DevDan | … starting in network engineering … https://danielawele.link/ – information for a beginner network engineering

Repetition Is the Law of Deep and Lasting Impression https://danielawele.link/repetition-is-the-law-of-deep-and-lasting-impression Sat, 16 May 2026 14:07:43 +0000 https://danielawele.link/?p=1639

There is something powerful about doing a thing again. And again. And again. And again ….

I heard this in church as a child: “repetition is the law of deep and lasting impressions.”

The first time I built a lab like this, it took me the whole of Jeremy’s IT Lab, Google searches, documentation, trial and error, and many moments of asking, “Why is this not working?” Every small step felt heavy. Creating VLANs, configuring trunks, setting up OSPF, thinking through HSRP, firewall zones, NAT, routing, and VPN concepts all required external help.

But this time felt different.

I have been working on this lab since last night at a relaxed pace, and I noticed something important: I was not really Googling for every detail. I was not constantly going back to Jeremy’s videos to remember every command. The ideas were beginning to stay. The commands were becoming familiar. The design was starting to make sense without forcing it.

That is what repetition does.

Repetition turns scattered knowledge into structure. At first, you copy commands. Then you understand why the commands exist. Later, you start seeing the network as a system. You know why the access switch needs a management VLAN. You understand why the firewall needs NAT and policy. You know why OSPF needs a real interface for adjacency, even if the loopback is what you want to advertise. You begin to recognize problems not as random errors, but as symptoms.

This is why I believe repetition is the law of deep and lasting impression.

When you repeat something with attention, it does not just stay in your memory. It starts shaping how you think. You move from “I watched this before” to “I can build this.” That is a different level of learning.

I am building this lab as part of my personal study as I begin my CCNP journey. Not just to pass an exam, but to create a place where ideas can become practical. When someone like Arash Deljoo says something that fascinates me, I do not want it to remain just a nice explanation in a video. I want to open my personal lab, download the packet, recreate the behavior, break it, fix it, and see it with my own eyes.

That is how deep learning happens.

The first attempt may feel slow. The second attempt feels less painful. By the third or fourth attempt, your hands start remembering what your mind once struggled to understand. The network stops looking like a diagram and starts becoming a living system.

This lab is more than routers, switches, VLANs, OSPF, firewalls, and tunnels. It is proof that repetition works. It is proof that what once looked complicated can become familiar through consistent practice.

The goal is not to know everything at once. The goal is to keep returning to the work until the work leaves an impression deep enough to stay.

My WordPress Blog, Simple CI/CD Project https://danielawele.link/my-wordpress-blog-simple-ci-cd-project Wed, 13 May 2026 22:12:12 +0000 https://danielawele.link/?p=1619

I discovered that there is a better free host for my blog. My AWS EC2 free tier is close to expiring, so I had to make a practical decision: keep hosting my WordPress blog in the cloud and risk new charges on my card, or rethink the entire setup. Since this is a personal technical blog, I did not want to keep paying for a server that mostly serves articles, images, and static pages.

So I moved my WordPress environment from AWS to a hardware server hosted at home. But I do not want public connections of any kind reaching my home network, so I had to make a change.

The idea was simple: WordPress would no longer be my public production website. Instead, it became my private development and writing environment. I use it to write, edit, preview, and manage my blog posts. After publishing or updating an article, I use a WordPress plugin called Staatic to convert the entire site into static files. Those static files are then copied into my GitHub repository once a day and pushed to GitHub Pages, where the public version of the blog is hosted for free.

This gave me a simple CI/CD-style workflow. In normal software development or DevOps, CI/CD means changes are built, tested, and delivered automatically or semi-automatically. In my case, the “change” is a new article or an edited blog post. The “build” step is Staatic converting WordPress into static HTML, CSS, JavaScript, and image files. The “delivery” step is pushing those files to GitHub, where GitHub Pages publishes the updated site.

The biggest benefit is cost control. I no longer need a cloud-hosted WordPress server running all the time just to serve blog posts. My home server is used for development, while GitHub Pages handles the public hosting.

There is also a security benefit. A normal public WordPress site exposes the login page, admin area, PHP processing, database connection, plugins, and themes to the internet. With this setup, visitors only see the static version of the site. The public website does not need WordPress, PHP, or MySQL to run.

This setup also helped me implement real infrastructure and DevOps decisions in a practical way. It touches local hosting, static site generation, GitHub version control, deployment, cost optimization, and environment separation. WordPress is my content management system, Staatic is my build tool, GitHub is my version control platform, and GitHub Pages is my deployment target.

It is not perfect. Features that depend on live WordPress, such as native comments, dynamic search, contact forms, or user login, may not work the same way after static conversion. But for a technical blog, this trade-off is acceptable.

In the future, I can improve the process by automating the daily copy and push process. For now, it is simple, free, and reliable enough for my needs.
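The daily “copy the Staatic export into the GitHub Pages repository and push” step, written out as a small script. This is an added example, not code from the original post or from the Staatic plugin; the directory layout, the protected file names and the commit message are assumptions. The sync step only copies files that actually changed and removes files that no longer exist in the export, while leaving the repository’s own `.git` directory (and a `CNAME`/`.nojekyll` if present) alone. The git commands live in `publish()` and are never run by the demo, which works on constructed temporary directories.

```python
"""Added example (not from the original post): mirror a static-site export
into a GitHub Pages working tree, then commit and push only when something
changed.  Paths, protected names and the commit message are assumptions."""
import hashlib
import os
import shutil
import subprocess
import tempfile

PROTECTED = {".git", "CNAME", ".nojekyll"}   # never touched in the site repo


def _digest(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def _files(root):
    """Relative path -> absolute path for every file under root,
    skipping protected top-level entries such as .git."""
    out = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in PROTECTED]
            filenames = [f for f in filenames if f not in PROTECTED]
        for name in filenames:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = full
    return out


def sync_static(export_dir, site_dir):
    """Mirror export_dir into site_dir and report what changed."""
    src, dst = _files(export_dir), _files(site_dir)
    added, updated, removed = [], [], []
    for rel, path in src.items():
        target = os.path.join(site_dir, rel)
        if rel not in dst:
            added.append(rel)
        elif _digest(path) != _digest(dst[rel]):
            updated.append(rel)
        else:
            continue                                  # identical, skip the copy
        os.makedirs(os.path.dirname(target), exist_ok=True)
        shutil.copy2(path, target)
    for rel, path in dst.items():
        if rel not in src:                            # stale page from a deleted post
            os.remove(path)
            removed.append(rel)
    return {"added": sorted(added), "updated": sorted(updated), "removed": sorted(removed)}


def publish(site_dir, message="Daily static export"):
    """Commit and push only when the working tree actually changed (real git calls)."""
    git = ["git", "-C", site_dir]
    subprocess.run(git + ["add", "-A"], check=True)
    if subprocess.run(git + ["diff", "--cached", "--quiet"]).returncode == 0:
        return False                                  # nothing staged, nothing to push
    subprocess.run(git + ["commit", "-m", message], check=True)
    subprocess.run(git + ["push"], check=True)
    return True


def demo():
    """Run the sync twice on constructed temp directories; return both reports
    and whether the fake .git directory survived."""
    root = tempfile.mkdtemp()
    try:
        export, site = os.path.join(root, "export"), os.path.join(root, "site")
        os.makedirs(os.path.join(export, "assets"))
        os.makedirs(os.path.join(site, ".git"))
        for rel, body in {"index.html": "<h1>DevDan</h1>", "assets/style.css": "body{}"}.items():
            with open(os.path.join(export, rel), "w") as fh:
                fh.write(body)
        for rel, body in {".git/config": "[core]", "old.html": "stale"}.items():
            with open(os.path.join(site, rel), "w") as fh:
                fh.write(body)
        first = sync_static(export, site)             # copies two files, removes old.html
        second = sync_static(export, site)            # nothing left to do
        git_kept = os.path.exists(os.path.join(site, ".git", "config"))
        return first, second, git_kept
    finally:
        shutil.rmtree(root)
```

Running `demo()` shows the first pass adding `index.html` and `assets/style.css` and removing the stale `old.html`, and the second pass reporting no changes, which is exactly the condition under which `publish()` would skip the commit.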

This project reminded me that good engineering is not always about using the most expensive platform; it is about building the most efficient process that meets the need!

Compare TCP to UDP https://danielawele.link/compare-tcp-to-udp Tue, 07 Oct 2025 03:36:05 +0000 https://danielawele.link/?p=1581

Jeremy’s IT Lab did a fantastic job of explaining and detailing what goes on at this stratum of electronic communication, so we really recommend watching his video on this. The Practical Networking YouTube video on this topic also gave very interesting insights.

Everything we are going to discuss here has its foundation in understanding the Transport Layer, also known as Layer 4 of the OSI model. This layer is responsible for the efficient movement of segments and datagrams between end hosts, whether through the reliability of Transmission Control Protocol (TCP) or the speed of User Datagram Protocol (UDP). A solid grasp of these two protocols is essential for both CCNA preparation and real-world troubleshooting. Note that one focuses on reliability while the other focuses on optimised speed.

Layer 4 – The Transport Layer

The transport layer is responsible for maintaining reliable, orderly, and efficient communication between devices. Its core functions, process-to-process delivery, multiplexing, congestion and flow control, and error management, collectively ensure that networked applications operate seamlessly, forming the foundation for dependable enterprise communication systems.

The transport layer plays a critical role in ensuring reliable data transfer within the OSI model. It receives data from the session layer, checks it for errors or corruption, and divides it into smaller segments before passing it to the lower layers for transmission. The two main protocols we see in this layer are the Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP), and the layer uses them to manage how data moves across the network. The transport layer serves as the bridge between the upper-layer applications and the underlying network, ensuring that data is delivered efficiently, correctly, and to the right destination.

End hosts often run multiple services at once. For instance, a server may host an HTTPS website while also maintaining Active Directory sessions with a domain controller and running security monitoring tools. Layer 4, the Transport Layer, ensures data is reliably transferred between these processes and reaches the right application. Positioned between the Network Layer (IP addressing and routing) and the Application Layer (protocols like HTTP or SSH), it acts as the network’s traffic controller, directing data between communicating programs. This application-to-application or process-to-process delivery is achieved using 16-bit port numbers, which identify the sending and receiving applications so that each message reaches its correct destination. When multiple programs are running simultaneously on a device, these port numbers allow the transport layer to distinguish between them and direct the correct data to each process.

This brings about another key function known as multiplexing and demultiplexing. Multiplexing allows multiple applications on the sender’s side to share a single network connection, combining their data streams for transmission. At the receiver’s end, demultiplexing separates these combined streams and delivers each to the appropriate application. This capability enables many network services to function concurrently over the same link without confusion.

Every network application communicates using a unique combination of an IP address and a port number, together known as a socket. This pairing ensures that data reaches the correct program on the correct device. Port numbers are divided into three main ranges. Well-known ports (0–1023) are reserved for core services such as HTTP on port 80, SSH on port 22, and FTP on port 21. Registered ports (1024–49151) are assigned to user applications or specific software vendors, while ephemeral ports (49152–65535) are temporary and randomly chosen by client devices during communication.

For example, when a computer opens a webpage, the connection may use source port 50000 on the client and destination port 80 on the web server. This system allows multiple applications—such as web browsing, file transfers, and DNS lookups—to operate at the same time without interfering with each other, keeping all sessions organized and independent.

The transport layer also manages congestion control, which prevents and mitigates traffic overload on the network. Congestion occurs when too much data is transmitted at once, overwhelming routers and causing delays or packet loss. Open-loop control methods aim to prevent congestion before it happens by regulating traffic flow, while closed-loop control mechanisms detect and resolve congestion once it occurs. This ensures smooth and efficient network performance, particularly in large enterprise environments where data volumes are high.

Another essential function is flow control, which regulates the rate of data transmission between the sender and receiver. It ensures that a fast sender does not overwhelm a slower receiver by sending more data than it can process. This is often implemented through the sliding window protocol, where acknowledgments and window sizes determine how much data can be sent before requiring confirmation.

Finally, error control ensures that data arrives accurately and intact. The transport layer detects and corrects errors using checksums or error-detecting codes. If corrupted data is found, acknowledgment (ACK) and negative acknowledgment (NACK) messages are exchanged between the sender and receiver. These signals help identify lost or damaged segments and trigger retransmission when necessary. Through this mechanism, the transport layer provides end-to-end reliability even over imperfect network connections.

Layer 4 Protocol – Transmission Control Protocol (TCP)

TCP is the backbone of reliable communication. It is connection-oriented, meaning both devices establish a connection before exchanging data. Like everything at Layer 4, it lives above IP and below the Application layer, providing dependable, end-to-end delivery between specific processes or applications on different hosts. Applications are identified by 16-bit port numbers, so TCP can deliver data to the exact service that needs it.

TCP begins with a formal three-way handshake: the client sends SYN, the server replies SYN-ACK, and the client answers with ACK. Only then does data flow. This connection setup is the reason TCP is described as connection-oriented. When either side is finished, the session is torn down cleanly with FIN/ACK exchanges so both hosts agree the conversation is over.

https://study-ccna.com/tcp-three-way-handshake/
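The handshake just described, as a small checker added here (this is not code from the original post): given the TCP segments exchanged between one client and one server, it confirms that SYN, SYN-ACK and ACK arrive in that order with sequence and acknowledgment numbers that match, and otherwise names what went wrong (half-open, refused by the server, or invalid numbers). The segments and initial sequence numbers below are constructed for the example, not taken from a real capture.

```python
"""Added example (not from the original post): validate the TCP three-way
handshake over a list of observed segments.  Traces are constructed."""
from dataclasses import dataclass

MOD32 = 2 ** 32          # sequence numbers wrap at 32 bits


@dataclass(frozen=True)
class Segment:
    direction: str       # "c2s" client -> server, "s2c" server -> client
    flags: frozenset     # e.g. frozenset({"SYN", "ACK"})
    seq: int
    ack: int


def check_handshake(segments):
    """Return 'established', or a short reason why the handshake is incomplete.

    Expected: client SYN; server SYN-ACK with ack = client ISN + 1;
    client ACK with seq = client ISN + 1 and ack = server ISN + 1."""
    steps = iter(segments)
    syn = next(steps, None)
    if syn is None or syn.direction != "c2s" or syn.flags != {"SYN"}:
        return "invalid: first segment is not a client SYN"
    synack = next(steps, None)
    if synack is None:
        return "half-open: SYN sent, no SYN-ACK seen"
    if synack.direction == "s2c" and synack.flags == {"RST", "ACK"}:
        return "refused: server answered with RST (no listener on that port)"
    if synack.direction != "s2c" or synack.flags != {"SYN", "ACK"}:
        return "invalid: second segment is not a server SYN-ACK"
    if synack.ack != (syn.seq + 1) % MOD32:
        return "invalid: SYN-ACK does not acknowledge the client ISN + 1"
    ack = next(steps, None)
    if ack is None:
        return "half-open: SYN-ACK sent, client never completed"
    if ack.direction != "c2s" or "ACK" not in ack.flags or "SYN" in ack.flags:
        return "invalid: third segment is not a client ACK"
    if ack.seq != (syn.seq + 1) % MOD32 or ack.ack != (synack.seq + 1) % MOD32:
        return "invalid: final ACK numbers do not match both ISNs"
    return "established"


# Constructed traces; the ISNs 1000 and 5000 are chosen by hand.
GOOD = [Segment("c2s", frozenset({"SYN"}), 1000, 0),
        Segment("s2c", frozenset({"SYN", "ACK"}), 5000, 1001),
        Segment("c2s", frozenset({"ACK"}), 1001, 5001)]
HALF_OPEN = GOOD[:2]                                     # client never sent the final ACK
REFUSED = [GOOD[0], Segment("s2c", frozenset({"RST", "ACK"}), 0, 1001)]
BAD_ACK = [GOOD[0], Segment("s2c", frozenset({"SYN", "ACK"}), 5000, 1002)]


def summarize(traces):
    """Count verdicts over many traces, e.g. to spot a pile of half-open connections."""
    counts = {}
    for trace in traces:
        verdict = check_handshake(trace).split(":")[0]
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts
```

`check_handshake(GOOD)` returns `"established"`; the other three traces return the half-open, refused and invalid verdicts, and `summarize()` is the shape of check you would run over a whole capture when many connections never complete.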

TCP confirms delivery using acknowledgments. If an expected acknowledgment does not arrive, TCP retransmits the missing data. This makes delivery “informed” rather than magically guaranteed; if the path is broken, TCP can detect loss and try again, but it cannot force delivery over a dead link. Every byte in a TCP stream is numbered. If packets arrive out of order because different network paths have different delays, TCP buffers and reorders them before handing data to the application, ensuring the application sees a clean, in-order stream. A built-in mechanism, window-based flow control, prevents a fast sender from overwhelming a slow receiver. TCP also adapts to network conditions with congestion-control algorithms that probe for available bandwidth, back off when loss occurs, and then ramp up again. The result is efficient use of capacity with minimal drops over variable, multi-hop paths.

TCP carries a header of at least 20 bytes and up to 60 bytes with the options field, containing sequence and acknowledgment numbers, flags (SYN, ACK, FIN, etc.), window size, checksum, and more. The extra fields enable reliability, ordering, and flow control, at the cost of additional per-packet overhead.

https://networklessons.com/ip-routing/tcp-header

In enterprise environments, because of its reliability and ordered delivery, TCP is preferred for web and API traffic (HTTP/HTTPS), file transfers, email, database replication, and most business applications where correctness matters more than a few extra milliseconds of setup or control traffic. Security is not built in: TCP by itself does not encrypt or authenticate data. Security is added by higher-layer protocols such as TLS (for HTTPS, SMTPS, etc.) or by IPsec below it. Choosing TCP does not inherently make traffic “more secure”; it simply makes delivery reliable.

Layer 4 Protocol – User Datagram Protocol (UDP)

https://linuxhint.com/udp_wireshark_analysis/

UDP is the connectionless Transport-layer protocol. It also uses IP for routing and 16-bit ports for process addressing, but it does not set up or tear down sessions. Applications send discrete datagrams, and the network delivers them on a best-effort basis. A sender transmits immediately; the receiver processes what arrives. Engineers sometimes speak informally about a “UDP session,” but in practice it is just a group of packets sharing the same five-tuple (source IP/port, destination IP/port, protocol) within a time window.

UDP does not acknowledge receipt and does not retransmit on loss. If an application needs delivery confirmation, it must implement its own logic above UDP. The chance a datagram reaches the other end is governed by the same physical network as TCP; the difference is simply that UDP does not track or recover from loss at Layer 4. It neither sequences packets nor reorders them. If ordering matters, the application must be designed to handle it. UDP also lacks flow and congestion control; it will happily transmit as fast as the sender allows, which is perfect for real-time streams but can cause drops at bottlenecks if the path cannot keep up. Its header is minimal: 8 bytes with just source port, destination port, length, and checksum (mandatory in IPv6, optional in IPv4). The tiny header lowers CPU and bandwidth overhead and reduces per-packet processing delay in network devices.

https://linuxhint.com/udp_wireshark_analysis/

UDP is ideal where time-based efficiency beats perfection. Voice and video (VoIP, conferencing), live streams, gaming, telemetry/logging/monitoring applications, and simple request/response protocols like DNS, DHCP, SNMP, and syslog often use UDP because occasional loss is acceptable or because the application layer supplies its own reliability. Like TCP, UDP offers no native encryption or authentication. Secure designs pair UDP with protocols such as DTLS or run it within VPNs or IPsec when confidentiality and integrity are required.
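To make the header sizes, port ranges and five-tuple from the sections above concrete, here is an added Python example (not code from the original post or from the videos it references). It decodes a constructed TCP SYN segment with an MSS option, decodes a constructed DNS-over-UDP datagram, classifies the ports into the well-known, registered and ephemeral ranges, builds the five-tuple, and computes and verifies the UDP checksum over the IPv4 pseudo-header. The IP addresses, ports and payload bytes are made up for the demonstration.

```python
"""Added example (not from the original post): parse the TCP and UDP headers
described above, classify ports, build the five-tuple and verify a UDP
checksum.  All bytes below are constructed, not captured from a network."""
import ipaddress
import struct

TCP_FLAG_BITS = {0x01: "FIN", 0x02: "SYN", 0x04: "RST",
                 0x08: "PSH", 0x10: "ACK", 0x20: "URG"}


def port_range(port):
    """Well-known 0-1023, registered 1024-49151, ephemeral 49152-65535."""
    if not 0 <= port <= 65535:
        raise ValueError("port must fit in 16 bits")
    if port <= 1023:
        return "well-known"
    return "registered" if port <= 49151 else "ephemeral"


def parse_tcp(segment):
    """Decode the 20..60 byte TCP header (RFC 793 layout)."""
    if len(segment) < 20:
        raise ValueError("TCP header is at least 20 bytes")
    (src, dst, seq, ack, off_flags,
     window, checksum, urgent) = struct.unpack("!HHIIHHHH", segment[:20])
    header_len = (off_flags >> 12) * 4            # data offset is in 32-bit words
    if not 20 <= header_len <= min(60, len(segment)):
        raise ValueError("data offset out of range")
    flag_bits = off_flags & 0x003F                # the six classic flags (ECN bits ignored)
    return {
        "src_port": src, "dst_port": dst, "seq": seq, "ack": ack,
        "header_len": header_len,
        "flags": [n for b, n in TCP_FLAG_BITS.items() if flag_bits & b],
        "window": window, "checksum": checksum, "urgent": urgent,
        "options": segment[20:header_len], "payload": segment[header_len:],
    }


def parse_udp(datagram):
    """Decode the fixed 8-byte UDP header (RFC 768)."""
    if len(datagram) < 8:
        raise ValueError("UDP header is 8 bytes")
    src, dst, length, checksum = struct.unpack("!HHHH", datagram[:8])
    if not 8 <= length <= len(datagram):
        raise ValueError("UDP length field inconsistent with datagram")
    return {"src_port": src, "dst_port": dst, "length": length,
            "checksum": checksum, "payload": datagram[8:length]}


def five_tuple(src_ip, dst_ip, protocol, header):
    """The five values that identify a TCP connection or an informal 'UDP session'."""
    return (src_ip, header["src_port"], dst_ip, header["dst_port"], protocol)


def _ones_complement_sum(data):
    if len(data) % 2:
        data += b"\x00"                               # odd trailing byte is zero-padded
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                                # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src_ip, dst_ip, udp_length):
    return (ipaddress.IPv4Address(src_ip).packed + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, 17, udp_length))  # zero byte, protocol 17, UDP length


def build_udp(src_ip, dst_ip, src_port, dst_port, payload):
    """Construct a UDP datagram with a valid checksum over the IPv4 pseudo-header."""
    length = 8 + len(payload)
    body = struct.pack("!HHHH", src_port, dst_port, length, 0) + payload
    csum = 0xFFFF ^ _ones_complement_sum(_pseudo_header(src_ip, dst_ip, length) + body)
    csum = csum or 0xFFFF                             # a computed 0 is transmitted as 0xFFFF
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def verify_udp_checksum(src_ip, dst_ip, datagram):
    """True if the checksum matches, or if it is 0 (IPv4 allows 'no checksum')."""
    hdr = parse_udp(datagram)
    if hdr["checksum"] == 0:
        return True
    total = _ones_complement_sum(_pseudo_header(src_ip, dst_ip, hdr["length"])
                                 + datagram[:hdr["length"]])
    return total == 0xFFFF


# Constructed samples.  SYN from ephemeral port 50000 to HTTPS, data offset 6
# words (24 bytes) carrying one MSS option (1460); TCP checksum left at zero.
SAMPLE_SYN = struct.pack("!HHIIHHHH", 50000, 443, 1000, 0,
                         (6 << 12) | 0x02, 65535, 0, 0) + b"\x02\x04\x05\xb4"
# DNS query-shaped payload from 192.0.2.10:51234 to 192.0.2.53:53 (documentation addresses).
SAMPLE_DNS = build_udp("192.0.2.10", "192.0.2.53", 51234, 53,
                       b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00")
```

`parse_tcp(SAMPLE_SYN)` reports a 24-byte header, the `SYN` flag alone and the MSS option bytes; `parse_udp(SAMPLE_DNS)` reports a length of 20 (8-byte header plus 12-byte payload). `verify_udp_checksum()` passes on the datagram as built and fails once a single payload byte is altered, which is the whole of the integrity protection UDP offers at Layer 4.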

Identify Interface and Cable Issues. https://danielawele.link/identify-interface-and-cable-issues-collisions-errors-mismatch-duplex-and-or-speed Mon, 06 Oct 2025 03:58:24 +0000 https://danielawele.link/?p=1513

In the course of researching this topic, we discovered a very interesting YouTube channel that breaks this down in layman’s terms. NetworkBruh goes into detail about what this topic and other CCNA topics are all about. I used his video to write this personal note for this topic.

This section of the CCNA blueprint covers interface and cabling issues that may arise in an enterprise environment. These include collisions, some operational errors, and mismatches in duplex or speed. Their names make them sound like minor issues, but for an operational enterprise network these are not just exam concepts; they are everyday realities that can cripple performance and business activity if left unchecked. A single bad cable, a mismatched speed setting, or silent Cyclic Redundancy Check (CRC) errors can render network services unusable, bring down critical services, and impact business continuity.

In the Open Systems Interconnection (OSI) reference model, these issues occur primarily at Layers 1 and 2. A solid understanding of these layers is fundamental, because before configuring complex enterprise systems or cloud integrations, network engineers must first ensure that the physical links and interface configurations are sound. More importantly, they should be able to recognize when something is wrong and troubleshoot it effectively.

For this discussion, we will explore how these issues develop, how they are detected, and why they remain critical to maintaining enterprise network reliability. Although modern networking equipment is designed to minimize many of these problems, their underlying principles are still vital to understand, especially since replicating them in a lab environment is often challenging.

Collisions: Problem Statement and the Evolution of Ethernet Switching

In the early days of ethernet, switches did not yet exist, and networks relied on network devices called hubs. As the technology matured, hubs were steadily replaced by more advanced and intelligent switches.

In the past, an ethernet hub was used to connect multiple devices. These broadcasted all incoming frames out every other port. If PC-A sent a frame, the hub simply flooded it to all remaining ports because it had no knowledge of destinations.

For this reason, hubs were often called “dumb” devices since they neither learned addresses nor made forwarding decisions. The drawbacks were clear: hubs created what we call a “single collision domain”, causing frames to collide and also requiring a complicated loop prevention mechanism. In modern enterprises, whenever a hub remained in a network, it was an operational and security liability.

Now, a switch, on the other hand, has very effective knowledge of destinations, very much unlike a hub. The switch uses what we call a Media Access Control (MAC) address table to keep track of the MAC addresses it has seen. When a frame arrives on a port, the switch records the source MAC against that port. The first time it needs to reach an unknown destination, it floods the frame (as it also does for an ARP request); once it learns where that destination lives, it forwards only on the correct port. That targeted forwarding reduces unnecessary broadcast-like traffic and eliminates collisions when operating full duplex.

Hence, in switched Ethernet, each switch port and its attached device form a separate, independent link. Each of these links behaves on its own, typically in full duplex, which allows simultaneous send/receive and, therefore, no collisions on those links. You can think of each port-to-host connection as its own collision domain; compared to a hub, where the entire segment is one big collision domain, switched networks dramatically confine or eliminate collisions. Broadcasts still exist at Layer 2, but they don’t imply collisions the way shared-media hubs did.
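As an added illustration of the two paragraphs above (not code from the original post), here is a minimal model of a hub next to a learning switch: the switch records the source MAC of every frame against its ingress port, floods broadcasts and unknown unicasts, forwards known unicasts out exactly one port, and treats each port as its own collision domain. The port numbers are constructed and the MAC addresses are taken from the IANA documentation range.

```python
"""Added example (not from the original post): MAC learning and forwarding
on a switch, with a hub for contrast.  Ports and MACs are constructed."""

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Hub:
    """A hub has no table: every frame is repeated out every other port."""

    def __init__(self, ports):
        self.ports = set(ports)

    def receive(self, in_port, src_mac, dst_mac):
        return self.ports - {in_port}

    def collision_domains(self):
        return [self.ports]                          # the whole segment is one domain


class LearningSwitch:
    """Learns source MAC -> port, floods unknown unicast and broadcast,
    and forwards known unicast out exactly one port."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.mac_table = {}                          # mac -> port

    def receive(self, in_port, src_mac, dst_mac):
        """Return the set of egress ports for one frame."""
        if in_port not in self.ports:
            raise ValueError("unknown port %r" % (in_port,))
        self.mac_table[src_mac] = in_port            # learn; a moved host overwrites
        if dst_mac == BROADCAST or dst_mac not in self.mac_table:
            return self.ports - {in_port}            # flood
        out_port = self.mac_table[dst_mac]
        return set() if out_port == in_port else {out_port}   # filter or forward

    def collision_domains(self):
        return [{p} for p in sorted(self.ports)]     # each full-duplex link on its own


def demo(device_cls):
    """Replay PC-A (port 1) -> PC-B (port 2), B's reply, then A again;
    return the three egress sets so hub and switch can be compared."""
    dev = device_cls([1, 2, 3, 4])
    pc_a, pc_b = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b"   # documentation-range MACs
    first = dev.receive(1, pc_a, pc_b)    # B unknown: flooded everywhere but port 1
    reply = dev.receive(2, pc_b, pc_a)    # switch already knows A: one port; hub floods
    second = dev.receive(1, pc_a, pc_b)   # switch now knows both: port 2 only
    return first, reply, second
```

`demo(Hub)` floods all three frames, while `demo(LearningSwitch)` floods only the first and then forwards each later frame out a single port.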

Collision: Mitigation

Today, Ethernet is still the dominant enterprise networking framework, and it can be described as a contention-based system that requires a shared medium, i.e. Ethernet cables. This means that every device attached to the shared cable has the right to transmit. However, if more than one device transmits at the same time, a collision may occur.

To get a clear picture of this, imagine a set of nodes all tied into the same cable plant: they are sharing that medium. Sharing is good… except that in electronic communications, only one device can speak at a time. Think of it like a group conversation. Only one person can be understood at a time; if two people talk over each other, everyone else misses both messages. A two-way radio is a good analogy for half-duplex: push-to-talk, then release to listen. By contrast, a telephone is full-duplex: both sides can speak simultaneously without collisions.

Those collisions cause lost frames and retransmissions, reducing the efficiency and performance of the enterprise network. To mitigate this, Carrier Sense Multiple Access with Collision Detection (CSMA/CD) was introduced into Ethernet. It works in such a way that before transmitting, a station listens to the medium. If it hears silence, it sends; if it detects traffic, it waits a randomized interval before trying again. If a collision is detected, both senders back off and retry. That’s shared-media Ethernet in a nutshell: one speaker at a time, with rules to keep order.

One important thing you need to be aware of is that with a hub, the entire segment is one collision domain but with switches, each port along with its associated link is its own collision domain, and full-duplex operation removes the possibility of collisions altogether on that link. That’s why switching can be described as “smart,” scalable, and preferred for modern enterprise needs.

Recreating Errors

We tried to simulate these errors in our virtual lab environment using Cisco Modelling Labs (CML). However, we ran into some interesting limitations. On the Cisco router (R1), the duplex configuration options look like this:

That’s it – no half-duplex option, no auto. Just full. On the switch (SW1), the situation is slightly different but with the same limitation:

Again, there’s no half-duplex option. This means that both the routers and switches in this simulation environment simply do not support half-duplex configuration. The screenshots make it clear: R1 can only run full duplex, while SW1 allows auto or full, but nothing else. This matches what I have seen on the Linux endpoints in the topology (PC1, PC2, Server1, Server2). Those systems run Alpine or TinyCore Linux with BusyBox at the core. They can do basic networking with tools like “ifconfig” and netstat, but they do not let us adjust duplex or speed either. Put all that together, and the result is simple: we cannot recreate a classic duplex mismatch (full vs half), the scenario that usually produces late collisions and CRC errors in a physical CCNA lab.

Breaking Down Some Known Errors

When you enter the command “show interfaces GigabitEthernet0/0” on a Cisco router or switch, the system displays a comprehensive report about the physical and logical status of that specific interface. This command is one of the most essential tools used by network engineers to diagnose interface health, detect cabling or hardware faults, and analyse traffic flow issues across the link. The output shown indicates that the interface is administratively down, which means that it has been intentionally disabled by configuration rather than by hardware failure or network disconnection.

When investigating these errors on the Cisco operating system, we use the “show interfaces” command. In the screenshot above, the line that reads “GigabitEthernet0/0 is administratively down, line protocol is down” tells two different but related stories. “Administratively down” means that the interface was manually shut down by an administrator, typically using the shutdown command under interface configuration mode. Until it is re-enabled with the no shutdown command, the interface will remain inactive regardless of whether a cable is attached.

The phrase “line protocol is down” simply reflects that the data-link layer (Layer 2) is also inactive because there is no physical or logical carrier signal while the interface is administratively disabled. If this message instead read “up, line protocol is down,” it would usually indicate a Layer 1 or Layer 2 problem such as a faulty cable, mismatched duplex settings, or an incompatible speed configuration between devices.

The hardware and bandwidth section provides additional identification information such as “Hardware is iGbE, address is 5254.000f.2236” and “BW 1000000 Kbit/sec.” These lines confirm the hardware type and the default configured bandwidth. Although these do not directly indicate errors, they are helpful in verifying that the correct interface type and speed are being used. For instance, a mismatch in bandwidth expectation could contribute to queueing or throughput problems.

Further down the output, a large portion of the command output focuses on input and output statistics, which are critical for detecting physical-layer and data-link-layer errors. The following table summarizes the most important counters you will find in this section and how each one helps identify specific issues.

In our lab, all these counters are zero, which indicates that no physical-layer errors, collisions, or packet drops have been recorded. This is expected in a lab setting; in a real-life enterprise environment, these counters will be populated. When troubleshooting a live or active link, non-zero values in these fields are the first indicators of a problem. For example, a steadily increasing CRC counter often signals a damaged cable or connector, while late collisions point to a duplex mismatch between connected devices.

Next, the input and output queue information provides insight into internal packet processing. The line “Input queue: 0/75/0/0 (size/max/drops/flushes)” means that the input queue currently holds zero packets, can hold up to 75, and has dropped or flushed none. Likewise, “Output queue: 0/40” indicates that no packets are waiting to be transmitted and none have been discarded. If these values were rising or showing packet drops, it would suggest that the router’s processor or the interface queue is overloaded, potentially due to congestion or misconfigured quality-of-service policies.

The throughput statistics portion of the report, shown as “5 minute input rate 0 bits/sec, 0 packets/sec” and “5 minute output rate 0 bits/sec, 0 packets/sec,” displays the average data rate over the last five minutes. In this case, both are zero because the interface is shut down and not passing traffic. Under normal operating conditions, these numbers help identify unusual traffic patterns or confirm whether an interface is actively carrying data.

Finally, the collection of counters at the bottom, such as “watchdog,” “underruns,” “babbles,” and “output buffer failures,” are mostly low-level hardware indicators. Non-zero values here can point to deeper hardware or driver issues within the network interface card.

The command “show interfaces” or “show interfaces <interface_name>” is used to determine whether an interface is physically operational, administratively active, and free from transmission or reception errors.
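The reading of “show interfaces” given above, turned into a small parser and rule set. This is an added example, not code from the original post or from Cisco: `LAB_OUTPUT` reuses the status, hardware, bandwidth, queue and rate lines quoted in the post, while the remaining counter lines (and the whole of `FAULTY_OUTPUT`, which shows a CRC and late-collision count on an up/up link) are constructed in IOS format and are not a real device capture. `diagnose()` maps the counters to the interpretations given in this section: administratively down versus up/down, CRC errors pointing at the cable or connector, late collisions pointing at a duplex mismatch, queue drops pointing at congestion or QoS, and the hardware-level indicators.

```python
"""Added example (not from the original post): parse 'show interfaces'
output and turn its counters into troubleshooting findings.  Sample text is
constructed in IOS format around the values quoted in the post."""
import re

LAB_OUTPUT = """\
GigabitEthernet0/0 is administratively down, line protocol is down
  Hardware is iGbE, address is 5254.000f.2236
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Output queue: 0/40 (size/max)
  5 minute input rate 0 bits/sec, 0 packets/sec
  5 minute output rate 0 bits/sec, 0 packets/sec
     0 packets input, 0 bytes, 0 no buffer
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 packets output, 0 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 output buffer failures, 0 output buffers swapped out
"""

# Constructed: an up/up link showing the two classic Layer 1/2 symptoms.
FAULTY_OUTPUT = LAB_OUTPUT.replace(
    "GigabitEthernet0/0 is administratively down, line protocol is down",
    "GigabitEthernet0/1 is up, line protocol is up",
).replace("0 input errors, 0 CRC", "153 input errors, 153 CRC"
).replace("0 late collision", "42 late collision")

STATUS_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)")
QUEUE_RE = re.compile(r"Input queue: (\d+)/(\d+)/(\d+)/(\d+).*?Total output drops: (\d+)")
COUNTER_RE = re.compile(r"(\d+) ([A-Za-z][A-Za-z ]*?)(?=,|$)")   # "153 CRC," -> (153, "CRC")


def parse_show_interfaces(text):
    """Return name, status, protocol and a dict of named counters."""
    result = {"name": None, "status": None, "protocol": None, "counters": {}}
    for raw in text.splitlines():
        line = raw.strip()
        m = STATUS_RE.match(line)
        if m:
            result["name"], result["status"], result["protocol"] = m.groups()
            continue
        m = QUEUE_RE.search(line)
        if m:
            _size, _max, drops, flushes, out_drops = map(int, m.groups())
            result["counters"].update({"input queue drops": drops,
                                       "input queue flushes": flushes,
                                       "total output drops": out_drops})
            continue
        if line[:1].isdigit():                         # counter lines start with a number
            for value, name in COUNTER_RE.findall(line):
                result["counters"][name.strip().lower()] = int(value)
    return result


def diagnose(parsed):
    """Map the parsed fields to the interpretations given in the post."""
    c = parsed["counters"]
    findings = []
    if parsed["status"] == "administratively down":
        findings.append("%s is administratively down: shut down by configuration, "
                        "needs 'no shutdown' if it should be active" % parsed["name"])
    elif parsed["status"] == "up" and parsed["protocol"] == "down":
        findings.append("up/down: Layer 1 or Layer 2 problem (cable, duplex or speed mismatch)")
    if c.get("crc", 0):
        findings.append("CRC errors (%d): suspect a damaged cable or connector" % c["crc"])
    if c.get("late collision", 0):
        findings.append("late collisions (%d): suspect a duplex mismatch" % c["late collision"])
    if c.get("input queue drops", 0) or c.get("total output drops", 0):
        findings.append("queue drops: congestion or a misconfigured QoS policy")
    hw = [k for k in ("watchdog", "underruns", "babbles", "output buffer failures") if c.get(k, 0)]
    if hw:
        findings.append("hardware/driver indicators non-zero: " + ", ".join(hw))
    return findings
```

On `LAB_OUTPUT` the only finding is the administratively-down status, matching the all-zero counters described above; on `FAULTY_OUTPUT` the parser picks up 153 CRC errors and 42 late collisions and `diagnose()` returns the cable and duplex-mismatch findings. In practice you would run this twice a few minutes apart and compare, since a counter that is rising matters more than one that is merely non-zero.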

Compare Physical Interface and Cabling Types https://danielawele.link/compare-physical-interface-and-cabling-types Mon, 01 Sep 2025 21:37:58 +0000 https://danielawele.link/?p=1322

The focus of this topic is single-mode fiber, multimode fiber, copper cables and their connectors. Remember that in networking, we are specifically referring to “enterprise networking”, hence you should know that making money …. or saving money is the goal. This means efficient business operations and planning.

When comparing physical interface and cabling types, we are invariably dealing with one framework, two physical cabling types and two physical interface types. We will be discussing Ethernet as the “framework”, “copper/fiber” as the physical cabling types and “RJ45/Small Form-factor Pluggable (SFP)” as the connector types.

Why Standards

History shows what happens without shared rules. Two well-known examples are AppleTalk and Apple’s adoption of USB-C. AppleTalk, launched in 1985, was clever, easy to use, and truly plug-and-play: Apple’s proprietary Macintosh computers could automatically assign addresses, update names, and even handle routing without a central server. It spread beyond Apple’s ecosystem, appearing on IBM PCs, the Apple IIGS, printers, file servers, and some routers. For a while it made networking almost effortless, but it was proprietary, and once the industry rallied around TCP/IP and Ethernet in the 1990s, AppleTalk couldn’t keep up. These open standards scaled better across mixed environments, so AppleTalk slowly faded, finally disappearing with Mac OS X 10.6 in 2009. Now, translate that to networking and the stakes are far higher.

The second clear example of the power of standards is the decision by the European Union (EU) requiring Apple to adopt the universal USB-C charging port. Prior to this, Apple, like many other device manufacturers, could pursue its own proprietary designs, often claiming superior efficiency or innovation. Had every company in the world continued down this path, the result would likely have been a fragmented ecosystem in which, for instance, only Apple devices could call other Apple devices, or Samsung phones could call solely within the Samsung ecosystem.

Avoiding this kind of interoperability problem was the purpose of introducing the 802.3 standards in networking. These standards define the choice of cables and connectors used in networking devices globally. Without universal frameworks like IEEE 802 (for LANs and WLANs), each vendor would implement incompatible media, frames, and signaling. Your Juniper router wouldn’t link to a Cisco switch, campus networks couldn’t join service-provider backbones, and regions like Europe, the United States, and Africa would struggle to interconnect. The internet’s explosive growth, new protocols, global reach, and cross-industry value all rest on these shared specifications. Standards are the invisible glue that makes global, borderless connectivity possible.

Standards For Network Cabling Types (Ethernet 802.3)

In modern networking, there are only two types of cables, but each has what I (emphasis on “I”) can describe as sub-types. They are:

  • Copper Cables
    • Coaxial Cables
    • Shielded Twisted Pair
    • Unshielded Twisted Pair
        
  • Fibre Cables
    • Single Mode Fibre
    • Multi-Mode Fibre

For the best reference material on the above, please go to Jeremy’s IT Lab – Interfaces and Cables and Connections Ethernet shared media and point to point – CCNA.

However, here is a brief description of each of the cable types shown in the image above:

  • Category 5/5e (802.3u): Category 5 was the workhorse of enterprise and residential networking through the late 1990s and 2000s. Supporting Fast Ethernet, it enabled the rise of broadband internet, office LANs, and small-scale data networks. Today, Cat 5e is still found in many office buildings, small businesses, and homes. It supports 1 Gbps speeds and remains “good enough” for everyday internet access, VoIP phones, and Wi-Fi access points, but most new installations now favor higher categories. If a new deployment were being performed, it would be unwise to use Cat 5 or 5e cables in 2025.

  • Category 6/6a (802.3ab): Category 6 and 6a cabling became the backbone of modern office and campus networks. Cat 6 is widely used for Gigabit Ethernet to desktops, while Cat 6a is the standard choice for 10GBASE-T in enterprise wiring closets and server rooms. Schools, hospitals, and corporate offices typically deploy Cat 6a to ensure long-term viability: when they need to deploy newer routers and switches, they can skip re-cabling the enterprise. In data centers, Cat 6a provides a cost-effective alternative to fibre for short-to-medium runs, particularly in structured cabling between switches and patch panels.

  • Category 7/7a (802.3an): Category 7 and 7a are niche but important for environments where electromagnetic interference is a real challenge. With full shielding around every pair and an outer shield, they are used in mission-critical sites such as industrial control systems.

  • Category 8.1/8.2 (802.3bq): Category 8 is highly specialized and designed almost exclusively for data centers. With support for 25/40GBASE-T, it connects top-of-rack switches to servers or between switches over very short distances. Cloud providers and hyperscale data centers may deploy Cat 8 in specific zones where copper is still favored for cost and backward compatibility with RJ-45. However, because of its 30-meter distance limit, fibre generally dominates large-scale deployments.

  • Single-Mode Fibre (802.3z, 802.3ae): Single-mode fibre is the technology of choice for wide-area networks, long campus backbones, and inter-data centre links. ISPs and telecom providers rely on it to deliver high-speed services across cities and between core network sites. Enterprises use single-mode fibre for connecting distant buildings or extending networks across industrial parks. In cloud computing, single mode underpins the interconnects between hyperscale data centres, carrying 10G, 40G, and even 400G links across tens of kilometres.

  • Multi-Mode Fibre (802.3z, 802.3ae): Multi-mode fibre shines in local environments where cost and density matter more than distance. It’s the standard for high-speed connectivity within data centers, providing short-range links between switches, servers, and storage arrays. Large campuses, universities, and hospitals use multi-mode to link wiring closets and distribution points within buildings. Thanks to its affordability and support for 10 Gbps over several hundred meters, it remains a practical solution for high-speed enterprise networks.

Standards For Network Physical Interface (Ethernet 802.3)

RJ45 Connectors:

RJ45 is the standard physical connector used for Ethernet cabling over twisted pair copper (Cat5e, Cat6, Cat6a, Cat7, Cat8). It has 8 pins (8P8C – eight positions, eight contacts) that carry data signals, and in some cases power (PoE). RJ45 connectors are used in switches, routers, PCs, and patch panels, making them the most familiar plug in networking. They support speeds from 10 Mbps (10BASE-T) up to 40 Gbps (40GBASE-T with Cat 8), depending on the category of cable.

Small Form Factor Pluggable (SFP):

[Image: SFP transceiver module. Photograph by Christophe Finot, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=50571220]

SFP is a compact, hot-swappable transceiver module used mainly in switches, routers, and servers. Unlike RJ45, which is fixed to copper, an SFP module can support different media types: fibre (multi-mode or single-mode) and even copper (with an RJ45 SFP). Standard SFP modules support speeds up to 1 Gbps, while SFP+ extends this to 10 Gbps, and newer variants like SFP28, QSFP+, and QSFP28 reach 25, 40, and 100 Gbps. SFPs provide flexibility, allowing network devices to be customized for the required distance, speed, and cabling type.

Conclusion

Without mincing words, standards in enterprise networking exist so that network device vendors, digital service providers, and electronics or Original Equipment Manufacturers (OEMs) that want to communicate electronically on the TCP/IP stack have a common ground for engineering their devices or systems to carry the bits and bytes of data. They exist so devices, software, and networks built by different vendors can speak the same language. In networking, IEEE 802.3 (Ethernet) provides that common ground: it defines how bits move on the wire, so equipment from Cisco, Juniper, HP, and everyone else can interoperate reliably.

Describe Characteristics of Network Topology Architectures https://danielawele.link/describe-characteristics-of-network-topology-architectures Wed, 27 Aug 2025 14:54:38 +0000 https://danielawele.link/?p=1086

Definition of Network Topology Architecture

Modern network topology is one of the most difficult things to define. This is because the needs and requirements of enterprises differ. Even within the same enterprise, the needs and requirements may fluctuate over time. Tailoring a network design that an enterprise will trust demands not only technical expertise but also years of practical experience on the part of the network engineer.

So, we will state again that this is not a tutorial; these topics were covered in detail in Jeremy’s IT Lab LAN Architectures, Jeremy’s IT Lab Virtualization & Cloud and Jeremy’s IT Lab WAN Architectures (you will definitely see some of his wording here because I have listened to him a lot over the last two years).

According to Cisco, network topology is

… used to describe the physical and logical structure of a network. It maps the way different nodes on a network — including switches and routers — are placed and interconnected, as well as how data flows. Diagramming the locations of endpoints and service requirements helps determine the best placement for each node to optimize traffic flows.

In the design of network topologies, the architecture chosen is never arbitrary. These deployments can be resource intensive, especially on the financial side, so the architecture is shaped directly by the specific needs of the enterprise. These needs differ significantly depending on the size of the organization, its departments, its geographic distribution, available budget, and the regulatory or compliance environment in which it operates. At the top of these considerations are four core drivers: stability, speed, scalability, and security.

Technical Definitions

1.2.a Two-tier

The two-tier architecture, also known as a collapsed core design, consists of two hierarchical layers: the access layer and the core/distribution layer. It omits the dedicated core layer found in a three-tier design, making it a simpler and more cost-effective option.

At the access layer, end devices such as servers, desktop computers, wireless LAN controllers, access points, IoT devices, IP phones, and printers connect directly to the access switches located on each floor. These switches provide the first point of connectivity and aggregation for users and devices. They usually have comparatively higher port density and often provide features such as Power over Ethernet (PoE), port security, Dynamic ARP Inspection (DAI), and Quality of Service (QoS) marking to prioritize critical traffic.

Traffic from the access switches is forwarded upward to the distribution layer, which aggregates connections from all access layer switches. The distribution layer is where we configure network policies such as Access Control Lists (ACLs) and redundancy protocols like HSRP or VRRP, and it provides uplinks to external services including the WAN, internet, or enterprise data centers.

The trade-off, however, is that performance can be limited. When Layer 2 switches are used at the access layer, there will be redundant links blocked by the Spanning Tree Protocol (STP), reducing overall efficiency. By contrast, deploying Layer 3 switches or routers at the access layer allows the use of Equal-Cost Multi-Path (ECMP), enabling multiple active paths and improving throughput. This makes the design more resilient and better suited to larger enterprise branches, where redundancy and traffic handling are critical. Another advantage is that the access and distribution layers can be expanded independently, allowing the network to scale in a more flexible way to meet growing business demands.

The switches used at the access and distribution layers in a two-tier network are generally simpler and less expensive and do not come with core, application-centric functions. This makes them easier to manage, more cost-effective to deploy, and well suited to locations where only enterprise-grade connectivity and aggregation are required. In many cases, organizations adopt a two-tier model not just to save money but because it matches the exact operational needs of the site it is being deployed to, whether it be a small headquarters, a branch office, or a retail environment.
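The access-layer and distribution-layer features described above (port security, DAI, QoS marking, ACLs, HSRP) as a collapsed-core configuration. This is an added example, not from the post; hostnames, VLAN numbers and addresses are made up, and the syntax follows classic Catalyst IOS (3560/3750 style), so command names may differ on other platforms.

```cisco
! ===== Access switch (Layer 2) =====
hostname ACC-FLOOR1
!
vlan 10
 name USERS
vlan 20
 name VOICE
vlan 99
 name MGMT
!
! DHCP snooping must be enabled before DAI: DAI validates ARP replies
! against the DHCP snooping binding table.
ip dhcp snooping
ip dhcp snooping vlan 10,20
ip arp inspection vlan 10,20
!
mls qos
!
interface range GigabitEthernet1/0/1 - 24
 description User PC + IP phone
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 ! port security: at most one PC and one phone, learned and saved
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! end-host ports: skip STP listening/learning, shut down on rogue BPDU
 spanning-tree portfast
 spanning-tree bpduguard enable
 ! trust CoS markings only if a Cisco phone is detected on the port
 mls qos trust cos
 mls qos trust device cisco-phone
!
interface GigabitEthernet1/0/48
 description Uplink to DIST-1
 switchport mode trunk
 switchport trunk allowed vlan 10,20,99
 ! the uplink is the one place DHCP offers and ARP from the gateway
 ! are legitimately seen, so it is trusted
 ip dhcp snooping trust
 ip arp inspection trust
!
interface Vlan99
 description Management SVI
 ip address 10.99.0.11 255.255.255.0
ip default-gateway 10.99.0.1
!
! ===== Distribution / collapsed-core switch (Layer 3) =====
hostname DIST-1
ip routing
!
! Policy lives here: user VLAN may not reach the management VLAN
ip access-list extended USERS-IN
 deny   ip any 10.99.0.0 0.0.0.255
 permit ip any any
!
interface Vlan10
 description Users gateway
 ip address 10.10.0.2 255.255.255.0
 ip access-group USERS-IN in
 standby version 2
 standby 10 ip 10.10.0.1
 standby 10 priority 110
 standby 10 preempt
!
interface Vlan99
 description Management gateway
 ip address 10.99.0.2 255.255.255.0
 standby version 2
 standby 99 ip 10.99.0.1
 standby 99 priority 110
 standby 99 preempt
```

A second distribution switch would carry the same SVIs with lower HSRP priority; `show ip arp inspection statistics` and `show port-security` on the access switch show whether either control is actually dropping anything.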

1.2.b Three-tier

The three-tier LAN design is built around three hierarchical layers: the access layer, the distribution layer, and the core layer. This model is widely used in large enterprises, universities, and organizations with multiple buildings or departments because it delivers scalability, resilience, and performance. Cisco generally recommends introducing a core layer when a network has more than three distribution layers within a single location.

At the access layer, end devices such as computers, printers, IP phones, cameras, IoT devices, and wireless access points connect to access switches. These switches provide user connectivity, enforce port-level security, support Power over Ethernet (PoE) for IP phones and access points, and apply basic Quality of Service (QoS) marking.

The distribution layer sits above the access switches and aggregates their connections. It is the boundary between Layer 2 and Layer 3, where inter-VLAN routing is performed, and policies such as Access Control Lists (ACLs), route filtering, and redundancy protocols (HSRP, VRRP, GLBP) are applied. This layer also provides connectivity to external services such as WAN and data centers, ensuring that departmental traffic flows are efficiently managed.

The core layer functions as the high-speed backbone of the network. Its primary purpose is fast and resilient transport between distribution blocks, avoiding CPU-intensive tasks such as packet filtering or QoS classification. All connections at this layer are Layer 3, which eliminates reliance on Spanning Tree Protocol (STP) and ensures continuous connectivity even if devices fail. By keeping the core focused purely on speed and redundancy, the network achieves stability and high availability at scale.

The three-layer architecture offers several key benefits. It is highly scalable, allowing new access and distribution blocks to be added as the enterprise grows. It is reliable, with redundancy at multiple levels so the network remains operational even if one component fails. It also delivers better performance, as the core layer provides dedicated bandwidth and reduces congestion between departments or sites.

The trade-offs are increased cost and complexity, since the design requires very high-performance hardware, more interconnections, and greater expertise to deploy and maintain. For this reason, the three-tier model is most appropriate for large enterprises, universities, and organizations that require secure, high-speed connectivity across multiple sites and departments with room to grow.

NB: For smaller LANs, two tiers are sufficient, but as the size goes beyond the threshold recommended by Cisco, you have to scale to three tiers for operational and management efficiency.

1.2.c Spine-leaf

This design was developed for data center operations, so we can say that it is a data-center design. It is the foundation of what Cisco refers to as Massively Scalable Data Center Network Fabric (MSDC) designs. According to Cisco ….

Massively Scalable Data Centers (MSDCs) are large data centers, with thousands of physical servers (sometimes hundreds of thousands), that have been designed to scale in size and computing capacity with little impact on the existing infrastructure. Environments of this scale have a unique set of network requirements, with an emphasis on application performance, network simplicity and stability, visibility, easy troubleshooting, and easy life-cycle management, etc. Examples of MSDCs are large web/cloud providers that host large distributed applications such as social media, e-commerce, gaming, Software as a Service (SaaS), Artificial Intelligence and Machine Learning (AI/ML) workloads, etc. These large web/cloud providers are often also referred to as hyper-scalers or cloud titans.

The central focus of modern data center design is application performance. Today’s applications are built on modular deployments and microservices, where numerous smaller components must constantly interact across different physical servers. This generates heavy east-west traffic within the data center, far exceeding traditional north-south flows between users and the internet.

Modern networks must be able to scale compute instances up or down on demand and support fast failover in case of bottlenecks or failures. Redundancy at the switching and routing layers ensures workloads can reroute instantly, a necessity for industries like finance, healthcare, and e-commerce where downtime is costly. Virtualization platforms such as Hyper-V and VMware ESXi further enhance resiliency, with features like vMotion enabling live migration of workloads without service disruption.

Segmentation is equally vital. Technologies such as VLANs, VRFs, VXLANs, and micro-segmentation isolate tenants and microservices on shared infrastructure, maintaining both security and predictable performance.

At the heart of this ecosystem is the spine-leaf fabric, designed for scalability, resiliency, and efficiency. Each leaf connects to every spine, creating a fully meshed network with predictable latency, uniform bandwidth, and multiple active paths. Unlike hierarchical designs, there are no lateral leaf-to-leaf or spine-to-spine links. End hosts connect only to leaves, ensuring consistency: every server is the same number of hops away from every other.

External connectivity is provided through edge or boundary nodes, which allow controlled traffic to flow beyond the fabric. Security and segmentation are enforced using ACLs, VLAN/VRF boundaries, and VXLAN overlays, while routing protocols such as OSPF and BGP manage internal and external route propagation. This preserves both the integrity and efficiency of the fabric, enabling seamless and secure communication across modern enterprise and hyperscale data centers.

1.2.d Wide Area Network

A Wide Area Network (WAN) is a network that spans large geographic areas and connects multiple Local Area Networks (LANs). WANs are used by enterprises to link offices, data centers, and remote sites together. While the Internet itself can be seen as a WAN, the term is usually applied to private enterprise connections. In situations where traffic must move over public infrastructure like the Internet, VPNs are used to build secure, private WAN connections. Depending on geography, different WAN technologies are available, and what is considered “legacy” in one region may still be in use elsewhere.

In practice, it is network service providers such as Bell, AT&T, and others that deliver these WAN services over what are essentially private “digital highways.” They own and operate the backbone infrastructure, and in fact, many of them are also the main deployers of spine-leaf topologies at scale to support the enormous east-west traffic patterns across their networks.

Because these backbones are shared by many customers, providers use network virtualization and segmentation to isolate traffic. This creates logically separate environments for each customer, commonly referred to as tenants. For example, twelve banks in Canada, alongside one hundred power stations, multiple insurance companies, and other organizations with WAN needs, may all run across the same physical backbone. Yet, through technologies such as VRFs, MPLS VPNs, or VXLAN overlays, each tenant remains fully isolated. No customer can view or interfere with another’s traffic, even though they are technically traversing the same infrastructure.
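The tenant isolation described above, shown as VRF-lite on a single provider-edge router. This is an added example, not from the post; the hostname, tenant names and addresses are constructed, and it deliberately gives both tenants the same 10.0.0.0/24 subnet to show that the tables really are separate (a full MPLS L3VPN would add MP-BGP between PE routers, which is omitted here).

```cisco
! Constructed example: one PE router, two tenants, both using
! 10.0.0.0/24 on their side. In the global routing table these
! would collide; in separate VRFs they never see each other.
hostname PE-1
!
vrf definition BANK-A
 rd 65000:101
 address-family ipv4
 exit-address-family
!
vrf definition POWER-B
 rd 65000:102
 address-family ipv4
 exit-address-family
!
! Tenant-facing interfaces. Note: "vrf forwarding" removes any IP
! address already on the interface, so the address is set afterwards.
interface GigabitEthernet0/1
 description Customer Edge, Bank A
 vrf forwarding BANK-A
 ip address 10.0.0.1 255.255.255.0
!
interface GigabitEthernet0/2
 description Customer Edge, Power Station B
 vrf forwarding POWER-B
 ip address 10.0.0.1 255.255.255.0
!
! One OSPF process per tenant; each process only learns routes
! inside its own VRF, so Bank A's prefixes never leak to Power B.
router ospf 101 vrf BANK-A
 network 10.0.0.0 0.0.0.255 area 0
!
router ospf 102 vrf POWER-B
 network 10.0.0.0 0.0.0.255 area 0
!
! Verification after applying the above:
!   show ip route vrf BANK-A    -> only Bank A's routes
!   show ip route vrf POWER-B   -> only Power B's routes
!   ping vrf BANK-A 10.0.0.2    -> reaches Bank A's CE, never Power B's
!   ping 10.0.0.2               -> fails: the global table has no such route
```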

For enterprises, the priority is usually to manage and secure their own internal networks, while leaving the actual branch-to-branch connectivity hand-off to their service provider partners. This division of responsibility allows companies to focus on application performance, policy, and security, while relying on carriers to guarantee the underlying connectivity across cities, provinces, or even continents. Some technologies used to achieve this isolation include:

  • WAN over Dedicated Connections (Leased Lines):
    One of the earliest WAN technologies is the leased line, a dedicated physical link between two sites. Leased lines commonly use serial technologies with HDLC or PPP encapsulation. They are reliable but expensive, with long installation times and lower bandwidth compared to modern Ethernet WANs. For this reason, Ethernet delivered over fiber has become the more popular choice for enterprise WAN connections. In a traditional leased line setup, a hub-and-spoke topology is often used, where branch offices connect directly back to a central hub.

  • MPLS VPNs:
    Multi-Protocol Label Switching (MPLS) is a widely adopted service provider technology that allows enterprises to connect sites over a shared backbone. Service providers’ MPLS networks are shared infrastructures, but MPLS uses label switching to create VPNs that keep customer traffic isolated. Customer Edge (CE) routers connect to Provider Edge (PE) routers, while Provider (P) routers handle the internal forwarding of labeled packets. In a Layer 3 MPLS VPN, CE routers form routing adjacencies with PE routers using protocols such as OSPF. Routes from one CE are then advertised through the provider to the CE at another site, enabling seamless communication. In contrast, a Layer 2 MPLS VPN makes the provider’s backbone transparent. The CE routers appear directly connected in the same subnet, and if a routing protocol is used, the CE routers peer with each other as if no provider network existed. MPLS can be accessed through various underlying technologies, and segmentation is achieved through VRFs that ensure customers remain isolated from one another, even though thousands of tenants may share the same physical backbone.

  • Internet Connectivity:
    Enterprises also connect to the Internet in a variety of ways. Traditional private WAN services such as leased lines and MPLS can be used to connect to a service provider’s Internet backbone. On the other hand, consumer technologies such as DSL and cable broadband are also used by some organizations, especially for branch offices. Increasingly, fiber-optic Ethernet is becoming the standard for both enterprise and consumer Internet access because of its ability to deliver high bandwidth over long distances. Connections can be single-homed, dual-homed, or multi-homed depending on how much redundancy and fault tolerance an organization requires.

  • Internet VPNs:
    When the Internet is used as a WAN, there is no inherent security or traffic separation. Enterprises solve this by deploying VPNs. Site-to-Site VPNs using IPsec create encrypted tunnels between two routers, allowing secure communication between two sites. The tunnel encapsulates and encrypts the original packets, protecting them as they traverse the public Internet. However, IPsec tunnels only support unicast traffic, which limits the ability to run multicast-based protocols such as OSPF. To address this, enterprises often use GRE over IPsec, which adds flexibility by supporting multicast and broadcast traffic while still maintaining encryption with IPsec. A more advanced solution is DMVPN (Dynamic Multipoint VPN), a Cisco-developed technology that simplifies configuration. Instead of manually creating a full mesh of tunnels between all sites, routers build IPsec tunnels dynamically when communication is needed. This provides the efficiency of direct spoke-to-spoke communication with the simplicity of a hub-and-spoke design.

  • Site-to-Site vs Remote-Access VPNs:
    Site-to-site VPNs provide permanent, encrypted connectivity between two or more locations, typically using IPsec. They allow entire offices to securely exchange data across the Internet and are ideal for interconnecting branch sites, data centers, or headquarters. Remote-access VPNs, by contrast, are designed for individual users. These VPNs typically use TLS (formerly SSL), the same protocol that secures HTTPS, to create on-demand encrypted tunnels from a single device into the enterprise network. Client software such as Cisco AnyConnect, installed on laptops or mobile devices, connects securely to a corporate firewall or router acting as the VPN server. This approach is especially well-suited for employees and contractors working from home or other untrusted networks, enabling them to safely access internal company resources wherever they are.
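The GRE over IPsec design from the Internet VPNs item above, written out for one side of a site-to-site tunnel that carries OSPF. This is an added example, not from the post; the hostnames and addresses are constructed (RFC 5737 documentation ranges for the public side), the pre-shared key is a placeholder, and the branch router mirrors this configuration with source and destination swapped.

```cisco
! Constructed example, HQ side. Plain IPsec only carries unicast, so
! OSPF (which uses multicast hellos) runs inside a GRE tunnel and the
! GRE packets are then encrypted by IPsec.
hostname HQ
!
! --- IKE Phase 1: how the two routers authenticate each other ---
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! PLACEHOLDER: a long random pre-shared key, one per peer
crypto isakmp key REPLACE-WITH-STRONG-PSK address 198.51.100.2
!
! --- Phase 2: how the GRE packets are protected ---
! transport mode is enough, because GRE already adds the outer header
crypto ipsec transform-set GRE-TS esp-aes 256 esp-sha256-hmac
 mode transport
!
crypto ipsec profile GRE-PROT
 set transform-set GRE-TS
!
interface GigabitEthernet0/0
 description Internet uplink
 ip address 203.0.113.1 255.255.255.252
!
interface GigabitEthernet0/1
 description HQ LAN
 ip address 192.168.10.1 255.255.255.0
!
! --- GRE tunnel, protected by the IPsec profile ---
interface Tunnel0
 description GRE over IPsec to BRANCH
 ip address 10.255.0.1 255.255.255.252
 ! GRE + ESP overhead: lower MTU/MSS so packets are not fragmented
 ip mtu 1400
 ip tcp adjust-mss 1360
 tunnel source GigabitEthernet0/0
 tunnel destination 198.51.100.2
 tunnel protection ipsec profile GRE-PROT
!
! OSPF forms its adjacency across the tunnel, not across the Internet
router ospf 1
 passive-interface GigabitEthernet0/1
 network 10.255.0.0 0.0.0.3 area 0
 network 192.168.10.0 0.0.0.255 area 0
!
! Verification after both sides are configured:
!   show crypto isakmp sa     -> state QM_IDLE means Phase 1 is up
!   show crypto ipsec sa      -> encaps/decaps counters increasing
!   show ip ospf neighbor     -> BRANCH in FULL state on Tunnel0
```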

1.2.e Small office/home office (SOHO)

A SOHO network is the setup used in small offices, home offices, or even households with only a few devices. It doesn’t have to be a formal office—any small space with internet-connected devices qualifies. Unlike enterprises that use multiple dedicated appliances, SOHO networks usually rely on a single home router that combines routing, switching, firewalling, wireless access, and sometimes modem functions. This makes them simple and affordable but also more limited in performance and security.

With the rise of remote work, SOHO networks often serve as the bridge between employees and enterprise systems. Because this traffic may cross the open internet, companies add extra layers of protection. VPN tunnels are used to encrypt communications end to end. Multi-factor authentication ensures users are properly verified. Zero Trust models demand that every request be authenticated, even within the VPN.

SOHO networks are essential for remote work and small setups, offering convenience through a single all-in-one device.

1.2.f On-premises and cloud

Cloud computing marks a major departure from traditional on-premises and co-location models. In the past, organizations had to purchase servers, networking gear, storage, and the physical environment—including space, power, and cooling—then manage it all themselves. Co-location provided some relief by renting space in third-party data centers, but responsibility for equipment upkeep still remained with the customer. The rise of cloud computing transformed this model by enabling IT resources to be consumed as services, rather than owned and operated directly.

In modern times, the default deployment model in practice is hybrid. Even organizations that maintain significant on-premises infrastructure are, at a minimum, using cloud services such as Microsoft 365, making “pure on-prem” environments increasingly rare. Hybrid cloud has become the de facto reality—combining local infrastructure with public cloud platforms to balance flexibility, scalability, and compliance requirements.

At its foundation, cloud computing is defined by five key traits: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. These capabilities make it possible to dynamically scale resources, support diverse devices, and pay only for what is consumed.

However, the shift from on-premises to hybrid and cloud brings with it a heightened focus on security. Protecting data and ensuring trust across multiple environments—whether local servers, SaaS platforms, or public cloud infrastructure—has become one of the central priorities for modern IT strategy. We will explore these security considerations in greater detail as we progress in this section.

Services in the cloud are generally delivered in three layers.

  • Software as a Service (SaaS) provides fully managed applications such as Microsoft 365, Gmail, or Salesforce, where users simply consume the application without managing the underlying infrastructure.

  • Platform as a Service (PaaS) gives developers an environment to build and deploy applications without worrying about the operating system or servers, with examples such as AWS Lambda or Google App Engine.

  • Infrastructure as a Service (IaaS) offers the most flexibility by allowing organizations to rent virtualized infrastructure such as servers, storage, and networking, while maintaining control of the operating systems and applications themselves. Examples include AWS EC2 and Microsoft Azure virtual machines.

Cloud computing can also be deployed in four different models.

  • A private cloud is dedicated to a single organization and may be managed internally or by a third party, providing the same services as public cloud but restricted to one entity.

  • A community cloud is shared by organizations with common requirements, such as compliance or mission goals, though it is less common.

  • Public cloud is the most widely used model and is available to the general public, with providers like AWS, Microsoft Azure, and Google Cloud Platform leading the space.

  • Hybrid cloud is a combination of two or more models, enabling workloads to move between private and public clouds to balance scalability, cost, and flexibility.

To connect securely with public clouds, enterprises typically use private WAN services or encrypted VPN tunnels over the internet. This ensures sensitive data remains protected when moving between on-premises systems and cloud environments. Security measures such as IPsec VPNs and private connectivity options give enterprises confidence that their traffic is safeguarded.

The benefits of cloud computing are substantial. Organizations reduce capital expenditures by avoiding large upfront investments in hardware and data centers. Services can scale globally, with resources provisioned from locations close to users. The cloud also enables speed and agility, allowing IT teams to launch resources in minutes instead of weeks. Productivity increases as staff spend less time managing physical hardware, while reliability improves through built-in redundancy and disaster recovery capabilities.

In summary, cloud computing provides a flexible, scalable, and cost-effective way to deliver IT services. Its defining characteristics, layered service models, and deployment options give organizations the tools to meet modern demands for performance and security.

Explain the Role and Function of Network Components https://danielawele.link/explain-the-role-and-function-of-network-components Fri, 22 Aug 2025 22:56:26 +0000 https://danielawele.link/?p=980

Now, we are picking the first topic in the CCNA blueprint provided by Cisco as my first topic of discussion. Mind you, this is not a tutorial ( … go to Jeremy’s IT Lab for that). We are going to be using a university as a case study to show how these devices play a role in their environment. For random reasons, we will be using a popular university in the United States of America as a case study. “The University of Washington (UW), established in 1861, is among the oldest universities on the U.S. West Coast. Its main campus in Seattle covers 700 acres, complemented by satellite campuses in Tacoma and Bothell, and includes more than 500 buildings. As of fall 2024, UW has an enrollment of about 51,719 students – 35,397 undergraduates and 16,322 postgraduates. With a workforce of over 34,600 across its campuses and health system, it stands as one of the largest institutions in the region.” For simplicity’s sake, we will assume that they own all of their networking equipment and don’t use “other people’s datacenter” (i.e., cloud … do you feel the sarcasm here … just kidding).

Pretend for a few minutes that you are a network engineer working in this environment: you need devices and systems that will carry internet connectivity across the Seattle campus’s 700 acres, connect the branch campuses, network 500 buildings, and provision services such as email and Wi-Fi, in addition to making sure that the network is stable and available for educational content delivery to over 100 thousand people!!! Daily!!!

We will be discussing the devices that make this possible, but first we need to define some basic technical networking terms.

What is a Network?

Every time you use AirDrop or Bluetooth on your phones, when those two devices pair, they form a network. Likewise, if you use any type of computer cable to connect just two computers, that, in its basic form, is a network.

Borrowing a few words from the networking gurus in Cisco,

Computer networking refers to connected computing devices (such as laptops, desktops, servers, smartphones, and tablets) and an ever-expanding array of IoT devices (such as cameras, door locks, doorbells, refrigerators, audio/visual systems, thermostats, and various sensors) that communicate with one another.

1.1 Explain the role and function of network components

1.1.a Routers:

This is the networking device that interconnects different networks and directs traffic along predefined or configured paths, thus deterministically forwarding data between these networks.

Juniper’s website defines it comprehensively thus:

“Routers allow devices to connect and share data over the Internet or an intranet. A router is a gateway that passes data between one or more local area networks (LANs). Routers use the Internet Protocol (IP) to send IP packets containing data and IP addresses of sending and destination devices located on separate local area networks. Routers reside between these LANs where the sending and receiving devices are connected. Devices may be connected over multiple router “hops” or may reside on separate LANs directly connected to the same router. 

Once an IP packet from a sending device reaches a router, the router identifies the packet’s destination and calculates the best way to forward it there. The router maintains a set of route-forwarding tables, which are rules that identify how to forward data to reach the destination device’s LAN. A router will determine the best router interface (or next hop) to send the packet closer to the destination device’s LAN. Once a device sends an IP packet, routers determine that packet’s best route over the Internet or intranet to reach its destination most efficiently and in accordance with quality-of-service agreements.”

1.1.b Layer 2 and Layer 3 Switches:

Before distinguishing between Layer 2 and Layer 3 switches, it is important to remember that a switch is a networking device that connects hosts within the same Local Area Network (LAN)—this is the fundamental role of a Layer 2 switch. A Layer 3 switch, on the other hand, adds routing functionality, allowing it to manage traffic not only within the LAN but also between different networks and Virtual Local Area Networks (VLANs), similar to the way a router operates. In simple terms, a Layer 3 switch combines the features of both a switch and a router in a single box and can be configured to perform both roles accordingly.

1.1.c Next-generation firewalls (NGFW) and Intrusion Prevention System (IPS):

A next-generation firewall is an advanced security device that goes beyond traditional firewalls. In addition to filtering traffic by ports and IP addresses, NGFWs can identify and control traffic at the application level, detect and block malware, enforce user-based policies, and integrate with threat intelligence. They combine firewall, intrusion prevention, and sometimes VPN and antivirus features in one system. One practical caveat: deep inspection is expensive, so the throughput an NGFW achieves with all of these features enabled is much lower than its headline firewall figure, and it must be sized for the former.

An IPS is a security device that continuously monitors network traffic for suspicious activity or known attack patterns (signatures). Unlike an intrusion detection system (IDS), which only alerts administrators, an IPS is configured to act automatically: blocking malicious traffic, resetting connections, or dropping harmful packets to stop threats in real time. The practical difference is placement: an IPS must sit inline in the traffic path so that it can drop packets, whereas an IDS can be fed a copy of the traffic from a SPAN port or network tap and therefore cannot stop anything by itself.

1.1.d Access points:

An access point is a networking device that allows wireless devices (like laptops, phones, and IoT devices) to connect to a wired LAN. It acts as a bridge between the wireless network and the wired infrastructure, extending network coverage and enabling mobility. This is the connection you find in public places such as coffee shops, airports, schools, etc.

1.1.e Controllers (Cisco DNA Center and WLC):

Cisco DNA Center (now sold as Cisco Catalyst Center): A centralized network management and automation platform. It provides end-to-end visibility, policy-based configuration, AI-driven analytics, and automation across wired and wireless networks. It simplifies management by using intent-based networking, where administrators define what they want the network to do, and the system implements it.

Wireless LAN Controller (WLC): A dedicated device or software that manages multiple wireless access points in an enterprise network. It centralizes tasks such as configuration, security, firmware updates, and load balancing. This ensures consistent policies, seamless roaming, and efficient use of wireless resources.

1.1.f Endpoints:

Endpoints are devices that connect to and use a network’s resources. They include user devices such as desktops, laptops, smartphones, and tablets, as well as IoT devices, printers, and servers.

1.1.g Servers:

Servers are powerful computers or virtual machines that provide shared resources, services, or applications to other devices (clients) on a network. They can host websites, manage databases, run applications, store files, handle email, or provide security services (authentication, logging, certificate issuance) for users and the network alike.

1.1.h PoE:

Power over Ethernet (PoE) is a technology that allows network cables to carry both data and electrical power to devices, eliminating the need for separate power adapters. The IEEE standards define the budget per port: 802.3af (PoE) delivers up to 15.4 W, 802.3at (PoE+) up to 30 W, and 802.3bt (PoE++) up to 60 W or 90 W. Common PoE-powered devices include IP phones, wireless access points, and security cameras. It simplifies installation, reduces cabling costs, and provides centralized power management. Check the switch's total PoE budget as well as the per-port class: not every 48-port switch can power all 48 ports at full PoE+ at the same time.

Our Network Diagram (Fake Network Diagram)

Let us design a fitting network diagram based on the information available about the University of Washington on Wikipedia. In networking, this kind of setup is referred to as a campus network, a standard enterprise architecture that is customized to fit the unique requirements of each organization. Hence the saying in networking: “no two networks are ever the same.”

The university’s main location is in Seattle, which serves as the central hub of operations. In addition, there are branch campuses located in Tacoma and Bothell, all of which must be seamlessly interconnected to support collaboration and resource sharing.

The scale of the university is significant, with over 500 buildings distributed across its campuses. As of Fall 2024, the institution supports a student population of more than 51,700 and a workforce exceeding 34,600 staff across both academic and health system operations.

For the purpose of this design, we will assume that the university owns and manages all of its networking equipment internally, without reliance on external cloud services or third-party datacenters. This approach highlights the need for a robust, secure, and self-sufficient campus network infrastructure capable of supporting such a large academic and research community.

Routers – The Campus Connectors

Routers are the traffic orchestrators of the UW network. At the Seattle main campus, a core router connects to the branch campuses in Tacoma and Bothell, so that traffic between them follows the configured routes. Without this router, each campus would be cut off from the others.

Also notice in the diagram that each campus has its own internal router. These routers manage traffic inside the campus network itself, selecting the configured or learned path for data to move between buildings (classrooms, labs, gyms, and offices). Together, the core router (between campuses) and the local routers (within campuses) ensure that every network can reach every other.
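To make the forwarding decision concrete, here is an added example, not code from the original post or from any vendor, of the lookup a router performs for 1.1.a and for the core and campus routers in the diagram: a small routing table that applies longest-prefix match first and administrative distance second. The prefixes, interfaces and next hops are constructed for this illustration; the campus uses RFC 1918 space and the WAN and Internet links use RFC 5737 documentation addresses.

```python
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[str]      # None for a directly connected network
    interface: str
    admin_distance: int          # Cisco defaults: connected 0, static 1, OSPF 110


class RoutingTable:
    """Minimal routing table: longest-prefix match, then lowest administrative distance."""

    def __init__(self) -> None:
        self._routes: list[Route] = []

    def add(self, prefix: str, interface: str, next_hop: Optional[str] = None,
            admin_distance: int = 1) -> None:
        network = ipaddress.IPv4Network(prefix, strict=True)
        self._routes.append(Route(network, next_hop, interface, admin_distance))

    def lookup(self, destination: str) -> Optional[Route]:
        dst = ipaddress.IPv4Address(destination)
        candidates = [r for r in self._routes if dst in r.prefix]
        if not candidates:
            return None  # no matching route and no default route: the packet is dropped
        # Most specific prefix wins; only among equal prefix lengths does the lowest AD win.
        return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.admin_distance))


def build_core_router() -> RoutingTable:
    """Hypothetical Seattle core router. Every address here is constructed for the example."""
    table = RoutingTable()
    table.add("10.1.0.0/16", "Gi0/0", admin_distance=0)                            # Seattle campus, connected
    table.add("10.1.50.0/24", "Gi0/0", next_hop="10.1.0.2")                         # research zone behind the IPS, static
    table.add("10.2.0.0/16", "Gi0/1", next_hop="192.0.2.2", admin_distance=110)     # Tacoma, learned via OSPF
    table.add("10.3.0.0/16", "Gi0/2", next_hop="192.0.2.6", admin_distance=110)     # Bothell, learned via OSPF
    table.add("0.0.0.0/0", "Gi0/3", next_hop="203.0.113.1")                         # default route to the Internet edge
    return table


def forward(table: RoutingTable, destination: str) -> Optional[tuple[str, Optional[str]]]:
    """Return (egress interface, next hop) for a destination, or None if the packet must be dropped."""
    route = table.lookup(destination)
    return None if route is None else (route.interface, route.next_hop)


if __name__ == "__main__":
    core = build_core_router()
    for dst in ("10.1.50.10", "10.1.7.3", "10.2.3.4", "8.8.8.8"):
        print(dst, "->", forward(core, dst))
```

Note the order of the tie-break: prefix length first, administrative distance second. The static /24 for the research zone beats the connected /16 for hosts inside the /24 even though connected routes have the lower AD; AD only decides between two sources offering the same prefix. Remove the default route and any destination outside the campus prefixes is dropped, which is exactly the "why can nobody reach the Internet" symptom.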

Switches – Inside the Campus

Switches act as the local connectors within each campus building. They aggregate the connections coming from end hosts. In each building, they link student laptops and desktops to learning platforms; in labs, they connect research computers and specialized equipment; and in offices and gyms, they support staff systems and IoT devices. By handling all the traffic that stays within a building, switches ensure fast and reliable communication among nearby devices.

Once data needs to leave the building, it is passed on to the campus router, which directs it to other buildings or campuses. This division of roles keeps the overall network structured, efficient, and easy to scale across hundreds of buildings.
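The following added example, not code from the original post or from any vendor, shows why the Layer 2 switch of 1.1.b keeps traffic inside a LAN while the building switches described here hand everything else to the router: it simulates per-VLAN MAC learning, flooding of unknown destinations, and a port-security limit on how many source MACs one port may present. The port names, MAC addresses and VLAN numbers are constructed.

```python
from __future__ import annotations

from dataclasses import dataclass, field

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str


@dataclass
class Layer2Switch:
    """Access switch with per-VLAN MAC learning and a port-security MAC limit."""
    port_vlans: dict[str, int]                       # access port -> VLAN it belongs to
    max_macs_per_port: int = 2                       # port-security 'maximum' (hypothetical default)
    mac_table: dict[tuple[int, str], str] = field(default_factory=dict)   # (vlan, mac) -> port
    err_disabled: set[str] = field(default_factory=set)                    # ports shut by a violation

    def _macs_on_port(self, port: str) -> int:
        return sum(1 for p in self.mac_table.values() if p == port)

    def receive(self, in_port: str, frame: Frame) -> list[str]:
        """Process a frame arriving on in_port and return the ports it is forwarded out of."""
        if in_port in self.err_disabled:
            return []                                # a shut-down port accepts nothing
        vlan = self.port_vlans[in_port]
        key = (vlan, frame.src_mac)
        if self.mac_table.get(key) != in_port:
            if self._macs_on_port(in_port) >= self.max_macs_per_port:
                # Port-security violation (shutdown mode): too many source MACs on one port,
                # the classic symptom of an attacker spoofing MACs to overflow the table.
                self.err_disabled.add(in_port)
                return []
            self.mac_table[key] = in_port            # learn: this MAC lives behind in_port, in this VLAN
        if frame.dst_mac == BROADCAST or (vlan, frame.dst_mac) not in self.mac_table:
            # Broadcast or unknown unicast: flood to every other port in the SAME VLAN only.
            return sorted(p for p, v in self.port_vlans.items()
                          if v == vlan and p != in_port and p not in self.err_disabled)
        out_port = self.mac_table[(vlan, frame.dst_mac)]
        return [] if out_port == in_port else [out_port]


def building_scenario() -> dict[str, list[str]]:
    """Constructed walk-through on one hypothetical access switch: two student PCs in VLAN 10,
    a research workstation in VLAN 30, and a port receiving a MAC-flooding attempt."""
    sw = Layer2Switch({"Gi1/0/1": 10, "Gi1/0/2": 10, "Gi1/0/3": 30, "Gi1/0/4": 30})
    pc_a, pc_b, research = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02", "cc:cc:cc:00:00:03"
    results: dict[str, list[str]] = {}
    results["a_to_b_first"] = sw.receive("Gi1/0/1", Frame(pc_a, pc_b))          # pc_b unknown: flood VLAN 10
    results["b_replies"] = sw.receive("Gi1/0/2", Frame(pc_b, pc_a))             # pc_a known: one port
    results["a_to_b_second"] = sw.receive("Gi1/0/1", Frame(pc_a, pc_b))         # both known now
    results["research_announces"] = sw.receive("Gi1/0/3", Frame(research, BROADCAST))  # learned in VLAN 30
    results["a_to_research"] = sw.receive("Gi1/0/1", Frame(pc_a, research))    # flood stays inside VLAN 10
    for i in range(3):  # attacker on Gi1/0/4 presents three different source MACs
        results[f"flood_{i}"] = sw.receive("Gi1/0/4", Frame(f"de:ad:be:ef:00:{i:02x}", BROADCAST))
    results["err_disabled"] = sorted(sw.err_disabled)
    return results


if __name__ == "__main__":
    for step, ports in building_scenario().items():
        print(f"{step:20s} -> {ports}")
```

Two things to take from the run: a frame addressed to the research workstation is flooded only inside the sender's VLAN and never crosses into VLAN 30 even though the switch knows where that MAC is, which is precisely the gap a Layer 3 switch or router fills; and the third spoofed source MAC trips the port-security limit and shuts the port, the standard counter to an attacker trying to exhaust the MAC table.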

Firewalls (IDS Role) – Guard at the Gate

At the edge of every campus, a firewall serves as the first line of defense, much like a security guard at the main gate. It examines all traffic entering or leaving the network, permitting the communication that policy allows and blocking the rest. In this design the policy also drops traffic sourced from countries the university has no business with (Russia, China, North Korea and Iran are the examples used here). Treat such geo-blocking as noise reduction rather than protection: attackers routinely relay through hosts in other countries, so the block removes bulk scanning but not a targeted adversary.

In this setup, the firewalls also function as Intrusion Detection Systems (IDS), monitoring traffic patterns for anything unusual. If suspicious activity is detected, the firewall alerts administrators so they can investigate and respond quickly. Be precise about what does what here: the firewall policy is what stops traffic at the perimeter; the IDS function only observes and raises alerts, so anything it flags that the policy did not already block has reached the internal network and needs a human (or the IPS in the research zone) to deal with it.

IPS – Special Forces for Sensitive Data

Within the Seattle campus, the Top-Secret Government Research zone is safeguarded by an Intrusion Prevention System (IPS), providing security beyond standard monitoring. Unlike an IDS, which only detects and alerts administrators about suspicious activity, the IPS actively intercepts and blocks malicious traffic in real time. This proactive defense ensures that sensitive research data, experiments, and government projects remain protected from cyberattacks. In effect, the IPS acts like a specialized security force, standing guard over the university’s most critical and confidential work.
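Here is an added example, not from the original post or from any product, that turns the IDS/IPS distinction from 1.1.c and the two sections above into code: one signature engine, run once in IDS mode (fed a copy of the traffic, alert only) and once in IPS mode (inline, drop on match). The signatures, addresses and HTTP requests are constructed for the illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    sid: int
    name: str
    dport: int | None         # None = any port
    pattern: re.Pattern       # compiled regex applied to the payload


# Constructed signatures for illustration only; real rule sets (Snort, Suricata) are far richer.
SIGNATURES = [
    Signature(1001, "HTTP path traversal", 80, re.compile(rb"\.\./\.\./")),
    Signature(1002, "SQL injection tautology", 80, re.compile(rb"(?i)'\s*or\s+1\s*=\s*1")),
]


@dataclass
class InspectionEngine:
    """One signature engine, two deployment modes.
    'ids': sees a copy of the traffic (SPAN/tap); it can only alert, the original packet is long gone.
    'ips': sits inline; a match drops the packet before it reaches the destination host."""
    mode: str
    signatures: list[Signature] = field(default_factory=lambda: list(SIGNATURES))
    alerts: list[tuple[int, str, str, str]] = field(default_factory=list)

    def inspect(self, pkt: Packet) -> bool:
        """Return True if the packet is allowed to reach its destination."""
        hits = [s for s in self.signatures
                if (s.dport is None or s.dport == pkt.dport) and s.pattern.search(pkt.payload)]
        for sig in hits:
            self.alerts.append((sig.sid, sig.name, pkt.src, pkt.dst))
        if hits and self.mode == "ips":
            return False                  # blocked inline
        return True                       # clean traffic, or IDS mode: alert but forward


# Constructed traffic toward a hypothetical research web server (RFC 1918 / RFC 5737 addresses).
SAMPLE_TRAFFIC = [
    Packet("10.1.20.15", "10.1.50.10", 80, b"GET /papers/index.html HTTP/1.1\r\n"),
    Packet("203.0.113.7", "10.1.50.10", 80, b"GET /static/../../etc/passwd HTTP/1.1\r\n"),
    Packet("198.51.100.23", "10.1.50.10", 80, b"GET /login?user=' OR 1=1-- HTTP/1.1\r\n"),
    Packet("10.1.20.16", "10.1.50.10", 22, b"SSH-2.0-OpenSSH_9.6\r\n"),
]


def run(mode: str) -> tuple[list[bool], int]:
    """Push the sample traffic through an engine in the given mode; return (forwarded flags, alert count)."""
    engine = InspectionEngine(mode)
    forwarded = [engine.inspect(p) for p in SAMPLE_TRAFFIC]
    return forwarded, len(engine.alerts)


if __name__ == "__main__":
    print("IDS:", run("ids"))   # everything forwarded, two alerts raised
    print("IPS:", run("ips"))   # the two malicious requests are dropped, same two alerts
```

The engine is identical in both runs; only its placement changes what a match can do. That is also why new or tuned signatures are normally run in alert-only mode first: a false positive on an inline IPS drops legitimate research traffic, while on an IDS it only costs an analyst some time.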

Access Points – Wi-Fi Everywhere

Across more than 500 buildings at the University of Washington, Access Points (APs) deliver Wi-Fi so that students, staff, and researchers can connect without needing physical cables. In this scenario there will be thousands of APs! In classrooms, APs enable laptops and tablets to access online learning resources; in labs, they support wireless research devices and collaboration tools; and in gyms or common areas, they keep smartphones and tablets connected for communication and campus services. By extending the wired network into the air, APs provide seamless wireless coverage, giving the university community the flexibility to stay connected while moving throughout the campus.

Controllers – The Command Center

Cisco DNA Center: The University of Washington’s network spans over 500 buildings across three campuses, supporting more than 51,000 students and 34,000 staff. Each building likely contains multiple switches to handle the demands of classrooms, labs, offices, gyms, and research areas, easily amounting to several thousand switches in total, along with thousands of wireless access points.

Managing such a large network manually, by logging into each switch, router, or access point one at a time, would be time-consuming, error-prone, and difficult to scale. Cisco DNA Center addresses this by providing a single centralized platform for management and orchestration. From one console, network engineers can monitor the health of all devices across the entire university, configure policies once and push them consistently to every switch or access point, and roll out updates or security changes across the network without touching individual devices.

For example, a policy that separates student Wi-Fi traffic from sensitive research networks can be applied to all 500 buildings at once, rather than configured one device at a time. Likewise, a firmware update or configuration change can be staged and deployed across thousands of switches and access points in a coordinated way. In effect, Cisco DNA Center turns what would be thousands of repetitive device-level tasks into centralized, orchestrated actions, ensuring consistency, reducing downtime, and simplifying the operation of one of the largest campus networks in the region.

Wireless LAN Controller (WLC): This is the operational orchestrator of the wireless APs. Wi-Fi runs on shared radio spectrum, so access points can “talk over” one another and create co-channel and adjacent-channel interference unless the radio environment is centrally coordinated. At the University of Washington, with thousands of APs across 500-plus buildings serving more than 51,000 students and 34,000 staff, a Wireless LAN Controller (WLC) provides that coordination.

The WLC continuously monitors RF conditions at each AP and automates channel selection, transmit power control, client load balancing, and airtime fairness to limit interference and keep performance stable. It also centralizes configuration and security by pushing SSIDs, authentication policies, and firmware updates to every AP, and it enables fast and secure roaming so users can move from lecture halls to libraries and gyms without drops. By coordinating the radio layer and the operational layer from one console, the WLC makes UW’s large wireless estate manageable, consistent, and reliable.
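As an added example, not code from the original post and not Cisco's Radio Resource Management algorithm, the following reduces the channel-selection part of what the WLC does to its core: APs that can hear each other form a graph, and the controller colors that graph with the three non-overlapping 2.4 GHz channels so that neighbors avoid sharing a channel wherever possible. The AP names and their neighbor relationships are constructed.

```python
from __future__ import annotations

NON_OVERLAPPING_2G = (1, 6, 11)   # the only non-overlapping 20 MHz channels in 2.4 GHz (FCC domain)


def build_neighbor_graph(edges: list[tuple[str, str]]) -> dict[str, set[str]]:
    """Turn 'these two APs can hear each other' pairs into a symmetric adjacency map."""
    graph: dict[str, set[str]] = {}
    for a, b in edges:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def assign_channels(neighbors: dict[str, set[str]],
                    channels: tuple[int, ...] = NON_OVERLAPPING_2G) -> dict[str, int]:
    """Greedy channel plan: most-constrained AP first; never reuse a neighbor's channel if a
    free one exists; otherwise take the channel with the fewest neighbors already on it."""
    order = sorted(neighbors, key=lambda ap: (-len(neighbors[ap]), ap))
    plan: dict[str, int] = {}
    for ap in order:
        used = {plan[n] for n in neighbors[ap] if n in plan}
        free = [c for c in channels if c not in used]
        if free:
            plan[ap] = free[0]
        else:
            # Every channel is taken nearby: unavoidable co-channel reuse, minimize it.
            plan[ap] = min(channels,
                           key=lambda c: (sum(1 for n in neighbors[ap] if plan.get(n) == c), c))
    return plan


def co_channel_conflicts(neighbors: dict[str, set[str]], plan: dict[str, int]) -> int:
    """Count neighbor pairs that ended up on the same channel (each pair counted once)."""
    seen: set[frozenset[str]] = set()
    conflicts = 0
    for ap, peers in neighbors.items():
        for peer in peers:
            pair = frozenset((ap, peer))
            if pair in seen:
                continue
            seen.add(pair)
            if plan[ap] == plan[peer]:
                conflicts += 1
    return conflicts


# Constructed RF neighborhood for five APs in one hypothetical building (not real UW data).
BUILDING_EDGES = [("AP-A", "AP-B"), ("AP-B", "AP-C"), ("AP-C", "AP-D"),
                  ("AP-D", "AP-A"), ("AP-A", "AP-E"), ("AP-B", "AP-E")]
BUILDING_NEIGHBORS = build_neighbor_graph(BUILDING_EDGES)


def compare_plans() -> tuple[int, int]:
    """(conflicts with every AP left on the same channel 6, conflicts after planning)."""
    naive = {ap: 6 for ap in BUILDING_NEIGHBORS}
    planned = assign_channels(BUILDING_NEIGHBORS)
    return (co_channel_conflicts(BUILDING_NEIGHBORS, naive),
            co_channel_conflicts(BUILDING_NEIGHBORS, planned))


if __name__ == "__main__":
    print(assign_channels(BUILDING_NEIGHBORS))
    print("conflicts before/after:", compare_plans())
```

A real WLC works from measured neighbor signal strength, uses the far larger 5 GHz and 6 GHz channel sets, adjusts transmit power as well, and revisits the plan as the RF environment changes; but the reason a plan beats leaving every AP on the same channel is the graph-coloring problem shown here. When the graph is denser than the channel count allows (four APs that all hear each other), some co-channel reuse is unavoidable, and that is where reducing transmit power or moving to 5 GHz comes in.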

Endpoints

Endpoints are the everyday devices that bring the university’s network to life. For students, this includes laptops used in classrooms and libraries, tablets for coursework, and smartphones that connect throughout the campus. In the academic and research environment, endpoints also extend to lab desktops, specialized research IoT devices, and high-performance systems used for experiments and simulations. Faculty and staff rely on networked printers, administrative desktops, and HR workstations to carry out academic and operational tasks. Beyond this, the campus makes extensive use of IP cameras for security, smart locks for controlled access to sensitive areas, and connected classroom technologies that support modern teaching methods. These endpoints are the ultimate reason the network exists, and every router, switch, firewall, and controller in the architecture works together to ensure they remain secure, accessible, and reliable for daily academic, research, and administrative use.

Servers – The University’s Brain

Servers are the central brain of the university’s IT system, powering essential services for students, faculty, and staff. They host learning platforms with course materials, lecture recordings, and grades; provide researchers with secure access to valuable databases and archives; and support administration by managing HR files, payroll, and other internal systems. In the network diagram, these appear as Enterprise Services and Network Management Services, placed in secure zones at the main campus to safeguard sensitive data.

To access these resources, the branch campuses in Tacoma and Bothell rely on their routers, which connect them back to the main campus servers. Without this setup, the academic, research, and administrative functions across the university’s 500+ buildings and three campuses could not operate.

PoE – One Cable, Two Jobs

At a large university like the University of Washington, running separate cables for both power and network data to every device would be expensive, complex, and time-consuming. Power over Ethernet (PoE) solves this by allowing a single Ethernet cable to carry not just data, but also electrical power.

For example, devices such as access points (APs), IP phones, and security cameras can all be powered directly through the same cable that connects them to the network. This eliminates the need for individual power outlets at every installation point—something especially useful when mounting cameras on ceilings or APs in hallways.

By using PoE, the university can cut down installation costs, reduce the amount of cabling required, and make it far easier to deploy and manage thousands of devices spread across more than 500 buildings. It also allows centralized control of power—meaning IT staff can remotely restart or shut down a device without having to physically access it.

Conclusion

Hence we can see that in the University of Washington enterprise network, routers play two key roles. The core router at the Seattle campus connects the branch campuses in Tacoma and Bothell, routing traffic between the different campus networks. At the same time, each campus has its own internal routers, which route traffic within the campus, moving data between buildings, classrooms, labs, offices, and departments. This reflects the CCNA 1.1.a Routers blueprint, showing how they direct traffic both between networks and inside large campus networks.

Within each building, switches connect devices such as computers, lab equipment, and office systems, supporting local communication as described in 1.1.b Switches. Each campus edge is secured by firewalls that also work as IDS, while an IPS protects the sensitive research zone, aligning with 1.1.c Firewalls and IPS. Access points extend Wi-Fi across classrooms and offices (1.1.d APs), and controllers like the WLC and DNA Center centrally manage thousands of APs and automate the entire network (1.1.e Controllers).

The network serves endpoints such as laptops, smartphones, and IoT devices (1.1.f Endpoints) and relies on servers for learning platforms, research databases, grades, and HR systems (1.1.g Servers). Finally, PoE powers APs, IP phones, and cameras over the same cable, simplifying deployment (1.1.h PoE).

Together, these components form a Campus Network, demonstrating how the CCNA 1.1 blueprint applies in a real-world enterprise environment.

Preparing For My Cisco Certification Path. https://danielawele.link/preparing-for-my-cisco-certification-path Wed, 20 Aug 2025 03:13:05 +0000 https://danielawele.link/?p=851

In my previous post, I set out why the Cisco pathway represents the most fitting choice FOR ME (you are allowed to think otherwise for YOU). From a career standpoint, I view it as both a natural and logical progression of my knowledge. More importantly, I am persuaded that a focus on core Network Engineering is a wise course – it sharpens my reasoning, deepens my understanding, and enables me to grasp the underlying processes behind many of the environments I have encountered. To this end, I shall be embarking upon the Cisco Certified Network Associate (CCNA) and recording my journey here.

Although I already possess a few industry-grade technical certifications, I feel compelled to return to the very foundations – networking – especially since I have recently completed a diploma in computer networking technology.

I do not intend to publish exhaustive tutorials in this space; rather, my purpose is to present each concept in plain terms, to demonstrate its application in real-world scenarios, to share insights from my own experiences, and to direct readers towards valuable tutorials and resources, both free and paid.

Newbie, Experienced (Maybe in Any IT Field), or Expert?

My rule of thumb is the picture below:

As my rule of thumb, if you cannot immediately recognise, explain, or demonstrate practical experience with the components listed under the Network Fundamentals section of the CCNA blueprint on Cisco’s website – such as routers, Layer 2 and Layer 3 switches (if you do not know the difference between routers and switches: pleeeaaaasseeeee … they are not the same), next-generation firewalls, intrusion prevention systems, access points, controllers (e.g. Cisco DNA Center and WLC), endpoints, servers, or Power over Ethernet (PoE) – then, by definition, you are still at the level of a beginner.

However, whatever stage you may be at – whether a novice, a seasoned practitioner, or an expert – it must be said without embellishment that Cisco examinations can whop your ass! It would be an illusion to think that networking concepts can be mastered “half-asleep, standing akimbo.” To really grasp it, you need to stay focused, stay consistent, and keep practicing repeatedly. You must read widely, revise consistently, and make use of tools such as flashcards and structured study resources. The less experience you have in the industry, the more essential this dedication to practice becomes.

The moral of this section is that you need to practice, A LOT!!!

Resources

Preparation must be anchored in hands-on “labbing,” beginning with accessible tools like Cisco Packet Tracer. Beyond this, Cisco Modeling Labs (CML) provides a powerful, real-world emulation of Cisco’s product suite. With CML, you can observe precisely how devices operate in live environments—even down to the subtleties of commands that take time to propagate, allowing you to witness the process unfold in real time. For those seeking a no-cost option, Cisco DevNet Sandbox offers reservable CML instances entirely free of charge. This invaluable multi-device and multi-API resource enables learners to bridge traditional networking with the modern domains of automation, programmability, and DevOps practices. Within this environment, you can safely explore a wider range of Cisco products, experiment with APIs, scripting, and network programmability, and strengthen the very skills that align with the future of networking.

Equally important is cultivating the habit of searching for information. A career in networking will involve an ongoing process of “googling” and upskilling; therefore, there is no better time to begin developing this instinct than now.

Finally, a word on Artificial Intelligence. As a beginner, AI can be both a blessing and a curse. It certainly offers benefits that may accelerate your learning, yet it can also foster dependence and short-circuit genuine understanding. Thus my advice is not to avoid it entirely, but to use it with caution—and I repeat for emphasis—use it with caution !!!

Tutorials: My Recommendations

Your most reliable companion in this endeavor will be YouTube. For beginners in particular, I place Jeremy’s IT Lab at the very top of the list. His explanations are delivered at a deliberate and measured pace, making even complex concepts remarkably easy to follow. If your budget allows, I would go further to recommend his paid course on Udemy. In short, whatever Jeremy advises—whether it be a lab exercise, a study focus, or even a resource to purchase—heed his guidance without hesitation. He recommends Boson a lot, and I totally agree with him.

In addition, I recommend the Custodian Data Centre’s YouTube channel for those who wish to gain a visual peek into what real data centres look like. To complement this with a broader perspective on networking and the internet itself, I strongly suggest the video “How Does the Internet Work? – Glad You Asked S1”, which provides a clear and engaging explanation of how the global network operates.

Aim to Learn “Enterprise Networking”, Not Just “Networking”.

This is different from your home Wi-Fi! … very, very different. With every topic you encounter, ground your understanding by considering how it is applied within real-world enterprises. In networking, the term enterprise encompasses far more than just corporations—it refers to organizations and institutions of every scale and sector. Think of banks, insurance companies, universities, colleges, state high-school boards, sports teams, power stations, shipping companies, shipping vessels, your nation’s Army, Navy, and Air Force, security agencies such as the FBI and CIA, your local airport control tower, the airport itself, stadiums—the list is virtually endless. All of these fall within the scope of what we call enterprises in networking terminology.

You would observe that the sizes of these enterprises vary greatly, and so do their needs. A small regional bank may require secure VPN access for remote employees, while a multinational financial institution must manage vast data centres, redundant links, and advanced intrusion detection systems. A sports stadium may focus on delivering reliable, high-density Wi-Fi to tens of thousands of fans, whereas a power station prioritises industrial control systems, low-latency communication, and strict segmentation to safeguard against cyberattacks. A shipping company may need resilient satellite and WAN connectivity across oceans, while a military base demands encrypted communication, layered defence, and zero-trust architectures.

Always use such organizations, or incidents that have occurred within them, as case studies in your research. By examining how different enterprises tackle networking challenges—whether through redundancy, automation, security frameworks, or cloud integration—you not only strengthen your theoretical understanding but also gain insights into how networking operates under real-world pressure.

Introduction to Networking … Why Cisco?? https://danielawele.link/introduction-to-networking-actually-introduction-to-cisco Mon, 18 Aug 2025 20:34:39 +0000 https://danielawele.link/?p=790

Even today, professionals encounter numerous alternatives — from competing networking vendors to emerging cloud platforms — for both infrastructure solutions and certification pathways. Yet, our focus here is on Cisco’s certification track and its curriculum.

The world is bound together by an immense web of cables stretching across continents and beneath oceans. Every email, video stream, and cloud application depends on this backbone. At the center of it, Cisco has long been a driving force, engineering the routers and switches that sustain global connectivity.

Cisco’s influence reaches far beyond hardware. Foundational standards such as VLAN tagging (IEEE 802.1Q), Spanning Tree (IEEE 802.1D and its rapid variant 802.1w), Ethernet (IEEE 802.3), and 802.1X port-based access control were promoted or shaped by Cisco’s contributions, even where the idea originated elsewhere (Ethernet at Xerox PARC, Spanning Tree at DEC). Proprietary technologies including Enhanced Interior Gateway Routing Protocol (EIGRP), Inter-Switch Link (ISL), VLAN Trunking Protocol (VTP), and Hot Standby Router Protocol (HSRP) also set industry benchmarks and influenced the development of open standards such as VRRP and of modern automation practices. Though new technologies and competitors continue to emerge, Cisco remains a cornerstone of networking and a dominant force in the enterprise IT landscape.

But really …. Why Cisco?

Industry Recognition: The Cisco Certified Network Associate (CCNA) is widely regarded as one of the most valuable entry-level certifications in the IT industry. Employers across the globe recognize it as a credible benchmark for networking knowledge. Holding a CCNA demonstrates to hiring managers and organizations that you possess the skills needed to understand, configure, and troubleshoot modern enterprise networks.

Career Value: Beyond being an entry point, the CCNA is a gateway to advanced certifications such as CCNP (Cisco Certified Network Professional) and CCIE (Cisco Certified Internetwork Expert). It validates your ability to apply networking concepts in real-world enterprise environments, making it highly relevant for roles in system administration, network engineering, and IT infrastructure. In many organizations, the CCNA serves as a minimum requirement for career progression in networking. At the highest levels, certifications like the CCIE are regarded as the gold standard. Even in banking, cloud service providers, and government institutions, core enterprise operations and backbone networks are often designed, maintained, and optimized by CCIE-certified professionals. This progression highlights how the CCNA can be the first step toward an elite career path in networking.

Comprehensive Foundation: The CCNA curriculum is designed to give learners a broad yet solid foundation in networking. It covers everything from networking fundamentals and IP connectivity to security, automation, and programmability. This ensures that candidates not only understand how traditional networks operate but also how modern technologies like automation and cloud integration are reshaping enterprise infrastructure.

Longevity: While technology continues to evolve — with cloud, virtualization, and AI-driven solutions reshaping the IT landscape — the core networking concepts taught in the CCNA remain timeless. Understanding IP addressing, routing, switching, and network security is just as important today as it was decades ago. The modern internet is only a few decades old, yet Cisco has practically grown alongside it, shaping and supporting its expansion while continuing to make significant strides in enterprise networking. This is not to glorify Cisco, but rather to acknowledge a practical truth: if you want to save yourself the stress of wondering “Where do I start?”, start with the Cisco curriculum path. The knowledge you gain is not just vendor-specific — it is highly transferable across domains, industries, and technologies.

Cisco may have started with routers in the 1980s, but today it remains a strong player in much of the digital information technology infrastructure that we all rely on. For me, preparing for the CCNA is not just about earning a certification — it’s about building a strong foundation in networking and positioning myself for the future of the industry. And if you’re also looking for solid, transferable networking knowledge, starting with Cisco can give you the same grounding and confidence to grow in this field.

For anyone seeking to advance from beginner to an intermediate level of networking expertise, the Cisco Certified Network Associate (CCNA) offers a structured and globally recognized path to build the essential skills that underpin today’s connected world.

Virtualization in IT Infrastructure: What It Is and Why It Matters https://danielawele.link/virtualization-in-plain-english-what-it-is-and-why-it-matters Mon, 18 Aug 2025 16:56:39 +0000 https://danielawele.link/?p=766

The term virtualization is often considered ambiguous due to its broad range of applications. From the root word “virtual,” it can be understood as abstraction away from the physical, tangible resource.

We definitely have to agree with Allen B. Downey that “… an important kind of abstraction is virtualization, which is the process of creating a desirable illusion”. Since we are working within the context of information technology, it is essential to define this “desirable illusion” specifically in relation to these environments. So we can say that …

Virtualization is the process of creating virtual versions of physical resources (on physical resources … emphasis mine), such as servers, storage devices, networks, or operating systems, by using software to abstract and allocate these resources, enabling multiple virtual environments to run simultaneously on a single physical system.

For example, a single piece of hardware — whether it’s a physical server, a storage system, or a network device such as a router or switch — can be abstracted and have its resources sliced into software-defined instances. This process doesn’t mean the hardware itself becomes virtual; rather, virtualization layers on top of the hardware to extend its functionality. Through this, services such as Virtual Local Area Networks (VLANs), routing, or storage can be logically provisioned and centrally managed, while the underlying hardware continues to provide the essential physical resources. Virtualization doesn’t replace hardware. It needs the real physical device, while the virtual version runs above it — both exist at the same time.

In IT, infrastructure is usually grouped into three main categories: Computing (servers, processors), Networking (routers, switches, firewalls) and Storage (hard drives, SANs, databases). With today’s technologies and protocols, all three can be virtualized. Deploying virtualization is no longer optional — it is the very foundation of how enterprises operate. Instead of being tied to one physical server, one dedicated network device, or one storage unit, enterprises now create virtual machines, virtual networks, and virtual storage pools that can be provisioned, scaled, and managed far more flexibly.

This principle of virtualization is also what makes cloud computing possible. Providers like AWS, Azure, or Google Cloud operate massive data centers filled with servers, storage arrays, and networking equipment. Instead of assigning entire machines to individual customers, they use virtualization to carve out slices of computing, networking, and storage resources. Each customer experiences an isolated environment that appears to be dedicated hardware, even though it is running on shared physical infrastructure.

Network virtualization also enables Internet Service Providers (ISPs) to use the same physical infrastructure to deliver different classes of service to a wide range of customers and enterprises. Using technologies such as Multiprotocol Label Switching (MPLS), Virtual Routing and Forwarding (VRF), Virtual Extensible Local Area Network (VXLAN), and Virtual Local Area Network (VLAN), ISPs can separate traffic streams, enforce policies, and maintain security and performance across shared infrastructure.

The growth of virtualization has also paved the way for containerization technologies such as Docker and Kubernetes. Containers take the idea of virtualization further by allowing applications and their dependencies to run in lightweight, isolated environments without the overhead of full virtual machines. This shift is central to modern DevOps practices, where CI/CD (Continuous Integration/Continuous Deployment) pipelines automate the process of building, testing, and delivering applications quickly and reliably. In networking, tools like Containerlab extend this concept, allowing engineers to build complex virtual lab environments for testing and training without the need for racks of physical hardware.

Hence, we can see that virtualization is more than just a technical concept — it is the fundamental abstraction that makes modern computing, networking, and storage both flexible and scalable. By creating virtual versions of physical resources, organizations can maximize the use of their infrastructure, reduce costs, and adapt quickly to changing demands. This capability underpins the way enterprises operate today, enabling everything from virtual machines in a data center to entire cloud platforms serving millions of users.

In essence, virtualization — from virtual machines to containers — is the engine of modern IT. It powers the cloud, drives enterprise agility, and sustains the connectivity of smart cities and global digital services. Modern research and innovation continue to push this principle further: doing more with less physical hardware while maintaining performance, scalability, and security. As organizations evolve, virtualization and containerization will remain at the heart of digital transformation, shaping the future of how we build, deploy, and consume technology.
