Networking interviews test your understanding of how data moves across systems — from OSI layers and IP addressing to DNS resolution, TCP handshakes, and firewall rules. This guide covers the 50 most common questions with concise, accurate answers.
Quick reference
| Topic | Key concepts |
|---|---|
| OSI & TCP/IP | 7 layers, 4 layers, encapsulation |
| IP Addressing | IPv4/IPv6, CIDR, subnetting, NAT |
| Transport Layer | TCP vs UDP, handshakes, ports |
| Application Layer | HTTP/S, DNS, DHCP, FTP, SSH |
| Routing | Static vs dynamic, BGP, OSPF, RIP |
| Switching | VLANs, STP, MAC addresses, ARP |
| Security | Firewalls, VPN, TLS, IDS/IPS |
| Troubleshooting | ping, traceroute, netstat, Wireshark |
OSI Model & TCP/IP
1. What are the 7 layers of the OSI model?
The OSI (Open Systems Interconnection) model is a conceptual framework that describes how data is transmitted over a network:
| Layer | Name | Protocol examples | Data unit |
|---|---|---|---|
| 7 | Application | HTTP, DNS, FTP, SMTP | Data |
| 6 | Presentation | TLS/SSL, JPEG, ASCII | Data |
| 5 | Session | NetBIOS, RPC | Data |
| 4 | Transport | TCP, UDP | Segment/Datagram |
| 3 | Network | IP, ICMP, OSPF | Packet |
| 2 | Data Link | Ethernet, Wi-Fi, ARP | Frame |
| 1 | Physical | Ethernet cables, fibre, radio | Bits |
Mnemonic (top-down): "All People Seem To Need Data Processing"
2. How does TCP/IP differ from OSI?
TCP/IP (the internet protocol suite) has 4 layers that map to OSI's 7:
| TCP/IP Layer | Maps to OSI layers | Examples |
|---|---|---|
| Application | 5, 6, 7 | HTTP, DNS, FTP, SMTP |
| Transport | 4 | TCP, UDP |
| Internet | 3 | IP, ICMP, ARP |
| Network Access | 1, 2 | Ethernet, Wi-Fi |
OSI is a conceptual model; TCP/IP is the practical implementation used on the internet.
3. What happens when you type a URL into a browser?
High-level steps:
- DNS resolution — browser checks local cache → OS cache → recursive DNS resolver → authoritative name server → returns IP address
- TCP connection — 3-way handshake (SYN → SYN-ACK → ACK) with server on port 80 or 443
- TLS handshake (HTTPS) — negotiate cipher suite, exchange certificates, derive session keys
- HTTP request — GET / HTTP/1.1 (or HTTP/2 or HTTP/3)
- Server processes request — web server, application server, database query
- HTTP response — status code + headers + body (HTML)
- Browser renders — parses HTML, fetches CSS/JS/images (additional DNS + TCP connections)
- TCP teardown — FIN → FIN-ACK → ACK (or connection kept alive for reuse)
4. What is encapsulation in networking?
Each OSI layer wraps data from the layer above with its own header (and sometimes trailer):
Application data
→ [TCP header | Application data] ← Transport segment
→ [IP header | TCP header | App data] ← Network packet
→ [Eth header | IP | TCP | App | Eth FCS] ← Data link frame
→ 10101010... ← Physical bits
At the receiving end, each layer decapsulates (strips its header) and passes data up.
IP Addressing & Subnetting
5. What is an IP address?
An IP address uniquely identifies a device on a network.
- IPv4: 32-bit, written as 4 octets (e.g.,
192.168.1.1) — ~4.3 billion addresses - IPv6: 128-bit, written as 8 groups of hex (e.g.,
2001:0db8:85a3::8a2e:0370:7334) — ~340 undecillion addresses
6. What is CIDR notation?
CIDR (Classless Inter-Domain Routing) expresses an IP address and its subnet mask together:
192.168.1.0/24
↑
24 bits are the network portion → subnet mask 255.255.255.0
8 bits left for hosts → 256 addresses, 254 usable
| CIDR | Subnet mask | Hosts |
|---|---|---|
| /8 | 255.0.0.0 | 16,777,214 |
| /16 | 255.255.0.0 | 65,534 |
| /24 | 255.255.255.0 | 254 |
| /25 | 255.255.255.128 | 126 |
| /30 | 255.255.255.252 | 2 (point-to-point links) |
| /32 | 255.255.255.255 | 1 (single host route) |
7. What are private IP address ranges?
Defined by RFC 1918, these ranges are not routable on the public internet:
| Range | CIDR | Notes |
|---|---|---|
| 10.0.0.0 – 10.255.255.255 | 10.0.0.0/8 | Class A private |
| 172.16.0.0 – 172.31.255.255 | 172.16.0.0/12 | Class B private |
| 192.168.0.0 – 192.168.255.255 | 192.168.0.0/16 | Class C private |
| 127.0.0.0 – 127.255.255.255 | 127.0.0.0/8 | Loopback (localhost) |
| 169.254.0.0 – 169.254.255.255 | 169.254.0.0/16 | Link-local (APIPA) |
8. What is NAT and why is it used?
Network Address Translation (NAT) allows multiple devices on a private network to share a single public IP address:
Private: 192.168.1.10:50000 → NAT → Public: 203.0.113.1:12345 → Internet
- SNAT (Source NAT): modifies source IP — used for outbound traffic (most common)
- DNAT (Destination NAT): modifies destination IP — used for inbound traffic / port forwarding
- PAT (Port Address Translation): maps many private IPs to one public IP using different ports (also called NAPT or "NAT overload")
NAT conserves IPv4 addresses but breaks end-to-end connectivity — IPv6 was designed to eliminate the need for NAT.
9. What is the difference between IPv4 and IPv6?
| Feature | IPv4 | IPv6 |
|---|---|---|
| Address size | 32-bit (4 bytes) | 128-bit (16 bytes) |
| Address space | ~4.3 billion | ~3.4 × 10³⁸ |
| Notation | Decimal dotted (192.168.1.1) | Hex colon (2001:db8::1) |
| Header size | Variable (20–60 bytes) | Fixed 40 bytes |
| Fragmentation | Routers and hosts | Hosts only |
| Broadcast | Yes | No (uses multicast) |
| IPSec | Optional | Mandatory (built-in) |
| DHCP | DHCPv4 | SLAAC or DHCPv6 |
| NAT | Widely used | Not needed |
10. How do you subnet 192.168.10.0/24 into 4 equal subnets?
You need 4 subnets → borrow 2 bits from the host portion → new prefix = /26
| Subnet | Network | Usable range | Broadcast |
|---|---|---|---|
| 1 | 192.168.10.0/26 | .1 – .62 | .63 |
| 2 | 192.168.10.64/26 | .65 – .126 | .127 |
| 3 | 192.168.10.128/26 | .129 – .190 | .191 |
| 4 | 192.168.10.192/26 | .193 – .254 | .255 |
Each subnet has 64 addresses, 62 usable (first = network address, last = broadcast).
Transport Layer: TCP & UDP
11. What is the difference between TCP and UDP?
| Feature | TCP | UDP |
|---|---|---|
| Connection | Connection-oriented (handshake) | Connectionless |
| Reliability | Guaranteed delivery, ordering, retransmission | Best-effort, no guarantee |
| Flow control | Yes (sliding window) | No |
| Congestion control | Yes | No |
| Header size | 20–60 bytes | 8 bytes |
| Speed | Slower (overhead) | Faster |
| Use cases | HTTP, HTTPS, FTP, SMTP, SSH | DNS, DHCP, VoIP, video streaming, gaming |
12. Explain the TCP 3-way handshake.
Establishes a TCP connection before data transfer:
Client Server
| |
|──── SYN (seq=x) ────────>| Client: "I want to connect, my seq starts at x"
| |
|<─── SYN-ACK (seq=y, ack=x+1) ─| Server: "OK, my seq starts at y, expecting x+1"
| |
|──── ACK (ack=y+1) ──────>| Client: "Got it, expecting y+1"
| |
| DATA TRANSFER |
13. What is the TCP 4-way teardown?
Closing a TCP connection requires 4 steps because each direction is closed independently:
Client Server
|── FIN ─────────>| Client: "Done sending"
|<─ ACK ──────────| Server: "Got FIN"
|<─ FIN ──────────| Server: "Done sending too"
|── ACK ─────────>| Client: "Got FIN, closing"
After the last ACK, the client waits in TIME_WAIT (2×MSL ≈ 60–120 seconds) to ensure the server received the ACK.
