Network Engineer Interviews: Packets, BGP, And Blast Radius
The Mythic Intel Team · Apr 15, 2025
A network engineer interview rewards precision and punishes the approximate. Interviewers ask you to trace a packet from one host to another, subnet a network on the spot, and explain what happens when a route propagates where it should not. The candidates who pass do not recite acronyms; they explain mechanisms, name the layer a problem lives at, and reason about blast radius when something goes wrong on the wire.
This guide covers the rounds you should expect in a networking interview, the fundamentals every panel checks, and the BGP topics that come up the moment the role touches the internet edge. Get the models, the handshake, and subnetting exact, because these are the questions where a wrong word ends the round.
The Rounds You Should Expect
A network engineer loop in 2026 generally runs three to five conversations:
- A fundamentals round on the OSI and TCP/IP models, addressing, and core protocols.
- A subnetting and addressing round, often live with pen and paper or a shared doc.
- A routing and switching round, scaling up to BGP for roles that face the internet or run a data center fabric.
- A troubleshooting round: "users in one site cannot reach an application, walk me through it."
- A behavioral round on incidents and change management.
The troubleshooting round is where layered thinking shows. Good engineers move methodically up or down the stack instead of guessing.
OSI Versus TCP/IP
Know both models and how they map. The OSI model has seven layers, from the bottom up: Physical, Data Link, Network, Transport, Session, Presentation, Application. The TCP/IP model is the one the internet actually runs on and is more compact. In its common four-layer form it collapses OSI's top three (Session, Presentation, Application) into a single Application layer and merges Physical and Data Link into a Network Access layer, keeping Internet (Network) and Transport in between.
The reason interviewers care is troubleshooting. "Is this a layer 1 problem, a layer 2 problem, or a layer 3 problem" is a real diagnostic question. A cable or optic is layer 1. A MAC address, a switch, or a VLAN is layer 2. An IP address and routing are layer 3. Naming the layer narrows the search.
Subnetting You Can Do Live
Expect to subnet without a calculator. Be fluent with CIDR and the arithmetic:
- A /24 is 256 addresses, 254 usable hosts after the network and broadcast addresses.
- Each added prefix bit halves the host space: a /25 is 128 addresses, a /26 is 64, a /27 is 32.
- Given 192.168.10.0/26, you should immediately give the four subnets, their ranges, and the broadcast address of each.
A typical question: "you need six subnets with at least 25 hosts each out of a /24, lay them out." Talk through it: 25 hosts needs at least a /27 (30 usable), and a /24 splits into eight /27 blocks, which covers six subnets with room to spare. Show the boundaries. The interviewer is checking that the binary is second nature, not memorized.
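The layout from that question, worked in code as an added example (not from the original article). The function name `plan_subnets` and the 192.168.10.0/24 parent are assumptions chosen for illustration; the same function generalizes to any parent block and host count.

```python
import ipaddress

def plan_subnets(parent, count, hosts_each):
    """Carve `count` equal subnets with at least `hosts_each` usable hosts each.

    Returns (plan, spare_blocks). Illustrative helper, not a library API.
    """
    net = ipaddress.ip_network(parent)
    # Need 2**h >= hosts + 2 (network and broadcast are reserved),
    # so h is the bit length of hosts + 1.
    host_bits = (hosts_each + 1).bit_length()
    new_prefix = net.max_prefixlen - host_bits
    if new_prefix < net.prefixlen:
        raise ValueError("one subnet of that size does not fit in the parent")
    blocks = list(net.subnets(new_prefix=new_prefix))
    if count > len(blocks):
        raise ValueError(f"only {len(blocks)} /{new_prefix} blocks fit in {net}")
    plan = []
    for block in blocks[:count]:
        plan.append({
            "subnet": str(block),
            "first_host": str(block.network_address + 1),
            "last_host": str(block.broadcast_address - 1),
            "broadcast": str(block.broadcast_address),
            "usable": block.num_addresses - 2,
        })
    return plan, len(blocks) - count

if __name__ == "__main__":
    # Six subnets of 25 hosts from a /24: six /27 blocks, two left over.
    plan, spare = plan_subnets("192.168.10.0/24", 6, 25)
    for row in plan:
        print(row)
    print("spare blocks:", spare)
```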
The TCP Three-Way Handshake
This is a near-guaranteed question, and the order and flags must be exact. TCP opens a connection in three steps to synchronize sequence numbers before any application data is sent:
- SYN. The client sends a segment with the SYN flag set and its initial sequence number.
- SYN-ACK. The server replies with both SYN and ACK flags set, sending its own initial sequence number and acknowledging the client's.
- ACK. The client acknowledges the server's sequence number. The connection is now established and data can flow.
Be ready for the follow-ups. Why three messages and not two: both sides must agree on each other's starting sequence numbers, so each direction needs a SYN and a matching ACK. What a SYN flood is: an attacker sends many SYNs and never completes the handshake, exhausting the server's half-open connection table, mitigated with SYN cookies. Connection teardown uses a separate exchange with the FIN flag; mixing it up with the handshake is a common confusion to avoid.
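To make the half-open state concrete, here is an added example (not from the original article) that replays the three handshake steps over constructed segment records and counts connections stuck before the final ACK, which is the signal a SYN flood produces. The record format, addresses, and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample segments: (time_s, src, sport, dst, dport, flags)
SAMPLE = [
    (0.00, "10.0.0.5", 40001, "10.0.0.80", 443, "S"),    # client SYN
    (0.01, "10.0.0.80", 443, "10.0.0.5", 40001, "SA"),   # server SYN-ACK
    (0.02, "10.0.0.5", 40001, "10.0.0.80", 443, "A"),    # client ACK
] + [
    # SYNs that are never followed by the final ACK (documentation addresses)
    (1.0 + i * 0.01, "198.51.100.%d" % (i + 1), 50000 + i, "10.0.0.80", 443, "S")
    for i in range(5)
]

def half_open_report(segments, threshold=3):
    """Return (established, half_open_per_server, servers_over_threshold)."""
    pending = {}        # (client, cport, server, sport) -> "SYN" or "SYN-ACK"
    established = set()
    for _ts, src, sport, dst, dport, flags in segments:
        if flags == "S":                       # step 1: client opens
            pending[(src, sport, dst, dport)] = "SYN"
        elif flags == "SA":                    # step 2: server answers
            key = (dst, dport, src, sport)
            if pending.get(key) == "SYN":
                pending[key] = "SYN-ACK"
        elif flags == "A":                     # step 3: client completes
            key = (src, sport, dst, dport)
            if pending.get(key) == "SYN-ACK":
                del pending[key]
                established.add(key)
    per_server = defaultdict(int)
    for _client, _cport, server, port in pending:
        per_server[(server, port)] += 1
    flagged = sorted(s for s, n in per_server.items() if n > threshold)
    return established, dict(per_server), flagged

if __name__ == "__main__":
    done, half_open, flagged = half_open_report(SAMPLE)
    print("established:", done)
    print("half-open per server:", half_open)
    print("over threshold:", flagged)
```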
Routing Basics
Before BGP, the panel checks whether you understand how a router decides. Be clear on the difference between a routing protocol that runs inside one organization and one that runs between them. Interior gateway protocols like OSPF compute shortest paths within an autonomous system using a metric such as link cost. The exterior protocol, BGP, exchanges reachability between autonomous systems and chooses paths by policy, not by raw shortest distance. Know that longest-prefix match wins: a more specific route, a /24, beats a less specific one, a /16, regardless of the protocol that learned it.
BGP And Route Leaks
For any role near the internet edge, BGP is the centerpiece. BGP is the path-vector protocol that glues autonomous systems together; each AS announces the prefixes it can reach, and routes carry the AS-path they traversed. Two failure modes come up constantly, and the distinction matters:
- BGP hijack. An AS originates a prefix it does not own, often a more specific one to win longest-prefix match, pulling traffic toward itself. This can be malicious, used to intercept or black-hole traffic.
- Route leak. An AS propagates routes beyond their intended scope, for example announcing routes learned from one provider to another provider when it should not. It is usually accidental, a policy mistake, and it bends traffic through a path that should never have carried it, causing congestion, latency, and packet loss.
The crisp framing: a hijack is unauthorized origination of a prefix, a leak is a legitimate route announced to the wrong neighbors. Know the defenses too: prefix filtering and maximum-prefix limits on peers, RPKI route origin validation to check that the originating AS is authorized for a prefix, and the principles behind MANRS. A candidate who can explain why RPKI stops origin hijacks but does not by itself stop every path manipulation is showing real depth.
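The RPKI point above, as an added example (not from the original article): a minimal route origin validation in the style of RFC 6811, run over constructed announcements. The ROA, prefixes, and AS numbers are documentation values chosen for illustration. The last case shows the limit: validation looks only at the origin AS and prefix length, so it says nothing about the rest of the AS path.

```python
import ipaddress

# Constructed ROA set: (prefix, max_length, authorized_origin_asn)
ROAS = [("192.0.2.0/24", 24, 64496)]

def validate_origin(prefix, as_path, roas=ROAS):
    """Return 'valid', 'invalid' or 'not-found' for one announcement."""
    route = ipaddress.ip_network(prefix)
    origin = as_path[-1]          # the origin AS is the last AS in the path
    covered = False
    for roa_prefix, max_len, asn in roas:
        roa_net = ipaddress.ip_network(roa_prefix)
        if route.version != roa_net.version or not route.subnet_of(roa_net):
            continue
        covered = True            # at least one ROA covers this route
        if asn == origin and route.prefixlen <= max_len:
            return "valid"
    # Covered but no ROA matched origin and length: reject. Uncovered: unknown.
    return "invalid" if covered else "not-found"

# Constructed announcements: (label, prefix, AS path as received)
ANNOUNCEMENTS = [
    ("authorized origin",        "192.0.2.0/24",    [64500, 64496]),
    ("wrong origin",             "192.0.2.0/24",    [64500, 64511]),
    ("more specific, wrong AS",  "192.0.2.0/25",    [64500, 64511]),
    ("exceeds maxLength",        "192.0.2.0/25",    [64500, 64511, 64496]),
    ("no covering ROA",          "198.51.100.0/24", [64500, 64499]),
    ("path not inspected",       "192.0.2.0/24",    [64500, 64511, 64496]),
]

def validate_all(announcements=ANNOUNCEMENTS):
    return {label: validate_origin(p, path) for label, p, path in announcements}

if __name__ == "__main__":
    for label, state in validate_all().items():
        print(f"{label:26s} {state}")
```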
How To Practice
Rehearse out loud: trace a packet from a browser to a server naming the layer at each hop, subnet a /24 into the blocks a scenario asks for while talking through the binary, and explain the three-way handshake with the flags in order and the reason for each message. Then describe the difference between a hijack and a route leak and the filter that stops each. Speaking it is what reveals whether you actually know the mechanism or just the term. A tool like Mythic Intel can build a verified network-engineer room and grade your spoken answer on accuracy, completeness, structure, and proof. Drill the handshake and the subnetting until they are reflexive, because those are the questions you cannot afford to fumble.