Explain OSPF and how it works.

Answer: OSPF (Open Shortest Path First) is a link-state routing protocol.

Key Features:

  • Fast convergence
  • Hierarchical design (areas)
  • Classless (supports VLSM)
  • Metric: Cost (based on bandwidth)

OSPF Areas:

Loading diagram...

OSPF Configuration:

! Enable OSPF
Router(config)# router ospf 1
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
Router(config-router)# network 10.0.0.0 0.255.255.255 area 1

! Set router ID
Router(config-router)# router-id 1.1.1.1

! Configure passive interface
Router(config-router)# passive-interface gigabitethernet 0/0

! Verify
Router# show ip ospf neighbor
Router# show ip ospf database
Router# show ip route ospf

OSPF States:

  1. Down
  2. Init
  3. Two-Way
  4. ExStart
  5. Exchange
  6. Loading
  7. Full

Rarity: Very Common
Difficulty: Hard

2. How does BGP work and when would you use it?

Answer: BGP (Border Gateway Protocol) is the internet's routing protocol.

Use Cases:

  • Internet service providers
  • Multi-homed networks
  • Large enterprises with multiple ISPs

BGP Types:

  • eBGP: Between different AS (external)
  • iBGP: Within same AS (internal)

BGP Configuration:

! Configure BGP
Router(config)# router bgp 65001
Router(config-router)# neighbor 203.0.113.1 remote-as 65002
Router(config-router)# network 192.168.1.0 mask 255.255.255.0

! BGP attributes
Router(config-router)# neighbor 203.0.113.1 route-map PREFER-PATH in

! Route map
Router(config)# route-map PREFER-PATH permit 10
Router(config-route-map)# set local-preference 200

! Verify
Router# show ip bgp summary
Router# show ip bgp neighbors
Router# show ip bgp

BGP Path Selection:

  1. Highest Weight
  2. Highest Local Preference
  3. Locally originated
  4. Shortest AS Path
  5. Lowest Origin type
  6. Lowest MED
  7. eBGP over iBGP
  8. Lowest IGP metric

Rarity: Common
Difficulty: Hard

3. Explain MPLS vs SD-WAN and when to use each.

Answer: MPLS (Multiprotocol Label Switching) and SD-WAN (Software-Defined WAN) are enterprise WAN technologies.

MPLS:

  • Label-based packet forwarding
  • Predictable performance
  • Traffic engineering capabilities
  • Predictable but usually higher-cost

SD-WAN:

  • Software-defined overlay network
  • Uses internet connections
  • Application-aware routing
  • Can reduce WAN cost when designed with security and monitoring

Comparison:

FeatureMPLSSD-WAN
CostUsually higher carrier costOften lower transport cost, with platform/license cost
DeploymentCarrier-led; can take longerUsually faster for branches and cloud paths
BandwidthLimited, expensiveFlexible, scalable
ManagementComplexCentralized, simple
SecurityPrivate transport, but still needs encryption and segmentationEncrypted overlay with centralized policy
FlexibilityLowHigh
PerformancePredictable SLA on provisioned circuitsPolicy-based; depends on underlay and SLA monitoring

MPLS Configuration:

! Enable MPLS on interface
Router(config)# interface gigabitethernet 0/0
Router(config-if)# mpls ip

! Configure LDP (Label Distribution Protocol)
Router(config)# mpls ldp router-id loopback0 force

! Configure MPLS VPN
Router(config)# ip vrf CUSTOMER_A
Router(config-vrf)# rd 65000:1
Router(config-vrf)# route-target export 65000:1
Router(config-vrf)# route-target import 65000:1

! Assign interface to VRF
Router(config)# interface gigabitethernet 0/1
Router(config-if)# ip vrf forwarding CUSTOMER_A
Router(config-if)# ip address 10.1.1.1 255.255.255.0

! Verify
Router# show mpls ldp neighbor
Router# show mpls forwarding-table
Router# show ip vrf

SD-WAN Architecture:

Loading diagram...

