Every time data travels across a network, a router must decide the next hop—this is the IP routing process. Understanding exactly how a router receives a frame, decapsulates it, looks up the destination IP in its routing table, and forwards it out the correct interface is fundamental to both the CCNA 200-301 exam and real-world network engineering. Exam objective 3.1, 'Describe the routing concepts,' requires you to explain this process step by step, including how packet and frame headers change at each hop. Without this knowledge, you cannot troubleshoot connectivity issues or design efficient networks.
Jump to a section
Imagine a large postal sorting office that handles millions of letters daily. Each letter arrives in an outer envelope (Layer 2 frame) addressed to the sorting office itself (destination MAC = the office's address). The postal worker opens the outer envelope and extracts the inner letter (IP packet) which has a destination address (IP address) that might be local or far away. The worker checks a giant wall chart (routing table) that lists every known city and which outgoing truck (interface) to use for each city. If the destination city is not listed, the worker sends the letter to a default truck (default route) that handles unknown addresses. Before the letter can be placed on the truck, it must be put into a new outer envelope (new Layer 2 frame) addressed to the next sorting office (next-hop router's MAC address). The worker also updates the 'handling stamp' (TTL field) by subtracting one—if it reaches zero, the letter is discarded. This process repeats at every sorting office until the letter reaches its final destination, where the last worker delivers it to the specific building (host) based on the inner letter's address. The key mechanistic point: the inner letter (IP packet) never changes its destination address, but the outer envelope (frame) is rewritten at every hop with new source and destination MAC addresses. Also, the worker must know which outgoing interface to use—this is the routing table lookup based on the longest prefix match.
What is the IP Routing Process?
The IP routing process is the set of steps a router performs to forward an IP packet from one network to another. It is the core function of a router and is essential for communication between devices on different subnets. The process involves receiving a frame, extracting the IP packet, consulting the routing table, and then re-encapsulating the packet into a new frame for the next hop.
Step-by-Step Mechanism
When a router receives a frame on an interface, the following occurs: 1. Frame Reception: The router checks the destination MAC address in the frame header. If it matches the interface's MAC address or is a broadcast (FF:FF:FF:FF:FF:FF), the router accepts the frame. Otherwise, it is discarded. 2. Decapsulation: The router strips off the Layer 2 frame header and trailer, revealing the IP packet. 3. Routing Table Lookup: The router examines the destination IP address in the packet header. It performs a longest prefix match lookup in the routing table. The routing table contains entries for directly connected networks, static routes, and dynamic routes learned via routing protocols like OSPF or EIGRP. Each entry has a prefix (network address and subnet mask) and a next-hop IP address or outgoing interface. 4. Packet Validation: The router decrements the Time-to-Live (TTL) field by 1. If TTL reaches 0, the packet is discarded and an ICMP Time Exceeded message is sent back to the source. The router also verifies the IP header checksum and recalculates it after TTL change. 5. Encapsulation: After determining the next-hop IP address (or that the destination is directly connected), the router needs to build a new frame. It looks up the next-hop IP address in its ARP cache to find the corresponding MAC address. If not found, it sends an ARP request. The router then creates a new Layer 2 frame with:
- Source MAC: MAC address of the outgoing interface - Destination MAC: MAC address of the next-hop router (or destination host if directly connected) - The IP packet remains unchanged (except TTL and checksum) 6. Transmission: The router sends the new frame out the appropriate interface.
Key Concepts: Hop-by-Hop Forwarding
IP routing is hop-by-hop. Each router makes an independent forwarding decision based on its own routing table. The source IP and destination IP in the packet never change (except NAT). The Layer 2 addresses change at every hop. This is a critical exam point: the destination MAC address is always the next-hop router's MAC, not the final destination's MAC.
