Top 20 Networks Interview Questions

The OSI (Open Systems Interconnection) model standardizes communication functions in 7 layers (mnemonic: 'Please Do Not Throw Sausage Pizza Away'):

7) Application — user interface, HTTP, FTP, SMTP, DNS.

6) Presentation — data format, encryption/decryption, compression (SSL/TLS).

5) Session — manages sessions, synchronization, authentication.

4) Transport — end-to-end communication, segmentation, TCP/UDP, port numbers.

3) Network — logical addressing, routing, IP protocol, routers.

2) Data Link — MAC addresses, framing, error detection (CRC), switches, bridges.

1) Physical — bits over physical medium, cables, hubs, NIC.

TCP/IP (DoD) model has 4 layers: Application (OSI layers 5-7 combined — HTTP, FTP, SMTP, DNS), Transport (TCP, UDP), Internet (IP, ICMP, ARP), Network Access/Link (OSI layers 1-2 — Ethernet, Wi-Fi). TCP/IP is the practical internet protocol suite while OSI is a reference model. TCP/IP was developed from ARPANET; OSI was designed by ISO. TCP/IP is simpler and widely implemented; OSI is comprehensive but mainly used as a teaching framework for understanding network concepts.

TCP (Transmission Control Protocol): connection-oriented (3-way handshake: SYN → SYN-ACK → ACK), reliable delivery (acknowledgments, retransmission), ordered delivery, flow control (sliding window), congestion control. Slower but guaranteed. Use cases: HTTP/HTTPS, FTP, email (SMTP), SSH. UDP (User Datagram Protocol): connectionless, unreliable (no ACK/retransmission), unordered, minimal overhead, faster. Use cases: DNS (small queries), streaming video, VoIP, online gaming, DHCP, SNMP. Choose TCP for correctness; UDP for speed where some loss is tolerable.

3-Way Handshake (Connection Establishment):

1) SYN — Client sends TCP segment with SYN flag and initial sequence number.

2) SYN-ACK — Server responds with SYN+ACK, acknowledging client's ISN and sending its own ISN.

3) ACK — Client acknowledges server's ISN. Connection established. 4-Way Termination:

1) FIN — initiating side sends FIN (done sending).

2) ACK — other side acknowledges.

3) FIN — other side sends its FIN when done.

4) ACK — initiating side acknowledges. TIME_WAIT state: initiating side waits 2×MSL before closing to handle delayed packets.

IPv4: 32-bit address (4 octets, e.g., 192.168.1.1), ~4.3 billion addresses. Classes: A (0.0.0.0–127.255.255.255), B (128–191), C (192–223), D (multicast), E (reserved). Subnetting: divide network using subnet mask — `/24` means 24 bits for network, 8 for hosts (256 addresses, 254 usable). CIDR notation. IPv6: 128-bit address (8 groups of 4 hex digits), vastly more addresses, built-in IPSec, no NAT needed, auto-configuration. Private ranges: 10.x, 172.16-31.x, 192.168.x (RFC 1918). NAT translates private to public IPs.

DNS (Domain Name System) translates human-readable domain names to IP addresses. Resolution process:

1) Browser checks local cache.

2) OS checks hosts file and local DNS cache.

3) Query sent to Recursive Resolver (usually ISP/8.8.8.8).

4) Resolver queries Root Server (returns TLD server address).

5) Resolver queries TLD Server (.com/.org — returns authoritative NS).

6) Resolver queries Authoritative Name Server (returns actual IP).

7) Resolver caches and returns IP to client. DNS record types: A (IPv4), AAAA (IPv6), CNAME (alias), MX (mail), TXT (verification), NS (name server), SOA. Default port: 53/UDP.

HTTP (HyperText Transfer Protocol): stateless application layer protocol for web communication on port

80. Data transmitted in plaintext — vulnerable to eavesdropping and MITM attacks. HTTPS = HTTP + TLS (Transport Layer Security): encrypts data using asymmetric + symmetric encryption. TLS Handshake:

1) Client Hello (supported cipher suites, TLS version).

2) Server Hello + Certificate (public key).

3) Client verifies certificate via CA.

4) Key exchange (Diffie-Hellman or RSA).

5) Session keys established.

6) Encrypted communication begins. TLS 1.3 removed weak ciphers, faster handshake (1-RTT). HTTPS port: 443.

