Course sections

Network Fundamentals

Lesson 1: Explain the role and function of network components

Explain the role and function of network components


Routers route traffic across IP subnets based on the destination IP address or prefix. To facilitate the propagation of routing information, routers also support various routing protocols such as OSPF, EIGRP, or BGP.

R1 and R2 are routers connected via an ethernet link.

A screenshot of a cell phone Description automatically generated

IP packet switching is the process as to how two end hosts communicate with each other. Much like network layer and IP addresses, the data link layer also has its link-layer addresses which are known as MAC addresses for ethernet. If you two end hosts are on the same IP subnet, they do not need a default gateway or a router to communicate with each other. One end-host can use ARP to find out the other’s MAC address on an ethernet segment, and then simply transmit the packet to the destination host. However, when the destination host is on a different subnet than the source host, the source host would simply send that packet off to the default gateway or the router. If the router knows how to reach that destination IP subnet, via a static or dynamic routing protocol, the router will simply rewrite the L2 information and send packet off to its destination host using the appropriate outgoing interface.

In the earliest days of networking, Cisco routers switched packets from incoming to outgoing interfaces using process switching which was slow due to the CPU overhead involved. Eventually, Cisco streamlined the process with fast switching and then finally CEF switching.

Process and CEF Switching

Process switching is the switching mechanism in which a general-purpose CPU, e.g. PowerPC or x86 processor, on a router is used to switch packets. In classic IOS, there is an input_process that runs on the CPU for processing all incoming packets. Today, process switching is only limited to a handful of specific scenarios, while everything else gets CEF switched whether in software (i.e. CPU) or hardware (i.e. network processor) depending on the platform.

The types of packets that require process switching include

  • Packets sourced or destined to the router i.e. traffic destined to the control plane such as routing protocol packets
  • Packets that are too complex for the hardware to handle, for example, packets with IP options set
  • Packets that require extra information such as ARP resolution etc.

The routing table, also known as Routing Information Base (or RIB) is built from information gained from either directly connected interfaces and/or static or dynamic routing protocols.

Cisco Express Forwarding (or CEF) is a Cisco proprietary switching method developed back in the 1990s to keep pace with the modern high capacity and low latency networks. Today, it is the default switching method across all Cisco routers, switches, and even appliances. CEF can be done in software or hardware. CEF can be implemented on both centralized (e.g. ISR 4K or ASR1K) as well as the distributed (e.g. Cisco ASR9K or Nexus 7K) forwarding platforms. Please note that concepts of centralized and distributed forwarding are orthogonal to whether a platform is software-based or hardware.

Software-based CEF

Software-based CEF implies CEF processing done using a general-purpose processor as opposed to using an ASIC or a network processor. CEF consists of two major components, i.e. Forwarding Information Base (or FIB) and Adjacency table.

The FIB is built directly from the routing table and contains next-hop IP addresses for each destination IP prefix. It is updated when a routing or topology change occurs.

Adjacency table contains MAC addresses and egress interfaces of all directly connected next hops and is populated using the ARP table (for ethernet medium).

A close up of a device Description automatically generated

Hardware-based CEF

Hardware-based CEF is where forwarding is done with the help of ASIC(s) or network processor(s). It can be either centralized (e.g. ASR1K) or distributed (e.g. ASR9K or CRS-1).

The primary advantage of distributed forwarding is that the packet throughput is improved even more so by offloading forwarding tasks to the egress line card(s).


FIB is used for forwarding but is derived from the combination of RIB and adjacency table so that L2 information in each outgoing frame can be rewritten.

Architecture IP routing table (best AD only) CEF table
Data Structure Repository of routes Repository of interface IDs and next-hop information for each destination prefix
Plane of Operation Routing Forwarding

A close up of a sign Description automatically generated

The RIB can be local to a routing protocol such as the case with the OSPFv2[1]. The OSPFv2 local RIB acts as the primary state management data structure for SPF computation which minimizes the churn within the global RIB and leads to lesser packet drops. The global RIB is updated only when routes are added, deleted, or changed. By default, the global RIB is used to compute inter-area, NSSA, and forwarding addresses for type 5 and 7 LSAs.

L2 and L3 switches

L2 Switches are for bridging or forwarding traffic based on the destination MAC address within a given L2 segment or VLAN based on CAM table which is built using the source MAC addresses. L3 switches can function both as an L2 switch as well as a router for inter-VLAN routing and many other use cases. Cisco Nexus 3000, 5000, 7000, and 9000 series products represent layer 3 families of switches.

The following steps describe the switching process.

  • The switch receives a frame from a source machine
  • The switch stores the source MAC address and the switch port that the frame was received on into the MAC table.
  • The switch checks the table for the matching destination MAC address. If there is a match, that port is used to forward the frame. If there is no match, it is flooded out of all the switch ports (for that VLAN).

