
CCNA & CCNP Basic

[A] Path Determination and Switching Function Details


Can you describe the exact details of what happens to a packet at Layer 2 and Layer 3 as it travels from
source to destination? If not, study the animation and follow along with the discussion until you can describe
the process on your own.
Step 1: PC1 has a packet to be sent to PC2
PC1 encapsulates the IP packet into an Ethernet frame with the destination MAC address of R1's FastEthernet 0/0
interface.
How does PC1 know to forward the packet to R1 and not directly to PC2? PC1 has determined that the IP source and
IP destination addresses are on different networks.
PC1 knows the network it belongs to by doing an AND operation on its own IP address and subnet mask, which
results in its network address. PC1 does this same AND operation using the packet destination IP address and the
PC1 subnet mask. If the result is the same as its own network, PC1 knows that the destination IP address is on its
own network and it does not need to forward the packet to the default gateway, the router. If the AND operation
results in a different network address, PC1 knows that the destination IP address is not on its own network and that it
must forward this packet to the default gateway, the router.
How does PC1 determine the MAC address of the default gateway, router R1? PC1 checks its ARP table for
the IP address of the default gateway and its associated MAC address. What if this entry does not exist in the
ARP table?
PC1 sends an ARP request and router R1 sends back an ARP reply.

Step 2: Router R1 receives the Ethernet frame


1. Router R1 examines the destination MAC address, which matches the MAC address of the receiving interface,
FastEthernet 0/0. R1 will therefore copy the frame into its buffer.
2. R1 sees that the Ethernet Type field is 0x800, which means that the Ethernet frame contains an IP packet in the
data portion of the frame.
3. R1 decapsulates the Ethernet frame.
4. Because the destination IP address of the packet does not match any of R1's directly connected networks, the
router consults its routing table to route this packet. R1 searches the routing table for a network address and subnet
mask that would include this packet's destination IP address as a host address on that network. In this example, the
routing table has a route for the 192.168.4.0/24 network. The destination IP address of the packet is 192.168.4.10,
which is a host IP address on that network.
R1's route to the 192.168.4.0/24 network has a next-hop IP address of 192.168.2.2 and an exit interface of
FastEthernet 0/1. This means that the IP packet will be encapsulated in a new Ethernet frame with the destination
MAC address of the next-hop router's IP address. Because the exit interface is on an Ethernet network, R1 must
resolve the next-hop IP address with a destination MAC address.
5. R1 looks up the next-hop IP address of 192.168.2.2 in its ARP cache for its FastEthernet 0/1 interface. If the entry
is not in the ARP cache, R1 sends an ARP request out its FastEthernet 0/1 interface. R2 sends back an ARP reply.
R1 then updates its ARP cache with an entry for 192.168.2.2 and the associated MAC address.
6. The IP packet is now encapsulated into a new Ethernet frame and forwarded out R1's FastEthernet 0/1 interface.

Step 3: Packet arrives at router R2


1. Router R2 examines the destination MAC address, which matches the MAC address of the receiving interface,
FastEthernet 0/0. R2 will therefore copy the frame into its buffer.
2. R2 sees that the Ethernet Type field is 0x800, which means that the Ethernet frame contains an IP packet in the
data portion of the frame.
3. R2 decapsulates the Ethernet frame.
4. Because the destination IP address of the packet does not match any of R2's interface addresses, the router
consults its routing table to route this packet. R2 searches the routing table for the packet's destination IP address
using the same process R1 used.
R2's routing table has a route to the 192.168.4.0/24 network, with a next-hop IP address of 192.168.3.2 and an exit
interface of Serial 0/0/0. Because the exit interface is not an Ethernet network, R2 does not have to resolve the
next-hop IP address with a destination MAC address.
When the interface is a point-to-point serial connection, R2 encapsulates the IP packet into the proper data link
frame format used by the exit interface (HDLC, PPP, etc.). In this case, the Layer 2 encapsulation is PPP; therefore,
the data link destination address is set to a broadcast. Remember, there are no MAC addresses on serial interfaces.
5. The IP packet is now encapsulated into a new data link frame, PPP, and sent out the serial 0/0/0 exit interface.
Step 4: The packet arrives at R3
1. R3 receives and copies the data link PPP frame into its buffer.
2. R3 decapsulates the data link PPP frame.
3. R3 searches the routing table for the destination IP address of the packet. The search of the routing table results in
a network that is one of R3's directly connected networks. This means that the packet can be sent directly to the
destination device and does not need to be sent to another router.
Because the exit interface is a directly connected Ethernet network, R3 needs to resolve the destination IP address of
the packet with a destination MAC address.
4. R3 searches for the packet's destination IP address of 192.168.4.10 in its ARP cache. If the entry is not in the ARP
cache, R3 sends an ARP request out its FastEthernet 0/0 interface. PC2 sends back an ARP reply with its MAC
address. R3 updates its ARP cache with an entry for 192.168.4.10 and the MAC address that was returned in the
ARP reply.
5. The IP packet is encapsulated into a new data link, Ethernet frame and sent out R3's FastEthernet 0/0 interface.
Step 5: The Ethernet Frame with encapsulated IP packet arrives at PC2
1. PC2 examines the destination MAC address, which matches the MAC address of the receiving interface, its
Ethernet NIC. PC2 will therefore copy the rest of the frame into its buffer.
2. PC2 sees that the Ethernet Type field is 0x800, which means that the Ethernet frame contains an IP packet in the
data portion of the frame.
3. PC2 decapsulates the Ethernet frame and passes the IP packet to the IP process of its operating system.
Summary:
-We have seen that routers are not involved only in Layer 3 routing decisions, but that they also participate in Layer
2 processes, including encapsulation, and on Ethernet networks, ARP. Routers also participate in Layer 1, which is
used to transmit and receive the data bits over the physical medium.
-Routing tables contain both directly connected networks and remote networks. It is because routers contain
addresses for remote networks in their routing tables that routers know where to send packets destined for other
networks, including the Internet.
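
The per-router decision in Steps 2 to 4, as an added example that is not part of the original notes: longest-prefix lookup, then ARP only when the exit interface is Ethernet. The 192.168.4.0/24 routes, next hops and exit interfaces are the ones given above; the MAC address, R1's two connected networks and the ARP cache contents are constructed assumptions.

```python
import ipaddress

def lookup(routes, dst_ip):
    """Longest-prefix match: the most specific route containing dst_ip, or None."""
    dst = ipaddress.IPv4Address(dst_ip)
    hits = [r for r in routes if dst in ipaddress.ip_network(r["prefix"])]
    return max(hits, key=lambda r: ipaddress.ip_network(r["prefix"]).prefixlen,
               default=None)

def forward(router, dst_ip):
    """One hop's decision: (exit interface, layer-2 action, layer-2 target)."""
    route = lookup(router["routes"], dst_ip)
    if route is None:
        return None                                    # no route: packet is dropped
    if route["media"] != "ethernet":
        return (route["exit"], "ppp", None)            # serial link: no MAC to resolve
    # Remote network: resolve the next hop. Directly connected: resolve the host itself.
    target = route["next_hop"] or dst_ip
    mac = router["arp"].get(target)
    if mac is None:
        return (route["exit"], "arp-request", target)  # cache miss: ARP before framing
    return (route["exit"], "ethernet", mac)

# Routing tables. Entries marked "assumed" are not stated in the notes.
R1 = {"routes": [
          {"prefix": "192.168.1.0/24", "next_hop": None,          # assumed PC1 LAN
           "exit": "Fa0/0", "media": "ethernet"},
          {"prefix": "192.168.2.0/24", "next_hop": None,          # assumed R1-R2 link
           "exit": "Fa0/1", "media": "ethernet"},
          {"prefix": "192.168.4.0/24", "next_hop": "192.168.2.2",
           "exit": "Fa0/1", "media": "ethernet"}],
      "arp": {"192.168.2.2": "00:00:5e:00:53:02"}}                # constructed MAC
R2 = {"routes": [
          {"prefix": "192.168.4.0/24", "next_hop": "192.168.3.2",
           "exit": "S0/0/0", "media": "serial"}],
      "arp": {}}
R3 = {"routes": [
          {"prefix": "192.168.4.0/24", "next_hop": None,
           "exit": "Fa0/0", "media": "ethernet"}],
      "arp": {}}                                                  # empty cache: PC2 unknown

def trace(dst_ip):
    """Decision taken at each router along the path for one destination."""
    return [(name, forward(router, dst_ip))
            for name, router in (("R1", R1), ("R2", R2), ("R3", R3))]

if __name__ == "__main__":
    for name, decision in trace("192.168.4.10"):
        print(name, decision)
```

The destination IP address is the same at every hop; only the exit interface and the layer-2 target change.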
[B] Follow Data through an Internetwork:

-Server (Receiving Host) – Router A ----- Router B ---------Client (Receiving Host)

The figure on the next page presents a simple data transfer between two hosts across an internetwork. We highlight
the function of each layer during the communication. For this example we will depict an HTTP request between a
client and a server.

In each step we are only bringing attention to the major elements. Many parts of the headers are ignored, for
example.

We are assuming that all routing tables are converged and ARP tables are complete. Additionally, we are assuming
that a TCP session is already established between the client and server. We will also assume that the DNS lookup for
the WWW server is already cached at the client.

In the WAN connection between the two routers, we are assuming that PPP has already established a physical circuit
and has established a PPP session.

*Step 1

-A user on a LAN network wants to access a web page stored on a server that is located on a remote network. The
user starts by activating a link on a web page.
*Step 2

-The browser initiates an HTTP Get request. The Application Layer adds the Layer 7 header to identify the
application and data type.

*Step 3

-The Transport layer identifies the upper layer service as a World Wide Web (WWW) client. The transport layer
then associates this service with the TCP protocol and assigns the port number. It uses a randomly selected source
port that is associated with this established session (12345). The destination port (80) is associated with a WWW
service.
*Step 4

-TCP also sends an acknowledgement number that tells the WWW server the sequence number of the next TCP
segment it expects to receive. The sequence number will indicate where this segment is placed in the series of related
segments. Flags are also set as appropriate to establish a session.

*Step 5

-At the network layer, an IP packet is constructed to identify the source and destination hosts. For the destination
address, the client host uses the IP address associated with the WWW server host name that is cached in the host table. It
uses its own IPv4 address as the source address. The network layer also identifies the upper layer protocol
encapsulated in this packet as a TCP segment.
*Step 6

-The Data link layer refers to the Address Resolution Protocol (ARP) cache to determine the MAC address that is
associated with the interface of RouterB, which is specified as the default gateway. It then uses this address to build
an Ethernet II frame to transport the IPv4 packet across the local media. The MAC address of the laptop is used as
the source MAC address, and the MAC address of the Fa0/0 interface of RouterB is used as the destination MAC
address in the frame.

*Step 7

-The frame also indicates the upper layer protocol of IPv4 with a value of 0800 in the Type field. The frame begins
with a Preamble and Start of Frame (SOF) indicator and ends with a cyclic redundancy check (CRC) in the frame
for error detection. It then uses CSMA/CD to control the placing of the frame onto the media.
*Step 8

-The Physical layer begins encoding the frame onto the media, bit by bit. The segment between RouterA and the
server is a 10Base-T segment; therefore, the bits are encoded using Manchester Differential encoding. RouterB
buffers the bits as they are received.

*Step 9

-RouterB examines the bits in the preamble and SOF, looking for the two consecutive 1 bits that indicate the
beginning of the frame. RouterB then begins buffering the bits as part of the reconstructed frame. When the
entire frame is received, RouterB generates a CRC of the frame. It then compares this to the FCS at the end of the
frame to determine that the frame was intact. When the frame is confirmed as a good frame, the destination MAC
address in the frame is compared to the MAC address of the interface (Fa0/0). Because it matches, the headers are
removed and the packet is pushed up to the Network layer.
*Step 10

-At the Network layer, the destination IPv4 address of the packet is compared against the routes in the routing table.
A match is found that is associated with a next hop out interface S0/0/0. The packet inside RouterB is then passed to
the circuitry for the S0/0/0 interface.

*Step 11

-RouterB creates a PPP frame to transport the packet across the WAN. In the PPP header, a flag of 01111110 binary
is added to indicate the start of the frame. Following that, an address field of 11111111 is added, which is equivalent
to a broadcast (it means “send to all stations”). Because PPP is point-to-point and is used as a direct link between two
nodes, this field has no real meaning.
*Step 12

-Also included is a Protocol field with a value of 0021 (hex) to indicate that an IPv4 packet is encapsulated. The
frame trailer ends with a cyclic redundancy check in the Frame Check Sequence for error detection. A flag value
of 01111110 binary indicates the end of a PPP frame.

*Step 13

-With the circuit and PPP session already established between the routers, the Physical layer begins encoding the
frame onto the WAN media, bit by bit. The receiving router (RouterA) buffers the bits as they are received. The type
of bit representation and encoding is dependent on the type of WAN technology being used.
*Step 14

-RouterA examines the bits in the flag to identify the beginning of the frame. RouterA then begins buffering the bits
as part of the reconstructed frame. When the entire frame is received, as indicated by the flag in the trailer,
RouterA generates a CRC of the frame. It then compares this to the FCS at the end of the frame to determine that the
frame was received intact. When the frame is confirmed as a good frame, the headers are removed and the packet is
pushed up to the Network Layer of RouterA.

*Step 15

-At the Network layer, the destination IPv4 address of the packet is compared against the routes in the routing table.
A match is found that is directly connected to interface Fa0/0. The packet inside RouterA is then passed to the
circuitry for the Fa0/0 interface.
*Step 16

-The Data Link layer refers to the ARP cache of RouterA to determine the MAC address that is associated with the
interface of the Web Server. It then uses this MAC address to build an Ethernet II frame to transport the IPv4 packet
across the local media to the server. The MAC address of the Fa0/0 interface of RouterA is used as the source MAC
address, and the MAC address of the server is used as the destination MAC address in the frame. The frame also
indicates the upper layer protocol of IPv4 with a value of 0800 in the Type field. The frame begins with a Preamble
and Start of Frame (SOF) indicator and ends with a cyclic redundancy check in the Frame Check Sequence at the
end of the frame for error detection. It then uses CSMA/CD to control the placing of the frame onto the media.

*Step 17

-The Physical layer begins encoding the frame onto the media, bit by bit. The segment between RouterA and the
server is a 100Base-T segment; therefore, the bits are encoded using 4B/5B encoding. The server buffers the bits as
they are received.
*Step 18

-The Web Server examines the bits in the Preamble and SOF looking for the two consecutive 1 bits that indicate the
beginning of the frame. The server then begins buffering the bits as part of the reconstructed frame. When it has
received the frame, the server generates a CRC of the frame. It then compares this to the FCS at the end of the frame
to determine that the frame was received intact.

*Step 19

-When the frame is confirmed as a good frame, the destination MAC address in the frame is compared to the MAC
address of the NIC in the server. Because it matches, the headers are removed and the packet is pushed up to the
Network Layer.
*Step 20

-At the Network layer, the destination IPv4 address of the packet is examined to identify the destination host.
Because this address matches its own IPv4 address, the packet is processed by the server. The Network layer
identifies the upper layer protocol as TCP and directs the contained segment to the TCP service at the Transport
layer.

*Step 21

-At the Transport layer of the server, the TCP segment is examined to determine the session to which the data
contained in the segment belongs. This is done by examining the source and destination port. The unique source and
destination port identifies an existing session to the web server service. The sequence number is used to place this
segment in the proper order to be sent upward to the Application layer.
*Step 22

-At the Application layer, the HTTP Get request is delivered to the Web Server service (httpd). The service can then
formulate a response to the request.
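
The PPP frame of Steps 11, 12 and 14, as an added example that is not part of the original notes: RouterB's side builds flag, address, protocol 0021, payload, FCS and closing flag, and RouterA's side checks the FCS before handing the packet up. The control octet 0x03, the 16-bit FCS algorithm and the 0x7D escape octet come from RFC 1662 and are not mentioned above; the payload bytes are a constructed stand-in for the IP packet.

```python
FLAG = 0x7E          # 01111110: opens and closes the frame
ADDRESS = 0xFF       # 11111111: the "all stations" address
CONTROL = 0x03       # unnumbered information (RFC 1662, not stated in the notes)
PROTO_IPV4 = 0x0021  # Protocol field value for an encapsulated IPv4 packet
ESCAPE = 0x7D        # RFC 1662 control-escape octet

def fcs16(data):
    """RFC 1662 16-bit FCS: reflected polynomial 0x8408, init and final XOR 0xFFFF."""
    fcs = 0xFFFF
    for byte in data:
        fcs ^= byte
        for _ in range(8):
            fcs = (fcs >> 1) ^ 0x8408 if fcs & 1 else fcs >> 1
    return fcs ^ 0xFFFF

def stuff(body):
    """Escape flag and escape octets so the flag value never appears inside the frame."""
    out = bytearray()
    for byte in body:
        if byte in (FLAG, ESCAPE):
            out += bytes((ESCAPE, byte ^ 0x20))
        else:
            out.append(byte)
    return bytes(out)

def unstuff(body):
    out, octets = bytearray(), iter(body)
    for byte in octets:
        if byte == ESCAPE:
            escaped = next(octets, None)
            if escaped is None:
                raise ValueError("frame ends inside an escape sequence")
            out.append(escaped ^ 0x20)
        else:
            out.append(byte)
    return bytes(out)

def build_frame(ip_packet):
    """Sender side (RouterB): header, payload, FCS, then flags around the stuffed body."""
    body = bytes((ADDRESS, CONTROL)) + PROTO_IPV4.to_bytes(2, "big") + ip_packet
    body += fcs16(body).to_bytes(2, "little")   # FCS goes out least-significant octet first
    return bytes((FLAG,)) + stuff(body) + bytes((FLAG,))

def parse_frame(frame):
    """Receiver side (RouterA): find the flags, verify the FCS, return the IP packet."""
    if len(frame) < 2 or frame[0] != FLAG or frame[-1] != FLAG:
        raise ValueError("missing opening or closing flag")
    body = unstuff(frame[1:-1])
    if len(body) < 6:
        raise ValueError("frame too short")
    content, received_fcs = body[:-2], int.from_bytes(body[-2:], "little")
    if fcs16(content) != received_fcs:
        raise ValueError("FCS mismatch: frame discarded")
    if content[0] != ADDRESS or content[1] != CONTROL:
        raise ValueError("unexpected address/control field")
    if int.from_bytes(content[2:4], "big") != PROTO_IPV4:
        raise ValueError("payload is not IPv4")
    return content[4:]

# Constructed payload; it deliberately contains 0x7E and 0x7D to exercise the escaping.
SAMPLE_PACKET = bytes.fromhex("4500001c7e7d")

if __name__ == "__main__":
    frame = build_frame(SAMPLE_PACKET)
    print(frame.hex(), parse_frame(frame) == SAMPLE_PACKET)
```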

[C] Layer 3 Packet Rewriting Using Router:


--Layer 3 routing requires the ability of packet rewriting. Packet rewriting occurs on any routed
boundary. Figure 1-6 illustrates the basic packet rewriting requirements of Layer 3 routing in an example in which
two workstations are communicating using ICMP.
Process:
Address Resolution Protocol (ARP) plays an important role in Layer 3 packet rewriting. When Workstation A in
Figure 1-6 sends five ICMP echo requests to Workstation B, the following events occur (assuming all the devices in
this example have yet to communicate, use static addressing versus DHCP, and there is no event to trigger a
gratuitous ARP):

Step 1. Workstation A sends an ARP request for its default gateway. Workstation A sends this ARP to obtain the
MAC address of the default gateway. Without knowing the MAC address of the default gateway, Workstation A
cannot send any traffic outside the local subnet. Note that, in this example, Workstation A’s default gateway is the
Cisco 2900 router with two Ethernet interfaces.

Step 2. The default gateway, the Cisco 2900, responds to the ARP request with an ARP reply, sent to the unicast
MAC address and IP address of Workstation A, indicating the default gateway’s MAC address. The default gateway
also adds an ARP entry for Workstation A in its ARP table upon receiving the ARP request.

Step 3. Workstation A sends the first ICMP echo request to the destination IP address of Workstation B with a
destination MAC address of the default gateway.

Step 4. The router receives the ICMP echo request and determines the shortest path to the destination IP address.

Step 5. Because the default gateway does not have an ARP entry for the destination IP address, Workstation B, the
default gateway drops the first ICMP echo request from Workstation A. The default gateway drops packets in the
absence of ARP entries to avoid storing packets that are destined for devices without ARP entries as defined by the
original RFCs governing ARP.

Step 6. The default gateway sends an ARP request to Workstation B to get Workstation B’s MAC address.

Step 7. Upon receiving the ARP request, Workstation B sends an ARP response with its MAC address.

Step 8. By this time, Workstation A is sending a second ICMP echo request to the destination IP of Workstation B
via its default gateway.

Step 9. Upon receipt of the second ICMP echo request, the default gateway now has an ARP entry for
Workstation B. The default gateway in turn rewrites the source MAC address to itself and the destination MAC to
Workstation B’s MAC address, and then forwards the frame to Workstation B.

Step 10. Workstation B receives the ICMP echo request and sends an ICMP echo reply to the IP address of
Workstation A with the destination MAC address of the default gateway.
[D] How the packets traverse through the multilayer switch. Frame Rewrite

When packets transit through a router or multilayer switch, the following verifications must occur, as shown
in Figure 4-16:
• The incoming frame checksum is verified to ensure that no frame corruption or alteration occurs during transit.
• The incoming IP header checksum is verified to ensure that no packet corruption or alteration occurs during transit.
*Incoming Packet

IP unicast packets are rewritten on the output interface, as illustrated in Figure 4-17 and described as
follows:
• The destination MAC address changes from the router MAC address to the next-hop MAC address.
• The source MAC address changes from the sender MAC address to the outgoing router MAC
address.
• The TTL is decremented by one, and as a result, the IP header checksum is recalculated.
• The frame checksum must be recalculated.
*Rewritten Packet
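
The verification and rewrite steps listed above (and the MAC rewrite in Step 9 of section [C]), as an added example that is not part of the original notes, applied to the bytes of one Ethernet frame. All MAC and IP addresses are constructed, the sample frame is unpadded, and the TTL-expiry drop is standard IPv4 behaviour that the notes do not mention.

```python
import struct
import zlib

ETHERTYPE_IPV4 = b"\x08\x00"

def ip_checksum(header):
    """One's-complement sum of the header's 16-bit words (0 when a valid header is summed)."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def frame_fcs(frame_without_fcs):
    """Ethernet frame checksum: CRC-32, carried least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame_without_fcs) & 0xFFFFFFFF)

def rewrite_frame(frame, in_mac, out_mac, next_hop_mac):
    """Verify an incoming frame, then return the frame sent out of the exit interface."""
    if len(frame) < 14 + 20 + 4:
        raise ValueError("frame too short")
    body, received_fcs = frame[:-4], frame[-4:]
    if frame_fcs(body) != received_fcs:                 # verification 1: frame checksum
        raise ValueError("frame checksum mismatch")
    if body[0:6] != in_mac:
        raise ValueError("frame is not addressed to the receiving interface")
    if body[12:14] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ihl = (body[14] & 0x0F) * 4
    if ihl < 20 or len(body) < 14 + ihl:
        raise ValueError("bad IP header length")
    header, payload = bytearray(body[14:14 + ihl]), body[14 + ihl:]
    if ip_checksum(bytes(header)) != 0:                 # verification 2: IP header checksum
        raise ValueError("IP header checksum mismatch")
    if header[8] <= 1:
        raise ValueError("TTL expired")                 # not forwarded (assumption, see lead-in)
    header[8] -= 1                                      # TTL is decremented by one ...
    header[10:12] = b"\x00\x00"
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))  # ... so recalculate
    # New destination = next hop, new source = outgoing router interface.
    new_body = next_hop_mac + out_mac + ETHERTYPE_IPV4 + bytes(header) + payload
    return new_body + frame_fcs(new_body)               # frame checksum recalculated

# Constructed addresses for the sample frame.
SENDER_MAC = bytes.fromhex("00005e005301")
ROUTER_IN = bytes.fromhex("00005e005302")
ROUTER_OUT = bytes.fromhex("00005e005303")
NEXT_HOP_MAC = bytes.fromhex("00005e005304")

def sample_frame(ttl=64):
    """Constructed frame: ICMP echo request from 192.0.2.10 to 198.51.100.20."""
    icmp = bytes.fromhex("0800f7ff00000000")
    header = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0x1234,
                                   0, ttl, 1, 0, bytes((192, 0, 2, 10)),
                                   bytes((198, 51, 100, 20))))
    header[10:12] = struct.pack("!H", ip_checksum(bytes(header)))
    body = ROUTER_IN + SENDER_MAC + ETHERTYPE_IPV4 + bytes(header) + icmp
    return body + frame_fcs(body)

if __name__ == "__main__":
    incoming = sample_frame()
    outgoing = rewrite_frame(incoming, ROUTER_IN, ROUTER_OUT, NEXT_HOP_MAC)
    print("in :", incoming.hex())
    print("out:", outgoing.hex())
```

Comparing the two hex dumps shows that both MAC addresses, the TTL, the IP header checksum and the FCS differ, while the IP source and destination addresses are untouched.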

[E] Packet Flow: A Day in the Life of a Web Page Request:


Book: Page 495: Computer Networking Kurose & Ross
[F] Host-To-Host Communication:
So far, we have learned how the Transport layer protocols UDP and TCP work. We also learned that both Network
Layer addresses (the IP address) and data link layer addresses (MAC address) are needed for two hosts to
communicate. In this section, we will put this knowledge to use by examining a Host-to-Host communication
example.

In the example setup, Host A has Layer 3 address of 192.168.1.100 and Layer 2 address of 0000:0000:AAAA; Host
B has Layer 3 address of 192.168.1.200 and Layer 2 address of 0000:0000:BBBB.

Let’s assume that Host B has a web server running on it, and its port 80 is ready to accept http connections. An
HTML file named test.htm is located in Host A’s internet folder.
Now, we open a web browser in Host A and type the URL http://192.168.1.200/test.htm in the address bar, then press
the ENTER key. This is what happens afterwards.

(Note that I will not emphasize events that happen on the three upper layers of the OSI model. If you really want a
complete picture, please install Firebug in the Firefox browser and examine the upper layer protocols yourself.)

Step 1: The web browser program reads your input from the address bar.

Step 2: The browser broke the URL into three parts: the protocol (http), the server address (192.168.1.200), and the
file name (test.htm).

Step 3: From the protocol part “http”, the browser knows two things: a reliable connection is needed, and the port
number 80 should be used. Therefore the browser requests the reliable connection service from the transport layer. It
also tells the transport layer that the IP address is 192.168.1.200 and the port number is 80.

Step 4: Upon receiving the request from the browser, the transport layer selects TCP to set up the session. TCP
initiates the session by creating a TCP segment with SYN bit set. The source port is a randomly assigned dynamic
port number and the destination port is 80. The TCP segment was passed down to the Network layer, with the
destination IP address 192.168.1.200.

Step 5: IP then creates a packet with IP source address 192.168.1.100 and destination address 192.168.1.200
received from TCP. The Protocol field of the packet has value 0x06, which means TCP. After the packet creation,
IP then passes the packet to Layer 2.

Step 6: Because hosts only communicate via hardware addresses on the local LAN, for this packet to be sent to the
destination Host B, Layer 2 needs to map the destination IP address 192.168.1.200 to its MAC address. Layer 2 does
this by requesting a mapping from the ARP program.

Step 7: ARP checks its ARP table to see if the destination IP address has already been resolved to a
hardware address. If it has, the frame is then created with the hardware destination address. Otherwise, Layer 2 holds
the packet until ARP can provide a mapping. Since this is the first time we connect to the web server, the ARP table
is empty.

Step 8: The ARP program builds an ARP request and passes it to Layer 2, telling Layer 2 to send the request to a
broadcast address.

Step 9: Layer 2 encapsulates the ARP request in a Layer 2 frame using the broadcast address (FFFF:FFFF:FFFF)
provided by ARP as the destination MAC address and the local MAC address (0000:0000:AAAA) as the source
MAC address.

Step 10: Layer 2 at Host B receives the frame. It notes the broadcast address, strips the Layer 2 header and sends
the request to the ARP program.

Step 11: ARP sees the ARP request is from a host with IP address 192.168.1.100 and MAC address
0000:0000:AAAA, so it adds this IP and MAC pair to its ARP table.

Step 12: ARP builds an ARP response with its own IP address 192.168.1.200, then passes it to Layer 2, telling Layer
2 to send the response to MAC address 0000:0000:AAAA.

Step 13: Layer 2 encapsulates the ARP in a Layer 2 frame using the destination MAC address 0000:0000:AAAA
provided by ARP and the local source MAC address 0000:0000:BBBB.

Step 14: When Host A receives the frame, it notes that the destination MAC address is the same as its own. It strips
the Layer 2 encapsulation and passes the remaining ARP reply to the ARP program.

Step 15: ARP notices the ARP reply is from a host with IP 192.168.1.200 and MAC 0000:0000:BBBB, so it adds
this IP and MAC pair to its ARP table.

Step 16: Layer 2 has now mapped the destination IP address 192.168.1.200 to the corresponding MAC address
0000:0000:BBBB with the help of the ARP program. Therefore, it can encapsulate the pending packet into a frame with
source MAC 0000:0000:AAAA and destination MAC 0000:0000:BBBB, then send the frame out.

Step 17: At Host B, the frame is passed up the stack where encapsulation is removed. The remaining protocol data
unit (PDU) is passed to TCP.

Step 18: In response to the SYN, TCP at Host B passes a SYN ACK down the stack to be encapsulated.

Step 19: Upon receiving the SYN ACK from Host B, Host A sends back the ACK to complete the Three-Way
Handshake.

Step 20: With the three-way handshake completed, TCP can inform the web browser that a connection to the server
at IP address 192.168.1.200 has been formed on port 80.

Step 21: Following the HTTP protocol, the browser sent a GET request to the server, asking for the file test.htm.
Step 22: The server running on Host B then sent the HTML text for the Web page to the browser running on Host
A.

Step 23: The browser read the HTML tags and formatted the page onto your screen.
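
Steps 6 to 16 as an added example that is not part of the original walkthrough: Host A holds the pending packet, broadcasts an ARP request, Host B learns A's mapping and replies by unicast, and A then releases the held packet. The host addresses are the ones used above; the ARP EtherType 0x0806, the ARP field layout (standard ARP over Ethernet) and the packet bytes are supplied here, the last being a constructed stand-in.

```python
import ipaddress
import struct

BROADCAST = bytes.fromhex("ffffffffffff")   # FFFF:FFFF:FFFF
ETHERTYPE_ARP = 0x0806                      # standard value, not stated in the walkthrough
ETHERTYPE_IPV4 = 0x0800
ARP_FMT = "!HHBBH6s4s6s4s"                  # htype, ptype, hlen, plen, op, sha, spa, tha, tpa
REQUEST, REPLY = 1, 2
PENDING_PACKET = b"constructed stand-in for the IP packet carrying the TCP SYN"

class Host:
    def __init__(self, ip, mac_hex):
        self.ip = ipaddress.IPv4Address(ip).packed
        self.mac = bytes.fromhex(mac_hex)
        self.arp_table = {}                 # IP (4 bytes) -> MAC (6 bytes)
        self.pending = {}                   # IP -> packets held until ARP resolves

    def _frame(self, dst_mac, ethertype, payload):
        return dst_mac + self.mac + struct.pack("!H", ethertype) + payload

    def _arp(self, op, dst_mac, target_mac, target_ip):
        body = struct.pack(ARP_FMT, 1, ETHERTYPE_IPV4, 6, 4, op,
                           self.mac, self.ip, target_mac, target_ip)
        return self._frame(dst_mac, ETHERTYPE_ARP, body)

    def send_ip(self, dst_ip, packet):
        """Steps 6-9: frame the packet if the MAC is known, else hold it and ask."""
        dst = ipaddress.IPv4Address(dst_ip).packed
        if dst in self.arp_table:
            return self._frame(self.arp_table[dst], ETHERTYPE_IPV4, packet)
        self.pending.setdefault(dst, []).append(packet)
        return self._arp(REQUEST, BROADCAST, bytes(6), dst)

    def receive(self, frame):
        """Steps 10-16: process one ARP frame, return the frames sent in response."""
        if len(frame) < 42 or frame[0:6] not in (self.mac, BROADCAST):
            return []
        if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_ARP:
            return []
        fields = struct.unpack(ARP_FMT, frame[14:42])
        op, sender_mac, sender_ip, target_ip = fields[4], fields[5], fields[6], fields[8]
        if target_ip != self.ip:
            return []                                    # meant for another host
        self.arp_table[sender_ip] = sender_mac           # Steps 11 and 15: learn the pair
        if op == REQUEST:
            return [self._arp(REPLY, sender_mac, sender_mac, sender_ip)]
        if op == REPLY:                                  # Step 16: release held packets
            return [self._frame(sender_mac, ETHERTYPE_IPV4, p)
                    for p in self.pending.pop(sender_ip, [])]
        return []

def run_exchange():
    """Replay the exchange between Host A and Host B; a third host only listens."""
    a = Host("192.168.1.100", "00000000aaaa")
    b = Host("192.168.1.200", "00000000bbbb")
    c = Host("192.168.1.150", "00000000cccc")            # constructed bystander
    request = a.send_ip("192.168.1.200", PENDING_PACKET)
    ignored = c.receive(request)
    reply = b.receive(request)[0]
    released = a.receive(reply)[0]
    return a, b, c, request, ignored, reply, released

if __name__ == "__main__":
    for label, frame in zip(("request", "reply", "released"), run_exchange()[3::1][0:4:1]):
        if isinstance(frame, bytes):
            print(label, frame.hex())
```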

[F] How PING Works? / Behind the PING:

-It sends a small packet of information containing an ICMP ECHO_REQUEST to a specified computer, which then
sends an ECHO_REPLY packet in return.

*Let’s examine what happens after a ping command is issued.


-Refer to the exhibit. The LAN contains 2 hosts, 2 hubs and 2 routers. With subnetmask 255.255.255.240 or /27,
routers R4 and R5 divide the LAN into 3 subnets: host A and R4’s 192.168.10.33/27 interface belong to the
192.168.10.32 subnet; R4’s 192.168.10.65/27 interface and R5’s 192.168.10.66/27 interface belong to the
192.168.10.64 subnet; R5’s 192.168.10.129/27 interface and host B belong to the 192.168.10.128 subnet. Notice that
the layer 1 hubs have neither IP addresses nor Ethernet addresses.
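
A check of the subnet arithmetic in this exhibit, as an added example that is not part of the original notes. It performs the bitwise AND the walkthrough relies on and tests each dotted mask against the broadcast addresses the ARP steps cite (192.168.10.63, .95 and .159); the /27 written on the interfaces is 255.255.255.224 in dotted form, while 255.255.255.240 is /28.

```python
import ipaddress

def and_network(ip, mask):
    """Network address obtained by ANDing an address with a dotted mask."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip_int & mask_int))

def segment(ip, mask):
    """(network, prefix length, broadcast) of the subnet an address falls in."""
    net = ipaddress.IPv4Network("%s/%s" % (and_network(ip, mask), mask))
    return str(net.network_address), net.prefixlen, str(net.broadcast_address)

def first_hop(src, dst, mask, gateway):
    """Where the sender hands the packet: the destination itself or the default gateway."""
    return dst if and_network(src, mask) == and_network(dst, mask) else gateway

# One address per segment from the exhibit, paired with the broadcast address
# that the walkthrough's ARP steps name for that segment.
PAGE_SEGMENTS = [
    ("192.168.10.34", "192.168.10.63"),    # host A's segment
    ("192.168.10.66", "192.168.10.95"),    # R4-R5 segment
    ("192.168.10.134", "192.168.10.159"),  # host B's segment
]

def mask_matches_page(mask):
    """True when the mask yields the broadcast addresses used in the walkthrough."""
    return all(segment(ip, mask)[2] == bcast for ip, bcast in PAGE_SEGMENTS)

if __name__ == "__main__":
    for mask in ("255.255.255.224", "255.255.255.240"):
        print(mask, [segment(ip, mask) for ip, _ in PAGE_SEGMENTS],
              "matches walkthrough:", mask_matches_page(mask))
    print("host A sends to:",
          first_hop("192.168.10.34", "192.168.10.134", "255.255.255.224", "192.168.10.33"))
```

Host A reaches the same forwarding decision under either mask, but only 255.255.255.224 reproduces the broadcast addresses used in the steps that follow.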

*Now host A pings host B. What exactly happens behind the magic “PING” command?

• Step 1, command “ping 192.168.10.134” is issued in the console at host A.

• The ping program is invoked, which reads IP address 192.168.10.134 from user input, and hands it to Internet
Control Message Protocol (ICMP).

• ICMP then creates an echo request payload.

• ICMP hands the payload to Internet Protocol (IP). IP then creates a packet with IP source address
192.168.10.34 and destination address 192.168.10.134. The Protocol field of the packet has value 0x01, which
means ICMP.

• After the packet creation, IP determines whether the destination IP address is on the local network or a remote
network. The subnet mask stored on Host A, 255.255.255.240, is bitwise ANDed with host A’s IP
address 192.168.10.34 to determine that host A belongs to the 192.168.10.32 subnet. In the same manner, IP
determines that host B belongs to another subnet, 192.168.10.128.

• Since IP determines that this is a remote request, the packet needs to be sent to the default gateway so the
packet can be routed to the remote network. The default gateway is stored in host A as 192.168.10.33 (either
statically configured by the user or dynamically configured by DHCP).

• Because hosts only communicate via hardware addresses on the local LAN, for this packet to be sent to the
default gateway, the hardware address of the default gateway (router’s interface with IP address 192.168.10.33)
must be known.

• The ARP cache of the host is checked to see if the IP address of the default gateway has already been resolved
to a hardware address. If it has, the packet is then handed to the Data Link layer with the hardware destination
address. Otherwise, an ARP broadcast (to IP address 192.168.10.63) is sent out onto the broadcast
domain (subnet 192.168.10.32) to search for the hardware address of 192.168.10.33. The router responds to the
request with the hardware address of Ethernet interface 192.168.10.33, and Host A caches this address.
• IP hands the packet down to Data Link layer for framing. The Data Link layer frames the packet of information
and includes the following in the header: the destination hardware address 9999.DADC.1234, the source
hardware address BBBB.3333.5677, the Ether-Type field with 0x0800 (IP) in it, and the FCS field with the
CRC result.

• The frame is now handed down to the physical layer to be sent out over the network medium one bit at a time.

• The router R4’s Ethernet interface with MAC address 9999.DADC.1234 receives the bits and builds a frame.
The CRC is run, and FCS field is checked to make sure the answers match.

• Once the CRC is found to be okay, the hardware destination address is checked. Since the router’s interface is a
match, the packet is pulled from the frame and the Ether-Type field is checked to see what protocol at the
Network layer the packet should be delivered to.

• The protocol is determined to be IP, so it gets the packet. IP runs a CRC check on the IP header first and then
checks the destination IP address. The destination address is 192.168.10.134, which doesn’t match any of
router R4’s interfaces. Therefore, the routing table is checked to see whether it has a route to 192.168.10.134. If
there’s no entry found for 192.168.10.134, the packet will be discarded. If there’s an entry found for
192.168.10.134 (for example, the command “show ip route” reveals an entry such as “S    192.168.10.134/24 [1/0]
via 192.168.10.66”), the packet is ready to be sent out from interface 192.168.10.65, which directly connects to
the next hop 192.168.10.66.

• The router checks the ARP cache to determine whether the hardware address for 192.168.10.66 has already
been resolved. If it has, the packet is then handed to the Data Link layer with the hardware destination address.
Otherwise, an ARP broadcast (to IP address 192.168.10.95) is sent out onto the broadcast domain (subnet
192.168.10.64) to search for the hardware address of 192.168.10.66. Router R5 responds to the request with the
hardware address of Ethernet interface 192.168.10.66, and Router R4 caches this address.

• The hardware address and packet are handed to the Data Link layer. The Data Link layer builds a frame with
the destination address (MAC address corresponding to 192.168.10.66, not shown in the exhibit) and source
hardware address (MAC address corresponding to 192.168.10.65, not shown in the exhibit) and then puts IP in
the Ether-Type field. A CRC is run on the frame and the result is placed in the FCS field.

• The frame is then handed to the Physical layer to be sent out onto the local network one bit at a time.

• The destination Router R5 receives the frame, runs a CRC, checks the destination hardware address, and looks
in the Ether-Type field to find out whom to hand the packet to.

• The protocol is determined to be IP, so it gets the packet. IP runs a CRC check on the IP header first and then
checks the destination IP address. The destination address is 192.168.10.134, which doesn’t match any of
router R5’s interfaces. Therefore, the routing table is checked to see whether it has a route to 192.168.10.134. If
there’s no entry found for 192.168.10.134, the packet will be discarded. But because router R5 is directly connected
to Host B, there should be an entry in the routing table like “C    192.168.10.134/24 is directly connected,
FastEthernet0”. This means the packet is ready to be sent out from interface 192.168.10.129, which directly
connects to Host B 192.168.10.134. Notice that hubs don’t have IP addresses; a hub is just a multi-port signal repeater.
• The router checks the ARP cache to determine whether the hardware address for 192.168.10.134 has already
been resolved. If it has, the packet is then handed to the Data Link layer with the hardware destination address.
Otherwise, an ARP broadcast is sent (to IP address 192.168.10.159) out onto the broadcast domain (subnet
192.168.10.128) to search for the hardware address of 192.168.10.134. Host B responds to the request with
hardware address DDDD.4444.1357, and Router R5 caches this address.
• The hardware address and packet are handed to the Data Link layer. The Data Link layer builds a frame with
the destination address DDDD.4444.1357 and source hardware address 5555.AAAA.6666 and then puts IP in
the Ether-Type field. A CRC is run on the frame and the result is placed in the FCS field.

 The frame is then handed to the Physical layer to be sent out onto the local network one bit at a time.

 The destination Host B receives the frame, runs a CRC, checks the destination hardware address, and looks in
the Ether-Type field to find out whom to hand the packet to.

 IP is the designated receiver, and after the packet is handed to IP at the Network layer, it checks the protocol
field for further direction. IP finds instructions to give the payload to ICMP, and ICMP determines the packet to
be an ICMP echo request.

 ICMP creates an echo reply payload.

 ICMP hands the payload to Internet Protocol (IP). IP then creates a packet with IP source
address 192.168.10.134 and destination address 192.168.10.34. The Protocol field of the packet has value 0x01,
which means ICMP.

 After the packet creation, IP determines whether the destination IP address is on the local network or a remote
network.

 Since IP determines that this is a remote request, the packet needs to be sent to the default gateway so the
packet can be routed to the remote network. The default gateway is stored in host B as 192.168.10.129 (either
statically configured by the user or dynamically configured by DHCP).

 The hardware address of 192.168.10.129 is found with the ARP process, and the hardware address
5555.AAAA.6666 and packet are handed to the Data Link layer.
 The Data Link layer builds a frame with the destination hardware address 5555.AAAA.6666 and source
hardware address DDDD.4444.1357 and then puts IP in the Ether-Type field. A CRC is run on the frame and
the result is placed in the FCS field.

 The frame is then handed to the Physical layer to be sent out onto the local network one bit at a time.

 The destination router R5 receives the frame, runs a CRC, checks the destination hardware address, and looks
in the Ether-Type field to find out whom to hand the packet to.
 IP is the designated receiver, and after the packet is handed to IP at the Network layer, IP runs a CRC check on
the IP header first and then checks the destination IP address. The destination address is 192.168.10.34, which
doesn’t match any of router R5’s interfaces. Therefore, the routing table is checked to see whether it has a
route to 192.168.10.34. If no entry is found for 192.168.10.34, the packet will be discarded. If an
entry is found for 192.168.10.34 (for example, the command “show ip route” reveals an entry such as
“S    192.168.10.34/24 [1/0] via 192.168.10.65”), the packet is ready to be sent out from interface
192.168.10.66, which directly connects to the next hop 192.168.10.65.

 The router checks the ARP cache to determine whether the hardware address for 192.168.10.65 has already
been resolved. If it has, the packet is then handed to the Data Link layer with the hardware destination address.
Otherwise, an ARP broadcast is sent out onto the network to search for the hardware address of 192.168.10.65.
The router R4 responds to the request with hardware address of ethernet interface 192.168.10.65, and Router
R5 caches this address.

 The hardware address and packet are handed to the Data Link layer. The Data Link layer builds a frame with
the destination address (MAC address corresponding to 192.168.10.65, not shown in the exhibit) and source
hardware address (MAC address corresponding to 192.168.10.66, not shown in the exhibit) and then puts IP in
the Ether-Type field. A CRC is run on the frame and the result is placed in the FCS field.

 The frame is then handed to the Physical layer to be sent out onto the local network one bit at a time.

 The destination Router R4 receives the frame, runs a CRC, checks the destination hardware address, and looks
in the Ether-Type field to find out whom to hand the packet to.

 The protocol is determined to be IP, so it gets the packet. IP runs a CRC check on the IP header first and then
checks the destination IP address. The destination address is 192.168.10.34, which doesn’t match any of
router R4’s interfaces. Therefore, the routing table is checked to see whether it has a route to 192.168.10.34. If
no entry is found for 192.168.10.34, the packet will be discarded. But because router R4 is directly connected to
Host A, there should be an entry in the routing table like “C    192.168.10.34/24 is directly connected,
FastEthernet0”. This means the packet is ready to be sent out from interface 192.168.10.33, which directly
connects to Host A 192.168.10.34. Notice that the hub doesn’t have an IP address; it is just a multi-port signal repeater.

 Router R4 gets the hardware address for 192.168.10.34 through the ARP process.

 The hardware address and packet are handed to the Data Link layer. The Data Link layer builds a frame with
the destination address BBBB.3333.5677 and source hardware address 9999.DADC.1234 and then puts IP in
the Ether-Type field. A CRC is run on the frame and the result is placed in the FCS field.

 The frame is then handed to the Physical layer to be sent out onto the local network one bit at a time.

 The destination Host A receives the frame, runs a CRC, checks the destination hardware address, and looks in
the Ether-Type field to find out whom to hand the packet to.

 IP is the designated receiver, and after the packet is handed to IP at the Network layer, it checks the protocol
field for further direction. IP finds instructions to give the payload to ICMP, and ICMP determines the packet to
be an ICMP echo reply.
 ICMP notifies the ping program that it has received the reply; the ping program then sends an exclamation
point (!) to the user interface.

 ICMP then attempts to send four more echo requests to the destination host.

We have walked through the ping process step by step in the above demonstration. All these steps are hidden behind
a single command “ping 192.168.10.134”. As the packet travels from router to router, the layer 3 source and
destination addresses do not change, whereas the layer 2 frame header and trailer are removed
and replaced at every layer 3 device.
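
The hop-by-hop behaviour summarized above, as an added example that is not part of the original notes: each node makes the local-or-remote decision, picks a next hop from its connected networks and static routes, and builds a new frame while the IP addresses stay fixed. Assumptions: the /27 masks are inferred from the broadcast address 192.168.10.159 given for subnet 192.168.10.128, the static routes are written as subnet routes, the two MAC addresses on the R4-R5 link (not shown in the exhibit) are constructed placeholders, and all class and function names are this example's own.

```python
import ipaddress


def same_network(own_ip, mask, dst_ip):
    """AND both addresses with the sender's mask and compare the results."""
    m = int(ipaddress.ip_address(mask))
    return int(ipaddress.ip_address(own_ip)) & m == int(ipaddress.ip_address(dst_ip)) & m


class Node:
    """A host or router: interfaces, static routes, optional default gateway."""

    def __init__(self, name, interfaces, routes=(), gateway=None):
        self.name = name
        self.interfaces = [(ipaddress.ip_interface(c), mac) for c, mac in interfaces]
        self.routes = [(ipaddress.ip_network(n), ipaddress.ip_address(h)) for n, h in routes]
        self.gateway = ipaddress.ip_address(gateway) if gateway else None

    def owns(self, ip):
        return any(iface.ip == ip for iface, _ in self.interfaces)

    def next_hop(self, dst):
        """Return (next-hop IP, egress MAC), or None when there is no route."""
        options = [(iface.network.prefixlen, dst)            # directly connected
                   for iface, _ in self.interfaces if dst in iface.network]
        options += [(net.prefixlen, hop)                     # static routes
                    for net, hop in self.routes if dst in net]
        if self.gateway is not None:
            options.append((-1, self.gateway))               # default gateway, last resort
        if not options:
            return None
        hop = max(options, key=lambda o: o[0])[1]            # longest prefix wins
        for iface, mac in self.interfaces:
            if hop in iface.network:                         # interface facing the next hop
                return hop, mac
        return None


def trace(nodes, src_name, dst_ip, max_hops=16):
    """Follow one packet and return the Ethernet frame built at every hop."""
    # Stand-in for ARP: every interface IP maps to its owner and MAC.
    neighbours = {iface.ip: (node, mac) for node in nodes for iface, mac in node.interfaces}
    node = next(n for n in nodes if n.name == src_name)
    src_ip, dst = node.interfaces[0][0].ip, ipaddress.ip_address(dst_ip)
    frames = []
    while not node.owns(dst) and len(frames) < max_hops:
        choice = node.next_hop(dst)
        if choice is None or choice[0] not in neighbours:
            frames.append({"at": node.name, "action": "discard"})
            break
        hop_ip, src_mac = choice
        nxt, dst_mac = neighbours[hop_ip]
        frames.append({"at": node.name, "to": nxt.name,
                       "src_mac": src_mac, "dst_mac": dst_mac,      # rewritten per hop
                       "src_ip": str(src_ip), "dst_ip": str(dst)})  # unchanged end to end
        node = nxt
    return frames


R4_LINK_MAC = "0000.0000.0065"   # constructed: not shown in the exhibit
R5_LINK_MAC = "0000.0000.0066"   # constructed: not shown in the exhibit
LAB = [
    Node("HostA", [("192.168.10.34/27", "BBBB.3333.5677")], gateway="192.168.10.33"),
    Node("R4", [("192.168.10.33/27", "9999.DADC.1234"), ("192.168.10.65/27", R4_LINK_MAC)],
         routes=[("192.168.10.128/27", "192.168.10.66")]),
    Node("R5", [("192.168.10.66/27", R5_LINK_MAC), ("192.168.10.129/27", "5555.AAAA.6666")],
         routes=[("192.168.10.32/27", "192.168.10.65")]),
    Node("HostB", [("192.168.10.134/27", "DDDD.4444.1357")], gateway="192.168.10.129"),
]

if __name__ == "__main__":
    for label, start, target in (("echo request", "HostA", "192.168.10.134"),
                                 ("echo reply", "HostB", "192.168.10.34")):
        print(label)
        for frame in trace(LAB, start, target):
            print("  ", frame)
```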

[ ] Tracing packet flow between a Hub and Switch


A few days ago I blogged about what would happen when you had 6 computers separated by two switches. If you
didn’t see it please check it out here:
How do switches work by tracing packet flow
Today we are going to see how switches and hubs interact with each other by tracing packet flow. Here’s the
network we are going to be playing with today.

As in my previous article, PC1 will have an IP address of 192.168.1.1. It will be plugged into PORT 1 of the
closest networking device and have a MAC address with the last 8 characters the same as the number of the PC like
1111.1111. PC2 will have an IP address of 192.168.1.2, plugged into PORT 2, etc…
Like a magician I am going to show you nothing is up my sleeve. In order to do this I need to show you the MAC
address table on “SWITCH”

As you can see there the switch hasn’t learned any MAC addresses. Reading textbooks you might hear things like
“A switch can break up collision domains”. What the heck does that actually mean?
Well, in order to understand it you need to know a bit about how Ethernet works. When a computer on the network, say
PC1, wants to talk to another computer, say PC4, it will always look to its own MAC address table. It will ask “Have
I talked with host PC4 before?”. If it has, its ARP table will have that computer’s IP address and matching MAC
address. If not, PC1 will need to use ARP to send out a broadcast message “FFFF.FFFF.FFFF” and
ask the computers if they have the IP address of 192.168.1.4 and if so, please send back their MAC address.
What makes this layout a bit harder to understand than if it were just two switches is that a HUB is a dumb device. All it
does is forward incoming frames out every port but the port it came in on.
Ok. Let’s just get to work and see how the packets will flow:

Let’s start with the same scenario we just talked about. PC1 will Ping PC4. PC1 will try and ping 192.168.1.4 but
will have to resort to ARP before it can send the ICMP request out on the line.

The ARP broadcast will be sent down the wire to the HUB.

Because the HUB is dumb it will need to forward the packet out all ports except the one it came from. PC2 and PC3
both know this packet is not for them.
SWITCH doesn’t know anything about PC1. Because the broadcast frame will have the host MAC address
as .1111.1111 it will add this to its MAC address list.

It will now forward the packet off to all ports except the port the frame came in on.

PC5 & PC6 reject the frame because it’s not for them. PC4 says… Hey… I have the address of 192.168.1.4. It sends
back a reply making sure to set its MAC address as the originating address and puts PC1’s address in the
destination field. Because PC4 now knows PC1’s MAC address he does not need to send an ARP request to figure it
out. He will also add PC1’s MAC address in his MAC address table.
PC4 sends the reply back to SWITCH.

SWITCH will put PC4’s MAC address into its MAC address table so when PC1 actually sends the ICMP ping
request it will know how to resolve IP Address 192.168.1.4 down to the MAC address of: 0010.4444.4444

SWITCH will send the response back to HUB.


Again since HUB is dumb he has to send it out every port except the one it came in on. PC2 and PC3 will drop the
frame. PC1 will now know how to send the ping request!

PC1 can now ping PC4 as directly as it can. The frame will be sent down to the Hub.

Similar to how the ARP broadcast went, PC2 and PC3 will get the same frame because the HUB just blurts out
everything it hears on the ports the information didn’t come in on.
This is where the smarts of the switch come in. Because it knows what port the MAC address 0001.1111.1111 is on, it
sends the frame to only that port, i.e. PC5 and PC6 don’t get the frame like PC2 and PC3 did in the last step.

PC4 will send the frame down to SWITCH

SWITCH will send the frame to HUB


You got it! Hub will forward it out ALL ports except the one it came in on. PC2 and PC3 will drop the frame.

When PC1 gets the reply you will notice the command prompt change on PC1 and look something like this:

This process will happen three more times and the pings will be done:
At this point, other than PC1 and PC4, no other computers on this network know any other MAC address.
A good question you might ask yourself… Right after all this happened… What would happen if PC6 were to ping
PC3?

[ ] How do switches work by tracing packet flow

[] Explain in detail, PC1 wants to communicate to PC2

I wish I had something like this when I first started networking. Some background on the test network.
1. There are six computers
2. Each computer is named PC1->PC6
3. Each PC has a MAC address that is reflective of its name: 0020.1111.1111 for PC1 –> 0020.6666.6666 for
PC6
4. Each PC has an IP address that is reflective of its name: 192.168.1.1 for PC1 –> 192.168.1.6 for PC6
5. Each port a PC is plugged into is reflective of its name: Port 1 for PC1 –> Port 6 for PC6
6. Both switches are connected to each other on Gig1/1
I have set this up so when you are looking at commands later on you can easily see where the packets came from
and where they are going.
First task is on PC1 we are going to ping PC4. What will happen?
On PC1 type “ping 192.168.1.4” at the command prompt.

The computer realizes it has absolutely no idea who 192.168.1.4 is because it doesn’t know its MAC address.
ICMP is put on hold and the computer sends out an ARP request to try and figure out where 192.168.1.4 is.
PC1 sends the frame to switch1. Because this is the first time switch1 has talked with PC1, switch1 looks at the MAC
source address and learns PC1’s MAC address, which is 0020.1111.1111
Switch1 will broadcast out on all ports except the port the frame came in on. That means PC2, PC3 and Switch2 will
all receive the exact same frame. PC2 and PC3 will know right away this packet is not for them.

Switch2 will broadcast out the packet much like switch1 did. PC5 and PC6 know right away it’s not for
them. PC4 looks at the frame and says yes… I am 192.168.1.4. My MAC address is 0020.4444.4444. It does so by
sending an ARP reply message back to PC1.
PC4 sends the reply back to switch2.

switch2 sends the reply back to switch1. Switch1 looks at the frame header and sees that there is a new MAC
address of 0020.4444.4444 in the source. Any time 0020.4444.4444 is needed it will just send the frame directly out
Gig1/1.
switch1 knows what MAC address PC1 has so it sends the frame directly to PC1. PC2 and PC3 aren’t bothered
like they were when this whole process originally started.

Something to note… A bunch of stuff has happened. If we go back to the command prompt… It hasn’t changed a
bit…
Crazy right?!?!
Now that PC1 knows what MAC address PC4 has it can now do what it wanted to do… ie. ping PC4 using ICMP.
PC1 will send an ICMP packet (ping request) to switch1 with a destination address of 192.168.1.4

switch1 knows that 0020.4444.4444 is somewhere out Gig1/1 so it directly sends the frame to switch2.
Because switch2 already knows the MAC address of PC4 0020.4444.4444 in its switching table it can forward the
ICMP packet to PC4.

PC4 will now send a reply back to PC1. To do this it will send the packet directly to switch2
Switch2 will send the packet directly to switch1

Switch1 will look at the header and realize it needs to go to PC1 and will forward the packet onto PC1.
It’s at this point the command prompt will change a bit. It will now look like this:

In the emulator it says ALL requests took a total of 0.012sec.


For the next 3 ping requests we don’t have to worry about ARP at all. All devices know how to get to each other.
As long as the network is stable you would expect the next 3 results to be similar. Notice how the first ping took a
little longer and the next 3 are a bit shorter, i.e. 6ms? Because ARP isn’t needed for the second, third and fourth ping the
requests are only 6ms.
Now that you know how a switch works let’s ask some more questions…
1.) What would happen if PC2 were to ping PC5? Would ARP be needed? If so what devices would get the ARP
request?
2.) What would happen after PC2 pinged PC5 and PC1 would ping PC5? Would ARP be needed? If so what devices
would get the ARP request?
3.) What would happen after PC1 pinged PC5 and PC1 pinged PC6? Would ARP be needed? If so what devices
would get the ARP request?
4.) What would happen after PC1 pinged PC6 and PC1 pinged PC3? Would ARP be needed? If so what devices
would get the ARP request?

Answers to “how do switches work by tracing packet flow” post

So just to get you up to speed. This post will give the answers to my last post. In the last post we had PC1 ping PC4.
ARP ran and helped PC1 and PC4 talk to each other.
The questions I left you with were:
1.) What would happen if PC2 were to ping PC5? Would ARP be needed? If so what devices would get the ARP
request?
2.) What would happen after PC2 pinged PC5 and PC1 would ping PC5? Would ARP be needed? If so what devices
would get the ARP request?
3.) What would happen after PC1 pinged PC5 and PC1 pinged PC6? Would ARP be needed? If so what devices
would get the ARP request?
4.) What would happen after PC1 pinged PC6 and PC1 pinged PC3? Would ARP be needed? If so what devices
would get the ARP request?

Answers:
1.) Well, neither PC2 nor PC5 has talked on the network. Because of this I would suspect that neither of the
switches nor any of the other computers on the network know what their MAC addresses are. Because of this ARP
would be needed and the process would be similar to what you saw for PC1 pinging PC4.
I’m not going to do the printout again but one thing to note is that even though switch1 knows the MAC
address of PC1 it will always send a broadcast out every port except for the port the request came in on.

Switch2 will also broadcast out the request to all ports except the one it came in on.

 
 
2.) Now that PC2 has pinged PC5 the switches will have a MAC table of PC1, PC2, PC4 and PC5 MAC addresses.
Here’s the command below to verify.
If PC1 pinged PC5 should or shouldn’t it (PC1) need to send out an ARP request?
Answer: PC1 will still need to use ARP even if the switch knows where the MAC address is because what is ARP?
ARP allows a host to find out the MAC address of another host by only knowing its IP address. The host (PC1)
sends out a broadcast saying “Who has this IP Address 192.168.1.5” because PC1 has never talked to PC5 yet.
Switches work at layer 2 so they don’t have a clue what that means so they can’t help speed the process along.

So again there is an ARP broadcast and only PC5 will respond to it.
 
3.) What would happen if PC1 would ping PC6
Because of the last question this one should be a little bit more obvious. PC1 has never talked to PC6 yet. Again
even if switches 1&2 knew about PC1 and PC6 address PC1 would still need to use ARP to find out PC6’s MAC
address.
4.) What would happen if PC1 pinged PC3
Again PC1 would need to call on an ARP broadcast because it has never directly talked with PC3. ie. PC3 is not in
the MAC table on host PC1. Much like 2  & 3, we’re going to need to call on our friend ARP to get PC1 to be able
to talk directly to PC3.
If PC1 wanted to ping any other device it’s already talked to it would talk directly to it without the need of sending
out an ARP broadcast!
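
The two-switch lab and its answers, as an added simulation that is not part of the original posts: each switch learns source MAC addresses and floods broadcasts and unknown destinations, while each PC keeps its own ARP cache. It uses the lab's addressing (192.168.1.N, 0020.NNNN.NNNN, port N, Gig1/1 between the switches); the class and function names are this example's own.

```python
BROADCAST = "ffff.ffff.ffff"


class Host:
    def __init__(self, name, ip, mac):
        self.name, self.ip, self.mac = name, ip, mac
        self.arp_cache = {}          # IP -> MAC, kept by the host itself
        self.uplink = None           # (switch, port) this PC is plugged into

    def receive(self, frame, in_port, seen):
        seen.append(self.name)       # the NIC saw the frame on the wire


class Switch:
    def __init__(self, name):
        self.name = name
        self.mac_table = {}          # MAC -> port, learned from source addresses
        self.ports = {}              # port -> (device, port on that device)

    def receive(self, frame, in_port, seen):
        self.mac_table[frame["src"]] = in_port                   # learn the sender
        known = self.mac_table.get(frame["dst"])
        if frame["dst"] == BROADCAST or known is None:
            out_ports = [p for p in self.ports if p != in_port]  # flood
        else:
            out_ports = [known] if known != in_port else []      # forward to one port
        for port in out_ports:
            device, remote_port = self.ports[port]
            device.receive(frame, remote_port, seen)


def transmit(host, dst_mac, kind):
    """Send one frame from host; return the sorted names of PCs that received it."""
    seen = []
    switch, port = host.uplink
    switch.receive({"src": host.mac, "dst": dst_mac, "kind": kind}, port, seen)
    return sorted(seen)


def ping(src, dst):
    """One echo request and reply, preceded by ARP only if src's cache lacks dst."""
    steps = []
    if dst.ip not in src.arp_cache:
        steps.append(("arp-request", transmit(src, BROADCAST, "arp-request")))
        dst.arp_cache[src.ip] = src.mac      # the target learns the asker from the request
        steps.append(("arp-reply", transmit(dst, src.mac, "arp-reply")))
        src.arp_cache[dst.ip] = dst.mac
    steps.append(("echo-request", transmit(src, src.arp_cache[dst.ip], "echo-request")))
    steps.append(("echo-reply", transmit(dst, dst.arp_cache[src.ip], "echo-reply")))
    return steps


def build_lab():
    """PC1-PC3 on switch1, PC4-PC6 on switch2, switches joined on Gig1/1."""
    sw1, sw2 = Switch("switch1"), Switch("switch2")
    pcs = {}
    for n in range(1, 7):
        pc = Host(f"PC{n}", f"192.168.1.{n}", "0020.{0}.{0}".format(str(n) * 4))
        switch = sw1 if n <= 3 else sw2
        switch.ports[n] = (pc, 0)
        pc.uplink = (switch, n)
        pcs[pc.name] = pc
    sw1.ports["Gig1/1"] = (sw2, "Gig1/1")
    sw2.ports["Gig1/1"] = (sw1, "Gig1/1")
    return pcs, sw1, sw2


if __name__ == "__main__":
    pcs, sw1, sw2 = build_lab()
    for a, b in (("PC1", "PC4"), ("PC2", "PC5"), ("PC1", "PC5"), ("PC1", "PC4")):
        print(f"{a} pings {b}")
        for kind, receivers in ping(pcs[a], pcs[b]):
            print(f"  {kind:<13} received by {receivers}")
    print("switch1 MAC table:", sw1.mac_table)
```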

[ ] Explain in detail, PC1 wants to communicate to PC2


Tracing packet flow between 2 switches and a router

Today we are going to see how switches and a router interact with each other by tracing ARP and ICMP packet
flow. Here’s the network we are going to be playing with today:

We’re going to look at a couple of things here. Keep two things in the back of your mind:
1. Switches break up collision domains
2. Routers break up broadcast domains
While you will see me cover #1 in this post you should really check out my previous post to see better
examples: Tracing packet flow between a Hub and Switch
We will focus most of this post on #2. As in all my posts, to make it easy to see which device is talking on the
network I’ve handed out custom MAC addresses on each device. The MAC address will look like 0010.1111.1111
for PC1 (192.168.1.1) and 0010.2222.2222 for PC2 (192.168.1.2). Each computer is set to use ROUTER’s closest port
as its “Default Gateway”.
All devices get turned on at the same time. None of them will have any information in their MAC or routing
tables.
I ran an “arp -a” to prove it doesn’t know a thing about PC4’s MAC address yet. PC1 will ping PC4. Because PC1
has no idea of PC4’s MAC address, PC1 will need to send out an ARP request to figure out how to get to router one
since 192.168.2.4 is not on the same network.
This is how the header will look (notice it doesn’t have a target MAC address yet!)

The broadcast ARP request is sent to SWITCH1. SWITCH1 has now learned PC1’s MAC address and put it
in its MAC address table.
The ARP broadcast is sent out all ports except the port it came in on. That means PC2, PC3 and ROUTER. Notice
how the router breaks up the broadcast domain. PC4->PC6 do not get the request.

Router1 sends back a response. It puts PC1’s address in the “Target MAC” address field. It also puts its own
address in the SRC MAC address field. It also puts PC1’s MAC address into its own MAC address table.

Because ROUTER’s MAC address is in the SRC MAC field SWITCH1 will now add that address to its own MAC
address table:
PC1 now knows how to get to its default gateway so that the packet can be routed to the external
192.168.2.0 /24 network. The router’s MAC address is added to its own MAC address table. PC1 creates an ICMP
packet (layer 3) and encapsulates it in an Ethernet frame. That frame has a SRC MAC address of PC1 and a
destination MAC address of ROUTER.

The ping (ICMP) is sent to SWITCH1. Switch knows where 192.168.1.254 is so it directly sends the frame to
ROUTER.

When the packet gets to ROUTER, ROUTER realizes that it doesn’t know what the MAC address of PC4 is.
Because ICMP requests are unicast, the router drops the packet. ROUTER then creates an ARP broadcast to find out
what MAC address PC4 has.
Router sends the ARP broadcast out onto the network to SWITCH2. SWITCH2 will add ROUTER’s MAC address
to its MAC address table.

Switch sends the ARP Broadcast out every port but the port it came in on. PC5 and PC6 drop the request. PC4 says
“It’s Me!”

As you would expect PC4 replies back to ROUTER by sending the response back on the network. SWITCH2 will
add PC4’s MAC address to its MAC address table.
ROUTER gets PC4’s response back. ROUTER adds PC4’s MAC address into its MAC address table.

It’s at this point something kind of funky happens. When I first started out I didn’t quite get it. It’s at this exact
moment something will change on PC1’s command prompt. You will see a “Request timed out” message. The
reason for this is the computer waited to hear back the ping (ICMP) reply but never received one because ROUTER
dropped the packet because it didn’t know PC4’s MAC address. This does NOT mean that there is something wrong
with the hardware!

PC1 at this point says.. I guess something happened to my first ICMP request. I guess I should send request 2 of 4.
So it creates a new request.
PC1 will send out the 2nd ICMP ping out to the network. SWITCH1 gets the frame. SWITCH2 says “Hey I know
where ROUTER is” and forwards it directly to ROUTER.

ROUTER decapsulates the frame. It sees the packet needs to be sent on to PC4. It encapsulates the packet
in a brand new Ethernet frame. Because of the previous ARP request it now has PC4’s MAC address. **NOTE** –
The source MAC address on the new Ethernet frame is set to ROUTER’s MAC address (gig0/1). The internal SRC
IP address in the packet remains the same. If ROUTER changed the SRC IP address to its own IP address, PC4
would never know how to send the packet back to PC1!

ROUTER sends the packet out to the network to SWITCH2


SWITCH receives the frame and looks at the header. Because it knows where PC4’s MAC address is it can send the
frame directly to PC4.

PC4 receives the frame and sends it back to PC1. It changes the frame header by setting the originating MAC to
itself and the destination address to ROUTER1. The IP address in the reply packet will be for PC1 and the SRC
address is PC4’s.

SWITCH2 will send the frame directly to ROUTER because it has its MAC address in its MAC table.
ROUTER decapsulates the frame and sees the packet is being sent to the IP address of PC1. It sees that it has PC1’s
MAC address. It encapsulates the packet again and makes the SRC address its own MAC address. It makes the
destination address that of PC1. It sends the packet on its way to SWITCH1.

Again SWITCH1 knows where to send the frame so it sends it directly to PC1. It knows because it has PC1’s MAC
address in its MAC address table. PC1 receives the ping ICMP reply.

It’s at this very instant that we have completed the loop. PC1 has sent the ICMP request and it was routed to PC4.
PC4 responded and its response was routed back to PC1. The Command prompt on PC1 will change ever so
slightly to inform you that
All subsequent requests (3 to 4) will all get replies assuming that there are no issues with the networking equipment.

[] ARP Process
ARP Protocol - Mapping IP Address to MAC Address

Understanding ARP Request Process Article covers the following CCNA/ICND1 Exam Topics:

Under Operation of IP Data Networks:

1. Identify common applications and their impact on the network.

2. Predict the data flow between two hosts across a network.

Recommended Study Plan: 

1. Download the ICND1v2 Exam Topics Sheet from Cisco Website.

2. Follow the Steps and the Articles under “IP Networking Fundamentals” by order.

3. Or Start with Understanding Web Browser DNS Lookup Article.

Average Time Required Studying this Article: 1 Hour


ARP Protocol Process

Mapping IP address to MAC Address

Address Resolution Protocol (ARP) is used only on Ethernet networks by the Data Link layer to provide two basic
functions:

Resolving IPv4 addresses to MAC addresses

Maintaining a cache of the MAC to IP address mapping table

Locally speaking inside the LAN, if a shared folder is located on a server with IP 192.168.1.10 (using a Windows
environment), DNS will resolve human names such as \shared-folder to the IP address of the server that hosts the shared folder,
but the network still needs to resolve one more level, to the Data Link address, and since the Ethernet standard is used, ARP
is called to resolve IP addresses to MAC addresses only on Ethernet networks.
Why is ARP Needed by Network Devices?

IP routing logic requires that network devices encapsulate IP packets inside Data-Link frames based on the link type
used, and if the Ethernet link type is used, then ARP resolution from IP addresses to MAC addresses is required to
encapsulate IP packets inside Ethernet frames.

Whenever a host or a router needs to communicate with other hosts or routers, it encapsulates TCP or UDP
segments in an IP packet. The Network Layer of hosts and routers knows all the important pieces needed to build an IP packet,
such as the destination IP address and source IP address, but on an Ethernet network, when it comes to encapsulating an
IP packet inside a frame using destination and source MAC addresses, hosts and routers do not know their neighbors’
NIC or interface MAC addresses beforehand; hence, ARP gets involved.

TCP/IP defines ARP as the method by which any host or router on a LAN can dynamically learn the MAC address
of another host or router on the same LAN. ARP includes a message called the ARP request, which
asks the simple request “if this is your IP address, please reply with your MAC address.” ARP also includes
the ARP Reply message, which lists both the original IP address and the matching MAC address.

Detailed ARP Request and Reply Process

Based on the figure above, with PC1’s Ethernet cable plugged into SW2, the following steps show how PC1
initially learned the MAC address of its Default Gateway (R3) in order to route IP packets outside its LAN network.

Step 1: PC1’s Network Layer sends an IP packet encapsulated with destination IP address of R3 (192.168.1.1) as a
receiver, and a source MAC address of PC1 (192.168.1.100) as sender.

Step 2: PC1’s Data-Link Layer encapsulates the IP packet inside an Ethernet frame with a broadcast destination
MAC address (FFFF.FFFF.FFFF), which means all devices on this LAN will receive this message, and a source
MAC address of PC1’s NIC interface as sender.

Step 3: The switch receives the broadcast frame, learns the source MAC address and records it along with the interface port
number in its MAC table (1), and floods the broadcast frame out of all ports except the port where it was received (2).

Step 4: All devices receive the broadcast packet and drop it, except R3. R3 replies to PC1 with its MAC address
since the IP packet included an ARP request message indicating its IP address in the destination field.
Step 5: PC1 receives the ARP reply indicating R3’s MAC address, learns the MAC address and saves it in its
MAC table.

Step 6: PC1’s Network layer is now ready to create an IP packet heading to the Web-server instead of R3, and
ready to encapsulate it inside an Ethernet frame to be forwarded to R3’s MAC address as next-hop.

Notice how PC1 has to prepare the pieces before completing the web page request: resolving the name to an IP using DNS (1),
learning R3’s MAC address (2), and finally creating an HTTP GET request IP packet heading to a web-server.

Let’s Dig Deeper into the Process

Note that R3’s IP address (192.168.1.1) is known to PC1 as its Default Gateway through DHCP or static configuration. The
following figure shows how PC1 created an IP packet indicating R3’s IP address as destination, and encapsulated the
packet inside a frame indicating an ARP Request, with the broadcast address (FFFF.FFFF.FFFF) as destination inside the
frame.

Once PC1 releases a broadcast frame, it will hit all network devices on this LAN, whose address is 192.168.1.0/24.
After R3 receives the broadcast frame and replies with its MAC, and PC1 learns R3’s MAC address, the next figure
shows how PC1 created a new IP packet indicating the Web-Server’s IP address this time, and encapsulated the IP
packet inside a frame heading this time to R3’s MAC address as next-hop instead of the broadcast address, since PC1
has already learned R3’s MAC address.
Note that hosts save the ARP replies in their ARP cache or ARP table for future use, as they do with DNS queries.
ARP is not used every time the host or the router needs to forward a packet to a neighbor device. Each time a host or
router needs to send a packet encapsulated inside an Ethernet frame, it first checks its ARP table for the correct IP
address and matching MAC address. Hosts and routers will let ARP cache entries time out to clean up the table, so
occasionally ARP Request traffic can be seen on the LAN.

Unicast, Broadcast, and Multicast Frames

Why do we need different types of Ethernet frames? To understand how the ARP service works, it’s good to look at the
difference among all 3 types of Ethernet frame communication. In the figures below, for simplicity,
note how each type has a different color. Unicast is orange and what is inside the circle corresponds to the color as
well, and so on.

Unicast frame: indicates that only 2 network devices are talking to each other.

(Remember hubs don’t care and they broadcast everything: unicast, broadcast, and multicast. In contrast,
switches do care. Why? Because they know how to talk the Ethernet language and therefore know how to deal with the MAC
addresses of any Ethernet frame type.)
Broadcast frame: indicates that a single machine is sending a frame to everyone on the LAN.
Multicast frame: indicates that a group of devices is willing to respond to a specific machine’s request on the
network, or a single network device is trying to talk only to a specific group of devices that are willing to listen to a
specific multicast frame that holds a MAC address such as this one: 0100.5E7F.0001.

And finally, a little bit about ICMP

Internet Control Message Protocol (ICMP): why is it important for troubleshooting?

Troubleshooting tools – used to verify connectivity, such as the ping and traceroute commands.

ICMP includes some primary tools for troubleshooting and verifying basic network connectivity, commands
such as Packet Internet Groper (Ping) and Traceroute (tracert in Windows).

Ping uses ICMP to send a message called an ICMP echo request to another IP address. The host with that IP address
should reply with an ICMP echo reply packet. If that works, you have successfully tested the IP network. In other
words, you know that the network can deliver an IP packet from one host to the other and back. ICMP does not rely
on any application; it tests basic layer 1, 2, and 3 connectivity of the TCP/IP model. The following shows a ping reply
from the host google.com.
Traceroute uses ICMP as well. It is a network tool used to test and show the route taken by an IP packet from PC1’s Internet
Protocol (IP) across the routers that are located between PC1 and the Web-server. E.g. the following shows a Windows
tracert command from a host to google.com.

Detailed ICMP header


[] ARP Process II

How ARP Works:

Step 1: When a source device want to communicate with another device, source device checks its Address
Resolution Protocol (ARP) cache to find it already has a resolved MAC Address of the destination device. If it is
there, it will use that MAC Address for communication. To view your Local Address Resolution Protocol (ARP)
cache, Open Command Prompt and type command "arp -a" (Without double quotes using Windows Operating
Systems).

Step 2: If the ARP resolution is not in the local cache, the source machine will generate an Address Resolution
Protocol (ARP) request message. It puts its own data link layer address as the Sender Hardware Address and its
own IPv4 Address as the Sender Protocol Address. It fills in the destination IPv4 Address as the Target Protocol
Address. The Target Hardware Address will be left blank, since the machine is trying to find that.

Step 3: The source broadcasts the Address Resolution Protocol (ARP) request message to the local network.

Step 4: The message is received by each device on the LAN, since it is a broadcast. Each device compares the Target
Protocol Address (IPv4 Address of the machine with which the source is trying to communicate) with its own Protocol
Address (IPv4 Address). Those that do not match will drop the packet without any action.

Step 5: When the targeted device checks the Target Protocol Address, it will find a match and will generate an
Address Resolution Protocol (ARP) reply message. It takes the Sender Hardware Address and the Sender Protocol
Address fields from the Address Resolution Protocol (ARP) request message and uses these values for the Target
Hardware Address and Target Protocol Address of the reply message.

Step 6: The destination device will update its Address Resolution Protocol (ARP) cache, since it needs to contact the
sender machine soon.

Step 7: The destination device sends the Address Resolution Protocol (ARP) reply message, and it will NOT be
a broadcast, but a unicast.

Step 8: The source machine will process the Address Resolution Protocol (ARP) reply from the destination; it stores the
Sender Hardware Address as the layer 2 address of the destination.

Step 9: The source machine will update its Address Resolution Protocol (ARP) cache with the Sender Hardware
Address and Sender Protocol Address it received from the Address Resolution Protocol (ARP) reply message.
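
The nine steps above as a runnable model, added here as an illustration and not taken from the original material. It packs and parses the real 28-byte ARP message layout; the MAC addresses are the ones used elsewhere on this page, while the gateway IP 192.168.1.1, the bystander host and all function names are assumptions.

```python
import socket
import struct

ARP_FMT = "!HHBBH6s4s6s4s"    # htype, ptype, hlen, plen, oper, SHA, SPA, THA, TPA
ARP_REQUEST, ARP_REPLY = 1, 2
BROADCAST = "ffff.ffff.ffff"
BLANK = "0000.0000.0000"


def mac_to_bytes(mac):
    return bytes.fromhex(mac.replace(".", ""))


def mac_to_str(raw):
    h = raw.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def pack_arp(oper, sha, spa, tha, tpa):
    # Hardware type 1 = Ethernet, protocol type 0x0800 = IPv4.
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, oper,
                       mac_to_bytes(sha), socket.inet_aton(spa),
                       mac_to_bytes(tha), socket.inet_aton(tpa))


def parse_arp(payload):
    _, _, _, _, oper, sha, spa, tha, tpa = struct.unpack(ARP_FMT, payload)
    return {"oper": oper,
            "sha": mac_to_str(sha), "spa": socket.inet_ntoa(spa),
            "tha": mac_to_str(tha), "tpa": socket.inet_ntoa(tpa)}


class Host:
    def __init__(self, mac, ip):
        self.mac, self.ip = mac, ip
        self.cache = {}                      # IPv4 address -> MAC address

    def build_request(self, target_ip):
        # Step 2: own MAC/IP as sender, Target Hardware Address left blank.
        return BROADCAST, pack_arp(ARP_REQUEST, self.mac, self.ip, BLANK, target_ip)

    def receive(self, payload):
        """Process one ARP message; return (frame destination MAC, reply) or None."""
        msg = parse_arp(payload)
        if msg["tpa"] != self.ip:            # Step 4: not addressed to us, drop
            return None
        self.cache[msg["spa"]] = msg["sha"]  # Step 6 (request) or Steps 8-9 (reply)
        if msg["oper"] == ARP_REQUEST:
            # Step 5: the request's sender fields become the reply's target fields.
            # Step 7: the reply is sent unicast to the requester's MAC.
            return msg["sha"], pack_arp(ARP_REPLY, self.mac, self.ip,
                                        msg["sha"], msg["spa"])
        return None


def resolve(source, target_ip, lan):
    """Return (mac, log); log lists (message type, frame destination MAC)."""
    if target_ip in source.cache:            # Step 1: cache hit, nothing is sent
        return source.cache[target_ip], []
    dst, request = source.build_request(target_ip)
    log = [("request", dst)]
    for host in lan:                         # Step 3: broadcast reaches every host
        if host is source:
            continue
        answer = host.receive(request)
        if answer is not None:
            reply_dst, reply = answer
            log.append(("reply", reply_dst))
            source.receive(reply)
    return source.cache.get(target_ip), log


if __name__ == "__main__":
    pc1 = Host("3001.3333.3333", "192.168.1.100")
    r3 = Host("3001.2222.2222", "192.168.1.1")      # gateway IP is an assumption
    other = Host("3001.4444.4444", "192.168.1.50")  # constructed bystander
    lan = [pc1, r3, other]
    print(resolve(pc1, "192.168.1.1", lan))  # request broadcast, unicast reply
    print(resolve(pc1, "192.168.1.1", lan))  # answered from the cache
```

The cache update in receive() trusts the sender fields exactly as received, which matches the steps above; the ARP message has no field that authenticates them.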

[ ] TCP/IP Encapsulation

Data, Segments, Packets, and Frames

It started with PC1 requesting the www.ccnahub.com homepage from a Web-Server.

PC1’s TCP/IP Stack Application Layer encapsulated the HTTP Data Request inside an HTTP Data Header, and handed
the Header to the Transport Layer for further Processing (1). The Transport Layer encapsulated the HTTP Data Header
into Segment(s), adding source and destination TCP ports to the Segment(s), and handed the Segments to the Network
Layer for Packing using Logical Addressing (2). The Network Layer encapsulated the Segment(s) into IP Packet(s),
adding logical source and destination IP addresses to the Packet(s), and handed the Packet(s) to the Data Link
Layer for Framing using Hardware Addressing (3). The Data Link Layer encapsulated the IP Packet(s) into Frame(s),
adding hardware source and destination MAC addresses to the Frame(s) with an Ethernet Header and Trailer, and
handed the Frame(s) to the Physical Layer for Delivery using the Ethernet Standard or Protocol (4). The Physical
Layer converted the Frame(s) one at a time to a stream of bits, encoded the bits into signals based on the type of
media used (Copper, Fiber, or Wireless), and transmitted the signals one at a time to the Default Gateway (5).

Route Packets and Forward Frames to Default Router

In the above figure, PC1 requested the ccnahub.com homepage from the Web-server. While requesting, it does
some analysis and figures out that the IP of ccnahub.com is located in a different subnet; hence, PC1 chooses to send
the IP packet(s) to the nearby router (R3). Once received by R3, the packet(s) are forwarded again to the next nearby router
till they reach the final destination. PC1’s TCP/IP Stack analysis decided that the destination IP address of
ccnahub.com is located at the web-server (172.16.10.20), which is not on the same LAN where PC1 resides. So PC1’s
TCP/IP logic decided to route the HTTP Request packet(s) to a nearby default gateway (R3), which is located on the
same LAN as PC1.

To send packet(s) to the default gateway router, PC1 forwards frame(s) that hold the packet(s) across the Ethernet
medium to R3; these frames include the packets in the data portion of the Ethernet frames. From PC1’s perspective,
the frames are addressed to R3 as next-hop using R3’s MAC address.

The difference between IP Routing and MAC Forwarding Concept

Two main Concepts:

Network Layer Routing Concept: is based on the Dotted Decimal Notation Logical destination IP Address inside the
IP Packet (172.16.10.20). Meaning, Internet Protocol (IP) routes IP packets using the IP Address System across the
internet without really caring what LAN medium or WAN connection is in use (Ethernet,
PPP, HDLC, Frame Relay, ATM, Fiber, etc.); therefore, Internet Protocol (IP) Routes IP Packets.

Data-Link Layer Forwarding Concept: is based on the 12-Hex-Character Physical destination MAC Address inside
the frame (3001.2222.2222). Meaning, the Ethernet Physical Address is used as a vehicle to transport the Packet(s);
hence, a different MAC address is used on each Hop (that is: a different vehicle) till the IP Packet(s) reach their final
destination. In Ethernet Networks, each Hop represents its own vehicle (MAC address). Therefore, the Ethernet
Protocol and the WAN Protocols (HDLC, PPP, Frame Relay) all Forward Frames to be processed by the
Next-Hop till the Packet’s destination IP Address hits its Network as the final destination.

Keep in mind that Ethernet MAC addresses are associated ONLY with the Ethernet Protocol. When
it comes to WAN Protocols such as HDLC, PPP, Frame Relay, etc.: if PPP, HDLC, or Frame Relay is used for the
WAN connection, the Data-Link Layer DOES NOT encapsulate IP Packets into Frames using Ethernet MAC
addresses; each one of these WAN Protocols, such as HDLC, PPP, or Frame Relay, has its own hardware
Address to use that is different from the Ethernet MAC Address System. BUT there is one exception: if an
Ethernet WAN Technology is used, which is called Ethernet over Multiprotocol Label Switching (EoMPLS),
between 2 Routers, then MAC addresses can be used to move IP Packets between only the 2 Routers that are
connected with EoMPLS.

We are going to map each step to the upper Large Figure, so I recommend printing it or opening it in a different window to
map each step. All the routers in these detailed steps are using the OSPFv2 Routing protocol, already configured with
routes and subnets. The steps demonstrate how the TCP/IP Layers work together to deliver the data using IP Packets
and Data Link Frames.

Step 1: PC1’s Downstream started with PC1 browsing the ccnahub.com homepage.

Application Layer – Downstream: Creates and encapsulates the application requests or data with any required
Application Layer headers, and hands it to the Transport Layer for segmentation.

That is: PC1’s Application layer creates and encapsulates the HTTP (GET message) request inside an HTTP header.

Transport Layer – Downstream: Receives and encapsulates the data supplied by the Application Layer inside a
TCP or UDP header forming a Segment, adds destination and source TCP or UDP ports to the segment, and finally
hands the segment to the Network layer for the packing procedure.

That is: PC1’s Transport Layer receives and encapsulates the data supplied by PC1’s Application Layer inside a TCP
header forming a segment (1), adds a destination TCP port (80) as http service receiver (2), adds a dynamic source
port (5480) as App (web-browser) sender (3), and finally hands the segment to the Network Layer for the packing
procedure (4).

Network Layer - Downstream: Receives and encapsulates the TCP or UDP header supplied by the Transport layer
inside an IP Header forming an IP Packet, translates the destination domain name http://www.ccnahub.com to an IP
address using DNS, adds destination and source IP addresses to the IP packet, and finally routes the IP packet
using the outgoing NIC or interface through the Data Link Layer.

That is: PC1’s Network Layer receives and encapsulates the TCP segment inside an IP header forming an IP Packet
(1), adds a destination IP address of ccnahub.com (172.16.10.20) as final destination (2), adds PC1’s source IP
address (192.168.1.100) as sender (3), and finally routes the IP packet using PC1’s NIC as outgoing interface
through the Data-Link layer to default gateway (R3) (4).

Data Link Layer – Downstream using Ethernet LAN NIC: Receives the IP Packet from the Network Layer and
encapsulates the IP Packet inside an Ethernet Header and Trailer forming a Frame (Ethernet is used), adds
destination and source MAC addresses to the Frame based on the Address Resolution Protocol (ARP) table, and finally
forwards the Frame to the next-hop using the device’s outgoing NIC or interface through the physical layer.

That is: PC1’s Data-Link Layer receives and encapsulates the IP packet inside an Ethernet Header and Trailer
forming a frame (1), adds a destination MAC address of R3’s f0/1 LAN interface (3001.2222.2222) as next-hop (2),
adds the PC1’s NIC source MAC address (3001.3333.3333) as sender (3), and forwards the frame using PC1’s NIC
as outgoing interface through the Physical layer to R3’s f0/1 (4).

Physical Layer – Downstream: Receives and converts the frame to bits, encodes the bits into signals based on the
type of media used (Copper, Fiber, or Wireless), and transmits the signals one at a time using the device’s outgoing
NIC or interface through the media used.

That is: PC1’s Physical Layer receives and converts the frame to bits (1), since Ethernet Copper cable is used,
encodes the bits into electrical signals (2), and finally transmits the electrical signals one at a time using PC1’s
outgoing NIC interface, through the physical cable heading to R3 (3).

Step 2: R3’s Upstream using Ethernet LAN Port

Physical Layer: Receives the signals from PC1’s Physical layer through R3’s f0/1 interface and decodes each
electrical signal as a bit stream (1), reassembles each bit stream as a frame (2), and hands each frame to the Data-Link
Layer (3).

Data-link Layer: Receives the frames from the physical layer and applies the Frame Check Sequence (FCS) on each
frame for any error (1); if no errors are found, it de-encapsulates each frame’s contents (2), strips (discards) any MAC
addresses with its Header and Trailer (3), and hands ONLY the IP packet to the Network Layer (4).

Network Layer: Receives and reads the IP Packet’s destination and source IP addresses (1), compares the destination
IP (172.16.10.20) to known IP routes or subnets by reading the Routing Table Entries to analyze 172.16.10.20’s
subnet – Bingo! The 172.16.10.0/24 Subnet is found, which includes addresses 172.16.10.1 through 172.16.10.254
(3). Now the Routing decision: the subnet’s route states: 172.16.10.0 via 10.50.20.2 using f0/0 interface as
outgoing interface (4), and it routes the IP packet using the f0/0 interface as outgoing interface through the Data-link
Layer (5).

Note: 172.16.10.0 via 10.50.20.2 using f0/0 >>> 10.50.20.2 is R2’s IP address, which is the next router,
and f0/0 belongs to R3 as outgoing interface.

Data-link Layer – R3’s Downstream using Ethernet WAN Port: Receives the IP Packet back from the Network
Layer and encapsulates it inside a NEW Ethernet Header and Trailer forming a NEW Frame (1), adds new
destination MAC address of R2’s f0/0 (2001.2222.2222) as next-hop based on ARP cache table (2), adds new source
MAC address of R3’s f0/0 (3001.1111.1111) interface as a sender (3), and forwards the NEW Frame using R3’s
f0/0 as outgoing interface through the Physical layer.

Physical Layer: Physical Layer receives the New Frame from the Data link layer and converts it to bits (1), since
serial copper cable is used, encodes the bits into electrical signals (2), and transmits the electrical signals one at a
time using R3’s f0/0 outgoing interface, through the EoMPLS link heading to R2 (3).

Step 3: R2’s Upstream using Ethernet WAN Port

Physical Layer: Receives the signals from R3’s Physical layer through R2’s f0/0 interface and decodes each
electrical signal as a bit stream (1), reassembles each bit stream as a frame (2), and hands each frame to the Data-Link
Layer (3).

Data-link Layer: Receives the frames from the physical layer and applies the Frame Check Sequence (FCS) on each
frame for any error (1); if no errors are found, it de-encapsulates each frame’s contents (2), strips (discards) any MAC
addresses with its Header and Trailer (3), and hands ONLY the IP packet to the Network Layer (4).

Network Layer: Receives and reads the IP Packet’s destination and source IP addresses (1), compares the destination
IP (172.16.10.20) to known IP routes or subnets by reading the Routing Table Entries to analyze 172.16.10.20’s
subnet – Bingo! The 172.16.10.0/24 Subnet is found, which includes addresses 172.16.10.1 through 172.16.10.254
(3). Now the Routing decision: the subnet’s route states: 172.16.10.0 via 10.50.10.2 using s0/0 interface as
outgoing interface (4), and it routes the IP packet using the s0/0 interface as outgoing interface through the Data-link
Layer (5).

Note: 172.16.10.0 via 10.50.10.2 using s0/0 >>> 10.50.10.2 is R1’s IP address, which is the next router,
and s0/0 belongs to R2 as outgoing interface.

Data-link Layer – R2’s Downstream using PPP Leased Line Serial Port: Receives the IP Packet back from the
Network Layer and encapsulates it inside a NEW PPP or HDLC Header and Trailer forming a NEW Frame (1), and
forwards the NEW Frame using R2’s s0/0 as outgoing interface through the Physical layer (2).

Physical Layer: Physical Layer receives the New Frame from Data link layer and converts it to bits (1), since
Ethernet copper cable is used, encodes the bits into electrical signals (2), and transmits the electrical signals one at a
time using R2’s s0/0 outgoing interface, through the EoMPLS link heading to R1 (3).

Step 4: R1’s Upstream using PPP Leased Line Serial Port

Physical Layer: Receives the signals from R2’s Physical layer through R1’s s0/0 interface and decodes each
electrical signal as a bit stream (1), reassembles each bit stream as a frame (2), and hands each frame to the Data-Link
Layer (3).

Data-link Layer: Receives the frames from the physical layer and applies the Frame Check Sequence (FCS) on each
frame for any error (1); if no errors are found, it de-encapsulates each frame’s contents (2), strips (discards) any PPP or
HDLC Header and Trailer (3), and hands ONLY the IP packet to the Network Layer (4).

Network Layer: Receives and reads the IP Packet’s destination and source IP addresses (1), compares the destination
IP (172.16.10.20) to known IP routes or subnets by reading the Routing Table Entries to analyze 172.16.10.20’s
subnet – Bingo! The 172.16.10.0/24 Subnet is found, which includes addresses 172.16.10.1 through 172.16.10.254
(3). Now the Routing decision: the subnet’s route states: 172.16.10.0 is directly connected using f0/0 interface as
outgoing interface (4), and it routes the IP packet using the f0/0 interface as outgoing interface through the Data-link
Layer (5). (Directly connected means that no more routing can be done for this subnet, since this route is
connected directly to R1.)

Note: 172.16.10.0 is directly connected using f0/0 >>> directly connected, meaning there are no more routers in
the middle to route to for this subnet, since this route is connected directly to R1, and f0/0 belongs to R1 as outgoing
LAN interface.

Data-link Layer – R1’s Downstream using Ethernet LAN Port: Receives the IP Packet back from the Network
Layer and encapsulates it inside a NEW Ethernet Header and Trailer forming a NEW Frame (1), adds new
destination MAC address of web-server’s NIC (1001.3333.3333) as next-hop based on ARP cache table (2), adds
new source MAC address of R1’s f0/0 (1001.1111.1111) interface as a sender (3), and forwards the New Frame
using R1’s f0/0 as outgoing interface through the Physical layer (4).

Physical Layer: Physical Layer receives the New Frame from the Data link layer and converts it to bits (1), since
Ethernet copper cable is used, encodes the bits into electrical signals (2), and transmits the electrical signals one at a
time using R1’s f0/0 outgoing interface, through the LAN network heading to web-server (3).

Step 5: IP Packet hits its final destination using Web-Server’s Upstream NIC

Web-Server’s Physical Layer: Receives the signals from R1’s Physical layer through R1’s f0/0 interface and
decodes each electrical signal as a bit stream (1), reassembles each bit stream as a frame (2), and hands each frame to
the upper layer – Data-Link Layer (3).

Web-Server’s Data-link Layer: Receives the frames from the physical layer and applies the Frame Check Sequence
(FCS) on each frame for any error (1); if no errors are found, it de-encapsulates each frame’s contents (2), strips (discards)
any Ethernet MAC address with its Header and Trailer (3), and hands ONLY the IP packet to the upper layer –
Network Layer (4).

Web-Server’s Network Layer: Receives and reads the IP Packet’s destination and source IP addresses (1),
compares the destination IP (172.16.10.20) to its own IP Address and finds that it is the same IP address as the
web-server’s IP address – Bingo! The IP packet has reached its final destination (2); it de-encapsulates the IP Packet and
hands the Segment to the upper layer – Transport layer (3).

Web-Server’s Transport Layer: Receives and de-encapsulates the segments supplied by the Network Layer,
analyzes the destination and source TCP or UDP port numbers, and finally hands the Data to the Application Layer’s
service based on the TCP or UDP destination port Number used inside the segment.

That is: Web-Server’s Transport Layer receives and de-encapsulates the segments supplied by the Network Layer (1),
analyzes the segment’s destination TCP or UDP port fields (2), based on the segment’s destination port number
analysis, the Transport Layer decides that this port is TCP port number 80 (3), and based on this port number, it hands
the Data header to the HTTP Service that is associated with port 80 and is responsible for responding to and processing Web page
data.

Web-Server’s Application Layer: receives any headers that include data from the lower layer – Transport Layer,
and has its application services process any data based on the port numbers that were analyzed previously by the
Transport Layer.

That is: Web-Server’s HTTP Service processes the Data since it was meant for its TCP port 80, and finds out it is a
GET Message Request from PC1 to view a website called ccnahub.com, which is hosted by the Web-Server.

*Please Note: most Routers do NOT deal with either the Transport Layer or the Application layer! Starting at the
Physical layer and up to ONLY the Network layer, Routers receive the Frame and then the IP Packet as Upstream; then
Routers route the IP Packets through the Data Link Layer using NEW Frames with a New Hardware Address that is
suitable to the medium used, as Downstream to the Next-Hop.
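
The forward path of Steps 1 to 5 as a small model, added here as an illustration and not part of the original article. Routes, next-hop IPs and MAC addresses are the ones quoted in the steps; PC1's gateway IP 192.168.1.1, the interface label "nic", the device label "WEB" and the function names are assumptions. It shows that the layer-2 header is rebuilt at every hop while the IP packet stays the same.

```python
from ipaddress import ip_address, ip_network

# Routing tables: (prefix, next-hop IP or None if directly connected, out interface).
ROUTES = {
    "PC1": [("192.168.1.0/24", None, "nic"),
            ("0.0.0.0/0", "192.168.1.1", "nic")],   # gateway IP is an assumption
    "R3": [("172.16.10.0/24", "10.50.20.2", "f0/0")],
    "R2": [("172.16.10.0/24", "10.50.10.2", "s0/0")],
    "R1": [("172.16.10.0/24", None, "f0/0")],
}
# Outgoing interface -> (layer-2 protocol, own MAC, point-to-point peer).
IFACES = {
    ("PC1", "nic"): ("ethernet", "3001.3333.3333", None),
    ("R3", "f0/0"): ("ethernet", "3001.1111.1111", None),
    ("R2", "s0/0"): ("ppp", None, "R1"),
    ("R1", "f0/0"): ("ethernet", "1001.1111.1111", None),
}
# ARP caches, assumed already populated: IP -> (MAC, device that owns it).
ARP = {
    "PC1": {"192.168.1.1": ("3001.2222.2222", "R3")},
    "R3": {"10.50.20.2": ("2001.2222.2222", "R2")},
    "R1": {"172.16.10.20": ("1001.3333.3333", "WEB")},
}
OWN_IP = {"PC1": "192.168.1.100", "WEB": "172.16.10.20"}


def lookup(device, dst_ip):
    """Longest-prefix match of dst_ip in the device's routing table."""
    dst = ip_address(dst_ip)
    matches = [(ip_network(prefix), next_hop, iface)
               for prefix, next_hop, iface in ROUTES[device]
               if dst in ip_network(prefix)]
    if not matches:
        raise LookupError(f"{device}: no route to {dst_ip}")
    _, next_hop, iface = max(matches, key=lambda m: m[0].prefixlen)
    return next_hop, iface


def forward(device, packet):
    """One hop: routing decision, then a NEW layer-2 frame around the same packet."""
    next_hop, iface = lookup(device, packet["dst_ip"])
    l2, own_mac, peer = IFACES[(device, iface)]
    if l2 == "ethernet":
        # Directly connected subnet: resolve the destination itself, else the next hop.
        dst_mac, peer = ARP[device][next_hop or packet["dst_ip"]]
        frame = {"l2": l2, "src_mac": own_mac, "dst_mac": dst_mac, "payload": packet}
    else:
        frame = {"l2": l2, "payload": packet}   # PPP: no MAC addresses in the header
    return frame, peer


def trace(source, packet, max_hops=16):
    """Return [(sending device, receiving device, frame), ...] until delivery."""
    hops, device = [], source
    for _ in range(max_hops):
        if OWN_IP.get(device) == packet["dst_ip"]:
            return hops
        frame, nxt = forward(device, packet)
        hops.append((device, nxt, frame))
        device = nxt
    raise RuntimeError("packet not delivered within max_hops")


if __name__ == "__main__":
    packet = {"src_ip": "192.168.1.100", "dst_ip": "172.16.10.20",
              "src_port": 5480, "dst_port": 80}
    for sender, receiver, frame in trace("PC1", packet):
        macs = f'{frame.get("src_mac", "-")} > {frame.get("dst_mac", "-")}'
        print(f'{sender:>3} -> {receiver:<3} {frame["l2"]:<8} {macs:<32}'
              f'IP {frame["payload"]["src_ip"]} > {frame["payload"]["dst_ip"]}')
```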

Post Office Concept Mapped to TCP/IP Concept

Corporate Director as Layer 5: Notice how the Application Layer acted similarly to a corporate director in a
company who wrote an urgent letter to his branch office manager in New York.

Corporate Director as Layer 4: decided to hand the letter to his secretary as is, without an envelope, and instructed her
to pack and send it to the branch office manager in the New York office using a guaranteed delivery feature – acting
similarly to the Transport Layer’s TCP feature.

Secretary as Layer 3: At this point, the corporate director doesn’t really care how the secretary would pack the
letter, such as what kind of envelope she would use or how she would decide to put the envelope in the
mailbox. The secretary’s job at this stage is very similar to the Network Layer. The secretary’s way of working is
similar to the IP Protocol functions of PC1. She (IP) decided to encapsulate the letter inside an express mail envelope
using the New York branch office destination mail address – which is equal to the IP destination address of the
Web-server as receiver – and used the source mailing address of her corporate office as sender – which is similar to the
source IP address of PC1 as sender.

Corporate Mail Man as Layer 2: the secretary prepared everything and called the corporate mail man for further
actions – which is very similar to the Data-Link Layer. The mail man put (encapsulated) the secretary’s envelope
(Packet) in his special mailing box and carried it to his car in order to deliver it to the closest Post Office (R3), using the
corporate mail man’s car, which has a plate number – which is very similar to a MAC address.
Obviously the mail man can’t drive to New York, so the closest router to his office is one of the Post Office sites (R)
for further routing. Next, choosing to use his car, and not a bicycle, is very similar to using an Ethernet Header and
Trailer control protocol. If the mail man had chosen a bicycle instead, that would mean he had chosen
a different Data-Link Layer protocol, such as PPP WAN.

Driving a car with (Ethernet plate or MAC number) on the Road as Layer 1: the corporate mail man drove on
the road to drop the envelope at the closest Post Office box, which is very similar to using a UTP cable between PC1
and R3. Obviously, there is no way that we can encode the mail man and his car as an electric signal yet, but at least we
can map the idea to better understand the theory of the TCP/IP Networking Model, which is similar at some points to the
Post Office Networking Model.

Person sending a Letter: the process from Corporate Director as Layer 5 up to Layer 4 is very similar to someone
who wrote a letter but didn’t put the letter inside an envelope; rather, he handed it to the secretary to do the job.

Post office: The process from the Secretary (Network Layer) up to driving on the Road (Physical Layer) is a
complete Packet Routing and Frame Forwarding Process; therefore, the last three layers act as an internal Post Office
that belongs to the corporate office. In this theory, each network device has a complete TCP/IP Networking “Mini-Post
Office” Model.

MAC addresses as a Mail Ethernet Vehicle: MAC addresses are used as a lower layer to keep the processing of IP
Packet routing moving till the packet reaches its final destination. MAC addresses are similar to the Post Office’s trucks,
planes, or personnel (each one of them carries a plate number) that keep handing the mail to each other till they
deliver it to its final destination. Now Ethernet can’t represent all of them, only one of them, let’s say the Airplane
Medium!

Please Note: this Article explained the flow of Segments, Packets, and Frames among network devices. More
detailed steps for the following Protocols were not included in this Article.

DNS: As seen in the above figure, we used the ccnahub.com address as a domain name. We said that the Domain Name
System (DNS) resolved the domain to an IP address, but we didn’t go through the DNS details. Why DNS? You
and I use words and can’t remember all the IP addresses around the world. For example, once google.com is entered in the
browser, it has to be translated from a Name to a dotted decimal number, that is, the Public IP address used by the
google.com ISP router. In order to translate a Host name or a Domain name like google.com, the Network Layer MUST
rely on the Domain Name System (DNS) to provide layer 3 with the destination IP address. DNS works back and forth
between the Application Layer and Network Layer 3, and it can be configured on your Router as well. The Understanding
Web Browser DNS Lookup Article explains the basics of how Layer 3 depends on DNS to complete the packet with
a destination IP address by translating a Domain Name entered by the user to a Public IP address.

ARP: The Data-link layer (if Ethernet Technology is used) relies on the Address Resolution Protocol (ARP), which is part
of the Network Layer 3 protocol functions, to create frames with a destination MAC address. For the sake of simplicity, this
Article’s examples bypassed the detailed steps of ARP requests; this Article assumed that the ARP table is already
populated with MAC addresses on each network device. The Understanding ARP Request Process Article
will further explain why ARP is needed at the beginning of initializing communication between network devices
if the Ethernet standard is used.

NAT: In the above examples, we used Private IP addresses among all the networks and subnets. In reality it’s a little
bit different, though: Private IP address to Public IP address translation, or NAT, will be involved. To get the
point, let’s say you have requested the home page of google.com from your home or office PC. Assuming you are
using an IPv4 network, a very critical component called “Network Address Translation” (NAT) will be involved in
order to translate between Private IP addresses (which are used in your home or office network) and Public IP
addresses (which are used by your ISP Router and the google ISP router). NAT functions at your home or office
Router. The Understanding NAT Article is coming soon to further explain the concept of how it works by looking at the
same examples but using NAT, DNS, and ARP all together.

[ ] Routing Back IP Packets

How did the Web-Server reply with ccnahub.com’s homepage to PC1’s web browser?
*To map the steps, print the upper figure or open it in a different window.

Step 1: Server’s Downstream

Starting with Web-Server’s HTTP Service responding to PC1’s Browser with ccnahub.com’s homepage.


Application Layer – Downstream: Creates and encapsulates the application requests or data with any required
Application Layer headers, and hands it to the Transport Layer for segmentation.

That is: the Web-server’s HTTP service at the application layer creates and encapsulates the application data with
an HTTP (OK message) inside a header followed by part of the contents of a web page as data, so that PC1’s
browser can browse the Web page and retrieve the data.

Transport Layer – Downstream: Receives the HTTP Header with the OK Message and Data, encapsulates the
Header and data supplied by the Application Layer inside a TCP or UDP header forming a Segment, adds
destination and source ports to the segment, and finally hands the segment to the Network layer for the packing
procedure.

That is: Web-server’s Transport Layer receives and encapsulates the Header and data supplied by Web-Server’s
Application Layer inside a TCP header forming a segment (1), adds back PC1’s Web Browser dynamic TCP Port
(5480) as destination port (2), adds its HTTP service TCP static port (80) as source port (3), and finally hands the
segment to the Network Layer for the packing procedure (4).

Network Layer – Downstream: Receives and encapsulates any TCP or UDP header supplied by the Transport
layer inside an IP Header forming an IP packet, adds destination and source IP addresses to the IP packet, and
finally routes the IP packet using the outgoing NIC or interface through the Data-Link Layer.

That is: Web-server’s Network Layer receives and encapsulates the TCP header inside an IP header forming an IP
Packet (1), adds PC1’s IP address (192.168.1.100) as destination IP Address (2), adds its IP address (172.16.10.20)
as source IP Address (3), and finally routes the IP packet using web-server’s NIC as outgoing interface through the
Data-Link layer (4).

Data-Link Layer – Downstream using Ethernet NIC: Receives and encapsulates the IP Packet inside an Ethernet
Header and Trailer forming a Frame (Ethernet is used), adds destination and source MAC addresses to the Frame
based on the Address Resolution Protocol (ARP) table, and finally forwards the Frame to the next-hop using the
device’s outgoing NIC or interface through the physical layer.

That is: Web-server’s Data-Link Layer receives and encapsulates the IP packet inside an Ethernet Header and
Trailer forming a Frame (1), adds a destination MAC address of R1’s f0/0 LAN interface (1001.1111.1111) as next-
hop (2), adds the web-server’s NIC source MAC address (1001.3333.3333) as sender (3), and forwards the Frame
using web-server’s NIC as outgoing interface through the Physical layer (4).

Physical Layer – Downstream: Receives and converts the frame to bits, encodes the bits into signals based on the
type of media used (Copper, Fiber, or Wireless), and transmits the signals one at a time using the device’s outgoing
NIC or interface through the media used.

That is: Web-server’s Physical Layer receives and converts the frame to bits (1), since Ethernet Copper cable is
used, encodes the bits into electrical signals (2), and finally transmits the electrical signals one at a time using web-
server’s outgoing NIC interface, through the physical cable heading to R1 (3).

Step 2: R1’s Upstream using Ethernet LAN

Physical Layer: Receives the signals from Web-server’s Physical layer through R1’s f0/0 interface and decodes
each electrical signal as a bit stream (1), reassembles each bit stream as a frame (2), and hands each frame to the
Data-Link Layer (3).

Data-link Layer: Receives the frames and applies the Frame Check Sequence (FCS) on each frame for any error (1); if
no errors are found, it de-encapsulates each frame’s contents (2), strips (discards) any MAC addresses used with its
Header and Trailer (3), and hands ONLY the IP packet to the Network Layer (4).

Network Layer: Receives and reads the IP Packet’s destination and source IP addresses (1), compares the destination
IP (192.168.1.100) to known IP routes or subnets by reading the Routing Table Entries to analyze 192.168.1.100’s
subnet – Bingo! The 192.168.1.0/24 Subnet is found, which includes addresses 192.168.1.1 through 192.168.1.254
(3). Now the Routing decision: the subnet’s route states: 192.168.1.0 via 10.50.10.2 using serial0/0 interface as
outgoing interface (4), and it routes the IP packet using the s0/0 interface as outgoing interface through the Data-link
Layer (5).

Note: 192.168.1.0 via 10.50.10.2 using serial0/0 >>> 10.50.10.2 is R2’s IP address, which is the next Router,
and serial 0/0 belongs to R1 as outgoing interface.

Data-link Layer – R1’s Downstream using Serial Port: Receives and encapsulates the IP packet
inside PPP Header and Trailer forming a NEW Frame (1), and forwards the NEW Frame using R1’s s0/0 as
outgoing interface through the Physical layer (2).

Physical Layer: Physical Layer receives and converts the frames to bits (1), since serial copper cable is used,
encodes the bits into electrical signals (2), and transmits the electrical signals one at a time using R1’s s0/0 outgoing
interface, through the serial link heading to R2 (3).

Step 3: R2’s Upstream using Serial Port

Physical Layer: Receives the signals from R1’s Physical layer through R2’s s0/0 interface and decodes each
electrical signal as a bit stream (1), reassembles each bit stream as a frame (2), and hands each frame to the Data-Link
Layer (3).

Data-link Layer: Receives the frames and applies the Frame Check Sequence (FCS) on each frame for any error (1); if
no errors are found, it de-encapsulates each frame’s contents (2), strips (discards) any PPP or HDLC Header and
Trailer (3), and hands ONLY the IP packet to the Network Layer (4).

Network Layer: Receives and reads the IP Packet’s destination and source IP addresses (1), compares the destination
IP (192.168.1.100) to known IP routes or subnets by reading the Routing Table Entries to analyze 192.168.1.100’s
subnet – Bingo! The 192.168.1.0/24 Subnet is found, which includes addresses 192.168.1.1 through 192.168.1.254
(3). Now the Routing decision: the subnet’s route states: 192.168.1.0 via 10.50.10.1 using f0/0 interface as
outgoing interface (4), and it routes the IP packet using the f0/0 interface as outgoing interface through the Data-link
Layer for further routing (5).

Note: 192.168.1.0 via 10.50.10.1 using f0/0 >>> 10.50.10.1 is R3’s IP address, which is the next router,
and f0/0 belongs to R2 as outgoing interface.

Data-link Layer – R2’s Downstream using Ethernet WAN port: Receives and encapsulates the IP packet inside an
Ethernet Header and Trailer forming a NEW Frame (1), adds the new destination MAC address of R3’s f0/0
(3001.1111.1111) as next-hop based on the ARP cache table (2), adds the new source MAC address of R2’s f0/0
(2001.2222.2222) interface as sender (3), and forwards the Frame using R2’s f0/0 as outgoing interface
through the Physical layer (4).

Physical Layer: Physical Layer receives and converts the frames to bits (1), since Ethernet copper cable is used,
encodes the bits into electrical signals (2), and transmits the electrical signals one at a time using R2’s f0/0 outgoing
interface, through the EoMPLS link heading to R3 (3).

Step 4: R3’s Upstream using Ethernet WAN Port 

Physical Layer: Receives the signals from R2’s Physical layer through R3’s f0/0 interface and decodes each
electrical signal into a bit stream (1), reassembles each bit stream into a frame (2), and hands each frame to the Data-Link
Layer (3).

Data-link Layer: Receives the frames and checks the Frame Check Sequence (FCS) on each frame for errors (1); if
no errors are found, it de-encapsulates each frame’s contents (2), strips (discards) the Ethernet Header and
Trailer with their MAC addresses (3), and hands ONLY the IP packet to the Network Layer (4).

Network Layer: Receives and reads the IP Packet’s destination and source IP addresses (1), compares the destination
IP (192.168.1.100) to known IP routes or subnets by reading the Routing Table Entries to find 192.168.1.100’s
subnet – Bingo! 192.168.1.0/24 Subnet found, which includes addresses 192.168.1.1 through 192.168.1.254
(3). Now the Routing decision: the subnet’s route states: 192.168.1.0 is directly connected using f0/1 interface as
outgoing interface (4), and the router routes the IP packet using f0/1 as outgoing interface through the Data-link
Layer (5).

Note: 192.168.1.0 is directly connected using f0/1 >>> directly connected means there are no more routers in
the middle to route to for this subnet, since this route is connected directly to R3, and f0/1 belongs to R3 as outgoing
LAN interface.

Data-link Layer: Receives and encapsulates the IP packet inside Ethernet Header and Trailer forming a NEW
Frame (1), adds new destination MAC address of PC1’s NIC (3001.3333.3333) as next-hop based on ARP cache
table (2), adds new source MAC address of R3’s f0/0 (3001.2222.2222) interface as a sender (3), and forwards the
frame using R3’s f0/1 as outgoing interface through the Physical layer (4).

Physical Layer: Physical Layer receives and converts the frames to bits (1), since Ethernet copper cable is used,
encodes the bits into electrical signals (2), and transmits the electrical signals one at a time using R3’s f0/1 outgoing
interface, through the LAN network heading to PC1 (3).

Step 5: IP Packet hits its final destination using PC1’s Upstream NIC

PC1’s Physical Layer: Receives the signals from R3’s Physical layer through R3’s f0/1 interface and decodes
each electrical signal into a bit stream (1), reassembles each bit stream into a frame (2), and hands each frame to the upper
layer – Data-Link Layer (3).

PC1’s Data-link Layer: Receives the frames from the physical layer and checks the Frame Check Sequence (FCS) on
each frame for errors (1); if no errors are found, it de-encapsulates each frame’s contents (2), strips (discards) the
Ethernet Header and Trailer with their MAC addresses (3), and hands ONLY the IP Packet to the upper layer –
Network Layer (4).

PC1’s Network Layer: Receives and reads the IP Packet’s destination and source IP addresses (1), compares the
destination IP (192.168.1.100) to its own IP Address and finds that it is the same as PC1’s IP address
– Bingo!, the IP packet has reached its final destination (2), so it de-encapsulates the IP Packet and hands the Segment to
the upper layer – Transport layer (3).

PC1’s Transport Layer: Receives and de-encapsulates the segments supplied by the Network Layer, analyzes the
TCP or UDP destination and source port numbers, and finally hands the Data to the Application Layer’s services based
on the TCP or UDP destination port Number used inside the segment.

That is: PC1’s Transport Layer receives and de-encapsulates the segments supplied by the Network Layer (1), analyzes
the segment’s destination TCP or UDP port fields (2), and, based on the segment’s destination port number,
decides that this is TCP port number 5480 (3); based on this port number, it hands the
Data to the Web Browser, which previously requested a web page using dynamic port 5480 to view the
ccnahub.com homepage.

PC1’s Application Layer: Receives the data from the lower layer – Transport Layer, and has
its application services process the data based on the port numbers analyzed previously by the Transport
Layer.

That is: PC1’s Web Browser processed the Data since it was meant for its dynamic TCP port 5480, and found that it
is an OK Message Reply from the Web-Server that hosts www.ccnahub.com, allowing it to view the www.ccnahub.com homepage.

*At this point a TCP Handshake between PC1 and the Web-Server is complete, and a NEW TCP Socket has been
formed between these 2 network devices to exchange Data.

*Please Note: most Routers do NOT deal with either the Transport Layer or the Application layer! Most Routers
deal with the Physical layer up to ONLY the Network layer. Meaning, Routers receive the Frame and its IP Packet
through the Upstream; then Routers route the IP Packets back through the Data Link Layer
using NEW Frames with a New Hardware Address that is suitable for the medium being used on the Downstream link
heading to the Next-Hop.

Media Access Control (MAC) Address

The upper figure showed how the Web-Server replied to PC1 with almost everything the same at the request stage
except:

1. The Port numbers are flipped on the reply stage

2. The IP addresses are flipped on the reply stage

3. The MAC addresses get stripped out on the upstream (discarded) at each routing device, and replaced by BRAND
NEW MAC addresses on the downstream. Basically, it is the process of handing the IP Packet between 2 network
devices connected to each other until the IP Packet gets delivered to its final destination.

[ ] How the Internet Browsers find ccnahub.com?

Understanding the Web Browser’s DNS Lookup function helps clear up how a Host
completes a message request to, or receives a reply from, a Remote Host such as a Hosting-Server or Web Server.

Domain Name System (DNS)

Name Servers – Used to Resolve Human Names into matching IP addresses.

DNS – Resolve Names to IP Address  


Imagine that every time you want to search the Internet, you need to type Google’s IP Address (173.194.43.9) instead
of using google.com. We barely remember phone numbers these days. Luckily, the TCP/IP networking Model defines a
way to use Host Name Resolution through DNS. All we have to do is type google.com in the browser; DNS then resolves
the name and discovers all the necessary pieces to make communication happen.

As mentioned in the previous IP Fundamentals Articles, every IP packet includes a destination IP address.
So, in order to communicate with google using its web address name instead of its IP address, the TCP/IP Network
Layer helps the Internet Browser find the IP address of google.com using DNS or name servers.

DNS resolving ccnahub.com 

The following figure zooms in on the PC1 side to help you understand the process. What follows are the detailed steps of
what happens when a user types a URL into the Internet browser’s URL address field. Note that your router at
home or office could function as a DNS server as well. DNS servers can also be dedicated hardware and are usually
housed or installed alongside a Domain Controller in a Windows environment.

Step 1: ccnahub.com entered into Web Browser at PC1.

Step 2: In order to browse ccnahub.com

PC1’s TCP/IP Stack, for the first time (before caching ccnahub.com in its DNS table), sends a DNS request
packet to the DNS server on the right as shown on the above figure.

Note: the DNS request uses a UDP header with destination UDP Port 53, indicating the DNS server, as shown on
the following figure.

Step 3: After receiving the upper request

The following figure shows that the DNS server sent a reply listing IP address 172.16.10.20 as www.ccnahub.com’s IP
address.

Note: the difference between the Request packet of PC1 and the Reply packet of the DNS Server. The packets may look
similar, but the yellow highlighting shows the differences between the request and reply stages, e.g. the
Destination and Source IP addresses are flipped.

Step 4: After receiving the DNS reply

PC1’s TCP/IP Stack starts the process of establishing a new TCP connection to the web-server that hosts
ccnahub.com as requested by the Browser.

Note: the following figure shows the IP Address of the Web-Server that hosts www.ccnahub.com as the destination
IP Address, and this time the header is TCP, since the HTTP protocol uses a TCP socket with destination TCP port
80 and TCP SYN set to ON, indicating that a TCP connection has been established and not a UDP connection.

Please keep in mind that no single DNS server knows all the names and matching IP addresses around the world;
the information is distributed across many ISP DNS servers. So the local DNS server, such as a Router’s DNS server,
works with the ISP DNS server to resolve queries. The local DNS server forwards a query to the ISP server if the name is
not listed in its DNS Table. Even the ISP DNS server itself sometimes forwards queries to other ISPs’ DNS
servers until they find the answer and supply back the desired IP address, all in a second or two. In IPv4 DNS the
table entries are called “A records”; in IPv6 they are called “AAAA Records”.

Please Note: DNS runs as a service on a Server to respond to DNS requests from Network Clients. You might be asking
yourself: if DNS is a service, why would the DNS protocol or service be categorized as a Network Layer Protocol?
Shouldn’t it be categorized under the Application Layer instead? Well, it is on both actually: it is a service that an
administrator can interact with, but it mainly serves the Network Layer; without DNS we cannot translate Domain
Names and Shared Folders to an IP Address. ARP is next, and it is in an almost similar situation; it works back and forth
between the Network Layer and the Data-Link layer to translate IP Addresses to MAC Addresses on an Ethernet Network.
I’m not aware of an ARP service on a Windows machine, but there is an ARP cache table. DNS cache and ARP cache
tables can be flushed on most Network devices.

[ ] ARP Packet Flow:


>>Resolving Logical Addresses to Hardware Addresses
A host cannot directly send data to another host’s logical address. A destination logical address must be mapped to a
hardware address, so that the Data-Link layer can package a frame to transmit on the physical medium.
The Address Resolution Protocol (ARP) provides this mechanism for IPv4 on Ethernet networks. ARP allows a
host to determine the MAC address for a particular destination IP address.
Consider the above diagram. The following demonstrates the steps required for HostA to communicate with HostB:
• First, HostA will determine if the destination IP address of 10.1.1.6 is itself. If that address is configured on a local
interface, the packet never leaves HostA. In this example, 10.1.1.6 is not locally
configured on HostA.
• Next, HostA will determine if the 10.1.1.6 address is on the same network or subnet as itself. HostA consults its
local routing table to make this determination. In this example, the subnet mask is /16.
Thus, HostA’s IP address of 10.1.1.5 and the destination address of 10.1.1.6 are on the same network (10.1).
• Because HostA and HostB are on the same network, HostA will then broadcast an ARP request, asking for the
MAC address of the 10.1.1.6 address.
• HostB responds to the ARP request with an ARP reply, containing its MAC address (AAAA.BBBB.CCCC).
• HostA can now construct a Layer-2 frame, with a destination of HostB’s MAC address. HostA forwards this frame
to the switch, which then forwards the frame to HostB.

>>Resolving Logical Addresses to Hardware Addresses (continued)


Now consider a slightly modified scenario between HostA and HostB:

• Again, HostA will determine if the destination IP address of 10.2.1.5 is itself. In this example, 10.2.1.5 is not locally
configured on HostA.
• Next, HostA will determine if the 10.2.1.5 address is on the same network or subnet as itself. In this example, the
subnet mask is /16. Thus, HostA’s IP address of 10.1.1.5 and the destination address of
10.2.1.5 are not on the same network.
• Because HostA and HostB are not on the same network, HostA will parse its local routing table for a route to this
destination network of 10.2.x.x/16. Hosts are commonly configured with a default gateway to reach all other
destination networks.
• HostA determines that the 10.1.1.1 address on RouterA is its default gateway. HostA will then broadcast an ARP
request, asking for the MAC address of the 10.1.1.1 address.
• RouterA responds to the ARP request with an ARP reply containing its MAC address (4444.5555.6666). HostA
can now construct a Layer-2 frame, with a destination of RouterA’s MAC address.
• Once RouterA receives the frame, it will parse its own routing table for a route to the destination network of
10.2.x.x/16. It determines that this network is directly attached off of its Ethernet2 interface. RouterA then
broadcasts an ARP request for the 10.2.1.5 address.
• HostB responds to the ARP request with an ARP reply containing its MAC address (AAAA.BBBB.CCCC).
RouterA can now construct a Layer-2 frame, with a destination of HostB’s MAC address.

>>Resolving Logical Addresses to Hardware Addresses (continued)


Consider the following example again:

Note that as a packet is routed, the source and destination IP address remain unchanged. However, both the source
and destination MAC address did change.

This is because a MAC address contains no network hierarchy, and thus is only significant on the local network. In
the above scenario, HostA and HostB could not communicate directly using Layer-2 addressing. At every routed
hop, the source and destination MAC address are adjusted to reflect
the source and destination hosts on the local network.
The source and destination IP address will only be changed if NAT is used.

[C] Differences between Static Route with Exit Interface and Next-Hop Interface

On a point-to-point interface, by definition two devices are directly connected, so configuring a static route
pointing to the outgoing interface or to the next-hop IP address makes no difference: the router uses the L2 address of
the next hop on that interface to route packets to every destination address.

On a multipoint interface, by definition the interface can have multiple devices connected to it. So, as point number
two of the Basic Overview below explains, if you configure a static route pointing to the outgoing interface, the router
needs L3-to-L2 resolution for each destination prefix.

Conclusion:

->For point to point interfaces,  you can use static routes that point to the interface or to the next  hop address.
There is only one possible next hop and its L2 address will  be used to build L2 frame.

->For multipoint/Broadcast interfaces,  it is more suitable to use static routes that point to a next hop  address to
avoid the need for resolving every destination address to its  L2 address. As you have seen above it is still possible
to use static  routes pointing to the interface but not a scalable solution.

https://supportforums.cisco.com/document/116711/static-routes-next-hop-exit-interface-or-ip-address

Introduction:
This document describes the difference between implementation of static routes with next hop as an exit interface or
an IP address.
 
!-- Pointing to next hop address

ip route 0.0.0.0 0.0.0.0 10.1.1.2

!-- Pointing to the interface

ip route 0.0.0.0 0.0.0.0 fa0/0

Basic Overview:

For forwarding packet to the destination, the router must determine the exit interface and rewrite the L2 frame
before putting the packet on the wire. In order for a router to write the L2 frame it must resolve the IP address to its
corresponding L2 address and reconstruct the frame before sending to the next hop. The function of address
resolution can be done dynamically using protocols like ARP in Ethernet or Statically/Dynamically learned DLCI in
frame-relay.

There are two points to understand when you configure a static route on a router.

1) If you configure a static route pointing to a next-hop IP address, then for every destination the forwarding router
requires only the L2 address of the next-hop IP address to rewrite the L2 frame.
Example: ip route 2.2.2.0 255.255.255.0 10.1.1.2
To route a packet to destination address 2.2.2.2, the router requires the L2 MAC address of 10.1.1.2.

2) If you configure a static route pointing to an outgoing interface, the forwarding router assumes the destination
address is directly connected to that interface and will try to find the L2 address of the destination by sending an ARP
request out of the interface for the destination address in the case of Ethernet, or by looking for a static/dynamic map
entry in the mapping table in the case of frame-relay.
Example: ip route 2.2.2.0 255.255.255.0 fa0/0
To route a packet to destination address 2.2.2.2, the router assumes host 2.2.2.2 is directly connected to
interface fa0/0 and requires the L2 MAC address of 2.2.2.2.

In general, interfaces can be point-to-point or multipoint. The conditions above work differently on
point-to-point and multipoint interfaces.

On a point-to-point interface, by definition two devices are directly connected, so configuring a static route
pointing to the outgoing interface or to the next-hop IP address makes no difference: the router uses the L2 address of
the next hop on that interface to route packets to every destination address.

On a multipoint interface, by definition the interface can have multiple devices connected to it. So, as mentioned above
in point number two, if you configure a static route pointing to the outgoing interface, the router needs L3-to-L2
resolution for each destination prefix. Ethernet is an example of a multipoint interface, whereas Frame-relay and ATM
can be multipoint or point-to-point interfaces depending on the configuration.
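
The two cases above, and the host-side decision described in the ARP Packet Flow section, come down to one question: which IP address must be resolved to an L2 address before the frame can be built? The Python model below is an added example, not code from the Cisco document; the function names and the interface name eth0 are assumptions, while the addresses are R2's and HostA's from this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set, Tuple

IPv4 = ipaddress.IPv4Address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    out_if: Optional[str] = None      # set for connected and exit-interface routes
    next_hop: Optional[IPv4] = None   # set for next-hop (recursive) routes


def route(prefix: str, out_if: Optional[str] = None,
          next_hop: Optional[str] = None) -> Route:
    """Build a route; exactly one of out_if / next_hop must be given."""
    if (out_if is None) == (next_hop is None):
        raise ValueError("give exactly one of out_if or next_hop")
    return Route(ipaddress.IPv4Network(prefix), out_if,
                 IPv4(next_hop) if next_hop else None)


def lookup(table: List[Route], dst: IPv4) -> Optional[Route]:
    """Longest-prefix match over the table."""
    matches = [r for r in table if dst in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def arp_target(table: List[Route], local_addrs: Set[IPv4], dst: str,
               max_depth: int = 8) -> Optional[Tuple[str, IPv4]]:
    """Return (outgoing interface, IP that must be resolved to a MAC).

    None means the destination is one of the device's own addresses.
    A next-hop route is followed recursively until a route with an
    interface is found, so the ARP target becomes the next hop. A route
    that names only an interface leaves the destination itself as target.
    """
    addr = IPv4(dst)
    if addr in local_addrs:
        return None
    target = addr
    for _ in range(max_depth):
        r = lookup(table, target)
        if r is None:
            raise LookupError(f"no route to {target}")
        if r.out_if is not None:
            return r.out_if, target
        target = r.next_hop
    raise LookupError(f"recursion limit reached resolving {addr}")


def arp_entries(table: List[Route], local_addrs: Set[IPv4],
                dsts: Iterable[str]) -> Set[str]:
    """Distinct ARP cache entries needed to reach every destination."""
    needed = set()
    for d in dsts:
        hit = arp_target(table, local_addrs, d)
        if hit is not None:
            needed.add(str(hit[1]))
    return needed


# R2 from this page: fa0/0 is 10.1.1.1/30, Loopback0 is 2.2.2.2/32.
R2_LOCAL = {IPv4("2.2.2.2"), IPv4("10.1.1.1")}
R2_CONNECTED = [route("10.1.1.0/30", out_if="FastEthernet0/0")]
R2_CASE1 = R2_CONNECTED + [route("0.0.0.0/0", next_hop="10.1.1.2")]
R2_CASE2 = R2_CONNECTED + [route("0.0.0.0/0", out_if="FastEthernet0/0")]

# HostA from the ARP section: 10.1.1.5/16, default gateway 10.1.1.1.
# The interface name eth0 is an assumption.
HOSTA_LOCAL = {IPv4("10.1.1.5")}
HOSTA_TABLE = [route("10.1.0.0/16", out_if="eth0"),
               route("0.0.0.0/0", next_hop="10.1.1.1")]

if __name__ == "__main__":
    for name, table in (("next-hop", R2_CASE1), ("exit-interface", R2_CASE2)):
        print(name, sorted(arp_entries(table, R2_LOCAL, ["1.1.1.1", "3.3.3.3"])))
```

With the next-hop route R2 needs one ARP entry for any number of destinations; with the exit-interface route it needs one per destination, which is the scaling problem the conclusion refers to.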

Configuration overview:

The topology and initial configurations are shown below:

Topology diagram:

 
Initial configuration:

R1:

interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.1.2 255.255.255.252
duplex auto
speed auto
!
interface FastEthernet0/1
ip address 20.1.1.1 255.255.255.0
duplex auto
speed auto
!
ip route 2.2.2.2 255.255.255.255 10.1.1.1
ip route 3.3.3.3 255.255.255.255 20.1.1.2

R2:

interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/0
ip address 10.1.1.1 255.255.255.252
duplex auto
speed auto
!
ip route 0.0.0.0 0.0.0.0 10.1.1.2

R3:

interface Loopback
ip address 3.3.3.3 255.255.255.25
!
interface FastEthernet0/
ip address 20.1.1.2 255.255.255.25
duplex aut
speed aut
!
ip route 0.0.0.0 0.0.0.0 20.1.1.1

Case1: A static route is configured on R2 pointing to the next-hop address of the neighboring router R1. As discussed
above, to forward every packet to a destination prefix, R2 will use the destination MAC address of R1 in the L2 frame.

Verifying connectivity from R2 to R1 and R3 loopback addresses:

R2#ping 1.1.1.1 so 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 2.2.2.2

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms

R2#ping 3.3.3.3 so 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 2.2.2.2

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/35/60 ms

R2#sh ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  10.1.1.1                -   c000.3148.0000  ARPA   FastEthernet0/0

Internet  10.1.1.2                0   c001.3148.0000  ARPA   FastEthernet0/0

Case2: A static route is configured on R2 pointing to the outgoing interface. As discussed above, for every
packet it forwards, R2 assumes the destination address is directly connected to that interface and will try to find the
L2 MAC address of every destination by sending an ARP request out of the interface for the destination address.

R2(config)#no ip route 0.0.0.0 0.0.0.0 10.1.1.2

R2(config)#ip route 0.0.0.0 0.0.0.0 fa0/0

 
Connectivity verification from R2 to R1 and R3 loopback addresses. IP packet debug is also turned on on R2 to get a
closer packet-level view.

R2#debug ip packet detail

IP packet debugging is on (detailed)

R2#ping 3.3.3.3 so 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 2.2.2.2

IP: tableid=0, s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/0), routed via RIB

IP: s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/0), len 100, sending

    ICMP type=8, code=0

IP: s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/0), len 100,encapsulation failed

    ICMP type=8, code=0.

IP: tableid=0, s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/0), routed via RIB

IP: s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/0), len 100, sending

    ICMP type=8, code=0

IP: s=2.2.2.2 (local), d=3.3.3.3 (FastEthernet0/0), len 100,encapsulation failed

R2#sh ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  1.1.1.1                 0   Incomplete      ARPA

Internet  3.3.3.3                 0   Incomplete      ARPA

Internet  10.1.1.1                -   c000.3148.0000  ARPA   FastEthernet0/0

Internet  10.1.1.2               16   c001.3148.0000  ARPA   FastEthernet0/0

Internet  10.1.1.5                -   c000.3148.0001  ARPA   FastEthernet0/1


 

As the 1.1.1.1 and 3.3.3.3 prefixes are not directly connected to fa0/0, R2 does not get the L2 MAC address of these
prefixes; hence the ARP table entries show Incomplete, L2 encapsulation fails, and R2 drops
packets for these destinations.

Two workarounds are available, but they are not solutions and are explained only for the user’s information.

1) Enabling proxy ARP on next hop router:


If you enable proxy ARP on a router, whenever the router gets an address resolution request it sends a proxy ARP reply
with its own interface address to the requesting router, but only if the prefix is present in its routing table.

In this example R1 sends proxy ARP, i.e. the L2 MAC address of 10.1.1.2, to R2 for prefixes 3.3.3.3 and 2.2.2.2, as both
are in its routing table. By default, proxy ARP is enabled on most routers.

R1#conf t

Enter configuration commands, one per line.  End with CNTL/Z.

R1(config)#int fa0/0

R1(config-if)#ip proxy-arp

R1(config-if)#do sh ip int fa0/0 | in Proxy

             Proxy ARP is enabled

             Local Proxy ARP is enabled

Verifying connectivity from R2 to R1 and R3 loopback address:

R2#ping  1.1.1.1 so 2.2.2.2

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 1.1.1.1, timeout is 2 seconds:

Packet sent with a source address of 2.2.2.2

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 20/28/40 ms

R2#ping 3.3.3.3 so 2.2.2.2

Type escape sequence to abort.


Sending 5, 100-byte ICMP Echos to 3.3.3.3, timeout is 2 seconds:

Packet sent with a source address of 2.2.2.2

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 16/35/60 ms

Take a closer look at the ARP table of R2: it shows the same MAC address for the 3.3.3.3 and 1.1.1.1 prefixes in the
address resolution table, because R1 is sending proxy ARP with its own interface address.

R2#sh ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  1.1.1.1                 0   c001.3148.0000  ARPA   FastEthernet0/0

Internet  3.3.3.3                 0   c001.3148.0000  ARPA   FastEthernet0/0

Internet   10.1.1.1                -   c000.3148.0000  ARPA   FastEthernet0/0

Internet  10.1.1.2               40   c001.3148.0000  ARPA   FastEthernet0/0

Hence this could result in a large amount of broadcast traffic and a large number of ARP cache entries on R2, especially
if the static route is a default route used for internet traffic.
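
Both symptoms in the outputs above can be checked mechanically: Incomplete entries (exit-interface route, no proxy ARP) and off-subnet addresses that all resolve to one neighbour's MAC (proxy ARP answering). This Python audit is an added example, not part of the Cisco document; the function names are assumptions, the sample text is the `sh ip arp` output shown on this page, and the connected subnet 10.1.1.0/30 follows from R2's FastEthernet0/0 address in the initial configuration.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional

# Protocol, Address, Age, Hardware Addr, Type, optional Interface
ARP_LINE = re.compile(r"^Internet\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

# Output copied from this page: exit-interface route without proxy ARP.
EXIT_IF_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  1.1.1.1                 0   Incomplete      ARPA
Internet  3.3.3.3                 0   Incomplete      ARPA
Internet  10.1.1.1                -   c000.3148.0000  ARPA   FastEthernet0/0
Internet  10.1.1.2               16   c001.3148.0000  ARPA   FastEthernet0/0
Internet  10.1.1.5                -   c000.3148.0001  ARPA   FastEthernet0/1
"""

# Output copied from this page: same route with proxy ARP enabled on R1.
PROXY_ARP_OUTPUT = """\
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  1.1.1.1                 0   c001.3148.0000  ARPA   FastEthernet0/0
Internet  3.3.3.3                 0   c001.3148.0000  ARPA   FastEthernet0/0
Internet  10.1.1.1                -   c000.3148.0000  ARPA   FastEthernet0/0
Internet  10.1.1.2               40   c001.3148.0000  ARPA   FastEthernet0/0
"""

# From R2's initial configuration: fa0/0 is 10.1.1.1 255.255.255.252.
R2_CONNECTED = {"FastEthernet0/0": "10.1.1.0/30"}


def parse_show_ip_arp(text: str) -> List[Dict[str, Optional[str]]]:
    """Turn 'show ip arp' text into one dict per entry; the header is skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.match(line.strip())
        if m:
            ip, age, mac, _encap, iface = m.groups()
            entries.append({"ip": ip, "age": age, "mac": mac, "interface": iface})
    return entries


def audit(entries, connected: Dict[str, str]) -> Dict[str, object]:
    """Report unresolved entries and off-subnet IPs grouped by answering MAC.

    connected maps interface name to its connected subnet. Entries on an
    interface missing from the map are skipped; entries without an
    interface (manual ARP entries) are checked against every known subnet.
    """
    nets = {name: ipaddress.IPv4Network(net) for name, net in connected.items()}
    incomplete: List[str] = []
    off_subnet = defaultdict(list)
    for e in entries:
        if e["mac"].lower() == "incomplete":
            incomplete.append(e["ip"])
            continue
        iface = e["interface"]
        if iface is None:
            candidates = list(nets.values())
        elif iface in nets:
            candidates = [nets[iface]]
        else:
            continue
        addr = ipaddress.IPv4Address(e["ip"])
        if not any(addr in net for net in candidates):
            off_subnet[e["mac"]].append(e["ip"])
    return {"incomplete": incomplete, "off_subnet": dict(off_subnet)}


if __name__ == "__main__":
    for label, text in (("exit-interface", EXIT_IF_OUTPUT), ("proxy ARP", PROXY_ARP_OUTPUT)):
        print(label, audit(parse_show_ip_arp(text), R2_CONNECTED))
```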

2) Adding manual ARP entries in ARP table:


You can also add manual ARP entries for destination prefixes to build L2 frame as shown below:

R2(config)#arp 1.1.1.1 c001.3148.0000 arpa

R2(config)#arp 3.3.3.3 c001.3148.0000 arpa

R2#sh ip arp

Protocol  Address          Age (min)  Hardware Addr   Type   Interface

Internet  1.1.1.1                 -   c001.3148.0000  ARPA

Internet  3.3.3.3                 -   c001.3148.0000  ARPA

Internet  10.1.1.1                -   c000.3148.0000  ARPA   FastEthernet0/0

Internet  10.1.1.2                4   c001.3148.0000  ARPA   FastEthernet0/0

To build the L2 frame for each destination prefix, you will need to add manual entries to the address resolution table.

Conclusion:

->For point to point interfaces,  you can use static routes that point to the interface or to the next  hop address.
There is only one possible next hop and its L2 address will  be used to build L2 frame.

->For multipoint/Broadcast interfaces,  it is more suitable to use static routes that point to a next hop  address to
avoid the need for resolving every destination address to its  L2 address. As you have seen above it is still possible
to use static routes pointing to the interface but not a scalable solution.

http://www.networkers-online.com/blog/2009/01/static-routes-and-next-hops/

Static routes and next hops

January 27th, 2009 Wael Osama Posted in Routing, WAN technologies | 9 Comments »

Today I have received a question by mail from one of our readers asking about the difference between pointing the
static route to a next hop address or pointing it to the exit interface itself as shown in the example below:

!-- Pointing to next hop address
ip route 0.0.0.0 0.0.0.0 192.168.1.1
!-- or Pointing to the interface
ip route 0.0.0.0 0.0.0.0 s1/0

Although it seems to be an easy question to answer, it was a little bit hard for me to write the answer in words.
You know, sometimes we know things but when the time comes for explaining them you do not know how to start. I
decided to do it the following way, hope it is clear.

To answer this question we just need to review some of the fundamentals:

Packet Forwarding

For a packet to be forwarded to its destination the router must determine the exit interface, rewrite the frame and put
the packet on the wire.

What concerns us for our discussion is the frame rewriting part, in order for a router to write the frame it must
resolve the IP address to its corresponding L2 address and reconstruct the frame before sending to the next hop.

The function of address resolution can be done dynamically using protocols like ARP or statically by adding
static mappings to the address resolution tables.

Interfaces Media Types

In general interfaces can be point to point interfaces or multi-access interfaces, Ethernet is an example of multi-
access interfaces. Frame-relay and ATM can act as a multi-access interface or point to point depending on the
configuration.

Multiple access describes media to which multiple devices are connected and can send or receive simultaneously.
Point to Point describes media where only two devices are connected to the same medium and can only talk to each
other.

Static Routes:

If the static route is pointed to a next hop address, the forwarding router needs to resolve the L2 address of this next-
hop address only to rewrite the frame.

If the static route is pointed to the interface, the forwarding router still needs to resolve the L2 address to write the
frame, but this time there is no next-hop address configured to go for; The router will try to find the L2 address of
the destination by sending ARP request out of the interface to the destination address in case of Ethernet or looking
for a static/dynamic map entry in the mapping table in case of frame-relay. It is clear that would never be a scalable
solution.

One more point worth mentioning here is that a static route pointing to the next-hop rather than the outgoing
interface is also known as a recursive static route, this came from the fact that the router will need to do recursive
lookup(s) on the next-hop of the static route to find out the outgoing interface which the packets should be
forwarded.

Conclusion:

I think it has been clear that the router’s main function is to find the outgoing interface to reach the packet’s next hop
in its path to the destination, and to reach this next hop specifically it needs to find its L2 address “via address
resolution protocols”. From all the above sections we can safely conclude the following points:

• For point to point interfaces, you can use static routes that point to the interface itself or to the next hop
address. There is only one possible next hop and its L2 address will be used for the frame.
• For multi-access interfaces, it’s more suitable to use static routes that point to a next hop address to avoid
the need for resolving every destination address to its L2 address. It is still possible to use static routes
pointing to the interface but it is not a scalable solution and requires additional configurations.

I have tried to make it clear as much as possible, hope I have been informative.

[D] Proxy ARP: [What, When & Why Used]

http://www.cisco.com/c/en/us/support/docs/ip/dynamic-address-allocation-resolution/13718-5.html

https://learningnetwork.cisco.com/thread/60350

- When a host does not know its default gateway, it ARPs every time it wants to send an IP packet to remote
networks (provided its ARP cache does not contain a corresponding entry). If proxy-arp is on on the router
serving that segment, the router will every time answer each ARP request with its own MAC address if it
knows a route to the destination included in the ARP request. This may eventually drain the resources of a router, as
well as the bandwidth of a switched path from host to router.
OR
- A Proxy ARP enabled Router answers ARP requests intended for another machine. It does that by making
the local host believe that the Router is the "owner" of that IP Address; the local host will forward the traffic to
the Router and the Router will be responsible to "route" the packets to the real destination.
OR
1. Proxy ARP must be used on the network where IP hosts are not configured with a default gateway or do
not have any routing intelligence.
2. Hosts have no idea of the physical details of their network and assume it to be a flat network in which
they can reach any destination simply by sending an ARP request.

Explanation:

- Address Resolution Protocol (ARP) is used to map a known IP Address to an unknown data-link identifier (for
example MAC Address). The ARP Request will contain:
 
      Source IPv4 Address;  
      Source data-link identifier address (MAC Address for example);  
      Destination IPv4 Address;  
      Destination data-link identifier (MAC Address in our example) will be set to 00:00:00:00:00:00.  
 
Just did an ARP capture :
 
Ethernet II, Src: 00:30:b8:83:cb:40, Dst: ff:ff:ff:ff:ff:ff              
    Destination: ff:ff:ff:ff:ff:ff (Broadcast)               
    Source: 00:30:b8:83:cb:40  (00:30:b8:83:cb:40 )              
    Type: ARP (0x0806)               
    Trailer: FFE000200020003035800000FFE000100030
Address Resolution Protocol (request)
    Hardware type: Ethernet (0x0001)               
    Protocol type: IP (0x0800)               
    Hardware size: 6               
    Protocol size: 4               
    Opcode: request (0x0001)               
    Sender MAC address: 00:30:b8:83:cb:40 (00:30:b8:83:cb:40)                
    Sender IP address: 201.6.115.1 (201.6.115.1)               
    Target MAC address: 00:00:00_00:00:00 (00:00:00:00:00:00)               
    Target IP address: 201.6.115.254 (201.6.115.254)
 
 
Now let's see Proxy-ARP.
 
A Proxy ARP enabled Router answers ARP requests intended for another machine. It does that by making the local
host believe that the Router is the "owner" of that IP Address; the local host will forward the traffic to the Router, and
the Router will be responsible for "routing" the packets to the real destination.
 
For example, a Host in Subnet A wants to send traffic to a Host in Subnet B. Host A will send an ARP Request with
Host B's IP Address; the Router connected to both subnets will answer Host A's request using its own MAC
Address instead of Host B's MAC Address.
 
Now when Host A wants to transmit traffic to Host B, it'll send to the Router's MAC Address and the Router will just
forward the traffic to Host B. That's why it is called "Proxy ARP".
 
It's used on networks where the hosts are not configured with a default-gateway.
And a little pointer as well: it is enabled by default on a Cisco Router, and you can disable it manually on a
per-interface basis with the no ip proxy-arp command. To get back to the default, use the ip proxy-arp command.
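
The ARP request in the capture and the Proxy ARP behaviour above, as an added example that is not part of the original notes: it packs the capture's field values into the 28-byte ARP layout, parses them back, and flags any MAC address that sent ARP replies for more than one IP address, which is what a segment behind a Proxy ARP router looks like. The 10.1.x.x addresses, the 02:00:... MAC addresses and all function names are constructed for illustration.

```python
import ipaddress
import struct
from collections import defaultdict

# hw type, proto type, hw size, proto size, opcode, sender MAC/IP, target MAC/IP
ARP_FMT = "!HHBBH6s4s6s4s"
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode, sender_mac, sender_ip, target_mac, target_ip):
    """Pack an Ethernet/IPv4 ARP message (28 bytes, Ethernet header not included)."""
    return struct.pack(
        ARP_FMT, 0x0001, 0x0800, 6, 4, opcode,
        mac_bytes(sender_mac), ipaddress.IPv4Address(sender_ip).packed,
        mac_bytes(target_mac), ipaddress.IPv4Address(target_ip).packed,
    )


def parse_arp(payload):
    """Decode an ARP message; bytes after the first 28 (Ethernet trailer) are ignored."""
    size = struct.calcsize(ARP_FMT)
    if len(payload) < size:
        raise ValueError("truncated ARP message")
    htype, ptype, hlen, plen, opcode, smac, sip, tmac, tip = struct.unpack(
        ARP_FMT, payload[:size])
    if (htype, ptype, hlen, plen) != (0x0001, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP message")
    return {
        "opcode": opcode,
        "sender_mac": mac_str(smac), "sender_ip": str(ipaddress.IPv4Address(sip)),
        "target_mac": mac_str(tmac), "target_ip": str(ipaddress.IPv4Address(tip)),
    }


def macs_answering_for_many_ips(payloads, known_proxy_macs=frozenset()):
    """Return {mac: {...}} for every MAC that sent ARP replies for more than one IP."""
    claimed = defaultdict(set)
    for payload in payloads:
        pkt = parse_arp(payload)
        if pkt["opcode"] == ARP_REPLY:
            claimed[pkt["sender_mac"]].add(pkt["sender_ip"])
    return {
        mac: {"ips": sorted(ips, key=ipaddress.IPv4Address),
              "known_proxy": mac in known_proxy_macs}
        for mac, ips in claimed.items() if len(ips) > 1
    }


# The request from the capture above, followed by its 18-byte Ethernet trailer.
CAPTURED_REQUEST = build_arp(
    ARP_REQUEST, "00:30:b8:83:cb:40", "201.6.115.1",
    "00:00:00:00:00:00", "201.6.115.254",
) + bytes.fromhex("FFE000200020003035800000FFE000100030")

# Constructed traffic: Host A (subnet A) resolves two hosts in subnet B and the
# router answers both with its own MAC; one ordinary same-subnet reply is included.
ROUTER, HOST_A = "02:00:00:00:00:01", "02:00:00:00:00:0a"
SAMPLE = [
    build_arp(ARP_REQUEST, HOST_A, "10.1.1.10", "00:00:00:00:00:00", "10.1.2.20"),
    build_arp(ARP_REPLY, ROUTER, "10.1.2.20", HOST_A, "10.1.1.10"),
    build_arp(ARP_REPLY, ROUTER, "10.1.2.21", HOST_A, "10.1.1.10"),
    build_arp(ARP_REPLY, ROUTER, "10.1.1.254", HOST_A, "10.1.1.10"),
    build_arp(ARP_REPLY, "02:00:00:00:00:0b", "10.1.1.11", HOST_A, "10.1.1.10"),
]

if __name__ == "__main__":
    print(parse_arp(CAPTURED_REQUEST))
    for mac, finding in macs_answering_for_many_ips(SAMPLE, {ROUTER}).items():
        print(mac, finding)
```

A flagged MAC that is not a router configured for Proxy ARP deserves a closer look, because the host's ARP cache alone cannot tell the two situations apart.
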
Difference between clear arp-cache and clear ip arp

++ show arp will show you your Ethernet/ARPA/MAC addresses which are mapped to IP addresses for the hosts
which have previously ARPed your router.

++ They basically display the same info. The show arp will show you not only your IP-MAC, but other L3-MAC
addresses, e.g. Appletalk.

++ While show ip arp will, by definition, show you only your IP-MAC bindings.

http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1ripadr.html#wp1020730

++ Clear arp & clear ip arp removes the output of show arp & show ip arp respectively

clear ip arp

++ By default the arp timeout is 4 hours and mac address table timeout is 300 seconds.

++ When you issue clear arp-cache/clear arp/clear ip arp, the relevant ARP table output should clear.

- In addition to clearing the ARP cache, the clear arp-cache causes the particular device to send a gratuitous
ARP reply regarding its own address - usable if for whatever reason, the MAC address of the device
changes. The clear ip arp does not send gratuitous ARPs.

ARP Caching:

ARP is a dynamic resolution protocol, which means that every resolution requires the interchange of messages on
the network. Each time a device sends an ARP message, it ties up the local network, consuming network bandwidth
that cannot be used for “real” data traffic. ARP messages aren't large, but having to send them for every hop of
every IP datagram would represent an unacceptable performance hit on the network. It also wastes time compared to
the simpler direct mapping method of resolution. On top of this, the ARP Request message is broadcasted, which
means every device on the local network must spend CPU time examining the contents of each one.

The general solution to the efficiency issues with dynamic resolution is to employ caching, which I described in
general terms in the section on address resolution concepts. In addition to reducing network traffic, caching also
ensures that the resolution of commonly-used addresses is fast, making overall performance comparable to direct
mapping. For this reason, caching functionality has been built into ARP from the start.

Static and Dynamic ARP Cache Entries

The ARP cache takes the form of a table containing matched sets of hardware and IP addresses. Each device on the
network manages its own ARP cache table. There are two different ways that cache entries can be put into the ARP
cache:
o Static ARP Cache Entries: These are address resolutions that are manually added to the cache table for a
device and are kept in the cache on a permanent basis. Static entries are typically managed using a tool
such as the arp software utility. 

o Dynamic ARP Cache Entries: These are hardware/IP address pairs that are added to the cache by the
software itself as a result of successfully-completed past ARP resolutions. They are kept in the cache only
for a period of time and are then removed.

A device's ARP cache can contain both static and dynamic entries, each of which has advantages and disadvantages.
However, dynamic entries are used most often because they are automatic and don't require administrator
intervention.

Static ARP entries are best used for devices that a given device has to communicate with on a regular basis. For
example, a workstation might have a static ARP entry for its local router and file server. Since the entry is static, it is
always found in step #1 of the ARP transaction process, so there is no need to ever send resolution messages for the
destination in that entry. The disadvantage is that these entries must be manually added, and they must also be
changed if the hardware or IP addresses of any of the hardware in the entries change. Also, each static entry takes
space in the ARP cache, so you don't want to “overuse” static entries. It wouldn't be a good idea to have static
entries for every device on the network, for example.

[E] Interface is UP & line protocol is down:

Configuring and Troubleshooting Ethernet 10/100/1000Mb Half/Full Duplex Auto-Negotiation

http://www.cisco.com/c/en/us/support/docs/lan-switching/ethernet/10561-3.html?referring_site=bodynav

Troubleshooting Router Interfaces and Modules Issues

http://www.cisco.com/c/en/us/support/docs/interfaces-modules/interface-cards/71820-routermodules.html

Troubleshooting Switch Port and Interface Problems

http://www.cisco.com/c/en/us/support/docs/switches/catalyst-6500-series-switches/12027-53.html

[F] ICMP:
ICMP Error Message Types and Formats:

http://www.tcpipguide.com/free/t_InternetControlMessageProtocolICMPICMPv4andICMPv6.htm

http://www.tcpipguide.com/free/t_ICMPConceptsandGeneralOperation.htm

Message Type & Format:

http://www.tcpipguide.com/free/t_ICMPVersion4ICMPv4InformationalMessageTypesandForm.htm

Error Message Type & Format:

http://www.tcpipguide.com/free/t_ICMPVersion4ICMPv4ErrorMessageTypesandFormats.htm
ICMP Types and Codes

The original version of this file can be found here.

Jon Postel's original paper on ICMP, RFC 792.

Other RFCs referenced in this table can be accessed by visiting the RFC Index.

ICMP TYPE NUMBERS

The Internet Control Message Protocol (ICMP) has many messages that
are identified by a "type" field.

Type    Name                                    Reference
----    -------------------------               ---------
0       Echo Reply                              [RFC792]
1       Unassigned                              [JBP]
2       Unassigned                              [JBP]
3       Destination Unreachable                 [RFC792]
4       Source Quench                           [RFC792]
5       Redirect                                [RFC792]
6       Alternate Host Address                  [JBP]
7       Unassigned                              [JBP]
8       Echo                                    [RFC792]
9       Router Advertisement                    [RFC1256]
10      Router Selection                        [RFC1256]
11      Time Exceeded                           [RFC792]
12      Parameter Problem                       [RFC792]
13      Timestamp                               [RFC792]
14      Timestamp Reply                         [RFC792]
15      Information Request                     [RFC792]
16      Information Reply                       [RFC792]
17      Address Mask Request                    [RFC950]
18      Address Mask Reply                      [RFC950]
19      Reserved (for Security)                 [Solo]
20-29   Reserved (for Robustness Experiment)    [ZSu]
30      Traceroute                              [RFC1393]
31      Datagram Conversion Error               [RFC1475]
32      Mobile Host Redirect                    [David Johnson]
33      IPv6 Where-Are-You                      [Bill Simpson]
34      IPv6 I-Am-Here                          [Bill Simpson]
35      Mobile Registration Request             [Bill Simpson]
36      Mobile Registration Reply               [Bill Simpson]
37      Domain Name Request                     [Simpson]
38      Domain Name Reply                       [Simpson]
39      SKIP                                    [Markson]
40      Photuris                                [Simpson]
41-255  Reserved                                [JBP]

Many of these ICMP types have a "code" field. Here we list the types
again with their assigned code fields.

Type Name Reference
---- ------------------------- ---------
0 Echo Reply [RFC792]

Codes
0 No Code

1 Unassigned [JBP]

2 Unassigned [JBP]

3 Destination Unreachable [RFC792]

Codes
0 Net Unreachable
1 Host Unreachable
2 Protocol Unreachable
3 Port Unreachable
4 Fragmentation Needed and Don't Fragment was Set
5 Source Route Failed
6 Destination Network Unknown
7 Destination Host Unknown
8 Source Host Isolated
9 Communication with Destination Network is Administratively Prohibited
10 Communication with Destination Host is Administratively Prohibited
11 Destination Network Unreachable for Type of Service
12 Destination Host Unreachable for Type of Service
13 Communication Administratively Prohibited [RFC1812]
14 Host Precedence Violation [RFC1812]
15 Precedence cutoff in effect [RFC1812]

4 Source Quench [RFC792]


Codes
0 No Code

5 Redirect [RFC792]

Codes
0 Redirect Datagram for the Network (or subnet)
1 Redirect Datagram for the Host
2 Redirect Datagram for the Type of Service and Network
3 Redirect Datagram for the Type of Service and Host

6 Alternate Host Address [JBP]

Codes
0 Alternate Address for Host

7 Unassigned [JBP]

8 Echo [RFC792]

Codes
0 No Code

9 Router Advertisement [RFC1256]

Codes
0 No Code

10 Router Selection [RFC1256]

Codes
0 No Code

11 Time Exceeded [RFC792]

Codes
0 Time to Live exceeded in Transit
1 Fragment Reassembly Time Exceeded

12 Parameter Problem [RFC792]

Codes
0 Pointer indicates the error
1 Missing a Required Option [RFC1108]
2 Bad Length

13 Timestamp [RFC792]

Codes
0 No Code

14 Timestamp Reply [RFC792]

Codes
0 No Code

15 Information Request [RFC792]

Codes
0 No Code

16 Information Reply [RFC792]

Codes
0 No Code

17 Address Mask Request [RFC950]

Codes
0 No Code

18 Address Mask Reply [RFC950]

Codes
0 No Code

19 Reserved (for Security) [Solo]


20-29 Reserved (for Robustness Experiment) [ZSu]

30 Traceroute [RFC1393]

31 Datagram Conversion Error [RFC1475]

32 Mobile Host Redirect [David Johnson]

33 IPv6 Where-Are-You [Bill Simpson]

34 IPv6 I-Am-Here [Bill Simpson]

35 Mobile Registration Request [Bill Simpson]

36 Mobile Registration Reply [Bill Simpson]

39 SKIP [Markson]

40 Photuris [Simpson]

Codes
0 Reserved
1 unknown security parameters index
2 valid security parameters, but authentication failed
3 valid security parameters, but decryption failed

ICMP Message Types

The type field identifies the type of the message sent by the host or gateway. Many of the type fields contain more
specific information about the error condition. Table 3.2 lists the ICMP message types.

Table 3.2 ICMP Message Types

Type  Description
----  -----------
0     Echo Reply (Ping Reply, used with Type 8, Ping Request)
3     Destination Unreachable
4     Source Quench
5     Redirect
8     Echo Request (Ping Request, used with Type 0, Ping Reply)
9     Router Advertisement (Used with Type 9)
10    Router Solicitation (Used with Type 10)
11    Time Exceeded
12    Parameter Problem
13    Timestamp Request (Used with Type 14)
14    Timestamp Reply (Used with Type 13)
15    Information Request (obsolete) (Used with Type 16)
16    Information Reply (obsolete) (Used with Type 15)
17    Address Mask Request (Used with Type 17)
18    Address Mask Reply (Used with Type 18)


Because the ICMP message headers vary depending on which message is sent, we will discuss each type
separately, identifying the corresponding code fields, if applicable.

Ping: Echo Request and Reply—Types 8 and 0


We discuss the ICMP Echo Request Type 8 and Echo Reply Type 0 because ICMP uses these messages in tandem.
Remote hosts use these two message types to test connectivity. As previously mentioned, the user executes the Ping
utility, initiating the generation of ICMP echo requests with the expectation that the destination host sends a
corresponding echo reply. Upon successful receipt of the replies to the echo requests, the messages do the
following:

o Indicate a successful test.
o Assume that a valid communication path between the hosts exists.
o Assume the end host works through the Network layer.

Destination Unreachable—Type 3
ICMP Type 3 message Destination Unreachable alerts a source host of delivery problems encountered while trying
to reach the destination. Note that a destination host sends only code types 2 and 3; a router can send all codes.
Destination Unreachable uses several code values to further describe the function of the ICMP message being sent.
Each code type describes a different delivery problem encountered, as shown here:

0 = Network Unreachable

This message indicates that the router cannot find the destination network (does not exist or has failed) or has
no route to this network. In other words, the router cannot deliver or forward an IP datagram to the
destination network. This could be the result of a network that is beyond the maximum distance limitation for the
routing protocol in use and is therefore considered unreachable (too far). When a client attempts to connect to a
host on a network that is unreachable, a gateway generates this message to alert the source host of the
problem. You can think of this message as the gateway saying to the sending host, "The street you are trying to
locate is not found or is too far to reach."

1 = Host Unreachable
The host unreachable message alerts the sending host that the destination host requested cannot be found. This could
happen because this host has been turned off or does not exist.

2 = Protocol Unreachable

Protocol unreachable indicates that the Transport layer protocol (UDP or TCP) is not available. The destination host
or an intervening gateway might send this message. You can think of this message as saying, "The transport layer
protocol you are attempting to communicate with is not active on this host."

3 = Port Unreachable

A port unreachable message indicates that the process or application the source host is attempting to establish a
connection with is not active on the destination host. Typically this type of message is sent when an application has
not been started or has failed on this host. The destination host or an intervening gateway might send this message.

Example of an ICMP destination port unreachable message generated because the router or gateway could not find
the BOOTP server, or the server was unavailable.

4 = Fragmentation is needed, but don't-fragment bit set

This message occurs when a router receives a datagram that requires fragmentation, but the datagram has the DF
(don't-fragment) flag turned on. If you recall, the sending host generally has the responsibility of fragmentation. The
receiver has the responsibility of reassembly.

However, when a router cannot forward a datagram because it is too big, the router might, if allowed, fragment the
datagram further before transmitting it to an attached segment. If the datagram has the DF bit set, this will not happen
and the router will trash the datagram. It then alerts the sender of this action by sending a
Type 3, Code 4 message. The DF bit also can be used to determine the maximum packet size or MTU that hosts can
transmit end to end along the communication path.

ICMP message being sent by a gateway (36.53.0.204) stating the previous request failed because the port
request (68) is not active and therefore unreachable.

Hosts can use the ICMP messages sent by routers to resize datagrams, dynamically adjusting to the needs of the
network. This allows the host to determine the smallest MTU path to a destination.

5 = Source Route Failed

The message occurs if a router encounters a next hop in the source route that does not reside on a directly connected
network.

6 = Destination Network Unknown

This message occurs when a router receives an IP datagram that it cannot deliver or forward to a particular network
because it is unknown.

7 = Destination Host Unknown

This message occurs when a router receives an IP datagram that it cannot deliver or forward to a particular host
because it is unknown.

8 = Source Host Isolated (obsolete)

9 = Destination Network Administratively Prohibited

This message occurs when a router receives an IP datagram that it cannot deliver or forward to a particular network
because it is not allowed. Access to this network has been prohibited.

10 = Destination Host Administratively Prohibited

This message occurs when a router receives an IP datagram that it cannot deliver or forward to a particular host
because it is not allowed. Access to this host has been prohibited.

11 = Network Unreachable for ToS

This message occurs when a router receives an IP datagram that it cannot deliver or forward to a particular network
because the ToS requested is not available.

12 = Host Unreachable for ToS

This message occurs when a router receives an IP datagram that it cannot deliver or forward to a particular host
because the ToS requested is not available.

13 = Communication Administratively Prohibited by Filtering


This message occurs when a router receives an IP datagram that it cannot deliver or forward to a particular host
because it is not allowed. An administratively configured filter has prohibited access to this process or application.

14 = Host Precedence Violation

This message occurs when a router receives an IP datagram that it cannot deliver or forward to a particular host
because the precedence level requested does not match, and is not accepted or is invalid. This could be a source host
attempting to access a high security host without the necessary security clearance values.

15 = Precedence Cutoff in Effect

This message rarely occurs. However, you will receive this message when a packet is dropped by the cutoff
function.

Precedence Handling For All Routers

Routers must accept and route incoming traffic of all precedence levels normally, unless you have configured them to
do otherwise. If you want to learn more about precedence and Destination Unreachable messages 14 and 15, please
refer to RFC 1812, 5.3.3.3, "Precedence Handling for All Routers."

Source Quench—Type 4
A receiving host generates this message when it cannot process datagrams at the speed requested due to a lack of
memory or internal resources. This message serves as a simple flow control mechanism that a receiving host can
utilize to alert a sender to slow down its transmission of data. When the source host receives this message, it must
pass this information on to the upper-layer process, such as TCP, which then must control the flow of the
application's datastream. A router generates this message when, in the process of forwarding datagrams, it has run
low on buffers and cannot queue the datagram for delivery.

Redirect—Type 5
A router sends a redirect error to the sender of an IP datagram when the sender should have sent the datagram to a
different router or directly to an end host (if the end host is local). The message assists the sending host to direct a
misdirected datagram to a gateway or host. This alert does not guarantee proper delivery; the sending host has to
correct the problem if possible.

Only gateways generate redirect messages to inform source hosts of misguided datagrams. Note that a gateway
receiving a misdirected frame does not trash the offending datagram if it can forward it. The gateway forwards the
frame, sends an alert message to the source, and hopes the source host will properly direct future frames to the
designated host or gateway indicated in the message. ICMP redirect messages alert source hosts when a datagram
has been misdirected and should be resent. Four redirect error codes can occur:
0 = Redirect for Network
1 = Redirect for Host
2 = Redirect for Type-of-Service and Network
3 = Redirect for Type-of-Service and Host

Figure 3.14 shows an example of an ICMP redirect message. In this example, a gateway (36.53.0.1) alerts host
(36.53.0.174) that it should be sending future datagrams to the following gateway internet address (36.53.2.2). This
alert message also includes a copy of the offending IP header for the source host's inspection.

Figure 3.14 ICMP redirect messages are sent by gateways to hosts alerting them of messages that have been
misdirected.

Router Advertisement and Solicitation—Types 9 and 10


Rather than initializing a routing table with static routes specified in configuration files, you can use the ICMP
router advertisement and solicitation messages. After bootstrapping, a host can broadcast or multicast a
solicitation message, to which one or more routers respond with a router advertisement. This allows communicating
hosts to learn of available routes dynamically and update their routing tables. We will discuss routing in more detail
in Chapters 5 and 6.

Time Exceeded—Type 11
The time exceeded message occurs when a router receives a datagram with a TTL (Time To Live) of 0 or 1. IP uses
the TTL field to prevent infinite routing loops. A router cannot forward a datagram that has a TTL of 0 or 1. Instead,
it trashes the datagram and sends a time exceeded message. Two different time exceeded error codes can occur:

0 = Time-To-Live Equals 0 During Transit
1 = Time-To-Live Equals 0 During Reassembly

Note that a router cannot forward a datagram with a TTL of 0 or 1, whether during transit or reassembly.

As previously mentioned in the IP section of this chapter, the TTL timer is measured in seconds and originally was
used before the existence of routers to guarantee that a datagram did not live on the Internet forever. Each gateway
processing a datagram reduces this value by at least one, or by more if it takes longer to process and forward the
datagram. When this value expires, the gateway trashes the datagram and sends a message back to the sender
notifying the host of the situation.

The traceroute utility also uses the TTL value to discover the path or route to a destination host or network. Upon
execution of the traceroute command, the initial ICMP message is sent out with a TTL value of 1 set in the IP
header. You can use the traceroute program to determine, or rather trace, the path to a destination. Traceroute
accomplishes this by sending a sequence of datagrams with the TTL set to 1, 2, and so on. It then uses the ICMP
Time Exceeded messages like a trail of breadcrumbs to trace the routers along the path. We will provide you with
examples later in this section.

As you might recall from earlier in this chapter, when a router receives a datagram with a TTL of zero, it trashes the
datagram and returns an ICMP time exceeded message to the source. This message allows the host to learn of the
first router in the path to the destination. Figure 3.15 shows an ICMP message generated as a result of a TTL
expiration.

As shown in the figure, ICMP message type 11 alerts a source host of a TTL expiration. Code 0 identifies the reason
for the expiration as time to live being exceeded while the datagram was in transit. This message also includes a
copy of the original datagram header that caused the error to assist the source host in correcting the problem. In
the offending header contained within the ICMP message, you can see "TTL value = 0 seconds/hops,"
which is why the original datagram was trashed.

Figure 3.15 The ICMP time exceeded message is sent when the TTL timer expires.

Now the source host sends a new ICMP trace with a TTL value of 2, which allows this datagram to be forwarded by
the first router (which decrements the value by one) and reaches the next router in the path with a TTL of one. This
router must trash the frame and send back an ICMP time exceeded. This process continues until the path to the
destination network or host is fully discovered or deemed unreachable. As you can see, traceroute is another useful
troubleshooting tool, typically used in conjunction with other utilities such as the Ping utility to test connectivity
between two hosts.

TIP

Both the Ping and traceroute utilities can help you when troubleshooting.
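
The Redirect and Time Exceeded messages described above, as an added example (not from the original text): it builds the Figure 3.14 redirect from the addresses quoted in the text, parses the ICMP header and the copy of the offending IP header, verifies the checksum, and applies one defensive check that a redirect should come from the gateway the host already uses. The redirect code, the 192.0.2.10 destination, the UDP ports and the function names are assumptions made for the example.

```python
import ipaddress
import struct

ERROR_TYPES = {3: "Destination Unreachable", 4: "Source Quench", 5: "Redirect",
               11: "Time Exceeded", 12: "Parameter Problem"}
REDIRECT_CODES = {0: "Network", 1: "Host", 2: "ToS and Network", 3: "ToS and Host"}


def inet_checksum(data):
    """16-bit one's-complement checksum used by both IP and ICMP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4_header(src, dst, ttl, proto=17, total_len=28):
    """Minimal 20-byte IPv4 header without options, used for the constructed samples."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_icmp_error(icmp_type, code, rest, offending):
    """ICMP error = type, code, checksum, 4 type-specific bytes, offending datagram."""
    msg = struct.pack("!BBH4s", icmp_type, code, 0, rest) + offending
    return msg[:2] + struct.pack("!H", inet_checksum(msg)) + msg[4:]


def parse_icmp_error(msg):
    """Decode an ICMP error message and the embedded copy of the offending header."""
    if len(msg) < 8 + 20:
        raise ValueError("too short for an ICMP error with an embedded IP header")
    icmp_type, code, _checksum, rest = struct.unpack("!BBH4s", msg[:8])
    if icmp_type not in ERROR_TYPES:
        raise ValueError(f"type {icmp_type} is not an ICMP error message")
    inner = msg[8:]
    if inner[0] >> 4 != 4 or len(inner) < (inner[0] & 0x0F) * 4:
        raise ValueError("embedded header is not a complete IPv4 header")
    info = {
        "type": icmp_type, "name": ERROR_TYPES[icmp_type], "code": code,
        "checksum_ok": inet_checksum(msg) == 0,   # a valid message sums to zero
        "orig_ttl": inner[8], "orig_proto": inner[9],
        "orig_src": str(ipaddress.IPv4Address(inner[12:16])),
        "orig_dst": str(ipaddress.IPv4Address(inner[16:20])),
    }
    if icmp_type == 5:   # Redirect carries the address of the better gateway
        info["new_gateway"] = str(ipaddress.IPv4Address(rest))
        info["redirect_for"] = REDIRECT_CODES.get(code, "unknown")
    return info


def redirect_from_current_gateway(info, sender_ip, default_gateway):
    """Defensive check: accept a redirect only from the gateway already in use."""
    return info["type"] == 5 and info["checksum_ok"] and sender_ip == default_gateway


# Constructed first 8 bytes of the offending datagram (a UDP header).
UDP8 = struct.pack("!HHHH", 40000, 33434, 8, 0)

# Figure 3.14: gateway 36.53.0.1 tells host 36.53.0.174 to use 36.53.2.2.
REDIRECT = build_icmp_error(
    5, 1, ipaddress.IPv4Address("36.53.2.2").packed,
    build_ipv4_header("36.53.0.174", "192.0.2.10", ttl=64) + UDP8)

# Time Exceeded, code 0: the embedded header shows the expired TTL.
TIME_EXCEEDED = build_icmp_error(
    11, 0, b"\x00" * 4,
    build_ipv4_header("36.53.0.174", "192.0.2.10", ttl=0) + UDP8)

if __name__ == "__main__":
    redirect = parse_icmp_error(REDIRECT)
    print(redirect)
    print("trusted:", redirect_from_current_gateway(redirect, "36.53.0.1", "36.53.0.1"))
    print(parse_icmp_error(TIME_EXCEEDED))
```
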

Parameter Problem—Type 12
The parameter problem message indicates that a host or gateway received and could not interpret an invalid or
misunderstood parameter. A host or gateway also can send this message when no other ICMP message covering the
problem can be used to alert the sending host. In this respect, it is a catchall message. In most cases this message
indicates some type of implementation error occurred, perhaps because of vendor incompatibility issues. A host or
gateway will not send this message unless it trashes the datagram containing the parameter problem.

Two parameter problem error messages can occur:

0 = IP Header Bad (catchall error)
A host or gateway sends this error to indicate a general implementation error of an unspecific nature.

1 = Required Option Missing
The host or gateway expected a specific option, but the sender did not send it.

Timestamp Request and Reply—Types 13 and 14


Timestamp request and reply messages work in tandem. You have the option of using timestamps. When used, a
timestamp request permits a system to query another for the current time. It expects a recommended value returned
to be the number of milliseconds since midnight, Coordinated Universal Time. This message provides millisecond
resolution, considered a beneficial feature when compared to other means of obtaining time from another host who
provides resolution in seconds. The two systems compare the three timestamps and use RTT to adjust the sender's or
receiver's time if necessary. Note that most systems set the transmit and receive time as the same value.

The process for time resolution goes as follows:

1. The requestor stamps the originate time and sends the query.
2. The replying system stamps the receive time when it receives the query.
3. The replying system stamps the transmit time when it sends the reply to the query.

Information Request and Reply—Types 15 and 16


Although ICMP messages list information request and reply as a potential ICMP message type, they actually do not
occur; thus they are obsolete. A host can request information such as to what network it was attached.

Address Mask Request and Reply—Types 17 and 18


Address mask request and reply messages work in tandem. Although we rarely use this message today, its original
design supported the function of dynamically obtaining a subnet mask. Hosts can use the ICMP address mask
request to acquire subnet masks during bootstrap from a remote host. However, problems can occur when using
ICMP to receive a mask if a host gives an incorrect mask from an external source. If the external source does not
give a response, the source host must assume a classful mask (that the network is not subnetted).

Summary
IP is the workhorse of the Network layer within the TCP/IP suite. All protocols and applications utilize IP for logical
Network layer addressing and transmission of datagrams between internet hosts. IP provides an unreliable,
connectionless datagram delivery service and uses ICMP to send messages when it encounters an error.

End hosts and routers use ICMP as a control, messaging, and diagnostic tool. ICMP utilizes IP to deliver its messages
and is considered an integral part of IP. ICMP messages notify a host of problems. Although ICMP does not offer a
solution to these problems, it can provide enough information for a source host to solve some of the problems that
might occur in the internetwork. The most popular ICMP message is the echo request and reply. Utilizing the Ping
utility, these messages allow you to test connectivity between end hosts.

What is a LAN Switch?
- A LAN switch is a multiport bridge that allows workstations to attach directly to the switch to experience full
media bandwidth and enables many workstations to transmit concurrently.

[] End Host with different VLAN (10 and 20) Communication when Switches are connecting through Access
Port:

VLANs are locally significant


One common misconception regarding VLANs is that they are significant beyond a single switch. Of course, VLAN
numbers have to match for trunking to work, and VTP can be used to automatically propagate VLAN information.
However, a VLAN, being essentially little more than a number, is significant only within a device. Consider the
following scenario:

All of the ports on switch A are set to access mode in VLAN 10, and all of the ports on switch B are set to access
mode in VLAN 20. Note that the connection between the two switches is not a trunk; each end is configured as an
access port in the respective VLAN. Our two hosts A and B are similarly connected to different VLANs, but still
reside in the same IP subnet. Can hosts A and B communicate?

The answer is yes. Follow the path of a frame leaving host A destined for host B. Switch A receives this frame on a
port in VLAN 10, so it can only egress out another port in VLAN 10 or a trunk port. It performs the usual MAC
lookup to determine that the appropriate outbound port is its link to switch B. Now, here's the key: the frame is
forwarded to switch B without a VLAN tag, because this is an access port. Switch B receives the frame on an
interface it considers VLAN 20 and performs the same switching decision to forward the frame to host B.

So, does it work? Yep! Is it a good idea? Probably not. In an instance where VLANs are used, you're probably using
more than one. For this reason and others, it's recommended to always trunk between switches using IEEE 802.1q or
(less favorably) Cisco ISL.
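
The two-switch scenario above as a small simulation, added here and not part of the original post: each switch classifies an untagged frame purely by the access VLAN of the ingress port, so VLAN 10 traffic lands in VLAN 20 across the access link, while an 802.1Q trunk carries the tag and keeps the VLANs apart. Port names, MAC addresses and the Switch model are constructed; trunks here allow all VLANs and have no native VLAN.

```python
from typing import NamedTuple


class Host(NamedTuple):
    name: str
    mac: str


class Switch:
    def __init__(self, name):
        self.name = name
        self.ports = {}   # port -> ("access", vlan) or ("trunk", None)
        self.peers = {}   # port -> Host, or (Switch, peer_port)
        self.cam = {}     # (vlan, mac) -> port, learned from source addresses

    def receive(self, port, src, dst, tag, log):
        """Process one frame arriving on `port`; return names of hosts that accept it."""
        mode, access_vlan = self.ports[port]
        if mode == "access" and tag is not None:
            log.append(f"{self.name} {port}: dropped tagged frame on access port")
            return []
        if mode == "trunk" and tag is None:
            log.append(f"{self.name} {port}: dropped untagged frame on trunk")
            return []
        # Access port: the VLAN comes from the port. Trunk: it comes from the tag.
        vlan = access_vlan if mode == "access" else tag
        self.cam[(vlan, src)] = port
        log.append(f"{self.name} {port}: frame placed in VLAN {vlan}")

        known = self.cam.get((vlan, dst))
        egress = [known] if known is not None else list(self.ports)  # unknown: flood
        delivered = []
        for out_port in egress:
            if out_port == port:
                continue                      # never send back out the ingress port
            out_mode, out_vlan = self.ports[out_port]
            if out_mode == "access" and out_vlan != vlan:
                continue                      # access port belongs to another VLAN
            peer = self.peers[out_port]
            if isinstance(peer, Host):
                if peer.mac == dst:           # the NIC accepts only its own address
                    delivered.append(peer.name)
            else:
                neighbour, neighbour_port = peer
                out_tag = vlan if out_mode == "trunk" else None   # access strips the tag
                delivered += neighbour.receive(neighbour_port, src, dst, out_tag, log)
        return delivered


HOST_A = Host("hostA", "02:00:00:00:00:0a")   # on switch A, access VLAN 10
HOST_B = Host("hostB", "02:00:00:00:00:0b")   # on switch B, access VLAN 20


def send_a_to_b(inter_switch_mode):
    """inter_switch_mode: 'access' (the scenario above) or 'trunk' (802.1Q both ends)."""
    sw_a, sw_b = Switch("SwitchA"), Switch("SwitchB")
    if inter_switch_mode == "access":
        uplink_a, uplink_b = ("access", 10), ("access", 20)
    else:
        uplink_a, uplink_b = ("trunk", None), ("trunk", None)
    sw_a.ports = {"Fa0/1": ("access", 10), "Fa0/24": uplink_a}
    sw_b.ports = {"Fa0/1": ("access", 20), "Fa0/24": uplink_b}
    sw_a.peers = {"Fa0/1": HOST_A, "Fa0/24": (sw_b, "Fa0/24")}
    sw_b.peers = {"Fa0/1": HOST_B, "Fa0/24": (sw_a, "Fa0/24")}
    log = []
    delivered = sw_a.receive("Fa0/1", HOST_A.mac, HOST_B.mac, None, log)
    return delivered, log


if __name__ == "__main__":
    for mode in ("access", "trunk"):
        delivered, log = send_a_to_b(mode)
        print(mode, "link -> delivered to", delivered)
        for line in log:
            print("   ", line)
```
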
[ ] Inter VLAN Routing Flow:

In lesson 16, you had a chance to see how to implement simple VLAN scenario. It is relatively easy to
configure VLANs, but what is far more important, is to understand the traffic flow between them. This
post is going to show you step-by-step, how traffic flows between VLAN 10 and VLAN 20 used in the
previous lesson.

Fancy a little, virtual journey between VLANs?

Our topology looks like this:

In our scenario, PC1 (source) is going to send the packet to PC2 (destination). Let's jump on the packet
and see what happens, shall we?
NOTICE!
MAC addresses use hexadecimal notation and are case insensitive (i.e. lower or upper case are
interpreted as the same address).

PC1 (hostname=ancient) Addresses:


IP: 192.168.10.1/24
MAC: 0050.BF9C.456A
Gateway: 192.168.10.254

PC2 (hostname=red) Addresses:

IP: 192.168.20.1/24
MAC: 0010.5AD3.E4E0
Gateway: 192.168.20.254

NOTICE!
R1's interface FastEthernet0/0 has been configured as two sub-interfaces, but the MAC address used by
both of them is the same (real MAC address of Fas0/0)

R1 Addresses:

Gateway for VLAN 10 clients (sub-interface)
F0/0.10
IP: 192.168.10.254/24

Gateway for VLAN 20 clients
F0/0.20
IP: 192.168.20.254/24

F0/0 (both sub-interfaces use the real MAC below)
MAC: 000F.F752.EFE0

Having learned all these addresses we can finally hit the road!

Step 1
PC1 (ancient) wants to send a packet to PC2 (red). Since the IP address of PC2 (destination) is NOT in
the same layer 3 network as PC1 (source), it must be delivered to the default gateway. PC1 checks the
destination IP by comparing the first 24 bits of its own IP address (it uses a 24-bit subnet mask=255.255.255.0)
with the first 24 bits of the destination IP address.
192.168.10.0 (first 24 bits of PC1 in decimal notation)
192.168.20.0 (first 24 bits of PC2 in decimal notation)

The first sixteen bits (two bytes) are identical, but the third byte is NOT! 

The packet must be sent to PC1's default gateway (192.168.10.254).

Step 2
The packet is encapsulated in a layer 2 Ethernet header. The source MAC address
is PC1's (ancient=0050.BF9C.456A) and the destination MAC address must be the default gateway's MAC
address. PC1 (ancient) tries to find the mapping of the default gateway IP to its MAC address as shown
below. If one is not found, an ARP request is sent asking for it. In my case the PC1 has it.

Pic. 2 - PC1 (ancient) ARP cache has mapping of R1's IP to its MAC address.

IP packet is encapsulated in the Ethernet header:


Src IP=192.168.10.1
Dst IP=192.168.20.1
Src MAC=0050.BF9C.456A
Dst MAC=000F.F752.EFE0

Those addresses are NOT going to change until the frame is delivered to the R1 router (look at step 7).

The frame leaves PC1 (ancient) and is sent towards SW1, interface F0/1.

Step 3
SW1 receives the frame on port F0/1. It learns or refreshes its MAC address table entry (PC1's source
MAC address on F0/1). Remember that F0/1 is now an 'access' port assigned to VLAN 10! This means
that all traffic coming to that port is considered as sourced by VLAN 10.

Pic. 3 - SW1 CAM entry for PC1.


SW1 must now find the outbound port for our destination MAC address (R1=000F.F752.EFE0). 

Step 4
SW1 looks into its Content Addressable Memory (CAM) aka MAC address table, and finds the outbound
port showing where the destination MAC has been previously learned.

Pic. 4 - SW1 outbound interface.

SW1 performs an additional check. It must make sure that the inbound interface (F0/1) and the
outbound one (F0/15) belong to the SAME VLAN. As the F0/15 (outbound) interface is in a trunking
mode, and allows ALL VLANs by default, the frame can be sent out that port. The frame is moved to the
outbound interface (F0/15) and the TAG is going to be injected with the source VLAN identifier (VLAN
10).

Step 5
SW3 (port F0/15) receives the frame with the TAG containing source VLAN 10. It refreshes the
entry regarding the sender's MAC address (0050.BF9C.456A) on port F0/15. As this interface is also
configured as a trunk, it accepts the frame with the 802.1q TAG inserted into the frame. It processes the
frame, trying to find the outbound interface by looking at the destination MAC address (000F.F752.EFE0).
The entry is found in the CAM as shown below (pic. 5).

Pic. 5 - Default Gateway MAC address Entry on SW3.

The SW3 realizes that the outbound port is also a trunk interface. The frame is moved to F0/1 interface
and the TAG (with source VLAN 10) is going to be preserved while sending this frame towards R1's F0/0
interface.
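
The forwarding decision from Steps 3 to 5, as a small Python model added here for illustration (not part of the original lesson): the switch learns the sender per VLAN, looks up the destination, and only sends out of ports that carry the frame's VLAN. Port F0/2 in VLAN 20 is a made-up port; native VLANs and CAM aging are not modelled.

```python
TRUNK = "trunk"

class Switch:
    """Access ports carry one VLAN untagged, trunk ports carry all VLANs tagged."""

    def __init__(self, ports):
        self.ports = ports      # e.g. {"F0/1": 10, "F0/15": TRUNK}
        self.cam = {}           # (vlan, mac) -> port; entries are kept per VLAN

    def carries(self, port, vlan):
        return self.ports[port] in (TRUNK, vlan)

    def receive(self, in_port, src, dst, tag=None):
        """Return [(out_port, tag_on_wire)]; tag_on_wire is None on access ports."""
        mode = self.ports[in_port]
        if (mode == TRUNK) != (tag is not None):
            return []           # simplification: untagged on trunk / tagged on access is dropped
        vlan = tag if mode == TRUNK else mode
        self.cam[(vlan, src)] = in_port                      # learn or refresh the sender
        known = self.cam.get((vlan, dst))
        candidates = [known] if known else list(self.ports)  # unknown unicast is flooded
        return [(p, vlan if self.ports[p] == TRUNK else None)
                for p in candidates
                if p != in_port and self.carries(p, vlan)]

PC1, R1 = "0050.BF9C.456A", "000F.F752.EFE0"   # MAC addresses from the page

def demo():
    # F0/1 and F0/15 are the page's SW1 ports; F0/2 (VLAN 20) is a made-up port
    # added to show that VLAN 10 traffic never leaves through it.
    sw1 = Switch({"F0/1": 10, "F0/2": 20, "F0/15": TRUNK})
    flooded = sw1.receive("F0/15", R1, PC1, tag=10)   # earlier traffic from R1: CAM learns it
    forwarded = sw1.receive("F0/1", PC1, R1)          # Steps 3-4: PC1 to its default gateway
    return flooded, forwarded, dict(sw1.cam)

if __name__ == "__main__":
    for item in demo():
        print(item)
```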

Step 6
Here's a tricky part. Normally, the R1 would expect to see just a regular Ethernet header (no TAG in it),
but R1 has been configured to accept frames with the TAG containing VLAN 10 in it! Look at the picture
below.

Pic. 6 - R1 accepts Ethernet header with the TAG containing VLAN 10 identifier.

Can you see this line: encapsulation dot1Q 10?

The TAG with VLAN 10 is allowed on this sub-interface. Now, since the layer 2 header is useless
(remember that a router is a layer 3 device), it is stripped off and ditched. What is now being processed
is the IP header. R1 reads the destination IP address (192.168.20.1) and tries to find the outbound
interface in the routing table by comparing source and destination IP addresses.

Step 7
The destination IP address (192.168.20.1) is compared with the entries in the routing table. The longest
match for our destination points to the F0/0.20 sub-interface (pic. 7). According to the routing
table, the destination IP address (192.168.20.1) is directly connected to R1 (sub-interface F0/0.20).

Pic. 7 - R1 routing table.

The packet is moved from F0/0.10 sub-interface (inbound), to the F0/0.20 sub-interface (outbound).
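
The two layer 3 decisions made so far, PC1's AND comparison from Step 1 and R1's longest-match lookup from Step 7, as an added Python example (not from the original lesson). The connected networks and sub-interfaces are the page's; the default route and interface F0/1 are assumptions added so that more than one entry matches.

```python
import ipaddress

def network_of(ip, mask):
    """AND the address with the mask, as PC1 does in Step 1."""
    ip_int = int(ipaddress.IPv4Address(ip))
    mask_int = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(ip_int & mask_int))

def arp_target(src_ip, mask, dst_ip, gateway):
    """IP address whose MAC the sending host needs for the Ethernet header."""
    if network_of(src_ip, mask) == network_of(dst_ip, mask):
        return dst_ip      # same network: the frame goes straight to the destination
    return gateway         # different network: the frame goes to the default gateway

# Constructed routing table for R1. The two connected /24 networks and their
# sub-interfaces come from the page; the default route and "F0/1" are made up
# to show that the longest matching prefix wins.
R1_ROUTES = [
    ("0.0.0.0/0", "F0/1"),
    ("192.168.10.0/24", "F0/0.10"),
    ("192.168.20.0/24", "F0/0.20"),
]

def lookup(dst_ip, routes=R1_ROUTES):
    """Return the outbound interface of the longest prefix that contains dst_ip."""
    dst = ipaddress.IPv4Address(dst_ip)
    best_len, best_iface = -1, None
    for prefix, iface in routes:
        net = ipaddress.IPv4Network(prefix)
        if dst in net and net.prefixlen > best_len:
            best_len, best_iface = net.prefixlen, iface
    return best_iface

if __name__ == "__main__":
    print(network_of("192.168.10.1", "255.255.255.0"))   # PC1's network
    print(network_of("192.168.20.1", "255.255.255.0"))   # PC2 seen through PC1's mask
    print(arp_target("192.168.10.1", "255.255.255.0", "192.168.20.1", "192.168.10.254"))
    print(lookup("192.168.20.1"))
```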

Step 8
Since the interface is also configured with encapsulation dot1Q, the packet is going to be encapsulated
with new source and destination MAC addresses and the TAG with the new source VLAN identifier
(VLAN 20). Take a look at the picture below (pic. 8).

Pic. 8 - R1's outbound sub-interface configuration.

Step 9 
R1 encapsulates the IP packet in the Ethernet header as follows:
Src IP=192.168.10.1
Dst IP=192.168.20.1
Src MAC=000F.F752.EFE0 
Dst MAC=0010.5AD3.E4E0 (PC2)
VLAN ID=20 

Since the destination for the packet is directly connected to R1, the destination MAC address (that
of PC2) is found in the ARP cache on R1. If one is not found, R1 sends an ARP request asking for it, as the
destination is on a directly connected network.

Pic. 9 - ARP Cache on R1 shows MAC address for 192.168.20.1 (the last entry).

Step 10
The frame leaves sub-interface F0/0.20 with the TAG containing source VLAN 20 identifier as per R1's
configuration (pic. 8).
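
What the frame looks like on the wire at Steps 2, 4, 9 and 13, as an added Python example (not from the original lesson): the 4-byte 802.1Q tag sits after the source MAC on trunks, R1 replaces the MAC addresses and the VLAN ID, and the IP payload is carried through unchanged. The payload is a constructed stand-in holding only the two IP addresses.

```python
import struct

TPID_8021Q = 0x8100      # value in the EtherType position that announces an 802.1Q tag
ETHERTYPE_IPV4 = 0x0800
PC1, R1, PC2 = "0050.BF9C.456A", "000F.F752.EFE0", "0010.5AD3.E4E0"
PACKET = bytes([192, 168, 10, 1, 192, 168, 20, 1])  # constructed: src and dst IP only

def mac_bytes(mac):
    return bytes.fromhex(mac.replace(".", ""))       # "0050.BF9C.456A" -> 6 bytes

def mac_text(raw):
    return ".".join(raw.hex().upper()[i:i + 4] for i in range(0, 12, 4))

def build_frame(dst, src, payload, vlan=None):
    """Ethernet II header; a 4-byte 802.1Q tag follows the source MAC when vlan is set."""
    header = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN ID must be in 1..4094")
        header += struct.pack("!HH", TPID_8021Q, vlan)   # priority and DEI bits left at 0
    return header + struct.pack("!H", ETHERTYPE_IPV4) + payload

def parse_frame(frame):
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack("!H", frame[12:14])
    vlan, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, offset = tci & 0x0FFF, 18                  # low 12 bits are the VLAN ID
    return {"dst": mac_text(frame[0:6]), "src": mac_text(frame[6:12]),
            "vlan": vlan, "ethertype": ethertype, "payload": frame[offset:]}

def reframe(frame, dst, src, vlan=None):
    """Keep the layer 3 payload, replace the whole layer 2 header."""
    return build_frame(dst, src, parse_frame(frame)["payload"], vlan)

def walk():
    from_pc1 = build_frame(R1, PC1, PACKET)           # Step 2: untagged on the access port
    on_trunk = reframe(from_pc1, R1, PC1, vlan=10)    # Step 4: SW1 adds the tag on the trunk
    from_r1 = reframe(on_trunk, PC2, R1, vlan=20)     # Steps 8-9: R1 rewrites layer 2
    to_pc2 = reframe(from_r1, PC2, R1)                # Step 13: SW2 removes the tag
    return [parse_frame(f) for f in (from_pc1, on_trunk, from_r1, to_pc2)]

if __name__ == "__main__":
    for f in walk():
        print(f)
```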

Step 11
SW3 receives the frame on its F0/1 interface, but this time the MAC addresses look like below:
Src MAC: 000F.F752.EFE0 (R1's f0/0)
Dst MAC: 0010.5AD3.E4E0 (PC2)
SW3 refreshes the source MAC on its F0/1 interface. Since it is configured as a trunk port, the TAG
containing source VLAN 20 is allowed to be there.

Step 12
SW3 processes the frame and reads the destination MAC address (0010.5AD3.E4E0), trying to find the
outbound interface for that destination. The entry is found pointing to F0/15 as the outbound interface
(pic. 10).

Pic. 10 - SW3 entry for PC2 MAC address.

Step 13
The frame is delivered back to F0/15 of SW1. SW1 refreshes the source MAC address (000F.F752.EFE0)
on its interface F0/15 and does a lookup in its CAM table, trying to find the outbound interface for
our destination MAC address (PC2). One is found as shown below.

Pic. 11 - SW1 finds the outbound interface for destination MAC (PC2)

Since both ports: inbound and outbound are trunks, the frame is sent out that port carrying VLAN 20.
You can now guess what happens when the frame is delivered to SW2 port F0/13. Source MAC address
is going to be refreshed on that port in the MAC address table (source here is the R1's MAC address).
The inbound interface F0/13 on SW2 is configured as trunk port so it allows the TAG to be part of the
Ethernet header. SW2's outbound interface is going to be F0/1. Since this port is configured as an
'access' interface and is a member of VLAN 20, both source and destination VLANs are the same. The
frame is moved to the port F0/1, then the TAG is removed, as the outbound port is in 'access mode', and
the frame is finally sent to PC2.

You may now be wondering why the path between the two VLANs looks like this. Why does SW3 not
send the frame directly to SW2, but send it back through SW1 instead?

In order to answer that question, I must explain the details of Spanning-Tree Protocol. But this is the
topic I will focus on in the upcoming lessons (starting with lesson 19).

Before we leave VLANs for good, I would like to dedicate one more lesson to it. In this lesson (lesson 18)
I will try to help you check if you truly understand the implications of using VLANs, access and trunking
interfaces. I'll also show you a Cisco proprietary protocol called VLAN Trunking Protocol (VTP). This protocol
is used to disseminate the VLANs among switches automatically.

[] OSI Layer Example with Web Browser:

LAYER (EXAMPLE): FUNCTION/ACTIVITY

APPLICATION (Web Browser):
A web browser such as Internet Explorer or Netscape provides the means for your computer to contact
a web server and download several files that go together to produce a single web page. You can
request a web page by typing in a web address (a URL) or by clicking a link in an open web page. The
web browser is an APPLICATION. The web browser application gives you the means to select a web
server, contact the server and request a web page. The web browser handles the process of finding the
web server (the remote computer that has the web page you want stored on it), requesting the desired
web page and displaying all the files contained within the web page.

PRESENTATION (HTTP):
The web browser handles PRESENTATION of the web page to the user by converting the files stored at
the web server into formats used to display them on your computer. Your web browser supports various
text formats (UNICODE and ASCII), image file formats (JPG, GIF, PNG, BMP), audio file formats (WAV,
MP3, AIFF) as well as Hypertext Markup Language (HTML) and one or more scripting languages
(JavaScript, JScript, VBScript). Conversion of data from one format to another is the job of the
PRESENTATION layer. A web browser can convert these file formats into the local formats used on the
local computer for displaying images, playing sounds and displaying text; if it cannot, it often can
launch an application which does understand the format. Many of the PRESENTATION layer conversions
are handled in the program you're running.

SESSION (HTTP):
When you request a web page, the web browser opens a TCP connection to the web server. The web
server sends back the web page and closes the connection. Your web browser then parses the HTML of
the web page. Within the web page are instructions written in HTML tags which tell the browser where
to find additional files to be displayed within the web page such as style sheets, sound files,
images, movies, Flash files and applets. Your web browser automatically opens additional TCP
connections to the web server. Each TCP connection is a SESSION.

TRANSPORT (TCP):
To communicate with a web server your computer must open a TCP connection to the web server and
request a web page. The TCP connection breaks up the web page into manageable chunks, labels them
with numbers so they can be reassembled in the correct order and TRANSPORTS the pieces across the
correct SESSION.

NETWORK (IP, ARP):
Internet Protocol (IP) is a NETWORK layer protocol that uses unique addresses for the web server and
for your computer. IP provides the means for your computer to determine whether the web server is a
local computer or a computer located somewhere on the Internet. To reach a web server on the
Internet, IP protocol also allows your computer to figure out how to reach the Internet web server
via your default gateway. Your computer creates a message addressed to the web server with your
computer's return IP address. Your computer uses ARP to figure out the physical MAC address of the
default gateway and then passes the data to the NETWORK layer.

DATA LINK (Ethernet: LLC, MAC):
Once the request from your web browser has been created it is sent to the network card. Once it
reaches your network card it must be converted into a message that is sent from your computer to the
default gateway which will forward the message to the Internet. At the DATA LINK layer, the web
request is inserted inside a network request to the default gateway.

PHYSICAL (Ethernet: CSMA/CD):
The physical layer provides the means to transmit the web page request to the default gateway.

 
Keep in mind that this entire system didn't spring into existence in a day. It
took decades for dozens of developments to come together to make the process of
requesting, retrieving, delivering and displaying web pages possible.
- See more at: http://www.inetdaemon.com/tutorials/basic_concepts/network_models/osi_model/real_world_example.shtml
