
Chapter 2 of 29

Network Building Blocks: Core Network Components and Models

Walk through a modern enterprise network from endpoint to cloud and see how routers, switches, firewalls, and controllers fit together in layered architectures.

27 min read

From Laptop to Cloud: A High-Level Walkthrough

The Journey of a Packet

We will walk a packet from your laptop to a cloud app and meet the key devices that handle it: endpoints, APs, switches, routers, firewalls, controllers, and servers.

Our Running Scenario

Scenario: you open a browser on a Wi‑Fi laptop in a campus network and browse to `https://portal.example.com` hosted in the cloud. Every step uses core CCNA concepts.

What You Will Map

You will map each device to OSI/TCP‑IP layers and to data, control, and management planes, and see how on‑prem and cloud components form one end‑to‑end design.

Endpoints, Servers, and the Edge of the Network

What Are Endpoints?

Endpoints are user and device systems like laptops, phones, and cameras. They run apps, create TCP/UDP sessions, and are where connectivity problems are usually noticed first.

DHCP, DNS, and Default Gateway

Endpoints typically use DHCP for IP settings, DNS to map names to IPs, and a default gateway address on the local router interface to reach remote networks.

Servers and Cloud Apps

Servers host apps and data, either on‑prem or in the cloud. They live in specific VLANs or subnets and are reached via the campus, WAN, and often the public internet.

Switches and VLANs: The Layer 2 Foundation

The Role of Switches

Layer 2 switches forward Ethernet frames based on MAC addresses. They connect endpoints and APs and form the basic wiring closet of a campus network.

VLANs and Broadcast Domains

A VLAN is a logical Layer 2 subdivision that creates a separate broadcast domain. Devices in the same VLAN can talk directly at Layer 2, even if on different switches.
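To make the broadcast-domain idea concrete, here is a small VLAN-aware learning switch written for this chapter as an added example (it is not code from the course). The port names, VLAN numbers and MAC addresses are constructed; the point it shows is that flooding and MAC learning are scoped per VLAN, so a frame from a VLAN 30 port never reaches a VLAN 20 port even though both are on the same physical switch.

```python
# Added example (not from the chapter): a minimal VLAN-aware learning switch that
# shows why two hosts in different VLANs cannot reach each other at Layer 2 even
# when they are plugged into the same physical switch.
from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str


@dataclass
class AccessSwitch:
    # Access-port to VLAN assignment (constructed values for the example).
    port_vlan: dict
    # The MAC table is keyed per VLAN: the same MAC learned in two VLANs would
    # be two separate entries, exactly like a real per-VLAN CAM table.
    mac_table: dict = field(default_factory=dict)

    def forward(self, in_port: str, frame: Frame) -> list:
        """Return the list of egress ports for a frame received on in_port."""
        vlan = self.port_vlan[in_port]
        # Learn: the source MAC is reachable via the ingress port in this VLAN.
        self.mac_table[(vlan, frame.src_mac)] = in_port
        known = self.mac_table.get((vlan, frame.dst_mac))
        if frame.dst_mac == BROADCAST or known is None:
            # Broadcast and unknown unicast are flooded, but only to ports in
            # the same VLAN: the VLAN is the broadcast domain.
            return sorted(p for p, v in self.port_vlan.items()
                          if v == vlan and p != in_port)
        # Known unicast: send out the learned port, never back out the ingress.
        return [] if known == in_port else [known]


def demo() -> dict:
    """Constructed topology: VLAN 20 for laptops, VLAN 30 for IoT cameras."""
    sw = AccessSwitch(port_vlan={
        "Gi1/0/1": 20,  # laptop
        "Gi1/0/2": 20,  # printer
        "Gi1/0/3": 30,  # camera A
        "Gi1/0/4": 30,  # camera B
    })
    laptop, printer = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"
    cam_a = "cc:cc:cc:00:00:01"
    results = {}
    # 1. Laptop broadcasts (e.g. an ARP request): flooded to VLAN 20 ports only.
    results["laptop_broadcast"] = sw.forward("Gi1/0/1", Frame(laptop, BROADCAST))
    # 2. Printer replies: the laptop MAC is now known in VLAN 20, so unicast.
    results["printer_reply"] = sw.forward("Gi1/0/2", Frame(printer, laptop))
    # 3. Camera A addresses the laptop MAC directly: there is no entry for that
    #    MAC in VLAN 30, so the frame floods within VLAN 30 and never reaches
    #    Gi1/0/1. Crossing VLANs needs a router or Layer 3 switch.
    results["camera_to_laptop"] = sw.forward("Gi1/0/3", Frame(cam_a, laptop))
    return results
```

Run `demo()` and compare the three results: the broadcast goes to `Gi1/0/2` only, the reply is a single known-unicast forward, and the camera's frame is flooded to `Gi1/0/4` rather than delivered to the laptop. That is the isolation the design question at the end of this chapter relies on.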

Redundancy and STP

With redundant links, switches run Spanning Tree Protocol to prevent Layer 2 loops by blocking some paths while keeping a loop‑free logical topology.

Routers and Layer 3 Switches: Moving Between Networks

Why We Need Routers

Routers forward packets between different IP networks. Any time traffic leaves a subnet or VLAN, it goes to a router interface acting as the default gateway.

Layer 3 Switches

Layer 3 switches combine switching and routing, commonly doing fast inter‑VLAN routing in the campus distribution or core using SVIs.

Routing Protocols and NAT

Dynamic protocols like OSPFv2 build routing tables automatically, while NAT on routers or firewalls maps private addresses to public ones for internet access.

Firewalls, NGFWs, and Access Control

What Firewalls Do

Firewalls enforce security policies by allowing or blocking traffic. They typically sit at network boundaries like the internet edge or between sensitive internal zones.

ACLs and NGFW Features

ACLs on firewalls and routers specify which traffic is permitted. NGFWs add app awareness, user identity, and advanced inspection beyond simple IP and port checks.
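The two properties of an ACL that matter most in practice are that it is evaluated top to bottom with the first match winning, and that anything matching no entry is dropped by the implicit deny at the end. The evaluator below is an added example written for this chapter, not code from the course; the addresses (an IoT VLAN 10.0.30.0/24, a student VLAN 10.0.20.0/24, a controller at 10.0.100.10) and the policy are constructed. It also evaluates the same packet against a misordered copy of the list to show how a broad permit placed too early silently shadows a later deny.

```python
# Added example (not from the chapter): a first-match ACL evaluator with the
# implicit deny at the end, using constructed addresses for an IoT VLAN
# (10.0.30.0/24), a student VLAN (10.0.20.0/24) and an on-prem controller.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    proto: str                      # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: str                        # CIDR or "any"
    dst: str                        # CIDR or "any"
    dst_port: Optional[int] = None  # None means any destination port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def _network(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if cidr == "any" else cidr, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """Every field of the rule must match; 'ip', 'any' and None act as wildcards."""
    if rule.proto != "ip" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in _network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in _network(rule.dst):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: list, pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a packet matching no rule is implicitly denied.

    Returns (action, index of the matching rule), or ("deny", None) for the
    implicit deny.
    """
    for index, rule in enumerate(acl):
        if rule_matches(rule, pkt):
            return rule.action, index
    return "deny", None


# Inbound ACL on the IoT VLAN interface (constructed policy): cameras may reach
# the video controller over HTTPS and the internet, but nothing else internal.
IOT_ACL = [
    Rule("permit", "tcp", "10.0.30.0/24", "10.0.100.10/32", 443),
    Rule("deny",   "ip",  "10.0.30.0/24", "10.0.0.0/8"),
    Rule("permit", "ip",  "10.0.30.0/24", "any"),
]

# Same rules with the last two swapped: the broad permit now shadows the deny.
MISORDERED_ACL = [IOT_ACL[0], IOT_ACL[2], IOT_ACL[1]]


def demo() -> dict:
    cam_to_controller = Packet("tcp", "10.0.30.15", "10.0.100.10", 443)
    cam_to_student = Packet("tcp", "10.0.30.15", "10.0.20.7", 445)
    cam_to_internet = Packet("tcp", "10.0.30.15", "198.51.100.20", 443)
    stray_source = Packet("udp", "10.0.40.5", "198.51.100.20", 53)  # no rule covers it
    return {
        "controller": evaluate(IOT_ACL, cam_to_controller),
        "student": evaluate(IOT_ACL, cam_to_student),
        "internet": evaluate(IOT_ACL, cam_to_internet),
        "stray": evaluate(IOT_ACL, stray_source),
        "student_misordered": evaluate(MISORDERED_ACL, cam_to_student),
    }
```

`demo()` returns the action and the index of the entry that fired, which is what you would look for in per-entry hit counters on a real device: the camera-to-student packet hits the deny at index 1 with the correct order, but is permitted by index 1 in the misordered list, and the packet from an unexpected source falls through to the implicit deny (`None`). An NGFW layers application and user matching on top of this same first-match logic.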

Firewalls in the Packet Path

In our scenario, traffic from your campus network passes through a perimeter firewall, which applies policy and often performs NAT before sending it toward the cloud.

Wireless Access Points and Controllers

What Access Points Do

APs connect wireless clients to the wired LAN. They speak 802.11 over the air, then bridge client traffic into VLANs on the switch via an Ethernet uplink.

Role of Wireless Controllers

Wireless controllers centrally manage APs: pushing configs, handling RF tuning, and enforcing security policies. APs form control tunnels to these controllers.

Cloud‑Managed Wi‑Fi

In cloud‑managed Wi‑Fi, the controller function runs in the vendor cloud, and you manage the WLAN via a web dashboard while APs keep secure tunnels to it.

Control Plane vs Data Plane vs Management Plane

Data Plane

The data plane is the fast path that forwards user packets. It does MAC lookups, IP routing, ACL checks, NAT, and other per‑packet operations.

Control Plane

The control plane runs protocols and processes that decide where traffic should go: routing protocols, STP, wireless control, ARP, and other signaling.

Management Plane

The management plane is how admins interact with devices: SSH, HTTPS, SNMP, syslog, and REST APIs used by network automation and controllers.

Software-Defined Networking and Controllers

What SDN Changes

SDN centralizes the control plane in a controller and leaves data forwarding on the devices. Policies are defined centrally and pushed down programmatically.

Controllers in Practice

Campus and SD‑WAN controllers manage many devices at once, handling configuration, policy, and monitoring instead of you configuring each box individually.

REST APIs and Automation

REST APIs let software talk to controllers and devices over HTTP, enabling scripts and tools to configure networks and collect data automatically.

Mapping Devices to OSI and TCP/IP Models

Models Overview

The OSI model has 7 layers; the TCP/IP model has 4. OSI 1–2 map to TCP/IP Network Access, OSI 3 to Internet, OSI 4 to Transport, and OSI 5–7 to Application.

Device to Layer Mapping

Switches are mainly Layer 2, routers Layer 3, APs Layer 1–2, firewalls Layer 3–7, and controllers mostly Layer 3–7 for policy and management.

Protocols by Layer

Ethernet and Wi‑Fi live at Layers 1–2, IP and OSPFv2 at Layer 3, TCP/UDP at Layer 4, and DNS, HTTP, SSH, and similar protocols at Layer 7.

End-to-End Walkthrough: Campus User to Cloud App

Step 1–2: Join and Get an IP

The laptop associates to an AP, is placed in VLAN 20, and uses DHCP to obtain IP settings, including subnet mask, DNS servers, and a default gateway.

Step 3–4: DNS and Routing Out

The laptop queries DNS for the cloud app’s IP, then sends HTTPS traffic to that IP via its default gateway, which routes it toward the internet edge firewall.

Step 5–6: Internet and Back

Edge routers and the ISP forward traffic to the cloud. Responses take the reverse path through NAT and firewalls back to the laptop, completing the session.
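The decisions in steps 1 to 6 can be traced in a few dozen lines. The following is an added example written for this chapter (not course code): it takes a constructed DHCP lease for VLAN 20, a constructed DNS answer for `portal.example.com`, works out whether the laptop sends to the destination directly or to its default gateway, and then performs the port address translation that the edge applies on the way out and reverses on the way back. The addresses, ports and the NAT port range are all assumptions for the example.

```python
# Added example (not from the chapter): the laptop's forwarding decision and the
# edge NAT step from the walkthrough, with constructed DHCP, DNS and NAT values.
import ipaddress
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass(frozen=True)
class DhcpLease:
    ip: str          # laptop address in VLAN 20
    prefix: int      # subnet mask expressed as a prefix length
    gateway: str     # default gateway: the VLAN 20 router interface or SVI
    dns: str


# Constructed DNS answer; a real client would query the lease's DNS server.
DNS_RECORDS = {"portal.example.com": "203.0.113.10"}


def next_hop(lease: DhcpLease, dst_ip: str) -> Tuple[str, str]:
    """Step 3-4: decide whether to ARP for the destination or for the gateway."""
    local = ipaddress.ip_interface(f"{lease.ip}/{lease.prefix}").network
    if ipaddress.ip_address(dst_ip) in local:
        return "on-link", dst_ip
    return "via-gateway", lease.gateway


@dataclass
class EdgeNat:
    """Port address translation at the internet edge (step 5-6)."""
    public_ip: str
    next_port: int = 40000
    outbound: dict = field(default_factory=dict)   # (inside ip, port) -> public port
    inbound: dict = field(default_factory=dict)    # public port -> (inside ip, port)

    def translate_out(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        key = (src_ip, src_port)
        if key not in self.outbound:
            self.outbound[key] = self.next_port
            self.inbound[self.next_port] = key
            self.next_port += 1
        return self.public_ip, self.outbound[key]

    def translate_in(self, dst_port: int) -> Optional[Tuple[str, int]]:
        # A reply to a port with no existing translation has nowhere to go and
        # is dropped; this is why unsolicited inbound traffic fails at the edge.
        return self.inbound.get(dst_port)


def walk(lease: DhcpLease, nat: EdgeNat, hostname: str, src_port: int) -> dict:
    """Trace one HTTPS session from the laptop to the cloud app and back."""
    server_ip = DNS_RECORDS[hostname]                         # step 3: DNS
    hop_kind, hop = next_hop(lease, server_ip)                # step 4: routing out
    public_ip, public_port = nat.translate_out(lease.ip, src_port)  # step 5: NAT
    reply_target = nat.translate_in(public_port)              # step 6: reply back in
    return {
        "server_ip": server_ip,
        "next_hop": (hop_kind, hop),
        "outside": (public_ip, public_port),
        "reply_delivered_to": reply_target,
    }


# Constructed lease handed out by DHCP in VLAN 20.
LEASE = DhcpLease(ip="10.0.20.57", prefix=24, gateway="10.0.20.1", dns="10.0.100.53")
```

Calling `walk(LEASE, EdgeNat("198.51.100.1"), "portal.example.com", 51000)` resolves the name, sends the packet via the gateway because 203.0.113.10 is outside 10.0.20.0/24, leaves the edge as 198.51.100.1:40000, and maps the reply to that port back to 10.0.20.57:51000. A second session from the same laptop gets the next public port, and `next_hop(LEASE, "10.0.20.9")` shows the on-link case, where the laptop ARPs for the destination itself instead of the gateway.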

Thought Exercise: Classify Components and Planes

Use this short exercise to solidify how you classify devices by layer and by plane.

  1. Device to OSI layer

  For each, decide the primary OSI layer and then check yourself:

  • a) Access switch
  • b) Router at the WAN edge
  • c) Wireless access point
  • d) Next‑generation firewall
  • e) SD‑WAN controller

Reflect:

  • a) Access switch: mainly Layer 2.
  • b) Router: Layer 3.
  • c) AP: Layer 1–2 (radio and bridging).
  • d) NGFW: Layer 3–7.
  • e) SD‑WAN controller: logically Layer 3–7 (control/management).

  2. Plane classification

  For each activity, decide if it belongs to the data, control, or management plane:

  • a) A router running OSPFv2 and updating its routing table.
  • b) An engineer SSHing into a switch to change a VLAN configuration.
  • c) A switch forwarding frames between two ports based on MAC addresses.
  • d) A firewall logging dropped packets to a SIEM.

Reflect:

  • a) Control plane (routing protocol).
  • b) Management plane (admin access and config).
  • c) Data plane (frame forwarding).
  • d) Primarily management plane (logging and monitoring).

  3. Design question

  You must isolate IoT devices from student laptops but use the same physical switches. Which feature is most appropriate, and which layer is it at?

  Answer: Use VLANs (Layer 2) to place IoT devices and student laptops into separate broadcast domains and apply different policies.

Quiz 1: Core Components and Models

Check your understanding of the core devices and models.

Which statement best describes the role of a Layer 3 switch in a modern campus network?

  A) It only forwards frames based on MAC addresses and cannot perform routing.
  B) It provides wireless connectivity to endpoints and tunnels all traffic to a controller.
  C) It combines high-speed switching with IP routing, often performing inter-VLAN routing using SVIs.
  D) It sits at the internet edge and inspects traffic up to Layer 7 to enforce security policies.

Answer: C) It combines high-speed switching with IP routing, often performing inter-VLAN routing using SVIs.

A Layer 3 switch is a multilayer device that can both switch frames at Layer 2 and route packets at Layer 3. In campus designs it commonly performs inter-VLAN routing via switch virtual interfaces (SVIs). Option A describes a pure Layer 2 switch, option B describes an access point, and option D describes a next-generation firewall.

Quiz 2: Planes and OSI Layer Mapping

One more quick check on planes and layers.

An engineer uses a REST API to push a new security policy to all campus switches via a central controller. Which planes are primarily involved on the controller and switches?

  A) Controller: data plane; Switches: control plane
  B) Controller: management and control planes; Switches: control and data planes
  C) Controller: data and management planes; Switches: management plane only
  D) Controller: control plane only; Switches: data plane only

Answer: B) Controller: management and control planes; Switches: control and data planes

The controller exposes a REST API for management and also runs the centralized control plane that decides policies. Switches participate in the control plane when they receive new instructions and in the data plane when they enforce those policies on user traffic.

Key Terms

ACL
An Access Control List (ACL) is an ordered set of permit and deny statements that control which packets are allowed or blocked based on criteria such as source, destination, and protocol.
DNS
The Domain Name System (DNS) is a distributed database that maps human-readable hostnames to IP addresses and other resource records.
NAT
Network Address Translation (NAT) is a method of translating private IP addresses to public IP addresses, and vice versa, as packets traverse a router or firewall.
DHCP
The Dynamic Host Configuration Protocol (DHCP) automatically assigns IP configuration parameters such as IP address, subnet mask, default gateway, and DNS servers to clients.
VLAN
A Virtual Local Area Network (VLAN) is a logical subdivision of a Layer 2 network that groups devices into the same broadcast domain regardless of their physical location.
OSPFv2
Open Shortest Path First version 2 (OSPFv2) is a link-state interior gateway protocol used to exchange IPv4 routing information within a single autonomous system.
REST API
A Representational State Transfer (REST) API is a web-based interface that uses HTTP methods and resource-oriented URIs to enable programmatic access to network devices and controllers.
Controller
A centralized system (on-prem or cloud) that manages configurations, policies, and sometimes control-plane functions for network devices such as switches, routers, and APs.
Data plane
The functional area of a network device that forwards user traffic based on existing tables and policies.
Access switch
A switch at the edge of the network that connects endpoints and access points, typically operating at Layer 2 and assigning ports to VLANs.
Control plane
The functional area of a network device that builds and maintains forwarding information, such as routing tables and topology information.
Layer 3 switch
A multilayer switch that can perform both Layer 2 switching and Layer 3 routing, often used for inter-VLAN routing in campus networks.
default gateway
A default gateway is the IP address of a router interface on the local network segment that a host uses to send traffic destined for remote networks.
Management plane
The functional area of a network device used by administrators and tools to configure, monitor, and manage the device.
Access point (AP)
A device that provides wireless connectivity to clients and bridges their traffic into the wired LAN, typically mapping SSIDs to VLANs.
Spanning Tree Protocol (STP)
Spanning Tree Protocol (STP) is a Layer 2 protocol that prevents loops in a bridged network by placing redundant paths into a blocking state while maintaining a loop-free logical topology.
Next-generation firewall (NGFW)
A firewall that performs stateful inspection and can inspect traffic up to Layer 7, recognizing applications and users and enforcing advanced security policies.
software-defined networking (SDN)
Software-defined networking (SDN) is an architectural approach that separates the control plane from the data plane, enabling centralized control of network behavior through software-based controllers and APIs.