## Devices & Appliances
Every box on the network and the OSI layer it operates at — from dumb hubs to L7 application appliances.
| Device | Layer | Role |
|---|---|---|
| Hub | L1 | Repeats bits to all ports — one collision domain (legacy) |
| Switch | L2 | Forwards frames by MAC; per-port collision domain |
| Router | L3 | Routes packets between networks by IP |
| L3 Switch | L2/3 | Switching + inter-VLAN routing via SVIs |
| Firewall | L3–7 | Filters traffic by policy, state and app |
| NGFW | L3–7 | Firewall + IPS + app/identity awareness |
| Load balancer | L4–7 | Distributes sessions across servers |
| IDS / IPS | L3–7 | Detects (IDS, out-of-band) or blocks (IPS, inline) |
| Proxy | L7 | Intermediary — forward (clients) or reverse (servers) |
| WAF | L7 | Filters web-app attacks (SQLi / XSS) |
| Access Point | L2 | Bridges Wi-Fi clients onto the wired LAN |
| WLC | — | Manages many APs centrally over CAPWAP |
| Modem | L1 | Modulates digital ↔ carrier medium |
// key distinctions
- Collision domain = switch port · Broadcast domain = VLAN
- Router/L3 switch separate broadcast domains
- IDS watches a copy (SPAN); IPS sits inline and drops
- Forward proxy hides clients; reverse proxy fronts servers
// collision & broadcast domains
| Device | Collision domains | Broadcast domains | Behaviour |
|---|---|---|---|
| Hub | 1 (shared) | 1 | Everything collides — half duplex |
| Switch | 1 per port | 1 per VLAN | Micro-segments collisions; floods broadcast |
| Router / L3 switch | 1 per port | 1 per interface | Stops broadcasts — segments both domains |
// firewall types
| Type | Layer | What it does |
|---|---|---|
| Packet filter | L3/L4 | Stateless — matches IP/port per packet (ACL) |
| Stateful | L4 | Tracks connection state in a session table |
| NGFW / UTM | L7 | Adds app awareness, IPS, URL & malware filtering |
| Proxy firewall | L7 | Terminates & re-originates the session |
| WAF | L7 | Protects web apps (SQLi, XSS, OWASP) |
// IDS vs IPS
| | IDS | IPS |
|---|---|---|
| Placement | Out-of-band (SPAN / tap) | Inline in the traffic path |
| Action | Alerts only | Alerts + blocks / drops |
| Latency | None (passive) | Adds some delay |
| Risk | Misses live attacks | False positive can drop good traffic |
| Detection | Signature + anomaly | Signature + anomaly |
// load-balancing methods
| Method | Behaviour |
|---|---|
| Round-robin | Each server in turn — simplest |
| Weighted | Bigger servers take a larger share |
| Least-connections | Send to the least-busy server |
| IP hash | Hash of client IP → session stickiness |
| L4 vs L7 | L4 routes by IP/port; L7 inspects HTTP/URL/cookies |
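The four selection methods in the table, as an added Python example (not code from the page or from any load-balancer product); the backend names, weights and connection counters are constructed for the demo:

```python
import hashlib
import itertools
from dataclasses import dataclass


@dataclass
class Backend:
    name: str
    weight: int = 1   # share of traffic for the weighted method
    active: int = 0   # open connections (hypothetical counter kept by the proxy)


class LoadBalancer:
    """Picks a backend using one of the methods from the table above."""

    def __init__(self, backends):
        self.backends = list(backends)
        self._rr = itertools.cycle(self.backends)
        # Weighted round-robin: list each backend 'weight' times, then cycle.
        self._wrr = itertools.cycle(
            [b for b in self.backends for _ in range(b.weight)])

    def round_robin(self):
        return next(self._rr)

    def weighted(self):
        return next(self._wrr)

    def least_connections(self):
        # Least-busy server wins; ties resolve to the first in pool order.
        return min(self.backends, key=lambda b: b.active)

    def ip_hash(self, client_ip):
        # Same client IP -> same backend while the pool is unchanged
        # (plain modulo remaps most clients if a server is added or removed).
        digest = hashlib.sha256(client_ip.encode()).digest()
        idx = int.from_bytes(digest[:4], "big") % len(self.backends)
        return self.backends[idx]


def demo():
    pool = [Backend("web1", weight=3), Backend("web2", weight=1)]
    lb = LoadBalancer(pool)
    rr = [lb.round_robin().name for _ in range(4)]    # web1 web2 web1 web2
    wrr = [lb.weighted().name for _ in range(4)]      # web1 web1 web1 web2
    pool[0].active, pool[1].active = 10, 2
    lc = lb.least_connections().name                  # web2
    sticky = lb.ip_hash("203.0.113.7") is lb.ip_hash("203.0.113.7")
    return rr, wrr, lc, sticky
```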