14. What are common TCP port numbers?
| Port | Protocol | Description |
|---|---|---|
| 20, 21 | FTP | File Transfer (data/control) |
| 22 | SSH | Secure Shell |
| 23 | Telnet | Unencrypted remote access |
| 25 | SMTP | Email sending |
| 53 | DNS | Domain Name System (TCP+UDP) |
| 67, 68 | DHCP | IP lease (UDP) |
| 80 | HTTP | Web (unencrypted) |
| 110 | POP3 | Email retrieval |
| 143 | IMAP | Email retrieval |
| 443 | HTTPS | Web (TLS encrypted) |
| 3306 | MySQL | Database |
| 5432 | PostgreSQL | Database |
| 6379 | Redis | Cache/message broker |
| 8080 | HTTP alt | Dev servers, proxies |
15. What is a socket?
A socket is an endpoint for network communication, uniquely identified by:
(IP address, Port number, Transport protocol)
e.g., (192.168.1.10, 443, TCP)
A socket pair identifies a connection:
(client_IP:client_port, server_IP:server_port)
(10.0.0.5:54321, 93.184.216.34:443)
A server in LISTEN state accepts connections; each accepted connection gets its own socket.
16. What is TCP flow control vs congestion control?
- Flow control — prevents sender from overwhelming the receiver. Receiver advertises a receive window (rwnd); sender limits unacknowledged data to that window size.
- Congestion control — prevents sender from overwhelming the network. TCP maintains a congestion window (cwnd) and uses algorithms:
- Slow start: cwnd doubles each RTT
- Congestion avoidance: cwnd grows linearly (additive increase)
- Fast retransmit/recovery: on 3 duplicate ACKs, retransmit without waiting for timeout
Effective send rate = min(rwnd, cwnd).
Application Layer Protocols
17. How does DNS work?
DNS translates domain names to IP addresses:
Browser → Recursive Resolver → Root NS (.com? → a.gtld-servers.net)
→ TLD NS (example.com? → ns1.example.com)
→ Authoritative NS → returns 93.184.216.34
DNS record types:
| Record | Purpose | Example |
|---|---|---|
| A | IPv4 address | example.com → 93.184.216.34 |
| AAAA | IPv6 address | example.com → 2606:2800::1 |
| CNAME | Alias to another name | www → example.com |
| MX | Mail server | example.com → mail.example.com (priority 10) |
| TXT | Arbitrary text (SPF, DKIM) | v=spf1 include:... |
| NS | Authoritative name servers | example.com → ns1.example.com |
| PTR | Reverse DNS (IP → name) | 34.216.184.93.in-addr.arpa → example.com |
| SOA | Zone authority info | Serial, refresh, retry, expire |
18. What is the difference between DNS A and CNAME records?
- A record: maps a domain name directly to an IPv4 address. Can only point to an IP.
- CNAME record: maps a domain name to another domain name (canonical name). The second lookup returns the IP.
www.example.com CNAME example.com
example.com A 93.184.216.34
CNAME cannot coexist with other records (e.g., MX) at the same name — use A/AAAA at the zone apex instead. Some DNS providers offer "CNAME flattening" (ALIAS/ANAME records) to work around this.
19. What is DHCP and how does it work?
DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses to network devices:
Client DHCP Server
|── DISCOVER (broadcast) ──────>| "Anyone have an IP for me?"
|<─ OFFER (unicast/broadcast) ──| "Here's 192.168.1.100, lease 24h"
|── REQUEST (broadcast) ────────>| "I'll take 192.168.1.100"
|<─ ACK ────────────────────────| "Confirmed, it's yours"
DHCP provides: IP address, subnet mask, default gateway, DNS servers, lease time.
DORA: Discover → Offer → Request → Acknowledge.
