Top 100 CCNA Interview Questions for Network Engineers (2026)
Interviewers asking CCNA-level questions are not trying to catch you out. They want to know if you understand why things work, not just that you memorized commands. The candidate who explains what actually happens when a switch receives a frame with an unknown destination MAC will always beat the one who recites the OSI model layer by layer. These 100 questions reflect what gets asked in real technical screens — with answers that hold up under follow-up.
April 2026 | ⏱ 35 min read | CCNA 200-301 • IOS-XE • IPv4 / IPv6 • Routing & Switching | ⚙ Entry to Mid-Level Engineers
Exam Version Covered
All questions align with the Cisco CCNA 200-301 exam blueprint (current as of 2026). Topics include network fundamentals, IP connectivity, IP services, security fundamentals, automation, and network access. Where a question goes slightly beyond the exam blueprint into practical job knowledge, it’s marked with a ★ symbol.
10 Categories — 10 Questions Each
|
① OSI Model & Network Fundamentals (Q1–Q10) ② IP Addressing & Subnetting (Q11–Q20) ③ VLANs & Switching (Q21–Q30) ④ Routing Protocols (Q31–Q40) ⑤ Network Services — DHCP, DNS, NAT (Q41–Q50) |
⑥ WAN Technologies & VPN (Q51–Q60) ⑦ Wireless Networking (Q61–Q70) ⑧ Network Security (Q71–Q80) ⑨ Troubleshooting & Network Management (Q81–Q90) ⑩ IPv6, SDN & Automation (Q91–Q100) |
|
Category 1 — Q1 to Q10 OSI Model & Network Fundamentals |
|
Q1. Name the seven OSI model layers and what each one does.
From bottom to top: Physical (bits on wire — cables, connectors, voltage), Data Link (frames, MAC addressing, error detection on a single network segment), Network (IP packets, routing between networks), Transport (TCP/UDP, end-to-end delivery, ports), Session (establishing and managing sessions between applications), Presentation (encryption, compression, data format translation), Application (HTTP, FTP, DNS — what the user interacts with).
Interview tip:
Interviewers follow up with: “Where does a switch operate?” (Layer 2 for a basic switch; Layer 3 if it routes). “Where does a router operate?” (Layer 3, but it processes down to Layer 1 physically). Know the PDU names: bits, frames, packets, segments.
Q2. What is the difference between TCP and UDP?
TCP is connection-oriented: it uses a three-way handshake (SYN, SYN-ACK, ACK), guarantees delivery through acknowledgments and retransmissions, and provides ordered delivery. UDP is connectionless: it sends datagrams with no handshake, no acknowledgment, no retransmission. TCP adds overhead but reliability. UDP is faster and suits real-time applications where a retransmitted old packet is worse than no packet — video calls, online gaming, DNS queries, VoIP.
TCP uses ports 80 (HTTP), 443 (HTTPS), 22 (SSH), 25 (SMTP), 21 (FTP). UDP uses 53 (DNS — although DNS can use TCP for zone transfers), 67/68 (DHCP), 161 (SNMP), 5060 (SIP). Expect the interviewer to ask you to place a specific protocol in one camp or the other.
Q3. What is the TCP three-way handshake?
Client sends SYN with its initial sequence number. Server replies with SYN-ACK — acknowledging the client’s sequence number and including its own. Client sends ACK back. Both sides now know each other’s sequence numbers and the connection is established. The four-way teardown replaces this: FIN → ACK → FIN → ACK.
Q4. What happens when you type a URL into a browser and press Enter?
The browser checks its cache for a DNS entry. If not cached, it sends a DNS query (UDP port 53) to the configured DNS resolver. The resolver returns the IP address. The browser initiates a TCP three-way handshake to port 80 (HTTP) or 443 (HTTPS) on that IP. For HTTPS, a TLS handshake follows. The browser sends an HTTP GET request. The server responds with the page content. ARP is also involved if the destination is on the same local subnet — the browser’s OS needs the MAC address before the first frame can go out.
Q5. What is ARP and how does it work?
Address Resolution Protocol maps an IP address to a MAC address on the same local network. When Device A needs to reach 192.168.1.10 and doesn’t have its MAC in the ARP cache, it broadcasts an ARP Request: “Who has 192.168.1.10?” The device with that IP replies with a unicast ARP Reply containing its MAC. Device A caches the mapping and builds the Ethernet frame. ARP only works within the same broadcast domain — routers don’t forward ARP broadcasts.
# View the ARP cache on a Cisco device Router# show arp # Clear a specific ARP entry Router# clear arp-cache
Q6. What is a broadcast domain vs a collision domain?
A collision domain is a network segment where two devices transmitting simultaneously cause a collision. Each switch port is its own collision domain — this is why half-duplex hubs are obsolete. A broadcast domain is the set of devices that receive a Layer 2 broadcast. Switches extend both: they create separate collision domains per port, but by default all ports share one broadcast domain. Routers break both — they create separate broadcast domains per interface. VLANs create separate broadcast domains on the same physical switch.
Q7. What is the difference between a hub, a switch, and a router?
A hub is a Layer 1 device that copies every incoming bit to every port — all devices in the same collision domain, half-duplex by nature. Nobody deploys hubs in production anymore. A switch operates at Layer 2, learns MAC addresses, and forwards frames only to the destination port. Each port is a separate collision domain. A router operates at Layer 3, forwards packets between different networks using IP addresses, and maintains a routing table. Each router interface is a separate broadcast domain.
Q8. What is encapsulation in networking?
As data moves down the OSI model from application to physical, each layer adds its own header (and sometimes a trailer). Application data gets a Transport header (segment), then a Network header (packet), then a Data Link header and trailer (frame), then converted to bits. The receiving side strips each header as it moves up. This is encapsulation going down and de-encapsulation going up. The term “PDU” (Protocol Data Unit) changes at each layer: data, segment, packet, frame, bits.
Q9. What is a MAC address and how is it structured?
A MAC (Media Access Control) address is a 48-bit identifier burned into a NIC’s hardware. Written as six pairs of hexadecimal digits separated by colons or hyphens: 00:1A:2B:3C:4D:5E. The first 24 bits (first three octets) are the Organizationally Unique Identifier (OUI) assigned to the manufacturer by IEEE. The last 24 bits are the device-specific identifier. Broadcast MAC is FF:FF:FF:FF:FF:FF. MACs are only relevant within the same network segment — routers strip and replace MAC addresses at each hop.
Q10. Explain the difference between full-duplex and half-duplex.
Half-duplex: a device can either send or receive at one time, not both simultaneously. Hubs operate half-duplex; CSMA/CD (Carrier Sense Multiple Access/Collision Detection) manages access to the shared medium. Full-duplex: a device can send and receive simultaneously on dedicated transmit and receive wire pairs. Modern switches and NICs operate full-duplex by default. Full-duplex effectively doubles throughput and eliminates collisions. A duplex mismatch — one side full, one side half — causes performance degradation and CRC errors without necessarily dropping the link.
|
Category 2 — Q11 to Q20 IP Addressing & Subnetting |
|
Q11. What are the IPv4 address classes and their default subnet masks?
Class A: 1.0.0.0 – 126.255.255.255, default mask /8 (255.0.0.0), first bit is 0. Class A was for large organizations — 16 million host addresses. Class B: 128.0.0.0 – 191.255.255.255, /16 (255.255.0.0), first two bits are 10. Class C: 192.0.0.0 – 223.255.255.255, /24 (255.255.255.0), first three bits are 110. Class D: 224.0.0.0 – 239.255.255.255, multicast. Class E: reserved. In practice, classful addressing was replaced by CIDR in the early 1990s — but interviewers still ask about it.
