Top 30 Computer Networks Interview Questions & Answers (2026)

Computer networks is one of the highest-weightage subjects in GATE CS and a core topic in placement interviews at Cisco, Juniper, TCS, Infosys, Wipro, and product companies. Candidates report that networking questions span from protocol fundamentals to routing algorithm calculations. Based on public preparation resources and candidate-reported interview accounts, questions on the OSI/TCP-IP model, routing algorithms, switching, and protocol comparisons appear most frequently across campus and off-campus drives.

---

Network Fundamentals and Topologies

Q1. What is a computer network? What are the main types of networks by geographic scope? (Easy)

A computer network is a collection of interconnected devices (computers, routers, switches, servers) that communicate with each other using shared protocols and transmission media.

Types by geographic scope:

Network Type	Coverage	Typical Use
PAN (Personal Area Network)	10 meters	Bluetooth, USB, personal devices
LAN (Local Area Network)	Building/campus	Office networks, lab networks
MAN (Metropolitan Area Network)	City	ISP backbone, city-wide Wi-Fi
WAN (Wide Area Network)	Country/world	Internet, MPLS enterprise networks

Key LAN standards:

• Ethernet (IEEE 802.3): wired, 10Mbps to 100Gbps
• Wi-Fi (IEEE 802.11): wireless LAN, various speeds

---

Q2. Compare network topologies: Bus, Star, Ring, Mesh, and Tree. (Easy)

Bus topology: All nodes connect to a single shared cable. A failure in the cable breaks the whole network. Simple, low cost, but poor fault tolerance. Used in early Ethernet (10BASE2).

Star topology: All nodes connect to a central switch/hub. Failure of one node does not affect others. Hub/switch failure brings down the network. Most common in modern LANs.

Ring topology: Nodes form a circular chain. Data travels in one direction (token ring). A break anywhere disrupts all traffic. Used in legacy Token Ring (IEEE 802.5), SONET/SDH (dual ring for redundancy).

Mesh topology: Every node connects to every other node (full mesh) or multiple nodes (partial mesh). High redundancy and fault tolerance. Expensive (n*(n-1)/2 links for full mesh). Used in WANs and critical infrastructure.

Tree (hierarchical) topology: Root switch connects to distribution switches, which connect to access switches. Scalable and common in enterprise campus networks. Failure of a node affects its subtree.

Comparison table:

Topology	Fault Tolerance	Cost	Scalability	Common Use
Bus	Low	Very low	Poor	Legacy
Star	Medium	Medium	Good	Modern LAN
Ring	Medium	Medium	Poor	Legacy token ring
Full mesh	Very high	Very high	Poor	WAN backbone
Tree	Medium	Medium	Very good	Enterprise campus

---

Q3. What is bandwidth vs throughput vs latency? (Easy)

Bandwidth: Maximum data rate a link can carry, measured in bits per second (bps). This is the theoretical capacity. Example: a 100 Mbps Ethernet link has 100 Mbps bandwidth.

Throughput: Actual data rate achieved in practice, always less than or equal to bandwidth. Reduced by protocol overhead, congestion, errors, retransmissions. A 100 Mbps link may have 80 Mbps effective throughput.

Latency (delay): Time for a packet to travel from source to destination. Composed of:

• Propagation delay: distance / speed of light in medium
• Transmission delay: packet size / link bandwidth
• Processing delay: time to process packet headers at nodes
• Queuing delay: time waiting in router buffers

Bandwidth-Delay Product (BDP): BDP = Bandwidth x RTT (round-trip time) Represents the amount of data "in flight" in the network. A 100 Mbps link with 100ms RTT has BDP = 10 Mbps * 0.1s = 1 MB. TCP window size should equal BDP for maximum utilization.

---

Q4. What is the difference between a hub, switch, and router? (Easy)

Hub (Layer 1 - Physical):

• Broadcasts every received frame to all ports
• No intelligence about destination
• Creates a collision domain shared by all ports
• Obsolete in modern networks
• Physical layer device: just amplifies/repeats signals

Switch (Layer 2 - Data Link):

• Learns MAC addresses and builds a MAC address table
• Forwards frames only to the port where the destination MAC is located
• Each port is a separate collision domain
• All ports in one broadcast domain (unless VLANs configured)
• Makes forwarding decisions in hardware (ASICs), very fast

Router (Layer 3 - Network):

• Makes forwarding decisions based on IP addresses
• Connects different networks (subnets)
• Maintains routing tables (static or dynamic)
• Each port is a separate broadcast domain
• Performs NAT, QoS, access control, and other Layer 3 functions

MAC address learning on a switch: When a frame arrives on port 3 from source MAC AA:BB:CC:11:22:33, the switch records MAC -> Port 3 in its table. Future frames destined for that MAC go directly to port 3 (unicast). Unknown MACs are flooded to all ports until learned.