20. What is the difference between HTTP/1.1, HTTP/2, and HTTP/3?
| Feature | HTTP/1.1 | HTTP/2 | HTTP/3 |
|---|---|---|---|
| Year | 1997 | 2015 | 2022 |
| Transport | TCP | TCP | QUIC (UDP) |
| Multiplexing | No (1 req/connection unless pipelining) | Yes (multiple streams over 1 TCP connection) | Yes (QUIC streams) |
| Head-of-line blocking | Connection-level | Stream-level (TCP HOL remains) | Eliminated (QUIC) |
| Header compression | None | HPACK | QPACK |
| Server push | No | Yes | Yes |
| TLS | Optional | Effectively required | Required |
| Connection setup | TCP + TLS | TCP + TLS | 0-RTT or 1-RTT (QUIC) |
21. What is the difference between HTTP GET and POST?
| Aspect | GET | POST |
|---|---|---|
| Purpose | Retrieve data | Submit data |
| Body | No body | Has request body |
| URL params | Parameters in URL | Parameters in body |
| Idempotent | Yes | No |
| Safe (no side effects) | Yes | No |
| Cacheable | Yes (by default) | No (by default) |
| Bookmarkable | Yes | No |
| Max size | URL length limit (~2KB–8KB) | No practical limit |
22. What are common HTTP status codes?
| Code | Meaning | Notes |
|---|---|---|
| 200 | OK | Request succeeded |
| 201 | Created | Resource created (after POST/PUT) |
| 204 | No Content | Success, no body (DELETE) |
| 301 | Moved Permanently | Use new URL, update links |
| 302 | Found | Temporary redirect |
| 304 | Not Modified | Use cache (ETag/Last-Modified matched) |
| 400 | Bad Request | Client sent invalid data |
| 401 | Unauthorized | Authentication required |
| 403 | Forbidden | Authenticated but not authorised |
| 404 | Not Found | Resource doesn't exist |
| 405 | Method Not Allowed | Wrong HTTP method |
| 409 | Conflict | Conflict with current state |
| 422 | Unprocessable Entity | Validation error |
| 429 | Too Many Requests | Rate limit exceeded |
| 500 | Internal Server Error | Server-side bug |
| 502 | Bad Gateway | Upstream server error |
| 503 | Service Unavailable | Server overloaded / down |
| 504 | Gateway Timeout | Upstream server timeout |
Routing & Switching
23. What is the difference between a hub, switch, and router?
| Device | OSI Layer | Forwarding | Intelligence |
|---|---|---|---|
| Hub | Layer 1 (Physical) | Broadcasts to all ports | None |
| Switch | Layer 2 (Data Link) | Forwards by MAC address (unicast) | MAC address table |
| Router | Layer 3 (Network) | Routes by IP address | Routing table |
- Hub: all traffic to all ports — creates collision domain; deprecated
- Switch: learns MAC addresses, forwards frames to correct port; each port is its own collision domain
- Router: connects different networks, determines best path using IP routing table
24. What is ARP?
ARP (Address Resolution Protocol) maps an IP address to a MAC address on a local network:
Host A (IP: 192.168.1.10, MAC: aa:bb:cc:dd:ee:01)
Host B (IP: 192.168.1.20, MAC: aa:bb:cc:dd:ee:02)
A → (ARP broadcast): "Who has 192.168.1.20?"
B → (ARP reply, unicast to A): "I do. My MAC is aa:bb:cc:dd:ee:02"
A stores this in its ARP cache.
ARP only works within a subnet (same broadcast domain). To reach another subnet, traffic goes to the default gateway instead.
ARP poisoning/spoofing is a MITM attack where an attacker sends fake ARP replies to associate their MAC with a legitimate IP.
25. What is a VLAN?
A VLAN (Virtual LAN) segments a physical network into logical isolated networks:
- Devices in different VLANs cannot communicate directly (they're in separate broadcast domains)
- Communication between VLANs requires a Layer 3 device (router or Layer 3 switch)
- VLANs are configured on switches using IEEE 802.1Q tagging — a 4-byte tag added to frames
Uses: separate guest/corporate traffic, isolate IoT devices, reduce broadcast domains, enforce security policies.
26. What is Spanning Tree Protocol (STP)?
STP (IEEE 802.1D) prevents Layer 2 loops in networks with redundant switch paths:
- Elect root bridge — switch with lowest Bridge ID (priority + MAC)
- Find root ports — each non-root switch selects the port with lowest path cost to root
- Find designated ports — one designated port per segment (lowest cost path to root)
- Block remaining ports — puts redundant ports in blocking state
Port states: Blocking → Listening → Learning → Forwarding
RSTP (802.1w) — faster convergence (seconds vs 30–50s for STP). MSTP (802.1s) — multiple spanning trees per VLAN group.