Private ranges: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16. 127.0.0.0/8 is loopback (127.0.0.1 most commonly used). 169.254.0.0/16 is APIPA (Automatic Private IP Addressing) — assigned by a host when DHCP fails.
Q12. Subnet a /24 network into subnets that each support at least 30 hosts.
You need at least 30 hosts per subnet. The host bits formula is 2^n – 2 ≥ 30, where n is host bits. 2^5 = 32, minus 2 = 30. So you need 5 host bits, which means a /27 mask (255.255.255.224). From a /24, you get 8 subnets (2^3 = 8 subnet bits borrowed). Each /27 subnet has 32 addresses total, 30 usable hosts.
| Subnet | Network Address | First Host | Last Host | Broadcast |
| 1 | 192.168.1.0/27 | 192.168.1.1 | 192.168.1.30 | 192.168.1.31 |
| 2 | 192.168.1.32/27 | 192.168.1.33 | 192.168.1.62 | 192.168.1.63 |
| 3–8 | ...64, .96, .128, .160, .192, .224 | Pattern continues in blocks of 32 | ||
Q13. What is VLSM (Variable Length Subnet Masking) and why does it matter?
VLSM lets you subnet a network using different mask sizes to avoid wasting addresses. Example: if you have a /24 and need one subnet of 100 hosts, one of 50, and one of 10, you’d assign them /25, /26, and /28 respectively rather than giving all three a /24. This is how every real network is designed. Classful routing protocols (RIPv1, IGRP) can’t carry subnet mask information in updates — they assume classful boundaries — which is why they’re obsolete. All modern protocols (OSPF, EIGRP, RIPv2, BGP) support VLSM.
Q14. What is CIDR and how does it differ from classful addressing?
Classless Inter-Domain Routing (CIDR), introduced in 1993, replaced rigid class-based allocation with prefix notation (e.g., 192.168.0.0/24). Any prefix length from /0 to /32 is valid, so you can allocate exactly as many addresses as needed rather than a full Class A, B, or C block. CIDR also enables route summarization (supernetting) — advertising one aggregate route instead of hundreds of specific routes, which reduced the global BGP routing table size dramatically. The /notation is synonymous with CIDR prefix notation.
Q15. How do you determine the network address, broadcast address, and usable host range for 172.16.45.14/20?
/20 mask is 255.255.240.0. The third octet has 20 bits of network — the first 4 bits of the third octet are network bits (1111 0000 = 240). 45 in binary is 0010 1101. The network portion of the third octet keeps the first 4 bits (0010) and zeros the rest: 0010 0000 = 32. Network address: 172.16.32.0/20. The block size is 16 (256-240=16), so subnets go 0, 16, 32, 48... The broadcast is the last address before the next subnet: 172.16.47.255. Usable hosts: 172.16.32.1 – 172.16.47.254 (4094 hosts: 2^12 – 2).
Q16. What is route summarization and when should you use it?
Route summarization (aggregation) combines multiple specific routes into a single advertisement. If you have 10.1.0.0/24 through 10.1.15.0/24, you can summarize them as 10.1.0.0/20 and advertise one route instead of 16. Benefits: smaller routing tables, faster convergence, reduced CPU/memory load on routers, less routing protocol traffic. Use it at boundaries where you have contiguous address blocks. The catch: if one specific subnet is down, the summary still attracts traffic — make sure the summarizing router has the specific routes to correctly forward or discard.
Q17. What is a loopback interface and why is it used on Cisco routers?
A loopback is a logical interface that exists only in software. It’s always up as long as the device is up — it doesn’t go down because a physical cable is unplugged. Routers use loopbacks as stable router IDs for OSPF and BGP (they prefer the highest loopback IP as the router ID if no router-id is manually set). Also used for management connectivity: if you need to reliably SSH into a router, SSH to its loopback address and ensure that address is advertised into your routing protocol. Loopbacks are typically /32 masks.
Q18. What is the difference between a unicast, multicast, and broadcast address?
Unicast: traffic from one sender to one specific destination. Broadcast: traffic to all devices in a network or subnet. Limited broadcast is 255.255.255.255 (dropped by routers). Directed broadcast is the subnet broadcast address (e.g., 192.168.1.255). Multicast: traffic from one source to a subscribed group of receivers. Multicast addresses are in the 224.0.0.0/4 range (Class D). Devices subscribe to multicast groups rather than receiving all traffic. OSPF uses 224.0.0.5 (all OSPF routers) and 224.0.0.6 (DR/BDR).
Q19. How many usable hosts are in a /30 subnet and what is it used for?
/30 has 4 total addresses (2^2), 2 usable hosts (subtract network address and broadcast). It’s the smallest subnet that can have two hosts — used almost exclusively for point-to-point WAN links between two routers. One IP for each router end, network and broadcast for the subnet. You’ll often see /31 on newer WAN links (RFC 3021) which provides 2 addresses with no broadcast — valid for point-to-point links where there’s no need for broadcast. /32 is a host route — used for loopbacks and identifying a specific single host.
Q20. What is the purpose of the subnet mask?
The subnet mask defines which portion of an IP address is the network identifier and which portion identifies the host. ANDing the IP address with the subnet mask gives the network address. Routers use this to determine whether a destination is on the local network (forward to the destination directly, using ARP) or on a remote network (forward to the default gateway or the next-hop router from the routing table). Without a correct subnet mask, a host can’t determine its own network or correctly address outgoing traffic.
|
Category 3 — Q21 to Q30 VLANs & Switching |
|
Q21. What is a VLAN and why do we use them?
A VLAN (Virtual LAN) logically segments a physical switch into multiple independent broadcast domains. Without VLANs, every device on a switch shares a single broadcast domain — every broadcast (ARP, DHCP discover) goes to every port. VLANs allow you to isolate departments (HR, Finance, Engineering) on the same physical hardware without needing separate switches, improve security by preventing inter-VLAN traffic without a router, and reduce broadcast overhead. VLANs are defined by the IEEE 802.1Q standard.
Q22. What is 802.1Q trunking and how does it work?
802.1Q is the IEEE standard for VLAN tagging on trunk links. When a switch sends a frame out a trunk port, it inserts a 4-byte tag into the Ethernet frame between the source MAC and the EtherType field. The tag contains a 12-bit VLAN ID (allowing 4094 VLANs, since 0 and 4095 are reserved). The receiving switch reads the tag, knows which VLAN the frame belongs to, and strips the tag before forwarding it out an access port. The native VLAN is the one VLAN that crosses a trunk untagged.
Switch(config)# interface GigabitEthernet0/1 Switch(config-if)# switchport mode trunk Switch(config-if)# switchport trunk allowed vlan 10,20,30 Switch(config-if)# switchport trunk native vlan 99
Q23. How does a switch learn MAC addresses?
When a switch receives a frame, it reads the source MAC address and records it in its MAC address table (CAM table) against the incoming port. The next time the switch needs to forward a frame to that MAC, it looks up the table and forwards to the correct port. If the destination MAC isn’t in the table (unknown unicast), the switch floods the frame out all ports except the one it arrived on. This flooding behavior is how switches build their tables over time. Entries age out after the aging timer (default 300 seconds on Cisco).
Q24. What is Spanning Tree Protocol (STP) and why is it needed?
