Asked • 03/19/19

How does a packet find its way from a LAN device to a router, or vice versus?

I am trying to understand how packets are sent from one device to another in a wireless network? (Perhaps the same question also applies to a wired network) How does a router know in which physical direction to send a packet in order for a particular IP/MAC address to receive it? Or is this not the case, and is the data sent out or scattered in a random direction, and all devices on a network listen to all network traffic and act only on those matching its IP/MAC address? If the latter is true, does this not raise security vulnerabilities? And is the same is true of wired networks?

1 Expert Answer

By:

Jackson J. answered • 07/16/23

Tutor
5 (173)

Cisco Certified Internetworking Expert (CCIE) Senior Network Engineer
About this tutor ›
About this tutor ›

Hi,


It will be easier to tackle this from a Wired Network perspective first, before reviewing how it works with Wireless. Although they do work very similarly, the main difference will be the behavior of Hardware (MAC) Address forwarding between the Endpoint devices and the Switch vs. Endpoint devices and a Wireless Access Point/Controller. In order to understand how this concept works on Wired Networks, it's important to first understand the OSI and TCP/IP model, but more specifically know how the IEEE (Institute of Electrical and Electronics Engineers) 802.3 standard (which is "Ethernet") Switching works and also how IPv4 Routing and ARP works.


The best way to explain this is to give you a scenario of one PC trying to communicate with another PC that resides within a separate Network. We will look at how the traffic would get from one device to the other and the interactions between the Network devices between the two PCs.


Here's a basic Network Diagram of the scenario:


  1. PC-A ==> Switch-A ==> RouterX <== Switch-B <== PC-B

Let's look at the following steps that will occur when PC-A tries to ping PC-B:


  1. (PC-A has an IP Host Address of 192.168.1.2 and Subnet Mask of 255.255.255.0)
  2. (PC-A has a MAC Address of "A" but in reality a MAC Address is a Hexadecimal string that's 48 Bytes long and typically in the format of: "00:01:01:AA:AA:AA" for example. But for the purpose of this exercise we will simply use "A")
  3. (PC-B has an IP Host Address of 192.168.2.3 and Subnet Mask of 255.255.255.0)
  4. (PC-A has a MAC Address of "B")
  5. (Router-X has a MAC Address of "C")


