Compare Physical Interface and Cabling Types CCNA

Physical interface and cabling types is another topic from the current CCNA exam blueprint. Network engineers must know what the physical connectivity options exist, understand their limitations in speed and bandwidth. Power over Ethernet (PoE) is another related and important topic, as many critical devices are now dependent on network-delivered power. Network vendors and IEEE work to identify and standardize new ways to support higher power demands.

CCNA Exam test knowledge of these topics:

1.3 Compare physical interface and cabling types

1.3.a Single-mode fiber, multimode fiber, copper

1.3.b Connections (Ethernet shared media and point-to-point)

1.3.c Concepts of PoE

This first section is dedicated to types of physical interfaces available in Cisco LAN switches. The further sections present cabling and POE details.

Physical Interfaces

Cisco network devices can have either fixed ports or hot-pluggable transceivers slots. Figure 1 shows a Cisco Catalyst 9200 switch with 48x 10/100/1000 copper POE-enabled ports and an extension module, C9200-NM-4X which provides 4x SFP/SFP+ slots (on the right).

Cisco Catalyst 9200 switch with 4x 10GE SFP module
Figure 1. Cisco Catalyst 9200 switch with 4x 10GE SFP module
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted

Different types of transceivers can be inserted into an SFP slot. For example, C9200-NM-4X module shown in Figure 1, can accept 1Gbps SFP modules and 10Gbps SFP+ modules. Figure 2 below shows SFP modules on the left and direct-attach Twinax copper cable on the right. This cable combines 2 connected SFPs and is a cost-effective way to connect devices in the same or adjacent racks.

SFPs and Direct-Attach Twinax Cables
Figure 2. SFPs and Direct-Attach Twinax Cables
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted

Modern Catalyst switches, such as Catalyst 9000 series, have 2 types of copper interfaces:

  • 10/100/1000Mbps
  • Multigigabit with speed up to 10Gbps

Both types of interfaces support several standards and can negotiate different speeds with the connected device. For example, 10/100/1000 copper ports of Catalyst 9200 switch shown in Figure 1 support 10Base-T, 100-BaseTX and 1000Base-T. Multi-gigabit ports can negotiate 100Mbps, 1Gbps, 2.5Gbps, 5Gbps, and 10Gbps.

802.3 Standards

IEEE 802.3 family of standards defines physical interface specifications for the wired Ethernet. The table below shows some of the 802.3 standards.

StandardSpecificationPhysical Media
802.310Base-TUTP Cat 3 or higher
802.3u100Base-TXUTP Cat 5 or higher
802.3ab1000Base-TUTP Cat 5 or higher
802.3z*1G over fiberDifferent types of fiber
802.3bzMultirate 2.5G/5GUTP Cat 5E or higher
802.3an10G Base-TUTP Cat 6 (55m), Cat 6A
802.3ae**10G over fiberDifferent types of fiber
802.3by25GbpsDifferent types of fiber, twinax
802.3ba40Gbps/100GbpsDifferent types of fiber, twinax

Table 1. 802.3 Standards, Speed and Physical Media

*802.3z standard is called Ethernet over Fiber-Optic at 1Gbit/s and references multiple other standards. The example of commonly used options are 1000Base-SX (multi-mode fiber) and 1000Base-LX (multi-mode/single-mode fiber). Check this Wikipedia article for the full list.

**Has references to multiple standards depending on fiber type. The most commonly used options are 10GBase-SR, 10GBase-LR. Check this Wikipedia article for the full list.

Small Form-factor Pluggable Transceivers (SFPs)

SFPs are network interface modules. Their specifications are developed and maintained by industry vendors group, i.e. not by IEEE. While the modules manufactured by different companies should be compatible, many vendors, including Cisco, support only their own branded SFPs. QSFP has a larger size and the picture below shows the difference between SFPs and QSFPs modules, as well as switch-side sockets. In this example, it is a Catalyst 9300 48-SFP+ port switch with a C9300-NM-2Q network module (accepting 2x QSFP+ modules).

Catalyst 9300 with SFPs (on the left) and QSFPs (on the right)
Figure 3. Catalyst 9300 with SFPs (on the left) and QSFPs (on the right)
Courtesy of Cisco Systems, Inc. Unauthorized use not permitted

The table below lists different types of SFPs along with the supported speed. To confirm if a specific module can be used in a specific Cisco device use the transceiver compatibility tool available here.

SFP1 Gbps
SFP+10 Gbps
SFP2825 Gbps
QSFP40 Gbps
QSFP2840/100 Gbps
QSFP-DD100/400 Gbps

Table 2. SFPs and Speed

Unshielded Twisted Pair

Copper connectivity is based on Unshielded Twisted Pair (UTP) cabling of different categories. A higher category number refers to the newer standard and better parameters. An Ethernet cable consists of 8 wires, which are twisted together in pairs. The maximum distance for copper cabling is 100m. The connector is called 8P8C and also commonly referred to as RJ45.  There are 2 standards defining how individual wires are terminated within the connector – T568A and T568B. Refer to Wikipedia article for further information on pin-outs.

End devices have MDI (Medium Dependent Interfaces) ports and switches have MDI-X ports. -X means that the receive and transmit pairs are switched. To connect MDI to MDI-X straight-through cable is used. This cable has connectors with the same pin-out scheme used on both sides – either T568A or T568B. To connect MDI to MDI (host to host back-to-back), or MDI-X to MDI-X (switch to switch) crossover cable is required. A crossover cable has a connector with T568A pin-out on one side and T568B pin-out on another side.

Many modern switches can automatically switch their ports between MDI-X and MDI. They can use straight-through cables to connect to each other and don’t require a crossover cable.

Optical Fiber

Optical fiber cabling is usually more expensive to install, however, it has many benefits when compared to copper. In most cases, fiber cables can provide higher bandwidth over greater distances.