Hub (Layer 1 — Physical): broadcasts data to ALL connected devices, no intelligence. Causes collisions, high network traffic. Obsolete. Switch (Layer 2 — Data Link): forwards data only to the intended device using MAC address table (CAM table). Reduces collisions, creates separate collision domains. Smart switches add VLAN support. Router (Layer 3 — Network): connects different networks, routes packets using IP addresses and routing tables. Performs NAT, DHCP (often), firewall functions. Uses routing protocols (OSPF, BGP, RIP) to determine best path. Routers create separate broadcast domains.

ARP resolves IP addresses to MAC addresses within a local network segment. Process:

1) Host A wants to send to IP 192.168.1.5 but doesn't know its MAC.

2) A broadcasts ARP Request: 'Who has 192.168.1.5?' to FF:FF:FF:FF:FF:FF.

3) Host with IP 192.168.1.5 sends ARP Reply with its MAC address (unicast).

4) A caches the IP-MAC mapping in ARP cache (`arp -a`). ARP cache entries have TTL. ARP Poisoning/Spoofing: attacker sends fake ARP replies to redirect traffic — MITM attack. Defended by Dynamic ARP Inspection (DAI) on switches. Gratuitous ARP: host broadcasts its own IP-MAC mapping.

Routing protocols determine best path for packet delivery. Types: IGP (within AS) and EGP (between AS). RIP (Routing Information Protocol): Distance Vector, uses hop count metric (max 15), slow convergence, sends full table every 30s. Suitable for small networks. OSPF (Open Shortest Path First): Link State, uses Dijkstra's algorithm, faster convergence, uses bandwidth as metric, scalable, supports VLSM/CIDR. Industry standard for enterprise networks. BGP (Border Gateway Protocol): Path Vector, EGP, routes between Autonomous Systems on the internet, policy-based routing, complex but highly scalable. Powers the internet's routing infrastructure.

DHCP (Dynamic Host Configuration Protocol) automatically assigns IP addresses and network config to devices. DORA process: D — Discover: client broadcasts (0.0.0.0 → 255.255.255.255) to find DHCP servers. O — Offer: DHCP server offers an IP address (includes IP, subnet mask, gateway, DNS, lease time). R — Request: client broadcasts which offer it's accepting. A — Acknowledge: server acknowledges and binds the address. DHCP uses UDP port 67 (server) and 68 (client). Lease renewal: client attempts renewal at 50% of lease time, then at 87.5%. DHCP Snooping prevents rogue DHCP servers.

NAT translates private IP addresses to public IP addresses, allowing multiple devices to share one public IP. Types: Static NAT — one-to-one mapping (private to public). Dynamic NAT — maps to a pool of public IPs. PAT (Port Address Translation) / NAT Overload — many-to-one mapping using port numbers to distinguish connections. Most common in home routers. Benefits: conserves IPv4 addresses, adds security layer (hides internal topology). Drawbacks: breaks end-to-end connectivity, complicates P2P and VoIP, stateful (single point of failure). NAT Table: tracks active connections (private IP:port ↔ public IP:port).

HTTP/1.1: one request per TCP connection (HOL blocking), keep-alive connections, text-based headers, no multiplexing. HTTP/2: binary framing (more efficient), multiplexing (multiple requests over single TCP connection), header compression (HPACK), server push, stream prioritization. Still uses TCP — TCP HOL blocking remains. HTTP/3: built on QUIC (UDP-based), eliminates TCP HOL blocking (each stream independent), faster connection establishment (0-RTT for known servers), built-in TLS 1.3, better mobile performance (connection migration). HTTP/3 is the future, especially for high-latency connections.

A Firewall monitors and controls incoming/outgoing network traffic based on security rules. Types: Packet Filter Firewall (Layer 3-4): inspects IP headers and port numbers, stateless, fast but limited context. Stateful Inspection Firewall: tracks connection state tables, understands TCP sessions, more secure than packet filtering. Application/Proxy Firewall (Layer 7): inspects application-layer content (HTTP URLs, DNS queries), deep packet inspection. WAF (Web Application Firewall): specifically protects web applications from XSS, SQLi, CSRF. Next-Gen Firewall (NGFW): combines stateful + deep inspection + IDS/IPS + application awareness. Implemented in hardware, software, or cloud.

SSL (Secure Sockets Layer, deprecated) / TLS (Transport Layer Security) provides encrypted communication. Certificate Validation:

1) Server presents X.509 digital certificate containing domain name, public key, validity period, and CA signature.

