Today we are going to see how switches and a router interact with each other by tracing ARP and ICMP packet flow. Here’s the network we are going to be playing with today:
We’re going to look at a couple of things here. The two biggest things to keep in the back of your mind are:
- Switches break up collision domains
- Routers break up broadcast domains
While you will see me cover #1 in this post, you should really check out my previous post to see better examples: Tracing packet flow between a Hub and Switch
We will focus most of this post on #2. As in all my posts, to make it easy to see which device is talking on the network, I’ve handed out custom MAC addresses on each device. The MAC address will look like 0010.1111.1111 for PC1 (192.168.1.1) and 0010.2222.2222 for PC2 (192.168.1.2). Each computer is set to use ROUTER’s closest port as its “Default Gateway”.
All devices get turned on at the same time. None of them will have any information in their MAC or routing tables.
I ran an “arp -a” to prove it doesn’t know a thing about PC4’s MAC address yet. PC1 will ping PC4. Because PC1 has no idea what PC4’s MAC address is, PC1 will need to send out an ARP request to figure out how to get to the router, since 192.168.2.4 is not on the same network.
This is how the header will look (notice it doesn’t have a target MAC address yet!)
The broadcast ARP request is sent to SWITCH1. SWITCH1 has now learned PC1’s MAC address and put it in its MAC address table.
The ARP broadcast is sent out all ports except the port it came in on. That means PC2, PC3 and ROUTER. Notice how the router breaks up the broadcast domain. PC4->PC6 do not get the request.
Router1 sends back an ARP reply. It puts PC1’s address in the “Target MAC” address field. It also puts its own address in the SRC MAC address field. It also puts PC1’s MAC address into its own MAC address table.
Because ROUTER’s MAC address is in the SRC MAC field, SWITCH1 will now add that address to its own MAC address table:
PC1 now knows how to get to its default gateway so that the packet can be routed to the external 192.168.2.0 /24 network. The router’s MAC address is added to its own MAC address table. PC1 creates an ICMP packet (layer 3) and encapsulates it in an Ethernet frame. That frame has a SRC MAC address of PC1 and a destination MAC address of ROUTER.
The ping (ICMP) is sent to SWITCH1. Switch knows where 192.168.1.254 is so it directly sends the frame to ROUTER.
When the packet gets to ROUTER, ROUTER realizes that it doesn’t know what PC4’s MAC address is. Because ICMP requests are unicast, the router drops the packet. ROUTER then creates an ARP broadcast to find out what MAC address PC4 has.
ROUTER sends the ARP broadcast out onto the network to SWITCH2. SWITCH2 will add ROUTER’s MAC address to its MAC address table.
Switch sends the ARP Broadcast out every port but the port it came in on. PC5 and PC6 drop the request. PC4 says “It’s Me!”
As you would expect, PC4 replies to ROUTER by sending the response back on the network. SWITCH2 will add PC4’s MAC address to its MAC address table.
ROUTER gets PC4’s response back. ROUTER adds PC4’s MAC address into its MAC address table.
It’s at this point something kind of funky happens. When I first started out I didn’t quite get it. It’s at this exact moment something will change on PC1’s command prompt. You will see a “Request timed out” message. The reason for this is the computer waited to hear back the ping (ICMP) reply but never received one because ROUTER dropped the packet because it didn’t know PC4’s MAC address. This does NOT mean that there is something wrong with the hardware!
PC1 at this point says: “I guess something happened to my first ICMP request. I guess I should send request 2 of 4.” So it creates a new request.
PC1 will send the 2nd ICMP ping out to the network. SWITCH1 gets the frame. SWITCH1 says “Hey, I know where ROUTER is” and forwards it directly to ROUTER.
ROUTER decapsulates the frame. It sees that the packet needs to be sent on to PC4. It encapsulates the packet in a brand new Ethernet frame. Because of the previous ARP request it now has PC4’s MAC address. **NOTE** – The source MAC address on the new Ethernet frame is set to ROUTER’s MAC address (gig0/1). The internal SRC IP address in the packet remains the same. If ROUTER changed the SRC IP address to its own IP address, PC4 would never know how to send the packet back to PC1!
ROUTER sends the packet out to the network to SWITCH2.
SWITCH receives the frame and looks at the header. Because it knows where PC4’s MAC address is, it can send the frame directly to PC4.
PC4 receives the frame and sends it back to PC1. It changes the frame header by setting the originating MAC to itself and the destination address to ROUTER1. The destination IP address in the reply packet will be PC1’s and the SRC address is PC4’s.
SWITCH2 will send the frame directly to ROUTER because it has ROUTER’s MAC address in its MAC table.
ROUTER decapsulates the frame and sees the packet is being sent to the IP address of PC1. It sees that it has PC1’s MAC address. It encapsulates the packet again and makes the SRC address its own MAC address. It makes the destination address that of PC1. It sends the packet on its way to SWITCH1.
Again SWITCH1 knows where to send the frame, so it sends it directly to PC1. It knows because it has PC1’s MAC address in its MAC address table. PC1 receives the ping ICMP reply.
It’s at this very instant that we have completed the loop. PC1 has sent the ICMP request and it was routed to PC4. PC4 responded and its response was routed back to PC1. The Command prompt on PC1 will change ever so slightly to inform you that
All subsequent requests (3 to 4) will all get replies, assuming that there are no issues with the networking equipment.
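The whole walkthrough above can be replayed as a small model. This is an added example, not part of the original post: it tracks what each switch learns, who hears each ARP broadcast, and why only the first ping times out. The addresses for PC3 through PC6, the 192.168.2.254 gateway and ROUTER's two interface MACs are assumptions that follow the post's numbering pattern.

```python
BCAST = "ffff.ffff.ffff"
# PC1/PC2 values are the post's; PC3-PC6, 192.168.2.254 and ROUTER's MACs are assumed.
NODES = {f"PC{i}": (f"192.168.{1 if i < 4 else 2}.{i}", f"0010.{str(i) * 4}.{str(i) * 4}",
                    "SWITCH1" if i < 4 else "SWITCH2") for i in range(1, 7)}
ROUTER = {"SWITCH1": ("192.168.1.254", "0010.aaaa.0000"),
          "SWITCH2": ("192.168.2.254", "0010.aaaa.0001")}
mac_table = {"SWITCH1": {}, "SWITCH2": {}}       # switch -> {MAC: attached device}
arp_cache = {n: {} for n in [*NODES, "ROUTER"]}  # device -> {IP: MAC}
arp_heard = []                                   # (asker, device that got the broadcast)

def attached(switch):
    return [n for n, v in NODES.items() if v[2] == switch] + ["ROUTER"]
def addr(dev, switch):
    return ROUTER[switch] if dev == "ROUTER" else NODES[dev][:2]

def send(switch, sender, dst_mac):
    """Switch learns the source MAC, then forwards (known unicast) or floods."""
    mac_table[switch][addr(sender, switch)[1]] = sender
    if dst_mac in mac_table[switch]:
        return [mac_table[switch][dst_mac]]
    return [d for d in attached(switch) if d != sender]

def arp(switch, asker, target_ip):
    """Broadcast who-has; only the owner answers, and both sides cache each other."""
    ip, mac = addr(asker, switch)
    for dev in send(switch, asker, BCAST):
        arp_heard.append((asker, dev))
        if addr(dev, switch)[0] == target_ip:
            arp_cache[dev][ip] = mac
            send(switch, dev, mac)               # unicast ARP reply
            arp_cache[asker][target_ip] = addr(dev, switch)[1]

def ping(src, dst):
    """One echo request from src to a host on the other subnet, via ROUTER."""
    sw_in, sw_out = NODES[src][2], NODES[dst][2]
    gw_ip, dst_ip = ROUTER[sw_in][0], NODES[dst][0]
    if gw_ip not in arp_cache[src]:
        arp(sw_in, src, gw_ip)
    send(sw_in, src, arp_cache[src][gw_ip])      # echo request framed to ROUTER
    if dst_ip not in arp_cache["ROUTER"]:
        arp(sw_out, "ROUTER", dst_ip)            # ROUTER drops the packet, then ARPs
        return "Request timed out"
    send(sw_out, "ROUTER", arp_cache["ROUTER"][dst_ip])   # new frame, same IP packet
    send(sw_out, dst, arp_cache[dst][ROUTER[sw_out][0]])  # echo reply framed to ROUTER
    send(sw_in, "ROUTER", arp_cache["ROUTER"][NODES[src][0]])
    return f"Reply from {dst_ip}"

if __name__ == "__main__":
    print([ping("PC1", "PC4") for _ in range(4)], mac_table, sep="\n")
```

Running it prints one timeout followed by three replies, and each switch's table holds only the MAC addresses seen on its own side of ROUTER.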