Fiber cabling is divided into 2 types:

  • Multi-mode with categories of cables OM1, OM2, OM3, OM4 and OM5
  • Single-mode of two types – OS1 and OS2

A fiber cable has a core and cladding around it. Multi-mode cable’s core is either 50 or 62.5 micrometers in diameter with 125 micrometers cladding. For comparison, human hair has a diameter between 20-40 micrometers. Single-mode cable’s core is thinner – between 8 and 10.5 micrometers in diameter with the same size 125 micrometers cladding. Multi-mode transmitters use a wavelength of 850nm and 1300nm; single-mode is 1310 or 1550 nm based. Cisco publishes information for each SFP on maximum supported distance based on cabling characteristics. These datasheets can be accessed via the Cisco transceiver compatibility tool. A very detailed comparison table of multimode cables is available here.

Single-mode cabling can cover much greater distances than multi-mode cables. See “Modal dispersion” article on Wikipedia explaining physics behind this.

Multimode OM numbers, as UTP categories, are better with larger number and provide better speed and distance. Single-mode OS1 is for indoor use/shorter distances and OS2 is for outdoor/long distance-use.


Cisco fiber SFPs and some QSFPs have a duplex LC connector. Some QSFPs can also have MPO connectors. Check this article on Wikipedia with photos and specifications of different types of connectors.

Power Over Ethernet (POE)

Cisco Catalyst switches perform role of Power Sourcing Equipment (PSE). Cisco IP Phones, Access Points and other end devices are Powered Devices (PDs). Standards and data sheets usually list 2 power values: 

  • delivered on the switch port (PSE)
  • received at the end device (PD)

The value at PD is always smaller than at PSE due to the power dissipation in cabling.


Cisco introduced its proprietary technology before IEEE standardized the POE. Cisco inline power can provide up to 10W at the PSE. Switch sends a fast link pulse to detect power enabled device, which then sends a link pulse back. The switch and device negotiate the final power level via Layer 2 capability exchange protocol – Cisco Discovery Protocol (CDP). Original Cisco inline power switches and end devices reached their End-Of-Support dates a long time ago and are replaced with newer platforms using POE standards described below.

In 2003 IEEE released the first POE standard – 802.3af. The standard isn’t compatible with Cisco’s proprietary implementation. PSE can deliver a maximum of 15.40W with available power at PD of 12.95W. This specification defined PD detection and classification mechanisms using electrical signaling. PD has an option to signal to the switch which class it belongs to. With this information, the switch knows how much power it should deliver. As table 3 shows, 802.3af defined 3 classes and class 0, which means that no classification is supported.

Power (PSE side)SpecificationClass
4WIEEE 802.3af Type 1Class 1
7WIEEE 802.3af Type 1Class 2
10WCisco inline-power
15.4WIEEE 802.3af Type 1Class 3
15.4WIEEE 802.3af Type 1Class 0 (not classified)
30WIEEE 802.3at Type 2Class 4
45WIEEE 802.3bt Type 3Class 5
60WIEEE 802.3bt Type 3Class 6
60WCisco UPOE
75WIEEE 802.3bt Type 4Class 7
90WIEEE 802.3bt Type 4Class 8
90WCisco UPOE+

Table 3. POE Wattage and Associated Standards

In 2009 IEEE released the new 802.3at standard. Devices supporting it were called Type 2 or POE+. PSEs and PDs complying with earlier 802.3af standard were labeled as Type 1 devices. 802.3at provides up to 30W/25.50W of power. Power levels of 30W and higher have additional stage negotiations using either electrical signals or layer 2 capability exchange protocols, such as LLDP and CDP.

Standard is backward compatible and supports 802.3af Class 1-3 devices. New Class 4 is allocated for 30W devices. 802.3at is widely used. Current generation of access switches, such as Catalyst 9200, and modern access points supporting it. Both 802.3af and 802.3at use only 2 pairs of wires in 4-pair UTP cable to provide power.

New use cases emerged, for example, smart buildings with POE-enabled lighting and network-powered display screens. These devices demanded more power. In 2011, Cisco introduced proprietary Universal Power over Ethernet (UPOE) technology to support up to 60W with the use of all 4 pairs in UTP cable. IEEE released 802.3bt standard in 2018 with up to 90W of power at PSE. The standard introduced Type 3 devices (60W) and Type 4 devices (90W). IEEE standard also made use of all 4.

Cisco UPOE and IEEE Type 3 both deliver 60W but operate differently. Cisco publishes a list of UPOE Catalyst switches and line cards that comply with 802.3bt. Cisco proprietary UPOE+ was released to support 90W. UPOE+ switch modules can support 802.3bt Type 4 devices.

Some switches and line cards from Catalyst 9300 and 9400 families support UPOE and UPOE+. Catalyst 9200 switches support only POE+ (802.3at).

Self-test Questions

What are the 2 types of copper ports Catalyst 9000 series switches support?
• 10/100/1000Mbps

• Multigigabit – 100Mbps and 1/2.5/5/10Gbps
What are 2 types of fiber cabling?
• Multi-mode (OM1, OM2, OM3, OM4 and OM5)

• Single-mode (OS1 and OS2)
What are 2 roles a device can perform in POE configuration?
• Power Sourcing Equipment (PSE) – the switch providing power

• Powered Devices (PDs) – end device consuming power

Explain Role and Function of Network Components – Part 3 – Routers, Firewalls, and IPSs

This is the third article about the roles and functions of different network components (clock on the links for the first and second parts). In this part we will discuss operations of devices deployed on the network edge – Routers, Firewalls and Intrusion Protection Systems (IPSs).

Network edge provides connectivity between the company’s branch offices, data centers, remote workers, business partners, and the Internet. These devices must support a variety of transport technologies and provide security services.

There are two main types of edge connectivity:

  • Internet
  • WAN

Internet connectivity due to its public nature needs higher security control and devices such as firewalls, IPSs are usually deployed to enable the perimeter protection. Wide Area Network (WAN) in many environments was traditionally considered as a trusted network with only routers installed at the edge of each campus and branch.

In general, WAN links are more expensive and may not be available at every location. WAN connectivity is usually backed by agreed service level contracts and has guaranteed bandwidth and predictable latency. On the other hand, Internet links are cheap and offer more bandwidth, but no end-to-end service performance guarantees.

VPN tunneling over the Internet is used as a backup WAN connectivity method in many networks. Newer technologies, such as Cisco SD-WAN often use several Internet connections – as primary and backup WAN transport. SD-WAN routers can actively monitor links performance end-to-end and re-route traffic automatically based on the configured policy.