Without STP, a redundant switched network creates Layer 2 loops. Broadcast frames circulate forever (a broadcast storm), MAC tables become unstable as the same MAC appears on multiple ports, and the network becomes unusable within seconds. STP (IEEE 802.1D) prevents loops by electing a Root Bridge and blocking redundant paths. Only one path to the root is active per VLAN; blocked ports activate if the active path fails. Rapid PVST+ (Cisco’s implementation of 802.1w) converges in under a second instead of 30–50 seconds for classic STP.
Q25. How is the STP Root Bridge elected?
The switch with the lowest Bridge ID becomes the Root Bridge. The Bridge ID is an 8-byte value combining a 2-byte priority (default 32768 plus VLAN ID in PVST+) and the switch’s MAC address. Lowest priority wins. If priorities tie, lowest MAC address wins. To control which switch becomes root, set a lower priority on the switch you want as root: spanning-tree vlan 10 priority 4096. Or use spanning-tree vlan 10 root primary which automatically sets the priority low enough to win.
Q26. What is PortFast and when should you enable it?
PortFast bypasses the STP listening and learning states (which take 15 seconds each in classic STP) and immediately moves a port to forwarding. Use it only on access ports connecting to end devices (PCs, printers, servers) — never on ports connecting to other switches. A switch connected to a PortFast port would immediately create a loop. Enable BPDU Guard alongside PortFast: if a BPDU arrives on a PortFast port (indicating a switch was plugged in), the port goes err-disabled.
Switch(config-if)# spanning-tree portfast Switch(config-if)# spanning-tree bpduguard enable
Q27. What is EtherChannel and what protocols negotiate it?
EtherChannel bundles multiple physical links between two switches into a single logical interface. STP sees it as one link (preventing blocked ports on redundant parallel links), and traffic load-balances across the member links. Two negotiation protocols: LACP (Link Aggregation Control Protocol, IEEE 802.3ad, open standard) and PAgP (Port Aggregation Protocol, Cisco proprietary). LACP modes: active (initiates) or passive (waits). PAgP modes: desirable (initiates) or auto (waits). For interoperability between vendors, use LACP. Both sides must have matching configuration: same speed, duplex, VLAN, trunk settings.
Q28. How does inter-VLAN routing work on a Layer 3 switch?
A Layer 3 switch creates a Switched Virtual Interface (SVI) for each VLAN. The SVI is a virtual interface with an IP address that acts as the default gateway for hosts in that VLAN. Enable ip routing on the switch, and it routes between SVIs directly in hardware — much faster than the alternative (Router-on-a-Stick with an external router). Router-on-a-Stick uses a single trunk link from a switch to a router, with sub-interfaces per VLAN on the router. It works but creates a bottleneck if the link is congested.
Q29. What is DTP and should you leave it enabled?
Dynamic Trunking Protocol is a Cisco-proprietary protocol that automatically negotiates trunk links between Cisco switches. It’s enabled by default. The security problem: an attacker connected to a switchport set to dynamic auto or dynamic desirable can send DTP frames to negotiate a trunk and gain access to all VLANs. Best practice: disable DTP on all access ports with switchport nonegotiate, and hardcode ports as access or trunk mode rather than relying on dynamic negotiation.
Q30. What is DHCP Snooping and how does it work?
DHCP Snooping intercepts DHCP messages on a switch and distinguishes between trusted ports (toward your legitimate DHCP server) and untrusted ports (all other ports). Untrusted ports cannot send DHCP offers or ACKs — only discovers and requests. This prevents rogue DHCP servers from assigning addresses. The switch builds a DHCP snooping binding table mapping IP-to-MAC-to-port-to-VLAN, which Dynamic ARP Inspection and IP Source Guard use for further validation.
|
Category 4 — Q31 to Q40 Routing Protocols |
|
Q31. What is administrative distance and why does it matter?
Administrative distance (AD) is a value that indicates how trustworthy a routing source is. When a router learns the same route from multiple sources, it installs the one with the lowest AD. Key values on Cisco: Connected (0), Static (1), EIGRP summary (5), eBGP (20), EIGRP internal (90), OSPF (110), IS-IS (115), RIP (120), iBGP (200).
| Protocol | Admin Distance |
| Connected Interface | 0 |
| Static Route | 1 |
| EIGRP Internal | 90 |
| OSPF | 110 |
| RIP | 120 |
Q32. What is the difference between distance-vector and link-state routing protocols?
Distance-vector protocols (RIP, EIGRP in a simplified sense) send their entire routing table to directly connected neighbors at regular intervals. Each router only knows what its neighbors told it — it doesn’t have a complete map of the network. Susceptible to routing loops; use mechanisms like split horizon and route poisoning to prevent them. Link-state protocols (OSPF, IS-IS) flood link-state advertisements throughout the network. Every router builds a complete topology database (LSDB) and runs SPF (Dijkstra’s algorithm) to calculate the best path. Faster convergence, more accurate, scales better. Higher CPU and memory requirements.
Q33. How does OSPF elect a Designated Router (DR) and Backup Designated Router (BDR)?
On multi-access networks (Ethernet), OSPF elects a DR and BDR to reduce flooding overhead. All other routers (DROthers) form adjacencies only with the DR and BDR, not with each other. Election: highest OSPF priority wins (range 1–255, default 1). If tied, highest router ID (highest loopback IP, or highest physical IP if no loopback). Priority 0 makes a router ineligible for DR/BDR. The election is non-preemptive — a higher-priority router that comes up later won’t take over the DR role until the current DR fails.
Q34. What is OSPF cost and how is it calculated?
OSPF cost is the metric used to select the best path. The formula is: Cost = Reference Bandwidth / Interface Bandwidth. Cisco’s default reference bandwidth is 100 Mbps (100,000,000 bps). A FastEthernet interface (100 Mbps) has cost 1. A GigabitEthernet interface (1 Gbps) also calculates to cost 1 because 100/1000 = 0.1, which rounds up to 1. This is a well-known problem — Fast Ethernet and Gigabit Ethernet get the same cost by default. The fix: change the reference bandwidth to a higher value on all routers in the domain: auto-cost reference-bandwidth 10000 (for a 10 Gbps reference).
Q35. What are the OSPF neighbor states and what does each mean?
Down: no Hellos received. Init: Hello received from neighbor but they haven’t seen our Hello yet (router ID not in their neighbor list). 2-Way: both routers have seen each other’s Hellos; DR/BDR election happens here. DROther routers stay at 2-Way with each other (not Full). Exstart: Master/Slave negotiation for database exchange begins. Exchange: DBD (Database Description) packets exchanged. Loading: LSR/LSU exchange to fill in missing LSAs. Full: databases synchronized; full adjacency established. Full is the healthy operational state.
Q36. What are the EIGRP successor and feasible successor?
EIGRP uses the DUAL (Diffusing Update Algorithm) to maintain loop-free paths. The successor is the best path to a destination (lowest feasible distance). The feasible successor is a backup path that is guaranteed loop-free because its reported distance (the neighbor’s distance to the destination) is less than the current feasible distance of the successor. If the successor fails, EIGRP immediately switches to the feasible successor without running DUAL again — this makes EIGRP convergence extremely fast when a feasible successor exists. If there’s no feasible successor, EIGRP sends queries to neighbors to find a new path.
Q37. What is a floating static route?