27. What is the difference between static and dynamic routing?
| Feature | Static Routing | Dynamic Routing |
|---|---|---|
| Configuration | Manual by admin | Automatic via protocol |
| Scalability | Poor (large networks) | Good |
| Overhead | None | Protocol traffic (small) |
| Convergence | Immediate (no re-routing on failure) | Auto-adjusts to failures |
| Use case | Small networks, specific routes | Medium to large networks |
| Examples | ip route 10.0.2.0 255.255.255.0 10.0.1.1 |
OSPF, EIGRP, BGP |
28. What is BGP?
BGP (Border Gateway Protocol) is the routing protocol of the internet — used between autonomous systems (AS):
- eBGP: between different ASes (internet service providers, organisations)
- iBGP: within the same AS
BGP selects routes based on path attributes (not just distance): AS-path, local preference, MED, next-hop, etc. It's a path-vector protocol — very policy-driven.
BGP is at the core of internet routing: when you see "BGP hijack" news, an AS is incorrectly advertising routes it doesn't own.
29. What is OSPF?
OSPF (Open Shortest Path First) is a link-state routing protocol used within an AS (interior gateway protocol):
- Each router maintains a Link State Database (LSDB) — a complete map of the network topology
- Uses Dijkstra's algorithm to compute shortest paths
- Areas (area 0 = backbone) reduce LSDB size and LSA flooding
- Supports VLSM/CIDR, authentication, fast convergence
Metrics: cost = reference bandwidth / interface bandwidth (default reference: 100 Mbps)
Network Security
30. What is a firewall and what types exist?
A firewall controls incoming and outgoing network traffic based on rules:
| Type | How it works | Strengths |
|---|---|---|
| Packet filter | Inspects IP/TCP headers (source/dest IP, port) | Fast, simple |
| Stateful inspection | Tracks connection state; only allows established/related traffic | Better security, blocks invalid packets |
| Application-layer (proxy) | Understands application protocols (HTTP, DNS) | Deep inspection, stops app-layer attacks |
| Next-generation (NGFW) | Combines stateful + DPI + IPS + user identity | Most comprehensive |
| WAF | HTTP-specific; blocks SQL injection, XSS, CSRF | Protects web apps |
31. What is the difference between IDS and IPS?
| IDS (Intrusion Detection System) | IPS (Intrusion Prevention System) | |
|---|---|---|
| Position | Passive (out-of-band, mirror port) | Inline (in traffic path) |
| Action | Alerts only | Alerts + blocks traffic |
| Impact on latency | None | Slight (inspects live traffic) |
| False positive risk | Annoying alerts | Can block legitimate traffic |
Detection methods: signature-based (known patterns), anomaly-based (baseline deviation), heuristic (behavioural analysis).
32. What is a VPN?
A VPN (Virtual Private Network) creates an encrypted tunnel over a public network:
Types:
- Site-to-site VPN: connects two office networks (IPsec tunnels between gateways)
- Remote access VPN: individual users connect to a corporate network (OpenVPN, WireGuard, Cisco AnyConnect)
Protocols:
| Protocol | Notes |
|---|---|
| IPsec | Standard, two modes (transport/tunnel); ESP + AH |
| OpenVPN | SSL/TLS-based, highly configurable |
| WireGuard | Modern, fast, minimal codebase |
| L2TP/IPsec | L2TP for tunnelling + IPsec for encryption |
| PPTP | Deprecated (broken security) |
33. Explain TLS and how it secures HTTPS.
TLS (Transport Layer Security) provides confidentiality, integrity, and authentication:
TLS 1.3 Handshake (simplified):
Client → Server: ClientHello (TLS version, cipher suites, key share)
Server → Client: ServerHello (chosen cipher, key share, certificate)
Both: Derive session keys from ECDHE shared secret
Client → Server: Finished (encrypted with session key)
Server → Client: Finished
Application data flows encrypted
Key concepts:
- Certificate: proves server identity (signed by trusted CA)
- ECDHE: Ephemeral Diffie-Hellman for forward secrecy
- AEAD: authenticated encryption (AES-GCM, ChaCha20-Poly1305) — provides both confidentiality and integrity