With these trends, the dividing line between WAN and Internet becomes less clear. Implementing security services on SD-WAN routers or installing firewalls behind it can be a reasonable choice.


The main function of a router is to perform Layer 3 forwarding or in most networks route IP (or IPv6) packets. Routers can run dynamic routing protocols to find the best paths to remote networks.

As we discussed in part 1 of this series, a Layer 3 Switch performs a similar function.

What is the difference between a Layer 3 switch and a router?

Historically, switches performed only Layer 2 functions and routers were responsible for Layer 3 operations. Topologies, such as router on a stick for inter-VLAN routing, were often deployed. Figure 1 displays a sample network demonstrating how the traffic between VLAN 10 and VLAN 20 hairpins via a router.

Figure 1. Router on a stick
Figure 1. Router on a stick

With the introduction of Layer 3 functionality in switches, inter-VLAN routing functionality was moved to them from routers. The term Layer 3 switching is used to describe fast, hardware-accelerated routing.

For example, aggregation-level router, such as Cisco ASR 1002-HX has a performance of up to 78Mpps, which is outperformed by the entry-level Catalyst C9200-24PXG access switch capable of switching up to 262 Mpps (million packets per second).

There is a balance between flexibility and performance. Routers are capable of providing more services and this is the reason they have lower layer 3 processing performance numbers. For example, routers support many types of WAN links (such as DSL variations and 4G LTE), can accept full Internet routing table, provide advanced QoS capability and application awareness, perform firewall zone-based services, establish VPN tunnels, act as voice gateways and many other features.

Cisco website has a tool called Feature Navigator that allows us to look up a feature that a specific platform or software version provides.

Cisco router product portfolio

Cisco routers can be grouped based on the type of location where they are typically deployed:

  • Branch routers: ISR 900, ISR 1000, ISR 4000, Meraki MX
  • WAN aggregation: ASR 1000, NCS 5000/5500
  • Datacenter and clouds: CSR 1000v, Meraki vMX100
  • Service provider routers: ASR 1000, ASR 9000, Cisco 8000 Series

Cisco router software

Previously, all enterprise Cisco routers were running the Cisco IOS software. It is now mostly replaced by IOS-XE. ISR 900 models are the only devices in the current product line that use IOS.

IOS-XE is IOS’s successor and the majority of enterprise-level devices, including ISR 1000, ISR 4000, ASR 1000 and CSR 1000v, are running it. IOS-XE is based on Linux kernel with IOS being a process called IOSd. IOS-XE and IOS share command-line syntax.

Enterprise platforms running IOS-XE can also run the SD-WAN version of the software, which allows the router to be managed by SD-WAN controllers (more information about SD-WAN platforms is available here).

Service provider routers, such as NCS 5000/5500 and ASR 9000 are running IOS XR software.

Self-test question: What are the functions of a router?
• Layer 3 (in most cases IP or IPv6) traffic forwarding
• Maintains remote network reachability information via static configuration or dynamic exchange with other routers
• Supports a wide variety of interfaces, such as Ethernet, DSL, and LTE
• Has application visibility and ability to apply granular Quality of Service policies
• Provides different services, such as VPN, firewall and VoIP services

Firewalls and Intrusion Protection Systems (IPSs)

Let’s start this section by describing the logical functions of a firewall and an intrusion protection system.

Cisco firewall and IPS functions

A firewall evaluates traffic against configured ruleset and then allows or blocks it. A stateful firewall keeps track of allowed connections and can recognize return traffic, i.e. being part of an existing session, so it can be allowed too.

An Intrusion Protection System performs the security policy enforcement on transit traffic by either comparing its content to a set of patterns or by analyzing its behavior. These pre-defined patterns are called signatures and must be regularly updated.

Traditional firewalls and IPSs

Cisco product line used to have two different types of devices – one performing the firewall functions and another one was responsible for intrusion protection. Cisco PIX and its successor ASA (and routers with security feature set enabled) were performing traditional stateful firewall functions. They had some a limited IPS feature set too. However, for the full IDS/IPS functionality, Cisco IPS appliances and hardware modules were required. After SourceFire acquisition, its standalone IPS products were also added to Cisco’s product line.

Cisco provided integration options, however, they were based on two separately managed systems running in parallel. For example, ASA could accept an expansion module providing IPS functionality connected via ASA’s backplane. Later, hardware modules were replaced by virtual software processes using ASA as a host.

Next-Generation firewalls

Many security vendors took an approach of closely integrating both types of features in a single device, which became known as a Next-Generation Firewall (NGFW). Cisco also released a unified software platform that inherited ASA code as a stateful firewall engine and Snort IPS as intrusion protection system. This software is running on the current NGFW platforms and is called Firepower Threat Detection (or FTD).

In addition to stateful firewall and IPS functions, Next-generation firewalls can also provide remote and site-to-site VPN services, malware protection and URL filtering. The intelligence behind FTD NGFW services is provided by Cisco’s TALOS group that collects and analyzes threats to develop definition updates.

All FTD software platforms can be centrally controlled by Firepower Management Center. Smaller models can be configured locally with Web-based Firepower Device Management.

Cisco firewall and IPS product portfolio

Current Cisco’s firewall and IPS product portfolio includes:

  • Firepower 1000/2100 (ASA or FTD image; locally or centrally managed)
  • Firepower 4100/9000 (ASA or FTD image; only central management for FTD)
  • Cisco NGFWv (virtual FTD – hypervisors and public clouds)
  • Cisco ASAv (virtual ASA – hypervisors and public clouds)
  • Cisco NGIPSv (for VMware)
  • ASA 5500-X
  • Meraki MX

Firewall deployment modes

Firewalls and IPSs are typically deployed on the network boundary with external networks, such as the Internet. Cisco NGFWs support 2 deployment modes:

  • Routed
  • Transparent
Figure 2. Firewall Routed vs Transparent Deployment Modes
Figure 2. Routed vs Transparent Deployment Modes

In routed mode, a firewall acts as a Layer 3 device, with each interface is assigned an IP address. Example in Figure 2 has NGFW in the routed mode option on the left. Notice that the workstation uses the INSIDE interface of the firewall as its default gateway.