Routing Table Components
A routing table entry includes: - Network Prefix: Destination network address and subnet mask (e.g., 192.168.1.0/24) - Next Hop: IP address of the next router to reach that network - Outgoing Interface: Interface to use - Administrative Distance (AD): Trustworthiness of the route source (e.g., 0 for connected, 1 for static, 110 for OSPF, 90 for EIGRP internal) - Metric: Cost to reach the network (e.g., OSPF cost, EIGRP composite metric) - Route Source: How the route was learned (C for connected, S for static, O for OSPF, D for EIGRP)
IOS CLI Verification Commands
To view the routing table: show ip route
Example output:
Router# show ip route
Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2
i - IS-IS, su - IS-IS summary, L1 - IS-IS level-1, L2 - IS-IS level-2
ia - IS-IS inter area, * - candidate default, U - per-user static route
o - ODR, P - periodic downloaded static route, H - NHRP, l - LISP
+ - replicated route, % - next hop override
Gateway of last resort is not set
10.0.0.0/8 is variably subnetted, 2 subnets, 2 masks
C 10.1.1.0/24 is directly connected, GigabitEthernet0/0
L 10.1.1.1/32 is directly connected, GigabitEthernet0/0
192.168.1.0/24 is variably subnetted, 2 subnets, 2 masks
C 192.168.1.0/24 is directly connected, GigabitEthernet0/1
L 192.168.1.1/32 is directly connected, GigabitEthernet0/1
S 172.16.0.0/16 [1/0] via 10.1.1.2
O 10.0.0.0/8 [110/2] via 10.1.1.3, 00:00:15, GigabitEthernet0/0Key fields: the code letter (C, S, O), network prefix, administrative distance and metric in brackets, next-hop IP, and outgoing interface.
To see ARP cache: show ip arp
Router# show ip arp
Protocol Address Age (min) Hardware Addr Type Interface
Internet 10.1.1.1 - 0011.2233.4455 ARPA GigabitEthernet0/0
Internet 10.1.1.2 120 0011.2233.4466 ARPA GigabitEthernet0/0
Internet 192.168.1.1 - 0011.2233.4477 ARPA GigabitEthernet0/1Interaction with Related Protocols
ARP: Used to resolve next-hop IP to MAC. If the destination is on the same subnet, the router ARPs for the destination host. If not, it ARPs for the next-hop router.
ICMP: Used for error reporting (e.g., TTL exceeded, destination unreachable). The router sends ICMP messages back to the source when it cannot forward a packet.
Routing Protocols: Build the routing table dynamically. OSPF uses cost, EIGRP uses composite metric. The router uses the best route based on AD and metric.
NAT: Changes the source IP (and sometimes destination) in the packet header, which is an exception to the rule that IP headers remain unchanged.
When a host needs to send a packet to a different subnet, it uses its default gateway. The default gateway is the router's IP address on that subnet. The host encapsulates the packet with the destination MAC of the default gateway. The router then routes the packet onward.
Exam Traps
Longest prefix match: The router always chooses the most specific route (largest subnet mask). For example, if there is a route for 10.0.0.0/8 and 10.1.1.0/24, a packet destined to 10.1.1.5 uses the /24 route.
Administrative distance: When multiple routing protocols provide a route to the same network, the router uses the one with the lowest AD. For example, a static route (AD 1) is preferred over an OSPF route (AD 110).
Metric comparison: Only routes from the same routing protocol are compared by metric. If a route is learned via OSPF and another via EIGRP, the router compares AD first, not metric.
TTL: The router decrements TTL by exactly 1. If TTL is 1, it decrements to 0 and discards. The TTL field is 8 bits, max value 255.
Fragmentation: If the outgoing interface MTU is smaller than the packet size, the router may fragment the packet (unless the DF bit is set). Fragmentation happens at the router, not the source, in some cases.
Summary
The IP routing process is a fundamental concept that involves frame reception, decapsulation, routing table lookup, TTL decrement, new encapsulation, and transmission. Understanding this process is critical for troubleshooting and design. The CCNA exam tests your ability to trace a packet through a network, identify where the process breaks, and understand the role of ARP, MAC addresses, and routing tables.
Host sends packet to default gateway
Host A (192.168.1.10/24) wants to send a packet to Host B (10.1.1.20/24). Since Host B is on a different subnet, Host A determines it must send the packet to its default gateway (192.168.1.1). Host A checks its ARP cache for the MAC address of 192.168.1.1. If not present, it sends an ARP request: 'Who has 192.168.1.1? Tell 192.168.1.10'. The router responds with its MAC. Host A then builds a frame with source MAC = its own, destination MAC = router's MAC, and encapsulates the IP packet (source IP 192.168.1.10, destination IP 10.1.1.20). The frame is sent onto the Ethernet segment.