SD-WAN Policy Example:

# SD-WAN application routing policy
policy = {
    'voice': {
        'priority': 'high',
        'preferred_path': 'mpls',
        'backup_path': 'internet',
        'sla': {
            'latency': '< 100ms',
            'jitter': '< 30ms',
            'packet_loss': '< 1%'
        }
    },
    'video': {
        'priority': 'medium',
        'preferred_path': 'internet',
        'bandwidth': '5 Mbps',
        'sla': {
            'latency': '< 150ms',
            'packet_loss': '< 2%'
        }
    },
    'web': {
        'priority': 'low',
        'load_balance': ['internet', 'lte'],
        'sla': {
            'latency': '< 300ms'
        }
    }
}

Migration Strategy:

1. Hybrid Approach:

  • Keep MPLS for critical applications
  • Add SD-WAN for internet breakout
  • Gradual migration

2. Full SD-WAN:

  • Reduce or replace MPLS where SLA and security requirements allow
  • Use multiple internet circuits
  • Implement a security stack: firewall policy, encryption, segmentation, and logging

Use Cases:

Choose MPLS when:

  • Strict latency, loss, or private-transport requirements
  • Strong compliance or segmentation requirements
  • Predictable performance critical
  • Budget allows

Choose SD-WAN when:

  • Cost optimization needed
  • Cloud-first strategy
  • Rapid deployment required
  • Multiple branch locations
  • Need application visibility

Rarity: Common
Difficulty: Hard

Network Design

4. Design a highly available enterprise network.

Answer: Enterprise network with redundancy:

Loading diagram...

Key Components:

1. Redundancy:

  • Dual ISP connections
  • Redundant routers (HSRP/VRRP)
  • Redundant core switches
  • Redundant links (EtherChannel)

2. HSRP Configuration:

! Router 1 (Active)
Router1(config)# interface gigabitethernet 0/0
Router1(config-if)# ip address 192.168.1.2 255.255.255.0
Router1(config-if)# standby 1 ip 192.168.1.1
Router1(config-if)# standby 1 priority 110
Router1(config-if)# standby 1 preempt

! Router 2 (Standby)
Router2(config)# interface gigabitethernet 0/0
Router2(config-if)# ip address 192.168.1.3 255.255.255.0
Router2(config-if)# standby 1 ip 192.168.1.1
Router2(config-if)# standby 1 priority 100

3. Spanning Tree:

! Configure RSTP
Switch(config)# spanning-tree mode rapid-pvst

! Set root bridge
Switch(config)# spanning-tree vlan 1-100 root primary

! PortFast for access ports
Switch(config)# interface range fastethernet 0/1-24
Switch(config-if-range)# spanning-tree portfast

Rarity: Very Common
Difficulty: Hard

5. How do you design an enterprise wireless network?

Answer: Enterprise wireless requires careful planning for coverage, capacity, and security.

Architecture Options:

1. Controller-Based (Centralized):

Loading diagram...

Benefits:

  • Centralized management
  • Seamless roaming
  • Consistent policies
  • Easier troubleshooting

2. Controller-Less (Distributed):

  • Each AP is autonomous
  • Lower cost
  • No single point of failure
  • More complex management

Design Considerations:

1. Site Survey:

# RF planning factors
- Coverage area
- User density
- Application requirements
- Building materials
- Interference sources

# Tools
- Ekahau Site Survey
- AirMagnet Survey
- NetSpot

2. Channel Planning:

2.4 GHz:

  • Channels: 1, 6, 11 (non-overlapping)
  • 20 MHz channel width
  • Better range, more interference

5 GHz:

  • More channels available (25+ non-overlapping)
  • 20/40/80/160 MHz channel widths
  • Less interference, shorter range
! Configure AP channels
ap dot11 24ghz shutdown
ap dot11 24ghz channel 1
ap dot11 24ghz power-level 3
ap dot11 24ghz no shutdown

ap dot11 5ghz shutdown
ap dot11 5ghz channel 36
ap dot11 5ghz power-level 2
ap dot11 5ghz no shutdown

3. Roaming:

802.11r (Fast Roaming):

  • Pre-authentication
  • Faster handoff (< 50ms)
  • Better for VoIP

Configuration:

! Enable 802.11r
wlan CORPORATE 1 CORPORATE
 security wpa akm ft psk
 security wpa akm ft dot1x
 mobility anchor 10.1.1.1

4. Security:

WPA3-Enterprise (802.1X):

! RADIUS configuration
wlan CORPORATE 1 CORPORATE
 security wpa akm dot1x
 security wpa wpa3
 security wpa cipher aes
 radius server auth RADIUS-SERVER

! RADIUS server
radius server RADIUS-SERVER
 address ipv4 10.1.1.100 auth-port 1812 acct-port 1813
 key MySecretKey

Guest Network Isolation:

! Guest WLAN
wlan GUEST 2 GUEST
 security open
 security web-auth
 security web-passthrough
 no security wpa
 no security wpa wpa2
 no security wpa wpa3