  1. After you enter the "ping 192.168.2.3" command on PC-A, PC-A will perform a Logical "AND" Operation on the Source IP (192.168.1.2) and Destination IP (192.168.2.3), comparing its IP Host Address and Subnet Mask against the IP Address of the Destination Host in order determine whether or not it is on the same network as the Host that it is pinging. The reason it does this is to determine whether or not it has to send the Ethernet Frame to the Router or if it can send it directly to the Destination Host. In IP Routing, if a Destination Host resides within a different network, then the packet must be routed by a Router (or any device that has a Route Processor and does Routing "Layer 3")
  2. After PC-A makes an assessment; comparing the combination of its own IP Host Address and Subnet Mask and the IP Host Address of PC-B, it is able to determine that the two devices are on two separate networks (You can take my course if you would like to know why this is so and to learn more about IP Subnetting) and therefore when PC-A sends the Ethernet Frame containing the Ping "Echo Request", it will fill out the Destination MAC Address field in the Ethernet Frame to it's "Default Gateway's", (or in this case, RouterX's) MAC Address. It already knows the IP Address of it's Default Gateway (Router) because it already has it configured on it's NIC card. (A Ping Echo Request is encapsulated in an IP Packet and that IP Packet is then further encapsulated in the Ethernet Frame).
  3. PC-A will now actually build the Ethernet Frame containing the Ping Echo Request and as it's filling out all of the required fields in the Ethernet Frame, it looks in its ARP Cache and realizes that it doesn't have the MAC Address for it's Default Gateway (RouterX - 192.168.1.1). This typically happens when the NIC Card on the PC has just initialized and the PC and Router still have not yet communicated. It knows the IP Host Address for RouterX (because it's already configured on the PC, but now it need's the MAC Address Associated with that IP.
  4. This is where the protocol ARP (Address Resolution Protocol) comes into play. In order for PC-A to find the Associated MAC Address, it needs to send a Broadcast Message, containing an "ARP Request", which asks all hosts in the same network to please Reply if they have a Network Interface configured with the MAC Address listed in the ARP Request. In other words, the ARP Request asks: "Who has the MAC Address for the IP Address of 192.168.1.1)." So PC-A then suspends (pauses) the sending of the Ethernet Frame containing the Ping Echo Request and it generates a separate Ethernet Frame containing the ARP Request for RouterX's MAC Address.
  5. PC-A will send that Ethernet Frame containing the ARP Request to Switch-A and this is where the Switch will perform a couple of it's basic functions:
  6. Address Learn: It learns the MAC Address listed in the "Source MAC Address" field of the Ethernet Frame that it just received and associates it with the Switchport from which it received it on and stores that information in it's MAC Address Table.
  7. Filter/Forward: It will look in the "Destination MAC Address" field of the Ethernet Frame and if it sees "12 F's" (FF:FF:FF:FF:FF:FF), this indicates that the Frame is a Broadcast Frame and therefore, the Frame needs to be "Flooded" (copied and sent out to) every port on the Switch except the port upon which the Frame came in on. Since an ARP Request is one type of a Broadcast Frame, that is what will happen in this instance.
  8. Only Router-X will receive the ARP Request (Because Routers create a boundary for Broadcasts. Broadcasts are not forwarded beyond a Router Interface by default) and store the MAC Address within the "Source MAC Address" field (which is PC-A's MAC Address - "A") along with the Associated IP Host Address of PC-A (192.168.1.2) into its ARP Cache.
  9. Router-X realizes that it has an Interface with that Destination IP Address (192.168.1.1) configured on it. So, according to the standards of ARP (Address Resolution Protocol), Router-X is now obligated to send an Ethernet Frame containing an ARP Reply.
  10. Since Router-X had stored PC-A's MAC Address and IP Host Address into its ARP Cache from the ARP Request that PC-A sent out earlier. This ARP Reply will now be encapsulated in a Unicast Ethernet Frame, with PC-A's MAC Address ("A") filled out in the Destination MAC Address field and it's own MAC Address ("B") filled out in the Source MAC Address field of the Ethernet Frame and it will send that Frame to Switch-A.
  11. Switch-A receives Router-X's Ethernet Frame containing the ARP Reply and performs it's basic functions again, but this time with a twist on the 2nd Function ("Filter/Forward"):
  12. Address Learn: It learns the MAC Address in the "Source MAC Address" field of the Ethernet Frame that it just received (which is now Router-X's MAC Address this time) and associates it with the Switchport from which it received it on and stores that information in it's MAC Address Table
  13. Filter/Forward: It will look in the "Destination MAC Address" field of the Ethernet Frame and see that there is now a single MAC Address (PC-A's MAC - "A") and therefore, it will look in it's MAC Address Table to see if it has an entry for it along with which Switchport that the MAC Address can be found. It will surely find an entry for that MAC Address/Switchport combination since PC-A had previously sent an Ethernet Frame containing an ARP Request to the Switch and it was stored in the MAC Table. Therefore, Switch-A will Forward the Ethernet Frame containing Router-X's ARP Reply out of the Switchport where PC-A can be found only.
  14. PC-A will receive the Ethernet Frame containing Router-X's ARP Reply (which contains RouterX's MAC Address) and stores it in it's ARP Cache.
  15. At this point, PC-A can now Un-suspend the Ping Echo Request since it has all of the information to fill out the Ethernet Frame and now fills the Destination MAC Address field with Router-X's MAC Address.

Now, you may be wondering at this point, "if PC-A is supposed to be pinging PC-B, why is it going through the trouble of trying to acquire information from Router-X? How will the Ping Echo Request even reach PC-B and how will PC-B know that the Ping is meant for it?"


This is where it's crucial to understand how Ethernet Switching, which operates at Layer 2 and IP Routing, which operates Layer 3 interact and the different Addressing Mechanisms used by both. Therefore, a thorough understanding of the OSI and/or TCP/IP model is required. PC-A and PC-B reside on two different Networks (Subnets) therefore, a Router (Router-X) is required to Route traffic between them. Since Router-X has an Interface in Both Networks or "LANs" (192.168.1.0/24 and 192.168.2.0/24), it can route traffic between both LANs.


**The key point is that in order for the PCs to send the packets to the Router, the ieee 802.3 Ethernet standard requires them to communicate at Layer 2 using Ethernet Frames which contain their "Hardware" or "MAC" Addresses, which are burned into their NIC Cards. But, inside of those Ethernet Frames (in the Payload field) lies the actual IP Packet that contains the Data that one Host is trying to send to another.


