Switching Question

Rearden Member Posts: 222
I'm a bit confused on part of the operation of clients and switches. When a client has data that it wants to send to a remote web server, it knows that web server's IP address, and nothing more. Since this web server is not on the same subnet as the client, the client says 'okay, I need to send this to the default gateway' and since I know the IP of the gateway, I can just send it there. So, what happens?

Is the layer 2 address changed to that of the gateway router? Is the layer 3 address changed from that of the webserver to that of the router? It seems more likely to me that it's the layer 2 address since we most likely don't know the MAC of the web server to start with.

What does this have to do with switching, you might ask? Well, the question arose when I started considering the concept in the operation of a switch receiving a unicast address, how if it receives a packet for an unknown MAC, it forwards it out all interfaces aside from the one that it came in on. Since I know that packet sniffing other people's traffic is impossible without ARP poisoning, I'm trying to figure out what MAC our imaginary frame has when it reaches the switch.
More systems have been wiped out by admins than any cracker could do in a lifetime.

Comments

  • bmauro Member Posts: 307
    Alright - I haven't done this in a while so hopefully I'll either get this right or someone will correct me :D

    If PC1 wants to send a packet to PC2, but PC2 is on another network, and the two have NEVER communicated before, first PC1 will send an ARP request. This request is a broadcast to all devices on the LAN segment; since PC2 is on another network, the Router will respond to this request with ITS OWN MAC address.

    Once PC1 has the MAC address of the Router it encapsulates the IP Packet into an Ethernet frame with the Router's MAC address in the destination field. The frame is forwarded from PC1 - then through the switch - and at this point the switch looks the destination MAC address up in its MAC table and sees an entry and forwards the frame out the correct interface. The frame was UNTOUCHED by the switch.

    Once the Router receives the frame, it tears the Ethernet header and trailer away (the part added during the encapsulation stage) and extracts the IP Packet. With this packet in hand the Router sees what network it is destined for and looks up the IP address in its routing table. If there is NOT a match found and no default route defined then the IP Packet is discarded. If there is a match the Router then encapsulates the IP Packet again according to the correct protocol defined on the exiting interface (HDLC, PPP, Frame Relay).

    Hope that's right, and I hope that helps!!!
  • Kaminsky Member Posts: 1,235
    I am a bit confused about this as well.

    I understand what bmauro wrote on how it gets to the router. What happens then?

    If the ultimate destination is on a server the other side of the planet how does it get from your local router to there and then back again?

    I imagine your routes for unknown destinations would eventually lead out of your organisation to your ISP. Then what?

    I don't think this is on my ccna but if someone could explain just for my personal understanding of the whole process I would appreciate it.
    Kam.
  • bmauro Member Posts: 307
    If you are trying to get to a server on the other side of the planet, and your router gets the packet, but does NOT have a route to that network, and does NOT have a default network or default route configured, then the router drops the packet.

    Now on the other hand - if your router has some sort of default route configured and a packet arrives with an unknown destination - it will probably be forwarded to the ISP, and their routing tables contain 100,000's of entries. That would probably fall into BGP category which I'm not too familiar with.
  • dissolved Inactive Imported Users Posts: 228
    Rearden wrote:
    I'm a bit confused on part of the operation of clients and switches. When a client has data that it wants to send to a remote web server, it knows that web server's IP address, and nothing more. Since this web server is not on the same subnet as the client, the client says 'okay, I need to send this to the default gateway' and since I know the IP of the gateway, I can just send it there. So, what happens?

    Is the layer 2 address changed to that of the gateway router? Is the layer 3 address changed from that of the webserver to that of the router? It seems more likely to me that it's the layer 2 address since we most likely don't know the MAC of the web server to start with.

    What does this have to do with switching, you might ask? Well, the question arose when I started considering the concept in the operation of a switch receiving a unicast address, how if it receives a packet for an unknown MAC, it forwards it out all interfaces aside from the one that it came in on. Since I know that packet sniffing other people's traffic is impossible without ARP poisoning, I'm trying to figure out what MAC our imaginary frame has when it reaches the switch.

    MAC addresses generally do not leave the subnet.

    When a PC has a frame it wants to send, the PC looks in its own routing table for the information on what to do. It sees the default gateway and forwards the frame to the gateway (may do an ARP request first). Upon receiving it, the default gateway examines the IP header, looks in its own routing table and makes a decision on what to do. The router will not touch layer 3 information (ie: IP) unless it is performing NAT translation. When the packet reaches the webserver, the source MAC address on the packet will be the webserver's default gateway MAC.
  • dissolved Inactive Imported Users Posts: 228
    example:


    client PC (10.10.1.2 aa:aa:aa)
    |
    |
    |
    client gateway (10.10.1.1 bb:bb:bb)
    |
    |
    |
    |
    webserver gateway (192.168.1.1 cc:cc:cc)
    |
    |
    |
    webserver (192.168.1.2 dd:dd:dd)


    When the client sends the packet, the source IP will be 10.10.1.2 and the source MAC will be aa:aa:aa

    The destination IP will be 192.168.1.2 and the destination MAC will be bb:bb:bb


    When the packet reaches the webserver, it will have a source IP of 10.10.1.2 and a source MAC address of cc:cc:cc

    The destination IP will be 192.168.1.2 and the destination MAC address will be dd:dd:dd


    Every time a packet crosses a layer 3 device, it is re-framed.
  • DirtySouth Member Posts: 314 ■□□□□□□□□□
    That's an awesome explanation, dissolved! That's exactly what I needed to hear.
  • Kaminsky Member Posts: 1,235
    So, just to clarify, the source and destination Layer 3 IP stay the same (unless NAT or some such) but it's the MAC addresses and default routes on routers which do the driving to an unknown host on the other side of the world?
    Kam.
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    bmauro wrote:
    Alright - I haven't done this in a while so hopefully I'll either get this right or someone will correct me :D

    If PC1 wants to send a packet to PC2, but PC2 is on another network, and the two have NEVER communicated before, first PC1 will send an ARP request. This request is a broadcast to all devices on the LAN segment; since PC2 is on another network, the Router will respond to this request with ITS OWN MAC address.

    Hi bmauro, I have a minor correction, and I've only skimmed the rest of this thread, but this stuck out to me.

    If PC1 wants to communicate with PC2, but PC2 is on another network...
    Okay, remember that arp is not the first thing a computer does when initiating communication with another computer. First comes name resolution, typically either netbios or fqdn/dns. For this it will vary on the exact order of steps, let's say in the example of a web site it may first check its dns cache, then a dns server, then a hosts file, whatever. Somehow it finds the IP Address first. Once that is done, it determines if the remote host is local or on another network (via ip and netmask). If it is a local address, it will then do an arp broadcast. However, if it is a remote network it will not do an arp broadcast at all, but forward the arp request to the default gateway. It will only broadcast the arp request if the logical address (IP) is on the same network.

    Hope that helps. :)
    All things are possible, only believe.
  • bmauro Member Posts: 307
    sprkymrk - ya I completely worded that wrong. I was trying to say if PC1 has never sent anything at all (ARP cache completely empty), and did not have R1's MAC address in its ARP cache, PC1 would use ARP to learn R1's Ethernet MAC address.

    But after re-reading my post I can see the problem with how I worded it.
  • EdTheLad Member Posts: 2,111 ■■■■□□□□□□
    sprkymrk wrote:
    However, if it is a remote network it will not do an arp broadcast at all, but forward the arp request to the default gateway. It will only broadcast the arp request if the logical address (IP) is on the same network.

    Hope that helps. :)

    This thread is now full of corrections.
    That above statement is not correct, if the destination ip address is on a different network and the arp cache is empty, an arp request will be broadcast with the destination ip address of the default gateway. Arps are always broadcast, the arp frame has FF.FF.FF.FF.FF.FF as the destination mac address, i.e. it's broadcast at layer 2.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • sprkymrk Member Posts: 4,884 ■■■□□□□□□□
    ed_the_lad wrote:
    an arp request will be broadcast with the destination ip address of the default gateway. Arps are always broadcast, the arp frame has FF.FF.FF.FF.FF.FF as the destination mac address, i.e. it's broadcast at layer 2.

    Yes, thank you.
    It still broadcasts, but instead of asking for the mac of the remote host, it asks for the mac of the DG.

    :)
    All things are possible, only believe.
  • Paul Boz Member Posts: 2,620 ■■■■■■■■□□
    Okay here goes.

    [Image: networkqo2.jpg]

    Client A on network A wants to send data to client A on network B.

    1.) Client A creates a packet and IP determines that it's a distant request, so IP checks the ARP table to see if it has a MAC address to map to the default gateway. If it does, IP forwards the frame to the router's default gateway, which is 192.168.7.1, MAC 0c:5b:dc:43:25:01. At this point, we have the following information about the packet:

    Source IP: 192.168.7.3 (host A on network A IP address)
    Source MAC: 0c:f1:43:29:fa:b9 (host A on network A MAC Address)

    Destination IP:172.16.7.20 (Host A on network B IP address)
    Destination MAC: 0c:5b:dc:43:25:01 (MAC of e0 on Router A)

    2.) Router A checks the routing table to locate the destination network address. If there is no entry for network 172.16.7.x Router A will either forward the packet to the default interface or discard it if there's no specified default interface. Router A has a routing table entry for the remote network, however, so the router now encapsulates the packet into a layer two frame and sends it out s0 with the following information:

    Source IP address: 192.168.7.3
    Source MAC: 0c:43:29:fd:ab:c1 (MAC of s0 on Router A)

    Destination IP: 172.16.7.20
    Destination MAC: 0c:2b:9c:cf:49:a2 (MAC of s0 on Router B)

    3.) Router B does the same thing router A did. It looks to see which interface the remote network (172.16.7.x) is on, then sends the re-encapsulated frame out e0 with the following information:

    Source IP address: 192.168.7.3
    Source MAC address: 0c:5a:43:29:fd:06

    Destination IP address: 172.16.7.20
    Destination MAC address: 0c:d6:f1:48:51:d6

    4.) The routing process is complete.

    Keep in mind that for the most part, switches are dumb. All they do is forward packets from the hosts to the routers, which then route the packets between the networks. Every time you send a packet from a host to a router the frame destination MAC address is the interface that receives the frame, be it the router's interface or the remote host's.

    (Oh, and keep in mind that while the frame is being routed it actually gets re-encapsulated with a new MAC layer information set just to get to the exit interface of the router, which then tears it down to be re-sent out of the interface).
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • EdTheLad Member Posts: 2,111 ■■■■□□□□□□
    Paul Boz wrote:
    Router A has a routing table entry for the remote network, however, so the router now encapsulates the packet into a layer two frame and sends it out s0 with the following information:

    Source IP address: 192.168.7.3
    Source MAC: 0c:43:29:fd:ab:c1 (MAC of s0 on Router A)

    Nice pic, I hope you don't cry when I tell you this, but a serial interface doesn't have a mac address.
    Networking, sometimes I love it, mostly I hate it. It's all about the $$$$
  • Paul Boz Member Posts: 2,620 ■■■■■■■■□□
    ed_the_lad wrote:
    Paul Boz wrote:
    Router A has a routing table entry for the remote network, however, so the router now encapsulates the packet into a layer two frame and sends it out s0 with the following information:

    Source IP address: 192.168.7.3
    Source MAC: 0c:43:29:fd:ab:c1 (MAC of s0 on Router A)

    Nice pic, I hope you don't cry when I tell you this, but a serial interface doesn't have a mac address.

    Yeah I remembered that as soon as I finished my deal. Oh well, minus that bit, the rest is still valid.
    CCNP | CCIP | CCDP | CCNA, CCDA
    CCNA Security | GSEC |GCFW | GCIH | GCIA
    pbosworth@gmail.com
    http://twitter.com/paul_bosworth
    Blog: http://www.infosiege.net/
  • dissolved Inactive Imported Users Posts: 228
    Kaminsky wrote:
    So, just to clarify, the source and destination Layer 3 IP stay the same (unless NAT or some such) but it's the MAC addresses and default routes on routers which do the driving to an unknown host on the other side of the world?

    Correct. The Layer 3 information will never change unless NAT is in effect. The layer 3 device (ie: Router) will decapsulate the frame all the way up to layer 3, look at the information and decide what to do. Since it decapsulated the frame, it must encapsulate it again before firing it off. This is where your MAC address changes.

    And yes, MAC addresses are the basis for finding hosts in the same LAN. After that, routers help move the packet to the right direction.
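
The hop-by-hop behaviour discussed in this thread (the sender resolves the gateway's MAC when the destination is off-link, a router with no matching route drops the packet, and every layer 3 hop re-frames while the IP header stays the same), as an added Python sketch that is not part of any poster's reply. It uses the addresses from dissolved's example; the /24 masks, the 172.16.0.0/30 link between the two gateways and all function names are assumptions.

```python
import ipaddress
from collections import namedtuple

Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip")

# Addresses and MAC labels from the example in the thread. The /24 masks and the
# 172.16.0.0/30 link between the two gateways are assumptions made for this sketch.
# A route with next hop None means "directly connected".
NODES = {
    "client":    {"mac": "aa:aa:aa", "ips": ["10.10.1.2"],
                  "routes": [("10.10.1.0/24", None), ("0.0.0.0/0", "10.10.1.1")]},
    "client_gw": {"mac": "bb:bb:bb", "ips": ["10.10.1.1", "172.16.0.1"],
                  "routes": [("10.10.1.0/24", None), ("172.16.0.0/30", None),
                             ("192.168.1.0/24", "172.16.0.2")]},
    "server_gw": {"mac": "cc:cc:cc", "ips": ["172.16.0.2", "192.168.1.1"],
                  "routes": [("192.168.1.0/24", None), ("172.16.0.0/30", None),
                             ("10.10.1.0/24", "172.16.0.1")]},
    "webserver": {"mac": "dd:dd:dd", "ips": ["192.168.1.2"],
                  "routes": [("192.168.1.0/24", None), ("0.0.0.0/0", "192.168.1.1")]},
}
OWNER = {ip: name for name, n in NODES.items() for ip in n["ips"]}

def next_hop(node, dst_ip):
    """Longest-prefix match. Returns the IP to ARP for, or None if there is no route."""
    dst = ipaddress.ip_address(dst_ip)
    hits = [(ipaddress.ip_network(p), via) for p, via in NODES[node]["routes"]
            if dst in ipaddress.ip_network(p)]
    if not hits:
        return None                      # no match and no default route: drop
    net, via = max(hits, key=lambda h: h[0].prefixlen)
    return via or dst_ip                 # on-link: ARP for the destination itself

def trace(src_node, dst_ip):
    """Frames seen on each link, in order. The IP header is never rewritten (no NAT)."""
    src_ip, node, frames = NODES[src_node]["ips"][0], src_node, []
    while dst_ip not in NODES[node]["ips"]:
        hop_ip = next_hop(node, dst_ip)
        if hop_ip is None or hop_ip not in OWNER:
            return frames, "dropped at " + node
        nxt = OWNER[hop_ip]              # stands in for the ARP reply on that link
        frames.append(Frame(NODES[node]["mac"], NODES[nxt]["mac"], src_ip, dst_ip))
        node = nxt
    return frames, "delivered"

if __name__ == "__main__":
    for frame in trace("client", "192.168.1.2")[0]:
        print(frame)
```
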