NetworkingCCNA

CCNA Network Components: Routers, Switches, Firewalls & More

The CCNA 200-301 exam opens with network components — the physical and logical building blocks of every enterprise network. You need to know not just what each device is, but what layer it operates at, what problem it solves, and how to distinguish it from similar devices. Routers, Layer 2 switches, Layer 3 switches, next-generation firewalls, IPS, wireless access points, wireless LAN controllers, and endpoints all appear in scenario questions. This guide covers each device's role, its CCNA exam angle, and how they combine into real deployments.

10 min

5 sections · 6 exam key points

5 practice questions

Routers and their Layer 3 role

A router forwards packets between different IP networks using a routing table. Every interface on a router belongs to a separate subnet — traffic crossing from one subnet to another must pass through the router, which makes routing decisions based on destination IP. Routers also provide the default gateway for hosts; without a router, a host can only reach other devices on the same subnet.

On the CCNA exam, routers are the device that connects your LAN to the WAN and the internet. They run routing protocols like OSPF and EIGRP, perform NAT at the network edge, and terminate VPN tunnels. A router with sub-interfaces on a single trunk port is the classic router-on-a-stick topology used for inter-VLAN routing.

Layer 2 vs Layer 3 switches

A Layer 2 switch makes forwarding decisions based on MAC addresses. It builds a MAC address table by learning source MACs on each port, then forwards frames only to the correct destination port instead of flooding. All ports on a Layer 2 switch share the same broadcast domain unless VLANs are configured — VLANs create separate broadcast domains on the same physical switch.

A Layer 3 switch adds IP routing capability on top of switching hardware. It can route between VLANs using Switched Virtual Interfaces (SVIs) without needing an external router. In a three-tier campus design, Layer 3 switches sit at the distribution and core layers, routing between VLANs at wire speed. The key exam distinction: Layer 2 switches forward frames, Layer 3 switches can also route packets, but they still switch within a VLAN.

PoE (Power over Ethernet) switches deserve a specific callout. They deliver DC power over Ethernet cabling to IP phones, wireless access points, and cameras — eliminating separate power adapters. PoE (802.3af) delivers up to 15.4 W per port; PoE+ (802.3at) up to 30 W; PoE++ (802.3bt) up to 90 W. The switch must have a PoE budget large enough to power all connected devices simultaneously.

Next-Generation Firewalls and IPS

A traditional firewall filters traffic based on IP addresses and ports. A Next-Generation Firewall (NGFW) goes further: it performs deep packet inspection, identifies applications regardless of port (application awareness), and can enforce policies based on user identity, not just IP. NGFWs also include integrated IPS, URL filtering, and malware sandboxing.

An Intrusion Prevention System (IPS) analyzes traffic for attack signatures and anomalous patterns. Unlike a firewall that drops traffic based on policy, an IPS drops traffic based on detected threats. It sits inline in the traffic path — if it goes down without a bypass mechanism, it can disrupt connectivity. The CCNA exam distinguishes IDS (detect and alert) from IPS (detect and block inline).

For CCNA, remember that firewalls are stateful — they track connection state and automatically allow return traffic for established sessions. A stateless ACL on a router must explicitly permit return traffic; a firewall does this automatically.

Wireless Access Points and WLCs

A Wireless Access Point (WAP) connects wireless clients to the wired network. Autonomous APs operate independently and must be configured one by one. Lightweight APs offload configuration and management to a Wireless LAN Controller (WLC), which pushes policies to all APs centrally. This makes large deployments manageable — you configure SSIDs, security, and QoS on the WLC, and every AP applies those settings automatically.

The WLC also handles client roaming. When a client moves from one AP to another within the same WLC domain, the WLC manages the handoff without the client re-authenticating. This is transparent Layer 2 roaming. For the CCNA exam, know that lightweight APs use CAPWAP tunnels to communicate with the WLC, and that AP modes include local, monitor, sniffer, flex-connect, and bridge.

Endpoints and servers

Endpoints are end-user devices: laptops, desktops, smartphones, tablets, IP phones, and IoT sensors. They generate the traffic that everything else carries. Servers are endpoints too — web servers, file servers, DNS servers, DHCP servers — but they're typically in the data center behind distribution-layer switches.

Understanding endpoint role matters for security policy: you segment endpoints into VLANs by type (user VLAN, voice VLAN, IoT VLAN) and apply ACLs at the distribution layer to limit what endpoints can reach. A compromised IoT device on a flat network can reach every other device; on a segmented network it can only reach its VLAN.