On the right side, NGFW operates in transparent mode and performs the role of a Layer 2 device. It must be placed between the local network and the router, as there is no explicit configuration on the workstation, such as default gateway configuration to force the traffic to traverse the firewall.

The diagram shows that the transparent firewall is physically connected to the router ensuring that non-local traffic is not able to bypass the firewall.

In cases when such connectivity is not possible, so-called VLAN stitching can be used. To implement it, the connection between the router and the firewall external interface is allocated to different VLANs, which are stitched together by the firewall.

Self-test question: What are the functions of a Next-Gen Firewall?
• Enforce security policy by blocking or allowing packets
• Perform deep packet analysis with application awareness to provide intrusion protection
• Provide additional services, such as VPN, Malware protection and URL filtering
Self-test question: What are two deployment modes of a Next-Gen Firewall?
• Routed mode. In this mode, firewall operates similar to a router and has different IP addresses on interfaces
• Transparent mode. In this mode operates as a network switch and don’t have IP addresses assigned to data interfaces

Explain Role and Function of Network Components – Part 2 – Cisco Access Points and WLCs

This is the second part of the series of articles about the roles and functions of different network components (the first part is available here). In this part, we will discuss the operations of Cisco Wireless Access Points (APs) and Cisco WLAN Controllers (WLCs).  The purpose of this blog post is to explain what a Cisco-based wireless network consists of and how these elements interact with each other.

Wireless Standards

IEEE 802.11 set of standards defines Layer 1 and Layer 2 operations of wireless networks. The latest standard that Cisco Access Points support at the time of writing is 802.11ax (Wi-Fi 6).

IETF’s RFC 5415 standardizes communication protocol between a WLC and an Access Point – Control And Provisioning of Wireless Access Points (CAPWAP).

Access Points (APs)

Wireless clients connect to an Access Point to communicate with each other and with the devices on the wired network that the AP is connected to. Single Access Point forms a BSS (Basic Service Set), which is identified by its MAC address.

Access Point advertises one or many wireless networks identified by an SSID (Service Set ID). A WLAN can be mapped to a VLAN on the wired side of an access point.

ESSID is the same wireless network, as identified by an SSID but advertised by multiple Access Points that are connected to the same wired network.


The current portfolio of Cisco Access Points is represented by:

  • Wi-Fi 6 (802.11ax) models, such as Catalyst 9115, 9117, 9120 and 9130
  • 802.11ac Wave 2 models, such as Aironet 1815, 2800, 3800 and 4800
  • Outdoor and Industrial, such as Aironet 1540, 1552, 1560 and 1570
  • Meraki MR45 and MR55
  • Small Business 100, 300 and 500 series

Cisco website provides a selector tool that performs a side-to-side comparison of different AP and controller models. It can be accessed via this URL.

Autonomous vs Lightweight APs

Access Point’s mode of operations can be either Autonomous or Controller-based. Let’s consider the difference between management, control and data planes for Access Points operating in different modes to understand their functions.

Management Plane

The management plane deals with the static configuration of Access Points. APs in autonomous mode can be managed directly via Web interface or CLI. In contrast, controller-based APs don’t allow direct configuration changes and, instead, are managed by the controller, which provides a centralized interface for an administrator. The controller is not always a dedicated physical or virtual appliance, it can also be cloud-based service (Meraki) or even another access point (Mobility Express and Embedded WLC).

Control Plane

The control plane is responsible for dynamic access point operations, such as radio parameters management and user authentication. Autonomous APs perform all these tasks on their own. Controller-based (or Lightweight) APs shift these tasks to the controller. For example, a controller can instruct access points to change a radio channel and decrease transmit power, as it can make more informed decisions based on data received from several adjacent access points in the network.

Data Plane

The Data plane is responsible for moving data between wireless clients and the wired networks. An autonomous AP switches data directly to the wired network based on its SSID-to-VLAN mapping. Lightweight APs have different mode operations which define how they switch data:

  • Local or Split MAC mode. In this mode, all user data traffic is tunneled to WLC
  • FlexConnect – central switching mode. Data plane is similar to local mode, however, some traffic can be switched locally. When the controller is not reachable, AP operates as an autonomous AP
  • FlexConnect – local switching mode. Data plane is similar to autonomous AP, which switches traffic locally to wired network based on configured SSID-to-VLAN mapping using 802.1q tagging
  • SD-Access mode. In this mode, AP connects to the SD-Access Edge switch and transmits data via SD-Access fabric using VXLAN encapsulation (check this link for more information on SD-Access).
Self-test question: What are the functions of an Access Point?
• Advertises one or more wireless networks identified by SSIDs and allows wireless clients to connect to these networks

• Allows wireless clients to communicate with each other and access wired network
Self-test question: What are the two modes of Access Points operations and their difference?
• Autonomous. Standalone Access Point that operates independently and is individually managed

• Lightweight or controller-based. Requires a controller to perform management and control plane tasks. Data plane operations may be performed locally or tunneled to WLC

Wireless LAN Controllers (WLCs)

Managing a number of autonomous APs is getting more difficult as device number grows, as the configuration must be consistent across many devices. WLCs solve this problem by providing centralized management of the wireless network.


Current Cisco portfolio of controllers consists of:

  • WLC 3504 (AireOS)
  • WLC 5520 (AireOS)
  • WLC 8540 (AireOS)
  • Mobility Express on APs (AireOS)
  • Catalyst 9800 series (IOS-XE): 9800-L, 9800-40, 9840-80, 9800-CL (virtual)
  • Embedded WLC on APs and Switches (IOS-XE)

The recently released versions of WLCs can be compared using the same tool shown in the Access Points section.  


Cisco Wireless LAN Controllers were traditionally running AireOS software. The Cisco controller-less solution with the WLC role performed by an 802.11ac Access Points is called Cisco Mobility Express.

Newer controllers are now IOS-XE software-based. New Catalyst 9100 Access Points can run the WLC role and this newer IOS-XE based solution is called Embedded Wireless Controller. Based on the fact that new controllers are IOS-XE based, AireOS most likely will be replaced by IOS-XE. A feature comparison of both platforms can be found here.

