When preparing for Network Engineer or CCIE Security interviews, you’re often tested on practical scenarios: packet flows, troubleshooting steps, proxies, filtering traffic, and more.
In this article, we’ll cover seven frequently asked questions, with detailed answers you can read, understand, and deliver confidently in interviews.
Q1: If two PCs are connected through routers, explain the ICMP packet flow.
When two PCs are in different networks and connected via one or more routers, the ICMP packet flow looks like this:
- Source PC creates the ping request
  - PC-A wants to reach PC-B, but it first checks whether PC-B is in the same subnet.
  - Since it’s in a different network, PC-A forwards the packet to its default gateway (the router).
- ARP for the gateway
  - Before sending anything, PC-A must know the MAC address of its gateway.
  - If it is not already in the ARP cache, PC-A broadcasts an ARP request: “Who has this IP?”
  - The gateway replies with its MAC address, and PC-A saves it.
- Encapsulation and send
  - PC-A wraps the ICMP packet inside an IP packet with destination = PC-B’s IP.
  - At the Ethernet level, however, the destination MAC is the gateway’s MAC.
  - PC-A sends the frame to the switch, which forwards it to the router.
- Router processes the packet
  - The router removes the incoming Ethernet header, checks the destination IP, and consults its routing table.
  - It decides the next hop and then builds a new Ethernet frame for that next hop.
  - The router may again perform ARP to learn the MAC of the next hop.
  - At every router hop, this process repeats: decapsulate → route → re-encapsulate.
- Final delivery to PC-B
  - When the last router in the path receives the packet, it sees that the destination is directly connected to one of its interfaces.
  - It sends an ARP request for PC-B’s MAC if needed, then forwards the ICMP request directly to PC-B.
- Reply back
  - PC-B processes the request and creates an ICMP reply.
  - The reply follows the same path in reverse, hop by hop, until it reaches PC-A.
Q2: If two PCs are connected to the same switch, explain the ICMP packet flow.
When two PCs are in the same subnet and connected to the same switch, the ICMP flow is simpler:
- Source PC checks destination
  - PC-A wants to ping PC-B. Since both are in the same subnet, there is no need to send the packet to a router.
  - PC-A must directly find PC-B’s MAC address.
- ARP for the destination PC
  - If PC-A doesn’t already know PC-B’s MAC, it broadcasts an ARP request on the LAN.
  - The switch floods this ARP request to all ports in that VLAN.
  - PC-B replies with its MAC address, and PC-A saves it in the ARP table.
- Encapsulation and send
  - PC-A now creates the ICMP request with PC-B’s IP as the destination.
  - At the Ethernet level, it sets PC-B’s MAC as the destination.
  - The switch looks up the MAC in its CAM table and forwards the frame only to PC-B’s port.
- Reply from PC-B
  - PC-B receives the request, processes it, and generates an ICMP reply.
  - If PC-B doesn’t have PC-A’s MAC, it sends its own ARP request first.
  - Once the MAC is known, PC-B sends the reply back.
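The host-side decision that separates Q1 from Q2 (is the destination on-link, and whose MAC must be resolved with ARP?) plus the per-hop router lookup from Q1, as an added example that is not part of the original article. All addresses, the ARP cache and the routing table are constructed sample values.

```python
"""Added example (not from the original article): on-link check, ARP target
selection and longest-prefix routing behind the ICMP flows in Q1 and Q2."""
import ipaddress

def resolve_next_hop(src_ip: str, prefix_len: int, dst_ip: str, gateway: str) -> str:
    """Return the IP whose MAC belongs in the Ethernet destination field:
    the destination itself if it is in the local subnet, otherwise the gateway."""
    local_net = ipaddress.ip_network(f"{src_ip}/{prefix_len}", strict=False)
    return dst_ip if ipaddress.ip_address(dst_ip) in local_net else gateway

def router_forward(ip_dst: str, routing_table: dict) -> str:
    """One router hop (decapsulate -> route -> re-encapsulate): longest-prefix
    match, then return the IP the router must ARP for on the egress side.
    routing_table maps "prefix" -> next-hop IP, or None for a connected route."""
    dst = ipaddress.ip_address(ip_dst)
    routes = {ipaddress.ip_network(n): nh for n, nh in routing_table.items()}
    best = max((n for n in routes if dst in n), key=lambda n: n.prefixlen, default=None)
    if best is None:
        raise LookupError("no route")  # a real router would answer with ICMP unreachable
    next_hop = routes[best]
    return ip_dst if next_hop is None else next_hop   # connected: ARP for the host itself

def frame_icmp_request(src_ip, prefix_len, dst_ip, gateway, arp_cache):
    """Build the L2/L3 addressing for an ICMP echo request. arp_cache maps IP -> MAC.
    If the needed MAC is missing, the host must broadcast an ARP request first."""
    next_hop = resolve_next_hop(src_ip, prefix_len, dst_ip, gateway)
    if next_hop not in arp_cache:
        return {"action": "arp_request", "target_ip": next_hop,
                "eth_dst": "ff:ff:ff:ff:ff:ff"}      # broadcast, flooded by the switch
    return {"action": "send", "eth_dst": arp_cache[next_hop],
            "ip_dst": dst_ip,                         # IP header always names the final target
            "via_router": next_hop != dst_ip}

if __name__ == "__main__":
    cache = {"10.1.1.1": "aa:bb:cc:00:00:01"}         # constructed ARP cache: gateway only
    # Q1: different subnet -> frame goes to the gateway MAC, IP dst stays PC-B
    print(frame_icmp_request("10.1.1.50", 24, "10.2.2.20", "10.1.1.1", cache))
    # Q2: same subnet, PC-B MAC unknown -> ARP broadcast for PC-B first
    print(frame_icmp_request("10.1.1.50", 24, "10.1.1.60", "10.1.1.1", cache))
    # Router hop: /24 is directly connected, so the router ARPs for PC-B itself
    table = {"10.2.2.0/24": None, "10.0.0.0/8": "10.255.0.1", "0.0.0.0/0": "192.0.2.1"}
    print(router_forward("10.2.2.20", table), router_forward("8.8.8.8", table))
```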
Q3: If you can ping the DNS server but a URL is not accessible, what could be the reasons?
This is a classic troubleshooting case. Ping works, so basic connectivity is fine, but URL access fails. Possible reasons:
- Application Layer Issues: The DNS server itself is reachable, but it may not be resolving the domain due to misconfigured records or DNS service failure.
- Firewall or Proxy Blocking: HTTP/HTTPS traffic may be blocked by firewall ACLs, proxy policies, or URL filtering rules. ICMP is allowed, but TCP ports 80/443 may not be.
- Routing Issues for Return Path: DNS may work, but the actual web traffic may take a different path that is blocked or misrouted.
- DNS Response Tampering: The DNS server may return an incorrect IP due to cache poisoning or misconfiguration.
- SSL/TLS Issues: If it’s HTTPS, SSL inspection or certificate errors may prevent access.
- MTU/Fragmentation Problems: ICMP echo packets are small, but web traffic can be large. Path MTU discovery issues could break HTTP traffic.
Q4: If a particular site is not reachable for a group of users, what troubleshooting steps will you take?
Troubleshooting must be structured and layered:
- Verify Connectivity: Can users ping the gateway? Can they ping the site’s IP directly? If yes, DNS is the issue.
- Check DNS Resolution: Use `nslookup` or `dig` to confirm domain resolution.
- Check Proxy/Firewall Policies: See if URL filtering, security policies, or group-based rules are blocking access for this group.
- Trace the Path: Use `traceroute` to identify where the traffic stops.
- Check Logs: Review firewall, proxy, and DNS logs to correlate events.
- Policy/ACL Review: Ensure that specific VLANs or subnets used by that user group are not blocked by mistake.
- Test with Another Group: If other groups can access, it’s a policy misconfiguration. If no one can access, it’s a global issue.
- ISP Issues: If external routing fails, check upstream ISP reachability.
Q5: If a user wants to block the entire YouTube platform but allow only educational videos, how can you achieve this requirement?
This is a real-world security use case. A normal firewall URL block won’t work, because YouTube uses HTTPS and all content comes from the same domain. Possible solutions:
- SSL Decryption (Deep Packet Inspection): The firewall must decrypt HTTPS traffic to inspect the actual URL (the video ID or category). Without SSL decryption, you only see `youtube.com`, not the specific content.
- Application Control & Categorization: Many NGFWs (like Palo Alto, FortiGate, Check Point) can classify YouTube traffic into categories like “Education” or “Entertainment.” Policies can then allow “YouTube-Education” while blocking others.
- Google Workspace Integration: If the organization uses Google Workspace, admin controls allow restricting YouTube to “restricted mode,” which automatically filters out non-educational content.
- Custom Filtering with Regex/Tags: Some solutions allow regex filtering on video URLs or categories.
Q6: What is the difference between on-premises proxy and hybrid proxy deployment?
- On-Premises Proxy: The proxy server is deployed within the organization’s data center or branch. All user traffic is routed through it. It gives complete control, but requires hardware, management, and capacity planning. Works well for internal users, but remote users need VPNs to send traffic through it.
- Hybrid Proxy: This is a modern model combining on-premises proxies with cloud-based proxies. Branch/remote user traffic can be forwarded to the nearest cloud proxy, while sensitive workloads still use the local proxy. It reduces latency for remote workers, simplifies scaling, and supports cloud adoption. Examples include Zscaler, Cisco Umbrella, or Check Point Harmony.
Q7: How do you filter traffic for a particular URL in Wireshark?
In Wireshark, you can filter traffic based on hostnames, HTTP headers, or TLS SNI fields.
- HTTP Traffic: Use the filter `http.host == "example.com"` to capture only packets going to that host.
- HTTPS Traffic: Since HTTPS is encrypted, you can filter on the TLS SNI field: `tls.handshake.extensions_server_name == "example.com"`.
- IP-based Filtering: If you know the resolved IP, use `ip.addr == x.x.x.x`.
- Combination Filters: For example, `(http.host contains "youtube.com") && (ip.src == 10.1.1.50)` will filter YouTube traffic from a specific client.
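Why the SNI filter works on encrypted HTTPS: the server name travels in cleartext inside the ClientHello. The following added example (not part of the original article, and not Wireshark’s own code) constructs a minimal ClientHello and extracts the same field that `tls.handshake.extensions_server_name` matches on; the random bytes and cipher suite are constructed sample values.

```python
"""Added example (not from the original article): build a minimal TLS ClientHello
with an SNI extension and pull the server_name out of it, mirroring what the
Wireshark filter tls.handshake.extensions_server_name compares against."""
import struct

SNI_EXT = 0x0000  # server_name extension type (RFC 6066)

def build_client_hello(host: str) -> bytes:
    """Construct a TLS 1.2-style ClientHello record for `host` (sample data)."""
    name = host.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name      # name_type 0 = host_name
    sni_data = struct.pack("!H", len(sni_entry)) + sni_entry       # server_name_list
    ext = struct.pack("!HH", SNI_EXT, len(sni_data)) + sni_data
    body = (b"\x03\x03" + b"\x00" * 32           # client_version + random (zeros, constructed)
            + b"\x00"                             # session_id length 0
            + struct.pack("!H", 2) + b"\x13\x01"  # one cipher suite
            + b"\x01\x00"                         # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body      # type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the host_name from the SNI extension, or None if this record is not a
    ClientHello or carries no SNI (the filter would simply not match)."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                    # record hdr + hs hdr + version + random
    p += 1 + record[p]                                # session_id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]  # cipher_suites
    p += 1 + record[p]                                # compression_methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == SNI_EXT:
            q = p + 2                                  # skip server_name_list length
            if record[q] == 0:                         # host_name entry
                nlen = struct.unpack("!H", record[q + 1:q + 3])[0]
                return record[q + 3:q + 3 + nlen].decode()
        p += elen
    return None

def matches_sni_filter(record: bytes, host: str) -> bool:
    """Equivalent of the display filter: tls.handshake.extensions_server_name == "<host>" """
    return extract_sni(record) == host
```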