Master Networking Fundamentals: Routing, Switching, and Firewalls Demystified – Your CCNA/CCNP Cheat Sheet! + Video

Listen to this Post

Featured Image

Introduction:

Networking is the backbone of modern IT infrastructure, yet many professionals struggle to connect the dots between routing, switching, and security. Understanding how routers select optimal paths (via RIP, OSPF, BGP), switches manage LAN traffic (VLANs, STP), and firewalls enforce access controls (NAT, IPS/IDS) is essential for building resilient enterprise networks.

Learning Objectives:

  • Configure and verify dynamic routing protocols (OSPF, EIGRP, BGP) on Cisco/Linux routers.
  • Implement VLAN segmentation, spanning-tree security, and port channel aggregation in switched environments.
  • Deploy firewall rules, NAT policies, and IPS/IDS signatures to protect against common network threats.

You Should Know:

  1. Routing Deep Dive – Command-Line Labs for Path Selection

Routing determines how packets traverse from source to destination. Below are hands-on commands for Linux (using `ip` and quagga/frr) and Windows (using route), plus Cisco IOS-style syntax.

Step‑by‑step guide – View and manipulate Linux routing table:
– `ip route show` – Display IPv4 routing table.
– `sudo ip route add 192.168.5.0/24 via 10.0.0.1 dev eth0` – Add a static route.
– `ip route del 192.168.5.0/24` – Remove a route.
– Enable OSPF on Linux with FRRouting: install frr, edit `/etc/frr/daemons` (set ospfd=yes), then systemctl restart frr. Enter `vtysh` and configure:

router ospf
network 10.0.0.0/24 area 0
network 192.168.1.0/24 area 0

Windows static route command (Admin PowerShell):

– `route print` – View table.
– `route add 192.168.5.0 mask 255.255.255.0 10.0.0.1` – Add route.
– `route delete 192.168.5.0` – Remove.

Cisco IOS example (for CCNA lab):

router ospf 1
network 10.0.0.0 0.0.0.255 area 0
network 192.168.1.0 0.0.0.255 area 0
default-information originate

BGP quick lab (using FRRouting):

router bgp 65001
neighbor 192.168.1.2 remote-as 65002
network 172.16.0.0/16
  1. Switching and VLAN Configuration – From Access to Trunk

Switches forward frames inside a LAN. VLANs segment broadcast domains; STP prevents loops.

Step‑by‑step VLAN creation on a Linux bridge (using `bridge` and ip):
– Install bridge-utils: sudo apt install bridge-utils.
– Create VLAN interface: sudo ip link add link eth0 name eth0.10 type vlan id 10.
– Assign IP: sudo ip addr add 192.168.10.1/24 dev eth0.10.
– Bring up: sudo ip link set eth0.10 up.

Cisco switch commands:

vlan 10
name Sales
interface fastEthernet 0/1
switchport mode access
switchport access vlan 10
interface gigabitEthernet 0/24
switchport mode trunk
switchport trunk allowed vlan 10,20

STP security – enable PortFast and BPDU Guard:

interface fastEthernet 0/1
spanning-tree portfast
spanning-tree bpduguard enable

EtherChannel (LACP) on Cisco:

interface range gigabitEthernet 0/1-2
channel-group 1 mode active
interface port-channel 1
switchport mode trunk

On Linux, use `bonding` driver with `mode=4` (802.3ad) and miimon=100.

  1. Firewall Security Essentials – iptables, nftables, and Windows Defender Firewall

Firewalls filter traffic and perform NAT. Below are modern command sets for hardening.

Step‑by‑step iptables (Linux) for basic protection:

  • Default deny incoming, allow established:
    sudo iptables -P INPUT DROP
    sudo iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    sudo iptables -A INPUT -i lo -j ACCEPT
    sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT
    
  • Save rules: sudo iptables-save > /etc/iptables/rules.v4.
  • Enable NAT for internal network:
    sudo iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
    sudo sysctl -w net.ipv4.ip_forward=1
    

Advanced nftables (replacement for iptables):

sudo nft add table inet filter
sudo nft add chain inet filter input { type filter hook input priority 0\; policy drop\; }
sudo nft add rule inet filter input ct state established,related accept
sudo nft add rule inet filter input tcp dport 22 accept

Windows Firewall (PowerShell Admin):

  • Block all inbound except RDP: `New-NetFirewallRule -DisplayName “BlockAllInbound” -Direction Inbound -Action Block` (then add allow rules).
  • Allow SSH (port 22): New-NetFirewallRule -DisplayName "Allow SSH" -Direction Inbound -Protocol TCP -LocalPort 22 -Action Allow.
  • Enable logging: Set-NetFirewallProfile -All -LogFileName %windir%\system32\LogFiles\Firewall\pfirewall.log.

IPS/IDS quick test – Snort on Linux:

  • Install: sudo apt install snort.
  • Run in IDS mode: sudo snort -A console -q -c /etc/snort/snort.conf -i eth0.
  • For IPS inline: use `afpacket` mode with -Q.

4. Network Troubleshooting Commands – Diagnostic Toolkit

Every engineer must master these to validate routing/switching/security.

Linux / macOS:

– `traceroute -n 8.8.8.8` – Path discovery.
– `mtr 8.8.8.8` – Combined ping + traceroute.
– `ss -tulpn` – List listening ports (replaces netstat).
– `tcpdump -i eth0 -n host 192.168.1.10` – Capture specific traffic.
– `arp -a` – View ARP cache.
– `nmap -sS -p 1-1000 192.168.1.1` – SYN scan (requires nmap).

