Network Components - Routers, Switches, and Firewalls

Back

Welcome to the CCNA course! In this section we'll go over network components; routers switches and firewalls.

Before we really dive into the network components themselves, it helps to go over some network fundamentals so we can keep our conversation more fluid and have some shared definitions while we describe how the components interact with network traffic.

OSI model layers

In case you're not familiar with it, let's go over the OSI model. Now back in the day when TCP/IP was just in its infancy, we also had another competing protocol stack that was the OSI protocol stack. OSI has its own addressing scheme (NSAP/ISO), just like TCP/IP has IP addresses. A communication functional model was created, the OSI model.

The bottom layer is layer 1, with the top as layer 7. We as network engineers really only care about the first 4 layers. Many engineers will reference anything above layer 4 as "layer 7". Now when you're talking with your colleagues and troubleshooting issue it really helps to conceptualize your problems in terms of the OSI layers.

You and your buddy are troubleshooting and you think "it's a layer 1 issue", well then we're looking at a physical cabling issue. This would likely be that you do not have connectivity across a link. Talking about a layer 2 issue you might mean a switching issue or a MAC addressing problem (que the nightmare that is a duplicate MAC address on a broadcast domain) with the frame. You can probably see pretty quick that being able to conceptualize your communication with other engineers in terms of the OSI model layers can be very efficient and useful.

it really helps to conceptualize your problems in terms of the OSI layers.

Let's dive in a little more and take a look at what protocols live at each of these layers, and what their data units are, the word used to define the individual unit of that protocol's data.

Protocols and their respective PDUs placed on the OSI model layers

Physical Layer

Down at the physical layer we have the physical specifications of wireless (802.11) and wired standards like the usual ethernet connector RJ45. These are shown on the left, with the data unit on the right. The physical layer data unit is typically the 'Bit', however in analogue communications, like dial-up, we see 'symbols' or a particular frequency which represents multiple bits to increase throughput.

Data Link Layer

Up at the data link layer, layer 2, is where the ethernet protocol lives. This is where we use MAC (Media Access Control) addresses to communicate. The protocol data unit at this layer is a Frame. This is where a network switch does its work. It only looks at each data unit up to this layer before it starts forwarding it along. It will remember the source MAC and the port it came in on and forward it on to whatever the destination MAC address is.

Network Layer

At the network layer is where we start to see Internet Protocol, where we use IP addresses to communicate. Layer 3 is where routers do much of their work. IP routers look at source and destination IP addresses to select the appropriate port to forward the packet out of. We'll get more into this later, but an important note is that routers will rewrite the source and destination MAC address in the packet header, to be the source of its interface and destination of the next hop, but switches do not modify the frame at all.

Transport Layer

Up in layer 4 is where we find out 'ports'. If you've ever heard someone reference that "port 443 is blocked", or they need to "open port 21 inbound", they are referencing port numbers that are used in the layer 4 protocols. It's likely they are referencing TCP or UDP port numbers specifically. While ports aren't exactly addresses, they are an identifier that the system uses to forward the information appropriately up the application/protocol stack. We'll get more into this later, and I'll write up a full lesson on this topic at a later date.

an important note is that routers will rewrite the source and destination MAC address in the packet header...but switches do not modify the frame at all.

Lets take a look at how an IP packet is constructed, in this case specifically a UDP packet. You don't need to know yet the difference between TCP and UDP, just that they are layer 4 protocols.

UDP Datagram structure

You can probably tell that the layers match up with the OSI model, starting at layer 2 at the bottom. We have the frame header information on the outside of the data unit, then the IP header inside of that, then the UDP header inside of that then our application data.

Layer 2 Switches

Now that we have some more context on the OSI model we can talk about network devices a little more fluidly. Let's talk about what a switch does.

The primary job of a switch is to learn what port each destination MAC address lives on and forward any frames with that destination MAC address out the appropriate port. As we mentioned above, and might be clear from this heading, layer 2 switches only interact with traffic up to layer 2.

You may have heard of a 'hub' before and might wonder what the difference is between hubs and switches. Well the best difference is that a switch separates out collision domains, allowing for a separate collision domain per port, where a hub has a single collision domain for all of its ports.

Example of an older Cisco switch

Layer 3 Switches

"Layer 3 switch" is a little deceiving. You might read that and say "that's a router", and you'd be right, the only difference is typically feature set. generally layer 3 switches do not have the memory capacity to handle large routing tables, or state tables needed for stateful features like ALGs and NAT. These switches are typically capable of basic routing, usually both dynamic and static, and some very basic security functions. Many organizations will use a layer 3 switch as their core router, with additional routers at the network's edge. If you're interested in reviewing more network design, we have a whole lesson series on it.

Routers

As I mentioned above, routers interact with devices at layer 3, and usually have some additional features as well. They can act as an 'Application Layer Gateway' or ALG to proxy connections, rate limit, apply certain rules or restrictions to different application traffic. Routers are usually also good at other things that require a lot of memory, like traffic shaping where a device queues traffic that's being sent above the committed rate of an interface to smooth out and not drop the data.

Example of a Cisco ISR4331

Firewalls and IPS

The primary job of a firewall is to allow some trusted network to access some untrusted network, and not the other way around. Now firewalls have come a long way since the old ASA 5505, they can do some pretty fancy things. Things like application layer inspection where it actually looks at the application data and can make decisions based on it. If it sees that a user is attempting to execute a SQL injection attack, then it can stop that traffic. They can also do things like user ID based network rules, where it will change how it handles traffic based on the user account that's logged into the device that sourced that traffic.

An IPS, or Intrusion Prevention System, is generally included in todays Next Generation Firewalls (NGFW). For Cisco these are the Firepower line of devices. This is typically where the application layer inspection, also called Deep Packet Inspection (DPI) usually happens. This, coupled with crowd sourced information of all the active attacks happening in the world, the IPS and firewalls of today have gotten substantially smarter and better at defending our networks than ever before. Unfortunately, malicious actors are also increasing at a similar pace, continuing the need for such things.

ASA 5506

Thanks for hanging in there with me and I hope you enjoy the course!

© Ben Jacobson.RSS