A candidate I spoke with last year walked into a senior network engineer interview at a mid-size cloud provider and was asked to design a multi-tenant data center for 10,000 VMs. No whiteboard prep. No warm-up questions. Just that. He froze on the VXLAN vs VLAN tradeoff and never recovered.
Network engineering interviews in 2026 have shifted. Companies care less about whether you can recite the OSI model in order and more about whether you can reason through a degraded BGP session at 2 AM without panicking. The questions below reflect that shift.
OSI fundamentals they still ask (and why)
Every hiring manager I’ve talked to says they’re tired of OSI questions. Then they keep asking them. The reason is simple: candidates who can’t place ARP at Layer 2 or explain why DNS sits at Layer 7 tend to struggle with everything else. It’s a filter, not an assessment.
- Walk me through what happens, layer by layer, when a browser requests https://example.com from scratch. (They want to see ARP, DNS resolution, the TCP handshake, and TLS negotiation, placed in the right order.)
- What’s the difference between a collision domain and a broadcast domain? How does a managed switch affect each?
- At which layer does NAT operate, and what are the practical consequences of CGNAT for end-to-end protocols like SIP?
- Explain why ICMP unreachable messages don’t always reach the sender in a corporate network.
For these questions, draw the packet path on paper before your interview. Saying “it goes through layers 1 through 7” is not the same as tracing a specific TCP SYN packet through a switch’s MAC table lookup, a router’s longest-prefix match, and a firewall’s stateful table. Those are three separate operations.
Routing protocol questions that separate juniors from seniors
OSPF and BGP questions show up in nearly every network engineering interview above the L3 job level. The tricky part is that the surface-level answers are easy to memorize, so interviewers push harder.
- OSPF converges in roughly 5 seconds under default timers. BGP can take minutes. When would you choose BGP inside a data center instead of OSPF or IS-IS?
- Explain the difference between eBGP and iBGP, and why iBGP requires a full mesh (or a route reflector).
- You have two OSPF areas. Area 1 is not receiving routes from Area 2. What are your first three diagnostic steps?
- What is BGP route dampening and when does it do more harm than good?
- Administrative distance: if a router learns the same prefix via OSPF (AD 110) and a static route (AD 1), which wins? What if the static route’s next-hop becomes unreachable?
The static route question at the end is a trap. A lot of candidates say the static route always wins because AD 1 beats AD 110. That’s true until the next-hop goes down, at which point the static route is removed from the RIB and OSPF takes over. Interviewers watch for that second half of the answer.
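The selection logic behind that answer, as an added example that is not part of the original article: a small model of a routing table that compares administrative distance only among routes to the same prefix, drops candidates whose next hop is unreachable, and then forwards by longest-prefix match. The Rib class, the prefixes and the next hops are constructed for illustration, and a next hop is assumed reachable only when it sits in an up, directly connected subnet.

```python
import ipaddress

# Administrative distances from the interview question: static 1, OSPF 110.
AD = {"static": 1, "ospf": 110}

class Rib:
    def __init__(self):
        self.candidates = []    # (prefix, source, next_hop) offered by any source
        self.up_links = set()   # directly connected subnets whose interface is up

    def set_link(self, subnet, up):
        net = ipaddress.ip_network(subnet)
        if up:
            self.up_links.add(net)
        else:
            self.up_links.discard(net)

    def offer(self, source, prefix, next_hop):
        self.candidates.append((ipaddress.ip_network(prefix), source,
                                ipaddress.ip_address(next_hop)))

    def installed(self):
        """Per prefix, keep the lowest-AD candidate whose next hop is reachable."""
        best = {}
        for prefix, source, nh in self.candidates:
            if not any(nh in net for net in self.up_links):
                continue  # unreachable next hop: route is not eligible for the RIB
            if prefix not in best or AD[source] < AD[best[prefix][0]]:
                best[prefix] = (source, str(nh))
        return best

    def lookup(self, dst):
        """Longest-prefix match over the installed routes only."""
        addr = ipaddress.ip_address(dst)
        hits = [(p, r) for p, r in self.installed().items() if addr in p]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

def static_vs_ospf():
    rib = Rib()
    rib.set_link("192.0.2.0/30", True)   # constructed link to the static next hop
    rib.set_link("192.0.2.4/30", True)   # constructed link to the OSPF neighbor
    rib.offer("static", "10.20.0.0/16", "192.0.2.1")
    rib.offer("ospf", "10.20.0.0/16", "192.0.2.5")
    rib.offer("ospf", "10.20.9.0/24", "192.0.2.5")  # more specific than the static
    before = rib.lookup("10.20.1.1")     # same prefix from both sources: AD decides
    specific = rib.lookup("10.20.9.9")   # longer prefix wins before AD is considered
    rib.set_link("192.0.2.0/30", False)  # the static route's next hop goes away
    after = rib.lookup("10.20.1.1")
    return before, specific, after
```

Real routers resolve next hops recursively through the routing table, so a static route can stay installed as long as some other route, even a default route, still covers its next hop. That is worth checking before relying on the OSPF fallback.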
VLANs, switching, and the questions that trip up mid-levels
VLAN questions seem basic until they aren’t. The classic interview trap is asking about VXLAN as a follow-up.
- What’s the difference between a trunk port and an access port? What does the native VLAN do on a trunk?
- You’re running 1,200 VLANs in your data center. A colleague proposes VXLAN. What does that buy you that 802.1Q doesn’t?
- VXLAN supports roughly 16 million VNIs versus 4,096 VLAN IDs. In what real scenario does that ceiling actually matter?
- Explain STP port states. Why does Rapid PVST+ converge faster than classic 802.1D?
- A loop forms in your switched network at 3 AM. What are the first three things you check?
On the VXLAN ceiling question: the answer is multi-tenant cloud environments where you need per-tenant isolation across thousands of customers. If a candidate says “we just needed more VLANs,” that’s technically correct but misses the architectural intent.
Security and troubleshooting under pressure
These are the questions that actually predict job performance. Anyone can study protocols. Fewer people can walk through a live outage methodically while an interviewer pushes back on every step.
- A BGP session between your edge router and upstream ISP drops intermittently. You have no change window for 72 hours. Walk me through remote diagnosis.
- What is a TCAM and why does it matter when you’re debugging high-CPU on a switch?
- Describe a scenario where ACLs at the wrong layer caused a security gap you wouldn’t catch until an audit.
- Your multicast group (somewhere in 224.0.0.0/4) stops receiving traffic. What protocol are you looking at first and why?
- Explain the difference between stateful and stateless firewalls. For a web application behind a load balancer, which approach creates asymmetric routing problems?
- What does a spoofed SYN flood look like in your switch port statistics, and how does your current setup mitigate it?
I’d argue the TCAM question is underused by interviewers. A candidate who knows that TCAM exhaustion causes a switch to fall back to software forwarding, dropping throughput by 90%, has clearly operated real hardware under load. That knowledge doesn’t come from certification study guides.
Architecture questions for senior and staff-level roles
If you’re interviewing for L5 or above at a company with real infrastructure, expect at least one open-ended design question. These don’t have single correct answers, which is the point.
- Design a spine-leaf fabric for a 200-rack data center. What protocol runs on the spine, and how do you handle east-west traffic at scale?
- Your company is moving from on-prem to AWS. The security team wants a dedicated Direct Connect. Walk through the architecture decision and the failure modes.
- What’s the difference between SD-WAN and MPLS for a company with 47 branch offices? When does SD-WAN make economic sense and when does it introduce unacceptable risk?
- You need to support IPv6 without dropping IPv4. Walk through a dual-stack deployment for a mixed on-prem and cloud environment.
For these, interviewers aren’t looking for the “right” answer. They’re watching how you structure ambiguous problems, what tradeoffs you name first, and whether you ask clarifying questions about budget and SLA before diving into a design. If you launch straight into a solution without asking about the company’s RTO, that’s a flag.
How to actually prepare
The BLS projects network and systems administrator roles to grow 5% through 2033, which means competition stays real. Senior roles still get flooded with applicants who pass the knowledge screen but struggle in live diagnostic scenarios.
Study protocol theory, sure. But also practice narrating your troubleshooting steps out loud. Video yourself if you have to. The candidate who froze on the VXLAN question knew the answer. His problem was that he’d never practiced saying it under pressure while someone watched.
If you’re prepping for interviews and want to practice talking through live technical scenarios, Craqly’s interview copilot mode can surface follow-up questions mid-answer, similar to what a real interviewer does when they probe a response. That feedback loop is hard to replicate with static flashcards.
One thing I genuinely don’t know: how much the move toward SRE-adjacent roles affects what network engineers are asked in 2026. The line between “network engineer” and “infra engineer” has blurred at companies like Google and Cloudflare. If you’re targeting those roles, I’d add Kubernetes networking (CNI, eBPF, service mesh) to this list.