---

Q5. What is a MAC address? How does it differ from an IP address? (Easy)

MAC address:

• 48-bit hardware address burned into NIC by manufacturer
• Format: 6 bytes, typically written as XX:XX:XX:XX:XX:XX (hex)
• First 3 bytes: OUI (Organizationally Unique Identifier) assigned to vendor
• Last 3 bytes: device-specific identifier
• Unique in theory (same OUI used by all NICs from one vendor)
• Layer 2 addressing

IP address:

• Logical address assigned administratively or via DHCP
• 32 bits (IPv4) or 128 bits (IPv6)
• Hierarchical (network + host portions)
• Changes when a device moves networks
• Layer 3 addressing

Key differences:

Feature	MAC Address	IP Address
Layer	2 (Data Link)	3 (Network)
Scope	Local network (one hop)	Global (across networks)
Assignment	Burned in hardware	Configured/DHCP
Changes?	No (usually)	Yes (when network changes)
Used for	LAN frame delivery	Internet routing

When a packet crosses a router, the IP address stays the same (source and destination), but MAC addresses change at every hop (because MAC only has local scope).

---

Protocols and Layers

Q6. Explain the OSI model and where protocols like HTTP, IP, TCP, and Ethernet fit. (Easy)

The OSI model has 7 layers, each with specific responsibilities:

Layer	Name	Protocols/Standards
7	Application	HTTP, HTTPS, FTP, SMTP, DNS, DHCP
6	Presentation	TLS/SSL, JPEG, MPEG, encoding
5	Session	NetBIOS, RPC
4	Transport	TCP, UDP, SCTP
3	Network	IP, ICMP, ARP*, OSPF, BGP
2	Data Link	Ethernet, PPP, 802.11 (Wi-Fi), HDLC
1	Physical	Cables, fiber, RS-232, 802.3 electrical specs

*ARP is sometimes classified as Layer 2/3 boundary.

Protocol data units (PDUs) by layer:

• Application: Message/Data
• Transport: Segment (TCP) / Datagram (UDP)
• Network: Packet
• Data Link: Frame
• Physical: Bit

Encapsulation: As data moves down the stack, each layer adds its header (and sometimes trailer). At the receiver, each layer removes its header (decapsulation) as data moves up the stack.

---

Q7. What is the difference between TCP and UDP? When do you use each? (Easy)

TCP (Transmission Control Protocol):

• Connection-oriented (3-way handshake before data)
• Reliable delivery (acknowledgments, retransmission)
• In-order delivery (sequence numbers)
• Flow control (receiver window)
• Congestion control (CUBIC, BBR)
• Higher overhead (20-byte header minimum)

UDP (User Datagram Protocol):

• Connectionless (no handshake)
• No delivery guarantee
• No ordering guarantee
• No flow or congestion control
• Lower overhead (8-byte header)
• Lower latency

When to use TCP: File transfer (FTP), web browsing (HTTP), email (SMTP/IMAP), database queries, remote login (SSH) - anywhere data integrity matters.

When to use UDP: DNS queries (fast, single round trip), VoIP (latency-sensitive), video streaming (can tolerate drops), online gaming (low latency critical), DHCP, TFTP.

Well-known port numbers:

Protocol	Port	Transport
HTTP	80	TCP
HTTPS	443	TCP
DNS	53	UDP (and TCP for zone transfers)
DHCP	67/68	UDP
SSH	22	TCP
FTP	20/21	TCP
SMTP	25	TCP
SNMP	161	UDP

---

Q8. How does ARP work? What is a Gratuitous ARP? (Medium)

ARP (Address Resolution Protocol): When a host needs to send a packet to an IP address on the same subnet but does not know the MAC address:

1. Source broadcasts: "Who has IP 192.168.1.10? Tell 192.168.1.1"
   • Destination MAC in frame: FF:FF:FF:FF:FF:FF (broadcast)
2. Host with IP 192.168.1.10 responds with its MAC address (unicast)
3. Source caches the mapping in its ARP table (ARP cache)
4. Future packets use cached MAC directly without ARP

ARP cache entries expire (typically 20-30 minutes on Linux, configurable). Use arp -a to view.

Gratuitous ARP: A host sends an ARP reply without having received a request, advertising its own IP-to-MAC mapping. Used for:

• IP conflict detection on startup (if another host replies, conflict exists)
• Updating ARP caches after NIC replacement (MAC changed, same IP)
• Virtual IP failover in HA clusters (VRRP, HSRP): when a standby takes over, it sends gratuitous ARP to update all hosts' caches with the new MAC for the virtual IP

ARP poisoning attack: An attacker sends fraudulent ARP replies to associate their MAC with a legitimate IP. This redirects traffic through the attacker (man-in-the-middle). Mitigated by Dynamic ARP Inspection (DAI) on managed switches.

---

Q9. What is ICMP? How do ping and traceroute use it? (Medium)

ICMP (Internet Control Message Protocol, RFC 792) is a network-layer protocol for error reporting and diagnostics. It is not a transport protocol and does not carry application data.