A floating static route has a manually configured administrative distance higher than the primary routing protocol. Normally, a static route has AD 1 and would override dynamic routing. But if you set AD to 250, it only appears in the routing table when the dynamic route disappears (because the dynamic route at AD 110 takes precedence). Used for WAN backup: the primary route comes from OSPF; if that path fails and the OSPF route is removed, the floating static via a backup link activates. Example: ip route 0.0.0.0 0.0.0.0 10.0.0.1 250
Q38. What is the purpose of a routing table and how does a router select a best path?
The routing table contains the router’s current best paths to all known destinations. When a packet arrives, the router does a longest-prefix match — the most specific route wins. If 10.1.1.0/24 and 10.0.0.0/8 are both in the table and the destination is 10.1.1.5, the /24 wins because it’s more specific. If two routes have the same prefix and same AD, metric determines the winner. OSPF uses cost; EIGRP uses composite metric (bandwidth + delay by default); RIP uses hop count. Equal-cost routes can be installed for load balancing (ECMP).
Q39. What is BGP and when would a CCNA-level engineer encounter it?
Border Gateway Protocol is the routing protocol of the internet — it exchanges routing information between autonomous systems (ASes). It’s a path-vector protocol that uses TCP port 179 for neighbor connections. CCNA covers basic BGP concepts but not deep configuration. You’d encounter BGP at ISP connections, multi-homed internet setups, or SD-WAN deployments. iBGP (internal BGP) runs between routers in the same AS; eBGP (external BGP) runs between different ASes. eBGP has an administrative distance of 20; iBGP is 200.
Q40. What commands show you the routing table and verify OSPF neighbors?
# Full routing table Router# show ip route # OSPF routes only Router# show ip route ospf # OSPF neighbor adjacencies Router# show ip ospf neighbor # OSPF interface details Router# show ip ospf interface brief # EIGRP topology table (shows successors/feasible successors) Router# show ip eigrp topology
|
Category 5 — Q41 to Q50 Network Services — DHCP, DNS & NAT |
⚙️ |
Q41. Walk me through the DHCP DORA process.
Discover: client broadcasts (src: 0.0.0.0, dst: 255.255.255.255, UDP 67) to find DHCP servers. Offer: DHCP server responds with an available IP address offer. Request: client broadcasts its acceptance of the offer (still broadcast, because multiple servers might have offered). Acknowledge: server confirms and sends the lease: IP address, subnet mask, default gateway, DNS server, and lease duration. The client ARP-probes the offered IP before accepting to confirm no conflicts.
Q42. What is a DHCP relay agent?
DHCP Discover messages are broadcasts and routers don’t forward broadcasts by default. If your DHCP server is on a different subnet than the clients, clients can’t reach it. A DHCP relay agent (configured on the router interface with ip helper-address) converts the broadcast Discover into a unicast directed at the DHCP server IP. The server can then reply. This allows one DHCP server to serve multiple subnets.
Q43. How does DNS resolution work, from client to authoritative server?
Client queries its configured recursive resolver (often the ISP or 8.8.8.8). If not cached, the resolver queries a Root Name Server (knows where the TLD servers are). Root server returns the TLD (.com) name server address. Resolver queries the TLD server, which returns the authoritative name server for the domain. Resolver queries the authoritative server and gets the A record (IP address). Resolver caches the response (for the TTL duration) and returns it to the client. The full round trip typically takes under 100ms; cached responses are near-instant.
Q44. What is NAT and what are the three types?
Static NAT: one private IP maps permanently to one public IP (1:1). Used for servers that need a consistent public address (web server, mail server). Dynamic NAT: private IPs map to a pool of public IPs from a first-come-first-served pool. No longer common because public IPs are scarce. PAT (Port Address Translation, or NAT Overload): many private IPs share a single public IP, differentiated by source port numbers. This is how almost every home and enterprise internet connection works. The router tracks the port mappings in a NAT table and translates return traffic back to the correct private IP.
Q45. What is the difference between NTP client and NTP server modes?
NTP (Network Time Protocol) synchronizes clocks across devices. An NTP server provides time to clients. An NTP client receives time from a server. A device can be both — syncing from an upstream server while also serving time to downstream clients. NTP uses a stratum system: Stratum 0 is the atomic clock reference; Stratum 1 servers sync directly from Stratum 0; Stratum 2 from Stratum 1, and so on. Accurate timestamps matter for log correlation, certificate validity, and routing protocol authentication. Configure on Cisco: ntp server 216.239.35.0
Q46. What ports do common protocols use? List at least 10.
| Protocol | Port | Transport |
| HTTP | 80 | TCP |
| HTTPS | 443 | TCP |
| SSH | 22 | TCP |
| DNS | 53 | UDP / TCP |
| DHCP (Server) | 67 | UDP |
| DHCP (Client) | 68 | UDP |
| SNMP | 161 / 162 | UDP |
| SMTP | 25 | TCP |
| FTP (Data/Control) | 20 / 21 | TCP |
Q47. What is SNMP and what are its three versions?
SNMP v1: original, uses community strings in plaintext. Insecure; don’t use. SNMP v2c: improved error handling and bulk operations, still uses plaintext community strings. Widely deployed but security is weak. SNMP v3: adds authentication (SHA/MD5) and encryption (AES/DES). The only version that should run in production. SNMP uses UDP port 161 for queries and 162 for traps (unsolicited alerts from devices to the NMS). MIBs (Management Information Bases) define the structure of manageable objects on each device.
Q48. What is Syslog and how does Cisco IOS use it?
Syslog is the standard protocol for sending log messages to a central server. Cisco IOS generates syslog messages with a severity level 0–7: 0 Emergencies, 1 Alerts, 2 Critical, 3 Errors, 4 Warnings, 5 Notifications, 6 Informational, 7 Debugging. Configure a syslog server: logging host 192.168.1.100. Set the minimum severity to send: logging trap informational. Always configure timestamps: service timestamps log datetime msec.
Q49. What is FTP and how does active vs passive mode differ?
FTP uses port 21 for control (commands) and port 20 for data (file transfer). Active mode: the client opens a random port, tells the server its port number, and the server initiates the data connection from port 20 to the client. Firewalls often block this inbound connection. Passive mode: the server opens a random port and tells the client. The client initiates both connections outbound. Passive mode works through firewalls better because the client always initiates. SFTP (SSH File Transfer Protocol on port 22) and FTPS (FTP over TLS) are the secure alternatives.
Q50. What is QoS and what are the three models?
Best effort: no QoS, all traffic treated equally (default on most networks). IntServ (Integrated Services): per-flow resource reservation using RSVP. Doesn’t scale on large networks. DiffServ (Differentiated Services): traffic classified and marked at the network edge using DSCP values, then treated according to those markings at each hop. DiffServ is the dominant enterprise model. Key concepts: classification (what is the traffic?), marking (set DSCP), queuing (prioritize voice and critical data), policing (drop excess), shaping (buffer excess). Voice needs a priority queue with guaranteed bandwidth and maximum latency of 150ms one-way.
|
Category 6 — Q51 to Q60 WAN Technologies & VPN |
|
Q51. What is the difference between a leased line, MPLS, and broadband WAN?
Leased line: a dedicated, private point-to-point circuit between two locations. Guaranteed bandwidth, no shared medium. Expensive. Common for critical WAN links. MPLS: provider manages a private network where customer traffic is labeled and switched through the provider backbone. Traffic is isolated from other customers but shares the provider infrastructure. Provides SLAs. Broadband (cable, fiber, DSL): shared consumer-grade internet connectivity. Lower cost, variable performance. SD-WAN has made broadband a viable enterprise WAN option by adding path selection and optimization on top.