It works similarly with Wireless Networks however, the Address Learning and Forwarding is different with the 802.11 standards than it is with Ethernet. You will have to take my course to find out more ;-)

Upvote 0 Downvote
More
Report

Jackson J.

tutor
TL;DR - Your question is answered in Steps 6-8 but it would behoove you to read through the entire narrative ;-) Important Takeaways: The IP Packet (Layer 3) contains the Source IP Address and the Destination IP Address. Therefore, PC-A will have generated an IP Packet containing the actual Ping Echo Request which has PC-A's IP Host Address filled out in the "Source IP Address field" and it will fill in PC-B's IP Host Address in the "Destination IP Address" field of the IP packet. This is how the Ping Request will actually be delivered to PC-B. This IP Packet gets encapsulated into an Ethernet Frame therefore, it never gets modified.** When Router-X receives the Ping Echo Request destined to PC-B, it will de-encapsulate the Ethernet Frame and inspect the IP packet inside. It will look at the Destination IP Address field to be more specific. This is the main basic nature of how Routers function by default. Router-X will see that the IP packet is destined for "192.168.2.3" (or PC-B) and it will look in it's Routing Table for a match. Since it has an Interface that is Directly Connected to that Network (192.168.2.0/24), it will send the IP Packet out of that Interface. It's important to know that if there were multiple entries for 192.168.2.0 with varying Subnet Mask Lengths, the Router would choose the entry with the most specific match, or longest Prefix as a Tie-Breaker. This is a process called the "Longest Prefix Match". Since this Packet is destined for a different LAN/Network, the Packet needs to be Encapsulated into a NEW Ethernet Frame at Layer 2 according to the 802.3 Standard and sent out of the Router Interface pointing to Switch-B now. That means that Router-X would need to send an ARP Request for the MAC Address of the Host who has a NIC Card associated with the IP Address of 192.168.2.3. Steps 1-11 will occur again, but this time for Router-X trying to obtain the MAC Address for PC-B so that it can Route PC-A's Ping Echo Request to it. As you can guess, the Source MAC Address of this New Ethernet Frame is Router-X's Interface that's configured with the 192.168.2.1 Default Gateway Address and the Destination MAC Address is the Broadcast Address (FF:FF:FF:FF:FF:FF) since it is currently unknown. After Steps 1-11 are followed for this communication between Router-X and PC-B and then PC-B finally receives PC-A's IP Packet, PC-B is then obligated to send a Ping Echo Reply back to PC-A according to the ICMP (Internet Message Control Protocol) Standard. Similar steps are followed for PC-B to send the Ping Echo Reply to PC-A and that's how devices communicate from LAN to LAN :) When the Hosts are on the same LAN/Network, a Router is not required and they can simply send Ethernet Frames to each other. The Switch that those Hosts are connected to will perform the Basic Functions that I mentioned earlier in Steps 5 and 10. Once the MAC Address Table of the Switch is populated with proper information on which Switchport that a particular MAC Address can be found, it can then forward traffic out to that port accordingly. But it will need to either learn it first or if the MAC Address is unknown, then it will "Flood" the Frame out of every port except for the port that the Frame came in on. To answer your question, the Router serves as the "Default Gateway" for Hosts that reside in a Network that it has a Router Interface directly connected to, because Router Interfaces lead to Networks (LANs or WANs). By way of 802.3 Ethernet Addressing and the ARP Protocol, the Router can learn the MAC Address of the Host Device that it needs to route packets for or to. And the Router maintains a Routing Table that contains entries of Networks where Hosts can be reached. If a Router is not directly connected to a Network, it typically will have an entry that points to a neighboring Router that can forward the packet towards it's destination. Typically, Routers contain a "Default Route" entry (0.0.0.0/0) that points to another Gateway Router which can point to all Networks unknown to the Router. Also, I know you're probably thinking all of this Broadcasting of traffic is inefficient and causes unnecessary traffic and also unsecure. What happens if a Hacker is sitting inside the Network and uses a Hacking Tool to send Packets out to the Network impersonating the MAC Address of the real Router (RouterX)! Basically launching a "Main-In-The-Middle" Attack! Strides have been made where Fabric Networks and Software-Defined Networking allows for Broadcast traffic to be limited or prevented from being flooded throughout the LAN all together. The security of MAC Address Spoofing is a valid concern and therefore, Countermeasures have been developed; such as "Dynamic ARP Inspection" which allows Switches to validate ARP Packets within a Network. "DAI" snoops the ARP operations passing through it and keeps a Database of IP to MAC Address Bindings. The Switch essentially intercepts, logs, and discards ARP packets with invalid MAC address to IP address bindings.
Report

07/16/23

Still looking for help? Get the right answer, fast.

Ask a question for free

Get a free answer to a quick problem.
Most questions answered within 4 hours.

OR

Find an Online Tutor Now

Choose an expert and meet online. No packages or subscriptions, pay only for the time you need.