Common ICMP message types:

Type	Code	Meaning
0	0	Echo Reply (ping response)
3	0-15	Destination Unreachable (various codes)
5	0-3	Redirect
8	0	Echo Request (ping)
11	0	Time Exceeded (TTL expired)
12	0	Parameter Problem

How ping works:

1. Source sends ICMP Echo Request (type 8) to destination
2. Destination replies with ICMP Echo Reply (type 0)
3. Ping measures round-trip time and reports packet loss

How traceroute works (Linux/Unix using UDP; Windows uses ICMP Echo):

1. Send a packet with TTL=1. First router decrements TTL to 0 and sends "ICMP Time Exceeded" back (revealing first hop).
2. Send with TTL=2. Second router replies.
3. Increment TTL until destination responds (either ICMP Echo Reply or UDP Port Unreachable).
4. Collect all hop IP addresses and RTTs.

Windows tracert uses ICMP Echo Request with increasing TTL. Linux traceroute uses UDP by default. Both work because any router dropping a packet for TTL=0 must send ICMP Time Exceeded.

---

Q10. What is NAT? Explain source NAT and destination NAT. (Medium)

NAT (Network Address Translation) maps IP addresses between private (RFC 1918) and public address space. Required because private addresses are not internet-routable.

Source NAT (SNAT / IP masquerade): Modifies the source IP address of outgoing packets. Most common form. When a private host sends traffic to the internet:

1. Host sends packet: src=192.168.1.10:3000, dst=8.8.8.8:53
2. NAT router rewrites: src=203.0.113.1:45000 (public IP + new port), dst=8.8.8.8:53
3. Response returns to 203.0.113.1:45000
4. NAT table maps 45000 back to 192.168.1.10:3000
5. Packet delivered to original host

Destination NAT (DNAT / port forwarding): Modifies destination IP. Used to expose internal servers to the internet:

• External request to 203.0.113.1:80
• DNAT rule: rewrite dst to 192.168.1.100:80 (internal web server)
• Response returns via SNAT

NAT types (relevant for P2P/gaming):

• Full cone NAT: any external host can send to mapped port
• Restricted cone: only hosts you've sent to can reply
• Port-restricted cone: only same host AND port can reply
• Symmetric NAT: different external mapping per destination; breaks most P2P

NAT tables are maintained in connection tracking (conntrack on Linux iptables/nftables).

---

Routing

Q11. What is routing? Differentiate between static routing and dynamic routing. (Easy)

Routing is the process of selecting paths for traffic to travel from source to destination across one or more networks. Routers use routing tables to make forwarding decisions.

Static routing:

• Administrator manually configures routes
• No protocol overhead
• Does not adapt to topology changes
• Suitable for small, stable networks or specific policy routes
• Example (Cisco): ip route 192.168.2.0 255.255.255.0 10.0.0.1

Dynamic routing:

• Routers exchange routing information via protocols
• Adapts automatically to link failures and topology changes
• Overhead: routing protocol traffic and CPU processing
• Required for large networks

Dynamic routing protocols:

Protocol	Type	Algorithm	Use case
RIPv2	Distance vector	Bellman-Ford	Small networks
OSPF	Link state	Dijkstra (SPF)	Enterprise, ISP
EIGRP	Advanced distance vector	DUAL	Cisco enterprises
BGP	Path vector	Best-path selection	Internet (ASes)
IS-IS	Link state	Dijkstra	ISP backbone

---

Q12. Explain Dijkstra's shortest path algorithm and how OSPF uses it. (Medium)

Dijkstra's algorithm finds the shortest path from a source node to all other nodes in a weighted graph (where weights are non-negative).

Algorithm steps:

1. Initialize: set source distance to 0, all others to infinity. Mark all unvisited.
2. Select unvisited node with smallest current distance (start with source).
3. For each neighbor, if current distance + edge weight < neighbor's current distance, update it.
4. Mark current node as visited.
5. Repeat until all nodes visited or destination reached.

Example graph:

A --1-- B --2-- D
|       |       |
4       1       3
|       |       |
C --3-- E --1-- F

SPF from A: A=0, B=1, C=4, D=3, E=2, F=3. Path to F: A->B->E->F (cost 3).

OSPF (Open Shortest Path First) uses Dijkstra:

1. Each router floods Link State Advertisements (LSAs) to all routers in the area.
2. Each router builds an identical LSDB (Link State Database).
3. Each router runs Dijkstra on the LSDB to compute shortest paths.
4. Resulting Routing Information Base (RIB) populates the routing table.

OSPF metric = cost = reference bandwidth / interface bandwidth. Default reference: 100 Mbps. A 100 Mbps link has cost 1; a 10 Mbps link has cost 10.

---

Q13. What is the Bellman-Ford algorithm? How does RIP use it? (Medium)

Bellman-Ford finds shortest paths in a graph that may have negative edges (unlike Dijkstra). For routing, edges are link costs (always positive), but Bellman-Ford tolerates more topology types.

Algorithm: For each node v, distance[v] = min over all neighbors u of (distance[u] + cost(u,v)).

