Lab 5: Switch, Router, and Service Boundaries

Scenario: Someone Added a Router

A small office reports intermittent access after an employee plugged in a spare home router to 'add more ports and better Wi-Fi.' Some users receive addresses in 192.168.0.0/24, others receive 10.10.5.0/24, and a few devices can reach the Internet but cannot see the office printer. This is a role-boundary problem. The added device may be acting as a switch, router, access point, DHCP server, DNS forwarder, firewall, and wireless gateway all at once.

Start by identifying the official design. The office firewall should be the router and default gateway at 10.10.5.1. The access switch should provide wired Layer 2 connectivity. The approved access point should bridge employee Wi-Fi into the employee VLAN and offer a separated guest SSID. DHCP should come from the firewall or server. With that design, employee clients should receive 10.10.5.x settings, gateway 10.10.5.1, and approved DNS. Any address from 192.168.0.x is a clue that another DHCP server or private network is present.

Physically inspect where the new device is connected. If the home router's WAN port is connected to the office LAN and users connect behind its LAN ports or Wi-Fi, those users may be placed behind a second NAT boundary. They may reach the Internet because the home router translates their traffic, but they may not reach office printers, file shares, or management tools because they are no longer on the same subnet and may be blocked by firewall behavior.

If the home router's LAN side is connected directly to the office LAN while its DHCP server is still active, it may hand out wrong addresses to random office clients. That creates intermittent symptoms because client results depend on which DHCP server answers first.

Switching symptoms differ from routing symptoms. If two wired users on the same switch and same subnet cannot reach each other, look at cable, port, VLAN, host firewall, or MAC learning. If local traffic works but Internet traffic fails, look toward the default gateway, firewall, NAT, ISP, or DNS. If only users connected through the added router have trouble reaching internal resources, the unauthorized router is likely changing the network boundary. That boundary may be physical, logical, or both.

The technician should not simply unplug equipment without considering business impact, but unauthorized consumer gear is a valid escalation item. Document the device model, where it is patched, which SSID it broadcasts, whether its DHCP service appears to be active, and examples of client IP settings from affected and unaffected devices. If local policy allows removal of unauthorized devices, follow that policy and retest. If not, escalate to the network owner or engineer with evidence.

The lesson is that device labels can mislead. A 'router' may include a switch and access point. A firewall may provide routing, NAT, DHCP, and DNS forwarding. An access point may bridge clients into a VLAN or route them into a separate network depending on mode. Use the diagram, port labels, IP settings, and symptoms to determine the active role before changing cables or settings.

Study Checkpoint

• Topic: Lab 5: Switch, Router, and Service Boundaries.
• Verify the official Cisco concept before memorizing a shortcut.
• Practice the technician action: observe, document, test, fix when supported, or escalate.