34. What is a DDoS attack and how is it mitigated?
DDoS (Distributed Denial of Service) floods a target with traffic from many sources to exhaust resources:
Types:
| Type | Method | Example |
|---|---|---|
| Volumetric | Saturate bandwidth | UDP flood, DNS amplification |
| Protocol | Exhaust state tables | SYN flood, ICMP flood |
| Application layer | Exhaust server resources | HTTP flood, slow HTTP |
Mitigations:
- Rate limiting at edge routers/firewalls
- IP reputation / blacklisting (known botnet IPs)
- Anycast diffusion (spread traffic across many PoPs)
- Scrubbing centres (route traffic through filtering infrastructure)
- CDN / cloud DDoS protection (Cloudflare, AWS Shield, Akamai)
- SYN cookies (for SYN flood — no state until handshake complete)
35. What is the difference between symmetric and asymmetric encryption?
| Feature | Symmetric | Asymmetric |
|---|---|---|
| Keys | Same key for encrypt/decrypt | Public key encrypts, private key decrypts |
| Speed | Fast | Slow (10–1000×) |
| Key exchange | Problem: how to share securely? | Key exchange is the purpose |
| Algorithms | AES, ChaCha20, 3DES | RSA, ECC, Diffie-Hellman |
| Use in TLS | Session data encryption | Key exchange + certificate verification |
In practice, TLS uses hybrid encryption: asymmetric to establish session key, symmetric for bulk data.
Network Troubleshooting
36. What does the ping command do?
ping sends ICMP Echo Request packets and waits for ICMP Echo Reply:
ping google.com
# PING google.com (142.250.74.46): 56 data bytes
# 64 bytes from 142.250.74.46: icmp_seq=0 ttl=117 time=12.3 ms
- RTT (Round Trip Time): latency to destination
- Packet loss:
%of packets with no reply → congestion or host unreachable - TTL: decremented at each hop; if TTL reaches 0, router sends "Time Exceeded" ICMP
Note: some hosts/firewalls block ICMP — no ping response doesn't necessarily mean unreachable.
37. What does traceroute (or tracert on Windows) show?
traceroute reveals each hop between source and destination by sending packets with incrementing TTL (1, 2, 3…). Each router that discards a TTL-expired packet sends back an ICMP "Time Exceeded" message revealing its IP:
traceroute google.com
# 1 192.168.1.1 (your router) 1.2 ms
# 2 10.10.0.1 (ISP hop) 5.4 ms
# 3 72.14.198.66 (Google border) 10.1 ms
# 4 142.250.74.46 (google.com) 12.3 ms
Useful for diagnosing where packets are being dropped or experiencing high latency.
38. What does netstat / ss show?
Both display socket and connection information:
ss -tuln # listening TCP/UDP ports (no DNS lookup)
ss -tunap # all connections with process name
netstat -an # all connections (older, slower)
Columns: Local address:port, Foreign address:port, State (LISTEN/ESTABLISHED/TIME_WAIT/CLOSE_WAIT)
39. How do you check which process is using a port?
# Linux
ss -tulnp | grep :8080
lsof -i :8080
# macOS
lsof -i :8080
# Windows
netstat -ano | findstr :8080
# then: tasklist | findstr <PID>
40. What is Wireshark used for?
Wireshark is a packet analyser (network sniffer) that captures and inspects network traffic in real time:
- Capture on any network interface
- Filter traffic:
http,tcp.port == 443,ip.addr == 192.168.1.1,http.request.method == "POST" - Decode protocol layers (reassemble TCP streams, decrypt TLS with session keys)
- Identify packet loss, retransmissions, latency
Common uses: debugging protocol issues, analysing security incidents, understanding application behaviour.
