Free resource

CCNP Interview Question Bank

40 real questions · routing, security, automation, design, troubleshooting, process

These are the questions PacketMentor uses in its CCNP Senior Track mock interviews. Each comes with talking-point answers — not full essays. The goal: rehearse how a senior network engineer thinks, not memorize scripts.

Tip: "Save as PDF" works from any browser — File → Print → Destination: Save as PDF.

How to use this bank

Three passes, then drill:

  1. Pass 1 (~2 hours): Read every question and the talking points. Note which ones you couldn't answer without notes.
  2. Pass 2 (per area, ~30 min each): For weak areas, expand the talking points into your own full answers. Write them out — typing not just reading.
  3. Pass 3 (~1 hour): Out-loud rehearsal. Set a timer for 2 minutes per question. Speak the answer like you would in an interview. Record yourself if uncomfortable speaking technically — listen back.
  4. Drill: One mock interview per week with a friend or mentor, picking 8–10 questions at random.

The structure of a strong senior-engineer answer

Most candidates either (a) recite the textbook definition or (b) jump straight to commands. Both feel junior. The senior answer pattern is:

  1. One-line summary — "BGP path selection is an ordered list of tie-breakers (Cisco's documented algorithm runs to 13 steps); the ones that matter most in practice are local preference, AS-path length, and origin."
  2. The 'why' — "We use local preference to influence outbound traffic and AS-path prepending to influence inbound — they're the two levers that actually work in eBGP design."
  3. A war story or concrete example — "Last year we had a situation where..."
  4. Pause for follow-up — let the interviewer steer to depth.

Every question below is structured to invite that pattern. The talking points are seeds, not scripts.

Routing (10)

Q1. Walk me through what happens when an OSPF link goes down on an internal router.

Talking points: Detection first: carrier loss is instant, but if only the far end died you wait for the dead timer (40 s default on broadcast) or BFD. Both routers attached to the link regenerate their Router LSA (type 1) with a new sequence number and flood it; every router in the area updates its LSDB, re-runs SPF (subject to the SPF throttle timers), and installs the new shortest paths in the RIB and then the FIB. If the failure changes the reachability of a prefix, ABRs also re-originate Summary LSAs (type 3) into the other areas. Mention that with tuned timers and BFD, convergence is sub-second in modern designs.

Q2. How does BGP path selection actually work — list the steps in order.

Talking points: Before any comparison the path must be valid: next-hop reachable, not denied by inbound policy, no AS-path loop. Then, in order: weight (Cisco-local, highest wins), local preference (highest wins), locally originated over learned, AS-path length (shortest wins), origin (IGP > EGP > Incomplete), MED (lowest wins; by default only compared between paths from the same neighboring AS), eBGP over iBGP, lowest IGP metric to the next-hop, oldest eBGP path, lowest router ID, shortest cluster list, lowest neighbor address. Weight and local preference are the two you actually set in enterprise policy; everything after MED is a tie-breaker you mostly meet when troubleshooting.
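Added example, not code from the PacketMentor page: the ordering above written as a Python sort key, run over a constructed set of candidate paths for 203.0.113.0/24 (TEST-NET-3). The `Path` fields, helper names and sample values are assumptions made for the example; MED is compared across all paths here, which is Cisco's `bgp always-compare-med` behaviour rather than the default, to keep the comparator to one tuple.

```python
"""Cisco-style BGP best-path selection as a sort key.

Added example, not code from the page. Field names and sample paths are
constructed; MED is compared across all paths (equivalent to
`bgp always-compare-med`) to keep the comparator simple.
"""
from dataclasses import dataclass, field
from typing import List, Optional

ORIGIN_RANK = {"igp": 0, "egp": 1, "incomplete": 2}

STEP_NAMES = [
    "weight", "local preference", "locally originated", "AS-path length",
    "origin", "MED", "eBGP over iBGP", "IGP metric to next-hop",
    "oldest eBGP path", "router ID", "cluster-list length", "neighbor address",
]


@dataclass
class Path:
    next_hop_reachable: bool = True   # validity check, applied before any step
    weight: int = 0                   # Cisco-local, never sent to peers
    local_pref: int = 100
    locally_originated: bool = False
    as_path: List[int] = field(default_factory=list)
    origin: str = "igp"
    med: int = 0
    ebgp: bool = True                 # learned from an eBGP peer
    igp_metric: int = 0               # IGP cost to the BGP next-hop
    age: int = 0                      # receive order; lower = older
    router_id: str = "0.0.0.0"
    cluster_list_len: int = 0
    neighbor_ip: str = "0.0.0.0"


def ip_key(ip: str):
    """Dotted-quad to a tuple so 'lowest IP' sorts numerically, not lexically."""
    return tuple(int(octet) for octet in ip.split("."))


def sort_key(p: Path):
    """One tuple element per step; lower sorts first, so 'highest wins' is negated."""
    return (
        -p.weight,
        -p.local_pref,
        0 if p.locally_originated else 1,
        len(p.as_path),
        ORIGIN_RANK[p.origin],
        p.med,
        0 if p.ebgp else 1,
        p.igp_metric,
        p.age if p.ebgp else 0,       # oldest-path step applies to eBGP paths only
        ip_key(p.router_id),
        p.cluster_list_len,
        ip_key(p.neighbor_ip),
    )


def best_path(paths: List[Path]) -> Optional[Path]:
    valid = [p for p in paths if p.next_hop_reachable]
    return min(valid, key=sort_key) if valid else None


def deciding_step(paths: List[Path]) -> Optional[str]:
    """Name of the first step that separates the best path from the runner-up."""
    ranked = sorted((p for p in paths if p.next_hop_reachable), key=sort_key)
    if len(ranked) < 2:
        return None
    for name, a, b in zip(STEP_NAMES, sort_key(ranked[0]), sort_key(ranked[1])):
        if a != b:
            return name
    return None   # fully equal: multipath candidates


# Constructed candidates for 203.0.113.0/24 as seen on one edge router.
SAMPLE_PATHS = [
    Path(as_path=[64501, 64510], router_id="192.0.2.1", neighbor_ip="198.51.100.1", age=1),
    Path(as_path=[64502, 64510], local_pref=200, router_id="192.0.2.2",
         neighbor_ip="198.51.100.2", age=2),
    Path(as_path=[64503, 64510], local_pref=200, ebgp=False, igp_metric=20,
         router_id="192.0.2.3", neighbor_ip="10.0.0.3", age=0),
    Path(as_path=[64504], local_pref=300, next_hop_reachable=False,
         router_id="192.0.2.4", neighbor_ip="198.51.100.4"),   # unreachable: never considered
]

if __name__ == "__main__":
    best = best_path(SAMPLE_PATHS)
    print("best via", best.neighbor_ip, "decided by", deciding_step(SAMPLE_PATHS))
```

The fourth path has the highest local preference and still loses, because an unreachable next-hop disqualifies a path before any step runs; that is the first thing to check when "show ip bgp" prefers a path you did not expect.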

Q3. When would you choose EIGRP over OSPF, and vice versa?

Talking points: EIGRP: Cisco-only environment, simpler unequal-cost load balancing (variance), faster convergence in some topologies. OSPF: multi-vendor, IETF standard, hierarchical scaling via areas. In greenfield 2026 design, OSPF is the default unless there is a hard Cisco-only constraint.

Q4. Explain route summarization at an OSPF ABR.

Talking points: area X range — on the ABR, collapses the intra-area prefixes of area X into one Summary LSA (type 3) before advertising into the other attached areas, including Area 0. Pros: smaller LSDB and routing tables elsewhere, and topology changes inside area X no longer trigger SPF in other areas (the summary only changes when its metric changes or the last component disappears). Cons: the summary stays up as long as any component prefix is up, so a failure of part of the range is hidden from the rest of the network; traffic for the failed subnet is still attracted to the ABR and black-holed there (Cisco installs a discard route to Null0 for the summary so it does not loop back out a default route). Walk through this trade-off.

Q5. What is iBGP full-mesh, and how do route reflectors solve it?

Talking points: iBGP split horizon: a route learned from one iBGP peer is not re-advertised to another iBGP peer, so every iBGP speaker must peer directly with every other. That is N(N-1)/2 sessions, which does not scale. A route reflector is exempt from the rule: it re-advertises client routes to all peers and non-client routes to its clients, turning the full mesh into hub-and-spoke; the ORIGINATOR_ID and CLUSTER_LIST attributes prevent loops. Mention redundant RRs in one cluster and that every client should peer with at least two.

Q6. Difference between recursive and direct next-hop in routing.

Talking points: Direct: next-hop is on a directly-connected interface, FIB has Layer-2 rewrite info immediately. Recursive: next-hop is via another route in the RIB, FIB has to walk further. Important when troubleshooting BGP next-hop reachability and for understanding CEF.

Q7. How do you troubleshoot an OSPF neighbor stuck in 2-WAY state?

Talking points: 2-WAY is a normal resting state only on broadcast/NBMA networks: DROTHER routers stay 2-WAY with each other and go FULL only with the DR and BDR. If every router on the segment has priority 0, nobody can become DR and all adjacencies stay at 2-WAY, so check priorities first and confirm a DR election actually happened. Point-to-point links have no DR, so a neighbor there never rests in 2-WAY; if it does not reach FULL you are looking at a different symptom: stuck in INIT means one-way hellos (ACL, authentication, area or timer mismatch), stuck in EXSTART/EXCHANGE is the classic MTU mismatch.

Q8. Walk me through MPLS L3VPN packet forwarding end to end.

Talking points: CE→PE: plain customer IP packet arrives on a VRF interface. Ingress PE: lookup in that VRF's table, push the VPN label (learned via MP-BGP from the egress PE) and then the transport label (LDP or SR) for the egress PE's loopback. P routers: swap the outer label per their LFIB without ever looking at the VPN label or the IP header. Penultimate P: pops the transport label (PHP) so the egress PE receives the packet carrying only the VPN label. Egress PE: the VPN label identifies the VRF (or, with per-prefix labels, the exact outgoing interface and next-hop); strip it, IP lookup in the VRF, forward to the CE.

Q9. What is anycast and how is it used in DC fabrics?

Talking points: Anycast = same IP advertised from multiple locations; routing picks nearest. In DC fabrics: anycast gateway lets VMs/pods move across racks without re-ARPing, anycast DNS spreads load, anycast loopbacks for BGP path diversity.

Q10. Why would you use BFD with a routing protocol?

Talking points: BFD = sub-second link liveness detection independent of routing protocol timers. Lets you keep OSPF hellos at default but still get 50–100ms failover. Critical for voice/video over WANs and for fast convergence requirements.

Security (8)

Q1. How would you design 802.1X for a 1000-device enterprise?

Talking points: ISE (or other RADIUS) with EAP-TLS for managed devices (certificate-based, no passwords on the wire), PEAP-MSCHAPv2 for BYOD, and MAB fallback for printers/IoT that have no supplicant. Dynamic VLAN or dACL assignment based on identity group. Open-mode (monitor) rollout first to find what would fail, then low-impact, then closed mode. CoA for revocation and posture changes. Call out the two weak spots: PEAP is only as good as the supplicant's validation of the RADIUS server certificate (otherwise a rogue AP or switch can harvest credentials), and MAB is authentication by MAC address, which is trivially spoofed, so MAB endpoints get a restricted VLAN/dACL rather than the same access as an EAP-TLS laptop.

Q2. Explain dynamic ARP inspection at a packet level.

Talking points: On untrusted ports the switch intercepts every ARP packet (request and reply) and checks the sender IP/MAC pair, in that VLAN, against the DHCP snooping binding table; no matching binding means drop. Hosts with static addresses are covered by an ARP ACL (ip arp inspection filter), and uplinks toward other switches are marked trusted so they are not inspected. Untrusted ports are also rate-limited (15 pps by default) and err-disable when exceeded, which is how a noisy scanner takes its own port down. Optional extra checks: source MAC, destination MAC and IP sanity (ip arp inspection validate). Prevents ARP spoofing and the man-in-the-middle it enables on the LAN. Requires DHCP snooping to be enabled and to have populated the table first; turning on DAI in a VLAN with an empty table drops everyone's ARP.
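Added example, not from the page: the decision path above as a small Python model of a switch running DAI. The binding table, port names and ARP packets are constructed. The ARP ACL here is only consulted for an explicit match and otherwise falls through to the snooping table, which is IOS behaviour without the `static` keyword; the rate limiter counts per (port, second).

```python
"""Dynamic ARP Inspection as a decision function.

Added example, not code from the page. Bindings, ports and packets are
constructed. Simplifications: the ARP ACL is a dict of explicit permits
(no `static` keyword, so misses fall through to the snooping table), and
the rate limiter counts packets per (port, second).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Tuple


@dataclass(frozen=True)
class Binding:
    """One DHCP snooping binding: what the switch saw the DHCP server hand out."""
    ip: str
    mac: str
    vlan: int
    port: str


@dataclass
class ArpPacket:
    ingress_port: str
    vlan: int
    sender_ip: str
    sender_mac: str       # ARP payload sender hardware address
    eth_src: str          # Ethernet header source MAC


class DaiSwitch:
    def __init__(self, bindings: Iterable[Binding], trusted_ports=(),
                 arp_acl: Optional[Dict[Tuple[int, str], str]] = None,
                 rate_limit: int = 15, validate_src_mac: bool = True):
        self.bindings = {(b.vlan, b.ip): b.mac.lower() for b in bindings}
        self.trusted = set(trusted_ports)
        self.arp_acl = {k: v.lower() for k, v in (arp_acl or {}).items()}
        self.rate_limit = rate_limit               # pps on untrusted ports (IOS default 15)
        self.validate_src_mac = validate_src_mac   # 'ip arp inspection validate src-mac'
        self.counters = defaultdict(int)
        self.err_disabled = set()

    def inspect(self, pkt: ArpPacket, second: int = 0) -> str:
        """Return 'permit' or 'drop:<reason>' for one ARP packet."""
        if pkt.ingress_port in self.err_disabled:
            return "drop:port-err-disabled"
        if pkt.ingress_port in self.trusted:
            return "permit"                        # uplinks/DHCP server ports bypass DAI
        self.counters[(pkt.ingress_port, second)] += 1
        if self.counters[(pkt.ingress_port, second)] > self.rate_limit:
            self.err_disabled.add(pkt.ingress_port)
            return "drop:rate-limit-err-disable"
        key = (pkt.vlan, pkt.sender_ip)
        expected = self.arp_acl.get(key) or self.bindings.get(key)
        if expected is None:
            return "drop:no-binding"               # IP never issued by DHCP, not in ACL
        if expected != pkt.sender_mac.lower():
            return "drop:ip-mac-mismatch"          # someone claiming another host's IP
        if self.validate_src_mac and pkt.eth_src.lower() != pkt.sender_mac.lower():
            return "drop:src-mac-validate"
        return "permit"


# Constructed access switch: one DHCP client, a static printer, an uplink.
BINDINGS = [Binding("10.0.10.5", "00:11:22:33:44:55", 10, "Gi1/0/5")]
SWITCH = DaiSwitch(
    BINDINGS,
    trusted_ports={"Gi1/0/48"},
    arp_acl={(10, "10.0.10.200"): "00:aa:bb:cc:dd:ee"},   # printer with a static IP
)


def scenario() -> Dict[str, str]:
    """Run constructed packets through the model; returns the verdict per case."""
    attacker = "de:ad:be:ef:00:01"
    cases = {
        "legit-client": ArpPacket("Gi1/0/5", 10, "10.0.10.5", "00:11:22:33:44:55", "00:11:22:33:44:55"),
        "static-printer": ArpPacket("Gi1/0/9", 10, "10.0.10.200", "00:aa:bb:cc:dd:ee", "00:aa:bb:cc:dd:ee"),
        "gateway-spoof": ArpPacket("Gi1/0/7", 10, "10.0.10.1", attacker, attacker),
        "client-spoof": ArpPacket("Gi1/0/7", 10, "10.0.10.5", attacker, attacker),
        "forged-eth-src": ArpPacket("Gi1/0/7", 10, "10.0.10.5", "00:11:22:33:44:55", attacker),
        "from-uplink": ArpPacket("Gi1/0/48", 10, "10.0.10.1", attacker, attacker),
    }
    return {name: SWITCH.inspect(pkt, second=0) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, verdict in scenario().items():
        print(f"{name:15} {verdict}")
```

The "from-uplink" case is the one to remember: a trusted port is a complete bypass, so trust only ports that face infrastructure you control, never a port where a user could plug in.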

Q3. What is the difference between Standard and Extended ACL and when to use each?

Talking points: Standard: source IP only, numbered 1-99 or 1300-1999, apply close to destination. Extended: source + destination + protocol + ports, numbered 100-199 or 2000-2699, apply close to source for efficiency. In 2026 always prefer named ACLs over numbered.

Q4. How does IPsec IKEv2 establish a tunnel?

Talking points: IKEv2 has no "Phase 1 / Phase 2" in the IKEv1 sense. The first exchange, IKE_SA_INIT, negotiates the crypto proposal and performs the Diffie-Hellman exchange (plus nonces, and a cookie challenge if the responder believes it is under DoS). The second, IKE_AUTH, runs encrypted inside the new IKE SA: identities, authentication (PSK, certificates, or EAP), and it also creates the first CHILD_SA, so a tunnel is up after four messages. CREATE_CHILD_SA adds further CHILD_SAs or rekeys; INFORMATIONAL carries dead-peer detection and deletes. Mention that IKEv2 is preferred over IKEv1 (no aggressive mode, built-in NAT-T and retransmission) and that PSK authentication is only as strong as the shared secret.

Q5. What is the role of Cisco TrustSec / SGT?

Talking points: Scalable Group Tags assigned by ISE at authentication time (by identity, device type, posture) and carried either inline in the Ethernet frame (CMD header) or propagated via SXP to devices that cannot tag. Switches, routers and firewalls enforce SGACLs on source/destination SGT pairs (e.g., "Employees → Servers = permit; Contractors → Servers = deny") instead of per-VLAN or per-IP ACLs. Scales identity-based segmentation without ACL sprawl and keeps policy intact when a host changes IP or VLAN.

Q6. How do you mitigate a DDoS attack at the edge?

Talking points: Layered: cloud scrubbing (Cloudflare/Akamai/AWS Shield) or ISP scrubbing absorbs volumetric attacks that exceed your uplinks; nothing on-premises helps once the pipe is full. ISP RTBH (Remotely Triggered Black Hole) for emergency null-routing of the targeted prefix, with the caveat that it completes the DoS for that prefix to protect everything else; BGP Flowspec, where the ISP supports it, for more granular drops. Local rate limiting, SYN cookies and connection tracking on the perimeter for state-exhaustion and application-layer attacks. Egress filtering (BCP 38 / uRPF) so your network cannot be used as a spoofed source.

Q7. Why is SNMPv2c risky and what does v3 fix?

Talking points: v2c authenticates with a community string sent in plaintext in every packet, so anyone sniffing the management VLAN reads it, and an RW community is effectively an admin password (a config download or upload is one SNMP set away). v3 adds per-user authentication (HMAC-MD5/SHA) and optional encryption (AES), but only at the authPriv level; noAuthNoPriv and authNoPriv also exist and buy you nothing against a sniffer. Always SNMPv3 authPriv in 2026 production, with an ACL on the group. v2c only read-only, with an ACL, on isolated management segments, and treat the community string as the credential it is.
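Added example, not from the page: a Python audit that turns the points above into checks over an IOS running-config. The config excerpt is constructed. IOS does not show `snmp-server user` lines in the running-config (they come from `show snmp user`), so this judges v3 by the `snmp-server group` security level; the regexes, severity scale and well-known-string list are assumptions made for the example.

```python
"""Audit an IOS running-config for SNMP exposure.

Added example, not code from the page. SAMPLE_CONFIG is constructed.
Judges SNMPv3 by group security level because `snmp-server user` lines are
not shown in `show running-config` (use `show snmp user` for those).
"""
import re
from typing import Dict, List

SAMPLE_CONFIG = """\
hostname dist-sw1
snmp-server community public RO
snmp-server community s3cret RW 10
snmp-server community monitor RO 99
snmp-server group NETOPS v3 priv read NETOPS-VIEW access 10
snmp-server group LEGACY v3 noauth
access-list 10 permit 10.255.0.5
access-list 99 permit 10.255.0.0 0.0.0.255
"""

WELL_KNOWN = {"public", "private", "cisco", "admin"}   # defaults every scanner tries
SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1}

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <acl>] [<acl>]
COMMUNITY_RE = re.compile(
    r"^snmp-server community (?P<name>\S+)(?: view \S+)?(?: (?P<mode>RO|RW))?"
    r"(?: ipv6 \S+)?(?: (?P<acl>\S+))?\s*$", re.M)
# snmp-server group <name> v3 {noauth|auth|priv} ...
GROUP_RE = re.compile(r"^snmp-server group (?P<name>\S+) v3 (?P<level>noauth|auth|priv)\b", re.M)


def audit(config: str) -> List[Dict[str, str]]:
    """Return findings (severity, object, reason), most severe first."""
    findings: List[Dict[str, str]] = []

    def add(sev: str, obj: str, reason: str) -> None:
        findings.append({"severity": sev, "object": obj, "reason": reason})

    for m in COMMUNITY_RE.finditer(config):
        name, mode, acl = m["name"], m["mode"] or "RO", m["acl"]   # IOS defaults to RO
        add("high", name, f"SNMPv2c community ({mode}): string is plaintext on the wire")
        if mode == "RW":
            add("critical", name, "RW community: write access to the running-config")
        if name.lower() in WELL_KNOWN:
            add("critical", name, "well-known community string")
        if acl is None:
            add("high", name, "no ACL: any source may query")

    for m in GROUP_RE.finditer(config):
        if m["level"] != "priv":
            add("medium", m["name"], f"SNMPv3 group at {m['level']}: no encryption")

    findings.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[str, str]:
    """Highest severity per object, for a dashboard or a CI gate on config archives."""
    worst: Dict[str, str] = {}
    for f in findings:
        cur = worst.get(f["object"])
        if cur is None or SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[cur]:
            worst[f["object"]] = f["severity"]
    return worst


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f['severity']:8} {f['object']:10} {f['reason']}")
```

Run against a nightly config archive, the interesting output is the diff between runs: a new `snmp-server community` line appearing on a device is a change somebody needs to explain.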

Q8. Walk me through how 802.1X with EAP-TLS works.

Talking points: Supplicant has a certificate (issued by the enterprise CA, ideally with the private key held in a TPM so it cannot be copied off the device). Switch is the authenticator and only relays EAP inside RADIUS. ISE/RADIUS is the auth server. EAP-TLS runs a TLS handshake end to end between supplicant and server with mutual certificate validation: the client must trust the server's certificate chain (otherwise a rogue switch or AP can stand up a fake RADIUS server), and the server validates the client chain and normally checks revocation. On success, RADIUS returns Access-Accept plus VLAN/dACL/SGT attributes and the switch opens the port.

SDN/Automation (7)

Q1. What is the difference between traditional networking and SDN?

Talking points: Traditional: control plane and data plane both run on every device. SDN: control plane abstracted to a centralized controller; devices become forwarding elements. Benefit: centralized policy + programmability. Cost: controller becomes critical infrastructure.

Q2. How does NETCONF differ from SNMP?

Talking points: NETCONF: XML-based config + state protocol over SSH (port 830), transactional, supports candidate/running/startup datastores, structured YANG models. SNMP: query/get/set, mostly read-oriented in practice, limited structured-write support. NETCONF is the modern standard for programmatic config.

Q3. Walk me through using Python to push a config change to 50 switches.

Talking points: Use Netmiko (SSH) or NAPALM (multi-vendor) or ncclient (NETCONF). Loop over inventory, connect, send config, validate with show command, log results. Pre-checks (is device reachable, current state), change, post-checks. Pair with version control for the config templates.

Q4. What is Ansible idempotency and why does it matter for network config?

Talking points: Idempotent = running the same playbook twice produces the same result. Network tasks must be idempotent so re-runs do not duplicate ACL entries, do not flap interfaces, etc. cisco.ios modules are designed around this. Critical for safe automation.
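Added example serving both Q3 and Q4 above, not code from the page: the pre-check / plan / change / post-check loop over a fleet, where the plan is computed as a diff against the running-config so a second run changes nothing. The device driver is an in-memory fake so the example runs offline; in production the same `get_running` / `send_config` methods would be backed by Netmiko's `ConnectHandler` (`send_command`, `send_config_set`) or NAPALM. Hostnames, running-configs and the ACL are constructed, and the section model (a header line plus indented children) is a simplification of IOS config structure.

```python
"""Idempotent config push across a fleet with pre/post checks.

Added example, not code from the page. FakeDevice is an in-memory stand-in
so this runs offline; in production implement the same methods with
Netmiko (ConnectHandler.send_command / send_config_set) or NAPALM.
Inventory, running-configs and DESIRED_ACL are constructed.
"""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class FakeDevice:
    name: str
    running: List[str] = field(default_factory=list)
    reachable: bool = True

    def get_running(self) -> str:
        return "\n".join(self.running)

    def send_config(self, lines: List[str]) -> None:
        # Mimic IOS: 'no <line>' removes, anything else is added once.
        for line in lines:
            if line.startswith("no "):
                target = line[3:].strip()
                self.running = [r for r in self.running if r.strip() != target]
            elif line not in self.running:
                self.running.append(line)


@dataclass
class ChangeResult:
    name: str
    status: str          # changed | no-change | failed-verify | skipped-unreachable
    commands: List[str]
    snapshot: str        # pre-change running-config, kept for rollback


# Desired state: a header line followed by its indented children.
DESIRED_ACL = [
    "ip access-list extended MGMT-IN",
    " permit tcp 10.255.0.0 0.0.0.255 any eq 22",
    " deny ip any any log",
]


def section_lines(running: str, header: str) -> List[str]:
    """Indented children of `header` in an IOS-style config, or [] if absent."""
    out, inside = [], False
    for line in running.splitlines():
        if line == header:
            inside = True
        elif inside:
            if line.startswith(" "):
                out.append(line)
            else:
                break
    return out


def plan(running: str, desired: List[str]) -> List[str]:
    """Commands that make `running` match `desired`; [] when already compliant.
    Removes first, then adds (order-sensitive ACLs would need a resequence in real IOS)."""
    header, children = desired[0], desired[1:]
    current = section_lines(running, header)
    removes = ["no " + c.strip() for c in current if c not in children]
    adds = [c for c in children if c not in current]
    return [header] + removes + adds if (removes or adds) else []


def apply_change(dev: FakeDevice, desired: List[str]) -> ChangeResult:
    if not dev.reachable:                         # pre-check
        return ChangeResult(dev.name, "skipped-unreachable", [], "")
    snapshot = dev.get_running()                  # pre-change snapshot
    commands = plan(snapshot, desired)
    if not commands:
        return ChangeResult(dev.name, "no-change", [], snapshot)
    dev.send_config(commands)                     # change
    leftover = plan(dev.get_running(), desired)   # post-check: re-plan must be empty
    status = "changed" if not leftover else "failed-verify"
    return ChangeResult(dev.name, status, commands, snapshot)


def run_fleet(devices: List[FakeDevice], desired: List[str], workers: int = 10) -> Dict[str, ChangeResult]:
    with ThreadPoolExecutor(max_workers=workers) as pool:
        results = list(pool.map(lambda d: apply_change(d, desired), devices))
    return {r.name: r for r in results}


def build_fleet() -> List[FakeDevice]:
    """Constructed inventory: missing ACL, stale entry, compliant, unreachable."""
    return [
        FakeDevice("sw1", ["hostname sw1", "!"]),
        FakeDevice("sw2", ["hostname sw2", DESIRED_ACL[0], DESIRED_ACL[1],
                           " permit ip any any", DESIRED_ACL[2], "line vty 0 4"]),
        FakeDevice("sw3", ["hostname sw3"] + DESIRED_ACL),
        FakeDevice("sw4", ["hostname sw4"], reachable=False),
    ]


if __name__ == "__main__":
    fleet = build_fleet()
    for r in run_fleet(fleet, DESIRED_ACL).values():
        print(f"{r.name:4} {r.status:20} {r.commands}")
```

The `snapshot` field is what makes the loop safe to interrupt: a `failed-verify` result already carries the config you need to roll that device back, and the `no-change` status on the second run is the idempotency Q4 is asking about.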

Q5. Difference between SD-Access and SD-WAN.

Talking points: SD-Access: campus / branch LAN segmentation using VXLAN overlay + ISE + Catalyst Center. SD-WAN: WAN overlay across MPLS/internet/LTE using IPsec tunnels managed by Catalyst SD-WAN (Viptela). Different problems, similar SDN pattern.

Q6. How does gNMI relate to NETCONF?

Talking points: gNMI is the streaming-telemetry + config protocol over gRPC. Same YANG models as NETCONF for config; adds publish-subscribe telemetry that scales much better than SNMP polling. Used heavily in hyperscale and modern DC environments.

Q7. What problems does Ansible solve that bash scripts do not?

Talking points: Idempotency, parallel execution, structured inventory, role-based reuse, jinja2 templating, error handling, dry-run mode, integration with CI/CD. Bash scripts are fine for one-off; Ansible is right for fleet-scale, repeatable, reviewable change management.

Design (5)

Q1. How would you design a 50-branch enterprise WAN today?

Talking points: SD-WAN over diverse underlays: each branch gets MPLS + broadband + LTE backup. App-aware routing (voice on MPLS, SaaS direct via broadband). Centralized policy via vManage. DIA with cloud-delivered firewall (Umbrella/Zscaler). Branch routers (cEdge) zero-touch provisioned.

Q2. Walk me through campus 3-tier vs spine-leaf design.

Talking points: 3-tier: access/distribution/core, optimized for north-south traffic (user-to-DC). Spine-leaf: every leaf to every spine, optimized for east-west (DC server-to-server). Spine-leaf scales better for modern apps but is overkill for office campuses where north-south still dominates.

Q3. How do you decide between VRF-lite and MPLS L3VPN?

Talking points: VRF-lite: per-device VRFs with hop-by-hop 802.1Q subinterfaces or separate links between devices; simple, no MPLS expertise needed, works at small scale but every hop has to carry every VRF. MPLS L3VPN: provider-grade, scales to thousands of VRFs because P routers hold no customer state; requires MP-BGP (VPNv4, RD/RT) plus LDP or SR. Enterprise multi-tenant with a handful of VRFs: usually VRF-lite. Service provider: always MPLS.

Q4. What is your strategy for IPv6 adoption in a brownfield enterprise?

Talking points: Dual-stack everywhere you can — that is the default. Tunneling (GRE/DMVPN) for IPv6 islands over IPv4 transit. NAT64+DNS64 only when an IPv6-only client must reach an IPv4-only service. Avoid 6to4 and Teredo (deprecated).

Q5. How would you architect QoS for VoIP traffic across a WAN?

Talking points: Mark at the source (EF/DSCP 46 from the phones) and enforce a trust boundary at the access switch: trust the phone's marking but re-mark anything from the PC behind it, so end users cannot promote their own bulk traffic into the voice class. Classify with class-map on DSCP or NBAR. Apply LLQ (priority queue) on WAN egress for EF, sized to the number of concurrent calls; LLQ is policed to its bandwidth by design, so excess EF is dropped rather than starving data. CBWFQ with bandwidth guarantees for everything else, and shape to the provider CIR so the queues actually engage. Verify with show policy-map interface, packet capture, and jitter/MOS measurements (IP SLA udp-jitter).

Troubleshooting (5)

Q1. A user complains the network is slow. Walk me through your diagnosis.

Talking points: Scope (one user/many?) → recent change? → bottom-up: cable/port/duplex → DNS resolves? → traceroute to target → bandwidth/latency at each hop. Use NetFlow if available to identify top talkers. Almost never the network at the user-VLAN layer — usually DNS or upstream saturation.

Q2. BGP session is stuck in IDLE. What do you check?

Talking points: IDLE normally means the router is not even trying: no route to the neighbor address, or the neighbor is administratively shut down (neighbor shutdown). Check reachability between the peering addresses (ping with source), that neighbor IP, remote-as and update-source match on both sides, and that the neighbor is not in shutdown. If it cycles to ACTIVE, TCP 179 is being attempted and failing: firewall or ACL in the path, or a TTL/ebgp-multihop problem. An authentication mismatch shows up as TCP MD5 errors in the log. If still stuck, debug ip bgp with caution.

Q3. How would you debug intermittent packet loss between two sites?

Talking points: Set up IP SLA continuous ping with logging. Monitor interface counters for errors/drops over time. Check for duplex mismatches on intermediate links. Capture on both ends simultaneously. Suspect: half-duplex, MTU black-hole, asymmetric routing dropping return traffic at a stateful firewall.

Q4. Voice quality is poor only during business hours. Where do you look?

Talking points: WAN saturation during business hours — check utilization graphs. QoS classification working? (show policy-map interface). One-way audio = NAT/firewall issue with media ports. Jitter = bursty contention. Solve with QoS first, then capacity.

Q5. Show me your mental model for layer-2 vs layer-3 troubleshooting.

Talking points: L2 first if both hosts on same VLAN: ARP, MAC table, port state, native VLAN, STP blocking. L3 if different VLANs: routing table, ACL on transit interface, asymmetric routing, NAT/firewall in path. Always traceroute first to localize.

Process (5)

Q1. How do you approach a change in a production network?

Talking points: Change record with risk/rollback. Pre-change snapshot (config + show commands). Maintenance window with downstream notice. Execute in stages — test after each. Post-change verification. Document outcome. If something breaks, roll back before debugging unless safe to investigate live.

Q2. A vendor pushes back saying "your network is the problem." How do you respond?

Talking points: Calm, evidence-based. Show packet captures, interface counters, IP SLA results. Reproduce on different paths/devices if possible. Frame as collaborative debugging not adversarial. Most "network problems" are app or DNS — be ready to find that out and accept it.

Q3. How do you decide whether to escalate during an outage?

Talking points: 30 minutes with no working hypothesis = page the second engineer. Cross-team dependency = page that team early. Customer-visible = page comms/management early so they manage stakeholders while you work. Better to escalate too early than too late.

Q4. Tell me about a time you made a configuration change that caused an outage.

Talking points: STAR format: Situation (what), Task (your role), Action (what you did and what went wrong), Result (how you fixed + what you learned). Be honest — interviewers want to see you own mistakes and have process changes from them.

Q5. How do you stay current with networking technology?

Talking points: Cisco Live + DEF CON Network talks on YouTube. RFC reading for new standards. Vendor newsletters (Cisco Field Notices). Subscribe to a few engineering blogs (PacketLife, Daniels Network Notes). Lab in EVE-NG/CML monthly. Specific cert refresh every 3 years.

What to do after this bank

  1. Map weak areas to the library. If you struggled with BGP path selection, re-read BGP basics. If you struggled with 802.1X design, re-read 802.1X and ISE basics.
  2. Practice the war stories. The single biggest senior-engineer differentiator vs CCNA-fresh candidates is concrete examples. Write down 5 outage / change / design stories from your career using the STAR format and rehearse them.
  3. Book a mock interview. Self-rehearsal hits diminishing returns after a few hours. A mentor who can interrupt and ask "but how exactly?" is worth 10× the prep. Free first session with PacketMentor is one such mock — no payment until you decide to continue.

What this bank does not cover

For coverage of those four — including mock interview rounds tuned to specific US employers — see the CCNP Senior Track.


© PacketMentor. Free to share with attribution. Cisco®, CCNP®, and CCIE® are trademarks of Cisco Systems, Inc. PacketMentor is independent and not affiliated with Cisco.

Practice these with a real interviewer.

Free first session is the actual first mock interview — not a sales call. We'll pick 5 questions from this bank, run them at interview pace, give you direct feedback.

