# NETWORK NODES PORTFOLIO STATEMENT :
This network portfolio outlines the design, deployment, and management of a secure, scalable, and high-performance enterprise network infrastructure. The network architecture follows industry best practices using a layered design model comprising edge, distribution, aggregation, core, and service-provider connectivity layers. This structured approach ensures high availability, efficient traffic flow, simplified troubleshooting, and future scalability while maintaining strong security controls.
Overall, this network portfolio demonstrates a robust and standards-compliant design focused on security, performance, redundancy, and scalability. The architecture supports enterprise applications, internet access, MPLS connectivity, and wireless services while allowing easy expansion and efficient operations. This approach ensures a future-ready network capable of meeting both current business requirements and evolving technological demands.
8.1 # HOW TO DEFINE THE EDGE DEVICES IN NETWORK :
EDGE SWITCH: At the edge layer, access switches provide reliable and secure connectivity to end-user devices such as desktops, laptops, IP phones, wireless access points, and surveillance systems. These switches support VLAN segmentation, Power over Ethernet (PoE), and port-level security mechanisms including 802.1X authentication, DHCP snooping, and port security. This layer is designed to deliver seamless user access while protecting the network from unauthorized or misconfigured devices.
EDGE ROUTER: An edge router is a router placed at the boundary (edge) of a network, where an organization’s internal network connects to external networks such as the Internet, ISP, MPLS cloud, or a service provider. It acts as the entry and exit point for all data traffic between internal users and outside networks.
Required location in infrastructure : -
| Feature | Edge Switch | Edge Router |
|---|---|---|
| Definition | An Edge Switch (also called Access Switch) is the network switch located at the edge of the LAN, where end devices directly connect to the network. | An Edge Router is a router placed at the boundary of a network, connecting the internal network (LAN) to external networks such as the Internet or an MPLS/ISP network. |
| Connected Networks | PCs / Laptops, IP Phones, Wireless Access Points, Printers / CCTV / IoT. | Internal LAN / Core network, ISP / Internet / MPLS network. |
| Main Functions | Provides network access to users, VLAN assignment, PoE (Power over Ethernet), Port security (MAC limiting), BPDU Guard, 802.1X authentication. | Routes traffic between different networks, NAT (Network Address Translation), WAN connectivity, Traffic filtering and security, Route exchange with the ISP. |
| Location in Network | Closest to users; first switching device inside the LAN. | At the network perimeter, between the enterprise network and the ISP. |
| Key Features | Mostly Layer-2 (some are Layer-3 lite), High port density (24/48 ports), PoE / PoE+ support, Low cost compared to core devices. | Layer-3 device, WAN interfaces (Fiber, Ethernet, Serial), Handles public and private IPs, High reliability. |
| Security Functions | Port security (MAC limiting), BPDU Guard, DHCP Snooping, 802.1X authentication. | ACLs (Access Control Lists), NAT / PAT (hides internal addressing but is not a substitute for filtering), Basic firewall features, VPN termination (IPsec, SSL). |
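The switch-side security functions in the table (port security, BPDU Guard, DHCP Snooping) all leave traces in the running-config, so they can be audited offline before a switch is deployed. The following is an added example and not part of the original portfolio: a small Python auditor that parses a constructed IOS-style config and flags common mistakes. The rule set (every access port needs port security and BPDU Guard, a port with a voice VLAN needs a maximum of 2 for phone + PC, trunks must never carry port security and should be trusted for DHCP snooping) is the editor's reading of this page's design; the interface names and the MAC address are made up, and 802.1X is not checked.

```python
"""Offline audit of edge-switch port hardening in an IOS-style running-config.
Added example, not part of the original portfolio: the config below is
constructed for the demo, and the rules in audit() are the editor's reading
of this page's edge-switch design (802.1X is not checked here)."""
from dataclasses import dataclass, field

SAMPLE_CONFIG = """\
ip dhcp snooping
!
interface FastEthernet0/1
 switchport mode access
 switchport access vlan 10
 switchport voice vlan 20
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation restrict
 spanning-tree bpduguard enable
!
interface FastEthernet0/2
 switchport mode access
 switchport access vlan 30
 switchport port-security
 switchport port-security mac-address 001A.2B3C.4D5E
!
interface GigabitEthernet0/1
 switchport mode trunk
 switchport port-security
!
interface GigabitEthernet0/2
 switchport mode trunk
 ip dhcp snooping trust
"""

@dataclass
class Interface:
    name: str
    lines: list = field(default_factory=list)

    def has(self, line):
        return line in self.lines   # exact match: 'switchport port-security' != '... maximum 1'

    def value(self, prefix):
        """Argument after a sub-command, e.g. value('switchport mode') -> 'access'."""
        for line in self.lines:
            if line.startswith(prefix + " "):
                return line[len(prefix) + 1:].strip()
        return None

def parse_config(text):
    """Split an IOS config into global commands and per-interface stanzas."""
    global_lines, interfaces, current = [], [], None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line == "!":
            current = None                          # stanza separator
        elif line.startswith("interface "):
            current = Interface(line.split(None, 1)[1])
            interfaces.append(current)
        elif line.startswith(" ") and current is not None:
            current.lines.append(line.strip())      # indented sub-command
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces

def audit(text):
    """Return one finding per deviation from the edge-port rules."""
    global_lines, interfaces = parse_config(text)
    findings = []
    snooping = "ip dhcp snooping" in global_lines
    if not snooping:
        findings.append("global: ip dhcp snooping is not enabled")
    for itf in interfaces:
        mode = itf.value("switchport mode")
        psec = itf.has("switchport port-security")
        if mode == "trunk":
            if psec:
                findings.append(f"{itf.name}: port-security enabled on a trunk")
            if snooping and not itf.has("ip dhcp snooping trust"):
                findings.append(f"{itf.name}: uplink trunk not trusted for DHCP snooping")
            continue
        if mode != "access":
            findings.append(f"{itf.name}: mode not pinned to access (DTP may negotiate a trunk)")
            continue
        if not psec:
            findings.append(f"{itf.name}: access port without port-security")
        else:
            maximum = int(itf.value("switchport port-security maximum") or 1)  # IOS default 1
            needed = 2 if itf.value("switchport voice vlan") else 1  # phone + PC need 2
            if maximum != needed:
                findings.append(f"{itf.name}: port-security maximum {maximum}, expected {needed}")
        if not itf.has("spanning-tree bpduguard enable"):
            findings.append(f"{itf.name}: BPDU guard not enabled on an access port")
    return findings
```

Running audit(SAMPLE_CONFIG) reports the phone port with a maximum of 1 (the PC would trigger a violation), the AP port without BPDU Guard, and the trunk that both carries port security and is untrusted for DHCP snooping; the second trunk, which is trusted and has no port security, produces nothing.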
8.2 # HOW TO DEFINE THE DISTRIBUTION DEVICES IN NETWORK :
DISTRIBUTION SWITCH: Distribution switches sit between the edge layer and the core layer and act as the control and policy enforcement point of the network. They aggregate multiple edge switches and usually operate at Layer-3, enabling inter-VLAN routing. Distribution switches apply access control lists (ACLs), quality of service (QoS) policies, route summarization, and redundancy mechanisms. This layer is designed to balance performance with control, ensuring that traffic from access switches is filtered, routed, and managed according to organizational policies before moving toward the core.
DISTRIBUTION ROUTER: A distribution router is a Layer-3 networking device deployed at the distribution layer of a hierarchical network architecture. It acts as an intermediate routing point between the access layer (edge switches) and the core network, responsible for aggregating traffic, routing between subnets or VLANs, and enforcing network policies.
Difference between : -
| Feature | Distribution Switch | Distribution Router |
|---|---|---|
| Main Functions | Inter-VLAN routing, ACLs and security policies, QoS enforcement, Route summarization, STP root bridge. | Routing between subnets or VLANs, aggregation of traffic from the access layer, enforcement of network policies (as described above). |
| Characteristics | Layer-3 capable, Medium port density, Redundancy focused. | Layer-3 device, intermediate routing point between the access layer and the core. |
8.3 # HOW TO DEFINE THE AGGREGATION DEVICES IN NETWORK :
AGGREGATION SWITCHES are used in large campus, data center, or service-provider environments where traffic from multiple distribution switches must be consolidated before reaching the core or upstream networks. The aggregation layer focuses on scalability and traffic consolidation, and in some designs it may also apply limited policies or load balancing. While similar to the distribution layer, aggregation switches mainly exist to handle high traffic volumes and simplify the network by reducing the number of direct connections to the core.
AGGREGATION ROUTERS combine multiple network connections or traffic streams into a single, high-capacity link, increasing bandwidth, providing redundancy, and centralizing services such as firewalls, which is crucial for managing growth in enterprise and service-provider networks. An aggregation router acts as a central point in a data center or branch office, consolidating traffic from access switches or from several internet providers (ISPs) to optimize performance and simplify management for cloud, mobility, and digital collaboration traffic.
Difference between : -
| Feature | Aggregation Switch | Aggregation Router |
|---|---|---|
| Key Functions | Data Consolidation: combines traffic from multiple access switches into fewer, higher-bandwidth links. Policy Enforcement: handles local routing, VLANs, Access Control Lists (ACLs), Quality of Service (QoS), and security. Load Balancing: distributes traffic across multiple links for efficiency. Redundancy & Stability: improves network resilience through features such as Link Aggregation Control Protocol (LACP) and Spanning Tree Protocol (STP). | WAN Aggregation: merges multiple internet connections (DSL, 4G/5G, Ethernet) from different ISPs into a faster, more reliable combined connection, also called link bonding or multi-link aggregation. LAN Aggregation: increases speed between devices (such as routers and NAS) by bundling multiple local network links (e.g., two Ethernet ports). Service Integration: in data centers, integrates shared network functions (firewalls, load balancers) at the aggregation layer for the access switches. Traffic Consolidation: manages diverse traffic types (video, collaboration) from various sources for consistent performance. |
| Where Used | Data Centers: connecting Top-of-Rack (ToR) switches to the core network. Enterprise Networks: managing campus or large-office traffic efficiently. | Enterprises: combining multiple internet lines for branches. Data Centers: connecting access switches and integrating services. Service Providers: building robust multiservice networks. |
Distribution = policy + routing & Aggregation = scaling + consolidation
8.4 # HOW TO DEFINE THE CORE DEVICES IN NETWORK :
CORE SWITCH: A core switch is a high-performance switching device used at the backbone of an enterprise or data-center network to interconnect distribution switches and major network segments. Its primary role is to forward traffic at very high speeds with minimal latency. Core switches usually operate at Layer-3 but are optimized for fast packet switching rather than complex decision-making. They are kept policy-free, meaning features such as NAT, firewalling, or heavy ACLs are avoided, to ensure maximum throughput, high availability, and rapid convergence.
CORE ROUTER: A core router is a high-capacity routing device used at the backbone of large enterprise WANs, ISP networks, or MPLS environments. Its main function is to route traffic between different networks or autonomous systems and across long-distance links. Core routers handle complex routing protocols such as BGP, OSPF, and IS-IS and are designed to manage very large routing tables, traffic engineering, and WAN/MPLS services. Unlike core switches, core routers are focused on network-to-network connectivity rather than internal LAN switching.
Difference between : -
| Feature | Core Switch | Core Router |
|---|---|---|
| Primary Role | High-speed LAN backbone | High-speed WAN/ISP backbone |
| Network Position | Inside enterprise or data center | Between networks or service provider cores |
| OSI Layer | Layer-3 (optimized for switching) | Layer-3 (routing-focused) |
| Traffic Type | Internal LAN traffic | Inter-network / WAN traffic |
| Routing Table Size | Small to medium | Very large |
| Protocols Used | OSPF or EIGRP (interior routing only) | BGP, OSPF, IS-IS, MPLS |
| Policy Features | Minimal or none | Advanced routing and traffic engineering |
| Latency | Very low | Slightly higher than switches |
| Typical Use Case | Campus or data center core | ISP, MPLS, WAN core |
7.3 # DIAGRAM OF PORT SECURITY SCENARIO
| Port Type | Connected Devices | MAC Limit | Security Mode |
|---|---|---|---|
| Fa0/1 | IP Phone + PC | 2 | Sticky + Restrict |
| Fa0/2 | Wireless AP | 1 | Static MAC + shutdown |
| Trunk | Switch to Switch | Unlimited | ❌ No Port Security |
1️⃣ Enable Port Security on Access Port (PC + IP Phone)

```
Switch(config)# interface fastEthernet0/1
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 10
Switch(config-if)# switchport voice vlan 20
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 2
Switch(config-if)# switchport port-security mac-address sticky
Switch(config-if)# switchport port-security violation restrict
```

🔹 Explanation : VLAN 10 → Data, VLAN 20 → Voice. The port must be a static access port (switchport mode access) before port security can be enabled. Maximum 2 allows exactly the phone and the PC behind it; sticky learning writes both learned MAC addresses into the running-config, so they survive a reload once the configuration is saved. Restrict mode drops frames from any additional source MAC, increments the violation counter and sends a syslog/SNMP notification, but the port stays up, so the legitimate phone and PC keep working while the violation is investigated.

2️⃣ Access Port for Wireless Access Point (High Security)

```
Switch(config)# interface fastEthernet0/2
Switch(config-if)# switchport mode access
Switch(config-if)# switchport access vlan 30
Switch(config-if)# switchport port-security
Switch(config-if)# switchport port-security maximum 1
Switch(config-if)# switchport port-security mac-address 001A.2B3C.4D5E
Switch(config-if)# switchport port-security violation shutdown
```

🔹 Explanation : Only the statically configured AP MAC is accepted. Any other source MAC triggers shutdown (the IOS default action), which places the port in err-disabled state; the AP itself goes offline until an operator bounces the interface or errdisable recovery is configured. A static MAC binds an address, not a device: an attacker who unplugs the AP and spoofs its MAC passes this check, so 802.1X on the AP port is the stronger control and port security is the fallback.

3️⃣ Trunk Port (No Port Security)

```
Switch(config)# interface gigabitEthernet0/1
Switch(config-if)# switchport mode trunk
```

🚫 Port security should not be configured on trunk ports: a trunk carries the MAC addresses of every host behind the neighbouring switch, so any MAC limit is either meaningless or causes constant violations. Protect trunks by setting the trunk mode explicitly instead of leaving it to DTP negotiation and by restricting the allowed VLANs.
Violation Scenario Flow : -

Unauthorized laptop plugged in ↓ its source MAC is not in the secure address table and the table already holds the configured maximum ↓ violation action triggered:
• Protect → frames from the new MAC dropped silently (no log, no counter increment)
• Restrict → frames from the new MAC dropped + violation counter incremented + syslog/SNMP trap; port stays up
• Shutdown (default) → port placed in err-disabled state; all traffic on it stops until the port is recovered
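To see the difference between the violation modes without a lab switch, here is an added example (not from the original page) that models port-security behaviour in Python: a SecurePort keeps the secure MAC table, applies the configured maximum, and reacts to a violation as protect, restrict or shutdown; run_scenario() replays the Fa0/1 (phone + PC, sticky + restrict) and Fa0/2 (AP, static MAC + shutdown) cases from the table. The MAC addresses, port names and log text are constructed, and the logic is the editor's reading of IOS semantics, not Cisco code.

```python
"""Model of Catalyst port-security behaviour for the ports in the scenario
table above.  Added example, not from the original page: the MAC addresses,
port objects and log text are constructed, and the logic is the editor's
reading of the IOS semantics (protect / restrict / shutdown), not vendor code."""
from dataclasses import dataclass, field

def normalize_mac(mac):
    """Accept 001A.2B3C.4D5E, 00:1a:2b:3c:4d:5e or 00-1a-2b-3c-4d-5e; return IOS dotted form."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac}")
    return f"{digits[0:4]}.{digits[4:8]}.{digits[8:12]}"

@dataclass
class SecurePort:
    name: str
    maximum: int = 1                  # IOS default
    violation: str = "shutdown"       # IOS default
    sticky: bool = False
    static: set = field(default_factory=set)   # from 'mac-address <mac>'
    learned: set = field(default_factory=set)  # dynamically / sticky learned
    violations: int = 0
    err_disabled: bool = False
    log: list = field(default_factory=list)

    def __post_init__(self):
        self.static = {normalize_mac(m) for m in self.static}

    def secure_macs(self):
        return self.static | self.learned

    def ingress(self, mac):
        """Handle a frame from `mac`; returns 'forward', 'drop' or 'err-disabled'."""
        mac = normalize_mac(mac)
        if self.err_disabled:
            return "err-disabled"         # nothing passes until recovered
        if mac in self.secure_macs():
            return "forward"
        if len(self.secure_macs()) < self.maximum:
            self.learned.add(mac)         # free slot: learn the address
            return "forward"
        # Secure table full and the source MAC is unknown: security violation.
        if self.violation == "protect":
            return "drop"                 # silent: no log, no counter
        self.violations += 1
        self.log.append(f"violation on {self.name} from {mac}")  # constructed text
        if self.violation == "restrict":
            return "drop"                 # only the offender is dropped, port stays up
        self.err_disabled = True          # shutdown mode
        return "err-disabled"

    def recover(self):
        """Operator bounces the interface (or errdisable recovery fires)."""
        self.err_disabled = False

    def running_config(self):
        """Sub-commands IOS would keep in running-config for this port."""
        lines = ["switchport port-security",
                 f"switchport port-security maximum {self.maximum}",
                 f"switchport port-security violation {self.violation}"]
        lines += [f"switchport port-security mac-address {m}" for m in sorted(self.static)]
        if self.sticky:
            lines.append("switchport port-security mac-address sticky")
            lines += [f"switchport port-security mac-address sticky {m}" for m in sorted(self.learned)]
        return lines

def show_port_security(ports):
    """Rows like 'show port-security': (port, max, current, violations, action)."""
    return [(p.name, p.maximum, len(p.secure_macs()), p.violations, p.violation) for p in ports]

def run_scenario():
    """Fa0/1: phone + PC, sticky + restrict.  Fa0/2: AP, static MAC + shutdown.
    The trunk gets no SecurePort at all, matching the 'no port security' rule."""
    fa1 = SecurePort("Fa0/1", maximum=2, violation="restrict", sticky=True)
    fa2 = SecurePort("Fa0/2", maximum=1, violation="shutdown", static={"001A.2B3C.4D5E"})
    phone, pc, rogue = "0011.2233.4455", "0011.2233.6677", "de:ad:be:ef:00:01"
    r = {}
    r["phone"] = fa1.ingress(phone)                 # learned, 1 of 2
    r["pc"] = fa1.ingress(pc)                       # learned, 2 of 2
    r["rogue_fa1"] = fa1.ingress(rogue)             # restrict: dropped + logged, port up
    r["pc_again"] = fa1.ingress(pc)                 # legitimate host still forwards
    r["ap"] = fa2.ingress("001a.2b3c.4d5e")         # matches the static entry
    r["rogue_fa2"] = fa2.ingress(rogue)             # shutdown: port err-disabled
    r["ap_after"] = fa2.ingress("001a.2b3c.4d5e")   # even the AP is cut off now
    return fa1, fa2, r

if __name__ == "__main__":
    fa1, fa2, results = run_scenario()
    print(results)
    for row in show_port_security([fa1, fa2]):
        print(row)
```

Note what the two runs show: on the restrict port the rogue laptop is dropped and logged while the PC keeps forwarding, whereas on the shutdown port a single rogue frame takes the legitimate AP offline until recover() is called. That availability cost is the trade-off to weigh when choosing shutdown for AP or phone ports.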
# Verification Commands (Troubleshooting):
Q. Which command shows the port-security summary for all secured ports (maximum, current address count, violation count and action)?
Switch# show port-security
Q. Which command shows the status of an individual port (port security enabled, port status such as Secure-up or Secure-shutdown, violation mode, sticky and aging settings)?
Switch# show port-security interface fastEthernet0/1
Q. Which command clears the learned (dynamic and sticky) secure MAC addresses? It does not remove the port-security configuration and does not clear an err-disabled port.
Switch# clear port-security all
Q. Which command lists the secure MAC addresses (static, sticky and dynamic) per port and VLAN?
Switch# show port-security address
Q. Which command disables port security on an interface (interface configuration mode)?
Switch(config-if)# no switchport port-security
Q. Which command shows the switch MAC address table, including the port on which each address was learned?
Switch# show mac address-table (on older IOS releases: show mac-address-table)