Network device quick reference

Device	OSI Layer	Forwarding basis	Key feature
Router	Layer 3	IP address	Routes between subnets, runs routing protocols
Layer 2 Switch	Layer 2	MAC address	Wire-speed frame switching, VLANs
Layer 3 Switch	Layer 2/3	MAC or IP	Routes between VLANs using SVIs
NGFW	Layer 3–7	IP + application	Deep packet inspection, app awareness
IPS	Layer 3–7	Signatures/anomaly	Inline threat blocking
Autonomous AP	Layer 1/2	Radio + MAC	Standalone WLAN, self-configured
Lightweight AP	Layer 1/2	Radio + MAC	Managed by WLC via CAPWAP
WLC	Layer 3	Mgmt plane	Centralizes AP config, roaming, RF management

Key exam facts — CCNA

A Layer 3 switch routes between VLANs using SVIs — no external router needed
PoE budget: total switch budget must exceed sum of all connected device power requirements
NGFW is stateful and application-aware; traditional firewall is stateful but port/IP only
IDS detects and alerts; IPS detects, alerts, and blocks inline
Lightweight APs use CAPWAP to communicate with WLC; autonomous APs are self-contained
WLC manages roaming, RF, SSIDs, and security policy for all lightweight APs

Common exam traps

A Layer 3 switch replaces the router entirely

Layer 3 switches route LAN-to-LAN traffic efficiently, but WAN connectivity and advanced features like NAT still typically require a dedicated router

An IPS is just a firewall

A firewall enforces policy (allow/deny based on rules); an IPS detects and blocks attack patterns in allowed traffic — they complement each other

Autonomous APs and lightweight APs are interchangeable

Lightweight APs require a WLC and use CAPWAP; autonomous APs are self-managed. Converting between modes requires a firmware/mode change

Practice questions — Network Components

These questions are representative of what you will see on CCNA exams. The correct answer and explanation are shown immediately below each question.

Q1.Which device forwards traffic based on MAC addresses and creates separate broadcast domains using VLANs?

A.Router

B.Layer 2 switch

C.Layer 3 switch

D.NGFW

Explanation: A Layer 2 switch uses MAC addresses for forwarding decisions and uses VLANs to create separate broadcast domains. A router forwards based on IP; an NGFW uses IP plus application inspection.

Q2.A wireless network has 50 access points. Which deployment model allows an administrator to configure all APs from a single interface?

A.Autonomous AP deployment

B.Lightweight AP with WLC

C.Mesh AP deployment

D.SOHO AP deployment

Explanation: Lightweight APs managed by a Wireless LAN Controller (WLC) receive their configuration centrally via CAPWAP. Autonomous APs must each be configured individually.

Q3.An IP phone needs power but there is no nearby electrical outlet. Which switch feature provides a solution?

A.QoS

B.PoE

C.STP PortFast

D.VLAN trunking

Explanation: Power over Ethernet (PoE) delivers power through the Ethernet cable, eliminating the need for a separate power adapter for IP phones, cameras, and access points.

Q4.Which statement correctly distinguishes an IDS from an IPS?

A.An IDS blocks threats inline; an IPS only logs them

B.An IDS detects and alerts; an IPS detects, alerts, and blocks inline

C.An IDS operates at Layer 7; an IPS operates at Layer 3

D.An IDS requires a WLC; an IPS does not

Explanation: An Intrusion Detection System (IDS) monitors traffic and generates alerts. An Intrusion Prevention System (IPS) is inline and can drop malicious traffic in real time.

Q5.A Layer 3 switch uses which mechanism to route traffic between VLANs without an external router?

A.PortFast

B.Switched Virtual Interface (SVI)

C.CAPWAP tunnel

D.Trunk port

Explanation: A Switched Virtual Interface (SVI) is a logical Layer 3 interface on a VLAN. The Layer 3 switch routes packets between SVIs at hardware speed, enabling inter-VLAN routing without an external router.

Frequently asked questions — Network Components

What is the difference between a Layer 2 and Layer 3 switch?

A Layer 2 switch forwards Ethernet frames based on MAC addresses and cannot route between subnets. A Layer 3 switch adds IP routing capability — it can route between VLANs using Switched Virtual Interfaces (SVIs) at hardware speed, making it faster than routing through an external router.

What is CAPWAP and why do lightweight APs use it?

CAPWAP (Control and Provisioning of Wireless Access Points) is the protocol lightweight APs use to communicate with a Wireless LAN Controller. It tunnels both control traffic (configuration, management) and data traffic to the WLC, allowing centralized management of all APs.

What makes a Next-Generation Firewall different from a traditional firewall?

A traditional firewall filters based on IP addresses and ports. An NGFW adds deep packet inspection, application awareness (identifying apps regardless of port), user-identity-based policies, integrated IPS, and URL filtering. This lets you block specific applications like social media even if they use port 443.

How does PoE work and what are its power limits?

Power over Ethernet delivers DC power over standard Ethernet cables using spare wire pairs or the data pairs. IEEE 802.3af (PoE) provides up to 15.4 W per port, 802.3at (PoE+) up to 30 W, and 802.3bt (PoE++) up to 90 W. The switch must have sufficient total PoE budget for all powered devices.

When would you use an autonomous AP versus a lightweight AP?

Autonomous APs make sense for very small deployments (home office, single room) where central management isn't needed. Lightweight APs with a WLC are the enterprise choice — they enable centralized configuration, seamless roaming, RF management, and consistent policy enforcement across dozens or hundreds of APs.

Practice this topic

CCNApractice questions

Test yourself on Network Components

JT Exams routes you to questions in your exact weak areas — automatically, after every session.

Free practice test Start 7-Day Free Trial

No credit card · Cancel anytime