Router receives and decapsulates frame
The router's GigabitEthernet0/0 interface receives the frame. It checks the destination MAC: it matches the interface's MAC address (or is a broadcast). The router accepts the frame, strips off the Ethernet header and trailer, revealing the IP packet. It examines the destination IP address (10.1.1.20) and prepares to route it. The router also verifies the FCS (Frame Check Sequence) to ensure no errors occurred during transmission. If the frame has errors, it is discarded.
Router performs routing table lookup
The router consults its routing table for the destination 10.1.1.20. It searches for the longest prefix match. Assume the routing table has an entry: 'O 10.1.1.0/24 [110/2] via 10.1.1.1, 00:00:15, GigabitEthernet0/1'. The network 10.1.1.0/24 matches, and the next hop is 10.1.1.1 (which is the router's own interface IP on that subnet? Actually, next hop should be another router, but for direct connection, it would be 'C 10.1.1.0/24 is directly connected, GigabitEthernet0/1'. In this step, we assume the destination is directly connected, so the router knows it can reach 10.1.1.20 directly out GigabitEthernet0/1. The router also checks that the outgoing interface is up/up. If the route is via a next hop, the router must have a route to that next hop (usually directly connected).
Router decrements TTL and recalculates checksum
The router decrements the TTL field in the IP header by 1. If the original TTL was 128, it becomes 127. If TTL becomes 0, the router discards the packet and sends an ICMP Time Exceeded message back to the source (192.168.1.10). Because the TTL changed, the IP header checksum must be recalculated. The router computes the new checksum and updates the header. Note: The IP packet's source and destination IP addresses remain unchanged (unless NAT is applied).
Router builds new frame for next hop
Since the destination 10.1.1.20 is directly connected to GigabitEthernet0/1, the next hop is the destination host itself. The router needs to know the MAC address of 10.1.1.20. It checks its ARP cache. If not present, it sends an ARP request out GigabitEthernet0/1: 'Who has 10.1.1.20? Tell 10.1.1.1' (the router's own IP on that interface). Host B responds with its MAC. The router then builds a new Ethernet frame with source MAC = its GigabitEthernet0/1 MAC, destination MAC = Host B's MAC. The IP packet (unchanged except TTL and checksum) is encapsulated. The frame is then transmitted out GigabitEthernet0/1.
Destination host receives and processes packet
Host B receives the frame. It checks the destination MAC: matches its own. It decapsulates the frame, extracts the IP packet, and sees the destination IP is its own IP (10.1.1.20). It processes the packet (e.g., delivers to the upper layer protocol like TCP or UDP). If the destination IP were not its own, it would either forward the packet (if IP forwarding is enabled) or drop it. This step completes the routing process for a single packet. For the return traffic, the same process occurs in reverse, with Host B sending to its default gateway (10.1.1.1) and the router routing back to 192.168.1.10.
In enterprise networks, the IP routing process is at the heart of all inter-subnet communication. Consider a typical three-tier campus network: access switches connect end users, distribution switches aggregate traffic, and core routers provide high-speed connectivity between buildings and to the WAN. When a user in Building A (VLAN 10, subnet 10.1.10.0/24) wants to access a server in Building B (VLAN 20, subnet 10.1.20.0/24), the access switch forwards the frame to the default gateway (a distribution switch or router). This device routes the packet based on its routing table, which may contain OSPF-learned routes to the server subnet. The routing process ensures that traffic takes the optimal path, possibly through redundant links, and that failures are handled by dynamic routing protocols.
Another common scenario is a branch office connecting to a central data center over a WAN link. The branch router has a default route pointing to the WAN interface, and the data center routers have more specific routes. When a branch user accesses a cloud application, the router performs the routing process: it receives the frame from the LAN, looks up the destination (say, 203.0.113.50), finds a route via the WAN, encapsulates the packet into a new frame (e.g., PPP or HDLC), and sends it. The service provider network then routes the packet further. In this case, the routing table may have a static default route (0.0.0.0/0) with a next-hop IP of the provider edge router.
