Top 50 Networking Interview Questions

• Layer 7 - Application: HTTP, FTP, SMTP, DNS. User-facing protocols.
• Layer 6 - Presentation: encryption, compression, encoding (SSL/TLS, JPEG).
• Layer 5 - Session: manages sessions between applications.
• Layer 4 - Transport: end-to-end communication, TCP/UDP, ports.
• Layer 3 - Network: routing, IP addressing, routers.
• Layer 2 - Data Link: MAC addresses, switches, frames (Ethernet).
• Layer 1 - Physical: cables, signals, bits.

• TCP - connection-oriented. Reliable delivery. Ordered. Flow control. Congestion control. Slower. Used for HTTP, FTP, email.
• UDP - connectionless. No reliability guarantee. No ordering. Faster. Lower overhead. Used for DNS, video streaming, gaming, VoIP.

• Step 1 - Client sends SYN (synchronize) to server.
• Step 2 - Server responds with SYN-ACK (synchronize-acknowledge).
• Step 3 - Client sends ACK (acknowledge). Connection established.
• TCP 4-way termination: FIN, ACK, FIN, ACK.

Client --> SYN (seq=x)          --> Server
Client <-- SYN-ACK (seq=y,ack=x+1) <-- Server
Client --> ACK (ack=y+1)          --> Server
# Connection established

• HTTP - HyperText Transfer Protocol. Plain text. Port 80. No encryption. Vulnerable to eavesdropping.
• HTTPS - HTTP over TLS/SSL. Encrypted. Port 443. Provides confidentiality, integrity, and authentication.
• HTTPS uses TLS handshake to establish encrypted channel before HTTP communication.

• DNS (Domain Name System) - translates domain names to IP addresses.
• Resolution steps: browser cache -> OS cache -> recursive resolver -> root nameserver -> TLD nameserver -> authoritative nameserver.
• Record types: A (IPv4), AAAA (IPv6), CNAME (alias), MX (mail), NS (nameserver), TXT (text).

• IPv4 - 32-bit address. ~4.3 billion addresses. Notation: 192.168.1.1. Exhausted.
• IPv6 - 128-bit address. 340 undecillion addresses. Notation: 2001:0db8::1. Built-in IPsec. No NAT needed.
• Transition mechanisms: dual-stack, tunneling, NAT64.

Subnetting divides a network into smaller sub-networks. Uses a subnet mask (e.g., /24 = 255.255.255.0) to separate network and host portions of an IP address. Benefits: reduces broadcast traffic, improves security, and efficient IP allocation.

Network: 192.168.1.0/24
Subnet mask: 255.255.255.0
Hosts: 192.168.1.1 - 192.168.1.254 (254 usable)
Broadcast: 192.168.1.255

• Hub - Layer 1. Broadcasts to all ports. No intelligence. Causes collisions. Obsolete.
• Switch - Layer 2. Forwards frames based on MAC address table. Reduces collisions. Creates separate collision domains.
• Router - Layer 3. Routes packets between networks using IP addresses. Connects different networks.

NAT translates private IP addresses to a public IP address (and vice versa). Allows multiple devices on a private network to share one public IP. Types: Static NAT (1:1), Dynamic NAT (pool), PAT/Masquerade (many:1 using ports).

• Firewall - filters traffic based on rules (IP, port, protocol). Operates at Layer 3/4. Blocks unauthorized access.
• Proxy - intermediary between client and server. Can cache, filter, and anonymize traffic. Operates at Layer 7.
• Reverse proxy - sits in front of servers (load balancing, SSL termination). Forward proxy - sits in front of clients.

• HTTP/1.1 - one request per connection (or pipelining). Head-of-line blocking. Plain text headers.
• HTTP/2 - multiplexing (multiple requests over one connection). Binary framing. Header compression (HPACK). Server push. Faster.
• HTTP/3 - uses QUIC (UDP-based). Eliminates TCP head-of-line blocking. Faster connection setup.

A CDN is a distributed network of servers (edge nodes) that cache and serve content from locations geographically close to users. Reduces latency, improves load times, and offloads traffic from origin servers. Examples: Cloudflare, AWS CloudFront, Akamai.

• Load balancing distributes incoming traffic across multiple servers to prevent overload.
• Algorithms: Round Robin, Least Connections, IP Hash, Weighted Round Robin.
• Layer 4 (transport) - routes based on IP/port. Layer 7 (application) - routes based on HTTP headers, URL, cookies.

• Symmetric - same key for encryption and decryption. Fast. Key distribution problem. Examples: AES, DES.
• Asymmetric - public key encrypts, private key decrypts (or vice versa for signing). Slower. Solves key distribution. Examples: RSA, ECC.
• HTTPS uses asymmetric encryption for key exchange, then symmetric for data transfer.

• SSL (Secure Sockets Layer) - deprecated. Replaced by TLS.
• TLS (Transport Layer Security) - cryptographic protocol providing encrypted communication. Current version: TLS 1.3.
• TLS handshake: client hello, server hello + certificate, key exchange, finished. Establishes session keys.