Q52. What is a GRE tunnel and what problem does it solve?
Generic Routing Encapsulation wraps (encapsulates) any network layer protocol inside IP packets. It creates a virtual point-to-point link across a routed network. The problem it solves: routing protocols (OSPF, EIGRP) can’t run directly over IPsec tunnels because IPsec only handles unicast. GRE supports multicast, so routing protocols can run over a GRE tunnel. A common pattern: GRE over IPsec — GRE provides the tunnel for routing protocols, IPsec encrypts everything inside. GRE adds 24 bytes of overhead per packet.
Q53. What is IPsec and what are its two protocols?
IPsec is a suite of protocols for securing IP communications through authentication and encryption. Two main protocols: AH (Authentication Header) — provides data integrity and authentication but no encryption. Protects the entire IP packet but breaks with NAT (because NAT changes the IP header, invalidating the AH checksum). ESP (Encapsulating Security Payload) — provides encryption, integrity, and authentication. Used in almost all real deployments; works with NAT-T (NAT Traversal). IPsec uses two phases: IKE Phase 1 (negotiate the security association for the key exchange channel) and Phase 2 (negotiate the SA for the actual data traffic).
Q54. What is the difference between transport mode and tunnel mode in IPsec?
Transport mode: only the payload (Layer 4 and above) is encrypted; the original IP header remains. Used for host-to-host encryption where both endpoints are IPsec peers. Tunnel mode: the entire original IP packet (header and payload) is encrypted and encapsulated inside a new IP packet with new source and destination addresses. Used for network-to-network VPNs (site-to-site) where the VPN gateways are not the final source/destination. Almost all site-to-site VPNs use tunnel mode.
Q55. What is PPPoE and where is it used?
PPP over Ethernet encapsulates PPP frames inside Ethernet. It’s the standard for DSL internet connections — the ISP requires PPPoE authentication (username/password) before assigning an IP. The router runs a PPPoE client, authenticates with the ISP, and gets an IP address dynamically. PPPoE adds overhead: a 6-byte PPPoE header reduces the usable MTU to 1492 bytes instead of the standard 1500. If you see MTU issues on DSL connections, this is usually why.
Q56. What is SD-WAN and how is it different from traditional WAN?
SD-WAN separates the WAN control plane from the data plane and adds application-aware routing. Instead of static routing decisions, SD-WAN continuously measures link quality (latency, jitter, loss) and steers specific applications to the best available path in real time. A branch with both MPLS and broadband internet can route voice over MPLS (better quality) and bulk transfers over broadband (cheaper), with automatic failover if a path degrades. Traditional WAN uses static configurations; SD-WAN uses dynamic policy with centralized orchestration.
Q57. ★ What is DMVPN and what problem does it solve?
Dynamic Multipoint VPN allows hub-and-spoke IPsec VPN deployments where spoke-to-spoke tunnels can be created on demand without pre-configuring every spoke pair. A classic hub-and-spoke requires all spoke-to-spoke traffic to traverse the hub, creating a bottleneck and adding latency. DMVPN uses NHRP (Next Hop Resolution Protocol) to resolve spoke addresses dynamically. When spoke A wants to reach spoke B, it queries NHRP (hosted on the hub) for B’s public IP, then builds a direct IPsec tunnel to B. Cisco’s ISR routers support DMVPN natively.
Q58. What is the difference between a site-to-site VPN and a remote access VPN?
Site-to-site VPN: a persistent IPsec tunnel between two network gateways (routers or firewalls). Connects two entire networks. Users at either site don’t need VPN clients — the routers handle encryption transparently. Remote access VPN: an individual user connects to a VPN gateway using a client (software or SSL/browser-based). The client gets a virtual IP address and can access corporate resources as if on the internal network. SSL VPN works over HTTPS (port 443) and often requires no special client software beyond a browser.
Q59. What is MTU and why does it cause problems in tunnels?
Maximum Transmission Unit is the largest IP packet a link can carry. Standard Ethernet MTU is 1500 bytes. Tunnels add headers: GRE adds 24 bytes, IPsec ESP adds 50–60 bytes, so the effective MTU inside a GRE over IPsec tunnel can be as low as ~1400 bytes. If a host sends a 1500-byte packet that can’t fit, it needs to be fragmented or the router sends an ICMP “Fragmentation Needed” (Type 3, Code 4) message. Many firewalls block ICMP, causing black-hole issues where large packets disappear. Solution: set MSS (Maximum Segment Size) clamping on the tunnel interface: ip tcp adjust-mss 1360.
Q60. What is HSRP and how does it provide gateway redundancy?
Hot Standby Router Protocol (Cisco proprietary) runs between two routers that share a virtual IP and virtual MAC address. Clients use the virtual IP as their default gateway. One router is Active (handles traffic); the other is Standby (monitoring). If Active fails, Standby takes over the virtual IP within seconds. VRRP (Virtual Router Redundancy Protocol) is the open standard equivalent. GLBP (Gateway Load Balancing Protocol, Cisco proprietary) extends this to load-balance across both routers. Configure HSRP: standby 1 ip 192.168.1.1 followed by standby 1 priority 110 on the preferred active router.
|
Category 7 — Q61 to Q70 Wireless Networking |
|
Q61. What are the key differences between 802.11 Wi-Fi standards?
| Standard | Wi-Fi Name | Frequency | Max Speed | Key Feature |
| 802.11b | — | 2.4 GHz | 11 Mbps | First widespread |
| 802.11g | — | 2.4 GHz | 54 Mbps | Backward compat with b |
| 802.11n | Wi-Fi 4 | 2.4 / 5 GHz | 600 Mbps | MIMO, 40 MHz channels |
| 802.11ac | Wi-Fi 5 | 5 GHz only | 3.5 Gbps | MU-MIMO, 160 MHz |
| 802.11ax | Wi-Fi 6/6E | 2.4 / 5 / 6 GHz | 9.6 Gbps | OFDMA, TWT, BSS Color |
Q62. What is CSMA/CA and how does it differ from CSMA/CD?
CSMA/CD (Collision Detection) is used in wired Ethernet half-duplex. A device transmits, detects a collision if two transmit simultaneously, then waits a random time before retrying. CSMA/CA (Collision Avoidance) is used in 802.11 wireless. Because wireless stations can’t easily detect collisions while transmitting (the transmitted signal drowns out received signals), 802.11 avoids collisions proactively. Stations listen before transmitting, wait for the medium to be idle, add a random backoff time, then transmit. The hidden terminal problem (two stations that can’t hear each other but both reach the AP) is addressed with RTS/CTS (Request to Send/Clear to Send).
Q63. What is the difference between 2.4 GHz and 5 GHz Wi-Fi?
2.4 GHz: longer range, better wall penetration, more crowded (microwave ovens, Bluetooth, neighbors). Only 3 non-overlapping 20 MHz channels in most countries (1, 6, 11). Lower maximum throughput. 5 GHz: shorter range, less wall penetration, far less interference, many more non-overlapping channels (23+ in the US). Higher throughput. 6 GHz (Wi-Fi 6E) adds even more spectrum with even less interference but shorter range still. For most enterprise deployments, 5 GHz is preferred for performance; 2.4 GHz remains for legacy devices and longer-range coverage requirements.
Q64. What are the main wireless security protocols and which should you use?
