Thursday, March 19, 2009

Understanding how packets traverse a network

One of the first things you have to know on your way to CCNA is what really happens inside a network: how packets traverse it, and so on. I won't talk a lot about the OSI model and its layers, there are plenty of articles about that, but I'll focus on the last 3 layers: Network, Data Link and Physical.





** LAB included!



As your data goes down the OSI model layers in PC0, from the application layer to the transport layer, it arrives at the 3rd layer, the NETWORK layer. The network layer takes the transport layer SEGMENT (that's what the data is called after it passes through the transport layer) and encapsulates that segment with a header, and it becomes a PACKET.



The packet header includes information that is relevant to Layer 3 devices (routers and Layer 3 switches). Layer 2 devices (switches, bridges) have nothing to do with that information.





The packet header includes many fields that aren't really relevant to your CCNA studies, so I won't cover them all and will stick to those that are related to the CCNA course.

  • Version: the version of IP. Currently we are using v4, while v6 is being implemented too.
  • Total length: this field holds the length of the IP datagram, including the IP header.
  • TTL (Time to Live): this field indicates how many hops a data packet may be transmitted across the network before it is discarded. Each router that successfully routes the packet decreases this value by 1. When it gets to 0, the packet is discarded.
  • Protocol: this field specifies which protocol is used in the segment. TCP is identified by the number 6, UDP by 17.
  • Destination IP address: this is the destination IP address of the packet (the IP of the receiving host). It is used by the Layer 3 device to route the packet to its particular destination, and to assure that only the destination device receives that packet.
  • Source IP address: the opposite of the destination IP. This field holds the IP of the sending device, so when the receiving host wants to reply it knows to whom it should send the packet.
  • Data: this field carries the data that is being sent in the packet.
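To make the field list concrete, here is an added example (not part of the original post) that builds a 20-byte IPv4 header and reads those fields back out, rejecting a header whose checksum does not match. The addresses are the ones used later in this post; the TTL of 64 and the payload length are assumed sample values.

```python
import ipaddress
import struct

FMT = "!BBHHHBBH4s4s"              # fixed 20-byte IPv4 header, no options
PROTOCOLS = {6: "TCP", 17: "UDP"}  # the two protocol numbers named above

def checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words (RFC 791)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(src, dst, ttl, proto, payload_len):
    """Construct a sample header (constructed input for this example)."""
    fields = [0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed,
              ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack(FMT, *fields))  # fill in the checksum
    return struct.pack(FMT, *fields)

def parse_header(raw: bytes) -> dict:
    """Extract the fields discussed above; raise ValueError on bad input."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _csum, src, dst = \
        struct.unpack(FMT, raw[:20])
    version, header_len = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or header_len < 20 or len(raw) < header_len:
        raise ValueError("not a valid IPv4 header")
    if checksum(raw[:header_len]) != 0:  # a correct header sums to zero
        raise ValueError("header checksum mismatch")
    return {
        "version": version,
        "total_length": total_len,
        "ttl": ttl,
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
    }

if __name__ == "__main__":
    print(parse_header(build_header("10.0.0.2", "20.0.0.2", 64, 6, 40)))
```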

Then, after all the IP packet fields are filled, the packet moves down to Layer 2, the Data Link layer, where it is encapsulated with the ARPA protocol and becomes a FRAME. The frame is used to transmit data on the local LAN or between two nodes in a physical address environment. The frame includes source and destination MAC addresses - a MAC address is the PHYSICAL ADDRESS (hard coded) of a device. It is a unique address for each device in an Ethernet network! The frame also has an FCS trailer, which is used for error detection.

After that, the Data Link layer passes the FRAME to the PHYSICAL layer, where the frame is translated into bits - 0's and 1's - and transmitted over the cable. That was a brief overview of the process, to make it easier for you.


Now, what happens when a packet is received on a ROUTER?

  • The router collects the streaming bits and reassembles them, which makes a FRAME. Then, the FRAME is given to Layer 2.
  • The router then checks the DEST. MAC address in the frame. If the frame's DEST. MAC address is the MAC address of the receiving interface, the router STRIPS the Layer 2 encapsulation, and we are left with the PACKET, which contains the Layer 3 details and is handed over to Layer 3.
  • The router looks at the DEST. IP address in the PACKET and then looks for a route for it in its ROUTING TABLE. If the router finds a route entry for the destination, it forwards the packet out of the right interface. Otherwise, it discards the packet.

Now, what happens when a packet is received on a SWITCH?


Well, switches don't really receive packets, they receive FRAMES. The switch reassembles the bits into a FRAME. Now, this is how a switch handles FRAMES:

  • The switch first CHECKS THE SOURCE MAC ADDRESS of the frame! Why does it do that? That's how switches build their MAC address table. If the switch already has the source MAC of the frame in its table, it goes to step 2. Otherwise, it adds the SOURCE MAC address, together with the port the frame was RECEIVED on, to its MAC address table.
  • Then, the switch checks the DEST. MAC address and looks for a matching entry in its MAC address table. If it finds a match, the switch will FORWARD the frame - it will send the frame out of that specific port. If it finds no match in its MAC table, the frame is called an "unknown unicast frame", and what the switch does with this kind of frame is FLOOD it out of ALL OF ITS PORTS except the port it received it on (the port of the frame's originator).

Note: The switch doesn't even get to the point of a PACKET. Switches DON'T check or modify a packet! They deal only with the FRAME itself!

Switches also DON'T change the Source & Destination MAC ADDRESSES! What switches actually do is receive a frame, check where it is supposed to be forwarded, and forward it AS IT IS to the right destination, depending on their internal table, called the CAM (content addressable memory) table.
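The two switch steps above can be followed in a short simulation. This is an added example, not part of the original post: the port names are assumed, and the traffic is constructed from PC0's MAC address and the router interface MAC used later in the post. The case where the destination sits on the receiving port is not covered above; the code simply sends nothing there.

```python
class LearningSwitch:
    """Layer 2 switch that follows the two steps described above."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.cam = {}  # MAC address table: source MAC -> port it was seen on

    def receive(self, in_port, frame):
        """Return the list of ports the unmodified frame is sent out of."""
        # Step 1: check the SOURCE MAC; add it with the receiving port if new.
        if frame["src_mac"] not in self.cam:
            self.cam[frame["src_mac"]] = in_port
        # Step 2: check the DEST. MAC against the table.
        out_port = self.cam.get(frame["dst_mac"])
        if out_port is None:
            # Unknown unicast: flood out of all ports except the receiving one.
            return [p for p in self.ports if p != in_port]
        if out_port == in_port:
            # Destination is on the port the frame came from: nothing to send.
            return []
        return [out_port]


def demo():
    """Constructed traffic between PC0 and the router on one switch."""
    sw = LearningSwitch(["Fa0/1", "Fa0/2", "Fa0/3"])  # port names are assumed
    pc0, r0 = "aaaa:aaaa:aa10", "oooo:oooo:oo10"
    request = {"src_mac": pc0, "dst_mac": r0, "payload": "IP packet"}
    reply = {"src_mac": r0, "dst_mac": pc0, "payload": "IP packet"}
    before = dict(request)
    results = [
        sw.receive("Fa0/1", request),  # router MAC unknown -> flooded
        sw.receive("Fa0/2", reply),    # PC0 already learned -> Fa0/1 only
        sw.receive("Fa0/1", request),  # router now learned -> Fa0/2 only
    ]
    assert request == before  # the switch never touched the frame contents
    return results, sw.cam


if __name__ == "__main__":
    print(demo())
```

The first result shows that an unknown unicast frame reaches every other port, so any host attached to those ports receives a copy until the destination has been learned.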

As for routers, they just CHECK the IP addresses in the packet. The PACKET's source & destination addresses are not CHANGED / MODIFIED by the router; the router is only a station on the packet's way!

But what routers do CHANGE is the SOURCE & DESTINATION MAC addresses in the FRAME!

MAC addresses are used to forward frames over a local LAN. If a packet arrives at the router, that means it needs to be forwarded to another LAN, outside the LAN of the packet's originator. So, the router changes the SOURCE MAC address to the MAC address of its FORWARDING port, and the DESTINATION MAC address is changed to that of the next station along the way! (It might be another router or the destination device.)

Let's illustrate the way a packet goes from PC0 to PC1.



Let's say PC0 sends traffic to PC1. PC0 will look for the MAC address of PC1 in its MAC address table. (I won't get into the ARP process here, so let's assume the ARP process is already done.)

PC0 will send the packet as follows: SOURCE IP - 10.0.0.2, DESTINATION IP - 20.0.0.2
And what about the MAC addresses in the frame? SOURCE MAC - aaaa:aaaa:aa10, and DESTINATION MAC - oooo:oooo:oo10!

Next, the router receives the packet on its E0/0 interface. It compares the destination MAC address in the frame to the MAC address of the interface that received the frame, and it finds a match. That means this frame is destined for it, so it will decapsulate the frame and forward the packet to the Layer 3 process.

At Layer 3, the router will look at the destination IP address of the packet. Then it will look for a match for it in its routing table. It will find one, through the network 30.0.0.0! So, the router will encapsulate the packet into a frame again, but this time with this MAC information:

Source MAC - oooo:oooo:oo30
Destination MAC - rrrr:rrrr:rr30

You got the point? The MAC addresses are used to forward traffic across a LAN, and IP is used across different LANs and WANs!

R1 will do the same process as R0 did, and will forward this packet out through its E0/0 interface right to the destination! So,

Source MAC address is - rrrr:rrrr:rr30
Destination MAC address is - bbbb:bbbb:bb20.

To sum it all up: note that the IPs remained the same through the whole process! The packet at PC1 still has the same source and destination IP addresses in it. The MAC addresses are always changed when crossing through devices, except switches!!!
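The router steps and the PC0 to PC1 walk-through can be replayed in code. This is an added example, not part of the original post: the MAC and IP addresses are the ones listed above, while the /8 masks, the starting TTL of 64 and the class and function names are assumptions made for the illustration.

```python
import ipaddress
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int

class Router:
    def __init__(self, in_mac, routes):
        self.in_mac = in_mac  # MAC of the receiving interface
        # routes: (network, MAC of forwarding port, MAC of next station)
        self.routes = [(ipaddress.ip_network(n), out, nxt)
                       for n, out, nxt in routes]

    def forward(self, frame):
        """Return the re-encapsulated frame, or None if it is dropped."""
        if frame.dst_mac != self.in_mac:
            return None  # frame is not addressed to this interface
        dst = ipaddress.ip_address(frame.dst_ip)
        matches = [r for r in self.routes if dst in r[0]]
        if not matches:
            return None  # no route entry: discard the packet
        if frame.ttl - 1 <= 0:
            return None  # TTL reached 0: discard the packet
        _, out_mac, next_mac = max(matches, key=lambda r: r[0].prefixlen)
        # Only the Layer 2 addresses and the TTL change; the IPs are untouched.
        return replace(frame, src_mac=out_mac, dst_mac=next_mac,
                       ttl=frame.ttl - 1)

# Addresses are from the walk-through; /8 masks and TTL 64 are assumed.
R0 = Router("oooo:oooo:oo10", [("20.0.0.0/8", "oooo:oooo:oo30", "rrrr:rrrr:rr30")])
R1 = Router("rrrr:rrrr:rr30", [("20.0.0.0/8", "rrrr:rrrr:rr30", "bbbb:bbbb:bb20")])
PC0_FRAME = Frame("aaaa:aaaa:aa10", "oooo:oooo:oo10", "10.0.0.2", "20.0.0.2", 64)

def trace(frame, routers=(R0, R1)):
    """Return the frame as it looks on each link from PC0 towards PC1."""
    hops = [frame]
    for router in routers:
        frame = router.forward(frame)
        if frame is None:
            break  # dropped along the way
        hops.append(frame)
    return hops

if __name__ == "__main__":
    for hop in trace(PC0_FRAME):
        print(hop)
```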

** Get the LAB and start practicing! - Packet LAB