Network Layer & Ethernet — Cable Run CTS1305C

Slide 1 of 13  |  CTS1305C  |  Week 2
Network Layer
& Ethernet
IP routing, packet structure, ARP, ICMP, and how data crosses network boundaries.
A user on the 10.0.1.0/24 network cannot reach a server on 172.16.0.0/16. Ping fails. The switch shows the user's MAC. The problem is not at Layer 2 — it is a Layer 3 routing issue. This presentation teaches you how packets find their way.
13 Slides Week 2 Layer 3 Deep Dive Routing + Protocols
Slide 2 of 13
IP Routing Concepts
How routers make forwarding decisions for every packet.
Network A 10.0.1.0/24 PC: 10.0.1.5 Router R1 e0: 10.0.1.1 e1: 192.168.0.1 Looks up routing table Router R2 e0: 192.168.0.2 e1: 172.16.0.1 Network B 172.16.0.0/16 Server: 172.16.0.10
Routing Process
When a router receives a packet, it reads the destination IP, checks its routing table for the best matching route, decrements the TTL, recalculates the L2 header (new source/destination MAC), and forwards the packet out the appropriate interface.
Slide 3 of 13
The Routing Table
Every router maintains a table that maps networks to next-hop addresses.
Destination NetworkSubnet MaskNext HopInterfaceMetricSource
10.0.1.0255.255.255.0Directly connectedEth00Connected
192.168.0.0255.255.255.0Directly connectedEth10Connected
172.16.0.0255.255.0.0192.168.0.2Eth11Static
0.0.0.00.0.0.0192.168.0.254Eth11Default
Longest Prefix Match
When multiple routes match, the router selects the one with the longest (most specific) subnet mask. A /24 route wins over a /16 for the same destination.
Default Route (0.0.0.0/0)
The "gateway of last resort." If no other route matches, the packet is sent to the default gateway. Every host and router should have one.
Slide 4 of 13
The Default Gateway
A host's exit point to reach any network beyond its own subnet.
Host 10.0.1.50 GW: 10.0.1.1 Mask: 255.255.255.0 Same subnet? YES: ARP for dest MAC NO: ARP for gateway MAC Router (GW) 10.0.1.1 Forwards to remote nets
How a Host Decides
The host performs a bitwise AND between the destination IP and its own subnet mask. If the result matches the host's network address, the destination is local (send directly via ARP). If not, it is remote — send the frame to the default gateway's MAC address, with the remote IP still in the packet header.
Slide 5 of 13
ARP — Address Resolution Protocol
Resolving IP addresses to MAC addresses on the local network.
Host A 10.0.1.5 ARP Request (broadcast) "Who has 10.0.1.1? Tell 10.0.1.5" ARP Reply (unicast) "10.0.1.1 is at AA:BB:CC:11:22:33" Router 10.0.1.1 ARP Cache 10.0.1.1 AA:BB:CC:11:22:33 Cached for ~300 seconds
Security Note
ARP has no authentication. ARP spoofing/poisoning is a common Layer 2 attack where a malicious host sends fake ARP replies to redirect traffic. Mitigation: Dynamic ARP Inspection (DAI) on managed switches.
Slide 6 of 13
ICMP — Internet Control Message Protocol
The network's error-reporting and diagnostic protocol.
Echo Request/Reply
ping sends ICMP Type 8 (request). The target replies with Type 0 (reply). Tests reachability and round-trip time.
Destination Unreachable
Type 3. Returned when a router cannot forward a packet: network unreachable, host unreachable, port unreachable, or fragmentation needed but DF bit set.
Time Exceeded
Type 11. Sent when TTL reaches 0. This is how traceroute/tracert works: incrementing TTL to discover each hop.
TRACEROUTE MECHANISM Source Hop 1 TTL=1 Hop 2 TTL=2 Hop 3 TTL=3 Destination
Important
ICMP is not a transport protocol — it does not carry application data. It rides directly on top of IP (protocol number 1). Firewalls often block ICMP, so a failed ping does not necessarily mean the host is down.
Slide 7 of 13
IPv4 Packet Structure
The Layer 3 header fields that control routing and delivery.
IPv4 HEADER (20 bytes minimum) Version 4 bits IHL 4 bits ToS / DSCP 8 bits (QoS) Total Length 16 bits (max 65535) Identification / Flags / Fragment Offset 32 bits (fragmentation) TTL 8 bits (hop limit) Protocol 8 bits (TCP=6,UDP=17) Header Checksum 16 bits Source IP Address (32 bits) Destination IP Address (32 bits)
Key Fields
TTL: decremented by 1 at each router; prevents routing loops. Protocol: tells the receiving host which Layer 4 protocol to use (1=ICMP, 6=TCP, 17=UDP). Source/Dest IP: never change during transit (NAT is the exception).