A controller can have multiple functions depending on types of the deployment. The next sections discuss available options.

Meraki cloud-based management

Meraki MR APs are first associated with their serial numbers with Meraki Cloud, which provides management access for the wireless LAN deployment. The AP-to-Controller communication is out-of-band and Meraki MR APs will continue to function when connectivity to Meraki Cloud is lost. During connectivity outages ability to perform configuration changes is not available.

No user data is being transferred through Meraki Cloud infrastructure. Security operations, such as authentication are performed by Meraki Access Point locally. For example, RADIUS authentication requests for WPA2 Enterprise are being sent directly from an access point.


This type of deployment is suitable for large campuses, where sufficient infrastructure exists for the controller to be deployed locally. In this scenario, controllers are actively participating in data forwarding. Access Points establish CAPWAP tunnels to the controller. One tunnel is used for the control plane and another carries encapsulated data payload.

From a wired network perspective, all wireless users traffic is originating from WLC’s LAN interface. This simplifies the configuration of switching infrastructure, as access point facing ports no longer require 802.1q trunk configuration and maintenance of allowed VLANs on that interface. Such ports can be configured as access ports. CAPWAP traffic is unicast UDP traffic between the AP and the WLC.

Figure 1 shows a simplified view of the traffic flow with the split MAC. If A sends a frame to C, AP will send it over the CAPWAP tunnel (in yellow) to WLC. AP and WLC can be in different VLANs, as CAPWAP is IP routed traffic. WLC will de-capsulate it and send it on its LAN interface connected to port 2 of the switch. The switch will learn the MAC address of A via port #2 (facing WLC).

Figure 1. Split MAC Traffic Flow
Figure 1. Split MAC Traffic Flow

Split-MAC configuration usually offers faster roaming when the user moves from one access point to another. There are some associated drawbacks, such as the requirement to maintain a dedicated WLC, and bandwidth scaling limits imposed by the controller’s platform and increased dependency on the WLC, as Lightweight Access Points cannot operate without an active connection to it.


The WLC and access points also support FlexConnect mode of operation. It allows Lightweight Access Point to locally switch some or all of the user traffic instead of sending it to the controller via the CAPWAP tunnel. This mode’s purpose is to decrease the amount of traffic that needs to be sent to a controller from the branch offices.

WLC appliances support 2 modes – Central Switching and Local Switching.

When WLAN is configured to use Central Switching, traffic from an AP is still tunneled to WLC, however, local-site traffic can be enabled for local switching by configuring Split Tunneling. When there is an active connection between WLC and AP, it is in Connected Mode. When the connection is lost, AP moves into a standalone mode and performs switching locally.

AP in FlexConnect Local Switching mode switches all traffic locally, even when AP can reach WLC. It is similar to the operation of autonomous APs which also switches traffic locally by mapping SSIDs to VLANs. Access Points are still controlled by WLC retaining the benefits of centralized management.

Figure 2. FlexConnect Local Switching Traffic Flow
Figure 2. FlexConnect Local Switching Traffic Flow

Embedded WLCs (and Mobility Express) rely on FlexConnect Local Switching operation, as there is no benefit in sending encapsulated data over the tunnel to another Access Point that performs the role of WLC.

SD-Access Mode

SD-Access fabric-integrated WLC actively participates in the fabric operation via the control plane integration. For example, a WLC can update host tracking databases of the edge switch when a client registers, so this information is then distributed via a fabric LISP-based control plane.

WLC controls fabric-integrated access points perform the same functions as non-fabric WLCs, plus fabric specific operations. For example, a WLC provides an Access Point with VXLAN information (VNI) during client registration. By integrating with Cisco ISE, WLC can also provide AP with security tags (SGTs), so the policy can be enforced upstream.

In fabric mode, a WLC doesn’t participate in the data plane operation and all data is encapsulated locally by the fabric access point.

Self-test question: What are the functions of a WLC?
• Provide centralized management of the wireless network

• In some modes of operation transmit user traffic received from APs via CAPWAP tunnel
Self-test question: What are two types of the Cisco WLCs software?
• AireOS. This is the traditional Cisco WLC platforms software

• IOS-XE. New controllers are based on this version of the software
Self-test question: What is Split-MAC WLC mode of operation?
• An Access Points sends all user traffic to WLC where it breaks out centrally

The 3rd part of the series is now available.

Explain Role and Function of Network Components – Part 1

This blog post provides an overview of different network components and their role and functions. The article’s target audience is CCNA candidates and students looking for introductory information about computer network components. In this first post of the 3-article series, we will start by exploring the functions of endpoints and servers. Then the section about LAN switches will follow focusing on the difference between Layer 2 and Layer 3 switch operation.

Endpoints and Servers

The purpose of the infrastructure that the network devices create is to connect endpoints, such as computers, laptops, mobile and IP phones, and servers. A typical endpoint usually runs client applications, for example, a web browser and mail client that interact with the users. These network-enabled applications use services provided by network protocol stacks, drivers, and hardware components.

Out of all network components, endpoints have the most obvious role – they generate useful network payloads, such as digitized voice or Excel spreadsheets that are being transmitted over the network. And their function is to interact with a user, follow specific standards and protocols, so the transmitted data can be decoded on the receiving side of the connection.

Endpoints have an Operating System, which interacts with physical hardware using drivers. Operating System manages networking stack and provides APIs, so the application developers can work with the network without having to program low-level hardware components.

The most common type of wired connectivity is Ethernet, which is described by multiple IEEE 802.3 standards. Wireless communication is defined by IEEE 802.11 standards. Both types of connections use the same addressing, which is used to send frames between devices on the same network. Usually, this type of communication is referred to as Layers 1 and Layer 2 operations of the 7-layer OSI reference model. Layer 1 deals with physical specifications, such as electronic signals transferred over the wire. Layer 2 uses services provided by Layer 1 and is responsible for data framing and addressing.