2) Client checks certificate hasn't expired.

3) Client verifies the domain matches.

4) Client verifies the CA signature using the CA's public key from its trusted store.

5) Client checks certificate revocation (CRL or OCSP). Chain of Trust: Server Cert → Intermediate CA → Root CA (pre-installed in OS/browser). Self-signed certificates bypass CA validation — not trusted by default. Certificate Pinning: app accepts only specific certificates.

VPN (Virtual Private Network) creates an encrypted tunnel over a public network, making traffic appear to originate from the VPN server. Protocols: OpenVPN (TLS-based, open source), IPSec (network layer, commonly used with IKEv2), WireGuard (modern, fast, minimal codebase), L2TP/IPSec, PPTP (deprecated). How it works:

1) Client establishes encrypted tunnel to VPN server.

2) Traffic encrypted before leaving device.

3) VPN server decrypts and forwards to internet.

4) Response encrypted and sent back. Uses: secure remote access, bypass geo-restrictions, site-to-site corporate connectivity. Split tunneling: route only specific traffic through VPN.

Unicast: one-to-one communication; packet sent from one source to one specific destination. Most internet traffic. Broadcast: one-to-all in a network segment; sent to all hosts on a subnet (e.g., 255.255.255.255 for limited broadcast, or subnet broadcast address). Used by ARP, DHCP Discovery. Broadcast domain bounded by routers. Multicast: one-to-many (specific group); sent to a group of interested receivers identified by Class D IP (224.0.0.0 – 239.255.255.255). Uses IGMP to manage group membership. Efficient for streaming to multiple receivers (IPTV, video conferencing). Anycast (IPv6): routed to the nearest node in a group — used in CDNs and DNS.

Common attacks: DDoS (Distributed Denial of Service): overwhelm target with traffic — mitigation: rate limiting, anycast scrubbing, CDN. Man-in-the-Middle (MITM): intercept/modify traffic — mitigation: TLS/HTTPS, certificate pinning, HSTS. DNS Spoofing/Cache Poisoning — mitigation: DNSSEC. ARP Poisoning — mitigation: Dynamic ARP Inspection, static ARP entries. Port Scanning (Nmap) — mitigation: firewalls, IDS/IPS. SQL Injection (application layer) — mitigation: WAF, parameterized queries. Replay Attack — mitigation: timestamps, nonces, TLS. SYN Flood — mitigation: SYN cookies, firewall rate limiting.

ICMP (Internet Control Message Protocol) is a network layer protocol used for error reporting and diagnostics (not for data transfer). Key messages: Echo Request/Reply (used by ping) — tests connectivity. Time Exceeded (TTL=0) — used by traceroute. Destination Unreachable — host/port/network unreachable. Redirect — suggests better route. Ping: sends ICMP Echo Requests, measures RTT (Round Trip Time). Traceroute: sends packets with increasing TTL (1, 2, 3...) — each hop decrements TTL to 0 and sends ICMP Time Exceeded, revealing the path. ICMP can be blocked by firewalls (stealth/ping-blocking).

Private IP addresses are reserved ranges not routable on the internet, used within local networks: Class A: 10.0.0.0/8, Class B: 172.16.0.0/12, Class C: 192.168.0.0/16 (RFC 1918). Loopback: 127.0.0.1. Link-local: 169.254.x.x (APIPA, when DHCP fails). Public IP addresses are globally unique and routable on the internet, assigned by ISPs. NAT enables multiple private-IP devices to share one public IP by translating addresses at the router. The router maintains a NAT table mapping (internal IP:port ↔ external IP:port). This conserved IPv4 addresses and delayed IPv4 exhaustion. IPv6 eliminates the need for NAT with its massive address space.

Symmetric Encryption: same key for encryption and decryption. Fast, efficient for large data. Problem: secure key distribution. Algorithms: AES (most widely used, 128/256-bit), DES (weak, deprecated), 3DES, RC4. Used for bulk data encryption (HTTPS data transfer). Asymmetric Encryption: key pair (public key encrypts, private key decrypts — or private signs, public verifies). Solves key distribution problem. Slower, CPU-intensive. Algorithms: RSA, ECC, Diffie-Hellman (key exchange). Used for: TLS handshake, digital signatures, certificate signing. Hybrid approach: asymmetric to securely exchange a symmetric session key, then symmetric for bulk data — this is how TLS works.