If switches are the workhorses of local networks, routers are the traffic directors of the internet. Every packet crossing network boundaries—whether traveling between offices, data centers, or continents—passes through routers that make intelligent decisions about where to send it next.
Routers operate at Layer 3 (Network Layer), making forwarding decisions based on IP addresses rather than MAC addresses. This higher-layer operation enables capabilities that switches fundamentally cannot provide: inter-network routing, broadcast domain segmentation, and path selection across complex topologies.
Understanding router operation at a deep level is essential for network engineers. While switches create connectivity within networks, routers create connectivity between networks—and that inter-network boundary is where most interesting (and challenging) network design decisions occur.
By completing this page, you will understand how routers build routing tables, make forwarding decisions using longest prefix match, process packets across network boundaries, interact with Layer 2 at each hop, and provide the critical network services that differentiate them from switches.
A router is a Layer 3 networking device that forwards packets between different IP networks based on destination IP addresses and routing table information. Unlike switches that operate within a single broadcast domain, routers interconnect broadcast domains and make decisions about the optimal path for traffic.
Key Characteristics of Routers:
Router Internal Architecture:
┌─────────────────────────────────────────────────────────────────────────────┐
│ ROUTER INTERNAL ARCHITECTURE │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Interface 0 │ │ Interface 1 │ │ Interface 2 │ │ Interface N │ │
│ │ (Ethernet) │ │ (Ethernet) │ │ (Serial) │ │ (WiFi) │ │
│ │ 192.168.1.1 │ │ 10.0.0.1 │ │ 172.16.0.1 │ │ 192.168.50.1 │ │
│ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ └──────┬───────┘ │
│ │ │ │ │ │
│ └─────────────────┴─────────────────┴─────────────────┘ │
│ │ │
│ ┌──────────────┴──────────────┐ │
│ │ ROUTING ENGINE │ │
│ │ ┌───────────────────────┐ │ │
│ │ │ Forwarding Table │ │ ◄── Data Plane │
│ │ │ (FIB - Fast Lookup) │ │ (Hardware ASIC) │
│ │ └───────────────────────┘ │ │
│ │ ┌───────────────────────┐ │ │
│ │ │ Routing Table │ │ ◄── Control Plane │
│ │ │ (RIB - Complete) │ │ (CPU/Software) │
│ │ └───────────────────────┘ │ │
│ └──────────────┬──────────────┘ │
│ │ │
│ ┌──────────────┴──────────────┐ │
│ │ ROUTE PROCESSOR │ │
│ │ - Routing protocol engine │ │
│ │ - BGP, OSPF, EIGRP, RIP │ │
│ │ - Best path selection │ │
│ │ - RIB → FIB compilation │ │
│ └─────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Key Components:
The control plane runs routing protocols, builds routing tables, and handles management (SSH, SNMP). It's CPU-based and relatively slow. The data plane (forwarding plane) actually moves packets—using ASICs for line-rate performance. Modern routers separate these planes for both performance and security.
The routing table (Routing Information Base or RIB) is the router's map of the network. It contains entries that tell the router how to reach various network destinations. Understanding how this table is built is essential to understanding router behavior.
Sources of Routing Information:
Administrative Distance (AD):
When multiple sources provide routes to the same destination, the router uses Administrative Distance to choose the most trustworthy source:
| Route Source | Administrative Distance |
|---|---|
| Connected | 0 |
| Static | 1 |
| EIGRP summary | 5 |
| eBGP | 20 |
| EIGRP (internal) | 90 |
| IGRP | 100 |
| OSPF | 110 |
| IS-IS | 115 |
| RIP | 120 |
| iBGP | 200 |
| Unknown/Unreachable | 255 |
Lower AD = More trusted. If both OSPF (AD=110) and RIP (AD=120) advertise the same network, OSPF wins.
Metric (Cost):
Within a single routing protocol, the metric determines the best path:
Routing Table Structure:
┌─────────────────────────────────────────────────────────────────────────────┐
│ ROUTING TABLE EXAMPLE │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Router# show ip route │
│ │
│ Codes: C - connected, S - static, R - RIP, O - OSPF, B - BGP │
│ │
│ Gateway of last resort is 10.0.0.254 to network 0.0.0.0 │
│ │
│ C 192.168.1.0/24 is directly connected, GigabitEthernet0/0 │
│ C 10.0.0.0/24 is directly connected, GigabitEthernet0/1 │
│ S 172.16.0.0/16 [1/0] via 10.0.0.2 │
│ O 192.168.2.0/24 [110/20] via 10.0.0.3, 00:05:12, GigabitEthernet0/1 │
│ O 192.168.3.0/24 [110/30] via 10.0.0.3, 00:05:12, GigabitEthernet0/1 │
│ B 8.8.8.0/24 [20/0] via 10.0.0.254, 01:23:45 │
│ S* 0.0.0.0/0 [1/0] via 10.0.0.254 │
│ │
│ Key: [Administrative Distance/Metric] │
│ via <next-hop IP> │
│ out <exit interface> │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Each route entry contains:
The default route (0.0.0.0/0) is the "gateway of last resort." When no other route matches a destination, this route is used. It's essential for internet connectivity—without it, the router wouldn't know where to send packets destined for unknown networks.
When a packet arrives at a router, the forwarding decision follows a precise algorithm. The core of this algorithm is the longest prefix match (LPM)—a concept critical to understanding how routers work.
The Forwarding Algorithm:
┌─────────────────────────────────────────────────────────────────────────────┐
│ ROUTER FORWARDING ALGORITHM │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ PACKET ARRIVES ON INTERFACE X: │
│ │
│ 1. VALIDATE PACKET: │
│ └→ Check IP header checksum (drop if invalid) │
│ └→ Check TTL (drop if TTL=0, send ICMP Time Exceeded) │
│ │
│ 2. EXTRACT DESTINATION IP: │
│ └→ Read 32-bit destination IP from IP header │
│ │
│ 3. ROUTING TABLE LOOKUP (Longest Prefix Match): │
│ └→ Compare destination IP against all routing entries │
│ └→ Find ALL matching entries │
│ └→ Select entry with LONGEST prefix (most specific match) │
│ │
│ 4. DETERMINE NEXT HOP: │
│ └→ From matched route, get next-hop IP and exit interface │
│ │
│ 5. DECREMENT TTL: │
│ └→ TTL = TTL - 1 │
│ └→ If TTL becomes 0, drop packet and send ICMP Time Exceeded │
│ │
│ 6. RECALCULATE CHECKSUM: │
│ └→ TTL change requires new IP header checksum │
│ │
│ 7. BUILD NEW LAYER 2 FRAME: │
│ └→ ARP lookup for next-hop IP to get next-hop MAC │
│ └→ Set source MAC = exit interface's MAC │
│ └→ Set destination MAC = next-hop's MAC │
│ │
│ 8. TRANSMIT FRAME: │
│ └→ Encapsulate IP packet in new Ethernet frame │
│ └→ Send out exit interface │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Longest Prefix Match (LPM) Explained:
The routing table may contain multiple entries that match a destination IP. LPM selects the most specific (longest prefix) match:
┌─────────────────────────────────────────────────────────────────────────────┐
│ LONGEST PREFIX MATCH EXAMPLE │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Destination IP: 10.1.2.100 │
│ │
│ Routing table entries: │
│ ┌───────────────────┬─────────────┬────────────────┐ │
│ │ Network │ Prefix Len │ Next Hop │ │
│ ├───────────────────┼─────────────┼────────────────┤ │
│ │ 0.0.0.0/0 │ /0 (0 bits) │ 192.168.1.1 │ ◄ Matches (default) │
│ │ 10.0.0.0/8 │ /8 (8 bits) │ 192.168.1.2 │ ◄ Matches │
│ │ 10.1.0.0/16 │ /16 (16 bits) │ 192.168.1.3 │ ◄ Matches │
│ │ 10.1.2.0/24 │ /24 (24 bits) │ 192.168.1.4 │ ◄ Matches (BEST!) │
│ │ 10.2.0.0/16 │ /16 (16 bits) │ 192.168.1.5 │ Does not match │
│ └───────────────────┴─────────────┴────────────────┘ │
│ │
│ Winner: 10.1.2.0/24 → Next hop 192.168.1.4 │
│ Why: /24 is the longest matching prefix (most specific route) │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Why LPM Matters:
LPM enables hierarchical routing and route aggregation:
The internet routing table contains ~900,000 prefixes of varying lengths. LPM hardware (TCAM) can perform lookups against all prefixes in parallel, finding the longest match in constant time—essential for gigabit/terabit routing performance.
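To make the two selection steps concrete, here is an added Python example (not code from the page) that installs the LPM table above into a RIB together with two deliberately competing routes, collapses it into a FIB by administrative distance and metric, and then answers lookups with longest prefix match. The AD values are the ones in the table earlier on this page; the route sources, metrics and the extra competing routes are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Administrative distances as given in the table earlier on this page.
ADMIN_DISTANCE = {
    "connected": 0, "static": 1, "eigrp_summary": 5, "ebgp": 20, "eigrp": 90,
    "igrp": 100, "ospf": 110, "isis": 115, "rip": 120, "ibgp": 200,
}


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str          # key into ADMIN_DISTANCE
    metric: int = 0      # protocol-specific cost; only comparable within one source

    @property
    def ad(self) -> int:
        return ADMIN_DISTANCE[self.source]


def build_fib(rib: List[Route]) -> Dict[ipaddress.IPv4Network, Route]:
    """RIB -> FIB: keep one best route per exact prefix.

    Candidates for the same prefix are ranked by (AD, metric): the most trusted
    source wins first; the metric only breaks ties between routes from the same
    source, which is the only case in which metrics are comparable at all.
    """
    best: Dict[ipaddress.IPv4Network, Route] = {}
    for route in rib:
        current = best.get(route.prefix)
        if current is None or (route.ad, route.metric) < (current.ad, current.metric):
            best[route.prefix] = route
    return best


def lookup(fib: Dict[ipaddress.IPv4Network, Route], dst: str) -> Optional[Route]:
    """Longest prefix match: of every FIB prefix containing dst, return the longest.

    LPM runs over the FIB *after* AD/metric selection, so a /24 learned from RIP
    still beats a /16 learned from OSPF for hosts inside that /24: AD never
    compares routes of different prefix lengths.
    """
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for prefix, r in fib.items() if addr in prefix]
    if not candidates:
        return None  # nothing matches and no default route: the packet is dropped
    return max(candidates, key=lambda r: r.prefix.prefixlen)


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


# Constructed RIB: the page's LPM table plus two competing routes that must lose.
SAMPLE_RIB = [
    Route(net("0.0.0.0/0"),   "192.168.1.1", "static"),
    Route(net("10.0.0.0/8"),  "192.168.1.2", "ebgp"),
    Route(net("10.1.0.0/16"), "192.168.1.3", "ospf", metric=20),
    Route(net("10.1.0.0/16"), "192.168.1.8", "ospf", metric=50),   # same source, worse metric
    Route(net("10.1.2.0/24"), "192.168.1.4", "ospf", metric=30),
    Route(net("10.1.2.0/24"), "192.168.1.9", "rip",  metric=2),    # less trusted source (AD 120)
    Route(net("10.2.0.0/16"), "192.168.1.5", "ospf", metric=20),
]


def next_hop_for(dst: str, rib: List[Route] = SAMPLE_RIB) -> Optional[str]:
    route = lookup(build_fib(rib), dst)
    return route.next_hop if route else None


if __name__ == "__main__":
    for dst in ("10.1.2.100", "10.1.5.1", "10.9.9.9", "8.8.8.8"):
        print(dst, "->", next_hop_for(dst))
```

The order of the two steps is the point: AD and metric only ever compare routes for the same prefix, and LPM then runs over the winners, so a more specific prefix from a less trusted source still takes the traffic. A lookup that matches nothing returns None, which is exactly the case the default route exists to avoid.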
Unlike Layer 2 switches that rely on Spanning Tree Protocol to prevent loops, routers use the Time to Live (TTL) field as their primary loop prevention mechanism.
TTL Operation:
The TTL field is an 8-bit value (0-255) in the IP header. It represents the maximum number of hops a packet can traverse:
┌─────────────────────────────────────────────────────────────────────────────┐
│ TTL MECHANISM │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ 1. Source host sets initial TTL (typically 64, 128, or 255) │
│ │
│ 2. At each router: │
│ a. Receive packet │
│ b. Check TTL value │
│ - If TTL > 1: Decrement TTL, forward packet │
│ - If TTL = 1: Decrement to 0, DROP packet, send ICMP │
│ - If TTL = 0: DROP packet immediately (should never receive) │
│ │
│ 3. If dropped due to TTL expiry: │
│ └→ Send ICMP Type 11 (Time Exceeded) to source IP │
│ └→ Include first 64 bits of original packet's data │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Loop Prevention via TTL:
If a routing loop exists (packets circle endlessly between routers), TTL prevents infinite loops:
┌─────────────────────────────────────────────────────────────────────────────┐
│ ROUTING LOOP WITH TTL │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Router A thinks: "To reach 10.5.0.0, send to Router B" │
│ Router B thinks: "To reach 10.5.0.0, send to Router A" ← LOOP! │
│ │
│ Packet with TTL=64: │
│ Host → A (TTL=63) → B (TTL=62) → A (TTL=61) → B (TTL=60) → ... │
│ ... → A (TTL=1) → B (TTL=0) → DROP + ICMP Time Exceeded │
│ │
│ Without TTL: Packet would loop forever, consuming bandwidth │
│ With TTL: Packet is automatically discarded after 64 hops │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
TTL Uses Beyond Loop Prevention:
Why This Differs from Layer 2:
Switches have no TTL mechanism in Ethernet frames. A Layer 2 loop causes frames to circulate indefinitely, amplifying each iteration:
| Layer | Loop Prevention | Detection Time | Traffic Impact |
|---|---|---|---|
| Layer 2 | STP (blocks ports) | Seconds to minutes | Broadcast storm until STP converges |
| Layer 3 | TTL (per-packet) | Immediate (per packet) | Limited to TTL × bandwidth |
Layer 3's TTL approach is inherently more robust—each packet protects itself, requiring no coordination between routers.
Attackers can craft packets with low TTL values that expire at target routers, forcing them to generate ICMP responses. This can be used for reconnaissance (mapping network topology) or as a DoS vector (exhausting router CPU). Rate-limiting ICMP generation mitigates this.
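The header-handling steps of the forwarding algorithm (validate the checksum, decrement TTL, recompute the checksum), the TTL expiry behaviour above, and the ICMP rate limit named as the mitigation can be shown together in one added Python example. It is not code from the page: it builds its own constructed IPv4 packet, and the token-bucket rate and burst values and the action names are assumptions made for the example.

```python
import ipaddress
import struct
import time
from typing import Callable, Optional, Tuple


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words.

    To *compute* a checksum, call with the checksum field zeroed. To *verify*
    one, call with the field in place: a valid header yields 0.
    """
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_packet(src: str, dst: str, ttl: int, payload: bytes = b"", proto: int = 17) -> bytes:
    """Constructed sample: a minimal 20-byte IPv4 header (no options) plus payload."""
    header = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | 5,                  # version 4, IHL 5 words
        0, 20 + len(payload),          # DSCP/ECN, total length
        0x1234, 0,                     # identification, flags/fragment offset
        ttl, proto, 0,                 # TTL, protocol, checksum placeholder
        ipaddress.IPv4Address(src).packed,
        ipaddress.IPv4Address(dst).packed,
    )
    checksum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", checksum) + header[12:] + payload


class TokenBucket:
    """Rate limiter for ICMP generation: `rate` messages/second, burst of `capacity`.

    The clock is injectable so the behaviour can be tested deterministically.
    """
    def __init__(self, rate: float, capacity: int, now: Callable[[], float] = time.monotonic):
        self.rate, self.capacity, self.now = rate, capacity, now
        self.tokens = float(capacity)
        self.last = now()

    def allow(self) -> bool:
        t = self.now()
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def process_packet(packet: bytes, icmp_limiter: TokenBucket) -> Tuple[str, Optional[bytes]]:
    """Steps 1, 5 and 6 of the forwarding algorithm (LPM and the L2 rewrite are separate).

    Returns (action, packet_to_forward). Actions:
      forward            header valid, TTL decremented, checksum recomputed
      drop_malformed     not IPv4 or truncated header
      drop_bad_checksum  header checksum failed (step 1)
      drop_ttl_icmp      TTL expired; ICMP Time Exceeded would be sent
      drop_ttl_silent    TTL expired; ICMP suppressed by the rate limiter
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop_malformed", None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return "drop_malformed", None
    header, payload = packet[:ihl], packet[ihl:]
    if ipv4_checksum(header) != 0:
        return "drop_bad_checksum", None
    ttl = header[8]
    if ttl <= 1:
        # TTL 1 becomes 0 here; TTL 0 should never arrive but is treated the same.
        # Generating the ICMP message costs CPU, so it goes through the limiter.
        return ("drop_ttl_icmp" if icmp_limiter.allow() else "drop_ttl_silent"), None
    new_header = bytearray(header)
    new_header[8] = ttl - 1
    new_header[10:12] = b"\x00\x00"      # zero the field, then recompute over the new header
    struct.pack_into("!H", new_header, 10, ipv4_checksum(bytes(new_header)))
    return "forward", bytes(new_header) + payload


def hops_until_expiry(packet: bytes) -> int:
    """Push one packet through an unbounded chain of routers (a routing loop from the
    packet's point of view) and count how often it is forwarded before TTL discards it."""
    limiter = TokenBucket(rate=10, capacity=10)
    hops = 0
    while True:
        action, packet = process_packet(packet, limiter)
        if action != "forward":
            return hops
        hops += 1
```

`hops_until_expiry` returns 63 for an initial TTL of 64: the 64th router is the one that discards the packet, matching the loop diagram above. Whether that router also emits ICMP Time Exceeded is decided by the token bucket, so a burst of expiring packets costs at most `capacity` ICMP messages up front and `rate` per second afterwards, which bounds the CPU an attacker can consume this way. The checksum is recomputed in full here; RFC 1624 describes the incremental update real forwarding paths use.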
One of the most critical concepts in understanding router operation is how Layer 3 routing and Layer 2 switching interact at each hop. The IP addresses remain constant end-to-end, but MAC addresses change at every router.
The Hop-by-Hop Reality:
┌─────────────────────────────────────────────────────────────────────────────┐
│ PACKET JOURNEY ACROSS ROUTERS │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Source: PC-A (192.168.1.10, MAC: AA:AA:AA:AA:AA:AA) │
│ Dest: PC-B (10.0.0.50, MAC: BB:BB:BB:BB:BB:BB) │
│ │
│ SEGMENT 1: PC-A to Router-1 │
│ ┌────────────────────────────────────────────────────────────────┐ │
│ │ Ethernet Header: │ │
│ │ Src MAC: AA:AA:AA:AA:AA:AA (PC-A) │ │
│ │ Dst MAC: R1:R1:R1:R1:R1:R1 (Router-1 interface) │ │
│ │ IP Header: │ │
│ │ Src IP: 192.168.1.10 (stays constant) │ │
│ │ Dst IP: 10.0.0.50 (stays constant) │ │
│ │ TTL: 64 │ │
│ └────────────────────────────────────────────────────────────────┘ │
│ │
│ SEGMENT 2: Router-1 to Router-2 │
│ ┌────────────────────────────────────────────────────────────────┐ │
│ │ Ethernet Header: ← COMPLETELY NEW! │ │
│ │ Src MAC: R1:R1:R1:R1:R1:R2 (Router-1 exit interface) │ │
│ │ Dst MAC: R2:R2:R2:R2:R2:R1 (Router-2 interface) │ │
│ │ IP Header: │ │
│ │ Src IP: 192.168.1.10 (unchanged) │ │
│ │ Dst IP: 10.0.0.50 (unchanged) │ │
│ │ TTL: 63 (decremented) │ │
│ └────────────────────────────────────────────────────────────────┘ │
│ │
│ SEGMENT 3: Router-2 to PC-B │
│ ┌────────────────────────────────────────────────────────────────┐ │
│ │ Ethernet Header: ← COMPLETELY NEW AGAIN! │ │
│ │ Src MAC: R2:R2:R2:R2:R2:R2 (Router-2 exit interface) │ │
│ │ Dst MAC: BB:BB:BB:BB:BB:BB (PC-B) │ │
│ │ IP Header: │ │
│ │ Src IP: 192.168.1.10 (unchanged) │ │
│ │ Dst IP: 10.0.0.50 (unchanged) │ │
│ │ TTL: 62 (decremented again) │ │
│ └────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
ARP at Every Hop:
To build each new Layer 2 header, routers use ARP (Address Resolution Protocol) to find the next-hop's MAC address:
┌─────────────────────────────────────────────────────────────────────────────┐
│ ROUTER ARP BEHAVIOR │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Router determines next-hop IP from routing table (e.g., 10.0.0.2) │
│ │
│ 1. Check ARP cache for 10.0.0.2: │
│ - If FOUND: Use cached MAC address │
│ - If NOT FOUND: Send ARP request, wait for reply │
│ │
│ 2. Once MAC is known: │
│ - Build Ethernet header with next-hop's MAC as destination │
│ - Encapsulate IP packet │
│ - Transmit frame │
│ │
│ ARP Cache (example): │
│ ┌──────────────────┬───────────────────┬────────────┐ │
│ │ IP Address │ MAC Address │ Interface │ │
│ ├──────────────────┼───────────────────┼────────────┤ │
│ │ 10.0.0.2 │ AA:BB:CC:11:22:33 │ Gi0/1 │ │
│ │ 10.0.0.3 │ AA:BB:CC:44:55:66 │ Gi0/1 │ │
│ │ 192.168.1.10 │ AA:AA:AA:AA:AA:AA │ Gi0/0 │ │
│ └──────────────────┴───────────────────┴────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Proxy ARP:
In some configurations, routers perform Proxy ARP—responding to ARP requests on behalf of hosts on other networks. This allows hosts without proper default gateway configuration to reach external networks, though it's generally discouraged in modern networks.
IP addresses are for end-to-end identification; MAC addresses are for hop-to-hop delivery. A router's job is to use IP addresses to determine the path, then use MAC addresses to actually move the packet to the next hop. This separation is what enables internet-scale routing.
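An added Python simulation (not code from the page) of the three-segment journey above, with a per-node ARP cache. The transit link between Router-1 and Router-2 (172.16.0.0/30), the interface names and all MAC addresses are assumptions; the page's diagram uses placeholder MACs such as R1:R1:R1:R1:R1:R1, which are not valid hex.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple


class Node:
    """A host or router: interfaces, a routing table and a per-node ARP cache."""

    def __init__(self, name: str, interfaces: Dict[str, Tuple[str, str]],
                 routes: List[Tuple[str, Optional[str], str]], is_router: bool):
        self.name = name
        # ifname -> (IPv4Interface, MAC)
        self.interfaces = {n: (ipaddress.ip_interface(ip), mac) for n, (ip, mac) in interfaces.items()}
        # (prefix, next_hop or None when directly connected, exit interface)
        self.routes = [(ipaddress.ip_network(p), nh, ifn) for p, nh, ifn in routes]
        self.is_router = is_router
        self.arp_cache: Dict[str, str] = {}
        self.arp_requests = 0

    def lookup(self, dst_ip: str):
        addr = ipaddress.IPv4Address(dst_ip)
        matches = [r for r in self.routes if addr in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def resolve_mac(self, ip: str, segment: Dict[str, str]) -> str:
        """ARP: answer from cache, else 'send a request' and cache the reply.
        `segment` is a constructed stand-in for the replies hosts on the wire would give."""
        if ip not in self.arp_cache:
            self.arp_requests += 1
            self.arp_cache[ip] = segment[ip]
        return self.arp_cache[ip]

    def emit(self, packet: dict, segment: Dict[str, str]) -> Optional[dict]:
        """Build the Layer 2 frame for the next hop; returns None if unroutable."""
        route = self.lookup(packet["dst_ip"])
        if route is None:
            return None
        _, next_hop, ifname = route
        if_mac = self.interfaces[ifname][1]
        # Connected route: ARP for the destination itself. Otherwise ARP for the
        # next hop, never for the final destination, which is on another segment.
        arp_target = next_hop or packet["dst_ip"]
        ttl = packet["ttl"] - 1 if self.is_router else packet["ttl"]   # hosts do not decrement
        return {
            "hop": self.name, "out_if": ifname,
            "src_mac": if_mac, "dst_mac": self.resolve_mac(arp_target, segment),
            "src_ip": packet["src_ip"], "dst_ip": packet["dst_ip"], "ttl": ttl,
        }


# Constructed topology after the page's three-segment journey. The transit link
# 172.16.0.0/30 between the routers and all MAC addresses are assumptions.
SEGMENT = {  # IP -> MAC as the owning interface would answer an ARP request
    "192.168.1.10": "aa:aa:aa:aa:aa:aa", "192.168.1.1": "02:00:00:00:01:00",
    "172.16.0.1": "02:00:00:00:01:01", "172.16.0.2": "02:00:00:00:02:00",
    "10.0.0.1": "02:00:00:00:02:01", "10.0.0.50": "bb:bb:bb:bb:bb:bb",
}

PC_A = Node("PC-A", {"eth0": ("192.168.1.10/24", "aa:aa:aa:aa:aa:aa")},
            [("192.168.1.0/24", None, "eth0"), ("0.0.0.0/0", "192.168.1.1", "eth0")], is_router=False)
R1 = Node("Router-1", {"Gi0/0": ("192.168.1.1/24", "02:00:00:00:01:00"),
                       "Gi0/1": ("172.16.0.1/30", "02:00:00:00:01:01")},
          [("192.168.1.0/24", None, "Gi0/0"), ("172.16.0.0/30", None, "Gi0/1"),
           ("10.0.0.0/24", "172.16.0.2", "Gi0/1")], is_router=True)
R2 = Node("Router-2", {"Gi0/0": ("172.16.0.2/30", "02:00:00:00:02:00"),
                       "Gi0/1": ("10.0.0.1/24", "02:00:00:00:02:01")},
          [("172.16.0.0/30", None, "Gi0/0"), ("10.0.0.0/24", None, "Gi0/1"),
           ("192.168.1.0/24", "172.16.0.1", "Gi0/0")], is_router=True)


def journey(path: List[Node], src_ip: str, dst_ip: str, ttl: int = 64) -> List[dict]:
    """Walk a packet hop by hop and return the frame seen on each segment."""
    packet = {"src_ip": src_ip, "dst_ip": dst_ip, "ttl": ttl}
    frames = []
    for node in path:
        frame = node.emit(packet, SEGMENT)
        if frame is None:
            break
        frames.append(frame)
        packet = {"src_ip": frame["src_ip"], "dst_ip": frame["dst_ip"], "ttl": frame["ttl"]}
    return frames


if __name__ == "__main__":
    for f in journey([PC_A, R1, R2], "192.168.1.10", "10.0.0.50"):
        print(f"{f['hop']:>8} via {f['out_if']}: {f['src_mac']} -> {f['dst_mac']}  "
              f"IP {f['src_ip']} -> {f['dst_ip']}  TTL {f['ttl']}")
```

Each hop ARPs for the next-hop IP from its own routing table, or for the destination itself when the route is directly connected, so Router-1 never learns PC-B's MAC at all. A second packet along the same path generates no further ARP requests because every node answers from its cache; the IP header is the only thing the three frames have in common.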
A defining characteristic of routers—and a key difference from switches—is how they handle broadcast traffic.
Routers Do NOT Forward Broadcasts:
When a router receives a packet destined for a broadcast address, it does not forward that packet to other interfaces. This behavior is fundamental and critical for network scalability.
┌─────────────────────────────────────────────────────────────────────────────┐
│ BROADCAST BEHAVIOR AT ROUTER │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Broadcast packet arrives: Dst IP = 255.255.255.255 │
│ │
│ Router action: │
│ 1. Accept packet (if destined to this router) │
│ 2. Process locally if applicable (e.g., DHCP relay) │
│ 3. DO NOT FORWARD to other interfaces │
│ │
│ ┌────────────────────────────────────────────────────────────────┐ │
│ │ Subnet A Subnet B │ │
│ │ 192.168.1.0/24 10.0.0.0/24 │ │
│ │ │ │ │ │
│ │ │ ┌──────────┐ │ │ │
│ │ └─────────│ ROUTER │──────────┘ │ │
│ │ └──────────┘ │ │
│ │ │ │
│ │ Broadcast in Subnet A: NEVER reaches Subnet B │ │
│ │ Broadcast in Subnet B: NEVER reaches Subnet A │ │
│ │ │ │
│ └────────────────────────────────────────────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Why This Matters:
This broadcast-blocking behavior makes routers essential for:
DHCP Relay (Helper Address):
Since routers block broadcasts, DHCP requests (which are broadcasts) can't reach DHCP servers on other subnets. DHCP Relay (or IP helper-address) solves this:
┌─────────────────────────────────────────────────────────────────────────────┐
│ DHCP RELAY OPERATION │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ 1. Client broadcasts DHCP Discover (Dst: 255.255.255.255) │
│ 2. Router receives broadcast on local interface │
│ 3. Router sees it's a DHCP packet AND has helper-address configured │
│ 4. Router CONVERTS broadcast to unicast: │
│ - Changes destination to DHCP server IP (helper-address) │
│ - Adds relay agent information (giaddr = client's subnet) │
│ 5. Router forwards as regular unicast to DHCP server │
│ 6. DHCP server responds to router (using giaddr) │
│ 7. Router relays response to client (broadcast or unicast) │
│ │
│ Configuration: │
│ interface GigabitEthernet0/0 │
│ ip address 192.168.1.1 255.255.255.0 │
│ ip helper-address 10.0.0.100 ← DHCP server │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
Multicast Handling:
Unlike broadcasts, routers can forward multicast—but only with explicit configuration of multicast routing protocols (PIM, IGMP, etc.).
| Traffic Type | Switch Behavior | Router Behavior |
|---|---|---|
| Unicast | Forward to learned port | Route based on IP |
| Broadcast | Flood all ports | Block (do not forward) |
| Multicast | Flood (or IGMP snoop) | Forward if multicast routing enabled |
Multicast routing is complex, requiring protocols like:
Use routed boundaries to control broadcast domains. As a rule of thumb: every VLAN should have a corresponding subnet, bounded by a routed interface. This provides both L2 segmentation (via VLANs) and L3 isolation (via routing).
Routers provide many services beyond basic packet forwarding. These additional capabilities are key differentiators from switches.
Access Control Lists (ACLs):
ACLs filter traffic based on Layer 3/4 criteria:
┌─────────────────────────────────────────────────────────────────────────────┐
│ ACCESS CONTROL LISTS │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Standard ACL (filter by source IP only): │
│ access-list 10 permit 192.168.1.0 0.0.0.255 │
│ access-list 10 deny any │
│ │
│ Extended ACL (filter by source, destination, protocol, ports): │
│ access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80 │
│ access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443 │
│ access-list 101 deny ip any any │
│ │
│ Applied to interface: │
│ interface GigabitEthernet0/1 │
│ ip access-group 101 in ← Filter inbound traffic │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
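An added Python evaluator (not code from the page) that parses the standard and extended access-list lines shown above and evaluates packets against them with IOS wildcard-mask semantics, first match wins, and the implicit deny at the end of every list. ACL 20 and the packets in the checks are constructed; only the `eq` port operator is handled, and named ports and the `range`/`gt`/`lt` operators are out of scope.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

AddrSpec = Tuple[int, int]  # (base address, wildcard mask) as 32-bit ints
ANY: AddrSpec = (0, 0xFFFFFFFF)


def ip2int(s: str) -> int:
    return int(ipaddress.IPv4Address(s))


def is_ip(tok: str) -> bool:
    try:
        ipaddress.IPv4Address(tok)
        return True
    except ValueError:
        return False


def matches(addr: int, spec: AddrSpec) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard means 'don't care'."""
    base, wildcard = spec
    return ((addr ^ base) & ~wildcard & 0xFFFFFFFF) == 0


@dataclass
class Entry:
    action: str                 # permit | deny
    proto: str                  # ip | tcp | udp | icmp ("ip" matches every protocol)
    src: AddrSpec
    dst: AddrSpec
    sport: Optional[int] = None
    dport: Optional[int] = None


def parse_addr(tokens: List[str], i: int) -> Tuple[AddrSpec, int]:
    """Consume 'any' | 'host A' | 'A W' | 'A' (bare host address in a standard ACL)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return (ip2int(tokens[i + 1]), 0), i + 2
    base = ip2int(tok)
    if i + 1 < len(tokens) and is_ip(tokens[i + 1]):
        return (base, ip2int(tokens[i + 1])), i + 2
    return (base, 0), i + 1


def parse_port(tokens: List[str], i: int) -> Tuple[Optional[int], int]:
    """Consume an optional 'eq N' (only the equality operator is handled here)."""
    if i < len(tokens) and tokens[i] == "eq":
        return int(tokens[i + 1]), i + 2
    return None, i


def parse_acls(text: str) -> Dict[int, List[Entry]]:
    acls: Dict[int, List[Entry]] = {}
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] != "access-list":
            continue
        number, action = int(tokens[1]), tokens[2]
        standard = 1 <= number <= 99 or 1300 <= number <= 1999
        if standard:                              # source address only, any protocol
            src, _ = parse_addr(tokens, 3)
            entry = Entry(action, "ip", src, ANY)
        else:
            proto = tokens[3]
            src, i = parse_addr(tokens, 4)
            sport, i = parse_port(tokens, i)
            dst, i = parse_addr(tokens, i)
            dport, i = parse_port(tokens, i)
            entry = Entry(action, proto, src, dst, sport, dport)
        acls.setdefault(number, []).append(entry)
    return acls


def evaluate(entries: List[Entry], src: str, dst: str, proto: str = "ip",
             sport: Optional[int] = None, dport: Optional[int] = None) -> str:
    """First matching entry wins; a packet that matches nothing hits the implicit deny."""
    s, d = ip2int(src), ip2int(dst)
    for e in entries:
        if e.proto != "ip" and e.proto != proto:
            continue
        if not (matches(s, e.src) and matches(d, e.dst)):
            continue
        if e.sport is not None and e.sport != sport:
            continue
        if e.dport is not None and e.dport != dport:
            continue
        return e.action
    return "deny"


# The page's ACL lines, plus a constructed ACL 20 that relies on the implicit deny.
SAMPLE_CONFIG = """
access-list 10 permit 192.168.1.0 0.0.0.255
access-list 10 deny any
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 80
access-list 101 permit tcp 192.168.1.0 0.0.0.255 any eq 443
access-list 101 deny ip any any
access-list 20 permit host 192.168.1.5
"""
ACLS = parse_acls(SAMPLE_CONFIG)
```

The implicit deny is the part that catches people: ACL 20 lists a single permit and still drops every other source once applied, so the explicit `deny any` in ACL 10 changes nothing about what is dropped, only about what shows up in hit counters and logs. Note also that `ip` as the protocol matches any transport, so `deny ip any any` ends a list regardless of what is written after it.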
ACLs enable:
Network Address Translation (NAT):
NAT translates between private (internal) and public (external) IP addresses:
┌─────────────────────────────────────────────────────────────────────────────┐
│ NAT OPERATION │
├─────────────────────────────────────────────────────────────────────────────┤
│ │
│ Inside Network Router (NAT) Outside Network │
│ 192.168.1.0/24 Internet │
│ │
│ PC: 192.168.1.10 ──► [Src: 192.168.1.10] ──► [Src: 203.0.113.5] ──► Web │
│ [Dst: 8.8.8.8] [Dst: 8.8.8.8] │
│ │
│ NAT Translation Table: │
│ ┌───────────────────────────────────────────────────────────────┐ │
│ │ Inside Local │ Inside Global │ Protocol:Ports │ │
│ │ 192.168.1.10:5000 │ 203.0.113.5:1024 │ TCP │ │
│ │ 192.168.1.11:6000 │ 203.0.113.5:1025 │ TCP │ │
│ └───────────────────────────────────────────────────────────────┘ │
│ │
│ Response from web server: │
│ [Dst: 203.0.113.5:1024] ──► Router reverses translation │
│ [Dst: 192.168.1.10:5000] ──► PC receives response │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
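An added Python model (not code from the page) of the translation table above for port address translation: each outbound flow gets its own inside-global port, replies are mapped back through that port, and an inbound packet with no table entry is dropped. The inside global address is the page's 203.0.113.5; the port range, the destination ports and the unsolicited inbound packet are constructed.

```python
from typing import Dict, Optional, Tuple

FlowKey = Tuple[str, int, str]   # (inside local IP, inside local port, protocol)


class PatTable:
    """Port Address Translation (NAT overload): many inside locals share one inside global."""

    def __init__(self, inside_global: str, first_port: int = 1024, last_port: int = 65535):
        self.inside_global = inside_global
        self.free_ports = list(range(first_port, last_port + 1))
        self.outbound: Dict[FlowKey, int] = {}                      # local flow -> global port
        self.inbound: Dict[Tuple[int, str], Tuple[str, int]] = {}  # (global port, proto) -> local

    def translate_outbound(self, pkt: dict) -> Optional[dict]:
        """Rewrite the source IP:port of an inside->outside packet, creating state on first sight."""
        key = (pkt["src"], pkt["sport"], pkt["proto"])
        if key not in self.outbound:
            if not self.free_ports:
                return None                        # port pool exhausted: drop
            gport = self.free_ports.pop(0)
            self.outbound[key] = gport
            self.inbound[(gport, pkt["proto"])] = (pkt["src"], pkt["sport"])
        return {**pkt, "src": self.inside_global, "sport": self.outbound[key]}

    def translate_inbound(self, pkt: dict) -> Optional[dict]:
        """Reverse the translation for an outside->inside packet; no state means drop.
        This is why an unsolicited connection from outside never reaches an inside host."""
        if pkt["dst"] != self.inside_global:
            return None
        local = self.inbound.get((pkt["dport"], pkt["proto"]))
        if local is None:
            return None
        local_ip, local_port = local
        return {**pkt, "dst": local_ip, "dport": local_port}


def demo() -> Tuple[dict, dict, dict, Optional[dict]]:
    """Walk the two flows from the page's table plus one constructed unsolicited inbound packet."""
    nat = PatTable("203.0.113.5")
    out1 = nat.translate_outbound({"src": "192.168.1.10", "sport": 5000,
                                   "dst": "8.8.8.8", "dport": 443, "proto": "tcp"})
    out2 = nat.translate_outbound({"src": "192.168.1.11", "sport": 6000,
                                   "dst": "8.8.8.8", "dport": 443, "proto": "tcp"})
    reply = nat.translate_inbound({"src": "8.8.8.8", "sport": 443, "dst": "203.0.113.5",
                                   "dport": out1["sport"], "proto": "tcp"})
    unsolicited = nat.translate_inbound({"src": "198.51.100.7", "sport": 4444, "dst": "203.0.113.5",
                                         "dport": 1026, "proto": "tcp"})
    return out1, out2, reply, unsolicited


if __name__ == "__main__":
    for label, pkt in zip(("out1", "out2", "reply", "unsolicited"), demo()):
        print(label, pkt)
```

The mapping is keyed only by inside local address, port and protocol, which matches the table as drawn on the page. Real implementations differ in whether the outside endpoint is also part of the key and in how idle entries time out; both decide whether an inbound packet from a different outside host can ride an existing mapping, so the "drop if no state" rule is a side effect of the table, not a firewall policy.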
Quality of Service (QoS):
Routers can prioritize traffic based on classification:
Other Router Services:
Traditional switches operate at Layer 2 and don't examine IP headers. They can't filter by IP address, perform NAT, or classify traffic by application. This is why routers remain essential even in networks with sophisticated Layer 3 switches.
This page has provided a comprehensive examination of how routers operate at Layer 3. Understanding these mechanisms reveals why routers are essential for inter-network communication and how they complement switches in network design.
You now understand how routers make forwarding decisions, build routing tables, handle broadcasts, and provide Layer 3 services. This knowledge prepares you to make informed decisions about when to use switches versus routers.
Next: We'll synthesize switch and router knowledge to answer the critical design question: When to Use Each. You'll learn the decision framework for choosing between Layer 2 and Layer 3 approaches in various network scenarios.