IP Packet flow/Fundamentals of Routing

  • This blog gives a high-level explanation of how basic packet flow works in a network made up of your PC, switches and routers.
  • We will walk through every step in the topology below with a lab, following how a packet flows from host to host across different networks while passing through switches and routers.
  • Before diving into this article, I hope everyone is familiar with the basic functionality of routers and switches and how they work.

Just two lines to begin with:

“Routers will always route between networks”

“Switches switch within the subnet”

We will go through every device and see how the packet is processed in the network, with a live example and packet captures. We will check the communication from PC1, which is in the 10.0.0.0/24 network, to PC4, which is in 20.0.0.0/24.

Let’s dig in and start with the basic fundamentals of IP routing:

  • As we know, a router refers to its routing table to make forwarding decisions, so how does it select the route?
  • The fundamentals of routing below will remain the same no matter what new technologies come up.
  1. Routing is 2-way, as in any communication: both the FORWARD and the REVERSE route are necessary.
  2. To select the best path, the router performs the following lookups in the routing table, in this order:
     • Longest prefix match (/32, /31, /30 …).
     • AD value (the administrative distance assigned to protocols, be it static or dynamic).
     • Metric (depends on how the protocol assigns it: for OSPF it is cost, for RIP it is the number of hops …).
     • Load balancing.
  3. For end-to-end IP communication, the source IP and destination IP do not change (the exception is NAT); the source MAC and destination MAC change at every hop.
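The selection order in point 2, as an added example (not code from the original post). The first five entries mirror R1's routing table shown later in this article; the remaining candidate routes, their next hops and the name `select_routes` are constructed for illustration, using the default AD values of 0 for connected, 1 for static, 110 for OSPF and 120 for RIP.

```python
import ipaddress
from collections import namedtuple

Route = namedtuple("Route", "prefix ad metric next_hop source")

CANDIDATES = [
    # From R1's routing table in this article (connected/local AD 0, static [1/0]).
    Route("10.0.0.0/24", 0, 0, "connected", "C"),
    Route("10.0.0.254/32", 0, 0, "connected", "L"),
    Route("20.0.0.0/24", 0, 0, "connected", "C"),
    Route("20.0.0.1/32", 0, 0, "connected", "L"),
    Route("30.0.0.0/24", 1, 0, "20.0.0.2", "S"),
    # Constructed candidates (not on the page) that exercise each tie-break.
    Route("30.0.0.0/8", 110, 20, "20.0.0.9", "O"),    # shorter prefix loses to the /24
    Route("40.0.0.0/24", 120, 2, "20.0.0.7", "R"),    # RIP: higher AD loses
    Route("40.0.0.0/24", 110, 30, "20.0.0.8", "O"),   # OSPF, equal cost
    Route("40.0.0.0/24", 110, 30, "20.0.0.9", "O"),   # OSPF, equal cost
    Route("40.0.0.0/24", 110, 50, "20.0.0.10", "O"),  # OSPF, higher cost loses
]

def select_routes(table, dst):
    """Best route(s) for dst: longest prefix, then lowest AD, then lowest metric.
    Several results mean equal-cost load balancing; an empty list means drop."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in table if dst in ipaddress.ip_network(r.prefix)]
    if not matches:
        return []  # no matching entry and no default route: the packet is dropped
    longest = max(ipaddress.ip_network(r.prefix).prefixlen for r in matches)
    matches = [r for r in matches
               if ipaddress.ip_network(r.prefix).prefixlen == longest]
    best_ad = min(r.ad for r in matches)
    matches = [r for r in matches if r.ad == best_ad]
    best_metric = min(r.metric for r in matches)
    return [r for r in matches if r.metric == best_metric]

if __name__ == "__main__":
    for dst in ("30.0.0.2", "30.9.9.9", "10.0.0.254", "40.0.0.5", "50.0.0.1"):
        chosen = select_routes(CANDIDATES, dst)
        print(dst, "->", [(r.prefix, r.next_hop) for r in chosen] or "drop")
```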

Let’s start with the fundamentals of IP routing / basics / packet flow:

Host PC1 wants to communicate with Host PC2. Let’s see how this is done, and how the packet flows and is processed at each device.

PART 1: PC1 pings PC4, and the packet reaches Router R1

PC1> show ip 

NAME        : PC1[1]
IP/MASK     : 10.0.0.1/24
GATEWAY     : 10.0.0.254
DNS         : 
MAC         : 00:50:79:66:68:00
LPORT       : 20030
RHOST:PORT  : 127.0.0.1:20031
MTU:        : 1500
  • PC1 pings PC4 (30.0.0.2).
  • PC1 wants to communicate with PC2, so it creates a packet with source IP 10.0.0.1 and destination IP 30.0.0.2 (the destination IP comes from the ping). The first question is whether the destination IP is in the same subnet (local) or in a different subnet (remote).
  • Since the destination IP is in a different subnet, PC1 uses its default gateway (R1) to communicate outside its own network.
  • To deliver the packet, PC1 needs the MAC address of the default gateway. If it has already learned it, it adds it to the L2 frame; if not, it sends an ARP broadcast to learn the MAC of R1. In this case it did not know the MAC, so it sent an ARP request (ARP = request the MAC for an IP) and learned the MAC address of R1 as shown below. A couple of things to note in the highlighted part: the L2 broadcast address ff:ff:ff:ff:ff:ff is used, and the type value 0x0806 in the header tells everyone that this is an ARP packet. For more details on ARP, there is a separate blog.

The ARP packet arrives at S1. Since S1 is a switch, on receiving the broadcast frame it forwards it to all ports except the port on which the broadcast came in.

In this case, when S1 receives the broadcast frame on its Gig0/1 port, it forwards it to all ports except Gig0/1. The switch also adds the MAC entry of PC1 to its MAC table, and adds the MAC of R1 when R1 responds to PC1 with its own MAC address for 10.0.0.254.

S1#show mac address-table 
          Mac Address Table
-------------------------------------------

Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
   1    0050.7966.6800    DYNAMIC     Gi0/1
   1    0cd7.dc6d.fe01    DYNAMIC     Gi0/0
Total Mac Addresses for this criterion: 2

Only R1 responds, since the target IP matches one of its interfaces, so it sends its MAC address to PC1.

R1#show ip arp 
Protocol  Address          Age (min)  Hardware Addr   Type   Interface
Internet  10.0.0.1                4   0050.7966.6800  ARPA   GigabitEthernet0/1
Internet  10.0.0.254              -   0cd7.dc6d.fe01  ARPA   GigabitEthernet0/1
Internet  20.0.0.1                -   0cd7.dc6d.fe00  ARPA   GigabitEthernet0/0
Internet  20.0.0.2               23   0cd7.dcd1.a800  ARPA   GigabitEthernet0/0

R1#show ip int b
Interface                  IP-Address      OK? Method Status                Protocol
GigabitEthernet0/0         20.0.0.1        YES manual up                    up      
GigabitEthernet0/1         10.0.0.254      YES manual up                    up      
GigabitEthernet0/2         unassigned      YES unset administratively down down    
GigabitEthernet0/3         unassigned      YES unset administratively down down    

This is the first part: PC1 has now learned the MAC address of R1, and the frame has reached R1.

Current frame would look like this.

PART 2: How R1 interprets the above packet and how it will flow towards R2.

The packet has reached Router R1. Let’s see how R1 interprets it.

  • R1 receives the packet (PC1-S1-R1). It opens the L2 header, sees its own MAC address and understands that the frame has arrived for itself, then asks the L3 software to process the L3 information and check for forwarding.
  • R1’s L3 software processes the L3 info and checks the destination IP, which is 30.0.0.2.
  • Fundamental point: a router is an L3 device and forwards packets based on entries in its routing table. An entry can be manual (static), dynamic or connected. If an entry is there, the router forwards the packet to that specific outgoing interface; if no matching entry is present in the routing table, it drops the packet then and there.
  • Matching the entry in the routing table is also known as Recursive lookup.
  • So, in our case, R1 checks the destination IP, i.e. 30.0.0.2. I have added a static route for this destination with R2 as the next hop.
R1#show run | sec ip route
ip route 30.0.0.0 255.255.255.0 20.0.0.2
R1#
R1#show ip route          
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        10.0.0.0/24 is directly connected, GigabitEthernet0/1
L        10.0.0.254/32 is directly connected, GigabitEthernet0/1
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/24 is directly connected, GigabitEthernet0/0
L        20.0.0.1/32 is directly connected, GigabitEthernet0/0
      30.0.0.0/24 is subnetted, 1 subnets
S        30.0.0.0 [1/0] via 20.0.0.2
R1#
  • R1 does a lookup in its own routing table for the 30.0.0.0/24 network and sees that it has a route to reach this network via 20.0.0.2, with Gig0/0 as the exiting interface.
  • If there was no route for 30.0.0.0/24 in the routing table, R1 would have dropped the packet.
  • Since the route is present in R1’s routing table, R1 participates in the communication and creates its own packet for destination 30.0.0.2.
  • R1 now needs the MAC address of the next hop to add to its L2 header. If the MAC entry is already learned, it adds it to the L2 header; if not, it sends an ARP request (since a router can participate in communication, it can also generate ARP requests).
  • In this case there was no MAC address for R2 in the beginning, so R1 sends the ARP broadcast and learns the MAC of R2; please refer to the capture below.
  • The packet below is the ARP request R1 sends on the Ethernet network; only R2 will reply, because the target IP address is 20.0.0.2.

Below is the ARP reply, in which R2 sends its own MAC address.

Also, one thing to note is that whenever a packet crosses a router, the TTL (time to live) is reduced by 1.

So, when R1 sends the packet to R2, it decrements the TTL by 1.

R1 has learned the MAC and has the route to reach R2, so now R1 forwards the packet to R2.

This is how the packet looks at R1, leaving for R2.

PART 3 (final part): The packet has reached R2; how R2 will process this packet and forward it to PC2.

The packet now arrives at R2, which does exactly the same things R1 did: it opens the L2 and L3 info, learns that the frame is addressed to itself and that the packet needs to reach the destination 30.0.0.2/24, and does a recursive lookup in its routing table.

R2#show run | sec ip route
ip route 10.0.0.0 255.255.255.0 20.0.0.1
R2#show ip route          
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area 
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
       ia - IS-IS inter area, * - candidate default, U - per-user static route
       o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
       a - application route
       + - replicated route, % - next hop override, p - overrides from PfR

Gateway of last resort is not set

      10.0.0.0/24 is subnetted, 1 subnets
S        10.0.0.0 [1/0] via 20.0.0.1
      20.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        20.0.0.0/24 is directly connected, GigabitEthernet0/0
L        20.0.0.2/32 is directly connected, GigabitEthernet0/0
      30.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C        30.0.0.0/24 is directly connected, GigabitEthernet0/1
L        30.0.0.254/32 is directly connected, GigabitEthernet0/1
R2#

Packet captures on R2 when it sends to PC2.

  • So, from the above routing table, there is a matching entry for the 30.0.0.0/24 network on the outgoing interface Gig0/1, and R2 forwards the packet to PC2. If the MAC for PC2 is not present in R2’s table, R2 also sends an ARP broadcast, similar to R1, learns PC2’s MAC and then forwards the packet to PC2.
  • When R2 sends the packet to PC2, it decrements the TTL by 1.
  • This is also known as forward routing: PC1-S1-R1-R2-S2-PC2.
  • When PC2 replies to the ping request, all the same steps take place but in reverse order: PC2-S2-R2-R1-S1-PC1.
  • The thing to note is that R1 and R2 should both have routes for the 10, 20 and 30 networks in order to make this work; if any of the routes is missing, communication cannot happen in this case.
  • This is because, for IP communication, both the forward and the reverse path are necessary.

Key points:

  1. To communicate outside the local subnet, the gateway is used.
  2. For end-to-end communication, SIP and DIP never change, but SMAC and DMAC change at every hop.
  3. Whenever a packet crosses a router, the TTL is decremented by 1.
  4. If there is no ARP entry in the ARP table, hosts and routers create an ARP broadcast and learn the MAC address via ARP request and reply packets, because these devices can participate in IP communication and can modify the packets.
  5. For IP communication to work, both forward and reverse paths are needed.
  6. A switch, on receiving a broadcast, forwards it on all ports except the port where it received the broadcast.
  7. A router performs a recursive lookup (prefix match, AD value, metric …) in its routing table to check the route/path for the DIP.
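The whole walk from PART 1 to PART 3, as an added example (not code from the original post), showing that the IPs stay fixed while the MACs and the TTL change per hop. Routes and the first four MACs are taken from the outputs above; the MACs for R2's 30.0.0.254 interface and for PC2, the starting TTL of 64, 30.0.0.254 as PC2's gateway and the function names are assumptions.

```python
import ipaddress as ipa

# Routes from the "show ip route" outputs above: (prefix, next hop or None if connected).
ROUTES = {
    "R1": [("10.0.0.0/24", None), ("20.0.0.0/24", None), ("30.0.0.0/24", "20.0.0.2")],
    "R2": [("10.0.0.0/24", "20.0.0.1"), ("20.0.0.0/24", None), ("30.0.0.0/24", None)],
}
# IP -> (owner, MAC). The first four MACs appear in the outputs above;
# the last two are constructed placeholders (not shown on the page).
ARP = {
    "10.0.0.1": ("PC1", "0050.7966.6800"), "10.0.0.254": ("R1", "0cd7.dc6d.fe01"),
    "20.0.0.1": ("R1", "0cd7.dc6d.fe00"), "20.0.0.2": ("R2", "0cd7.dcd1.a800"),
    "30.0.0.254": ("R2", "aaaa.aaaa.0001"), "30.0.0.2": ("PC2", "aaaa.aaaa.0002"),
}

def lookup(router, dst):
    """Longest-prefix match: return (network, next_hop), or None when no route matches."""
    hits = [(ipa.ip_network(p), nh) for p, nh in ROUTES[router]
            if ipa.ip_address(dst) in ipa.ip_network(p)]
    return max(hits, key=lambda h: h[0].prefixlen) if hits else None

def egress_mac(router, next_ip):
    """MAC of the router's interface on the connected subnet that contains next_ip."""
    net = lookup(router, next_ip)[0]
    return next(mac for ip, (owner, mac) in ARP.items()
                if owner == router and ipa.ip_address(ip) in net)

def trace(src, src_net, gateway, dst, ttl=64):
    """Return (frames, status); each frame is (sender, smac, dmac, sip, dip, ttl)."""
    # Host decision: deliver directly if dst is local, otherwise hand to the gateway.
    next_ip = dst if ipa.ip_address(dst) in ipa.ip_network(src_net) else gateway
    node, smac = ARP[src]
    frames = []
    while True:
        owner, dmac = ARP[next_ip]            # ARP resolves the next hop, not the final target
        frames.append((node, smac, dmac, src, dst, ttl))
        if next_ip == dst:
            return frames, "delivered to " + owner
        node, route = owner, lookup(owner, dst)
        if route is None:
            return frames, "dropped at " + node + ": no route"
        ttl -= 1                              # each router hop decrements TTL
        if ttl == 0:
            return frames, "dropped at " + node + ": TTL expired"
        next_ip = route[1] or dst             # connected route: next hop is the destination
        smac = egress_mac(node, next_ip)      # L2 header is rebuilt on every hop
```

Calling `trace("10.0.0.1", "10.0.0.0/24", "10.0.0.254", "30.0.0.2")` gives the forward path; swapping the arguments for PC2 gives the reverse path, and an unknown destination such as 50.0.0.1 is dropped at R1.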
