1
00:00:00,000 --> 00:00:08,000
So what happens if A now wants to ping a remote device in a separate subnet?

2
00:00:08,000 --> 00:00:11,000
So now for example, A with IP address 10.1.1.1

3
00:00:11,000 --> 00:00:17,000
wants to ping device B with IP address 10.1.2.1.

4
00:00:17,000 --> 00:00:21,000
In these examples I’m discussing ICMP or ping traffic

5
00:00:21,000 --> 00:00:23,000
but something similar would happen

6
00:00:23,000 --> 00:00:27,000
if you were sending HTTP, FTP or other traffic.

7
00:00:27,000 --> 00:00:33,000
What’s important to note here is that these devices are in separate subnets;

8
00:00:33,000 --> 00:00:36,000
we are using a /24 mask in this topology.

9
00:00:36,000 --> 00:00:41,000
So host A is not in the same subnet as host B.

10
00:00:41,000 --> 00:00:44,000
Now the first thing the PC will do is to check whether the IP address

11
00:00:44,000 --> 00:00:49,000
it's trying to communicate with is in a separate subnet

12
00:00:49,000 --> 00:00:52,000
or in the same subnet as itself.

13
00:00:52,000 --> 00:00:57,000
It does this by doing a logical AND using the network mask.

14
00:00:57,000 --> 00:01:00,000
So in this case we’ve got a /24 mask,

15
00:01:00,000 --> 00:01:04,000
the IP address of PC A is 10.1.1.1

16
00:01:04,000 --> 00:01:09,000
and it’s trying to ping an IP address 10.1.2.1/24, which

17
00:01:09,000 --> 00:01:15,000
in dotted decimal notation looks like this: 255.255.255.0.

18
00:01:15,000 --> 00:01:19,000
Which means the network portion is the first 3 octets of the address.

19
00:01:19,000 --> 00:01:24,000
So the local PC 10.1.1.1 compares the network portion with the device that

20
00:01:24,000 --> 00:01:28,000
it's trying to communicate with to check if the device is local or remote.

21
00:01:28,000 --> 00:01:32,000
In this case the network portion of the address is different.

22
00:01:32,000 --> 00:01:38,000
So the local PC knows that the remote device is in a different subnet

23
00:01:38,000 --> 00:01:43,000
to itself and it will therefore send the traffic to its default gateway

24
00:01:43,000 --> 00:01:47,000
to get to the remote subnet on which the device resides.

25
00:01:47,000 --> 00:01:50,000
Now in this example we are assuming that device A

26
00:01:50,000 --> 00:01:52,000
has a default gateway configured.

27
00:01:52,000 --> 00:01:57,000
So device A has been configured with the default gateway of the router

28
00:01:57,000 --> 00:02:03,000
10.1.1.100, so the PC will firstly check if it has the router's MAC address

29
00:02:03,000 --> 00:02:05,000
in its local ARP cache.

30
00:02:05,000 --> 00:02:08,000
It does this because it needs to send the traffic

31
00:02:08,000 --> 00:02:11,000
to the router to get to the remote device.

32
00:02:11,000 --> 00:02:14,000
And because this is an Ethernet segment, a layer 2

33
00:02:14,000 --> 00:02:16,000
MAC address is required for communication.

34
00:02:16,000 --> 00:02:20,000
Ethernet once again requires that MAC addresses be used at

35
00:02:20,000 --> 00:02:23,000
layer 2 for transmission across an Ethernet network.

36
00:02:23,000 --> 00:02:27,000
So at layer 2 a MAC address is required by the PC.

37
00:02:27,000 --> 00:02:32,000
The PC would have been configured with the default gateway of 10.1.1.100,

38
00:02:32,000 --> 00:02:35,000
which is an IP address at layer 3

39
00:02:35,000 --> 00:02:38,000
but the MAC address of the default gateway wouldn’t have been

40
00:02:38,000 --> 00:02:41,000
configured on the PC, so there’s no entry on the local PC

41
00:02:41,000 --> 00:02:43,000
for the MAC address of its default gateway,

42
00:02:43,000 --> 00:02:47,000
and thus it will need to send out a broadcast onto the segment

43
00:02:47,000 --> 00:02:52,000
asking who has IP address 10.1.1.100. In other words,

44
00:02:52,000 --> 00:02:55,000
this is an ARP request looking for the MAC address

45
00:02:55,000 --> 00:02:59,000
associated with the IP address of the default gateway.

46
00:02:59,000 --> 00:03:04,000
When the broadcast is received by the hub, it will flood it out of all ports

47
00:03:04,000 --> 00:03:06,000
except the port on which it arrived.

