Network Devices N10-009

Slide 1 of 10  |  N10-009 Obj 1.2  |  Network Devices
Network Devices:
Right Tool, Right Layer, Right Position
Every device in a network has a specific job defined by its OSI layer. Pick the wrong one and the design fails.
You are designing a network from scratch. For each position in the topology you need to pick the right device. Router? Switch? Firewall? WAP? Each has a specific function and a specific OSI layer. Let's map every device to its role.
Slide 2 of 10
Switches — Layer 2 MAC-Based Forwarding
A switch learns which MAC address is reachable out of which port, then makes forwarding decisions per frame.
Unmanaged Switch L2
Plug-and-play. No configuration interface. Learns MACs automatically via the CAM table. Used in small offices and home networks.
No VLANs, no QoS, no management port. If anything goes wrong, your only option is to replace it.
Managed Switch L2
Full configuration via CLI or GUI. Supports VLANs, STP, port security, SNMP monitoring, QoS, and port mirroring.
Every enterprise switch is managed. You cannot run a production network without visibility into your Layer 2 infrastructure.
Layer 3 Switch L2/L3
Performs both MAC-based switching (L2) and IP-based routing (L3) in hardware. Used at the distribution layer for inter-VLAN routing.
Faster than routing through a router for east-west traffic between VLANs. Does not replace a router for WAN connectivity.
How MAC learning works: When a frame arrives, the switch records the source MAC and the port it arrived on in the CAM table. When a frame arrives destined for a known MAC, it forwards out that specific port only. Unknown destinations are flooded to all ports. This is why switches are more efficient than hubs — traffic is isolated, not shared.
The design: managed switches at the access layer (one per floor), a Layer 3 switch at the distribution layer for inter-VLAN routing between the finance, engineering, and guest VLANs.
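The learning and forwarding behaviour described above, simulated as an added example (not part of the slides): a switch keeps a CAM table keyed by MAC, floods only unknown and broadcast destinations, and a hub, for contrast, floods everything. Port numbers and MAC addresses are constructed.

```python
"""Switch CAM-table learning vs. hub repeating (constructed simulation)."""
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    """Layer 2 switch: learns source MACs, forwards per frame."""
    ports: int
    cam: dict = field(default_factory=dict)  # MAC address -> port

    def handle_frame(self, in_port: int, src: str, dst: str) -> list[int]:
        """Learn the source, then return the egress port list for the frame."""
        # Learn: the source MAC is reachable via in_port. A MAC that shows up
        # on a different port later simply overwrites the old entry.
        self.cam[src] = in_port
        all_others = [p for p in range(self.ports) if p != in_port]
        # Broadcasts and unknown unicast destinations are flooded to every
        # port except the one the frame arrived on.
        if dst == BROADCAST or dst not in self.cam:
            return all_others
        out_port = self.cam[dst]
        # Destination lives on the ingress port: the frame is filtered (dropped),
        # because the receiver already saw it on that segment.
        return [] if out_port == in_port else [out_port]


@dataclass
class Hub:
    """Layer 1 repeater: no table, every frame leaves every other port."""
    ports: int

    def handle_frame(self, in_port: int, src: str, dst: str) -> list[int]:
        return [p for p in range(self.ports) if p != in_port]


def demo() -> list[tuple[str, list[int]]]:
    """Trace a short exchange between host A (port 0) and host B (port 2)."""
    sw = Switch(ports=4)
    a, b = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
    return [
        ("A->B, B unknown: flooded", sw.handle_frame(0, a, b)),
        ("B->A, A learned: unicast", sw.handle_frame(2, b, a)),
        ("A->B, B learned: unicast", sw.handle_frame(0, a, b)),
        ("A broadcast: flooded", sw.handle_frame(0, a, BROADCAST)),
    ]
```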
Slide 3 of 10
Hubs vs Switches — Why Hubs Are Dead
Understanding why hubs failed explains exactly what switches were designed to solve.
Hub — Layer 1, Physical Repeater
Repeats every signal out every port simultaneously.
All ports share a single collision domain. Two devices transmitting simultaneously = collision. Both must back off and retry (CSMA/CD).
All ports share a single broadcast domain.
10 devices on a hub share the total bandwidth — 10 Mbps hub means 1 Mbps per device under load.
Every device can see every other device's traffic — a passive wiretap.
Half-duplex only — cannot send and receive simultaneously.
Switch — Layer 2, Intelligent Forwarding
Forwards frames only to the specific destination port based on the MAC table.
Each port is its own collision domain. Full-duplex — no collisions.
Still one broadcast domain per VLAN (VLANs segment this further).
Each port gets dedicated bandwidth — 1 Gbps switch gives each device 1 Gbps.
Traffic is isolated — a device only sees frames addressed to it (or broadcasts).
Full-duplex on every port simultaneously.
When would you see a hub on the exam? Network tap scenarios and packet capture questions. An attacker connecting to a hub-based segment can see all traffic — this is historically why switched networks and port security exist. Hubs also appear in questions about CSMA/CD, collision domains, and half-duplex.
Slide 4 of 10
Routers — Layer 3 IP-Based Forwarding
A router connects different networks. It makes forwarding decisions based on IP destination address and the routing table.
Routing Table L3
The router's decision engine. Each entry: destination network, subnet mask, next-hop IP or exit interface, and metric (cost). Longest prefix match wins.
Populated by static routes, directly connected routes, or dynamic routing protocols (OSPF, EIGRP, BGP).
Broadcast Domain Segmentation L3
Routers do not forward broadcast traffic by default. Every routed interface is a separate broadcast domain. This is how the network scales — broadcasts stay contained.
Switches forward broadcasts to all ports in a VLAN. Routers stop them at the boundary.
WAN / Internet Gateway L3
The router connects your internal network to the ISP. Typically performs NAT (Network Address Translation) to map private internal addresses to a public IP.
In small offices the router and the firewall are often the same device. In enterprise they are always separate.
Switch vs Router — the critical distinction: A switch forwards based on Layer 2 MAC addresses within a network. A router forwards based on Layer 3 IP addresses between networks. Both are necessary — switches for local delivery, routers for cross-network delivery.
The design needs one router at the edge connecting to the ISP. Inter-VLAN traffic stays on the Layer 3 switch (faster, keeps traffic local). Only traffic destined for the Internet or remote sites hits the router.
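Longest prefix match from the routing-table slide, carried out as an added example (not the slide's own material) from the edge router's point of view in the design above: a default route to the ISP, a summary route for the VLANs via the Layer 3 switch, a more specific route for one subnet, and two directly connected networks. All addresses and next hops are constructed.

```python
"""Longest-prefix-match lookup over a constructed edge-router routing table."""
from ipaddress import ip_address, ip_network

# Each entry: (destination network, next hop or exit interface, metric).
ROUTES = [
    (ip_network("0.0.0.0/0"), "203.0.113.1 (ISP)", 1),          # default route
    (ip_network("10.10.0.0/16"), "10.255.0.2 (L3 switch)", 10),  # summary of all VLANs
    (ip_network("10.10.99.0/24"), "10.255.0.6 (branch)", 20),    # more specific subnet
    (ip_network("10.255.0.0/30"), "Gi0/0", 0),                   # directly connected
    (ip_network("203.0.113.128/25"), "Gi0/2 (DMZ)", 0),          # directly connected
]


def lookup(dst: str, routes=ROUTES):
    """Return (network, next_hop) of the best route for dst, or None.

    Longest prefix match: of all entries whose network contains dst, the one
    with the largest prefix length wins. Metric is only consulted to break a
    tie between equal-length prefixes (lower is better).
    """
    addr = ip_address(dst)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None  # nothing matches and no default route: packet is dropped
    longest = max(r[0].prefixlen for r in candidates)
    best = min((r for r in candidates if r[0].prefixlen == longest),
               key=lambda r: r[2])
    return str(best[0]), best[1]
```

With the default route removed (`routes=ROUTES[1:]`) an Internet destination has no match at all, which is the "no route to host" case rather than a forwarding decision.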
Slide 5 of 10
Firewalls — Stateful Inspection, NGFW, UTM
A firewall enforces policy on traffic crossing a network boundary. The generation determines how deeply it inspects.
Packet Filter (Legacy) L3/L4
Examines each packet in isolation: source/destination IP, source/destination port, protocol. Stateless — does not track connections.
Cannot distinguish a legitimate TCP response from an unsolicited inbound packet. ACL-based routers behave this way.
Stateful Firewall L3/L4
Tracks the state of TCP/UDP connections in a state table. Knows whether a packet is part of an established session or an unexpected inbound attempt. The standard for decades.
Allows return traffic automatically without explicit permit rules. Does not inspect application-layer content.
NGFW / UTM L7
Next-Generation Firewall: adds deep packet inspection (DPI), application awareness, IPS, TLS inspection, and user identity awareness.
UTM (Unified Threat Management) bundles firewall + IPS + antivirus + web filtering + VPN in one appliance. Common in mid-market. NGFW is the enterprise term.
Host-Based Firewall Software
Runs on the endpoint (Windows Firewall, iptables). Protects the individual host. Does not protect the network — but adds a layer inside the perimeter. Defense in depth.
DMZ Architecture Design
Demilitarized zone — a third firewall interface segment for public-facing servers (web, email, DNS). Traffic from the Internet reaches the DMZ but cannot directly reach the internal LAN. Two firewalls create a true DMZ.
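The packet-filter and stateful-firewall sections above, illustrated as an added example (not from the slides): the same "inside may initiate, outside may not" policy applied once without connection tracking and once with a state table. The addresses, ports and packet sequence are constructed.

```python
"""Stateless packet filter vs. stateful inspection on one constructed traffic sample."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    flags: str       # "SYN", "SYN-ACK", "ACK", ...
    direction: str   # "out" = LAN to Internet, "in" = Internet to LAN


def stateless_filter(pkt: Packet) -> bool:
    """Judges each packet alone. To admit replies to internal clients it must
    permit inbound packets to high (ephemeral) ports, and that same rule admits
    any unsolicited inbound packet aimed at a high port."""
    if pkt.direction == "out":
        return True
    return pkt.dst_port >= 1024   # a guess at "reply traffic", not a real check


class StatefulFirewall:
    """Tracks sessions opened from inside; admits inbound only as their reverse."""

    def __init__(self) -> None:
        self.state = set()   # (client_ip, client_port, server_ip, server_port)

    def inspect(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.flags == "SYN":   # new session initiated from inside
                self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port))
            return True
        # Inbound is permitted only if it matches a tracked session in reverse.
        return (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port) in self.state


def compare(packets: list[Packet]) -> list[tuple[bool, bool]]:
    """Return (stateless_decision, stateful_decision) for each packet in order."""
    fw = StatefulFirewall()
    return [(stateless_filter(p), fw.inspect(p)) for p in packets]


# Constructed sample: a client opens HTTPS, the reply comes back, then two
# unsolicited inbound connection attempts arrive (one high port, one low).
SAMPLE = [
    Packet("192.168.1.10", 51000, "198.51.100.20", 443, "SYN", "out"),
    Packet("198.51.100.20", 443, "192.168.1.10", 51000, "SYN-ACK", "in"),
    Packet("203.0.113.77", 40000, "192.168.1.10", 3389, "SYN", "in"),
    Packet("203.0.113.77", 40001, "192.168.1.10", 80, "SYN", "in"),
]
```

Running `compare(SAMPLE)` shows the gap the slide describes: the stateless filter passes the unsolicited packet to port 3389 because it cannot tell a reply from a new inbound attempt, while the stateful engine passes only the tracked reply.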
Slide 6 of 10
Wireless Access Points — Autonomous vs Controller-Based
A WAP bridges wireless clients onto the wired network. The management architecture determines how you deploy and maintain them.
Autonomous (Fat) AP
All configuration lives on the AP itself.
Each AP managed individually via web GUI or CLI. Fine for 1-5 APs.
Changing the SSID or security policy across 50 APs requires 50 separate logins.
No centralized roaming — client roams by dropping one AP and associating with another. Noticeable disruption for voice calls.
Typical in small offices and home environments.
Controller-Based (Thin) AP
AP (thin AP or LAP) has minimal local config — most processing happens on the Wireless LAN Controller (WLC).
Single pane of glass management for all APs. Push one policy change to every AP simultaneously.
Seamless roaming — the WLC manages client handoff between APs without reassociation. Required for voice and video.
Centralized RF management, rogue AP detection, and band steering.
Standard for enterprise deployments. WLC can be physical appliance or cloud-managed (Meraki, Aruba Central).
The design: Controller-based APs (Cisco or Aruba) with a WLC — 40+ APs in the new office cannot be managed individually. Cloud-managed is acceptable if on-premise IT staffing is limited. Autonomous APs only for the server room console access point (one AP, no roaming requirement).
Slide 7 of 10
IDS/IPS, Proxy Servers, and Load Balancers
Three devices that sit in-line or adjacent to traffic flows and add inspection, filtering, or distribution capability.
IDS — Intrusion Detection L3-L7
Passive. Receives a copy of traffic (via SPAN/TAP). Analyzes it against signature rules and behavioral baselines. Generates alerts. Takes no blocking action.
Advantage: zero impact on traffic if the IDS fails. Disadvantage: by the time an alert fires, the traffic has already been delivered.
IPS — Intrusion Prevention L3-L7
Inline. All traffic flows through the IPS. Can drop, block, or reset connections in real time. Same detection capabilities as IDS but with enforcement authority.
Risk: false positives can block legitimate traffic. A failed IPS can take down the network — most support a fail-open or fail-closed bypass mode.
Proxy Server L7
Acts as an intermediary for client requests. Forward proxy: sits between internal clients and the Internet — caches content, enforces web filtering policy. Reverse proxy: sits in front of servers — load balances, terminates TLS, hides server identity.
Transparent proxy: clients are unaware. Explicit proxy: clients are configured to use it (browser proxy settings).
Load Balancer L4 / L7
Distributes incoming connections across a pool of servers. Layer 4 (TCP/IP) for raw throughput distribution. Layer 7 (HTTP) for content-aware routing — send API requests to one pool, web requests to another. Also provides health monitoring and automatic failover.
VPN Concentrator L3
Terminates a large number of VPN tunnels from remote users or branch offices. Handles crypto offload at scale — a router can terminate a few VPNs, a concentrator terminates thousands. Supports IPsec, SSL/TLS VPN, split tunneling.
Slide 8 of 10
Modems, Media Converters, and Edge Devices
The devices where your internal network hands off to something external — a different medium or a different carrier.
Modem L1/L2
Modulates and demodulates signals between digital data and the analog or frequency-division format used on cable, DSL, or fiber ISP lines. Converts between mediums at the carrier boundary.
Cable modem (DOCSIS): coax to Ethernet. DSL modem: telephone pair to Ethernet. ONT (Optical Network Terminal): fiber ISP to Ethernet. The ISP owns the modem/ONT in most deployments.
Media Converter L1
Converts between two different physical media types at Layer 1 — typically copper Ethernet to fiber. No MAC address, no routing decision. Pure signal conversion. Used when you need to extend a run beyond copper's 100m limit using existing fiber.
Example: 1000BASE-T copper (RJ45) to 1000BASE-SX fiber (LC). Runs in both directions simultaneously.
Wireless Range Extender L2
Receives the existing Wi-Fi signal and rebroadcasts it. Extends coverage without a new wired connection. Cuts effective bandwidth roughly in half — it both receives and transmits on the same channel.
Not a replacement for proper AP placement with a wired backhaul. A legitimate second WAP on a wired drop is always the better solution.
CSU/DSU L1
Channel Service Unit / Data Service Unit. Terminates a WAN line (T1, T3) at the customer premises. Converts between the WAN signal and the serial interface on the router. Legacy WAN — still tested on N10-009 for historical context.
Patch Panel L1 (passive)
A passive cross-connect panel in the IDF/MDF. Horizontal runs terminate on the back. Patch cables on the front connect to switch ports. Provides a clean, organized, change-friendly interface between permanent cable runs and active equipment.
Slide 9 of 10
Device Placement — Where Each Device Lives
Every device has a position in the topology that reflects its OSI layer and its traffic function.
Access Layer
Where end devices connect. Managed Layer 2 switches, wireless APs (wired to switch). PoE delivered here. Port security enforced here. VLANs defined here.
Distribution Layer
Aggregates access layer switches. Layer 3 switch for inter-VLAN routing. Implements routing policy and QoS. Redundant uplinks to the core.
Core Layer
High-speed backbone. No packet filtering, no complex policy — just fast forwarding. Layer 3 switches or routers optimized for throughput. Redundant links only.
Edge / Perimeter
Where the internal network meets the Internet. Firewall (NGFW), WAN router, VPN concentrator, IPS, and DMZ reside here. Everything from the Internet must pass through this zone.
DMZ
A third firewall interface segment. Public-facing servers (web, email, DNS) live here. Reachable from the Internet, isolated from the internal LAN. Compromise of a DMZ server does not grant LAN access.
Out-of-Band Management
Dedicated management network physically separate from production traffic. Console servers, IPMI/iDRAC, and management switch ports. When the production network fails, OOB lets you still reach every device.
The completed design: access-layer managed switches (PoE+) feeding a distribution-layer L3 switch, feeding a core router at the edge. NGFW between the core and Internet. WAPs at access layer, IPS inline at the edge, VPN concentrator in the DMZ alongside the public web server.
Slide 10 of 10  |  N10-009 Obj 1.2
You Can Place Every Device Correctly
The design spec: access-layer managed switches (Layer 2) for end devices, a Layer 3 distribution switch for inter-VLAN routing, an edge router for WAN connectivity, an NGFW at the perimeter, controller-based WAPs with a WLC, IPS inline at the edge, a load balancer in front of the web server pool, and a VPN concentrator in the DMZ. Every device maps to an OSI layer and a position in the topology. No device is placed by intuition — each one has a justifiable function.
1 Switch = Layer 2, MAC-based forwarding. Router = Layer 3, IP-based forwarding. These two are never interchangeable.
2 Hubs are dead because they create a single collision domain and broadcast all traffic to every port — no isolation, no security.
3 Stateful firewall tracks TCP session state. NGFW adds deep packet inspection and application-layer awareness.
4 IDS = passive monitoring (alerts only). IPS = inline enforcement (blocks in real time). Failure modes differ — plan accordingly.
5 Controller-based WAPs (thin APs + WLC) are required at enterprise scale. Autonomous APs cannot support seamless roaming.
6 Access = L2 switches. Distribution = L3 switches. Core = high-speed backbone. Edge = firewall + router.