Advanced Networking Concepts
41. What is a load balancer and what algorithms does it use?
A load balancer distributes incoming traffic across multiple servers:
| Algorithm | How it works | Best for |
|---|---|---|
| Round Robin | Rotate through servers sequentially | Servers with similar capacity |
| Weighted Round Robin | Rotate but proportional to weight | Different server capacities |
| Least Connections | Send to server with fewest active connections | Long-lived connections |
| Least Response Time | Send to server with lowest latency + fewest connections | Latency-sensitive apps |
| IP Hash | Hash client IP → consistent server | Session stickiness (no shared session store) |
| Random | Pick randomly | Simple, low overhead |
Layer 4 LB: works at TCP level (fast, no content inspection) Layer 7 LB: understands HTTP — can route by URL, headers, cookies (Nginx, HAProxy, AWS ALB)
42. What is a CDN?
A CDN (Content Delivery Network) distributes content across globally distributed servers (Points of Presence / PoPs):
- Users are served from the nearest PoP → reduced latency
- Static assets (JS, CSS, images) cached at edge
- Some CDNs handle dynamic content acceleration too
- Benefits: lower origin load, DDoS protection, higher availability
How caching works: CDN respects Cache-Control and Expires headers. Origin can set max-age, s-maxage, stale-while-revalidate.
43. What is the difference between unicast, multicast, and broadcast?
| Type | Destination | Example |
|---|---|---|
| Unicast | Single specific host | HTTP request (one client → one server) |
| Broadcast | All hosts on subnet | ARP requests (255.255.255.255 or subnet broadcast) |
| Multicast | Group of interested hosts | Video streaming (239.x.x.x range), OSPF (224.0.0.5) |
| Anycast | Nearest member of a group | DNS root servers, CDN PoP selection |
IPv6 eliminates broadcast entirely — uses multicast instead.
44. What is QoS (Quality of Service)?
QoS mechanisms prioritise certain traffic types to ensure acceptable performance:
- DSCP (Differentiated Services Code Point): marks packets with a 6-bit priority value in IP header
- Traffic shaping: smooth out bursts by buffering traffic
- Policing: drop or re-mark packets exceeding rate limit
- Queuing: prioritise queues (LLQ puts voice/video first)
Example: VoIP packets marked with DSCP EF (Expedited Forwarding) are queued before bulk data.
45. What is network latency and what causes it?
Latency = time for a packet to travel from source to destination:
| Component | Cause |
|---|---|
| Propagation delay | Physical distance (speed of light in fibre ~200,000 km/s) |
| Transmission delay | Packet size / link bandwidth |
| Processing delay | Router/switch forwarding decisions |
| Queuing delay | Waiting in router buffers (congestion) |
Rule of thumb: ~1ms per 100km in fibre. NYC↔London ≈ 70ms RTT minimum.
How to reduce latency: CDN/edge servers, use closer cloud regions, HTTP/2 or HTTP/3, reduce round trips (connection pooling, pipelining, caching).
46. What is SDN (Software-Defined Networking)?
SDN separates the control plane (routing decisions) from the data plane (packet forwarding):
Traditional: Control + Data plane on each router (distributed)
SDN:
┌──────────────────────────┐
│ SDN Controller │ ← Control plane (centralised)
│ (OpenFlow, ONOS, etc.) │
└──────────┬───────────────┘
│ OpenFlow API
┌──────────┴───────────────────┐
│ Forwarding devices (dumb) │ ← Data plane
└──────────────────────────────┘
Benefits: centralised management, programmable, rapid policy changes, better visibility.
47. What is network address space exhaustion and how is it addressed?
IPv4 exhaustion: IANA assigned the last /8 blocks in 2011. Solutions:
- NAT — many private addresses behind one public IP (short-term fix)
- IPv6 — 128-bit addresses, virtually unlimited
- IPv4 market — organisations sell/transfer unused blocks
- CGNAT (Carrier-Grade NAT) — ISPs put customers behind shared NAT
Long-term solution is IPv6 adoption, which is ongoing but incomplete.
48. What is a proxy server vs a reverse proxy?
| Forward Proxy | Reverse Proxy | |
|---|---|---|
| Sits in front of | Clients | Servers |
| Hides | Client identity from internet | Server identity from clients |
| Used for | Outbound filtering, caching, anonymity | Load balancing, TLS termination, caching |
| Examples | Squid, corporate web filter | Nginx, HAProxy, Cloudflare |
[Clients] → [Forward Proxy] → [Internet]
[Internet] → [Reverse Proxy] → [Backend servers]
49. What is network segmentation and why is it important?
Network segmentation divides a network into smaller isolated zones:
- Security: limits blast radius of breaches — attacker in DMZ can't reach database network
- Compliance: PCI-DSS requires cardholder data environment isolation
- Performance: reduces broadcast traffic
Common zones:
Internet → [Firewall] → DMZ (web/email servers)
→ [Inner Firewall] → Corporate LAN
→ [DB Firewall] → Database zone
Micro-segmentation: fine-grained policies at workload level (east-west traffic); used in zero-trust architectures.
