Senior Network Engineer Interview Questions: Complete Guide

Milad Bonakdar
Author
Master advanced networking concepts with comprehensive interview questions covering OSPF, BGP, network design, security, QoS, and enterprise network architecture for senior network engineer roles.
Introduction
Senior Network Engineers design enterprise-scale networks, implement advanced routing protocols, ensure security, and optimize performance. This role requires deep expertise in networking technologies, troubleshooting complex issues, and strategic planning.
This guide covers essential interview questions for senior network engineers, focusing on advanced concepts and enterprise solutions.
Advanced Routing
1. Explain OSPF and how it works.
Answer: OSPF (Open Shortest Path First) is a link-state routing protocol.
Key Features:
- Fast convergence
- Hierarchical design (areas)
- Classless (supports VLSM)
- Metric: Cost (based on bandwidth)
OSPF Areas:
OSPF Configuration:
! Enable OSPF
Router(config)# router ospf 1
Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
Router(config-router)# network 10.0.0.0 0.255.255.255 area 1
! Set router ID
Router(config-router)# router-id 1.1.1.1
! Configure passive interface
Router(config-router)# passive-interface gigabitethernet 0/0
! Verify
Router# show ip ospf neighbor
Router# show ip ospf database
Router# show ip route ospf
OSPF States:
- Down
- Init
- Two-Way
- ExStart
- Exchange
- Loading
- Full
Rarity: Very Common
Difficulty: Hard
2. How does BGP work and when would you use it?
Answer: BGP (Border Gateway Protocol) is the internet's routing protocol.
Use Cases:
- Internet service providers
- Multi-homed networks
- Large enterprises with multiple ISPs
BGP Types:
- eBGP: Between different AS (external)
- iBGP: Within same AS (internal)
BGP Configuration:
! Configure BGP
Router(config)# router bgp 65001
Router(config-router)# neighbor 203.0.113.1 remote-as 65002
Router(config-router)# network 192.168.1.0 mask 255.255.255.0
! BGP attributes
Router(config-router)# neighbor 203.0.113.1 route-map PREFER-PATH in
! Route map
Router(config)# route-map PREFER-PATH permit 10
Router(config-route-map)# set local-preference 200
! Verify
Router# show ip bgp summary
Router# show ip bgp neighbors
Router# show ip bgp
BGP Path Selection:
- Highest Weight
- Highest Local Preference
- Locally originated
- Shortest AS Path
- Lowest Origin type
- Lowest MED
- eBGP over iBGP
- Lowest IGP metric
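The selection order above, walked step by step, as an added example that is not part of the original guide. It shows why the `PREFER-PATH` route-map wins over a shorter AS path: local preference is compared first. The `Path` class, the second neighbor and all AS paths are constructed, MED is compared across all candidates as a simplification, and tie-breakers after IGP metric are not modelled.

```python
from dataclasses import dataclass

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

@dataclass(frozen=True)
class Path:
    neighbor: str
    as_path: tuple
    weight: int = 0
    local_pref: int = 100            # IOS default when no route-map sets it
    locally_originated: bool = False
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True
    igp_metric: int = 0

# One (name, key) pair per step in the list above. The lowest key wins,
# so "highest is better" attributes are negated.
STEPS = [
    ("weight", lambda p: -p.weight),
    ("local preference", lambda p: -p.local_pref),
    ("locally originated", lambda p: not p.locally_originated),
    ("AS path length", lambda p: len(p.as_path)),
    ("origin", lambda p: ORIGIN_RANK[p.origin]),
    ("MED", lambda p: p.med),
    ("eBGP over iBGP", lambda p: not p.ebgp),
    ("IGP metric", lambda p: p.igp_metric),
]

def best_path(paths):
    """Walk the steps in order; return (winner, name of the deciding step)."""
    candidates = list(paths)
    for name, key in STEPS:
        best = min(key(p) for p in candidates)
        narrowed = [p for p in candidates if key(p) == best]
        if len(narrowed) == 1 and len(candidates) > 1:
            return narrowed[0], name
        candidates = narrowed
    return candidates[0], "undecided"  # later tie-breakers are not modelled

# Constructed sample: 203.0.113.1 is the neighbor from the configuration above
# with PREFER-PATH (local preference 200) applied; the rest is made up.
VIA_A = Path("203.0.113.1", (65002, 64500, 64501), local_pref=200)
VIA_B = Path("198.51.100.1", (65003,))

if __name__ == "__main__":
    winner, step = best_path([VIA_A, VIA_B])
    print(f"best path via {winner.neighbor}, decided by {step}")
```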
Rarity: Common
Difficulty: Hard
3. Explain MPLS vs SD-WAN and when to use each.
Answer: MPLS (Multiprotocol Label Switching) and SD-WAN (Software-Defined WAN) are enterprise WAN technologies.
MPLS:
- Label-based packet forwarding
- Predictable performance
- Traffic engineering capabilities
- Expensive
SD-WAN:
- Software-defined overlay network
- Uses internet connections
- Application-aware routing
- Cost-effective
Comparison:
| Feature | MPLS | SD-WAN |
|---|---|---|
| Cost | High | Low |
| Deployment | Slow (weeks/months) | Fast (days) |
| Bandwidth | Limited, expensive | Flexible, scalable |
| Management | Complex | Centralized, simple |
| Security | Inherently secure | Requires encryption |
| Flexibility | Low | High |
| Performance | Guaranteed | Variable |
MPLS Configuration:
! Enable MPLS on interface
Router(config)# interface gigabitethernet 0/0
Router(config-if)# mpls ip
! Configure LDP (Label Distribution Protocol)
Router(config)# mpls ldp router-id loopback0 force
! Configure MPLS VPN
Router(config)# ip vrf CUSTOMER_A
Router(config-vrf)# rd 65000:1
Router(config-vrf)# route-target export 65000:1
Router(config-vrf)# route-target import 65000:1
! Assign interface to VRF
Router(config)# interface gigabitethernet 0/1
Router(config-if)# ip vrf forwarding CUSTOMER_A
Router(config-if)# ip address 10.1.1.1 255.255.255.0
! Verify
Router# show mpls ldp neighbor
Router# show mpls forwarding-table
Router# show ip vrf
SD-WAN Architecture:
SD-WAN Policy Example:
# SD-WAN application routing policy
policy = {
    'voice': {
        'priority': 'high',
        'preferred_path': 'mpls',
        'backup_path': 'internet',
        'sla': {
            'latency': '< 100ms',
            'jitter': '< 30ms',
            'packet_loss': '< 1%'
        }
    },
    'video': {
        'priority': 'medium',
        'preferred_path': 'internet',
        'bandwidth': '5 Mbps',
        'sla': {
            'latency': '< 150ms',
            'packet_loss': '< 2%'
        }
    },
    'web': {
        'priority': 'low',
        'load_balance': ['internet', 'lte'],
        'sla': {
            'latency': '< 300ms'
        }
    }
}
Migration Strategy:
1. Hybrid Approach:
- Keep MPLS for critical applications
- Add SD-WAN for internet breakout
- Gradual migration
2. Full SD-WAN:
- Replace MPLS entirely
- Use multiple internet circuits
- Implement security stack (firewall, encryption)
Use Cases:
Choose MPLS when:
- Guaranteed SLA required
- Highly sensitive data
- Predictable performance critical
- Budget allows
Choose SD-WAN when:
- Cost optimization needed
- Cloud-first strategy
- Rapid deployment required
- Multiple branch locations
- Need application visibility
Rarity: Common
Difficulty: Hard
Network Design
4. Design a highly available enterprise network.
Answer: Enterprise network with redundancy:
Key Components:
1. Redundancy:
- Dual ISP connections
- Redundant routers (HSRP/VRRP)
- Redundant core switches
- Redundant links (EtherChannel)
2. HSRP Configuration:
! Router 1 (Active)
Router1(config)# interface gigabitethernet 0/0
Router1(config-if)# ip address 192.168.1.2 255.255.255.0
Router1(config-if)# standby 1 ip 192.168.1.1
Router1(config-if)# standby 1 priority 110
Router1(config-if)# standby 1 preempt
! Router 2 (Standby)
Router2(config)# interface gigabitethernet 0/0
Router2(config-if)# ip address 192.168.1.3 255.255.255.0
Router2(config-if)# standby 1 ip 192.168.1.1
Router2(config-if)# standby 1 priority 100
3. Spanning Tree:
! Configure RSTP
Switch(config)# spanning-tree mode rapid-pvst
! Set root bridge
Switch(config)# spanning-tree vlan 1-100 root primary
! PortFast for access ports
Switch(config)# interface range fastethernet 0/1-24
Switch(config-if-range)# spanning-tree portfast
Rarity: Very Common
Difficulty: Hard
5. How do you design an enterprise wireless network?
Answer: Enterprise wireless requires careful planning for coverage, capacity, and security.
Architecture Options:
1. Controller-Based (Centralized):
Benefits:
- Centralized management
- Seamless roaming
- Consistent policies
- Easier troubleshooting
2. Controller-Less (Distributed):
- Each AP is autonomous
- Lower cost
- No single point of failure
- More complex management
Design Considerations:
1. Site Survey:
# RF planning factors
- Coverage area
- User density
- Application requirements
- Building materials
- Interference sources
# Tools
- Ekahau Site Survey
- AirMagnet Survey
- NetSpot
2. Channel Planning:
2.4 GHz:
- Channels: 1, 6, 11 (non-overlapping)
- 20 MHz channel width
- Better range, more interference
5 GHz:
- More channels available (25+ non-overlapping)
- 20/40/80/160 MHz channel widths
- Less interference, shorter range
! Configure AP channels
ap dot11 24ghz shutdown
ap dot11 24ghz channel 1
ap dot11 24ghz power-level 3
ap dot11 24ghz no shutdown
ap dot11 5ghz shutdown
ap dot11 5ghz channel 36
ap dot11 5ghz power-level 2
ap dot11 5ghz no shutdown
3. Roaming:
802.11r (Fast Roaming):
- Pre-authentication
- Faster handoff (< 50ms)
- Better for VoIP
Configuration:
! Enable 802.11r
wlan CORPORATE 1 CORPORATE
security wpa akm ft psk
security wpa akm ft dot1x
mobility anchor 10.1.1.1
4. Security:
WPA3-Enterprise (802.1X):
! RADIUS configuration
wlan CORPORATE 1 CORPORATE
security wpa akm dot1x
security wpa wpa3
security wpa cipher aes
radius server auth RADIUS-SERVER
! RADIUS server
radius server RADIUS-SERVER
address ipv4 10.1.1.100 auth-port 1812 acct-port 1813
key MySecretKey
Guest Network Isolation:
! Guest WLAN
wlan GUEST 2 GUEST
security open
security web-auth
security web-passthrough
no security wpa
no security wpa wpa2
no security wpa wpa3
! Client isolation
wlan GUEST 2 GUEST
peer-blocking drop
5. QoS for Wireless:
! Prioritize voice traffic
wlan CORPORATE 1 CORPORATE
qos wmm required
! Platinum QoS profile
qos profile VOICE
priority platinum
average-data-rate 6000
burst-data-rate 6000
Capacity Planning:
import math

# Calculate AP requirements
def calculate_aps(area_sqft, users, throughput_per_user_mbps):
    # Coverage-based
    coverage_per_ap = 5000  # sq ft (varies by environment)
    aps_for_coverage = area_sqft / coverage_per_ap
    # Capacity-based: limited by both aggregate throughput and client count
    ap_throughput = 300  # Mbps (realistic for 802.11ac)
    users_per_ap = 25  # Recommended maximum
    total_throughput = users * throughput_per_user_mbps
    aps_for_capacity = max(total_throughput / ap_throughput, users / users_per_ap)
    # Use higher value, rounded up to a whole number of APs
    return math.ceil(max(aps_for_coverage, aps_for_capacity))

# Example
required_aps = calculate_aps(
    area_sqft=50000,
    users=500,
    throughput_per_user_mbps=2
)
print(f"Required APs: {required_aps}")
Best Practices:
- 20-30% AP overlap for seamless roaming
- Separate SSIDs for different user types
- Regular spectrum analysis
- Monitor client health and performance
- Plan for growth (50% capacity buffer)
Rarity: Common
Difficulty: Medium-Hard
Network Security
6. How do you secure a network infrastructure?
Answer: Multi-layered security approach:
1. Access Control Lists (ACLs):
! Standard ACL
Router(config)# access-list 10 permit 192.168.1.0 0.0.0.255
Router(config)# access-list 10 deny any
! Extended ACL
Router(config)# ip access-list extended BLOCK-TELNET
Router(config-ext-nacl)# deny tcp any any eq 23
Router(config-ext-nacl)# permit ip any any
! Apply to interface
Router(config)# interface gigabitethernet 0/0
Router(config-if)# ip access-group BLOCK-TELNET in
2. Port Security:
! Enable port security
Switch(config)# interface fastethernet 0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security violation restrict
Switch(config-if)# switchport port-security mac-address sticky
3. VPN Configuration:
! IPsec VPN
crypto isakmp policy 10
encryption aes 256
hash sha256
authentication pre-share
group 14
crypto isakmp key MySecretKey address 203.0.113.1
crypto ipsec transform-set MYSET esp-aes 256 esp-sha256-hmac
crypto map MYMAP 10 ipsec-isakmp
set peer 203.0.113.1
set transform-set MYSET
match address VPN-TRAFFIC
4. Network Segmentation:
- DMZ for public services
- Separate VLANs for departments
- Firewall between segments
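How the two ACLs from step 1 are evaluated, as an added example that is not part of the original guide: entries are checked top-down, the first match decides, and anything that matches no entry hits the implicit deny. The tuple layout and the `evaluate` and `shadowed_entries` helpers are hypothetical, and destinations are not modelled because every entry above uses `any`.

```python
import ipaddress

def _ip(addr):
    return int(ipaddress.IPv4Address(addr))

def wildcard_match(addr, base, wildcard):
    """Cisco wildcard mask: a 1 bit means "don't care" (inverse of a netmask)."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)

ANY = ("0.0.0.0", "255.255.255.255")

# The two ACLs from step 1 as data: (action, protocol, source, destination port)
ACL_10 = [
    ("permit", "ip", ("192.168.1.0", "0.0.0.255"), None),
    ("deny", "ip", ANY, None),
]
BLOCK_TELNET = [
    ("deny", "tcp", ANY, 23),
    ("permit", "ip", ANY, None),
]

def evaluate(acl, src, proto="ip", dport=None):
    """Return (action, index of the matching entry); index None = implicit deny."""
    for i, (action, ace_proto, (base, wildcard), ace_port) in enumerate(acl):
        if ace_proto != "ip" and ace_proto != proto:
            continue
        if ace_port is not None and ace_port != dport:
            continue
        if wildcard_match(src, base, wildcard):
            return action, i
    return "deny", None

def shadowed_entries(acl):
    """Indexes of entries that can never match because an earlier
    'ip any' entry already catches every packet."""
    catch_all = next((i for i, (_, proto, src, port) in enumerate(acl)
                      if proto == "ip" and src == ANY and port is None), None)
    return [] if catch_all is None else list(range(catch_all + 1, len(acl)))

if __name__ == "__main__":
    # Constructed test packets
    print(evaluate(ACL_10, "192.168.1.77"))               # inside the permitted /24
    print(evaluate(BLOCK_TELNET, "10.0.0.5", "tcp", 23))  # Telnet is dropped
    print(evaluate(BLOCK_TELNET, "10.0.0.5", "tcp", 22))  # everything else passes
    print(shadowed_entries(list(reversed(BLOCK_TELNET)))) # wrong order: deny is dead
```

`BLOCK-TELNET` is a deny-list: its final `permit ip any any` lets through everything except the one port named, which is the opposite posture to ACL 10.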
Rarity: Very Common
Difficulty: Hard
Quality of Service (QoS)
7. Explain QoS and how to implement it.
Answer: QoS prioritizes network traffic for better performance.
QoS Mechanisms:
- Classification: Identify traffic
- Marking: Tag packets (DSCP, CoS)
- Queuing: Prioritize traffic
- Policing/Shaping: Control bandwidth
QoS Configuration:
! Class map (identify traffic)
Router(config)# class-map match-any VOICE
Router(config-cmap)# match protocol rtp
Router(config-cmap)# match ip dscp ef
Router(config)# class-map match-any VIDEO
Router(config-cmap)# match protocol http
! Policy map (define actions)
Router(config)# policy-map QOS-POLICY
Router(config-pmap)# class VOICE
Router(config-pmap-c)# priority percent 30
Router(config-pmap-c)# class VIDEO
Router(config-pmap-c)# bandwidth percent 40
Router(config-pmap-c)# class class-default
Router(config-pmap-c)# fair-queue
! Apply to interface
Router(config)# interface gigabitethernet 0/0
Router(config-if)# service-policy output QOS-POLICY
! Verify
Router# show policy-map interface gigabitethernet 0/0
DSCP Values:
- EF (46): Voice
- AF41 (34): Video
- AF31 (26): Critical data
- BE (0): Best effort
Rarity: Common
Difficulty: Medium-Hard
8. How do you automate network configuration and management?
Answer: Network automation improves consistency, reduces errors, and scales operations.
Automation Tools:
1. Python with Netmiko:
from netmiko import ConnectHandler
import getpass

# Device connection
device = {
    'device_type': 'cisco_ios',
    'host': '192.168.1.1',
    'username': 'admin',
    'password': getpass.getpass(),
    'secret': getpass.getpass('Enable password: ')
}

# Connect and execute commands
with ConnectHandler(**device) as conn:
    conn.enable()
    # Show commands
    output = conn.send_command('show ip interface brief')
    print(output)
    # Configuration commands
    config_commands = [
        'interface GigabitEthernet0/1',
        'description Uplink to Core',
        'ip address 10.1.1.1 255.255.255.0',
        'no shutdown'
    ]
    output = conn.send_config_set(config_commands)
    print(output)
    # Save configuration
    conn.save_config()
2. Ansible for Network Automation:
# inventory/hosts
[routers]
router1 ansible_host=192.168.1.1
router2 ansible_host=192.168.1.2

[routers:vars]
ansible_network_os=ios
ansible_connection=network_cli
ansible_user=admin
ansible_password=vault_encrypted_password

# playbooks/configure_interfaces.yml
---
- name: Configure router interfaces
  hosts: routers
  gather_facts: no
  tasks:
    - name: Configure interface description
      ios_config:
        lines:
          - description Configured by Ansible
        parents: interface GigabitEthernet0/1
    - name: Configure IP address
      ios_l3_interface:
        name: GigabitEthernet0/1
        ipv4: 10.1.1.1/24
        state: present
    - name: Enable interface
      ios_interface:
        name: GigabitEthernet0/1
        enabled: true
    - name: Save configuration
      ios_command:
        commands:
          - write memory
3. NETCONF/RESTCONF APIs:
import json
from urllib.parse import quote

import requests
from requests.auth import HTTPBasicAuth

# RESTCONF example
url = 'https://192.168.1.1/restconf/data/ietf-interfaces:interfaces'
headers = {
    'Content-Type': 'application/yang-data+json',
    'Accept': 'application/yang-data+json'
}
# Placeholder credentials; read real ones from a prompt or a secret store
auth = HTTPBasicAuth('admin', 'password')

# Get interfaces
# verify=False skips TLS certificate validation (lab only);
# pass the path to a CA bundle instead when the device has a trusted certificate
response = requests.get(url, headers=headers, auth=auth, verify=False)
interfaces = response.json()
print(json.dumps(interfaces, indent=2))

# Configure interface
interface_config = {
    "ietf-interfaces:interface": {
        "name": "GigabitEthernet0/1",
        "description": "Configured via RESTCONF",
        "type": "iana-if-type:ethernetCsmacd",
        "enabled": True,
        "ietf-ip:ipv4": {
            "address": [{
                "ip": "10.1.1.1",
                "netmask": "255.255.255.0"
            }]
        }
    }
}
# The "/" in the interface name must be percent-encoded in a RESTCONF key (RFC 8040)
response = requests.put(
    f"{url}/interface={quote('GigabitEthernet0/1', safe='')}",
    headers=headers,
    auth=auth,
    data=json.dumps(interface_config),
    verify=False
)
print(f"Status: {response.status_code}")
4. Configuration Backup Automation:
import os
from datetime import datetime
from netmiko import ConnectHandler

def backup_device_config(device_info, backup_dir='/backups'):
    """Backup device configuration"""
    try:
        # Connect to device
        with ConnectHandler(**device_info) as conn:
            conn.enable()
            # Get running config
            config = conn.send_command('show running-config')
            # Create backup filename
            hostname = conn.send_command('show run | include hostname').split()[1]
            timestamp = datetime.now().strftime('%Y%m%d_%H%M%S')
            filename = f"{backup_dir}/{hostname}_{timestamp}.cfg"
            # Save to file (the running config contains keys and password
            # hashes, so keep the backup directory access-restricted)
            os.makedirs(backup_dir, exist_ok=True)
            with open(filename, 'w') as f:
                f.write(config)
            print(f"[+] Backup saved: {filename}")
            return True
    except Exception as e:
        print(f"[-] Backup failed: {e}")
        return False

# Backup multiple devices
devices = [
    {'device_type': 'cisco_ios', 'host': '192.168.1.1', 'username': 'admin', 'password': 'pass'},
    {'device_type': 'cisco_ios', 'host': '192.168.1.2', 'username': 'admin', 'password': 'pass'},
]
for device in devices:
    backup_device_config(device)
5. Network Validation:
from netmiko import ConnectHandler

# Validate network state
def validate_network(device):
    """Validate network configuration and state"""
    with ConnectHandler(**device) as conn:
        conn.enable()
        checks = {
            'interfaces_up': [],
            'bgp_neighbors': [],
            'ospf_neighbors': [],
            'issues': []
        }
        # Check interface status
        output = conn.send_command('show ip interface brief')
        for line in output.split('\n')[1:]:
            fields = line.split()
            if len(fields) < 6:
                continue
            # The last two columns are Status and Protocol; both must be "up"
            if fields[-2:] == ['up', 'up']:
                checks['interfaces_up'].append(fields[0])
            elif 'administratively' not in line.lower():
                checks['issues'].append(f"Interface down: {fields[0]}")
        # Check BGP neighbors
        output = conn.send_command('show ip bgp summary')
        # Parse BGP neighbors
        # Check OSPF neighbors
        output = conn.send_command('show ip ospf neighbor')
        # Parse OSPF neighbors
        return checks
Benefits:
- Reduced configuration time
- Consistent configurations
- Reduced human error
- Easy rollback
- Audit trail
- Scalability
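One way to fill in the "Parse BGP neighbors" step of the validation function in item 5, as an added example that is not part of the original guide. The function names and the sample output are constructed; the parser assumes the standard IOS `show ip bgp summary` table, where the last column holds a prefix count for an established session and a state name otherwise.

```python
# Constructed sample output; only 203.0.113.1 / AS 65002 comes from the guide.
SAMPLE_BGP_SUMMARY = """\
BGP router identifier 1.1.1.1, local AS number 65001
BGP table version is 42, main routing table version 42

Neighbor        V           AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
203.0.113.1     4        65002    1234    1230       42    0    0 1d02h           120
198.51.100.1    4        65003       0       0        1    0    0 never    Active
192.0.2.9       4        65004      10      12        1    0    0 00:03:11 Idle (Admin)
"""

def parse_bgp_summary(output):
    """Return one dict per neighbor row found after the table header."""
    rows, in_table = [], False
    for line in output.splitlines():
        fields = line.split()
        if fields[:1] == ["Neighbor"]:
            in_table = True
            continue
        if not in_table or len(fields) < 10:
            continue
        # A state such as "Idle (Admin)" spans more than one token
        state = " ".join(fields[9:])
        established = state.isdigit()
        rows.append({
            "neighbor": fields[0],
            "remote_as": fields[2],
            "up_down": fields[8],
            "established": established,
            "prefixes": int(state) if established else None,
            "state": "Established" if established else state,
        })
    return rows

def bgp_issues(rows, min_prefixes=1):
    """Flag sessions that are down, or up but receiving too few prefixes."""
    issues = []
    for r in rows:
        if not r["established"]:
            issues.append(f"BGP neighbor {r['neighbor']} (AS {r['remote_as']}) is {r['state']}")
        elif r["prefixes"] < min_prefixes:
            issues.append(f"BGP neighbor {r['neighbor']} (AS {r['remote_as']}) "
                          f"sent only {r['prefixes']} prefixes")
    return issues

if __name__ == "__main__":
    for issue in bgp_issues(parse_bgp_summary(SAMPLE_BGP_SUMMARY)):
        print(issue)
```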
Rarity: Common
Difficulty: Medium-Hard
Advanced Troubleshooting
9. How do you troubleshoot complex network issues?
Answer: Systematic approach to complex problems:
1. Gather Information:
! Check interfaces
show ip interface brief
show interfaces status
! Check routing
show ip route
show ip protocols
! Check neighbors
show cdp neighbors
show lldp neighbors
! Check logs
show logging
2. Packet Capture:
# tcpdump
tcpdump -i eth0 -w capture.pcap
# Wireshark filters
tcp.port == 80
ip.addr == 192.168.1.1
http.request.method == "GET"
3. Network Monitoring:
# SNMP monitoring
snmpwalk -v2c -c public 192.168.1.1
# NetFlow analysis
# Analyze traffic patterns
# Identify bandwidth hogs
# Detect anomalies
4. Layer-by-Layer Troubleshooting:
- Layer 1: Physical (cables, ports)
- Layer 2: Data Link (VLANs, STP)
- Layer 3: Network (routing, IP)
- Layer 4: Transport (TCP/UDP)
- Layer 7: Application (DNS, HTTP)
5. Common Issues:
! Duplex mismatch
show interfaces gigabitethernet 0/0
interface gigabitethernet 0/0
duplex auto
speed auto
! Routing loop
show ip route
traceroute 192.168.1.1
! VLAN mismatch
show vlan brief
show interfaces trunk
Rarity: Very Common
Difficulty: Hard
Conclusion
Senior network engineer interviews require deep technical expertise and practical experience. Focus on:
- Advanced Routing: OSPF, BGP, route manipulation
- WAN Technologies: MPLS vs SD-WAN, migration strategies
- Network Design: High availability, redundancy, scalability
- Wireless: Enterprise WiFi design, roaming, security
- Security: ACLs, VPNs, segmentation, best practices
- QoS: Traffic prioritization, bandwidth management
- Automation: Python, Ansible, NETCONF/RESTCONF
- Troubleshooting: Systematic approach, tools, packet analysis
Demonstrate real-world experience with complex networks and strategic decision-making. Good luck!