Performance considerations: The routing process must be fast. Routers use hardware-based forwarding (CEF - Cisco Express Forwarding) to avoid per-packet CPU processing. CEF maintains a Forwarding Information Base (FIB) derived from the routing table and an adjacency table for Layer 2 next-hop information. This allows line-rate forwarding. Misconfiguration can cause issues: if a route is missing, packets are dropped (ICMP destination unreachable). If there is a routing loop (e.g., two routes pointing to each other), the TTL will eventually expire, wasting bandwidth. Redistribution between routing protocols must be carefully managed to avoid suboptimal routing or loops. The CCNA exam expects you to understand these real-world implications, such as why you would use a floating static route (higher AD) as a backup, or why OSPF cost is based on bandwidth.
The CCNA 200-301 exam objective 3.1 'Describe the routing concepts' specifically tests your understanding of the IP routing process. Expect scenario-based questions where you must determine the path a packet takes, identify the contents of the frame at each hop, or troubleshoot why a packet is not reaching its destination.
Common wrong answers and traps: 1. 'The destination MAC address remains the same throughout the path.' This is false. The destination MAC changes at every hop to the next-hop router's MAC. Only the destination IP remains constant (unless NAT). 2. 'The router uses the destination MAC to make forwarding decisions.' No, routers forward based on the destination IP. Switches use MAC addresses. Candidates often confuse the two. 3. 'A router will forward a packet even if it doesn't have a route, as long as it has a default gateway.' A router uses a default route (0.0.0.0/0) only if it is configured. If no default route exists, the packet is dropped. The term 'default gateway' applies to hosts, not routers. 4. 'The TTL is decremented by the number of hops remaining.' No, it is decremented by exactly 1 per router. The initial value is set by the source (typically 64, 128, or 255).
Specific values and commands you must memorize:
Default TTL values: Windows uses 128, Linux uses 64, Cisco IOS uses 255 for locally generated packets.
Administrative distances: connected (0), static (1), EIGRP internal (90), OSPF (110), RIP (120).
show ip route command output: recognize codes (C, S, O, D, etc.), understand the bracket [AD/metric].
show ip arp to verify MAC resolution.
ping and traceroute are key troubleshooting tools. traceroute uses TTL to map the path.
Calculation traps: When a packet is fragmented, the offset is calculated in 8-byte units. However, for the routing process itself, you may need to determine the number of fragments based on MTU. The exam might ask: 'If a 1500-byte packet (including IP header) is sent out an interface with MTU 1500, will fragmentation occur?' No, because the packet fits exactly. But if the MTU is 1492 (e.g., PPPoE), fragmentation occurs.
Decision rule for scenario questions: Trace the packet step by step. Always start by identifying the source and destination IPs and subnets. Determine if they are on the same subnet. If not, the packet must go through a router. For each router, ask: Does it have a route to the destination? If yes, what is the next hop? What MAC address will be used? If a router does not have a route, the packet is dropped. Also check for ACLs that might filter traffic. Use the process of elimination: if a question says 'PC1 can ping its default gateway but not PC2,' the issue is likely a missing route on the router or a firewall.
The IP routing process involves frame reception, decapsulation, routing table lookup (longest prefix match), TTL decrement, checksum recalculation, ARP resolution, re-encapsulation, and transmission.
Destination MAC address changes at every hop; destination IP address remains unchanged (except NAT).
TTL is decremented by exactly 1 at each router; if TTL reaches 0, the packet is discarded and an ICMP Time Exceeded message is sent.
The routing table contains directly connected (C), local (L), static (S), and dynamic routes (O, D, R, etc.) with administrative distance and metric.
Default TTL values: Windows 128, Linux 64, Cisco IOS 255 for locally generated packets.
Key verification commands: show ip route, show ip arp, ping, traceroute.
Administrative distances: connected (0), static (1), EIGRP internal (90), OSPF (110), RIP (120).