Slide 8 of 13
TTL — Time to Live
The packet's self-destruct counter that prevents infinite routing loops.
Source TTL=128 Hop 1 TTL=127 Hop 2 TTL=126 TTL=0 DROPPED Default TTL: Windows=128, Linux=64, Cisco=255
Loop Prevention
Without TTL, a packet caught in a routing loop would circle forever, consuming bandwidth. TTL ensures every packet has a finite lifespan.
OS Fingerprinting
Default TTL values vary by OS. Seeing TTL=127 in a ping reply (128 - 1 hop) suggests a Windows machine. This is used in network reconnaissance.
Slide 9 of 13
Static vs Dynamic Routing
Two approaches to populating the routing table.
Static Routing
Routes are manually configured by the administrator. Simple, predictable, no overhead. Best for small networks or specific paths (e.g., default route, stub networks). No automatic failover — if a link goes down, you must update manually.
Dynamic Routing
Routes are automatically learned from neighboring routers using routing protocols. Adapts to topology changes. More CPU/memory overhead. Essential for medium-to-large networks. Provides automatic failover.
When to Use Which
Static: small networks, stub networks, default routes, security-sensitive paths. Dynamic: enterprise/ISP networks, redundant paths, growing topologies. Most real networks use a combination of both.
Slide 10 of 13
Dynamic Routing Protocols
An introduction to the protocols that automate routing decisions.
RIP (v1/v2)
Distance-vector protocol. Uses hop count as its metric (max 15 hops). Simple but slow to converge. Good for small/lab networks. RIPv2 adds VLSM and authentication.
OSPF
Link-state protocol. Uses cost (based on bandwidth) as its metric. Fast convergence, scalable. Divides networks into areas. Open standard (RFC 2328). The enterprise workhorse.
EIGRP
Advanced distance-vector (Cisco, now open). Uses composite metric (bandwidth + delay). Very fast convergence with DUAL algorithm. Supports unequal-cost load balancing.
Routed vs Routing Protocols
Routed protocol: the protocol being routed (IP, IPv6). Routing protocol: the protocol that builds routing tables (OSPF, EIGRP, RIP). IP is routed; OSPF is the routing protocol that helps routers learn where to send IP packets.
Slide 11 of 13
Routed vs Routing Protocols
Two very different categories that often get confused.
Routed Protocols Carry user data across networks IPv4, IPv6 Assigned to host interfaces Used by end devices + routers Routing Protocols Build and maintain routing tables OSPF, EIGRP, RIP, BGP Run between routers only Exchange topology information
Administrative Distance
When multiple routing sources provide paths to the same destination, the router trusts the one with the lowest AD: Connected (0), Static (1), EIGRP (90), OSPF (110), RIP (120).
Metric
Within a single routing protocol, the metric determines the best path. Lower is better. OSPF uses cost (bandwidth), RIP uses hop count, EIGRP uses a composite of bandwidth + delay.
Slide 12 of 13
End-to-End Packet Flow
Putting it all together — from source host to destination host.
1. ARP Resolve GW MAC 2. Frame Build L2 frame 3. Switch Forward by MAC 4. Router Route by IP 5. New Frame New L2 header 6. Deliver Dest receives IP addresses stay the same. MAC addresses change at every hop.
Critical Distinction
The Layer 3 header (source/destination IP) remains constant end-to-end. The Layer 2 header (source/destination MAC) is rewritten at every router hop. This is the fundamental relationship between routing and switching.
Slide 13 of 13
Summary & Key Takeaways
Everything you need to remember from this presentation.
1 Routers forward packets by checking the destination IP against the routing table and selecting the longest prefix match.
2 The default gateway is the router interface on the local subnet. Hosts use it for all traffic to remote networks.
3 ARP resolves IP to MAC on the local segment (broadcast request, unicast reply). ARP cache entries expire after ~300 seconds.
4 ICMP provides error reporting (Destination Unreachable, Time Exceeded) and diagnostics (ping, traceroute).
5 TTL is decremented at each hop. When it reaches 0, the packet is dropped and an ICMP Time Exceeded is sent back.
6 Static routing is manual; dynamic routing (RIP, OSPF, EIGRP) automates route discovery and adapts to changes.
7 IP addresses stay constant end-to-end; MAC addresses are rewritten at every hop.
Back to our scenario: the user at 10.0.1.5 cannot reach 172.16.0.10. Check the routing table on R1 — does it have a route for 172.16.0.0/16? If not, add a static route or enable OSPF. Once the route exists, packets will flow.