Distance vector protocol operation (RIP):

1. Each router starts knowing only its directly connected networks (distance 0).
2. Each router sends its entire routing table to immediate neighbors every 30 seconds.
3. Receiving router updates its table: if learned_distance + link_cost < current_distance, update.
4. After enough exchanges, all routers converge to correct paths.

RIP specifics:

• Metric: hop count (max 15; 16 = infinite/unreachable)
• Slow convergence: changes propagate one hop per update cycle (30 sec)
• Count-to-infinity problem: bad news propagates slowly; split horizon and route poisoning mitigate it

Count-to-infinity example: A--B--C (A can reach network X with cost 1). If A-X link fails:

• A marks X as unreachable
• B still has route to X via A at cost 2
• A hears B's route, thinks X reachable via B at cost 3
• B hears A's update (cost 3), sets its own to 4
• Counts to infinity (max 16 in RIP) Fix: split horizon (never advertise a route back to the interface you learned it from).

---

Q14. What is BGP? Why is it called the "protocol of the internet"? (Hard)

BGP (Border Gateway Protocol, RFC 4271) is the routing protocol that connects Autonomous Systems (AS) on the internet. An AS is a network under a single administrative domain with a unique AS number (ASN).

Why BGP is the protocol of the internet:

• Every ISP, cloud provider, CDN, and large enterprise runs BGP
• BGP routes determine how packets traverse the global internet
• Around 900,000+ routes in the global BGP table (IPv4 + IPv6)
• No BGP = no global internet routing

eBGP vs iBGP:

Feature	eBGP (External)	iBGP (Internal)
Between	Different ASes	Same AS
TTL	1 (adjacent routers only)	64
AD	20	200
Next-hop change	Yes	No (full mesh or RR needed)
Loop prevention	AS path (removes own ASN)	Split horizon

BGP path selection (best-path algorithm, simplified):

1. Highest Weight (Cisco-specific)
2. Highest LOCAL_PREF (prefer routes within AS)
3. Locally originated routes
4. Shortest AS_PATH
5. Lowest ORIGIN (IGP < EGP < Incomplete)
6. Lowest MED (from same AS)
7. eBGP over iBGP
8. Lowest IGP metric to next-hop
9. Lowest BGP router ID

BGP is policy-routing: Unlike OSPF, BGP allows operators to influence route selection based on business relationships (customer, peer, provider) using route maps and community attributes.

---

Q15. What are routing metrics? Compare OSPF cost, RIP hop count, and EIGRP composite metric. (Medium)

A routing metric is a value used by a routing protocol to determine the best path when multiple paths to a destination exist.

RIP - Hop count:

• Counts number of routers traversed
• Simple but ignores bandwidth
• Max 15 hops (16 = unreachable)
• A path through 3 fast links counts same as 3 slow links

OSPF - Cost:

• Cost = reference bandwidth / interface bandwidth
• Default reference: 100 Mbps
• 100 Mbps link: cost 1; 10 Mbps: cost 10; 1 Gbps: cost 1 (same as 100M, so adjust reference)
• Only considers bandwidth, not delay
• Lower cost = better path

EIGRP - Composite metric: K1bandwidth + K2bandwidth/(256-load) + K3delay + K4reliability + K5*reliability/(load+K4) Default: K1=1, K2=0, K3=1, K4=0, K5=0

Simplified default: metric = bandwidth + delay

• Bandwidth: 10^7 / min_bandwidth_kbps (minimum along path)
• Delay: sum of delays / 10 (in microseconds, divided by 10)

EIGRP metric is more accurate than RIP (considers bandwidth and delay) and more flexible than OSPF (can also consider load and reliability if K values changed).

---

Switching and VLANs

Q16. How does a Layer 2 switch forward frames? What is a spanning tree? (Medium)

Layer 2 switching operation:

When a frame arrives:

1. Source MAC + incoming port recorded in MAC address table (learning)
2. Destination MAC lookup in table
   • Found: forward to specific port (unicast)
   • Not found: flood to all ports except incoming (unknown unicast)
   • Broadcast/multicast MAC: flood to all ports except incoming

MAC address table ages out entries (default 300 seconds). Prevents stale entries from consuming table space.

Spanning Tree Protocol (STP, IEEE 802.1D): Redundant links between switches are physically connected for fault tolerance but create loops. Ethernet frames have no TTL, so looped frames circulate forever, causing broadcast storms.

STP prevents loops by blocking redundant ports:

1. Elect one root bridge (lowest Bridge ID = priority + MAC)
2. Each non-root switch finds its root port (lowest cost to root)
3. Each segment elects a designated port (switch with lowest cost to root)
4. All other ports are blocked (still receive BPDUs, do not forward traffic)

STP port states: Blocking -> Listening -> Learning -> Forwarding (50 second default convergence)

RSTP (802.1w): Faster convergence (1-2 seconds) by pre-negotiating port roles.

MSTP (802.1s): Multiple STP instances, one per VLAN group, allows load balancing across redundant links.

