Networking Appliances and Where They Operate
Key Takeaways
- Network appliances are selected by function: forwarding, filtering, translating, optimizing, terminating, or observing traffic.
- Some appliances operate at more than one layer, so the scenario wording matters.
- A firewall may filter by IP, port, connection state, application behavior, or identity depending on capability.
- Load balancers, proxies, VPN concentrators, and wireless controllers often appear in design and troubleshooting scenarios.
- Placement matters: edge, DMZ, internal segmentation, access layer, data center, cloud, or branch.
Choose Appliances by Job and Placement
Network+ questions often describe a business need and ask for the device or service that fits. Start with the job: connect, segment, route, filter, inspect, translate, terminate, balance, monitor, or manage.
| Appliance | Common operating layer | Primary job | Typical placement |
|---|---|---|---|
| Hub | 1 | Repeat signals | Rare legacy environments or simple labs |
| Bridge | 2 | Connect LAN segments | Legacy or specialized segmentation |
| Switch | 2 | Forward frames by MAC address | Access layer and data center switching |
| Layer 3 switch | 2/3 | Switch locally and route between VLANs | Distribution/core or campus networks |
| Router | 3 | Forward packets between networks | WAN edge, branch, Internet edge |
| Wireless access point | 1/2 | Provide Wi-Fi radio access and bridge clients | Access layer |
| Wireless controller | 2/3/7 management | Manage APs, SSIDs, roaming, policies | Campus or cloud-managed wireless |
| Firewall | 3/4/7 | Enforce traffic policy | Edge, DMZ, internal segmentation, cloud |
| IDS | 3-7 observation | Detect suspicious traffic | SPAN/TAP, sensor path, cloud mirror |
| IPS | 3-7 inline | Block suspicious traffic inline | Between network zones |
| Proxy | 7 | Intermediary for application requests | Web egress, content filtering, caching |
| Load balancer | 4 or 7 | Distribute client sessions | In front of application pools |
| VPN concentrator | 3/4/7 depending on VPN | Terminate encrypted remote or site tunnels | Edge, cloud gateway, data center |
| Modem/ONT | 1/2 | Convert provider media/signaling | WAN handoff |
| Packet broker/TAP | 1/2 | Copy or aggregate traffic for monitoring | Monitoring fabric |
Firewall Types in Scenarios
| Firewall clue | Likely capability |
|---|---|
| Filters by source/destination IP and port | Packet filtering or stateless rules |
| Tracks established sessions | Stateful inspection |
| Understands web application behavior | Application-aware or next-generation firewall |
| Protects a web application from HTTP attacks | Web application firewall |
| Enforces policy between internal VLANs | Internal segmentation firewall |
Appliance Placement Scenario
A company hosts a public web application. It wants Internet users to reach only HTTPS, wants the web servers separated from the internal database network, and wants suspicious HTTP requests blocked before they reach the application.
| Requirement | Appliance or design choice |
|---|---|
| Allow public HTTPS only | Edge firewall rule or security group |
| Separate public-facing servers | DMZ or segmented application subnet |
| Block malicious HTTP requests | Web application firewall or application-aware inspection |
| Distribute users across web servers | Load balancer |
| Keep database private | Internal firewall/ACL and no direct Internet route |
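The scenario's network-layer rows (public HTTPS only, DMZ separation, private database) expressed as a first-match zone policy with default deny. This is an added example, not part of the original guide. The subnets, the database port 5432, and the function names are assumptions; the WAF and load balancer rows work at the application layer and are not modeled.

```python
import ipaddress

# Constructed zones for the scenario (addresses are illustrative assumptions).
ZONES = {
    "dmz": ipaddress.ip_network("10.0.10.0/24"),  # load balancer VIP and web servers
    "db": ipaddress.ip_network("10.0.20.0/24"),   # private database subnet
}

# First-match rules: (source zone, destination zone, protocol, port, action).
# "any" matches every zone or protocol; a port of None matches every port.
RULES = [
    ("internet", "dmz", "tcp", 443, "allow"),  # allow public HTTPS only
    ("dmz", "db", "tcp", 5432, "allow"),       # web tier to database (port assumed)
    ("any", "db", "any", None, "deny"),        # nothing else reaches the database
]

def zone_of(ip):
    """Map an address to a zone; anything outside the known subnets is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

def evaluate(src_ip, dst_ip, proto, port):
    """Return (action, index of matched rule); index None means default deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for i, (r_src, r_dst, r_proto, r_port, action) in enumerate(RULES):
        if r_src not in ("any", src) or r_dst not in ("any", dst):
            continue
        if r_proto not in ("any", proto):
            continue
        if r_port is not None and r_port != port:
            continue
        return action, i
    return "deny", None

# Constructed test flows: (description, source, destination, protocol, port).
FLOWS = [
    ("Internet HTTPS to web VIP", "198.51.100.7", "10.0.10.5", "tcp", 443),
    ("Internet HTTP to web VIP", "198.51.100.7", "10.0.10.5", "tcp", 80),
    ("Internet direct to database", "198.51.100.7", "10.0.20.9", "tcp", 5432),
    ("Web server to database", "10.0.10.5", "10.0.20.9", "tcp", 5432),
    ("Web server SSH to database", "10.0.10.5", "10.0.20.9", "tcp", 22),
]

def audit():
    """Evaluate every constructed flow and return {description: action}."""
    return {desc: evaluate(s, d, p, port)[0] for desc, s, d, p, port in FLOWS}
```

Calling `audit()` shows which flows the policy permits; the explicit deny ahead of the default makes a blocked database flow attributable to a specific rule in logs.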
Troubleshooting with Appliance Awareness
| Symptom | Appliance to check early |
|---|---|
| One VLAN cannot reach another | Layer 3 switch, router, firewall, ACL |
| Public site resolves but HTTPS times out | Edge firewall, load balancer, server listener |
| Users can browse but a specific category is blocked | Proxy or secure web gateway policy |
| VPN connects but internal routes fail | VPN concentrator route/policy, firewall, split tunnel |
| Wireless clients roam poorly | AP coverage, controller policy, channel plan |
The exam may say "best device" or "where should it be placed." Use layer, job, and traffic path together.
Which device is most appropriate for distributing HTTPS client sessions across multiple web servers?
Which devices commonly inspect or filter traffic between security zones? Select all that apply.
Match each appliance to its best description.