! Client isolation
wlan GUEST 2 GUEST
 peer-blocking drop

5. QoS for Wireless:

! Prioritize voice traffic
wlan CORPORATE 1 CORPORATE
 qos wmm required

! Platinum QoS profile
qos profile VOICE
 priority platinum
 average-data-rate 6000
 burst-data-rate 6000

Capacity Planning:

# Calculate AP requirements
def calculate_aps(area_sqft, users, throughput_per_user_mbps):
    # Coverage-based
    coverage_per_ap = 5000  # sq ft (varies by environment)
    aps_for_coverage = area_sqft / coverage_per_ap
    
    # Capacity-based
    ap_throughput = 300  # Mbps (realistic for 802.11ac)
    users_per_ap = 25  # Recommended maximum
    
    total_throughput = users * throughput_per_user_mbps
    aps_for_capacity = total_throughput / ap_throughput
    
    # Use higher value
    return max(aps_for_coverage, aps_for_capacity)

# Example
required_aps = calculate_aps(
    area_sqft=50000,
    users=500,
    throughput_per_user_mbps=2
)
print(f"Required APs: {required_aps}")

Best Practices:

  • 20-30% AP overlap for seamless roaming
  • Separate SSIDs for different user types
  • Regular spectrum analysis
  • Monitor client health and performance
  • Plan for growth (50% capacity buffer)

Rarity: Common
Difficulty: Medium-Hard

Network Security

6. How do you secure a network infrastructure?

Answer: For a senior role, describe security as layered controls across users, devices, network segments, applications, and the management plane:

1. Access Control Lists (ACLs):

! Standard ACL
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any

! Extended ACL
Router(config)# ip access-list extended BLOCK-TELNET
Router(config-ext-nacl)# deny tcp any any eq 23
Router(config-ext-nacl)# permit ip any any

! Apply to interface
Router(config)# interface gigabitethernet 0/0
Router(config-if)# ip access-group BLOCK-TELNET in

2. Port Security:

! Enable port security
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky

3. VPN Configuration:

! IPsec VPN
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14

crypto isakmp key MySecretKey address 203.0.113.1

crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac

crypto map MYMAP 10 ipsec-isakmp
 set peer 203.0.113.1
 set transform-set MYSET
 match address VPN-TRAFFIC

4. Network Segmentation:

  • DMZ for public services
  • Separate VLANs for departments
  • Firewall between segments
  • Least-privilege management access with AAA, MFA where supported, and TACACS+/RADIUS
  • Zero Trust principles where practical: identify assets, segment critical flows, and continuously verify access
  • Protected management plane with out-of-band access, SSH only, SNMPv3, centralized logging, and regular ACL/firewall reviews

Rarity: Very Common
Difficulty: Hard

Quality of Service (QoS)

7. Explain QoS and how to implement it.

Answer: QoS does not create bandwidth; it protects important traffic during congestion by classifying, marking, queuing, and shaping or policing flows.

QoS Mechanisms:

  1. Classification: Identify traffic
  2. Marking: Tag packets (DSCP, CoS)
  3. Queuing: Prioritize traffic
  4. Policing/Shaping: Control bandwidth

QoS Configuration:

! Class map (identify traffic)
Router(config)# class-map match-any VOICE
Router(config-cmap)# match protocol rtp
Router(config-cmap)# match ip dscp ef

Router(config)# class-map match-any VIDEO
Router(config-cmap)# match protocol http

! Policy map (define actions)
Router(config)# policy-map QOS-POLICY
Router(config-pmap)# class VOICE
Router(config-pmap-c)# priority percent 30
Router(config-pmap-c)# class VIDEO
Router(config-pmap-c)# bandwidth percent 40
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# fair-queue

! Apply to interface
Router(config)# interface gigabitethernet 0/0
Router(config-if)# service-policy output QOS-POLICY

! Verify
Router# show policy-map interface gigabitethernet 0/0

DSCP Values:

  • EF (46): Voice
  • AF41 (34): Video
  • AF31 (26): Critical data
  • BE (0): Best effort

Rarity: Common
Difficulty: Medium-Hard

8. How do you automate network configuration and management?

Answer: Network automation should be treated like software delivery: use source control, templates, peer review, staged rollout, validation, backups, and rollback plans.