---

Q17. What is a VLAN? How does 802.1Q tagging work? (Medium)

A VLAN (Virtual LAN) is a logical grouping of switch ports into a separate broadcast domain, regardless of physical location. Each VLAN behaves as if it were a separate physical switch.

Benefits:

• Security: separate sensitive systems (HR, Finance) from general network
• Broadcast control: limit broadcast domains to smaller groups
• Flexibility: move users between VLANs without rewiring
• Traffic prioritization: VoIP VLAN can have QoS policies

802.1Q tagging: When a frame traverses a trunk link (carrying multiple VLANs), a 4-byte 802.1Q tag is inserted into the Ethernet frame after the source MAC address:

• TPID: 0x8100 (identifies the frame as 802.1Q tagged)
• PCP: 3-bit priority (CoS for QoS)
• DEI: drop eligible indicator
• VID: 12-bit VLAN ID (supports VLANs 1-4094)

Access vs Trunk ports:

• Access port: belongs to one VLAN, frames untagged on the wire (tag stripped on send, added on receive)
• Trunk port: carries multiple VLANs, frames tagged with 802.1Q (except native VLAN which is untagged by default)

Inter-VLAN routing: Since VLANs are separate Layer 2 domains, a Layer 3 device is required for communication between VLANs:

• Router-on-a-stick: single physical router with sub-interfaces per VLAN
• Layer 3 switch with SVIs (Switched Virtual Interfaces): more efficient, wirespeed routing

---

Wireless Networking

Q18. Explain the 802.11 Wi-Fi standards and their key differences. (Medium)

IEEE 802.11 defines Wi-Fi standards. Key generations:

Standard	Common Name	Max Speed	Frequency	Key Feature
802.11b	Wi-Fi 1	11 Mbps	2.4 GHz	Early broadband
802.11a	Wi-Fi 2	54 Mbps	5 GHz	Less interference
802.11g	Wi-Fi 3	54 Mbps	2.4 GHz	Backward compatible with b
802.11n	Wi-Fi 4	600 Mbps	2.4/5 GHz	MIMO (4x4)
802.11ac	Wi-Fi 5	3.5 Gbps	5 GHz	MU-MIMO, 80/160 MHz channels
802.11ax	Wi-Fi 6	9.6 Gbps	2.4/5 GHz	OFDMA, BSS coloring, TWT
802.11ax	Wi-Fi 6E	9.6 Gbps	6 GHz	New 6 GHz band
802.11be	Wi-Fi 7	46 Gbps	2.4/5/6 GHz	Multi-link operation

Key technical advances:

• MIMO (Multiple Input Multiple Output): multiple antennas for spatial streams
• MU-MIMO (Multi-User MIMO): Wi-Fi 5+ serves multiple clients simultaneously
• OFDMA (Wi-Fi 6): subdivides channels for multiple clients simultaneously; improves dense environments
• BSS Coloring (Wi-Fi 6): reduces interference by marking overlapping network frames

Access mechanism: 802.11 uses CSMA/CA (Carrier Sense Multiple Access with Collision Avoidance), not CSMA/CD used in wired Ethernet. Wireless cannot detect collisions while transmitting, so it avoids them via backoff timers and RTS/CTS.

---

Q19. What is the difference between infrastructure mode and ad-hoc mode in wireless networking? (Easy)

Infrastructure mode (BSS - Basic Service Set):

• Clients communicate through an Access Point (AP)
• AP connects to wired network
• AP handles channel management, beacons, association
• Most common mode for home, office, and enterprise Wi-Fi
• Extended Service Set (ESS): multiple APs form a single logical network (same SSID) for roaming

Ad-hoc mode (IBSS - Independent BSS):

• Peer-to-peer direct communication between clients
• No AP required
• Limited range and throughput
• Used for temporary file sharing, device-to-device
• Replaced largely by Wi-Fi Direct (P2P mode) in modern devices

Wi-Fi Direct (Wi-Fi P2P): Modern peer-to-peer Wi-Fi where one device acts as a "software AP" (P2P Group Owner). Used for screen mirroring (Miracast), file sharing (AirDrop, Nearby Share), and IoT device setup.

---

Network Security Basics

Q20. What is a firewall? Compare stateful vs stateless firewalls. (Medium)

A firewall monitors and controls incoming and outgoing network traffic based on configured security rules.

Stateless firewall (packet filter):

• Examines each packet independently
• Matches on: source IP, destination IP, protocol, source port, destination port
• Fast and simple but cannot track connection state
• Problem: cannot distinguish legitimate return traffic from attack traffic without also allowing the reply direction permanently

Stateful firewall:

• Tracks connection state in a state table
• For TCP: records three-way handshake, tracks sequence numbers
• For UDP: tracks recent UDP exchanges
• Return traffic automatically permitted if it matches an established connection
• Can detect SYN floods, session hijacking, and out-of-state packets

Modern NGFW (Next-Generation Firewall): Adds application awareness (Layer 7), user identity, SSL/TLS inspection, intrusion prevention, and reputation-based filtering on top of stateful inspection.