Windows:

– `pathping 8.8.8.8` – Combines ping and traceroute with statistics.
– `netstat -an | findstr “LISTENING”` – Listening ports.
– `Get-NetTCPConnection -State Listen` – PowerShell equivalent.
– `netsh trace start capture=yes tracefile=c:\capture.etl` – Packet capture.
– `arp -a` – ARP table.

Wireshark filters for CCNA labs:

– `ospf` – Show OSPF hellos.
– `vlan` – Filter VLAN tags.
– `tcp.port == 179` – BGP traffic.
– `ip.src == 10.0.0.1 && ip.dst == 192.168.1.1` – Specific flow.

  1. Advanced Security Features – IPSec VPN and AAA

Protecting data in transit and controlling access are core firewall responsibilities.

Step‑by‑step IPSec VPN (Linux strongSwan) between two hosts:

  • Install: sudo apt install strongswan.
  • Edit /etc/ipsec.conf:
    conn vpn-host
    left=10.0.0.1
    leftsubnet=192.168.1.0/24
    right=10.0.0.2
    rightsubnet=192.168.2.0/24
    authby=secret
    auto=start
    
  • Set Pre-Shared Key in /etc/ipsec.secrets: 10.0.0.1 10.0.0.2 : PSK "MySecretKey123".
  • Restart: sudo systemctl restart strongswan.
  • Check status: sudo ipsec status.

AAA (TACACS+ / RADIUS) – FreeRADIUS on Linux:

  • Install: sudo apt install freeradius.
  • Add client in /etc/freeradius/3.0/clients.conf:
    client myrouter {
    ipaddr = 192.168.1.1
    secret = testing123
    shortname = cisco
    }
    
  • Test authentication: radtest user password 192.168.1.1 0 testing123.

Cisco router AAA configuration:

aaa new-model
radius-server host 192.168.1.10 key testing123
aaa authentication login default group radius local
  1. Real-World Attack Mitigation – BGP Hijacking, ARP Spoofing, and ACL Hardening

Understanding exploitation leads to better defense.

Mitigating ARP spoofing on Linux:

  • Enable static ARP: arp -s 192.168.1.1 00:11:22:33:44:55.
  • Use `arptables` to filter:
    sudo arptables -A INPUT --source-mac ! 00:11:22:33:44:55 --opcode Request -j DROP
    
  • Or deploy `arpwatch` to detect changes.

BGP route filtering (Cisco IOS) to prevent hijacking:

ip prefix-list ALLOW-OWN deny 0.0.0.0/0 ge 1
ip prefix-list ALLOW-OWN permit 172.16.0.0/12 le 24
route-map OWN-ONLY permit 10
match ip address prefix-list ALLOW-OWN
neighbor 10.0.0.2 route-map OWN-ONLY in
neighbor 10.0.0.2 route-map OWN-ONLY out

ACLs to block malicious traffic (Cisco extended ACL):

access-list 100 deny ip 10.0.0.0 0.255.255.255 any
access-list 100 deny tcp any any eq 445
access-list 100 permit ip any any
interface gigabitEthernet 0/1
ip access-group 100 in

Windows PowerShell firewall block rule for SMB:

New-NetFirewallRule -DisplayName "Block SMB" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Block
  1. Automation and Scripting for Network Engineers – Python & Ansible

Modern networking requires automation for configuration backup, state verification, and alerting.

Step‑by‑step Python script to backup Cisco config via SSH (netmiko):
– Install: pip install netmiko.
– Script:

from netmiko import ConnectHandler
device = {
'device_type': 'cisco_ios',
'ip': '192.168.1.1',
'username': 'admin',
'password': 'cisco',
}
with ConnectHandler(device) as conn:
output = conn.send_command('show run')
with open('backup.txt', 'w') as f:
f.write(output)

Ansible playbook to enforce VLANs on multiple switches:

- name: Configure VLANs
hosts: switches
tasks:
- name: Create VLAN 20
cisco.ios.ios_vlan:
vlan_id: 20
name: Engineering
state: present

Linux cron job for routing table logging:

– `crontab -e` add:
`/5 /usr/bin/ip route show >> /var/log/routes.log`

What Undercode Say:

  • Key Takeaway 1: Mastering routing, switching, and firewalls requires not just theory but hands-on command-line practice. The provided Linux, Windows, and Cisco snippets give you an immediate lab experience.
  • Key Takeaway 2: Security is embedded in every layer – from BGP filtering to ARP spoofing defenses. Modern network engineers must blend traditional protocol knowledge with automated scripting for real-world resilience.

The infographic from Tony Moukbel’s network highlights fundamental protocols, but true expertise comes from configuring OSPF areas, hardening STP with BPDU Guard, and deploying IPSec tunnels. With threats like BGP hijacking and VLAN hopping still prevalent, practicing the above commands on virtual labs (EVE-NG, GNS3) or cloud sandboxes is non‑negotiable. The WhatsApp community linked (https://lnkd.in/d-kemJU6) offers peer support, but self‑driven labbing accelerates CCNA/CCNP success. Additionally, integrating Python automation reduces human error in firewall rule deployment. As infrastructure shifts toward SD‑WAN and zero‑trust, these fundamentals remain the bedrock of any security career.

Prediction:

Within the next three years, AI-driven network orchestration will automate most routine configuration tasks, but deep knowledge of routing and firewall internals will become even more critical for auditing AI-generated policies. Engineers who can manually verify BGP path selections and diagnose ACL misconfigurations will lead incident response teams. The demand for hybrid skills – traditional networking plus Python scripting and cloud security – will spike, making CCNA/CCNP certifications with hands-on lab portfolios the gold standard for hiring in enterprise and cloud-native environments.

▶️ Related Video (82% Match):

🎯Let’s Practice For Free:

IT/Security Reporter URL:

Reported By: Sayed Hamza – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow UndercodeTesting & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin | 🦋BlueSky