Archive for July, 2011
A plain Layer 3 routing device, when it receives a packet on one of its ingress interfaces, looks at the packet's destination IP address and consults its routing table to pick the outgoing interface. This is the most basic operation of a router.
A stateful firewall (like the Cisco ASA), on the other hand, has considerably more work to do on an incoming packet. There are several steps and decision points that the packet has to go through before the firewall allows and forwards it. This is called “conditional forwarding” because the packet must satisfy several rules and conditions before it passes through the firewall.
The diagram below shows a simplified traffic flow of a packet through a Cisco ASA device:

As shown in the figure above, a packet arriving on the input interface is first checked against the connection (state) table to see whether it belongs to an existing connection. If it does, it skips most of the intermediate steps and is checked only against the Layer 7 inspection rules before being forwarded.
If the packet begins a new connection, the firewall must store all the pertinent information about that connection in its state table: the source and destination IP addresses, the source and destination port numbers, TCP sequence numbers and so on. Because the connection is new, the packet has to pass several checks before it is forwarded to the output interface.
First the firewall checks whether the routing table holds a Layer 3 route for the packet's destination address. Next it checks whether the Access Control List (ACL) on the input interface permits this connection. If so, it looks for a NAT rule that applies to the connection. Then it verifies that any Layer 7 inspection rules allow the connection. Only when all of these checks succeed is the packet sent out of the output interface. A practical consequence: return traffic of an established connection is matched by the state table and is never evaluated against the ACL of the interface it arrives on, so the ACL on the outside interface does not need (and should not be given) entries that open return ports.
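To make the order of decisions concrete, here is an added Python model of the flow above. It is an illustration written for this page, not Cisco code, and it follows the simplified order the text gives (state lookup, then route, ingress ACL, NAT, inspection). The route, ACL, NAT and inspection tables and the packets are constructed sample data; the "inspection" step is a stand-in (a payload-length cap on UDP/53, an assumption) for a real Layer 7 inspector, and the drop of a non-SYN first TCP packet mirrors what a stateful firewall does with a TCP segment that matches no connection.

```python
"""Toy model of conditional forwarding on a stateful firewall (ASA-style).

Added example for this page, not Cisco code. Tables below are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    ingress: str        # interface the packet arrived on
    syn: bool = False   # TCP SYN flag
    payload_len: int = 0


@dataclass
class Verdict:
    action: str         # "forward" or "drop"
    reason: str
    egress: str = ""
    src: str = ""       # post-NAT source address
    dst: str = ""       # post-NAT destination address


class StatefulFirewall:
    def __init__(self, routes, acls, static_nat, inspect_ports):
        # routes: (prefix, egress interface); longest prefix wins
        self.routes = sorted(((ip_network(p), i) for p, i in routes),
                             key=lambda r: r[0].prefixlen, reverse=True)
        # acls: ingress interface -> [(action, proto, src prefix, dst prefix, dport|None)]
        # first match wins, implicit deny at the end
        self.acls = {i: [(a, pr, ip_network(s), ip_network(d), dp)
                         for a, pr, s, d, dp in rules] for i, rules in acls.items()}
        # static one-to-one NAT: real inside address -> mapped outside address
        self.nat_out = dict(static_nat)
        self.nat_in = {v: k for k, v in static_nat.items()}
        # assumed stand-in for L7 inspection: dport -> max payload length
        self.inspect_ports = inspect_ports
        self.state = {}  # 5-tuple -> (egress, post-NAT src, post-NAT dst)

    def _route(self, dst):
        a = ip_address(dst)
        return next((iface for net, iface in self.routes if a in net), None)

    def _acl_permits(self, pkt):
        for action, proto, snet, dnet, dport in self.acls.get(pkt.ingress, []):
            if (proto in (pkt.proto, "ip") and ip_address(pkt.src) in snet
                    and ip_address(pkt.dst) in dnet and dport in (None, pkt.dport)):
                return action == "permit"
        return False  # implicit deny

    def _inspect(self, pkt):
        limit = self.inspect_ports.get(pkt.dport)
        return limit is None or pkt.payload_len <= limit

    def process(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        entry = self.state.get(key)
        if entry is not None:
            # existing connection: route, ACL and NAT lookups are skipped
            egress, nsrc, ndst = entry
            if not self._inspect(pkt):
                return Verdict("drop", "inspection")
            return Verdict("forward", "existing connection", egress, nsrc, ndst)
        if pkt.proto == "tcp" and not pkt.syn:
            return Verdict("drop", "first tcp packet not syn")
        egress = self._route(pkt.dst)
        if egress is None:
            return Verdict("drop", "no route")
        if not self._acl_permits(pkt):
            return Verdict("drop", "acl")
        nsrc = self.nat_out.get(pkt.src, pkt.src)
        ndst = self.nat_in.get(pkt.dst, pkt.dst)
        if not self._inspect(pkt):
            return Verdict("drop", "inspection")
        # record both directions; the return direction is keyed on translated addresses
        self.state[key] = (egress, nsrc, ndst)
        self.state[(pkt.proto, ndst, pkt.dport, nsrc, pkt.sport)] = (pkt.ingress, pkt.dst, pkt.src)
        return Verdict("forward", "new connection", egress, nsrc, ndst)


def run_scenarios():
    """Constructed scenarios: inside host 10.1.1.10 is statically mapped to 203.0.113.10."""
    fw = StatefulFirewall(
        routes=[("10.1.1.0/24", "inside"), ("0.0.0.0/0", "outside")],
        acls={"inside": [("permit", "tcp", "10.1.1.0/24", "0.0.0.0/0", 80),
                         ("permit", "udp", "10.1.1.0/24", "0.0.0.0/0", 53)],
              "outside": []},  # nothing is permitted inbound by ACL
        static_nat={"10.1.1.10": "203.0.113.10"},
        inspect_ports={53: 512},
    )
    out = {}
    out["syn"] = fw.process(Packet("tcp", "10.1.1.10", 40000, "198.51.100.5", 80, "inside", syn=True))
    # server's SYN/ACK: allowed by state even though the outside ACL denies everything
    out["synack"] = fw.process(Packet("tcp", "198.51.100.5", 80, "203.0.113.10", 40000, "outside", syn=True))
    # same server, different port: no state, hits the outside ACL
    out["unsolicited"] = fw.process(Packet("tcp", "198.51.100.5", 80, "203.0.113.10", 40001, "outside", syn=True))
    out["no_syn"] = fw.process(Packet("tcp", "10.1.1.10", 40002, "198.51.100.5", 80, "inside"))
    out["dns_oversize"] = fw.process(Packet("udp", "10.1.1.10", 50000, "198.51.100.53", 53, "inside", payload_len=600))
    return out


if __name__ == "__main__":
    for name, v in run_scenarios().items():
        print(f"{name:12s} {v.action:7s} {v.reason} {v.egress} {v.src} {v.dst}")
```

The point to take from the scenarios is the second and third ones: the SYN/ACK is forwarded because it matches a state entry created by the outbound SYN, while a packet from the same server to a port with no state is dropped by the empty outside ACL. The state table, not the ACL, is what lets return traffic in.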
Cisco has announced that they will lay off around 10,000 employees in an effort to reduce costs and regain profitability. 7,000 positions will be cut and 3,000 people will receive early retirement under this initiative.
Some reports say that Cisco is considering selling off its Linksys home router business unit, and it has already shut down the Flip camera unit. With these changes, Cisco expects to save around 1 billion dollars in 2012.
The company is refocusing on the routing and switching business, which has been its core business since the company's earliest days. In this market, however, Cisco has lost 6.4% of market share (it now holds 54.2% of the total), with rivals like Juniper and Alcatel-Lucent gaining ground. This has been alarming for Cisco, which is now trying hard to regain the lost ground, especially in the enterprise and service provider routing and switching business.
Cisco Systems Inc. supports a broad range of local area network (LAN) switching architecture technologies and platforms. The general minimal requirements that the Cisco switching platforms are designed to address include the following:
- High-performance switched Ethernet, capable of delivering 100 Mbps and 1Gbps to the desktop, and 1Gbps or 10Gbps uplinks.
- Quality of Service (QoS) features permitting prioritization of delay-sensitive traffic and control over packet delay and jitter.
- Simple, highly structured, and deterministic design (Predictable – in both normal and failure recovery modes).
- Support for both IP version 4 and IP version 6 protocols.
- Fault tolerance (Redundancy for critical components and links ‑ eliminating network single-points-of-failure).
- Flexibility (Network logically partitioned at Layers 2, 3 and 4, to direct traffic flow).
- Secured through authentication, authorization and accounting (AAA) controls.
- Modular design capable of supporting new applications and network growth without requiring “fork-lift” upgrades.
- Scalability for cost-effective delivery to the smallest and the largest telecommunications rooms and campuses.
- Multicast protocol support for end-to-end management and optimization of streaming content delivery.
- Switches capable of powering IP telephones (Power over Ethernet, PoE).
- Capable of being remotely monitored and managed using network management tools, such as HP OpenView.
All Cisco switches are based on a distributed hardware architecture in which the LAN switching functions are separated from the “control plane” functions of switch management: one or more general-purpose CPUs run the control plane, while port or line card application-specific integrated circuits (ASICs) do the forwarding.
The general-purpose CPU handles management functions such as user logins, SNMP and maintenance operations like booting the operating system, and it runs the command-line interface through which the switch is configured. The ASICs switch frames and packets at the port and line card level, reducing inter-frame delay and increasing overall system throughput. Because any traffic the ASICs cannot handle in hardware is punted to this CPU, its capacity is a denial-of-service concern, which is why control-plane protection features matter on these platforms.
Older Cisco switches used an operating system called CatOS, with a command-line syntax based on set and clear statements. Newer switches use the Cisco Internetwork Operating System (IOS), which is common to both switching and routing platforms. CatOS is end-of-life and end-of-sale, so only IOS configurations will be shown here. The newer switching operating system for the next-generation Nexus platforms, NX-OS, has a command syntax nearly identical to that of IOS, and most of the Cisco switch product line still runs IOS.
Cisco recommends a hierarchical design for switched network infrastructures, with core, distribution and access layers. In smaller switched networks it is acceptable to combine the functions of the core and distribution layers, which is called a collapsed core design. The functions of each layer are as follows:
Core layer
- Links to WAN (Internet or other wide-area network)
- Links to distribution switches
- Additional Virtual Local Area Networks (VLANs) — used by the system for routed ports as well as WAN ports
Distribution Layer
- Server connections
- Links to downstream (closet) access switches via layer 2 or layer 3 links.
- Site services, like wireless LAN controllers
- Service VLANs — to forward traffic to the service modules, such as the client VLAN of a content switch
- Fault tolerant VLANs — for redundancy with CSM, FWSM, CSS and so forth
Access Layer
- Client connectivity at 10/100/1000Mbps