Routers, switches, access points, firewalls. The physical boxes that carry your packets, and what each one actually does.
Router connects different networks (your home to the internet). Works at Layer 3 using IP. Switch connects devices within one network. Works at Layer 2 using MAC addresses. Access point is the Wi-Fi radio: it extends the network wirelessly. Modem translates between your ISP's signal and your home network. Firewall filters traffic based on rules. Your home "router" is actually all four in one box.
3.1 What's In Your Home Router
Most households have one device they call "the router": a black or white box with a few flashing lights, plugged into the wall, providing Wi-Fi and a few ethernet ports. That single box is actually at least four different network devices combined:
"Home router" is marketing shorthand. The device is actually a modem, router, switch, access point, and firewall in one plastic shell.
Knowing this matters because each part does a different job, and in a business setting they're separate physical boxes. Once you understand what each one does, the whole network picture clicks into place.
3.2 Router: Connects Different Networks
A router's one job: forward packets between different networks. If two devices are on the same network, they don't need a router. If they're on different networks (e.g., your phone at home to Instagram's server), every packet crosses at least one router.
Operates at Layer 3 (Network): uses IP addresses
Maintains a routing table: rules saying "traffic for network X goes out interface Y"
Provides NAT (on home routers) to share one public IP among many devices
Often also a DHCP server: hands out private IPs to new devices joining the LAN
Often includes a small firewall to block unsolicited inbound traffic
ROUTER MENTAL MODEL: Think of a router like a postal sorting office. Letters come in with a destination address. The sorter looks at the address, checks which outgoing bag to put it in, and forwards it. It doesn't care what's inside the letter. Next sorting office does the same. Eventually the letter reaches the destination's local post office, which delivers it.
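The routing-table rule and the "same network needs no router" rule above, as an added example that is not part of the original text. It goes one step beyond the text by picking the most specific matching route (longest-prefix match), which is how routers choose between overlapping entries; the networks, interface names and the /24 home subnet are constructed for illustration.

```python
import ipaddress

# Constructed routing table: (destination network, outgoing interface).
# Interface names are hypothetical.
ROUTES = [
    ("192.168.1.0/24", "lan0"),
    ("10.20.0.0/16", "vpn0"),
    ("10.20.30.0/24", "lab0"),
    ("0.0.0.0/0", "wan0"),       # default route: everything else goes to the ISP
]


def same_network(src, dst, prefix_len):
    """True if dst is inside src's own subnet, so no router is involved."""
    subnet = ipaddress.ip_network(f"{src}/{prefix_len}", strict=False)
    return ipaddress.ip_address(dst) in subnet


def lookup(dst, routes=ROUTES):
    """Return the interface for dst using the most specific matching route."""
    addr = ipaddress.ip_address(dst)
    best = None
    for network, interface in routes:
        net = ipaddress.ip_network(network)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, interface)
    return best[1] if best else None


def forward(src, dst, prefix_len=24):
    """Describe the path a packet takes from a LAN host (assumed /24 subnet)."""
    if same_network(src, dst, prefix_len):
        return "direct (switch only)"
    return f"router -> {lookup(dst)}"


if __name__ == "__main__":
    for dst in ("192.168.1.7", "10.20.30.5", "10.20.99.1", "203.0.113.10"):
        print(f"192.168.1.5 -> {dst}: {forward('192.168.1.5', dst)}")
```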
3.3 Switch: Connects Devices Within One Network
A switch is what you plug your computers into to create a wired LAN. Multiple devices, all on the same network, share the switch.
Operates at Layer 2 (Data Link): uses MAC addresses, not IP addresses
Learns which MAC address is on which port by watching traffic
Forwards a frame only to the port where the destination MAC lives (not all ports)
Creates a separate "collision domain" for each port, so devices don't interfere with each other
Switch vs Hub: a historical difference you'll sometimes see
Hub (obsolete) = dumb device that repeats every incoming signal to every port. Every device heard every message. Inefficient and insecure (anyone could passively sniff others' traffic).
Switch (modern) = smart device that learns where each MAC address lives and sends messages only where they need to go. Modern switches are the default; hubs are museum pieces.
TRAP: Students sometimes say "the hub sends data". In a modern network, there is no hub. Use "switch." And don't confuse switch with router: switch = within one network; router = between networks.
Managed vs unmanaged switches
| | Unmanaged | Managed |
| --- | --- | --- |
| What you do to it | Plug it in, it works | Configure via a web interface or command line |
| Features | Just forward frames | VLANs, port security, monitoring, QoS, DHCP snooping |
SECURITY USE OF MANAGED SWITCHES: VLANs (Chapter 5) are configured on managed switches. You can put different ports into different VLANs to create security zones even on the same physical switch. This is how a school separates staff and student traffic without needing duplicate wiring. Managed switches also offer port security: limit which MAC addresses can use each port, blocking random devices from being plugged in.
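How a switch learns MAC addresses and how port security blocks an extra device, as an added example that is not part of the original text. The class, the `max_macs_per_port` setting and all MAC addresses except the one quoted later in this chapter are constructed for illustration; a real managed switch offers more modes than the simple "drop the frame" shown here.

```python
BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    """Toy Layer 2 switch: learns MAC -> port, with optional port security."""

    def __init__(self, ports, max_macs_per_port=None):
        self.ports = list(ports)
        self.mac_table = {}                  # MAC address -> port it was seen on
        self.max_macs = max_macs_per_port    # hypothetical knob; None = no limit

    def receive(self, in_port, src_mac, dst_mac):
        """Process one frame; return the ports it is sent out of ([] = dropped)."""
        src, dst = src_mac.lower(), dst_mac.lower()
        known_here = {m for m, p in self.mac_table.items() if p == in_port}

        # Port security: refuse a new source MAC once the port is at its limit.
        if (self.max_macs is not None and src not in known_here
                and len(known_here) >= self.max_macs):
            return []

        # Learning: the source MAC lives on the port the frame arrived on.
        self.mac_table[src] = in_port

        # Forwarding: known destination goes to one port, anything else floods.
        out_port = self.mac_table.get(dst)
        if dst == BROADCAST or out_port is None:
            return [p for p in self.ports if p != in_port]
        return [] if out_port == in_port else [out_port]


def demo():
    """Constructed traffic: PC A on port 1, PC B on port 2, extra device on port 1."""
    sw = LearningSwitch(ports=[1, 2, 3, 4], max_macs_per_port=1)
    pc_a, pc_b, extra = "AC:DE:48:00:11:22", "AC:DE:48:00:11:33", "02:00:00:00:00:99"
    return [
        sw.receive(1, pc_a, pc_b),    # B not learned yet: flooded
        sw.receive(2, pc_b, pc_a),    # A was learned on port 1
        sw.receive(1, pc_a, pc_b),    # B was learned on port 2
        sw.receive(1, extra, pc_b),   # second MAC on port 1: dropped
    ]


if __name__ == "__main__":
    print(demo())
```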
3.4 Access Point (AP): The Wi-Fi Radio
An access point converts between wired ethernet and Wi-Fi radio. Your phone's Wi-Fi talks to the AP; the AP is wired into a switch, which carries the traffic into the rest of the network.
Strictly a Layer 2 device (though often bundled with routers)
Broadcasts an SSID (the network name) that devices can see and join
Handles the Wi-Fi authentication (password or Enterprise login)
Modern APs support multiple SSIDs, each mapped to a different VLAN, letting one AP serve Staff and Guest Wi-Fi simultaneously
In a home, the AP is inside the "router" box. In an office or school, APs are usually standalone units mounted on ceilings, wired back to a central switch, all managed by a wireless controller.
3.5 Modem: Translates to Your ISP's Signal
The modem's job: convert between your ISP's specific transmission format and standard ethernet. Depending on your connection type:
| Connection type | What the modem does |
| --- | --- |
| Cable (coax) | Translates DOCSIS signals over the coax cable |
| Fibre (FTTP/FTTN) | Translates optical light pulses (or copper signals in FTTN) to ethernet |
| ADSL/VDSL | Translates signals over copper phone lines |
| 4G/5G mobile broadband | Cellular radio to ethernet/Wi-Fi |
| Satellite (Starlink) | Radio to satellite dish to ethernet |
In Australia, NBN modems are often called "NBN connection boxes" or "NTDs." They're still conceptually modems.
WHY THE DISTINCTION MATTERS: If your internet is flaky, it could be the modem (ISP signal issues) or the router (LAN/Wi-Fi issues). A quick test: plug a laptop directly into the modem via ethernet, bypassing the router. If it works, the router is the issue. If not, the modem or ISP is. In a combined "home router" box, you can't separate them, which is why many tech-savvy users buy their modem and router as separate devices.
3.6 Firewall: Filters Traffic
A firewall inspects traffic and decides whether to allow it based on rules. Firewalls are the primary defensive control at network boundaries.
Types of firewall:
| Type | What it checks | Strength |
| --- | --- | --- |
| Packet-filter (stateless) | Each packet in isolation: source/dest IP, port, protocol | Fast but limited: can't tell legitimate replies from forged packets |
| Stateful | Remembers ongoing conversations. Allows reply packets from established connections. | The modern baseline for any serious firewall |
| Application-layer / Next-gen (NGFW) | Looks into the packet content at Layer 7: knows HTTP from SSH from Facebook | Blocks specific applications, detects known attack patterns |
| Web Application Firewall (WAF) | Specifically protects a web application from attacks like SQL injection, XSS | Critical for any public-facing web app |
Chapter 14 covers firewalls in depth as defences. For now, know that every home router has a basic stateful firewall built in. That's what stops random internet attackers from directly connecting to your laptop.
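The difference between a packet-filter (stateless) firewall and a stateful one, as an added example that is not part of the original text: both judge the same three constructed packets. The addresses, ports and the stateless rule "allow inbound traffic from source port 443" are assumptions chosen for illustration, and the model ignores TCP flags, timeouts and NAT.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")
LAN = ipaddress.ip_network("192.168.1.0/24")    # constructed inside network


def is_outbound(p):
    """A packet is outbound if it was sent by a host on the LAN."""
    return ipaddress.ip_address(p.src) in LAN


def stateless_allow(p):
    """Judge each packet alone: outbound is fine, inbound only if it
    looks like a reply from a web server (source port 443)."""
    return is_outbound(p) or p.sport == 443


class StatefulFirewall:
    def __init__(self):
        self.connections = set()    # conversations opened from the inside

    def allow(self, p):
        if is_outbound(p):
            self.connections.add((p.src, p.sport, p.dst, p.dport))
            return True
        # Inbound: allowed only if it mirrors a conversation we are tracking.
        return (p.dst, p.dport, p.src, p.sport) in self.connections


def compare():
    """Return (name, stateless verdict, stateful verdict) per constructed packet."""
    packets = [
        ("request", Packet("192.168.1.20", 51000, "203.0.113.10", 443)),
        ("reply", Packet("203.0.113.10", 443, "192.168.1.20", 51000)),
        # Nobody inside ever contacted 198.51.100.7, yet it claims to be a reply.
        ("unsolicited", Packet("198.51.100.7", 443, "192.168.1.20", 51000)),
    ]
    fw = StatefulFirewall()
    return [(name, stateless_allow(p), fw.allow(p)) for name, p in packets]


if __name__ == "__main__":
    for row in compare():
        print(row)
```

The third packet is the one the two designs disagree on: the stateless rule passes it because it only sees "source port 443", while the stateful firewall has no matching conversation and drops it.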
3.7 Other Devices You'll Meet
Network Interface Card (NIC)
The actual hardware inside each device (laptop, phone, server) that lets it connect to a network. Every NIC has a unique MAC address burned in at manufacture (48 bits, usually written as six hex pairs: AC:DE:48:00:11:22).
TRAP: MAC addresses are supposed to be unique globally but can be spoofed in software. Modern operating systems (iOS, Android) deliberately randomise their MAC when joining new Wi-Fi networks to prevent tracking. Don't assume a MAC uniquely identifies a device forever.
Load balancer
Distributes incoming traffic across multiple servers so no one server gets overwhelmed. Critical for any website that serves more than a few hundred users. Works at Layer 4 (TCP) or Layer 7 (HTTP).
Proxy server
Sits between clients and servers, making requests on their behalf. Used for caching (serving repeat requests faster), filtering (blocking categories of sites at a school), or anonymity. Schools often use a proxy to enforce web content filtering, which is required under ACMA expectations for minors.
VPN concentrator
Dedicated device or software that terminates VPN connections from remote users. Lets employees working from home connect securely to the office network. Chapter 14 covers VPNs.
Intrusion Detection/Prevention System (IDS/IPS)
Monitors network traffic for suspicious patterns. IDS alerts when something looks wrong; IPS actively blocks it. Chapters 14 and 15 cover these properly.
Cables and connectors
| Cable type | Used for | Max speed (typical) |
| --- | --- | --- |
| Cat 5e | Standard ethernet | 1 Gbps |
| Cat 6 / 6a | Faster ethernet | 1–10 Gbps |
| Fibre optic | Long-distance, high-speed backbones | 10–400+ Gbps |
| Coaxial | Cable TV / legacy cable internet | Varies |
Fibre is increasingly used even for short runs because it's immune to electromagnetic interference and can carry vastly more data than copper.
3.8 How the Hardware Fits Together: A Classroom Example
This is what "star topology" actually looks like physically. Each classroom is a small star; all classrooms combine into a larger tree rooted at the core switch.
EXAM-FRIENDLY HARDWARE CHOICES: When asked "what hardware is needed for [scenario]", use a checklist:
1. Modem: one per internet connection
2. Firewall: at the border between internal network and internet
3. Router: to handle routing and NAT
4. Switches: enough ports for all wired devices + growth
5. Access points: cover the physical area with Wi-Fi
6. Servers: for the specific services (file, print, web, database)
7. Backup infrastructure: often missed, important for availability
Name each device and justify the count ("3 APs to cover the 3 floors"). That's a complete answer.
3.9 Quiz Time
A student sets up two computers at home, plugged into the same switch. Can they communicate with each other without a router?
Yes. A switch connects devices within one network. If both computers have IPs in the same subnet (e.g., 192.168.1.5 and 192.168.1.7), they talk directly through the switch using MAC addresses at Layer 2. A router is only needed when traffic crosses between different networks. This is why two PCs on the same LAN can share files without either being connected to the internet.
Why does a school use managed switches instead of cheap unmanaged ones?
Managed switches support VLANs, which let the school split one physical switch into multiple logical networks (for example, student VLAN, staff VLAN, server VLAN) so traffic is isolated even though everything shares the same cables. They also support port security (blocking unknown devices), monitoring (watching for suspicious traffic), and QoS (prioritising important traffic like video calls). All of these are critical for a network handling minors' data under the Privacy Act, and none are possible with unmanaged switches.
Why are modems and routers becoming combined devices in homes but kept separate in businesses?
Homes prioritise simplicity: one box, one cable to the wall, minimal setup. Combining modem + router + switch + AP hides the complexity. Businesses prioritise flexibility and replaceability: if the modem dies, you swap just the modem without losing your firewall configuration; if you upgrade to faster internet, you only replace the modem; if you need a better firewall, you upgrade just that. Separate devices also support higher performance and more features (dedicated firewall appliances, managed switches, ceiling-mounted APs). Trade-off: simplicity vs flexibility.