Stateful inspection example: Rule: permit TCP from 192.168.1.0/24 to any port 80 (outbound HTTP)

• Stateless: must also add a rule allowing return traffic from port 80 to high ports
• Stateful: return traffic automatically allowed because firewall tracks the established TCP connection

---

Q21. What is a VPN? Compare IPSec and SSL/TLS VPNs. (Medium)

A VPN (Virtual Private Network) creates an encrypted tunnel over a public network, allowing secure communication as if on a private network.

IPSec VPN:

• Operates at Layer 3 (Network layer)
• Two modes: Tunnel mode (entire IP packet encrypted, new header added) and Transport mode (only payload encrypted, original header preserved)
• Protocols: AH (Authentication Header) for integrity-only, ESP (Encapsulating Security Payload) for encryption + integrity
• IKE (Internet Key Exchange) for key negotiation
• Full network access to remote network
• Common for site-to-site VPNs between offices

SSL/TLS VPN:

• Operates at Application layer using TLS
• Accessed via web browser or lightweight client
• More firewall-friendly (uses HTTPS port 443)
• Clientless option for web apps only, or full tunnel client
• Easier to deploy for remote user access
• Common for remote worker access (AnyConnect, GlobalProtect, OpenVPN)

Comparison:

Feature	IPSec	SSL/TLS VPN
Layer	3	7
Port	UDP 500/4500 (IKE)	TCP 443
Client required	Yes	Optional
Firewall traversal	Can be blocked	Rarely blocked
Use case	Site-to-site	Remote access
Performance	High	Good

---

Advanced Topics

Q22. What is QoS? Explain DiffServ and how it prioritizes traffic. (Hard)

QoS (Quality of Service) provides differentiated treatment to network traffic, ensuring critical applications (VoIP, video conferencing) receive bandwidth and low latency even during congestion.

Without QoS: all packets treated equally (best-effort). A large file download can cause VoIP call quality to degrade.

DiffServ (Differentiated Services): Uses a 6-bit DSCP (Differentiated Services Code Point) field in the IP header to mark traffic. Markings are assigned at the network edge and respected by core routers.

Common DSCP markings:

Traffic Type	DSCP Name	DSCP Value	Per-Hop Behavior
VoIP	EF	46	Expedited Forwarding
Video conference	AF41	34	Assured Forwarding
Business critical	AF31	26	Assured Forwarding
Best effort	BE/CS0	0	Default forwarding
Scavenger (backups)	CS1	8	Low priority

QoS mechanisms:

• Classification and marking: identify traffic at edge, mark DSCP
• Queuing: multiple output queues, scheduler prioritizes
• CBWFQ (Class-Based Weighted Fair Queuing): guaranteed bandwidth per class
• LLQ (Low Latency Queuing): strict priority queue for voice, plus fair queuing for other classes
• Traffic shaping/policing: rate-limit traffic exceeding agreed rates

---

Q23. What is MPLS? How does label switching differ from IP routing? (Hard)

MPLS (Multiprotocol Label Switching) forwards packets based on short fixed-length labels rather than performing longest-prefix IP routing lookups at each hop.

How MPLS works:

1. Edge router (LER - Label Edge Router) receives IP packet, determines FEC (Forwarding Equivalence Class) - typically the destination prefix
2. LER pushes an MPLS label onto the packet (label stack: 4 bytes between Layer 2 and Layer 3 headers, sometimes called "Layer 2.5")
3. Core MPLS routers (LSR - Label Switch Routers) forward based on label only (swap label, forward)
4. Egress LER pops the label and forwards the IP packet normally

Label vs IP routing:

Feature	IP Routing	MPLS
Lookup type	Longest prefix match (variable length)	Exact label match (fixed)
Lookup location	Every router	Only edge routers
Speed	Slower (complex lookup)	Faster (simple exact match)
Traffic engineering	Limited	Explicit path setup (RSVP-TE)
VPN support	Complex	Inherent (L3VPN, L2VPN)

MPLS use cases:

• Enterprise WAN (MPLS VPN): guaranteed bandwidth, QoS, traffic engineering
• ISP backbone: traffic engineering to avoid congestion
• L2VPN: transport Layer 2 frames across IP backbone (pseudowires)
• Note: MPLS is declining as SD-WAN and internet-based VPNs gain adoption

---

Q24. What is SDN (Software-Defined Networking)? How does it differ from traditional networking? (Hard)

SDN separates the control plane (routing decisions) from the data plane (packet forwarding) and centralizes control in a software controller.

Traditional networking:

• Each device runs its own control plane software (routing protocols, STP)
• Configuration distributed across all devices
• Changes require touching each device individually
• Vendor-locked: Cisco CLI, Junos, etc.

SDN architecture:

• Control plane: centralized SDN controller (OpenDaylight, ONOS, OpenContrail)
• Data plane: forwarding hardware on network devices (OpenFlow switches)
• Northbound API: controller to management applications (REST API)
• Southbound API: controller to network devices (OpenFlow protocol)

OpenFlow: Allows the SDN controller to program flow tables in switches. A flow entry: match (src IP, dst IP, port, etc.) + actions (forward, drop, modify, meter).