Next-generation firewalls and IPS

Firewalls can be divided into several types based on how they operate on traffic passing through them. The actual implementation could be in the form of a physical or virtual appliance, the latter also suitable for cloud deployments.

  • Packet filters (or stateless FW such as an ACL)
  • Stateful FW (such as IOS ZBFW or Cisco ASA without any AVC, APM, etc. configured)
  • Application-layer firewalls (e.g. proxies)
  • Next-gen firewalls (e.g. Cisco Firepower with application-level controls)
  • Cloud firewalls (mostly virtual appliances, OVAs)

It is worth noting that there is no consensus or a definition of what a next-gen firewall is in the security industry. There are two main ways a firewall can be deployed in an enterprise network.

  • Firewall as bastion host (you can also call this two-legged deployment where a FW separates the trusted from the untrusted network). This is the single most common deployment model.
  • Firewall as bastion host with DMZ (this is your three-legged deployment where a FW has a third connection facing the servers (such as web, mail, and DNS)

In the case of a firewall as a bastion host with DMZ, you can also choose to deploy two separate firewalls, one facing the trusted (or private) and the other facing the untrusted or public network. Servers on the DMZ are only allowed to send traffic in response to traffic coming from the hosts on the trusted or untrusted network. The biggest drawback associated with a traditional FW deployment is that it does nothing to prevent attacks coming from inside the network.

A close up of a logo Description automatically generated

A picture containing computer Description automatically generated

Intrusion Prevention Systems (IPS) systems come in a variety of shapes and forms, below are the four most common ones.

  • Network-based IPS (or NIPS, protect the traffic behind it)
  • Host-based IPS (or HIPS protect the computer or host it is installed on)
  • Wireless IPS (or WIPS only monitors WLAN traffic)
  • Network Behavior Analysis (or NBA, looks at unusual traffic pattern or volume such as the case with DDoS)

IPS is deployed alongside firewall clusters, and its placement depends on the underlying use case. IPS can be deployed either in an in-line or TAP (aka passive) mode. In an in-line deployment, all network traffic passes through the IPS, and the ports can be configured in a fail-closed (i.e., no traffic passes if port or the IPS malfunctions) or fail-open fashion.

In a passive IPS deployment, an IPS such as a Firepower system monitors traffic flowing across a network using a switch port that’s configured for port mirroring or SPAN. The SPAN port receives all traffic data copied from other ports, so this type of deployment allows for placing the IPS just about anywhere within the L2 domain. In passive mode, an IPS cannot take actions that require it to be in the data path, such as blocking or shaping.

Below are the common NIPS use cases.

  • Protecting a remote or branch office with direct internet access. IPS is enabled on the WAN interface.
  • IPS to meet certain compliance requirements such as PCI. IPS is placed at the network edge.
  • Guest network protection, in this case, IPS is enabled on the guest VLAN interface.
  • Limiting or containing a threat from claiming further attack surface, e.g. a network attack propagating from branch to HQ or other branches.

Access points

Cisco WLAN infrastructure consists of either autonomous (standalone) or lightweight APs (LAPs) that are connected to the network via WLAN controllers. The autonomous APs is also known as Fat APs.

Controllers (Cisco DNA Center and WLC)

A Wireless LAN (WLAN) controller manages wireless network access points (APs) that wireless devices use to connect to the wireless network. WLAN controller can be deployed in a centralized (most common) or distributed fashion.

Cisco’s WLAN controllers are a key component of intent-based networking. Cisco DNA Center is a controller as well as an analytics platform that makes Cisco’s intent-based networking possible. It consists of five major components.

  • Design
  • Policy
  • Provision
  • Assurance

DNA center appliance hosts SDN controller, analytics engine, and telemetry storage. At the time of writing, a 44-core DNA appliance (DN2-HW-APL) is listed for USD 88.6K in Cisco’s GPL. It must be installed and run on the bundled bare metal server, as we speak, there is no virtual appliance package available.

DNA center licenses come in three flavors, i.e.

  • Essentials (includes basic automation and network visibility)
  • Advantage (includes Essentials, plus advanced automation, image lifecycle management, AI/ML analytics and assurance and API/SDK integration)
  • Premier (Everything in Advantage, plus encrypted traffic analytics and multi-domain policy segmentation)


Endpoints are desktop or mobile clients that connect into networks to consume network services and access resources. For example, a network-connected laptop, desktop, smartphone, tablets, printers, or any other network-connected hardware with a TCP/IP stack.


A server is a hardware or software device on a network that accepts and responds to a network connection request made by a client or an endpoint. Servers are purpose-built computers to carry out various network functions. For example, a web server is a computer that runs web services (i.e. Apache or Microsoft IIS software) and responds to HTTP/HTTPS requests coming in from the web clients.