
The role of switches, routers and firewalls in a network

The previous post provided an overview of computer networks and described how data is encapsulated in multiple layers of headers in order to correctly identify its source (application, device and interface) as well as its destination (application, device and interface). In this post, we will discuss the role played by network devices such as switches, routers and firewalls in transferring data from its source to its intended destination over a network.

Let's start by revisiting the HTTP request from the previous post. The request, encapsulated in TCP, IP and Ethernet headers looks like the following:

Data Link (MAC)   Source MAC: 70:F4:7D:A5:BC:4F   Destination MAC: EC:70:2C:5D:AF:F2   (Layer 2)
Network (IP)      Source IP: 10.0.0.91            Destination IP: 10.0.0.10            (Layer 3)
Transport (TCP)   Source Port: 10801              Destination Port: 80                 (Layer 4)
Data              GET / HTTP/1.1

One way of categorizing network devices is by using the layer at which the device primarily operates.

Layer 1 devices

An example of a Layer 1 network device is a hub. (We usually would not see a hub in use in a modern network. We will discuss the reasons in another post.) A hub is a Layer 1 device, and its primary purpose is to function as a repeater. An Ethernet hub has multiple Ethernet interfaces, and each interface can be connected to a host via an Ethernet cable. When a hub receives data on an interface, it retransmits the data out of each connected interface. The Layer 1 functions of the hub include the ability to detect the following:

  • the beginning and end of a stream of data;
  • gaps between data streams;
  • any collisions that might occur on an interface.

When an interface on a Layer 1 device receives an incoming data stream, it simply rebroadcasts that data stream out of each connected interface. A Layer 1 network device does not inspect any of the upper layer (Layers 2, 3 or 4) headers, or the data encapsulated within these headers.

Layer 2 devices

A switch is an example of a Layer 2 device. Switches perform a similar function to a hub, but with some enhancements. A switch inspects the Layer 2 header of every frame that enters one of its interfaces. It makes a forwarding decision based on the Destination MAC Address in the Layer 2 header.

When a switch receives the following frame:

Data Link (MAC)   Source MAC: 70:F4:7D:A5:BC:4F   Destination MAC: EC:70:2C:5D:AF:F2   (Layer 2)
Network (IP)      Source IP: 10.0.0.91            Destination IP: 10.0.0.10            (Layer 3)
Transport (TCP)   Source Port: 10801              Destination Port: 80                 (Layer 4)
Data              GET / HTTP/1.1

it will inspect the Layer 2 header, and forward the frame out of the interface that is connected to the device with MAC Address EC:70:2C:5D:AF:F2.

In the following network, the role of the switch is to inspect the Layer 2 (Ethernet) header of each frame as it enters an interface and direct the frame out of the correct interface so that it arrives at the correct destination device:

[Diagram: a switch with six interfaces (0/1 to 0/6), each connected to one host: A (10.0.0.91), B (10.0.0.92), C (10.0.0.93), D (10.0.0.94), E (10.0.0.95) and F (10.0.0.100)]

How does a switch know which MAC Addresses are connected to which interface? Basic switch operation is covered in Course 1 (Switching Basics) on this site.

Network segments

A large network may be divided up into smaller network segments. Each segment can be considered as a Layer 2 domain. This means that all of the devices within the segment can communicate with each other directly via their Layer 2 addresses. A Layer 2 device such as a switch inspects the Layer 2 headers and directs traffic to the correct destination device based on the Destination MAC Address in the Layer 2 header.

Here is an example of 4 separate network segments:

[Diagram: four network segments. Segment 1: Switch 1 with hosts A (10.0.1.15), B (10.0.1.16) and C (10.0.1.17). Segment 2: Switch 2 with hosts D (10.0.2.15), E (10.0.2.16) and F (10.0.2.17). Segment 3: Switch 3 with hosts G (10.0.3.15), H (10.0.3.16) and I (10.0.3.17). Segment 4: Switch 4 with servers J (10.10.0.10), K (10.10.0.20) and L (10.10.0.30). A router is also shown.]

The IP Addresses of devices in Segment 1 follow the pattern 10.0.1.x, those in Segment 2 follow the pattern 10.0.2.x, those in Segment 3 follow the pattern 10.0.3.x, and those in Segment 4 follow the pattern 10.10.0.x.

Switch 1 allows the devices in Segment 1 to communicate directly with each other. Switch 1 inspects the Destination MAC Address in the Layer 2 header of each frame that it receives, and makes a decision on how to forward the frame. The same is true for Switches 2, 3 and 4 in Segments 2, 3 and 4. Segment 4 contains 3 servers hosting multiple server applications.

If we want the devices in each Segment to be able to communicate with devices in each of the other segments, we would require a router to direct, or "route", traffic between the segments. The network would look like the following:

[Diagram: the same four segments, with Switch 1, Switch 2, Switch 3 and Switch 4 each connected to an interface on the router. Segment 1: A (10.0.1.15), B (10.0.1.16), C (10.0.1.17). Segment 2: D (10.0.2.15), E (10.0.2.16), F (10.0.2.17). Segment 3: G (10.0.3.15), H (10.0.3.16), I (10.0.3.17). Segment 4: J (10.10.0.10), K (10.10.0.20), L (10.10.0.30).]

