Introduction to LANs

If you’ve ever connected a laptop to a Wi-Fi router at home, plugged a PC into a wall port at the office, or watched Netflix on your phone over your home network — you’ve used a LAN. You just didn’t think about it that way. Most people don’t, and that’s fine. But if you’re studying for the CCNA, understanding what a LAN actually is, why it exists, and how it scales from your kitchen table to a 50-floor enterprise campus — that’s where we start.

This lesson lays the foundation for everything else in the switching section. VLANs, Spanning Tree, EtherChannel — none of it makes sense without a solid mental model of what a LAN is and how data moves within one. So let’s build that model properly.

What Is a LAN, Really?

LAN stands for Local Area Network. The operative word is local. A LAN is a network that exists within a limited geographic area — a home, an office floor, a building, or even a group of buildings on the same campus. Devices on a LAN share the same network infrastructure, and typically the same IP address space.

Here’s the simplest definition I give to junior engineers: if two devices can talk to each other without their traffic having to cross a router to get there, they’re on the same LAN.

That second part matters. A router is what separates one LAN from another. Traffic that stays within the LAN — say, a PC sending a file to a printer on the same floor — never touches the router. Traffic that needs to leave the LAN — going to a server in a data center across the country, or just browsing the web — crosses the router and exits onto the WAN (Wide Area Network).

The boundary looks like this:

[PC] ---[Switch]--- [Switch]--- [Router] ==WAN== [Internet]
         LAN         LAN           |
                               boundary

Everything to the left of the router is your LAN. Everything to the right is someone else’s problem — I mean, the WAN.

The Dominant LAN Technology: Ethernet

When we talk about wired LANs, we’re almost always talking about Ethernet. It’s been the dominant LAN standard since the 1980s, and it’s not going anywhere. Ethernet is standardized by the IEEE (Institute of Electrical and Electronics Engineers) under the 802.3 family of standards. The IEEE publishes these specs so that a Cisco switch, a Juniper switch, an HP laptop, and a Samsung phone can all plug into the same network and understand each other perfectly.

Ethernet has evolved dramatically over the decades. We went from original 10 Mbps Ethernet on coaxial cable, to 100BASE-TX Fast Ethernet over UTP copper, to Gigabit, 10 Gigabit, and now 25G, 40G, 100G links in modern data centers. The underlying framing format — the Ethernet frame — has stayed remarkably consistent through all of that. That backward compatibility is one of the reasons Ethernet won.

Wireless LANs are also part of the picture. These are governed by the 802.11 standard family (Wi-Fi). Wireless is a different medium but still part of the same LAN — once a wireless device associates with an access point, it becomes a participant in the same Ethernet-based LAN. From a Layer 2 perspective, the AP bridges the wireless and wired worlds together.

(Related Article: “Introduction to Ethernet”)

SOHO LANs: Where Most of Us Start

SOHO stands for Small Office/Home Office, and it’s exactly what it sounds like. This is the kind of network most people have experience with before they ever touch a Cisco switch.

In its most stripped-down form, a SOHO LAN is just two devices connected to a switch. That’s it. The switch lets them talk to each other at Layer 2, using MAC addresses to forward frames between ports.

[PC-1] ---[Switch]--- [PC-2]

In the real world, a home setup usually looks more like this:

[Internet] === [ISP Modem] --- [Home Router/AP]
                                      |
                     ┌────────────────┼────────────────┐
                   [PC]           [Laptop]          [Phone via Wi-Fi]

That home “router” you buy from an electronics store is actually three devices stuffed into one box: a router (handles WAN connectivity and routes between your LAN and the internet), a switch (typically 4 LAN ports for wired devices), and a wireless access point (handles the Wi-Fi). Manufacturers combined them because most home users want one device, not a rack.

The cables used in SOHO wired LANs are UTP (Unshielded Twisted Pair) — the familiar Cat5e, Cat6, or Cat6A cables with RJ-45 connectors on each end. The “twisted pair” part isn’t just mechanical design. The twisting of the wire pairs cancels out electromagnetic interference (EMI) and crosstalk between adjacent pairs. Cat6A, which you’d use for 10 Gigabit Ethernet, has tighter twists and sometimes an internal separator between pairs to further reduce crosstalk.

For CCNA purposes, you need to know the cable categories and their associated speeds:

Cable Category   Max Speed                  Max Distance        Common Use
Cat5e            1 Gbps                     100 meters          Office workstations
Cat6             1 Gbps / 10 Gbps (short)   100m / 55m at 10G   Modern office LANs
Cat6A            10 Gbps                    100 meters          Higher-density environments
Cat8             25/40 Gbps                 30 meters           Data center top-of-rack

One thing worth noting: the 100-meter limit on copper Ethernet isn’t arbitrary. It’s based on the round-trip propagation delay requirements for CSMA/CD collision detection — a concept inherited from the early days of Ethernet. Even though modern full-duplex switches eliminated actual collisions, the 100m limit stuck as part of the standard.

Enterprise LANs: Where It Gets Interesting

Now we scale up. An enterprise LAN serves hundreds or thousands of devices spread across multiple floors, buildings, or even a campus. The core technology is still Ethernet, but the design has to be deliberate. You can’t just daisy-chain switches and hope for the best — that leads to broadcast storms, spanning-tree nightmares, and 2 AM phone calls.

The Three-Tier Hierarchical Model

Enterprise networks traditionally follow a three-tier hierarchical design developed by Cisco. You’ll see this referenced constantly in CCNA and CCNP material. The three tiers are:

Access Layer — This is where end devices connect. PCs, IP phones, printers, wireless access points, IP cameras — they all plug into access-layer switches. These are typically fixed-configuration switches like Cisco Catalyst 2960-X, 9200, or 9300 series. The access layer is also where you implement per-port security features: port security, DHCP snooping, Dynamic ARP Inspection, 802.1X authentication.

Distribution Layer — Access-layer switches uplink to distribution-layer switches. The distribution layer is where policy lives: routing between VLANs, ACLs, QoS marking, summarization. Distribution switches are typically multilayer (Layer 3) switches. In my experience, this is the layer where misconfigurations cause the most complex problems, because it’s the boundary between Layer 2 and Layer 3.

Core Layer — The core is purely about speed and availability. High-capacity switches here (Catalyst 9500, 9600, Nexus 9000) move traffic between distribution blocks as fast as possible, with no complex policy. The design mantra is: “don’t filter, don’t QoS-mark, just forward.”

                    [Core Switch]
                   /             \
         [Dist SW-1]           [Dist SW-2]
         /         \           /         \
   [Access-1] [Access-2] [Access-3] [Access-4]

Two-Tier (Collapsed Core) Design

In smaller enterprise environments — maybe a single building with under 2,000 users — you often see the distribution and core layers merged into a single collapsed core design. Two high-capacity multilayer switches serve both functions. This cuts hardware costs and reduces complexity without sacrificing much, since the traffic volumes don’t justify a dedicated core.

I worked on a collapsed core deployment at a mid-size manufacturing company a few years back. They had one building, about 800 users, and were running a pair of Catalyst 9500s as the collapsed core/distribution, with 9200s at the access layer. Clean, maintainable, and the switches had so much headroom we never worried about performance.

           [9500-A] ---- [9500-B]   (Collapsed Core)
               |    \  /    |
           [9200]  [9200]  [9200]   (Access)

LAN Across Multiple Buildings: The Campus Network

When an enterprise spans multiple buildings, we call it a campus network. The buildings are still connected via high-speed fiber (usually multimode or single-mode fiber depending on distance), and the overall structure remains the same — access, distribution, core. The core layer becomes the backbone that interconnects the distribution blocks of each building.

Building A                          Building B
[Access] → [Dist]                   [Dist] ← [Access]
                \                  /
                 [Core] ---- [Core]
                /                  \
[Access] → [Dist]                   [Dist] ← [Access]
Building C                          Building D

Fiber between buildings is almost always multimode (OM3 or OM4) for distances under 300–400 meters at 10G, or single-mode for longer runs. I’ve seen campus networks where two buildings are half a kilometer apart — at that distance you’re using single-mode fiber and SFP+ LR transceivers, not the cheaper SR optics that most people start with.

LAN Devices: What’s Actually in There

Let’s quickly walk through the hardware you’ll encounter in a LAN.

Network Interface Card (NIC)

Every end device that connects to a LAN has a NIC — a Network Interface Card. This is the physical hardware that handles Ethernet framing, converts data to/from electrical signals (or light, if it’s a fiber NIC), and maintains the device’s MAC address. On modern computers, the NIC is usually integrated directly onto the motherboard. The MAC address burned into the NIC at the factory is what Layer 2 switching uses to forward frames.

Switches

Switches are the core of a wired LAN. A switch operates at Layer 2 (Data Link) and makes forwarding decisions based on MAC addresses. When a frame arrives on a port, the switch looks up the destination MAC address in its MAC address table (also called the CAM table — Content Addressable Memory), finds the port associated with that MAC, and forwards the frame out only that port. This is fundamentally more efficient than the old hub approach, which sent every frame out every port regardless.

Also Read: “How a Switch Learns MAC Addresses”

Modern enterprise switches — Catalyst 9300, for example — are actually multilayer switches, meaning they can do Layer 3 IP routing in addition to Layer 2 switching, all in hardware using ASICs. That’s how inter-VLAN routing happens without needing a separate router for every pair of VLANs.

Access Points

Wireless access points (APs) bridge 802.11 wireless traffic onto the wired Ethernet LAN. Enterprise APs — Cisco Catalyst 9130, 9120, etc. — are typically managed centrally via a Wireless LAN Controller (WLC) or Cisco DNA Center, rather than being configured individually. That central management model makes it practical to manage hundreds of APs across a campus without losing your mind.

Routers

Routers operate at Layer 3 and connect different networks together — your LAN to the WAN, one VLAN to another at the network boundary, or your internal network to the internet. On small networks, a single router handles this. On large enterprise networks, routing happens in the distribution and core switches via Layer 3 switching, with dedicated routers only at the WAN edge.

LAN Segmentation: Why We Don’t Just Put Everything on One Network

Early LANs were flat — one big network, every device on the same subnet, shared broadcast domain. On a small network, that’s fine. On a network with 500 devices, it’s a disaster. Every ARP broadcast, every DHCP discovery, every unknown-destination frame gets flooded to all 500 devices. That’s a lot of unnecessary noise, and it creates serious security problems too — every device can see every other device’s traffic.

The solution is VLANs (Virtual Local Area Networks). VLANs let you logically segment one physical switch infrastructure into multiple separate Layer 2 broadcast domains. The Finance department’s PCs are in VLAN 10, Engineering is in VLAN 20, the IP phone system is in VLAN 100 — and traffic between those VLANs only moves through a Layer 3 device, where you can apply access control policies.

VLANs are fundamental to modern LAN design, and we’ll cover them in depth in their own lessons. For now, just understand that a single physical LAN can — and should — be divided into multiple logical LANs.

Basic Switch Configuration: Getting Started on Cisco IOS

Let’s make this concrete. You’ve got a brand-new Cisco Catalyst 9200 out of the box. Here’s what initial configuration looks like before you start connecting users to it.

Accessing the Switch

You’ll use a console cable (USB-to-mini USB or USB-to-RJ45 depending on the model) and a terminal emulator like PuTTY or SecureCRT. Settings are 9600 baud, 8 data bits, no parity, 1 stop bit — the default for all Cisco IOS devices.

Hostname and Domain

Switch> enable
Switch# configure terminal
Switch(config)# hostname ACC-SW-01
ACC-SW-01(config)# ip domain-name netitpro.local

Good housekeeping. Name your switches logically — I use a convention like ACC (access), DIST (distribution), CORE for the tier, followed by building and number. Makes it immediately obvious where a switch sits when you’re reading logs.

Management IP Address

Switches don’t route traffic (unless they’re multilayer), but they still need an IP address for management — SSH, SNMP, logging. On a Layer 2 switch, you assign this to the VLAN 1 interface (or better, a dedicated management VLAN):

ACC-SW-01(config)# interface vlan 1
ACC-SW-01(config-if)# ip address 192.168.1.10 255.255.255.0
ACC-SW-01(config-if)# no shutdown
ACC-SW-01(config-if)# exit
ACC-SW-01(config)# ip default-gateway 192.168.1.1

The default gateway is critical — without it, the switch can receive management traffic but can’t reply to anything outside its own subnet.

Securing Access

ACC-SW-01(config)# enable secret Str0ngP@ssword!
ACC-SW-01(config)# service password-encryption
ACC-SW-01(config)# line vty 0 15
ACC-SW-01(config-line)# transport input ssh
ACC-SW-01(config-line)# login local
ACC-SW-01(config-line)# exec-timeout 10 0
ACC-SW-01(config-line)# exit
ACC-SW-01(config)# line con 0
ACC-SW-01(config-line)# login local
ACC-SW-01(config-line)# exec-timeout 10 0
ACC-SW-01(config-line)# exit
ACC-SW-01(config)# username admin privilege 15 secret Admin@2024!

Note the transport input ssh — you’re explicitly blocking Telnet here. Telnet sends credentials in cleartext. Never use Telnet on a production network. I’ve seen auditors flag this immediately during security reviews.

Generating the RSA Key for SSH

ACC-SW-01(config)# crypto key generate rsa modulus 2048

2048-bit minimum. Some older guides say 1024 — don’t do that. SSH v1 is insecure, so lock it to v2:

ACC-SW-01(config)# ip ssh version 2

Saving the Configuration

ACC-SW-01# copy running-config startup-config
Destination filename [startup-config]?
Building configuration...
[OK]

Or the shortcut: write memory (still works on IOS-XE). Either way, get in the habit of saving before you leave a switch. Rookie mistake: spending 20 minutes configuring a switch, having someone power-cycle it, and losing everything.

Verification Commands

Once the switch is up, you’ll want to verify things are working. Here are the key commands:

Check the Management Interface

ACC-SW-01# show interface vlan 1
Vlan1 is up, line protocol is up
  Hardware is Ethernet SVI, address is aabb.cc00.1000 (bia aabb.cc00.1000)
  Internet address is 192.168.1.10/24
  MTU 1500 bytes, BW 1000000 Kbit/sec, DLY 10 usec,
     reliability 255/255, txload 1/255, rxload 1/255
  Encapsulation ARPA, loopback not set

“Vlan1 is up, line protocol is up” — that’s what you want to see. If you see “up/down,” the VLAN might not have any active ports assigned to it. If you see “administratively down,” you forgot the no shutdown.

Check Physical Interfaces

ACC-SW-01# show interfaces status

Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1                      connected    1          a-full  a-1G  10/100/1000BaseTX
Gi1/0/2                      notconnect   1          auto    auto  10/100/1000BaseTX
Gi1/0/3                      connected    1          a-full  a-1G  10/100/1000BaseTX

This gives you a quick one-line-per-port status. “a-full” and “a-1G” mean the switch auto-negotiated full duplex and 1 Gbps — that’s normal. “notconnect” just means nothing is plugged in. If you see “err-disabled,” that’s a different story (see the troubleshooting section below).

Check the MAC Address Table

ACC-SW-01# show mac address-table
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aabb.cc11.2200    DYNAMIC     Gi1/0/1
   1    aabb.cc33.4400    DYNAMIC     Gi1/0/3
Total Mac Addresses for this criterion: 2

This shows you which MAC addresses the switch has learned, what VLAN they’re on, and which port they came in on. DYNAMIC means the switch learned these by seeing frames — they’ll age out if no traffic is seen for 300 seconds (the default MAC aging timer). STATIC entries are manually configured and don’t age out.
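
An added example, not part of the original lesson: a parser for the show mac address-table layout above that lists access ports with more dynamically learned MACs than expected, the situation port security and BPDU Guard are meant to catch. The sample output, the max_macs threshold and the uplink port name are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed 'show mac address-table' output (not from a real device).
SAMPLE_OUTPUT = """\
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    aabb.cc11.2200    DYNAMIC     Gi1/0/1
   1    aabb.cc33.4400    DYNAMIC     Gi1/0/3
   1    aabb.cc33.4401    DYNAMIC     Gi1/0/3
   1    aabb.cc33.4402    DYNAMIC     Gi1/0/3
   1    aabb.cc55.6600    STATIC      Gi1/0/4
   1    aabb.cc77.8800    DYNAMIC     Gi1/0/24
   1    aabb.cc77.8801    DYNAMIC     Gi1/0/24
 All    0100.0ccc.cccc    STATIC      CPU
Total Mac Addresses for this criterion: 8
"""

# One table row: VLAN (number or "All"), dotted-hex MAC, entry type, port.
ROW = re.compile(
    r"^\s*(\d+|All)\s+([0-9a-f]{4}\.[0-9a-f]{4}\.[0-9a-f]{4})\s+(\S+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_mac_table(output):
    """Return one dict per table row; headers, rulers and totals are skipped."""
    entries = []
    for line in output.splitlines():
        m = ROW.match(line)
        if m:
            vlan, mac, kind, port = m.groups()
            entries.append(
                {"vlan": vlan, "mac": mac.lower(), "type": kind.upper(), "port": port}
            )
    return entries


def crowded_ports(entries, max_macs=1, uplinks=()):
    """Ports with more than max_macs DYNAMIC addresses, ignoring known uplinks.

    max_macs=1 assumes one PC per access port; raise it where a phone and a
    PC share a port. Uplinks legitimately carry many MACs, so they are excluded.
    """
    per_port = defaultdict(set)
    for e in entries:
        if e["type"] == "DYNAMIC" and e["port"] not in uplinks:
            per_port[e["port"]].add(e["mac"])
    return {p: sorted(m) for p, m in sorted(per_port.items()) if len(m) > max_macs}


if __name__ == "__main__":
    table = parse_mac_table(SAMPLE_OUTPUT)
    for port, macs in crowded_ports(table, uplinks=("Gi1/0/24",)).items():
        print(f"{port}: {len(macs)} dynamic MACs -> {', '.join(macs)}")
```
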

Verify SSH Is Working

ACC-SW-01# show ip ssh
SSH Enabled - version 2.0
Authentication timeout: 120 secs; Authentication retries: 3
Minimum expected Diffie Hellman key size : 1024 bits
IOS Keys in SECSH format(ssh-rsa, base64 encoded):
...

Troubleshooting Common LAN Issues

Here’s where things get real. The theory is great, but in production you’ll spend time diagnosing problems. These are the most common ones I’ve run into.

Problem 1: Interface is Up/Down

You plug a cable in, but show interfaces GigabitEthernet1/0/1 shows “GigabitEthernet1/0/1 is up, line protocol is down.”

What’s happening: The physical layer is detecting a signal (up), but the Layer 2 protocol isn’t establishing. Classic causes: bad cable, duplex/speed mismatch, bad NIC, or the other end is administratively shut down.

Check this:

ACC-SW-01# show interfaces GigabitEthernet1/0/1
GigabitEthernet1/0/1 is up, line protocol is down
  ...
  Last input 00:00:00, output 00:05:32, output hang never
  Last clearing of "show interface" counters never
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  ...
  CRC, input errors, giants, runts — check these counters

High CRC errors usually mean a bad cable or a duplex mismatch. Input errors with no CRC usually point to a physical layer issue. Replace the cable first — it’s the cheapest fix and right more often than you’d expect.

Problem 2: Interface is err-disabled

This one surprises new engineers. You check a port and see:

ACC-SW-01# show interfaces status | include err
Gi1/0/5   err-disabled

An err-disabled port has been shut down by IOS automatically due to a policy violation or detected error. Common triggers include: port security violation (too many MACs on the port), BPDU Guard (an STP BPDU arrived on a PortFast port — meaning someone plugged in a switch where there should only be a PC), UDLD failure, or a loopback detection.

To see why:

ACC-SW-01# show interfaces GigabitEthernet1/0/5
GigabitEthernet1/0/5 is err-disabled
...
ACC-SW-01# show errdisable recovery

Fix the underlying cause first, then recover the port:

ACC-SW-01(config)# interface GigabitEthernet1/0/5
ACC-SW-01(config-if)# shutdown
ACC-SW-01(config-if)# no shutdown

Don’t just blindly bounce the port without understanding why it went err-disabled. I’ve seen people do that in a loop for an hour without fixing anything.

Problem 3: Can’t SSH to the Switch

You’ve configured SSH but can’t connect from a PC on the same subnet.

Checklist:

  1. Is VLAN 1 (or your management VLAN) interface up/up? (show interface vlan 1)
  2. Is there an active port in that VLAN? A VLAN SVI won’t come up if no ports are assigned to it and active.
  3. Did you generate the RSA key? (show crypto key mypubkey rsa)
  4. Is ip ssh version 2 configured?
  5. Are the VTY lines set to transport input ssh?
  6. Does a local username exist? (show running-config | include username)

In my experience, the most common miss is #6. Someone configures login local on the VTY lines but forgets to create a username, or they create the username but misspell it.
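
An added example, not part of the original lesson: a small audit that applies the Securing Access steps and the checklist above to the text of a running-config, including the case where the VTY lines appear as two separate blocks. The sample config and its placeholder hashes are constructed; the script assumes local authentication (no AAA) and cannot see the RSA key, which still has to be checked on the device.

```python
import re

# Constructed running-config excerpt (not from a real device). VTY 0-4 follows
# the hardening steps above; VTY 5-15 and the console were left behind.
SAMPLE_CONFIG = """\
hostname ACC-SW-01
enable secret 9 $9$CONSTRUCTED.PLACEHOLDER
username admin privilege 15 secret 9 $9$CONSTRUCTED.PLACEHOLDER
ip domain-name netitpro.local
ip ssh version 2
line con 0
 exec-timeout 0 0
 login local
line vty 0 4
 transport input ssh
 login local
line vty 5 15
 transport input telnet ssh
 login
"""


def parse_line_blocks(config):
    """Map each 'line ...' header (e.g. 'vty 0 4') to its indented subcommands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[len("line "):].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command closes the block
    return blocks


def audit(config):
    """Return findings for the items configured in the steps above."""
    findings = []
    top = [l.strip() for l in config.splitlines() if l and not l.startswith(" ")]
    if not any(l.startswith("enable secret") for l in top):
        findings.append("global: enable secret missing")
    if "ip ssh version 2" not in top:
        findings.append("global: ip ssh version 2 missing")
    has_user = any(re.match(r"username \S+ .*\bsecret\b", l) for l in top)
    blocks = parse_line_blocks(config)
    if not any(name.startswith("vty") for name in blocks):
        findings.append("global: no line vty block found")
    for name, cmds in blocks.items():
        if name.startswith("vty"):
            transport = [c for c in cmds if c.startswith("transport input")]
            if transport != ["transport input ssh"]:
                findings.append(f"line {name}: transport input is not ssh-only")
        if name.startswith(("vty", "con")):
            if "login local" not in cmds:
                findings.append(f"line {name}: login local missing")
            elif not has_user:
                findings.append(f"line {name}: login local without a local username")
            # Only an explicitly disabled timeout is flagged; this sketch does
            # not assume the timeout line is always present in the config.
            if "exec-timeout 0 0" in cmds:
                findings.append(f"line {name}: exec-timeout disabled")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```
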

Problem 4: Duplex Mismatch

This is a silent performance killer. One side of a link negotiates full duplex, the other ends up at half duplex. Traffic flows, but you see a lot of late collisions and input errors.

ACC-SW-01# show interfaces GigabitEthernet1/0/1
  ...
  0 late collision, 0 deferred

If late collisions are incrementing, you have a duplex mismatch. The fix is to hardcode both ends to the same duplex and speed, or ensure both ends are set to auto-negotiate:

ACC-SW-01(config)# interface GigabitEthernet1/0/1
ACC-SW-01(config-if)# duplex auto
ACC-SW-01(config-if)# speed auto

The general rule: either hardcode both ends, or leave both ends on auto. Mixing one hardcoded and one auto is the classic recipe for a duplex mismatch.
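
An added example, not part of the original lesson: because "incrementing" only means something across two readings, this script compares two show interfaces snapshots of the same port and applies the rules of thumb from Problem 1 and Problem 4 to the counter deltas. Both snapshots are constructed sample text, and the function names are illustrative.

```python
import re

COUNTERS = ("input errors", "CRC", "late collision")

# Constructed 'show interfaces' excerpts from the same port, taken a few
# minutes apart (not real device output).
SNAPSHOT_T0 = """\
GigabitEthernet1/0/1 is up, line protocol is up (connected)
     3 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 41 collisions, 1 interface resets
     0 babbles, 12 late collision, 0 deferred
"""
SNAPSHOT_T1 = """\
GigabitEthernet1/0/1 is up, line protocol is up (connected)
     9 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 output errors, 97 collisions, 1 interface resets
     0 babbles, 58 late collision, 0 deferred
"""


def parse_counters(output):
    """Extract the counters named in COUNTERS; a missing counter reads as 0."""
    values = {}
    for name in COUNTERS:
        m = re.search(rf"(\d+) {re.escape(name)}\b", output)
        values[name] = int(m.group(1)) if m else 0
    return values


def triage(before_text, after_text):
    """Return (delta, verdict) using the lesson's rules on counter growth."""
    before, after = parse_counters(before_text), parse_counters(after_text)
    if any(after[k] < before[k] for k in COUNTERS):
        # Counters went backwards: they were cleared (or the device reloaded)
        # between snapshots, so everything in the second snapshot is new.
        before = dict.fromkeys(COUNTERS, 0)
    delta = {k: after[k] - before[k] for k in COUNTERS}
    # Most specific symptom first: late collisions already explain the
    # accompanying input errors, so only one verdict is returned.
    if delta["late collision"] > 0:
        verdict = "late collisions incrementing: duplex mismatch"
    elif delta["CRC"] > 0:
        verdict = "CRC errors incrementing: bad cable or duplex mismatch"
    elif delta["input errors"] > 0:
        verdict = "input errors without CRC: physical layer issue"
    else:
        verdict = "no error counters incrementing"
    return delta, verdict


if __name__ == "__main__":
    delta, verdict = triage(SNAPSHOT_T0, SNAPSHOT_T1)
    print(delta)
    print(verdict)
```
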

LAN vs WAN: Knowing the Boundary

Since we’re setting the foundation, let’s be clear about where a LAN ends and a WAN begins — because students mix this up constantly.

                   LAN                              WAN
Geographic scope   Building, campus                 City, country, global
Technology         Ethernet, Wi-Fi                  MPLS, leased lines, internet
Ownership          Usually organization-owned       Usually service provider
Speed              100 Mbps to 400 Gbps             Varies widely, often slower
Layer 2 protocol   Ethernet (802.3)                 Frame Relay (legacy), PPP, HDLC, Ethernet (Metro-E)
Cost               Capital expense (buy the gear)   Operating expense (monthly bills)

The router is the demarcation point. It connects your LAN to the service provider’s WAN infrastructure. Everything on your side of the router is your LAN. The first hop on the other side belongs to the provider.

Conclusion

That’s the foundation. A LAN is a local network — from two computers on a desk to thousands of devices across a multi-building campus. Ethernet is the dominant technology. Switches are the central devices. And the router is the boundary between your local world and everyone else’s.

As we move through the CCNA material, every topic builds on this. VLANs segment your LAN logically. Spanning Tree prevents Layer 2 loops. EtherChannel aggregates bandwidth between switches. Routing gets your traffic from one LAN to another. None of that is complicated once you have this baseline picture firmly in place.

In the next lesson, we’ll go deeper on Ethernet itself — how frames are structured, how MAC addresses work at the hardware level, and what happens from the moment you hit Enter on a ping until the echo reply comes back.