Automation Tools:

1. Python with Netmiko:

from netmiko import ConnectHandler
import getpass

# Device connection
device = {
    'device_type': 'cisco_ios',
    'host': '192.168.1.1',
    'username': 'admin',
    'password': getpass.getpass(),
    'secret': getpass.getpass('Enable password: ')
}

# Connect and execute commands
with ConnectHandler(**device) as conn:
    conn.enable()
    
    # Show commands
    output = conn.send_command('show ip interface brief')
    print(output)
    
    # Configuration commands
    config_commands = [
        'interface GigabitEthernet0/1',
        'description Uplink to Core',
        'ip address 10.1.1.1 255.255.255.0',
        'no shutdown'
    ]
    output = conn.send_config_set(config_commands)
    print(output)
    
    # Save configuration
    conn.save_config()

2. Ansible for Network Automation:

# inventory/hosts
[routers]
router1 ansible_host=192.168.1.1
router2 ansible_host=192.168.1.2

[routers: vars]
ansible_network_os=ios
ansible_connection=network_cli
ansible_user=admin
ansible_password=vault_encrypted_password
# playbooks/configure_interfaces.yml
---
- name: Configure router interfaces
  hosts: routers
  gather_facts: no
  tasks:
    - name: Configure interface settings
      cisco.ios.ios_interfaces:
        config:
          - name: GigabitEthernet0/1
            description: Configured by Ansible
            enabled: true
        state: merged

    - name: Configure IPv4 address
      cisco.ios.ios_l3_interfaces:
        config:
          - name: GigabitEthernet0/1
            ipv4:
              - address: 10.1.1.1/24
        state: merged

    - name: Save configuration when changed
      cisco.ios.ios_config:
        save_when: modified

3. NETCONF/RESTCONF APIs:

import requests
from requests.auth import HTTPBasicAuth
import json

# RESTCONF example
url = 'https://192.168.1.1/restconf/data/ietf-interfaces:interfaces'
headers = {
    'Content-Type': 'application/yang-data+json',
    'Accept': 'application/yang-data+json'
}
auth = HTTPBasicAuth('admin', 'password')

# Get interfaces
response = requests.get(url, headers=headers, auth=auth, verify=False)
interfaces = response.json()
print(json.dumps(interfaces, indent=2))

# Configure interface
interface_config = {
    "ietf-interfaces:interface": {
        "name": "GigabitEthernet0/1",
        "description": "Configured via RESTCONF",
        "type": "iana-if-type:ethernetCsmacd",
        "enabled": True,
        "ietf-ip:ipv4": {
            "address": [{
                "ip": "10.1.1.1",
                "netmask": "255.255.255.0"
            }]
        }
    }
}

response = requests.put(
    f"{url}/interface=GigabitEthernet0/1",
    headers=headers,
    auth=auth,
    data=json.dumps(interface_config),
    verify=False
)
print(f"Status: {response.status_code}")

4. Configuration Backup Automation:

import os
from datetime import datetime
from netmiko import ConnectHandler

def backup_device_config(device_info, backup_dir='/backups'):
    """Backup device configuration"""
    try:
        # Connect to device
        with ConnectHandler(**device_info) as conn:
            conn.enable()
            
            # Get running config
            config = conn.send_command('show running-config')
            
            # Create backup filename
            hostname = conn.send_command('show run | include hostname').split()[1]
            timestamp = datetime.now().strftime('%Y%m%d_%H%M%S')
            filename = f"{backup_dir}/{hostname}_{timestamp}.cfg"
            
            # Save to file
            os.makedirs(backup_dir, exist_ok=True)
            with open(filename, 'w') as f:
                f.write(config)
            
            print(f"[+] Backup saved: {filename}")
            return True
    except Exception as e:
        print(f"[-] Backup failed: {e}")
        return False

# Backup multiple devices
devices = [
    {'device_type': 'cisco_ios', 'host': '192.168.1.1', 'username': 'admin', 'password': 'pass'},
    {'device_type': 'cisco_ios', 'host': '192.168.1.2', 'username': 'admin', 'password': 'pass'},
]

for device in devices:
    backup_device_config(device)

5. Network Validation:

# Validate network state
def validate_network(device):
    """Validate network configuration and state"""
    with ConnectHandler(**device) as conn:
        conn.enable()
        
        checks = {
            'interfaces_up': [],
            'bgp_neighbors': [],
            'ospf_neighbors': [],
            'issues': []
        }
        
        # Check interface status
        output = conn.send_command('show ip interface brief')
        for line in output.split('\n')[1:]:
            if 'up' in line.lower():
                checks['interfaces_up'].append(line.split()[0])
            elif 'down' in line.lower() and 'administratively' not in line.lower():
                checks['issues'].append(f"Interface down: {line.split()[0]}")
        
