Networking Appliances and Where They Operate
Key Takeaways
- Appliances are chosen by function: forward, segment, route, filter, inspect, translate, terminate, balance, or monitor.
- Many appliances operate at more than one layer, so the scenario wording (clue words) decides the answer.
- Firewalls range from stateless packet filters to stateful, next-generation (NGFW), and web application firewalls (WAF).
- Load balancers, proxies, VPN concentrators/headends, and wireless LAN controllers dominate design and troubleshooting items.
- Placement matters: edge, DMZ (screened subnet), internal segmentation, access layer, data center, branch, and cloud.
Choose Appliances by Job, Layer, and Placement
N10-009 scenario questions describe a business need and ask for the best device or service. Solve them with three filters in order: the job (connect, segment, route, filter, inspect, translate, terminate, balance, monitor), the operating layer, and the placement in the traffic path. A device that is technically capable but in the wrong place is still the wrong answer, so read for placement words like "at the Internet edge," "between the web tier and the database," or "in the DMZ."
The blueprint groups these into networking devices, networked devices, and network functions virtualization. Networking devices forward or shape traffic (switch, router, firewall, load balancer); networked devices are endpoints that ride the network (VoIP phones, printers, cameras, IoT, and access points); and virtual or cloud appliances reproduce the same roles in software (a virtual firewall, a cloud load balancer, or a software-defined WAN edge).
The exam increasingly expects you to recognize that a function such as load balancing or firewalling can be a physical box, a virtual machine, or a managed cloud service, and that the chosen layer and job, not the form factor, decide whether it is the right answer.
| Appliance | Operating layer | Primary job | Typical placement |
|---|---|---|---|
| Hub | 1 | Repeat signals to all ports | Legacy/lab only |
| Switch | 2 | Forward frames by MAC | Access layer, data center |
| Layer 3 switch | 2/3 | Switch locally, route between VLANs | Distribution/core, campus |
| Router | 3 | Forward packets between networks | WAN/Internet edge, branch |
| Wireless access point | 1/2 | Provide Wi-Fi, bridge clients | Access layer |
| Wireless LAN controller (WLC) | mgmt 2/3/7 | Manage APs, SSIDs, roaming, RF | Campus or cloud-managed |
| Firewall | 3/4/7 | Enforce traffic policy | Edge, DMZ, internal, cloud |
| IDS | observe 3-7 | Detect and alert (out of band) | SPAN/TAP, sensor path |
| IPS | inline 3-7 | Detect and block inline | Between zones |
| Proxy / SWG | 7 | Intermediary, filter, cache requests | Web egress |
| Load balancer | 4 or 7 | Distribute client sessions | In front of server pools |
| VPN headend/concentrator | 3/4/7 | Terminate encrypted tunnels | Edge, cloud gateway |
| Modem / ONT | 1/2 | Convert provider media | WAN handoff (demarc) |
| TAP / packet broker | 1/2 | Copy/aggregate traffic to tools | Monitoring fabric |
Firewall Types in Scenarios
Before the firewall clue words, one related distinction is a classic trap: an IDS detects and alerts only and is deployed out of band on a SPAN port or TAP, while an IPS sits inline in the forwarding path and can drop the packet. "Block," "prevent," and "inline" point to IPS; "alert," "detect," and "monitor" point to IDS.
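The IDS/IPS distinction above is really about where the sensor sits, not how it detects. The following is an added example (not from the page or any vendor) that runs one signature engine in both deployment modes over constructed HTTP payloads; the signatures, traffic and addressing are assumptions made for the illustration. The out-of-band sensor only ever sees a mirrored copy, so its alerts arrive after the packet has already been delivered; the inline sensor's verdict decides delivery.

```python
import re
from dataclasses import dataclass, field

# Hypothetical signatures for the example: name -> pattern over the payload.
SIGNATURES = {
    "sqli-union-select": re.compile(rb"union\s+select", re.IGNORECASE),
    "xss-script-tag": re.compile(rb"<script", re.IGNORECASE),
}


@dataclass
class Sensor:
    """One detection engine; `inline` decides whether it is an IPS or an IDS."""
    inline: bool
    alerts: list = field(default_factory=list)  # (packet index, [signature names])

    def inspect(self, index: int, payload: bytes) -> list:
        hits = [name for name, rx in SIGNATURES.items() if rx.search(payload)]
        if hits:
            self.alerts.append((index, hits))
        return hits


def forward(packets: list, sensor: Sensor) -> list:
    """Deliver packets through the path the sensor is deployed in.

    IPS (inline): the verdict is taken before delivery, so a hit is dropped.
    IDS (out of band): the packet is delivered first; the sensor only ever
    receives a mirrored copy, so it can alert but never drop.
    """
    delivered = []
    for i, pkt in enumerate(packets):
        if sensor.inline:
            if not sensor.inspect(i, pkt):
                delivered.append(pkt)
        else:
            delivered.append(pkt)          # already on its way to the host
            sensor.inspect(i, bytes(pkt))  # SPAN/TAP copy, examined after the fact
    return delivered


# Constructed traffic: two benign requests, a SQL injection, an XSS probe.
TRAFFIC = [
    b"GET /index.html HTTP/1.1",
    b"GET /search?q=shoes HTTP/1.1",
    b"GET /search?q=1' UNION SELECT password FROM users-- HTTP/1.1",
    b"POST /comment body=<script>alert(1)</script>",
]


def compare() -> dict:
    """Run the same traffic past an IDS and an IPS and summarise the outcome."""
    ids, ips = Sensor(inline=False), Sensor(inline=True)
    return {
        "ids_delivered": len(forward(TRAFFIC, ids)),
        "ids_alerts": [i for i, _ in ids.alerts],
        "ips_delivered": len(forward(TRAFFIC, ips)),
        "ips_alerts": [i for i, _ in ips.alerts],
    }


if __name__ == "__main__":
    print(compare())
```

Both sensors raise the same two alerts; only the inline one changes what reaches the server. That is the whole exam distinction, and also why a real IPS in a latency-sensitive path needs a fail-open or fail-closed decision that an IDS never has to make.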
| Firewall clue word | Likely type |
|---|---|
| Filters by source/dest IP and port only | Stateless packet filter |
| Tracks established sessions/connection state | Stateful firewall |
| Decodes apps, IDs users, integrates IPS | Next-generation firewall (NGFW) |
| Protects a web app from SQL injection / XSS | Web application firewall (WAF) |
| Enforces policy between internal VLANs | Internal segmentation firewall |
Worked Placement Scenario
A company hosts a public web application. It wants Internet users to reach it only over HTTPS, the web servers isolated from the internal database, malicious HTTP requests blocked, and traffic spread across several web servers.
| Requirement | Best choice |
|---|---|
| Allow public HTTPS only | Edge firewall rule / security group on TCP 443 |
| Isolate public servers | DMZ (screened subnet) |
| Block malicious HTTP (SQLi, XSS) | Web application firewall |
| Distribute users across servers | Load balancer |
| Keep the database private | Internal firewall/ACL, no direct Internet route |
Notice that each requirement maps to a distinct control: the WAF (not the edge firewall) is what understands HTTP attack patterns, the load balancer (not the router) is what spreads sessions, and the internal firewall/ACL (not the edge rule alone) is what keeps the database reachable only from the web tier.
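The placement rules from this scenario, and the stateless-versus-stateful distinction from the firewall table, can be made concrete with a small zone-based policy evaluator. This is an added example, not code from the page or any firewall product; the addresses, zone prefixes and the database port (5432) are assumptions chosen for the illustration. It shows why a stateful firewall needs no explicit dmz-to-internet rule for the HTTPS replies, while a stateless packet filter with the same rule base would drop them.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical addressing for the scenario (assumed, not from the page):
# web tier in a DMZ, database in the internal network, anything else is
# treated as the Internet.
ZONES = {
    "dmz": [ip_network("203.0.113.0/24")],
    "internal": [ip_network("10.0.0.0/8")],
}


def zone_of(addr: str) -> str:
    """Map an address to its security zone; unknown space is the Internet."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    sport: int = 40000
    syn: bool = True  # True for a new connection attempt, False for a reply


@dataclass
class Rule:
    src_zone: str
    dst_zone: str
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


@dataclass
class Firewall:
    rules: list
    stateful: bool = True
    conns: set = field(default_factory=set)  # 4-tuples of allowed sessions

    def evaluate(self, pkt: Packet) -> str:
        """First-match rule base with an implicit default deny.

        In stateful mode a packet belonging to an already-allowed session
        (either direction) passes before the rules are consulted; that is
        what lets the server's reply through without a dmz->internet rule.
        """
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if self.stateful and (fwd in self.conns or rev in self.conns):
            return "allow"
        src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
        for rule in self.rules:
            if (rule.src_zone, rule.dst_zone) != (src_zone, dst_zone):
                continue
            if rule.dport is not None and rule.dport != pkt.dport:
                continue
            if rule.action == "allow" and self.stateful and pkt.syn:
                self.conns.add(fwd)  # remember the session for its replies
            return rule.action
        return "deny"


# Policy for the worked scenario: public HTTPS to the DMZ only, the web
# tier to the database only (port 5432 assumed), nothing from the Internet
# into the internal network.
SCENARIO_RULES = [
    Rule("internet", "dmz", 443, "allow"),
    Rule("dmz", "internal", 5432, "allow"),
    Rule("internet", "internal", None, "deny"),
]


def run_scenario(stateful: bool = True) -> dict:
    """Push the scenario's flows through the policy and return the verdicts."""
    fw = Firewall(SCENARIO_RULES, stateful=stateful)
    client, web, db = "198.51.100.7", "203.0.113.10", "10.0.5.20"
    return {
        "client_https": fw.evaluate(Packet(client, web, 443, sport=51000)),
        "client_http": fw.evaluate(Packet(client, web, 80)),
        "client_to_db": fw.evaluate(Packet(client, db, 5432)),
        "web_to_db": fw.evaluate(Packet(web, db, 5432, sport=52000)),
        # the web server's reply to the HTTPS client, dmz -> internet
        "https_reply": fw.evaluate(Packet(web, client, 51000, sport=443, syn=False)),
    }


if __name__ == "__main__":
    for mode in (True, False):
        print("stateful" if mode else "stateless", run_scenario(mode))
```

The only verdict that differs between the two modes is the reply packet: the stateless filter would need an extra rule permitting dmz-to-internet traffic from source port 443, which is exactly the kind of broad return-path rule that stateful inspection was introduced to remove.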
Troubleshooting with Appliance Awareness
| Symptom | Check first |
|---|---|
| One VLAN cannot reach another | L3 switch / router / firewall ACL |
| Public site resolves but HTTPS times out | Edge firewall, load balancer, server listener |
| A web category is blocked | Proxy / secure web gateway policy |
| VPN connects but internal routes fail | Headend route/policy, split tunnel, firewall |
| Wireless clients roam poorly | AP coverage, WLC policy, channel plan |
When the question says "best device" or "where should it be placed," combine layer, job, and traffic path; that combination is almost always what separates the correct answer from a plausible distractor.
A few distinctions are tested so often they deserve memorizing as pairs. A proxy acts on behalf of clients making outbound requests (forward proxy) or on behalf of servers receiving inbound requests (reverse proxy), while a load balancer specifically spreads inbound load across a server pool; many reverse proxies do both, which is why scenario wording about "caching and filtering web requests" leans proxy and "even distribution across identical servers" leans load balancer.
A router moves traffic between different IP networks, while a Layer 3 switch does the same job at wire speed inside a campus and is preferred for high-volume inter-VLAN routing. A modem or ONT marks the demarcation point where the provider's media is converted to Ethernet, so a question about "where the ISP hands off the circuit" points there. Finally, do not confuse a content/secure web gateway (policy on web egress) with a firewall (policy between zones); both filter, but their placement and intent differ. Matching the precise verb in the scenario to the precise device is what earns the point.
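The load balancer half of the proxy/load balancer pair is easiest to see in a small model of a virtual IP fronting a pool. This is an added example, not the page's material or any vendor's implementation; the VIP, the backend addresses and the probe are assumptions. It shows the behaviour the scenario wording hints at: even round-robin distribution across identical servers, health-check exclusion of a failed member, and the Layer 7 extra of pinning a session cookie to one backend.

```python
from collections import Counter
from dataclasses import dataclass, field
from typing import Callable, Optional


@dataclass
class Backend:
    addr: str
    healthy: bool = True


@dataclass
class LoadBalancer:
    vip: str                   # the single address clients connect to
    pool: list
    persistence: bool = False  # Layer 7: pin a session cookie to one member
    rr: int = 0                # round-robin cursor
    sticky: dict = field(default_factory=dict)

    def health_check(self, probe: Callable[[str], bool]) -> list:
        """Mark members with a caller-supplied probe; return the live ones."""
        for member in self.pool:
            member.healthy = probe(member.addr)
        return [m.addr for m in self.pool if m.healthy]

    def pick(self, cookie: Optional[str] = None) -> str:
        """Choose the backend for one new client session arriving at the VIP."""
        if self.persistence and cookie in self.sticky and self.sticky[cookie].healthy:
            return self.sticky[cookie].addr
        live = [m for m in self.pool if m.healthy]
        if not live:
            raise RuntimeError(f"no healthy backends behind {self.vip}")
        member = live[self.rr % len(live)]
        self.rr += 1
        if self.persistence and cookie:
            self.sticky[cookie] = member
        return member.addr


def distribute(lb: LoadBalancer, sessions: list) -> Counter:
    """Send sessions (a cookie value or None each) through the VIP; count per backend."""
    return Counter(lb.pick(cookie) for cookie in sessions)


def build_pool(persistence: bool = False) -> LoadBalancer:
    """Constructed pool: four identical web servers behind one VIP (addresses assumed)."""
    return LoadBalancer(
        vip="203.0.113.5",
        pool=[Backend(f"10.0.1.{n}") for n in (10, 11, 12, 13)],
        persistence=persistence,
    )


if __name__ == "__main__":
    lb = build_pool()
    print(distribute(lb, [None] * 8))
    print(lb.health_check(lambda addr: addr != "10.0.1.12"))
    print(distribute(lb, [None] * 6))
```

A forward proxy or secure web gateway would sit on the opposite side of this picture, terminating outbound client requests and applying category policy; nothing in this model filters or caches content, which is the clue that a question about "even distribution across identical servers" wants the load balancer.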
An organization needs to spread incoming HTTPS connections evenly across four identical web servers while presenting a single virtual IP. Which appliance best fits?
A security team wants a device that sits out of band on a SPAN port, generates alerts on suspicious traffic, but never drops packets. Which device is described?
Which appliances commonly inspect or enforce policy on traffic between security zones? Select all that apply.
Match each appliance to its best description.