WEP (Wired Equivalent Privacy): broken, crackable in minutes. Never use. WPA (Wi-Fi Protected Access): interim fix using TKIP. Also vulnerable. WPA2: uses AES-CCMP encryption. Personal mode uses a pre-shared key (PSK). Enterprise mode uses 802.1X with RADIUS. WPA2 is still widely deployed and generally adequate with a strong PSK. WPA3: uses SAE (Simultaneous Authentication of Equals) which prevents offline dictionary attacks against captured handshakes. WPA3-Enterprise adds 192-bit security. Use WPA2-Enterprise (802.1X) or WPA3 for corporate wireless; WPA2-Personal with a strong passphrase minimum for SOHO.
Q65. What is the difference between an autonomous AP and a controller-based AP?
An autonomous AP is a standalone device that you configure individually. It handles both control functions (authentication, roaming decisions) and data forwarding locally. Fine for small deployments. Controller-based APs (also called lightweight APs or CAPWAP mode APs) offload control functions to a central Wireless LAN Controller (WLC). The WLC manages all APs uniformly: RF management, client authentication, roaming, firmware updates. CAPWAP (Control And Provisioning of Wireless Access Points) is the protocol between APs and the WLC, using UDP ports 5246 (control) and 5247 (data). Enterprise deployments almost always use controllers for manageability.
Q66. What is a BSS, SSID, and BSSID?
BSS (Basic Service Set): the basic building block of 802.11 — one AP and its associated clients. SSID (Service Set Identifier): the network name users see (e.g., “CorpWifi”). An AP can broadcast multiple SSIDs. BSSID (Basic Service Set Identifier): the MAC address of a specific radio on a specific AP. Each SSID on each radio has its own BSSID. ESSID: an Extended Service Set spans multiple APs with the same SSID — this is how seamless roaming works. Clients roam between APs in the same ESS without reconnecting to the SSID.
Q67. What is 802.1X authentication for wireless?
802.1X is port-based network access control. For wireless, the client (supplicant) authenticates to the AP (authenticator), which relays credentials to a RADIUS server (authentication server — often Cisco ISE, FreeRADIUS, or Microsoft NPS). If authentication succeeds, the RADIUS server returns an Access-Accept and optionally assigns a VLAN. Common EAP methods: EAP-TLS (most secure — mutual certificate authentication), PEAP (password-based with server certificate), EAP-TTLS. 802.1X eliminates shared passwords — each user authenticates individually, and compromised credentials can be revoked per-user.
Q68. What causes wireless interference and how do you mitigate it?
Co-channel interference: multiple APs on the same channel in range of each other. All APs on the same channel must share the medium. Mitigation: plan channel assignments so adjacent APs use non-overlapping channels (1, 6, 11 on 2.4 GHz). Adjacent channel interference: APs on channels that overlap (e.g., channels 3 and 6). Mitigation: only use 1, 6, 11. Other 2.4 GHz interference: microwave ovens, Bluetooth, baby monitors. Mitigation: move to 5 GHz where possible. Use a spectrum analyzer to identify non-802.11 interference sources before deploying APs.
Q69. What is a wireless site survey and when is one needed?
A site survey maps the RF environment of a physical space to determine optimal AP placement, channel assignments, and transmit power settings. A passive survey listens to existing RF signals to map coverage, signal strength, and interference. An active survey deploys temporary APs and measures actual throughput and signal quality. Site surveys are needed for: new building deployments, environments with many obstacles (warehouses with metal shelving, hospitals with RF-dense equipment), high-density areas (conference rooms, auditoriums), and anywhere you’re troubleshooting coverage or performance complaints.
Q70. What is the difference between FlexConnect and local switching in wireless?
Central switching (the default): all client data traffic is tunneled via CAPWAP to the WLC for switching and forwarding. The WLC makes all forwarding decisions. This works well when APs are near the WLC, but backhauling traffic over a WAN link wastes bandwidth and adds latency. FlexConnect / Local switching: the AP switches client traffic locally at the branch without sending it back to the WLC. The WLC still provides management. If the WAN link to the WLC fails, FlexConnect APs continue to serve clients using cached configurations. Essential for branch office wireless deployments where WAN links are the bottleneck.
|
Category 8 — Q71 to Q80 Network Security |
|
Q71. What is an ACL and what are the two types on Cisco?
Standard ACL: filters traffic based on source IP address only. Applied close to the destination (to avoid blocking traffic unnecessarily). Numbered 1–99 or 1300–1999 (extended range). Extended ACL: filters on source IP, destination IP, protocol, source port, and destination port. Applied close to the source. Numbered 100–199 or 2000–2699. Named ACLs use a name instead of a number and support both standard and extended. An implicit deny any at the end of every ACL drops anything not explicitly permitted.
Q72. What is the difference between a firewall and an IPS?
A stateful firewall tracks connection state and permits or denies traffic based on IP addresses, ports, and direction. It knows if a packet is part of an established session. An IDS (Intrusion Detection System) analyzes traffic patterns against known attack signatures and alerts but doesn’t block. An IPS (Intrusion Prevention System) is an IDS that sits inline and actively blocks malicious traffic. A Next-Generation Firewall (NGFW) combines stateful firewall, IPS, application identification, user awareness, URL filtering, and SSL inspection in one device. Cisco ASA is a stateful firewall; Firepower NGFW adds IPS and application control.
Q73. What is AAA in network security?
Authentication: verifying who you are (username/password, certificate, token). Authorization: determining what you’re allowed to do (VLAN assignment, command privilege level, accessible resources). Accounting: tracking what you did (logging commands entered, session duration, data transferred). In Cisco context, AAA is typically implemented with RADIUS (open standard, used for network access) or TACACS+ (Cisco proprietary, used for device administration — separates authentication, authorization, and accounting into distinct exchanges, giving finer control over what admins can do on the device).
Q74. What is the difference between RADIUS and TACACS+?
RADIUS (UDP 1812/1813) is an open standard used primarily for network access (Wi-Fi 802.1X, VPN). It combines authentication and authorization in a single Access-Accept response, and only encrypts the password in the packet. TACACS+ (TCP 49) is Cisco proprietary and used for device administration. It separates authentication, authorization, and accounting into distinct packets, encrypts the entire payload (not just the password), and provides per-command authorization (you can define exactly which CLI commands an admin can run). Most enterprises use RADIUS for end-user network access and TACACS+ for network device management.
Q75. What is a common Layer 2 attack and how do you prevent it?
MAC flooding: attacker floods the switch with frames using fake source MACs, filling the CAM table. The switch then acts like a hub (unknown unicast flooding), allowing the attacker to capture all traffic. Prevention: port security limits the number of MACs per port. VLAN hopping: attacker uses double-tagging or DTP negotiation to send traffic to a different VLAN. Prevention: disable DTP on user-facing ports, change native VLAN from default VLAN 1, use switchport nonegotiate. ARP spoofing: attacker sends gratuitous ARPs to poison the ARP cache. Prevention: Dynamic ARP Inspection (DAI).
Q76. How do you secure a Cisco switch against unauthorized access?
A non-exhaustive list of standard hardening steps: disable unused ports and put them in an unused VLAN, disable Telnet (use SSH version 2 only), set a strong enable secret (not enable password), configure AAA with TACACS+, use SNMPv3 instead of v1/v2c, set VTY timeouts, configure no ip domain-lookup on production switches (prevents accidental DNS lookups on typos), disable CDP/LLDP on external-facing ports, configure DHCP Snooping and Dynamic ARP Inspection, set PortFast and BPDU Guard on access ports, and ensure all management traffic uses an out-of-band management VLAN.
