1.0 Network Fundamentals: 1.1 Explain The Role and Function of Network Components
What is a router? What is a L2 switch? What is an L3 switch? What is all this stuff and what
does it do? We are already too deep into the material. Let’s take a step back and figure
something out here.
A network is a bunch of connected devices. Think about your home or office. I have an office
downtown, which has a network. All my office devices – laptops, servers, printers, etc. can
connect. I also have a home. All my home devices – laptops, phones, printers, cameras can
connect. If I’m working from home, I can still connect to my office network.
Google has a big network. I can connect to Google’s network from my home or office.
In the world, there are millions, or hundreds of millions of networks, all connected somehow.
How does it all work?
Well, at the edge of each network is a router. We’re going to learn more about these routers
later. But for now, we should understand that a router moves traffic between one network and
another. It might move traffic between your home network and the internet. Or it might move
traffic between your work network and your home network.
In each office, I also have a switch, or maybe I have several switches. Let’s take a closer look at
my home network. I connected all my devices to a switch, like my TV, my desktop computer,
and my printer. The switch forwards traffic between the devices on my network. If I want to
print something, the traffic goes from my computer, to the switch, and then to the printer. We
might call the network in my home a Local Area Network. That is, any equipment behind the
router is a Local Area Network, or LAN.
If I want to access something on the internet (on another network – outside my LAN), the
traffic must pass through the router.
Going back to my switch – we call this type of Switch a Layer 2 Switch. More advanced
switches are known as Layer 3 Switches (or multi-layer Switches). We’ll come back to the
difference later, when it makes more sense.
I also need to keep bad people out of my network. So, I add a firewall between the router and
the rest of my network.
There are many types of firewalls. The most basic ones ask only a few questions:
• Where is the traffic coming from? What is the source IP address of the traffic?
• Where is the traffic going? What is the destination IP address of the traffic?
The firewall has some rules. It compares the source and destination of the traffic to the rules
and decides whether to let it through. It’s like looking at the to and from fields on an envelope
before deciding whether to mail it.
Newer firewalls – known as Next Generation Firewalls – take a deeper look. They look at the
contents of the traffic to decide if it’s good or bad. A Next Generation Firewall can ask some
more questions:
• What type of traffic is it? What is the port number? Is it HTTP traffic, VoIP traffic, FTP
traffic, etc?
• If it’s HTTP or HTTPS traffic, what is the URL of the website? Is this a safe website?
• What is the state of the traffic? Did the connection originate from inside the network
or from outside the network? This is known as stateful inspection.
For example, if you’re visiting a website, we would expect the connection to originate
from inside the network. If a website originates the traffic, it’s probably from an
imposter.
• How many packets did this host send? A sudden surge of traffic from a specific source
could be a symptom of an attack. If the firewall notices that we’re receiving a lot of
traffic from a specific source, it could throttle it or slow it down.
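The two ideas above, rule lookup on source and destination, and stateful inspection that only admits a reply from outside when the connection was opened from inside, as a small added example (not code from this book or from any Cisco product); the rule set, the 192.168.1.0/24 LAN and the host addresses are constructed for the illustration:

```python
import ipaddress

# Constructed rule set: (action, source network, destination network, destination port).
# Rules are checked top-down, the first match wins, and no match means deny.
RULES = [
    ("allow", "192.168.1.0/24", "0.0.0.0/0", 443),   # LAN hosts may open HTTPS to anywhere
    ("allow", "192.168.1.0/24", "0.0.0.0/0", 80),    # ...and HTTP
    ("allow", "0.0.0.0/0", "192.168.1.25/32", 25),   # anyone may reach the mail server on SMTP
]


class StatefulFirewall:
    """Toy packet filter: source/destination rule lookup plus a connection (state) table."""

    def __init__(self, rules):
        self.rules = [(action, ipaddress.ip_network(src), ipaddress.ip_network(dst), port)
                      for action, src, dst, port in rules]
        # Connections we have already allowed, keyed as (src_ip, src_port, dst_ip, dst_port).
        self.sessions = set()

    def _match_rule(self, src, dst, dst_port):
        for action, src_net, dst_net, port in self.rules:
            if src in src_net and dst in dst_net and (port is None or port == dst_port):
                return action
        return "deny"                      # implicit default deny

    def check(self, src_ip, src_port, dst_ip, dst_port):
        # A reply to a connection already in the state table is allowed without a rule,
        # so a web server can answer a LAN host it never could have contacted on its own.
        if (dst_ip, dst_port, src_ip, src_port) in self.sessions:
            return "allow (established)"
        action = self._match_rule(ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip), dst_port)
        if action == "allow":
            self.sessions.add((src_ip, src_port, dst_ip, dst_port))
        return action


def demo():
    """Run a constructed packet sequence through the filter and return each verdict."""
    fw = StatefulFirewall(RULES)
    return [
        fw.check("192.168.1.10", 51000, "203.0.113.5", 443),   # LAN host opens HTTPS: allow
        fw.check("203.0.113.5", 443, "192.168.1.10", 51000),   # web server replies: established
        fw.check("203.0.113.9", 443, "192.168.1.10", 51001),   # unsolicited from outside: deny
        fw.check("198.51.100.7", 40000, "192.168.1.25", 25),   # internet to mail server: allow
        fw.check("198.51.100.7", 40000, "192.168.1.10", 22),   # internet to a LAN host: deny
    ]
```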
A firewall can also use security zones. A security zone is a set of hosts (which could be
internal or external). We might call each device on our network a “host”. Each zone can have
different rules for what its hosts can access. For example, we could have trusted internal servers
in one zone, trusted external webservers in a second zone, and untrusted sites in a third zone.
The most important zone in our network is the DMZ or Demilitarized Zone. We put servers
that must access both the internal network and the internet in the DMZ. These could include
web servers and e-mail servers. We need to access our e-mail from inside the network, and people on
the internet need to access our e-mail server to send us e-mails.
Cisco next generation firewalls were called Cisco Adaptive Security Appliances or ASAs.
The newer firewalls are called Cisco Firepower. The Firepower firewalls take a deeper look at
each packet. It’s like opening each envelope and reading the contents before deciding whether
to send it.
Why do we need to take a deeper look? A hacker can hide malicious information inside a
legitimate-looking piece of data. For example, malicious traffic might come in disguised as
legitimate web traffic. If a legitimate web server is compromised (through a virus or trojan), the
hacker could use it to send malicious traffic.
This deep packet inspection is performed with a tool called Cisco Application Visibility and
Control (AVC). The firewall can predict the application that is running inside the data.
We also use Intrusion Prevention Systems, or IPSs. The IPS is like a firewall, but more
advanced. It checks every packet against a signature database to determine what to do with it.
The IPS can detect viruses, worms, and DDoS attacks. Usually, the IPS comes preloaded with a
signature database, and no configuration is required. The IPS might connect to the cloud and
download new threat signatures to its database in real time. It might also share threats that it
detects with other IPSs; if one IPS detects an early threat, it can share it with other IPSs, so that they all benefit.
In addition to its database, the IPS uses heuristics, or artificial intelligence to detect threats. If
it detects a packet that might be a threat, but it’s not sure, it sends it to the cloud for further
analysis. Researchers take a closer look at the packet and decide whether to include it in the
database.
Cisco has created Next Generation IPSs, which can look deeper inside the hosts on the
internal network. The Next Generation IPS will identify the types of operating systems,
applications, and protocols running on the internal network. They also identify the ports in
use on the internal network. This is known as Contextual Awareness.
With this information, the NGIPS can do two things:
• Avoid spending time looking for threats against devices that do not exist in the network
Like the firewall, the Cisco NGIPS provides Application Visibility and Control. It also
provides Reputation-Based Filtering. Cisco tracks bad people on the internet based on their
domain names, IP addresses, and names. Cisco assigns each network resource (web server,
website, etc.) a reputation score. With this information, your NGIPS can block traffic that has
a bad reputation.
Each time the IPS matches a packet, it creates a security alert. Over time, an IPS can create
millions of security alerts; it’s not possible for a human to read all of them. The NGIPS also
uses Event Impact Levels to help rank each alert, so that an administrator can focus on the
issues that could cause the most harm.
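Contextual awareness and impact ranking, as an added example (not code from this book, and not Cisco’s actual Event Impact Level scheme): a signature hit is ranked by whether the targeted host, as learned from a constructed asset inventory, actually runs the OS and application the signature is written for. Signature names, hosts and the four-level ranking are all hypothetical.

```python
# Constructed asset inventory, the kind an NGIPS builds by passively observing
# the operating systems, applications and ports in use on the internal network.
ASSETS = {
    "192.168.1.25": {"os": "linux", "apps": {"smtp": 25, "https": 443}},
    "192.168.1.40": {"os": "windows", "apps": {"smb": 445, "rdp": 3389}},
}

# Constructed signature entries (hypothetical names, not real Cisco signature IDs),
# each recording which OS and application the signature targets.
SIGNATURES = {
    "SIG-SMB-EXPLOIT": {"os": "windows", "app": "smb"},
    "SIG-SMTP-OVERFLOW": {"os": "linux", "app": "smtp"},
    "SIG-RDP-BRUTE": {"os": "windows", "app": "rdp"},
}


def impact_level(sig_id, dst_ip, dst_port):
    """Rank a signature hit by how relevant it is to the targeted host (lower is more urgent).

    1 = host runs the targeted OS and the targeted app on that port (likely vulnerable)
    2 = host runs the targeted OS but not that app on that port
    3 = host runs a different OS, so the signature cannot apply to it
    4 = host is not in the inventory at all (no context available)
    """
    sig = SIGNATURES[sig_id]
    host = ASSETS.get(dst_ip)
    if host is None:
        return 4
    if host["os"] != sig["os"]:
        return 3
    if host["apps"].get(sig["app"]) == dst_port:
        return 1
    return 2


def triage(alerts):
    """Sort (signature, destination IP, destination port) hits so the most relevant come first."""
    ranked = [(impact_level(sig, ip, port), sig, ip, port) for sig, ip, port in alerts]
    return sorted(ranked)


# Constructed alert sample: an SMB exploit aimed at a Linux mail server is noise,
# while the SMTP overflow against that same server is the one to look at first.
SAMPLE_ALERTS = [
    ("SIG-SMB-EXPLOIT", "192.168.1.25", 445),
    ("SIG-SMTP-OVERFLOW", "192.168.1.25", 25),
    ("SIG-RDP-BRUTE", "192.168.1.40", 3389),
    ("SIG-SMB-EXPLOIT", "10.0.0.9", 445),
]
```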
In summary, a Cisco Next Generation Firewall/IPS can do the following:
• Blocking specific URLs (websites) based on the reputation of the website. This is called
Reputation-Based Filtering.
• Detection of malware
Going back to my network, I have many laptops. Some of these laptops don’t want to sit in one
spot. I want to sit on the patio and do some work. So, I install a Wireless Access Point, or
WAP. The WAP connects to the switch and broadcasts a Wi-Fi signal, which all my
(wireless-capable) devices can connect to.
If I have lots of WAPs, then I need to add a controller. If I had an office with 20 or 30 or 100
access points, I wouldn’t want to manually configure each one. The controller configures and
monitors the WAPs automatically. The controller is known as a WLC or Wireless Controller.
A more advanced Cisco controller is called the Cisco DNA Center. We will learn more about it
later.
My network might also have a server. Servers are computers that serve multiple users. For
example, I might have a server for sharing important files with multiple users. Or I might
have a server that handles my e-mail.
Each of the end user devices (printers, laptops, desktops, phones, etc.) is known as an endpoint
or an end-user device.
In a home network, we might have one physical device that performs all the functions:
router, firewall, switch, and wireless access point all in one. It doesn’t have a wireless
controller, but the access point functions independently.
The home network device also functions as a modem and connects to a cable, DSL, fiber optic,
or 4G connection.
We will learn more about the different devices and how to configure them later in this book.