        # Check BGP neighbors
        output = conn.send_command('show ip bgp summary')
        # Parse BGP neighbors
        
        # Check OSPF neighbors
        output = conn.send_command('show ip ospf neighbor')
        # Parse OSPF neighbors
        
        return checks

Benefits:

  • Reduced configuration time
  • Consistent configurations
  • Reduced human error
  • Easy rollback
  • Audit trail
  • Scalability

Rarity: Common
Difficulty: Medium-Hard

Advanced Troubleshooting

9. How do you troubleshoot complex network issues?

Answer: Systematic approach to complex problems:

1. Gather Information:

! Check interfaces
show ip interface brief
show interfaces status

! Check routing
show ip route
show ip protocols

! Check neighbors
show cdp neighbors
show lldp neighbors

! Check logs
show logging

2. Packet Capture:

# tcpdump
tcpdump -i eth0 -w capture.pcap

# Wireshark filters
tcp.port == 80
ip.addr == 192.168.1.1
http.request.method == "GET"

3. Network Monitoring:

# SNMP monitoring
snmpwalk -v2c -c public 192.168.1.1

# NetFlow analysis
# Analyze traffic patterns
# Identify bandwidth hogs
# Detect anomalies

4. Layer-by-Layer Troubleshooting:

  • Layer 1: Physical (cables, ports)
  • Layer 2: Data Link (VLANs, STP)
  • Layer 3: Network (routing, IP)
  • Layer 4: Transport (TCP/UDP)
  • Layer 7: Application (DNS, HTTP)

5. Common Issues:

! Duplex mismatch
show interfaces gigabitethernet 0/0
interface gigabitethernet 0/0
 duplex auto
 speed auto

! Routing loop
show ip route
traceroute 192.168.1.1

! VLAN mismatch
show vlan brief
show interfaces trunk

Rarity: Very Common
Difficulty: Hard

Conclusion

A strong senior answer combines protocol knowledge with operational judgment. For each topic, prepare one example from your own work: the problem, constraints, design choice, validation steps, and result.

Focus your prep on:

  1. Advanced routing: OSPF design, BGP policy, route manipulation, and failure behavior
  2. WAN strategy: MPLS, SD-WAN, cloud connectivity, migration risk, and SLA trade-offs
  3. Network design: Redundancy, high availability, scaling limits, and change planning
  4. Wireless: Capacity planning, roaming, security, and client experience
  5. Security: Segmentation, management-plane protection, VPNs, ACLs, logging, and Zero Trust principles
  6. QoS: Classification, marking, queuing, shaping, policing, and congestion behavior
  7. Automation: Source control, templates, validation, staged rollout, rollback, and audit trails
  8. Troubleshooting: Layered diagnosis, packet analysis, monitoring data, and clear incident communication

Before the interview, map each answer to a real incident, migration, or design decision you can discuss without exaggerating your role.

Newsletter subscription

Weekly career tips that actually work

Get the latest insights delivered straight to your inbox

Related Posts

Junior Network Engineer Interview Questions and Answers
Nov 25, 2025
12 min read

Junior Network Engineer Interview Questions and Answers

Prepare for entry-level networking interviews with practical questions on TCP/IP, subnetting, VLANs, DHCP, routing, switching, and troubleshooting.

Milad BonakdarMilad Bonakdar
Senior System Administrator Interview Questions and Answers
Nov 25, 2025
14 min read

Senior System Administrator Interview Questions and Answers

Prepare for senior sysadmin interviews with practical questions on Linux, Windows, Active Directory, automation, security hardening, monitoring, backup, and incident troubleshooting.

Milad BonakdarMilad Bonakdar
Senior DevOps Engineer Interview Questions for Production Systems
Nov 25, 2025
25 min read

Senior DevOps Engineer Interview Questions for Production Systems

Prepare for senior DevOps interviews with practical questions on Kubernetes, Terraform state, GitOps, security, observability, incident response, and production trade-offs.

Milad BonakdarMilad Bonakdar

Your Next Interview is Just One Resume Away

Create a professional, optimized resume in minutes. No design skills needed—just proven results.

Create my resume

Share this post

Cut Your Resume Writing Time by 90%

The average job seeker spends 3+ hours formatting a resume. Our AI does it in under 15 minutes, getting you to the application phase 12x faster.

Build in 15 Minutes