Benefits of SDN:

• Centralized visibility and policy
• Programmable network behavior
• Vendor-agnostic (in theory)
• Easier traffic engineering and network slicing
• Foundation for NFV (Network Functions Virtualization)

Deployment: Primarily in data centers (VMware NSX, Cisco ACI), cloud provider networks (Google B4, Amazon Orion), and 5G mobile core.

---

Q25. What is network address translation and how does it affect peer-to-peer applications? (Medium)

NAT translates private IP addresses to public IP addresses, enabling multiple devices to share one public IP. It breaks the end-to-end connectivity principle of the internet.

NAT traversal problems for P2P:

• Peer A is behind NAT (private IP 192.168.1.5)
• Peer B is behind different NAT (private IP 10.0.0.5)
• Neither can initiate connection to the other's private address
• Neither knows the other's public IP:port mapping

Solutions:

STUN (Session Traversal Utilities for NAT):

• Client contacts public STUN server to discover its external IP:port
• Share this mapping with peer via a signaling server
• Works for Full Cone and Restricted Cone NAT
• Fails for Symmetric NAT

TURN (Traversal Using Relays around NAT):

• Media goes through a TURN relay server
• Works for all NAT types including Symmetric
• Higher cost (server bandwidth), higher latency
• Fallback when STUN fails

ICE (Interactive Connectivity Establishment):

• Framework that tries STUN first, then TURN as fallback
• Used in WebRTC, SIP/VoIP, many P2P apps

NAT hole punching: Both peers send packets to each other's external address simultaneously, exploiting that NAT creates state for the outgoing packet and allows the reply.

---

Q26. What is the difference between half-duplex and full-duplex communication? (Easy)

Half-duplex: Communication can occur in both directions but not simultaneously. Only one side transmits at a time.

• Walkie-talkies, CSMA/CD (early Ethernet with hubs)
• CSMA/CD needed because collision detection only works in half-duplex
• 10 Mbps effective throughput on a 10 Mbps link due to collisions

Full-duplex: Both sides transmit simultaneously on separate channels.

• Modern switched Ethernet (no shared medium, no collisions)
• CSMA/CD disabled on full-duplex Ethernet
• Both upload and download run at full link speed simultaneously
• Fiber: separate TX and RX fibers, inherently full-duplex
• Twisted pair: separate wire pairs for TX and RX

Duplex mismatch: If one end of a link is configured full-duplex and the other is half-duplex (auto-negotiation failure), performance degrades severely:

• Full-duplex side sends continuously
• Half-duplex side detects collisions, backs off, retransmits
• Results in very low throughput and high error counts

Symptom: interface shows errors/late collisions on one or both ends.

---

Q27. Explain the concept of a "socket" in networking. What makes a socket unique? (Medium)

A socket is a software endpoint for network communication. It is the interface between application code and the network stack.

Socket uniquely identified by a 5-tuple: (Protocol, Source IP, Source Port, Destination IP, Destination Port)

All five values must be unique together. This allows a server to maintain many connections on the same port:

• A web server on port 80 can have 1000 simultaneous connections
• Each connection has a different source IP and/or source port
• TCP stack demultiplexes incoming packets to the correct socket using the 5-tuple

Socket types:

• SOCK_STREAM: TCP (connection-oriented, reliable)
• SOCK_DGRAM: UDP (connectionless, datagram)
• SOCK_RAW: raw socket (access to IP or lower, used by ping/traceroute)

Socket lifecycle (server):

socket() -> bind(IP, port) -> listen() -> accept() -> recv()/send() -> close()

Socket lifecycle (client):

socket() -> connect(server_IP, port) -> send()/recv() -> close()

Ephemeral ports: Client sockets are assigned ephemeral (temporary) source ports by the OS, typically from range 49152-65535 (IANA), or 1024-65535 on Linux (configurable via /proc/sys/net/ipv4/ip_local_port_range).

---

Q28. What is network congestion? How do TCP congestion control algorithms address it? (Hard)

Network congestion occurs when traffic demand exceeds network capacity, causing router buffers to fill and packets to be dropped.

Congestion signals:

• Packet loss (detected by sender via missing ACKs or duplicate ACKs)
• Explicit Congestion Notification (ECN): router marks packets instead of dropping; receiver echoes to sender

TCP congestion control phases:

Slow Start:

• Begin with cwnd = 1 MSS
• Double cwnd each RTT (exponential growth)
• Until cwnd reaches ssthresh (slow start threshold)

Congestion Avoidance:

• Increase cwnd by 1 MSS per RTT (linear growth)
• Continue until loss detected

Fast Retransmit:

• 3 duplicate ACKs signals loss (not waiting for timeout)
• Immediately retransmit lost segment
• ssthresh = cwnd / 2, cwnd = ssthresh (TCP Reno)

Fast Recovery:

• After fast retransmit, enter congestion avoidance (not slow start again)
• This is the Reno improvement over Tahoe

CUBIC (default in Linux kernel since 2.6.19): Uses a cubic function to set window size based on time since last congestion event, rather than purely ACK-driven. Better utilization on high-bandwidth, high-latency paths (satellites, long-haul fiber).