• GET - retrieves data. Parameters in URL. Idempotent. Cached. Bookmarkable. Limited data size.
• POST - sends data in request body. Not idempotent. Not cached. No size limit. Used for creating/updating resources.
• PUT - idempotent update. PATCH - partial update. DELETE - remove resource.

• 2xx Success: 200 OK, 201 Created, 204 No Content.
• 3xx Redirection: 301 Moved Permanently, 302 Found, 304 Not Modified.
• 4xx Client Error: 400 Bad Request, 401 Unauthorized, 403 Forbidden, 404 Not Found, 429 Too Many Requests.
• 5xx Server Error: 500 Internal Server Error, 502 Bad Gateway, 503 Service Unavailable.

A VPN creates an encrypted tunnel between a client and a VPN server, routing traffic through it. Provides privacy, security on public networks, and access to private networks remotely. Protocols: OpenVPN, WireGuard, IPsec, L2TP.

DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses, subnet masks, gateways, and DNS servers to devices on a network. Process: DORA - Discover, Offer, Request, Acknowledge. Reduces manual configuration.

ARP maps IP addresses to MAC addresses on a local network. When a device wants to communicate with an IP, it broadcasts an ARP request. The device with that IP replies with its MAC address. ARP cache stores recent mappings.

# View ARP cache
arp -a
# ARP request: "Who has 192.168.1.1? Tell 192.168.1.100"
# ARP reply:   "192.168.1.1 is at aa:bb:cc:dd:ee:ff"

• LAN (Local Area Network) - small geographic area (home, office). High speed. Low latency.
• MAN (Metropolitan Area Network) - city-wide network. Connects multiple LANs.
• WAN (Wide Area Network) - large geographic area (country, global). Internet is the largest WAN. Higher latency.

ICMP (Internet Control Message Protocol) is used for network diagnostics and error reporting. Not for data transfer. Used by ping (echo request/reply) and traceroute. Common messages: echo request/reply, destination unreachable, time exceeded.

A socket is an endpoint for network communication identified by IP address + port number. Types: TCP socket (stream), UDP socket (datagram), Unix domain socket (local IPC). Socket API: socket(), bind(), listen(), accept(), connect(), send(), recv().

# Python TCP server
import socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", 8080))
s.listen(5)
conn, addr = s.accept()

• Bandwidth - maximum data transfer rate (bits per second). How much data can flow.
• Latency - time for a packet to travel from source to destination (milliseconds). How fast data arrives.
• Throughput - actual data transfer rate achieved. Affected by both bandwidth and latency.

A Distributed Denial of Service (DDoS) attack floods a target with traffic from many sources (botnet) to exhaust resources and make it unavailable. Types: volumetric (bandwidth flood), protocol (SYN flood), application layer (HTTP flood). Mitigated by rate limiting, CDN, and traffic scrubbing.

• MAC address - Layer 2. Hardware address burned into NIC. 48-bit (6 bytes). Unique per device. Used within local network.
• IP address - Layer 3. Logical address assigned by network admin/DHCP. 32-bit (IPv4) or 128-bit (IPv6). Used for routing across networks.

• Flow control - prevents sender from overwhelming receiver. Uses sliding window (receiver advertises window size).
• Congestion control - prevents sender from overwhelming the network. Algorithms: Slow Start, Congestion Avoidance, Fast Retransmit, Fast Recovery (TCP Reno/CUBIC).

• DNS - single request/response. Low overhead.
• Video/audio streaming - occasional packet loss acceptable. Latency more important than reliability.
• Online gaming - real-time updates. Old data is useless.
• VoIP - real-time voice. Retransmission would cause worse audio than packet loss.
• QUIC (HTTP/3) - implements reliability at application layer on top of UDP.

• 1. Browser checks local cache.
• 2. OS checks hosts file and DNS cache.
• 3. Query sent to recursive resolver (ISP or 8.8.8.8).
• 4. Resolver queries root nameserver (returns TLD server).
• 5. Resolver queries TLD nameserver (.com, .org).
• 6. Resolver queries authoritative nameserver (returns IP).
• 7. IP returned to browser. Cached with TTL.

• X.509 certificate issued by a Certificate Authority (CA). Contains: domain name, public key, CA signature, validity period.
• Browser verifies: certificate is signed by trusted CA, domain matches, not expired, not revoked (CRL/OCSP).
• Types: DV (domain validated), OV (organization validated), EV (extended validation).

• 20/21 - FTP (data/control)
• 22 - SSH
• 23 - Telnet
• 25 - SMTP
• 53 - DNS
• 80 - HTTP
• 110 - POP3
• 143 - IMAP
• 443 - HTTPS
• 3306 - MySQL
• 5432 - PostgreSQL
• 6379 - Redis
• 27017 - MongoDB

• HTTP - request-response. Client initiates every request. Stateless. New connection per request (HTTP/1.1) or multiplexed (HTTP/2).
• WebSocket - full-duplex persistent connection. Server can push data to client. Starts as HTTP upgrade. Used for real-time apps (chat, live updates, gaming).

