The networking an ops interview probes: the model (OSI/TCP-IP), addressing (IP/CIDR), transport (TCP vs UDP), name resolution (DNS), the web stack (HTTP/TLS), NAT/ports/load balancing, and the tools to test each hop. Follow the packet; test each layer in turn.
1. OSI / TCP-IP model
| Layer | Unit | Examples / addressing |
|---|---|---|
| L7 Application | data | HTTP, DNS, SSH, gRPC, TLS |
| L4 Transport | segment | TCP, UDP — ports |
| L3 Network | packet | IP, ICMP — IP addresses, routing |
| L2 Data link | frame | Ethernet, ARP, VLAN — MAC |
| L1 Physical | bits | cables, radio |
"L4 vs L7 load balancer": L4 routes by IP/port (fast, protocol-agnostic); L7 routes by HTTP content (host/path/headers, TLS termination, smart). ARP maps IP → MAC within a subnet.
2. IP addressing, subnets & CIDR
# CIDR /N = N network bits. Usable hosts = 2^(32-N) - 2
10.0.0.0/24 -> 256 addrs, 254 usable (.1–.254 ; .0 net, .255 bcast)
10.0.0.0/16 -> 65,536 ; /25 -> 128 ; /30 -> 4 (2 usable, point-to-point)
# private ranges (RFC1918): 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16
# CGNAT 100.64.0.0/10 ; loopback 127.0.0.0/8 ; link-local 169.254.0.0/16
- Network address (all host bits 0) + broadcast (all 1) aren't usable.
- Gateway = the router for off-subnet traffic (often .1).
- Smaller prefix number = bigger network. Subnetting splits a block into smaller ones.
- IPv6: 128-bit, hex, no NAT needed; ::1 loopback, /64 typical subnet.
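The prefix arithmetic above, carried out by hand as an added example (not part of the cheat sheet): mask, network, broadcast and usable-host count from a CIDR string, plus the RFC1918 membership test. It also covers the /31 and /32 edge cases the "2^(32-N) - 2" rule does not: a /31 (RFC 3021) uses both addresses on a point-to-point link and a /32 is a single host.

```python
# Added example: CIDR arithmetic without the ipaddress module, so each step is visible.

def ip_to_int(ip: str) -> int:
    """Dotted-quad IPv4 string -> 32-bit integer."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"bad IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]

def int_to_ip(n: int) -> str:
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))

def cidr_info(cidr: str) -> dict:
    """Mask, network, broadcast, address count and usable hosts for a CIDR block."""
    addr, prefix_s = cidr.split("/")
    prefix = int(prefix_s)
    if not 0 <= prefix <= 32:
        raise ValueError(f"bad prefix length: {prefix}")
    mask = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF   # N leading one-bits
    network = ip_to_int(addr) & mask                    # host bits cleared
    broadcast = network | (~mask & 0xFFFFFFFF)          # host bits set
    total = 1 << (32 - prefix)
    # The "-2" rule holds for /30 and larger. A /31 (RFC 3021 point-to-point)
    # has no network/broadcast address, and a /32 is a single host route.
    usable = total if prefix >= 31 else total - 2
    first = network if prefix >= 31 else network + 1
    last = broadcast if prefix >= 31 else broadcast - 1
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "total": total,
        "usable": usable,
        "first_host": int_to_ip(first),
        "last_host": int_to_ip(last),
    }

def in_block(ip: str, cidr: str) -> bool:
    """True if ip falls inside the CIDR block (same network after masking)."""
    info = cidr_info(cidr)
    return (ip_to_int(ip) & ip_to_int(info["mask"])) == ip_to_int(info["network"])

PRIVATE_RANGES = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")  # RFC1918

def is_rfc1918(ip: str) -> bool:
    """Private address per RFC1918 (CGNAT 100.64.0.0/10 is deliberately not included)."""
    return any(in_block(ip, r) for r in PRIVATE_RANGES)
```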
/24 = 254 usable: 256 addresses minus network + broadcast = 254 hosts. A /30 gives 2 usable — classic point-to-point link. Know how to count hosts from a prefix.
3. TCP vs UDP
| TCP | UDP |
|---|---|
| Connection-oriented, reliable, ordered | Connectionless, best-effort |
| 3-way handshake, flow + congestion control, retransmit | No handshake, no retransmit — just send |
| HTTP, SSH, DB, SMTP | DNS, DHCP, NTP, VoIP, QUIC/HTTP3 base |
Handshake: client SYN → server SYN-ACK → client ACK. Close: FIN/ACK both ways (then TIME_WAIT). A RST is an abrupt reset (port closed / forced close).
4. DNS
| Record | Maps |
|---|---|
| A / AAAA | name → IPv4 / IPv6 |
| CNAME | name → another name (alias; not at zone apex) |
| MX | mail servers (with priority) |
| TXT | arbitrary text — SPF, DKIM, domain verification |
| NS / SOA | authoritative nameservers / zone metadata |
| PTR | reverse: IP → name |
| SRV | service location (host + port) |
Resolution: stub resolver → recursive resolver → root → TLD (.com) → authoritative. TTL controls caching duration.
5. HTTP, HTTPS & TLS
- Methods: GET (read, idempotent), POST (create), PUT (replace), PATCH (partial), DELETE, HEAD, OPTIONS.
- Status: 2xx ok, 3xx redirect, 4xx client error (400/401/403/404/429), 5xx server (500/502/503/504).
- Headers: Host, Authorization, Content-Type, Cache-Control, Cookie, X-Forwarded-For.
- HTTPS = HTTP over TLS. TLS handshake: negotiate version/cipher → server sends cert chain → client verifies to a trusted CA + SNI hostname → key exchange → encrypted.
- Versions: HTTP/1.1 (keepalive, head-of-line blocking) → HTTP/2 (multiplexed over one TCP conn) → HTTP/3 (QUIC over UDP).
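The "SAN matches the hostname" step of the TLS handshake above, written out as an added example (not from the cheat sheet) so the matching rule is visible. Real clients (browsers, OpenSSL, Python's ssl module with check_hostname=True) do this for you; the SAN list below is a constructed sample, not a real certificate. The rules follow RFC 6125: compare case-insensitively against subjectAltName dNSName entries only (Common Name is legacy), honour a wildcard only as the whole left-most label covering exactly one label, and match an IP literal only against an iPAddress SAN.

```python
import ipaddress

def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False

def _dns_name_match(pattern: str, hostname: str) -> bool:
    """One SAN dNSName entry against one hostname, RFC 6125 style."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole left-most label, no other label may contain "*",
    # and at least two labels must follow it (so "*.com" is rejected).
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in l for l in p_labels[1:]):
        return False
    # "*" stands for exactly one label: "*.example.com" covers api.example.com,
    # but neither example.com nor a.b.example.com.
    return len(h_labels) == len(p_labels) and h_labels[1:] == p_labels[1:]

def hostname_matches_cert(hostname: str, san_dns: list, san_ip: list = ()) -> bool:
    """True if the name the client connected to (and sent via SNI) is covered by the SAN list."""
    if "*" in hostname:
        return False                      # a client never connects to a wildcard name
    if _is_ip_literal(hostname):
        # An IP literal only matches an iPAddress SAN, never a dNSName entry.
        target = ipaddress.ip_address(hostname)
        return any(ipaddress.ip_address(ip) == target for ip in san_ip)
    return any(_dns_name_match(p, hostname) for p in san_dns)

# Constructed sample SAN list (an imaginary certificate, not a real one).
SAMPLE_SAN_DNS = ["example.com", "*.example.com"]
SAMPLE_SAN_IP = ["203.0.113.10"]
```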
6. NAT, ports & firewalls
- NAT — many private IPs share a public IP (home router; cloud NAT gateway for private subnets' egress). SNAT (source) / DNAT (destination/port-forward).
- Ports — 0–65535. Well-known: 22 SSH, 25 SMTP, 53 DNS, 80 HTTP, 443 HTTPS, 3306 MySQL, 5432 Postgres, 6379 Redis, 3389 RDP. Ephemeral 32768–60999.
- Firewall — stateful (tracks connections, return traffic auto-allowed) vs stateless (must allow both directions, e.g. AWS NACL).
7. Load balancing & proxies
- Algorithms: round-robin, least-connections, IP/consistent hash, weighted.
- Health checks remove unhealthy backends from rotation.
- L4 LB (NLB) = TCP/UDP pass-through; L7 LB (ALB/nginx) = HTTP-aware routing + TLS termination.
- Forward proxy (client-side egress) vs reverse proxy (in front of servers: nginx, Envoy).
- Sticky sessions pin a client to one backend (cookie/IP) when state isn't shared.
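The "IP/consistent hash" algorithm from the list above, as an added example (not from the cheat sheet): a hash ring with virtual nodes, then a health check pulling one of four backends to show that only that backend's clients move, while a naive hash-modulo scheme reshuffles most of them. Backend names and client keys are constructed; hashing by client IP this way is one way to get sticky sessions without shared state.

```python
import bisect
import hashlib

class HashRing:
    """Consistent-hash ring: each backend owns `replicas` points (virtual nodes)."""
    def __init__(self, backends, replicas: int = 100):
        self.replicas = replicas
        self._ring = []          # sorted list of (point, backend)
        self._points = []        # the same points alone, kept parallel for bisect
        for b in backends:
            self.add(b)

    @staticmethod
    def _hash(key: str) -> int:
        # sha256 only for an even spread over the ring; no security property is relied on
        return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")

    def add(self, backend: str) -> None:
        for i in range(self.replicas):
            p = self._hash(f"{backend}#{i}")
            idx = bisect.bisect(self._points, p)
            self._points.insert(idx, p)
            self._ring.insert(idx, (p, backend))

    def remove(self, backend: str) -> None:
        self._ring = [(p, b) for p, b in self._ring if b != backend]
        self._points = [p for p, _ in self._ring]

    def pick(self, key: str) -> str:
        """First point clockwise from hash(key), wrapping around the ring."""
        if not self._ring:
            raise LookupError("no healthy backends")
        return self._ring[bisect.bisect(self._points, self._hash(key)) % len(self._ring)][1]

def demo_remap(n_keys: int = 2000) -> dict:
    """Pull one of four backends (failed health check) and measure how many clients move."""
    backends = ["web-a", "web-b", "web-c", "web-d"]
    keys = [f"198.51.100.{i % 256}:{40000 + i}" for i in range(n_keys)]  # constructed client ip:port
    ring = HashRing(backends)
    before = {k: ring.pick(k) for k in keys}
    ring.remove("web-c")
    after = {k: ring.pick(k) for k in keys}
    moved = [k for k in keys if before[k] != after[k]]
    # Naive alternative: hash(key) % len(backends) reshuffles most clients when N changes.
    naive_before = {k: backends[HashRing._hash(k) % 4] for k in keys}
    remaining = [b for b in backends if b != "web-c"]
    naive_after = {k: remaining[HashRing._hash(k) % 3] for k in keys}
    return {
        "consistent_moved": len(moved) / n_keys,                       # about 1/4
        "only_keys_from_removed_backend": all(before[k] == "web-c" for k in moved),
        "modulo_moved": sum(naive_before[k] != naive_after[k] for k in keys) / n_keys,  # about 3/4
    }
```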
8. Diagnostic tools (follow the packet)
ping host # reachable + RTT (ICMP)
traceroute host / mtr # path + where it dies
dig name ; dig +short ; dig @8.8.8.8 name # DNS (bypass local resolver)
curl -v https://host # full HTTP/TLS exchange, status, timing
curl -w '%{time_total}\n' -o /dev/null -s url # timing
nc -vz host port # port open? refused vs timeout
ss -tunap # sockets/listeners + pid
ip a ; ip route ; arp -n # interfaces, routes, ARP table
openssl s_client -connect host:443 -servername host # inspect TLS
tcpdump -ni any port 443 # packet capture (last resort)
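The refused-vs-timeout distinction that nc -vz gives, as an added example (not from the cheat sheet) in scriptable form: a probe that classifies the connect outcome so a runbook can branch on it. The demo opens a throwaway listener on loopback and probes it before and after closing; the host names and ports are constructed.

```python
import socket

def probe_tcp(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify a TCP connect attempt the way an on-call engineer reads nc -vz.

    "open"        handshake completed: something is listening
    "refused"     host answered with RST: reachable, but nothing listening on that port
    "timeout"     SYN got no answer: dropped by a firewall, bad route, or wrong IP
    "unreachable" the local stack or a router reported no route / host unreachable
    "dns-failure" the name did not resolve: fix DNS before blaming the port
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:            # alias of TimeoutError on Python 3.10+
        return "timeout"
    except socket.gaierror:
        return "dns-failure"
    except OSError:                   # ENETUNREACH / EHOSTUNREACH and friends
        return "unreachable"

def demo_local() -> dict:
    """Constructed demo: probe a loopback listener while it is up and after it closes."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))        # port 0 = let the OS pick an ephemeral port
    srv.listen(1)
    port = srv.getsockname()[1]
    while_listening = probe_tcp("127.0.0.1", port)
    srv.close()
    after_close = probe_tcp("127.0.0.1", port)   # now the kernel answers with RST
    return {"port": port, "while_listening": while_listening, "after_close": after_close}

if __name__ == "__main__":
    print(demo_local())
```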
9. "What happens when you type a URL?"
- DNS resolve the hostname → IP (cache → resolver → authoritative).
- TCP connect to IP:443 (3-way handshake).
- TLS handshake — cert verified, keys exchanged.
- HTTP request sent; server (often via LB/reverse proxy) responds.
- Browser renders; follows redirects, loads sub-resources (HTTP/2 multiplexed).
Each step is a debug point — a failure at any one explains "the site is down".
10. Rapid-fire interview Q&A
- TCP vs UDP? TCP = reliable, ordered, connection + handshake + congestion control. UDP = fast, connectionless, best-effort. DNS/VoIP/streaming use UDP.
- The 3-way handshake? SYN → SYN-ACK → ACK to establish a TCP connection.
- Usable hosts in a /24? a /30? 254 (256 − net − broadcast); /30 = 2 (point-to-point).
- L4 vs L7 load balancer? L4 routes by IP/port; L7 routes by HTTP content (host/path/headers) and can terminate TLS.
- A vs CNAME? A → IP; CNAME → another name. Can't CNAME the zone apex.
- What does NAT do? Maps private IPs to a public IP so many hosts share one address; cloud NAT gateways give private subnets outbound internet.
- refused vs timeout? Refused = host reachable, nothing listening (RST). Timeout = packets dropped (firewall/route/wrong IP).
- What happens when you type a URL? DNS → TCP → TLS → HTTP request → response → render. Each hop a debug point.
- HTTP/2 vs HTTP/1.1? HTTP/2 multiplexes many requests over one TCP connection (no head-of-line blocking at app layer), binary framing, header compression.
- Stateful vs stateless firewall? Stateful tracks connections (return traffic auto-allowed). Stateless evaluates each packet — must allow both directions (e.g. AWS NACL).
- What's an ephemeral port? A temporary high-numbered source port (~32768–60999) the OS assigns for an outbound connection.
- How does TLS verify identity? Server presents a cert chain; client checks it chains to a trusted CA, isn't expired, and the SAN matches the hostname (with SNI).