Figure 1. OSI 7-Layer Model
Figure 1. OSI 7-Layer Model

Almost all OS stacks support and prefer one of two versions of IP protocol (IPv4 or IPv6). Each endpoint is assigned with an IP address that is used for addressing when a packet needs to be transmitted over multiple physical networks. This type of communication is referred to as Layer 3 connectivity.

There are two IP protocols operating on Layer 4 – Transport Control Protocol (TCP) and User Datagram Protocol (UDP). A connection or flow between two devices is identified by source and destination port (both TCP and UDP use concept of ports). Connection is usually initiated by a client. Servers wait for new connections to be established by listening on a specific port. TCP port 0 to 1023 are well-known ports allocated to the specific applications. Client-side uses dynamically allocated ports.

Layer 2 Switches

CCNA blueprint doesn’t include Ethernet hubs, as there are now fully replaced by the switches. However, it is still helpful to understand the way a hub operates to understand the benefits that Layer 2 switches provide.

Early Ethernet network technologies were either bus or star topology-based. Bus topology would have end devices sequentially connected to each other with a coaxial cable. A hub allowed building a star-like topology where all UTP (twisted pair) cabling would terminate in a single location with the hub being the center of the star. In both cases, the network was shared medium and each machine must first listen if there is an active transmission on the network before sending any traffic on its own.

If 2 devices send traffic at the same time a collision occurs and both devices pause for some random amount of time before trying again. Such mode of operation is called CSMA/CD (Carrier-Sense Multiple Access with Collision Detection).

Hubs create a collision domain by re-sending traffic to every port except the ingress one, which makes total available bandwidth smaller as the number of devices increases.

Layer 2 switch solves the issue of sending traffic to all ports by inspecting incoming traffic and learning addresses of devices behind each port, so it can then send unicast traffic through the correct port, as opposed to flooding. BUM traffic (Broadcast, Unknown Unicast and Multicast) is still sent out of all ports. Switches also can store some amount of traffic in its buffers if there is more traffic to be sent than the port’s available bandwidth.

Endpoints connected to a switched port don’t need to listen if other hosts on the network are sending traffic and can send data at any time. Such ports are operating in full-duplex and will not experience collisions as the devices connected to hub ports.

Ethernet Layer 2 switches are usually placed at the access level with the end-users, phones, and printers connected to them. Most of the Cisco Ethernet switches have 24 or 48 ports.

In the topology shown below, the switch uses only hardware MAC address information to forward frames. Both PCs and servers will also have Layer 3 address, such as IP or IPv6, however, for a Layer 2 switch operation, this information is not being processed for traffic forwarding.

Figure 2. Layer 2 Switch Operation
Figure 2. Layer 2 Switch Operation

Layer 2 switches provide connectivity between hosts on Layer 2 with connected endpoints sharing the same broadcast domain and IP subnet. All 3 devices in the figure above are in the same VLAN and can communicate with each other. The switch will maintain a table of MAC address to port mappings.

Layer 2 switch can create broadcast domain boundaries by placing a group of ports into different VLANs, but it cannot provide communication between these domains. In the sample topology below A and B (ports 1 and 2) are in VLAN 10 and communicate with each other. C and D (ports 3 and 4) are in VLAN 20 and can also communicate with each other. There is no communication between VLAN 10 and VLAN 20 possible with only Layer 2 switch.

Figure 3. Layer 2 Switch Operation - VLANs
Figure 3. Layer 2 Switch Operation – VLANs

A layer 3 device is required to perform this function. In the campus network, it is the responsibility of a Layer 3 switches to provide connectivity between VLANs.

Self-test question: What are the functions of Layer 2 switch?
• Provide wired full-duplex connectivity to the end users and phones

• Divide collision domains. Each port is a separate collision domain

• Ability to create isolated broadcast domains with VLANs

Layer 3 Switches

Layer 3 switches traditionally were placed at the distribution level, however, in modern networks routed access becomes more common. Almost all current Cisco switching platforms can perform inter-VLAN routing and can act as Layer 3 switches on the network. Therefore, the distinction between Layer 2 and Layer 3 switches is in their configuration, not the specific model.

Layer 3 switching is essentially IP routing or packet forwarding based on Layer 3 addressing. Modern Layer 3 switches perform routing in hardware and can provide very high throughput comparable to Layer 2 switching. However, Layer 3 switches have a smaller feature sets when comparing to routers, which can usually be found at the WAN edge of the network.

To perform its operation Layer 3 switch must have either a logical interface in VLANs that it routes for or a physical interface with IP address assigned to it.

Switched Virtual Interface (SVI) is a logical interface named after VLAN it is connected to. It has an IP address allocated to it, to provide routing for this VLAN clients. As shown in the diagram below, Layer 3 switch has 2 SVIs – VLAN10 and VLAN20. Notice that now devices are shown with IPv4 addresses allocated to them instead of hardware MAC addresses, as this is the information relevant for Layer 3 switch operation.

Layer 2 operations are still performed in exactly the same way as described in the Layer 2 switch section. For example, if the workstation A sends a packet to the server B, no routing is required and Layer 2 forwarding is used to deliver the frame.

If host A will try to communicate to host D inter-VLAN routing will be performed by the switch, which will involve two-step process – Layer 2 communication between host A and switch VLAN 10 SVI; and another one between switch’s VLAN 20 SVI and the server D.

Figure 4. Layer 3 Switch Operation – SVIs

Physical IP interfaces are usually used on transit segments. Consider the topology shown in the next diagram. Switch connects to two routers. A point-to-point subnet of /30, which can accommodate only 2 hosts, has been to allocate to each of the connections. We now have two configuration options. The top router is connected via Layer 2 port which is a member of VLAN 254. We then create an SVI on the L3 switch for VLAN 254. As we assigned only a single Layer 2 port to this VLAN, the connection is point-to-point. This is similar to the previous example.

The second option is to configure the physical port, in our case, it is GigabitEthernet1/0/10 as Layer 3 port. We don’t have to consume a VLAN ID and configuration is contained within a single interface.

Figure 5. Layer 3 Switch Operation – L3 Interfaces
Self-test question: What are the functions of Layer 3 switch?
• Can perform all functions of Layer 2 switch

• Performs high-speed routing between VLANs

• Traditionally deployed at distribution layer of the campus network

• Can be deployed at the access layer when routed access design is used

In the second part of these series of articles, we will discuss the operation of another type of LAN device which provides connectivity to the wireless clients – Access Points. Wireless LAN Controller functions will also be presented.