BBR (Bottleneck Bandwidth and RTT, Google): Models the network by probing bandwidth and minimum RTT. Does not use packet loss as a primary congestion signal. Better for paths with shallow buffers and high bandwidth-delay products.

---

Q29. Compare IPv4 and IPv6 header structures. Why is IPv6 simpler? (Medium)

IPv4 header (20-60 bytes):

• Version, IHL (header length), DSCP, ECN
• Total length, ID, flags, fragment offset (fragmentation fields)
• TTL, protocol, header checksum
• Source IP (32 bits), destination IP (32 bits)
• Options (variable length, rare)

IPv6 header (fixed 40 bytes):

• Version, Traffic Class, Flow Label (20 bits for QoS/flow identification)
• Payload Length, Next Header (like protocol), Hop Limit
• Source IP (128 bits), destination IP (128 bits)

Key simplifications in IPv6:

Feature	IPv4	IPv6
Header size	Variable (20-60 bytes)	Fixed 40 bytes
Fragmentation	Done by routers	Only at source
Header checksum	Yes (must recompute at each hop)	Removed (link layers and transport handle it)
Options	Inline (complicates parsing)	Extension headers chained
ARP	Yes	Replaced by NDP (Neighbor Discovery Protocol)
Auto-config	DHCP only	SLAAC (Stateless Address Autoconfiguration) built-in

IPv6 fixed header means routers process headers faster (no variable-length parsing). Removing fragmentation at routers and header checksum reduces per-hop processing.

---

Q30. What is network monitoring? Name tools and what metrics to watch. (Medium)

Network monitoring involves continuously measuring network health, performance, and availability to detect issues proactively.

Key metrics to monitor:

Metric	Threshold concern	Tools
Bandwidth utilization	>80% sustained	SNMP, NetFlow, IPFIX
Packet loss	>1% for real-time apps	ICMP probes, ping
Latency (RTT)	Varies by app type	ping, synthetic monitoring
Jitter	>30ms affects VoIP	iPerf3, VoIP probes
Interface errors	CRC errors, runts, giants	SNMP MIB-II, interface counters
CPU/memory (routers)	>80% CPU	SNMP
BGP/OSPF neighbor state	Any neighbor down	SNMP traps, syslog

Tools:

• Wireshark / tcpdump: Packet capture and protocol analysis
• SNMP: Agent on network devices, manager polls OIDs for interface counters, CPU, etc.
• NetFlow/sFlow/IPFIX: Flow data exported from routers; shows who is consuming bandwidth
• Nagios / Zabbix / Prometheus + Grafana: Alerting and dashboards
• iPerf3: Active bandwidth and throughput testing between endpoints
• PRTG / LibreNMS: All-in-one SNMP-based network monitoring
• ping / mtr: Connectivity and path latency testing

SNMP versions:

• SNMPv1/v2c: community string authentication (insecure, cleartext)
• SNMPv3: authentication (MD5/SHA) + encryption (DES/AES). Use in production.

---

Frequently Asked Questions

Q: What is the difference between a collision domain and a broadcast domain? A collision domain is a network segment where simultaneous transmissions cause collisions (wired Ethernet with hubs, or half-duplex links). Each switch port is a separate collision domain. A broadcast domain is the set of devices that receive a broadcast frame. Switches do not break broadcast domains; routers and VLANs do.

Q: What does "full mesh" mean for n nodes and how many links does it require? Full mesh means every node connects directly to every other node. Links required = n*(n-1)/2. For 10 nodes: 45 links. This is why full mesh is impractical at large scale.

Q: What is the difference between a Layer 2 and Layer 3 switch? A Layer 2 switch forwards frames based on MAC addresses. A Layer 3 switch also performs IP routing between VLANs using hardware ASICs (instead of a separate router). Layer 3 switches have SVIs (Switched Virtual Interfaces) that serve as gateway IPs for VLANs.

Q: How is DNS resolution different from ARP resolution? DNS resolves hostnames to IP addresses (operates at Application layer, uses UDP/TCP port 53). ARP resolves IP addresses to MAC addresses (operates at Layer 2/3 boundary, broadcast-based, local subnet only). They operate at different layers and solve different parts of the addressing problem.

Q: What is the purpose of TTL in IP packets? TTL (Time To Live) is a hop counter decremented by each router. When TTL reaches 0, the router discards the packet and sends an ICMP Time Exceeded message. TTL prevents packets from circulating indefinitely if routing loops occur.

---

Internal Links

• TCP/IP Interview Questions
• OSI Model Interview Questions
• HTTP, HTTPS and DNS Interview Questions
• Subnetting Interview Questions
• TCS Interview Questions
• Infosys Interview Questions
• Cisco Interview Questions