Q77. What is port security and what are the three violation modes?
Port security limits the number of MAC addresses allowed on a switch port and optionally locks it to specific MACs. Three violation modes: Shutdown (default): the port goes err-disabled when a violation occurs. Requires manual shutdown / no shutdown to recover (or configure err-disable recovery). Restrict: drops frames from violating MACs, increments violation counter, sends a log message, port stays up. Protect: drops frames from violating MACs silently, port stays up, no log. For visibility, use Restrict over Protect. Shutdown is most aggressive.
Q78. What is the CIA triad in security?
Confidentiality: ensuring information is accessible only to those authorized to have access. Implemented through encryption, access controls, authentication. Integrity: ensuring data is accurate and hasn’t been tampered with. Implemented through hashing (MD5, SHA-256), digital signatures, checksums. Availability: ensuring systems and data are accessible when needed. Implemented through redundancy, HA clustering, backups, DoS mitigation, RAID. Security controls are evaluated against how well they protect each of the three pillars. A DoS attack targets availability specifically; encryption addresses confidentiality.
Q79. What is the difference between symmetric and asymmetric encryption?
Symmetric encryption: the same key encrypts and decrypts. Fast. The problem: how do you securely exchange the key? Examples: AES, DES, 3DES. Asymmetric encryption: a public key encrypts, a private key decrypts (or vice versa for signatures). The public key can be shared freely — it can only encrypt, not decrypt. Only the holder of the private key can decrypt. Slow and computationally expensive. Examples: RSA, ECDSA, Diffie-Hellman. In practice, protocols like TLS use asymmetric encryption to securely exchange a symmetric session key, then switch to symmetric encryption for the actual data transfer — combining the security of asymmetric with the speed of symmetric.
Q80. What is a VPN and what are the key components that make it secure?
A VPN creates an encrypted tunnel over an untrusted network (usually the internet), allowing private communication. The security depends on: Confidentiality (encryption — AES-256 is current best practice), Integrity (hashing — SHA-256 or SHA-384, not MD5 which is broken), Authentication (verifying the peer is who they claim: pre-shared keys, certificates, or username/password), Anti-replay (sequence numbers prevent captured packets from being replayed). The Diffie-Hellman key exchange allows two parties to derive a shared secret over a public channel without sending the key itself — the foundation of IKE Phase 1.
|
Category 9 — Q81 to Q90 Troubleshooting & Network Management |
|
Q81. What is the OSI troubleshooting methodology and which direction do you go?
Two common approaches: bottom-up (start at Layer 1 — is the cable plugged in? Is the light green? Move up through Layer 2, then 3, etc.) or top-down (start at Layer 7 — can the application connect? Work down to find where it breaks). In practice, most engineers use a divide-and-conquer approach based on symptoms: if a ping fails, start at Layer 3. If a VPN tunnel is up but traffic isn’t flowing, check Layer 3 routes and Layer 4 ACLs. Picking the right starting layer based on the symptom is more efficient than always starting at Layer 1.
Q82. What does each field mean in the output of show interfaces?
The first line shows the interface state. “GigabitEthernet0/0 is up, line protocol is up” means physical layer OK and data link layer OK. “Up/Down” means physical is connected but no keepalives or Layer 2 negotiation (often mismatched encapsulation or keepalive mismatch on WAN links). “Down/Down” means no physical connection. CRC errors indicate Layer 1 problems (bad cable, duplex mismatch, physical damage). Input errors and output drops indicate congestion or buffer issues. Late collisions on full-duplex Gigabit indicates a duplex mismatch. Input queue drops indicate the interface is overwhelmed faster than the CPU can process.
Q83. What is the ping and traceroute command used for?
Ping tests Layer 3 reachability between source and destination using ICMP Echo Request / Echo Reply. It confirms the IP path works in both directions. On Cisco IOS, extended ping (ping then press Enter) lets you specify source interface, packet size, repeat count, and timeout. Traceroute discovers the path packets take and measures RTT at each hop by incrementing the IP TTL. Each router that drops a packet with TTL=0 sends back an ICMP Time Exceeded message, revealing its IP. Asterisks mean the hop didn’t respond (firewall blocking ICMP) — not necessarily a path failure if the ultimate destination responds.
Q84. What does “show ip interface brief” tell you?
A quick summary of all interfaces: name, IP address, OK (yes if the IP is usable), Method (how the IP was assigned: NVRAM=static from config, DHCP=dynamically), Status (physical layer), and Protocol (data link layer). It’s the fastest way to survey all interfaces on a router. Equivalent for switches: show interfaces status which shows port state, VLAN, duplex, and speed for all switch ports at once.
Q85. A user can ping the gateway but can’t access the internet. Walk me through troubleshooting.
Ping confirms Layer 3 to the gateway is working. Next: can you ping a known internet IP (8.8.8.8)? If yes, the path works but DNS is likely broken — check nslookup google.com. If ping to 8.8.8.8 fails: on the router, check show ip route for a default route. Check NAT translations (show ip nat translations). Check ACLs on the outbound interface. Check the WAN interface state. Ping from the router itself to 8.8.8.8 — if that works but the user can’t, NAT is likely misconfigured (no ip nat inside/outside on the right interfaces).
Q86. How do you find which interface or VLAN a specific host is connected to?
On a router: show arp maps IP-to-MAC for directly connected subnets. On a switch: show mac address-table address <MAC> shows which port the MAC was learned on. If the MAC appears on an uplink port, the device is on a downstream switch — log into that switch and repeat. CDP can help: show cdp neighbors detail shows connected Cisco device IPs and their port connections. This hunt from the router’s ARP table down through the switching fabric is a standard daily task for network engineers.
Q87. What is CDP and what does it reveal?
Cisco Discovery Protocol is a Layer 2 protocol that runs between directly connected Cisco devices. show cdp neighbors detail reveals the connected device’s hostname, platform model, IOS version, IP address, and which interfaces connect them. Extremely useful for building a network diagram when documentation is missing. Security consideration: CDP reveals device model, software version, and IP addresses to anyone connected — disable it on external-facing or untrusted ports. LLDP is the open standard equivalent that works across vendors.
Q88. How do you recover a Cisco switch from an incorrect configuration?
If you still have access: reload discards unsaved changes and restores the last saved config. If you saved the bad config: restore from backup using copy tftp: running-config or copy startup-config. If you’ve lost access entirely: use console cable for physical access. If you need to reset the enable password: the password recovery procedure (model-specific) involves interrupting the boot sequence (Rommon mode), changing the configuration register to 0x2142 to skip startup config, booting, changing the password, resetting the register to 0x2102, and saving.
Q89. What is the difference between running-config and startup-config?
Running-config: the configuration currently active in RAM. Any changes you make with config t immediately affect the running-config. Lost on reload unless saved. Startup-config: the configuration in NVRAM that loads on boot. Save with copy running-config startup-config or write memory. The danger: making a config change that locks you out (bad ACL, wrong IP) and then not saving — the device reloads with the old good config. Also, never reload a device without saving if you want to keep your changes.
Q90. What are the most useful Cisco IOS show commands for daily troubleshooting?
# Interface states (fastest overview) show ip interface brief show interfaces status # switches # Routing show ip route show ip route <destination-ip> # best path for specific IP # Switching show vlan brief show interfaces trunk show mac address-table # Routing protocols show ip ospf neighbor show ip eigrp neighbors show ip bgp summary # Security show ip access-lists show ip nat translations show arp # Spanning Tree show spanning-tree vlan <id> # CDP neighbors show cdp neighbors detail
|
Category 10 — Q91 to Q100 IPv6, SDN & Network Automation |
烙 |
Q91. Why was IPv6 created and what is its address size?