The third part of this series will be dedicated to devices that are usually found at the edge of the network, such as routers, firewalls, and IPSs.

DNA Center is introduced in its own article.

Reference materials

Cisco SD-Access

Collapsed core and three-tier architecture

Cisco Certification Changes

Cisco Certification Levels
Cisco Certification Levels

This blog post provides information about the Cisco certification program after the February 2020 update, which has not only affected exam blueprints but also consolidated and renamed many certification tracks. In summary, the changes made are:

  • Previous multiple CCNA tracks are now discontinued. Only a single track is called CCNA, i.e. no more CCNA specializations. Associate-level DevNet and CyberOps certifications are still available, however, CCNA is removed from their name.
  • Design-focused associate and professional tracks (CCDA and CCDP) have been removed.
  • Different CCNP tracks are still available. CCNP status now requires passing only 2 exams: a core and one of the concentration exams which can be selected.
  • Introduction of multiple specialist certifications. Every concentration exam from the CCNP track also earns a specialist certification.
  • Various CCIE tracks are still available with some adjustments. The lab format is changed. The written exams are now replaced with the core exams, which are shared with the corresponding CCNP track.

Entry-level Certification

CCT Certification
CCT Certification

CCT Data Center and CCT Routing and Switching

Cisco Certified Technician (CCT) Data Center and Routing and Switching tracks focus on onsite support and maintenance of data center equipment (such as UCS servers and Nexus switches) or enterprise devices (routers and switches). Technicians must be able to identify device models and components, as well as cabling and accessories. The exam also tests some knowledge of basic configuration. CCT Data Center requires the passing of the DCTECH exam with code of 010-151 and the CCT Routing & Switching exam code is 100-490 RSTECH.

Associate-level Certification

There are 3 associate-level certifications available: CCNA, CyberOps Associate and DevNet Associate.

CCNA Certification
CCNA Certification


New CCNA is a broad foundation certification that now includes the topics that were previously part of CCNA Routing and Switching, Wireless, and Security. It also encompasses topics from now-retired design track – CCDA.

CCNA tests a candidate’s fundamental knowledge and covers a broad set of topics. Engineers starting their career in networking do not to have to make a specialization decision early. To achieve CCNA certification only 1 exam is required – 200-301. Exam topics include network fundamentals, such as LAN switching, wireless, and introductory IP routing and services. The exam also contains security and automation-related questions.

CyberOps Associate

This certification track is for the Security Operation Center (SOC) Analysts. At the time of writing, 2 exams are required to achieve this certification. Cisco has announced the plan to replace these exams with a single consolidated exam in May 2020. A detailed list of the exam topics is available via the URLs below:

  • 210-250 SECFND (available till May 2020)
  • 210-255 SECOPS (available till May 2020)

DevNet Associate

DevNet certification tracks are for the engineers looking into application development for Cisco products and platforms. A single exam is required – 200-901 (DEVASC: DevNet Associate). A list of the exam topics is available via this link.

Certified individuals will have knowledge in different data formats, Cisco platforms API capabilities and popular automation tools.

Professional-level Certification

There are 6 professional-level tracks currently available, with 5 of them are called CCNP:  

  • CCNP Enterprise
  • CCNP Service Provider
  • CCNP Data Center
  • CCNP Security
  • CCNP Collaboration
  • DevNet Professional

There are no formal pre-requisites in obtaining professional-level certifications, so one can skip CCNA certification. Re-certification is required every three years. Each track has one required core exam and one elective concentration exam.

Concentration exams also award an associated specialist certification, so every CCNP will have at least a single specialist-level certification that corresponds to the selected concentration exam.

CCNP Certification
CCNP Certification

CCNP Enterprise

CCNP Enterprise consolidates topics from several previously available certifications – CCNP Routing and Switching, CCNP Wireless and CCDP. Some of the shared topics are now tested as part of the core exam and then there are the specific technology-focused concentration exams.

Core exam for CCNP Enterprise is:

  • 350-401 ENCOR:  Implementing and Operating Cisco Enterprise Network Core Technologies.

Candidates can select a single exam from the list below to earn CCNP Enterprise certification.

  • 300-410 ENARSI: Implementing Cisco Enterprise Advanced Routing and Services
  • 300-415 ENSDWI: Implementing Cisco SD-WAN Solutions
  • 300-420 ENSLD: Designing Cisco Enterprise Networks
  • 300-425 ENWLSD: Designing Cisco Enterprise Wireless Networks
  • 300-430 ENWLSI: Implementing Cisco Enterprise Wireless Networks
  • 300-435 ENAUTO: Implementing Automation for Cisco Enterprise Solutions

As each of the exams above also earns a Specialist certification it will be possible to see which areas individual has expertise in.

CCNP Service Provider

Certification track information is available via this link. Core exam (mandatory):

  • 350-501 SPCOR: Implementing and Operating Cisco Service Provider Network Core Technologies

Concentration exams (select one):

  • 300-510 SPRI: Implementing Cisco Service Provider Advanced Routing Solutions
  • 300-515 SPVI: Implementing Cisco Service Provider VPN Services
  • 300-535 SPAUTO: Implementing Automation for Cisco Service Provider Solutions

CCNP Data Center

This track is for Data Center engineers and designers. Core exam (mandatory):

  • 350-601 DCCOR: Implementing and Operating Cisco Data Center Core Technologies

Concentration exams (select one):

  • 300-610 DCID: Designing Cisco Data Center Infrastructure
  • 300-615 DCIT: Troubleshooting Cisco Data Center Infrastructure
  • 300-620 DCACI: Implementing Cisco Application Centric Infrastructure   
  • 300-625 DCSAN: Implementing Cisco Storage Area Networking
  • 300-635 DCAUTO: Automating and Programming Cisco Data Center Solutions

CCNP Security

This certification. It is for network engineers specializing in Cisco security portfolio. Core exam (mandatory):

  • 350-701 SCOR: Implementing and Operating Cisco Security Core Technologies

Concentration exams (select one):

  • 300-710 SNCF: Securing Networks with Cisco Firepower Next Generation Firewall and IPS
  • 300-715 SISE: Implementing and Configuring Cisco Identity Services Engine
  • 300-720 SESA: Securing Email with Cisco Email Security Appliance
  • 300-725 SWSA: Securing the Web with Cisco Web Security Appliance
  • 300-730 SVPN: Implementing Secure Solutions with Virtual Private Networks
  • 300-735 SAUTO: Implementing Automation for Cisco Security Solutions

CCNP Collaboration

Professional level certification for voice/collaboration engineers. Certification track information is available via this link.