// WebSocket client
const ws = new WebSocket("wss://example.com/ws");
ws.onmessage = (event) => console.log(event.data);
ws.send("Hello server");

• REST - multiple endpoints, each returning fixed data. Over-fetching or under-fetching common. Stateless. Cacheable.
• GraphQL - single endpoint. Client specifies exactly what data it needs. No over/under-fetching. Strongly typed schema. More complex caching.

An API gateway is a server that acts as the single entry point for all client requests to backend services. Handles: routing, authentication, rate limiting, SSL termination, load balancing, request/response transformation, and monitoring.

A reverse proxy sits in front of backend servers and forwards client requests to them. Benefits: load balancing, SSL termination, caching, compression, and hiding backend topology. Examples: Nginx, HAProxy, Traefik.

CORS is a browser security mechanism that restricts web pages from making requests to a different domain than the one that served the page. Server must include CORS headers (Access-Control-Allow-Origin) to allow cross-origin requests. Preflight OPTIONS request checks permissions.

Rate limiting restricts the number of requests a client can make in a time window. Prevents abuse, DDoS, and API overuse. Algorithms: Token Bucket, Leaky Bucket, Fixed Window, Sliding Window. Returns HTTP 429 Too Many Requests when exceeded.

• Edge caching stores copies of content at CDN edge nodes close to users.
• Cache-Control headers control what is cached and for how long (max-age, s-maxage, no-cache, no-store).
• Cache invalidation: TTL expiry, purge API, versioned URLs (cache busting).

BGP is the routing protocol of the internet. It manages how packets are routed between autonomous systems (AS) - large networks like ISPs. BGP is a path-vector protocol that selects routes based on policies, not just shortest path. BGP hijacking is a major security concern.

OSPF is a link-state interior gateway routing protocol. Each router builds a complete map of the network topology using LSAs (Link State Advertisements). Uses Dijkstra's algorithm to find shortest paths. Used within an autonomous system. Faster convergence than RIP.

After a TCP connection closes, the initiating side enters TIME_WAIT for 2*MSL (Maximum Segment Lifetime, typically 60-120 seconds). Purpose: ensures delayed packets from old connection are discarded, and allows remote side to retransmit FIN if ACK was lost. Can cause port exhaustion under high connection rates.

• Star - all devices connect to central switch/hub. Easy to manage. Single point of failure at center.
• Mesh - every device connects to every other. Highly redundant. Expensive. Used in WANs.
• Bus - all devices on single cable. Simple. Single point of failure. Obsolete.
• Ring - devices connected in a circle. Token passing. Failure of one node breaks ring.

• Circuit switching - dedicated path established for entire communication. Guaranteed bandwidth. Inefficient if idle. Used in traditional telephone networks.
• Packet switching - data split into packets routed independently. Efficient. No dedicated path. Used in internet. Packets may arrive out of order.

A VLAN logically segments a physical network into separate broadcast domains without requiring separate physical infrastructure. Configured on managed switches using 802.1Q tagging. Benefits: security isolation, reduced broadcast traffic, and flexible network design.

QoS mechanisms prioritize certain types of network traffic to ensure performance for critical applications. Techniques: traffic classification, queuing (priority queuing, WFQ), traffic shaping, and policing. Used to prioritize VoIP and video over bulk file transfers.

• ping - sends ICMP echo requests to test reachability and measure round-trip time (RTT).
• traceroute - sends packets with increasing TTL values to discover each hop (router) on the path to destination. Shows latency at each hop.

ping google.com
traceroute google.com   # Linux/Mac
tracert google.com      # Windows

• 1. Client Hello - TLS version, cipher suites, random number.
• 2. Server Hello - chosen cipher suite, server certificate, random number.
• 3. Client verifies certificate. Generates pre-master secret, encrypts with server public key.
• 4. Both sides derive session keys from pre-master secret + random numbers.
• 5. Finished messages exchanged. Encrypted communication begins.
• TLS 1.3 reduces handshake to 1 round-trip (1-RTT).

HSTS is a web security policy that forces browsers to use HTTPS for a domain. Server sends Strict-Transport-Security header with max-age. Browser remembers and refuses HTTP connections for that domain. Prevents SSL stripping attacks. HSTS preload list is built into browsers.

• QUIC - transport protocol built on UDP. Developed by Google. Provides reliability, ordering, and congestion control at application layer.
• HTTP/3 - HTTP over QUIC. Eliminates TCP head-of-line blocking. Faster connection setup (0-RTT for returning clients). Better performance on lossy networks.
• Adopted by major platforms: Google, Facebook, Cloudflare.

• CA-signed certificate - issued by a trusted Certificate Authority. Browsers trust it automatically. Required for public-facing HTTPS.
• Self-signed certificate - signed by the entity itself. Not trusted by browsers by default. Suitable for internal/development use only.
• Chain of trust: root CA -> intermediate CA -> end-entity certificate.