These come up on the exam all the time. Here's how to tell them apart.
Routing (Layer 3)
Uses IP addresses for forwarding decisions
Maintains a routing table with network prefixes
Decapsulates and re-encapsulates frames
Operates at Layer 3 (Network layer)
Decrements TTL and recalculates checksum
Switching (Layer 2)
Uses MAC addresses for forwarding decisions
Maintains a MAC address table (CAM table)
Forwards frames without changing headers
Operates at Layer 2 (Data Link layer)
Does not modify TTL or checksum
Mistake
Routers forward packets based on destination MAC address.
Correct
Routers forward packets based on the destination IP address using the routing table. MAC addresses are used only within a single Layer 2 segment.
Many learners confuse the roles of switches and routers; switches use MAC, routers use IP.
Mistake
The TTL field is decremented by the number of hops remaining.
Correct
TTL is decremented by exactly 1 per router. It is an 8-bit field with initial value set by the source (e.g., 128).
The name 'Time to Live' is misleading; it is actually a hop count limit.
Mistake
A router will automatically forward packets to the default gateway if it doesn't have a specific route.
Correct
A router only forwards packets using a default route if one is configured (0.0.0.0/0). Without a default route, packets with no matching route are dropped.
Candidates often apply the host's concept of 'default gateway' to routers.
Mistake
The source IP address changes at each hop to the router's IP.
Correct
The source IP address remains the original host's IP unless NAT is applied. Only the source MAC changes at each hop.
This confusion arises from misunderstanding the encapsulation process.
Reveal each answer, then mark whether you got it right. Score 60%+ to unlock the next chapter.
Routing is the process of building the routing table using routing protocols or static configuration. Forwarding is the actual process of moving a packet from an incoming interface to the outgoing interface based on the routing table. In CCNA, routing refers to the control plane (learning routes), while forwarding is the data plane (packet switching). The IP routing process described in this chapter is forwarding. The exam may ask you to differentiate these terms.
No, normally the router does not change the source IP address. The source IP remains the original host's IP throughout the path. The only exception is when Network Address Translation (NAT) is applied, which changes the source IP (and possibly port). The router does change the source MAC address to that of the outgoing interface. This is a common exam point: IP addresses are end-to-end, MAC addresses are hop-by-hop.
The router will attempt to forward the packet. It will send an ARP request for the destination IP. If no host responds, the ARP request times out, and the router sends an ICMP Destination Unreachable (Host Unreachable) back to the source. The packet is dropped. This is a common troubleshooting scenario: a router has a connected route, but the host is down or not on the subnet.
If the packet is larger than the MTU, the router will fragment the packet (unless the Don't Fragment (DF) bit is set). Fragmentation breaks the packet into smaller pieces, each with its own IP header. The fragments are reassembled at the destination host. If the DF bit is set, the router drops the packet and sends an ICMP Fragmentation Needed message. The exam might test your understanding of MTU and fragmentation.
The 'show ip route' command displays the router's routing table, showing all known networks, how they were learned (connected, static, dynamic), the next-hop IP, outgoing interface, administrative distance, and metric. It is the primary command for verifying routing information and troubleshooting connectivity issues. On the exam, you may be asked to interpret the output to determine the path a packet will take.
When a routing table entry has a next-hop IP that is not directly connected, the router must perform a recursive lookup: it looks up the next-hop IP in the routing table to find the outgoing interface and next-hop MAC. For example, a static route to 10.0.0.0/8 via 192.168.1.1 requires the router to have a route to 192.168.1.0/24 (directly connected). The router resolves the next hop recursively. This is a key concept in understanding how routers forward packets when the next hop is multiple hops away.
Yes, a default route (0.0.0.0/0) matches all destination IPs. If a router has a default route and no more specific route exists, it will use the default route. This is common for edge routers connecting to the internet. The default route has a prefix length of 0, which is the least specific. The router uses longest prefix match, so if a more specific route exists, it is used instead. The exam often tests the concept that a default route is used only when no other match is found.
You've just covered IP Routing Process — now see how well it sticks with free CCNA 200-301 practice questions. Full explanations included, no account needed.
Done with this chapter?