Core exam (mandatory):

  • 350-801 CLCOR: Implementing and Operating Cisco Collaboration Core Technologies

Concentration exams (select one):

  • 300-810 CLICA: Implementing Cisco Collaboration Applications
  • 300-815 CLACCM: Implementing Cisco Advanced Call Control and Mobility Services
  • 300-820 CLCEI: Implementing Cisco Collaboration Cloud and Edge Solutions
  • 300-835 CLAUTO: Implementing Automation for Cisco Collaboration Solutions

DevNet Professional

Many of DevNet Professional concentration exams are shared with other CCNP tracks. Core exam (mandatory):

  • 350-901 DEVCOR: Developing Applications Using Cisco Core Platforms and APIs

Concentration exams (select one):

  • 300-435 ENAUTO: Implementing Automation for Cisco Enterprise Solutions
  • 300-535 SPAUTO: Implementing Automation for Cisco Service Provider Solutions
  • 300-635 DCAUTO: Implementing Automation for Cisco Data Center Solutions
  • 300-735 SAUTO: Implementing Automation for Cisco Security Solutions
  • 300-835 CLAUTO: Implementing Automation for Cisco Collaboration Solutions
  • 300-910 DEVOPS: Implementing DevOps Solutions and Practices using Cisco Platforms
  • 300-915 DEVIOT: Developing Solutions using Cisco IoT and Edge Platforms
  • 300-920 DEVWBX: Developing Applications for Cisco Webex and Webex Devices

Expert-level Certification

Cisco’s CCIE program is one of the most respected certifications in the industry. There are 7 expert-level certifications, 6 x CCIE, and CCDE. All CCIE exams share core exam with the CCNP tracks as pre-requisite and 8-hours lab hands-on practical exam.

CCIE Certification
CCIE Certification

New lab exams for CCIE tracks availability date is April 27, 2020. The new format of the exam includes 2 modules: 3-hours design and 5-hours for tasks testing deployment and operation of the lab network.

CCIE Enterprise Infrastructure

Written exam (the same exam required for CCNP Enterprise):

  • 350-401 ENCOR: Implementing and Operating Cisco Enterprise Network Core Technologies.

Practical exam:

  • CCIE Enterprise Infrastructure v1.0 replaces Routing and Switching lab exam and covers topics as traditional routing and switching, services and software-defined infrastructure. Blueprint also includes automation and programmability topics.

CCIE Enterprise Wireless

Written exam (the same exam required for CCNP Enterprise):

  • 350-401 ENCOR: Implementing and Operating Cisco Enterprise Network Core Technologies.

Practical exam:

CCIE Collaboration

Written exam (the same exam required for CCNP Collaboration):

  • 350-801 CLCOR: Implementing and Operating Cisco Collaboration Core Technologies

Practical exam:

CCIE Data Center

Written exam (the same exam required for CCNP Data Center):

  • 350-601 DCCOR: Implementing and Operating Cisco Data Center Core Technologies

Practical exam:

  • CCIE Data Center v3.0 includes ACI and VXLAN EVPN, Compute and Storage. There is also 15% of data center automation topics.

CCIE Security

Written exam (the same exam required for CCNP Security):

  • 350-701 SCOR: Implementing and Operating Cisco Security Core Technologies

Practical exam:

  • CCIE Security v6.0 practical exam includes Cisco firewalls, ISE, and advanced threat protection-related tasks.

CCIE Service Provider

Written exam (the same exam required for CCNP Service Provider):

  • 350-501 SPCOR: Implementing and Operating Cisco Service Provider Network Core Technologies

Practical exam:

  • CCIE Service Provider v5.0 practical exam covers service provider technologies, including provider-specific routing and security, MPLS and automation.


Written exam (CCDE exam has its own written exam, as there is no CCDP anymore):

Practical exam:

  • CCDE practical exam has a different format from CCIE exams. It is also a 8-hours exam focusing on design case studies

Architect-level Certification

CCAr is the highest level of Cisco certification. It has a pre-requisite of passing the CCDE exam and submitting an application outlining the past project experience. After approval candidate must complete the CCAr Board Exam which is based on presenting a network architecture to a panel of Board members.

Specialist Certification

Specialist certifications usually require only a single exam to be passed. Apart from specializations achieved by passing concentration exams from CCNP tracks, there are 14 specialist certifications which cover very focused areas of technology or business:

  • Cisco TelePresence Solutions Specialist 
  • Cisco Unified Contact Center Enterprise Specialist            
  • Cisco Video Network Specialist
  • Cisco and NetApp FlexPod Design Specialist        
  • Cisco and NetApp FlexPod Implementation and Administration Specialist              
  • Cisco Industrial Networking Specialist                     
  • Cisco IOS XR Specialist                    
  • Cisco Service Provider Mobility CDMA to LTE Specialist   
  • Cisco Service Provider Mobility UMTS to LTE Specialist    
  • Cisco Business Architecture Analyst                       
  • Cisco Business Architecture Specialist                                    
  • Cisco Business Architecture Practitioner
  • Cisco Customer Success Manager
  • Cisco Renewals Manager                            

This URL contains up-to-date information on these tracks.

Related technology posts:

Cisco Data Center: ACI Concepts

Cisco Data Center: VPC Basics

Network Design Architectures

Cisco Enterprise: SD-Access Components

Cisco SD-WAN: Overview

Cisco SD-WAN: Routers and Platforms

IPv6: Addressing Scheme

IPv6: Configure, Verify and Troubleshoot