Each switch is now connected to an interface on a router. The router is responsible for routing traffic between the different network segments.

Layer 3 devices

A router is a Layer 3 device. What does this mean? This means that when a data packet arrives at a router interface, the router strips off the Layer 2 header and inspects the Layer 3 (Network layer) header in order to make a forwarding decision.

Suppose Device A in the diagram above sends an HTTP request to the web server application running on Device J. When the router receives the request it strips off the Layer 2 header. The request encapsulated in the remaining Layer 3 and 4 headers would look like this:

Network (IP)      Source IP: 10.0.1.15            Destination IP: 10.10.0.20           (Layer 3)
Transport (TCP)   Source Port: 10801              Destination Port: 80                 (Layer 4)
Data              GET / HTTP/1.1

The router inspects the Layer 3 (Network Layer / IP) header and checks the Destination IP Address. Since the Destination IP Address is an address belonging to Segment 4, the router will forward the request to Switch 4 (after encapsulating it in a new Layer 2 header).

Layer 3 devices inspect Layer 3 headers and make the appropriate forwarding decision in order to route traffic between different network segments.

Network segments are covered in Course 2 (IP Addressing and Subnetting) on this site. Basic Router operation is covered in Course 3 (Routing Basics) on this site.

Firewalls

Where do firewalls fit in this scenario? The purpose of a firewall is to inspect all of the traffic that passes through it, and make decisions on whether to allow or block traffic based on certain rules (or policies) configured on it. In our case, suppose we wanted to protect the servers that are hosted on Segment 4. We would need to place a firewall "inline" between the Router and Switch 4 as shown in the diagram below:

[Diagram: the same four segments and router, now with a firewall placed inline between the router and Switch 4. Segment 1: A (10.0.1.15), B (10.0.1.16), C (10.0.1.17). Segment 2: D (10.0.2.15), E (10.0.2.16), F (10.0.2.17). Segment 3: G (10.0.3.15), H (10.0.3.16), I (10.0.3.17). Segment 4: J (10.10.0.10), K (10.10.0.20), L (10.10.0.30).]

As the diagram above shows, we now have a firewall directly between the router and Switch 4. Any traffic that enters Segment 4 from outside the segment has to pass through the firewall. Any traffic leaving Segment 4 also has to pass through the firewall. At this point, we can create rules on the firewall to restrict the traffic that is allowed to enter or exit Segment 4.

Firewall rules can generally be created based on a combination of Layer 3 and Layer 4 headers. For example, if we wanted to prevent any traffic from outside Segment 4 from reaching Device J, we could create a rule to block all incoming traffic to IP Address 10.10.0.10. After we create such a rule, if the following packet arrives at the firewall:

Network (IP)      Source IP: 10.0.1.15            Destination IP: 10.10.0.10           (Layer 3)
Transport (TCP)   Source Port: 10801              Destination Port: 80                 (Layer 4)
Data              GET / HTTP/1.1

the firewall inspects the Layer 3 header, and since the Destination IP Address matches the Destination IP Address defined in the deny rule, the firewall drops this HTTP request.

Alternatively, we could create a rule that blocks all unencrypted web traffic from entering Segment 4. To do this we would simply specify a rule that would drop all traffic that uses TCP as the Transport Layer and has the TCP Destination Port set to 80. This rule would make the firewall inspect the Layer 4 header regardless of the Destination IP Address in the Layer 3 header. If the following packet arrived at the firewall:

Network (IP)      Source IP: 10.0.1.15            Destination IP: 10.10.0.30           (Layer 3)
Transport (TCP)   Source Port: 10801              Destination Port: 80                 (Layer 4)
Data              GET / HTTP/1.1

the firewall inspects the Layer 4 header, and since the Destination TCP port matches the Destination TCP port defined in the deny rule, the firewall drops this HTTP request.

We could create a more specific rule that blocks only unencrypted web requests (TCP port 80) from Device E to Device K. If we were to create such a rule and the following packet arrived at the firewall:

Network (IP)      Source IP: 10.0.2.16            Destination IP: 10.10.0.20           (Layer 3)
Transport (TCP)   Source Port: 10801              Destination Port: 80                 (Layer 4)
Data              GET / HTTP/1.1

the firewall would inspect both the Layer 3 and the Layer 4 headers and drop the request, since the Source and Destination IP Addresses in the Layer 3 header, as well as the Destination TCP port in the TCP header, all match the conditions defined in the deny rule.

Summary

We can summarize our discussion as follows:

Layer 1 devices (such as hubs) simply retransmit data received on any interface out of every other connected interface. They do not make any forwarding decisions based on any of the upper layer headers.

Layer 2 devices (such as switches) inspect Layer 2 headers and make forwarding decisions based on the Destination Address in the Layer 2 header. Switches allow hosts on a network segment to communicate directly with each other.

Layer 3 devices (such as routers) inspect Layer 3 headers and make forwarding decisions based on the Destination Address in the Layer 3 header. Routers allow hosts residing on different network segments to communicate with each other.

Firewalls inspect both Layer 3 and Layer 4 headers to determine whether to allow or block traffic based on rules (or policies) created by an administrator.