IPv4 has 4.3 billion addresses (2^32). The internet ran out of available IPv4 addresses at the IANA level in 2011; regional registries followed. IPv6 uses 128-bit addresses — 2^128 = 340 undecillion addresses (340 followed by 36 zeros). Written as eight groups of four hexadecimal digits: 2001:0db8:85a3:0000:0000:8a2e:0370:7334. Leading zeros in a group can be omitted; a single consecutive sequence of all-zero groups can be replaced with :: (only once per address).
Q92. What are the main types of IPv6 addresses?
Global Unicast (GUA): routable on the internet, prefix 2000::/3. Link-Local: automatic on every IPv6-enabled interface, prefix FE80::/10. Only valid on the local link; never routed. Used for neighbor discovery and routing protocol communication. Unique Local (ULA): like private IPv4 addresses, prefix FC00::/7. Not routable on the internet. Loopback: ::1/128 (equivalent to 127.0.0.1). Multicast: FF00::/8. IPv6 has no broadcast — broadcast functions are replaced by multicast. Anycast: same address assigned to multiple devices; packets route to the nearest one.
Q93. What is SLAAC and how does IPv6 address autoconfiguration work?
Stateless Address Autoconfiguration allows IPv6 hosts to configure their own addresses without DHCP. The router sends Router Advertisements (RA) containing the network prefix. The host combines that prefix with its Interface ID (derived from MAC using EUI-64 process, or a random privacy address per RFC 4941) to form a full 128-bit global unicast address. The router’s link-local address becomes the default gateway. NDP (Neighbor Discovery Protocol) replaces ARP in IPv6, using ICMPv6 Neighbor Solicitation and Neighbor Advertisement messages for address resolution.
Q94. What is SDN (Software-Defined Networking) and how does it differ from traditional networking?
Traditional networking: control plane (routing decisions) and data plane (packet forwarding) run on the same device. Each device is configured individually. SDN separates them: a centralized controller makes all routing and policy decisions, and the data plane devices (switches, routers) just forward packets according to rules from the controller. The controller has a network-wide view and can reconfigure the entire network from one place. OpenFlow is a common protocol between the SDN controller and data plane devices. Cisco DNA Center and ACI are SDN implementations. This centralizes intelligence and enables automation at scale.
Q95. What is the difference between the northbound and southbound API in SDN?
In an SDN architecture: Northbound API: between the SDN controller and applications/management systems above it. This is how network operators or automation tools tell the controller what they want the network to do. REST APIs are common. Southbound API: between the SDN controller and the network devices below it (switches, routers). OpenFlow is the classic southbound protocol; Cisco uses NETCONF/RESTCONF and OpFlex. The controller sits in the middle, translating high-level intent from the northbound into specific device instructions on the southbound.
Q96. What is a REST API and how is it used in network automation?
REST (Representational State Transfer) is an architectural style for APIs over HTTP. It uses standard HTTP verbs: GET (retrieve data), POST (create), PUT (replace), PATCH (update), DELETE (remove). Responses are typically JSON or XML. Modern network devices (Cisco IOS-XE via RESTCONF, DNA Center, Meraki Dashboard) expose REST APIs that let you automate configuration changes, query device state, and integrate with other systems — without CLI screen-scraping. Authentication uses API keys, OAuth, or basic auth over HTTPS. The ability to consume REST APIs is increasingly expected at entry and mid-level network engineering roles.
Q97. What is the difference between NETCONF and RESTCONF?
NETCONF (RFC 6241) uses SSH (port 830) and XML for structured communication with network devices. It’s more robust for complex configurations and supports transactions (all-or-nothing commits). Widely supported on enterprise gear. RESTCONF (RFC 8040) provides a REST HTTP interface to the same YANG data models that NETCONF uses. Supports JSON or XML. Easier to use with standard HTTP tools (curl, Postman, Python requests). Both use YANG models to define the structure of configuration and operational data. For network automation beginners, RESTCONF is easier to start with; NETCONF is more feature-complete.
Q98. What is Ansible and how is it used for network automation?
Ansible is an agentless automation platform that uses YAML playbooks. “Agentless” means no software runs on the managed device — Ansible uses SSH or API calls to communicate. For Cisco IOS-XE, the cisco.ios Ansible collection provides modules for sending commands (ios_command), pushing configuration (ios_config), and retrieving facts. Playbooks are idempotent — running them multiple times is safe. Terraform is another IaC (Infrastructure as Code) tool, using declarative HCL rather than procedural YAML, with a state file to track what’s deployed.
Q99. What is the difference between JSON and XML in network automation?
Both are data serialization formats for exchanging structured information. JSON (JavaScript Object Notation): key-value pairs, arrays, lightweight, human-readable, more compact. Preferred for REST APIs. XML (eXtensible Markup Language): uses tags like HTML, more verbose, supports namespaces and attributes. Preferred for NETCONF. In Python: import json; data = json.loads(response.text) parses JSON into a Python dictionary. Most modern APIs prefer JSON. NETCONF/YANG traditionally uses XML, though RESTCONF supports JSON with the same YANG models.
Q100. What certifications and skills should a CCNA engineer pursue next?
CCNP Enterprise is the natural next step — split into ENCOR (core exam) and a concentration (ENARSI for routing, or ENWLSI for wireless). For security specialists: CCNP Security. For data center: CCNP Data Center. Beyond Cisco: AWS Solutions Architect or Cloud Practitioner for cloud networking roles. Python basics (especially using the requests, netmiko, and nornir libraries) are increasingly expected even at CCNA-level jobs. Learning Ansible or Terraform puts you well ahead of most entry-level candidates. The CCNA is the foundation. What matters most after passing it is lab time — building and breaking real configurations in GNS3 or Cisco CML.
Quick Reference: CCNA Must-Know Commands
| Command | What It Shows / Does |
| show ip interface brief | All interfaces: IP, status, protocol |
| show ip route | Full routing table |
| show vlan brief | All VLANs and assigned ports |
| show interfaces trunk | Trunk ports, allowed VLANs, native VLAN |
| show mac address-table | MAC-to-port mappings on a switch |
| show spanning-tree | STP topology, root bridge, port states |
| show ip ospf neighbor | OSPF adjacency state per neighbor |
| show ip nat translations | Active NAT translation table |
| show arp | ARP cache: IP-to-MAC mappings |
| show cdp neighbors detail | Connected Cisco devices, their IPs and models |
| show ip access-lists | ACL entries with match counters |
| copy run start | Save running config to NVRAM |
| debug ip icmp | Real-time ICMP packet events (disable when done) |
What Interviewers Are Actually Looking For
| Conceptual clarity | Can you explain why something works, not just the steps? “STP blocks ports to prevent loops” is better than reciting convergence timers without context. |
| Troubleshooting process | Walking through a scenario methodically matters more than immediately knowing the answer. “I’d start by checking the routing table, then verify the NAT config, then check for ACLs” is a great answer. |
| CLI comfort | Know your show commands cold. Interviewers notice when you hesitate to name a command you should use daily. |
| Honesty on gaps | “I haven’t worked with EIGRP much in production” is better than a confident wrong answer. Every network engineer has gaps; what matters is how you handle them. |