50. What is the zero-trust network model?
Zero trust assumes no implicit trust — every access request is verified regardless of network location:
Principles:
- "Never trust, always verify" — authenticated even inside the network
- Least-privilege access — only grant what's needed
- Assume breach — design for lateral movement prevention
- Micro-segmentation — limit blast radius
Implementation: identity verification (MFA), device health checks, policy-based access (ZTNA replaces VPN), network microsegmentation, continuous monitoring.
Contrasts with perimeter-based security ("castle and moat") where inside the network = trusted.
Common mistakes
| Mistake | Correct approach |
|---|---|
| Confusing collision domain with broadcast domain | Switches separate collision domains; routers separate broadcast domains |
| Thinking NAT provides security | NAT is not a firewall; stateful firewall rules provide security |
| Using 0.0.0.0/0 in firewall rules everywhere | Apply least-privilege; restrict by IP, port, and protocol |
| Forgetting that DNS uses both UDP and TCP | UDP for queries <512B; TCP for large responses, zone transfers |
| Treating bandwidth as latency | High bandwidth doesn't mean low latency |
| Confusing authentication and encryption | Authentication = who you are; encryption = data is unreadable |
| Not considering IPv6 | IPv6 is widely deployed; test firewall rules and routing for both |
| Assuming ping failure = host down | ICMP may be blocked; try TCP connection instead |
Networking vs. related fields
| Field | Focus | Networking overlap |
|---|---|---|
| Cloud computing | Virtualised infra (AWS, Azure) | VPCs, security groups, load balancers |
| Security | Protecting systems | Firewalls, IDS, VPN, encryption |
| DevOps | Deploy pipelines, infra | DNS, load balancers, service mesh |
| SRE/Ops | Reliability, SLOs | Network monitoring, latency debugging |
| Systems programming | OS internals | Sockets, TCP stack, kernel networking |
FAQ
Q: What is the difference between a subnet mask and a wildcard mask? Subnet mask and wildcard mask are bitwise opposites. Subnet mask uses 1s for the network bits (255.255.255.0); wildcard mask uses 0s for exact match and 1s for "don't care" (0.0.0.255). Wildcard masks are used in ACLs (Cisco) and OSPF configurations.
Q: How does a switch know where to send a frame?
A switch maintains a MAC address table (CAM table). When a frame arrives on a port, the switch records {source MAC → port}. When forwarding, it looks up the destination MAC. If not found, it floods the frame to all ports except the source. Over time, the table fills and flooding decreases.
Q: What is the difference between routing and forwarding? Routing is the control-plane process of building routing tables (running OSPF, BGP, calculating best paths). Forwarding is the data-plane action of looking up a destination IP in the table and sending the packet to the correct interface — happens at line rate in hardware.
Q: Why does UDP have no handshake? UDP is designed for low-latency applications where some packet loss is acceptable (VoIP, video streaming, online gaming, DNS). The overhead of establishing a connection, retransmitting, and maintaining state is unwanted. Applications that need reliability over UDP implement it themselves (e.g., QUIC, SCTP).
Q: What is the difference between a public and private IP address? Public IPs are globally unique and routable on the internet; assigned by ISPs and IANA. Private IPs (RFC 1918: 10.x.x.x, 172.16-31.x.x, 192.168.x.x) are only valid within a local network and must go through NAT to reach the internet.
Q: How does HTTPS prevent man-in-the-middle attacks? TLS uses certificates signed by trusted CAs. The browser validates the certificate chain against its built-in CA store and verifies the server's hostname matches the certificate. An attacker can intercept traffic but cannot present a valid certificate for the target domain without the private key (or compromising a CA). Corporate HTTPS inspection (SSL bump) is a controlled exception using a trusted internal CA.