48
00:03:06,000 --> 00:03:09,000
PC C will receive the broadcast at layer 2

49
00:03:09,000 --> 00:03:12,000
but when reading the layer 3 information it will see that

50
00:03:12,000 --> 00:03:18,000
this is an ARP for 10.1.1.100 which is not its IP address.

51
00:03:18,000 --> 00:03:22,000
So PC C will therefore drop the ARP request.

52
00:03:22,000 --> 00:03:25,000
The router however will process the ARP request.

53
00:03:25,000 --> 00:03:28,000
Firstly it will receive the traffic at layer 2

54
00:03:28,000 --> 00:03:33,000
because this is a broadcast and when it reads the layer 3 information

55
00:03:33,000 --> 00:03:37,000
it will see that this is an ARP request for its IP address.

56
00:03:37,000 --> 00:03:44,000
So the router will reply with an ARP reply to PC A's ARP request.

57
00:03:44,000 --> 00:03:49,000
The ARP reply is a unicast, so the source MAC address is G,

58
00:03:49,000 --> 00:03:53,000
the router's MAC address; the destination MAC address is A;

59
00:03:53,000 --> 00:03:55,000
the source IP address is the router's IP address;

60
00:03:55,000 --> 00:03:59,000
the destination IP address is A's IP address.

61
00:03:59,000 --> 00:04:02,000
The hub will once again flood the traffic out of all ports

62
00:04:02,000 --> 00:04:05,000
except the port on which it arrived.

63
00:04:05,000 --> 00:04:08,000
C will drop the frame because it's not destined to itself.

64
00:04:08,000 --> 00:04:11,000
Notice in the frame the destination MAC address is A,

65
00:04:11,000 --> 00:04:14,000
but the PC's MAC address is C, so it will drop the frame.

66
00:04:14,000 --> 00:04:18,000
And what’s important to note is that it’s the Network Interface Card

67
00:04:18,000 --> 00:04:23,000
that drops the frame and not the central CPU of the PC.

68
00:04:23,000 --> 00:04:28,000
A will receive the frame and upon receipt will process the frame

69
00:04:28,000 --> 00:04:30,000
because the destination MAC address is itself.

70
00:04:30,000 --> 00:04:35,000
So at layer 2 the frame is accepted by the NIC or Network Interface Card.

71
00:04:35,000 --> 00:04:35,000
The layer 2 information is stripped and the packet is forwarded to the higher layer protocols.

72
00:04:35,000 --> 00:04:44,000
Because this is an ARP reply, it's processed by the higher layer protocols

73
00:04:44,000 --> 00:04:51,000
and the ARP cache is updated with the MAC address of the router, so PC A

74
00:04:51,000 --> 00:04:57,000
now has a mapping saying that IP address 10.1.1.100 uses MAC address G.

75
00:04:57,000 --> 00:05:02,000
So this is the important point: PC A knows that the IP address

76
00:05:02,000 --> 00:05:05,000
10.1.1.100 is associated with MAC address G.

77
00:05:05,000 --> 00:05:13,000
So the PC can send traffic to the network destined for the remote PC 10.1.2.1,

78
00:05:13,000 --> 00:05:18,000
with the source IP address set to 10.1.1.1, itself,

79
00:05:18,000 --> 00:05:22,000
but notice please that the source MAC address is the local PC

80
00:05:22,000 --> 00:05:25,000
and the destination MAC address is the router.

81
00:05:25,000 --> 00:05:31,000
The layer 2 frame goes to the router and hence the layer 2

82
00:05:31,000 --> 00:05:35,000
information contains the local segment MAC addresses.

83
00:05:35,000 --> 00:05:39,000
Source MAC address: the PC; destination MAC address: the router.

84
00:05:39,000 --> 00:05:44,000
The layer 3 information contains the destination IP address

85
00:05:44,000 --> 00:05:48,000
of the remote host and the local PC's IP address.

86
00:05:48,000 --> 00:05:54,000
The hub will flood the frame to both C and G. C will drop the frame

87
00:05:54,000 --> 00:05:57,000
because the destination MAC address is not itself.

88
00:05:57,000 --> 00:06:00,000
The router will receive the frame at layer 2

89
00:06:00,000 --> 00:06:03,000
because it's destined to its MAC address of G.

90
00:06:03,000 --> 00:06:07,000
It will then strip the layer 2 information

91
00:06:07,000 --> 00:06:10,000
and read the layer 3 information in the packet.

92
00:06:10,000 --> 00:06:13,000
So now let’s look at a practical example.

93
00:06:13,000 --> 00:06:18,000
I’m going to capture traffic in Wireshark, so I'll start the capture.

94
00:06:18,000 --> 00:06:24,000
I’m going to clear my ARP cache, so arp -a shows that no entries

95
00:06:24,000 --> 00:06:29,000
are in the ARP cache at the moment, and then I’m going to ping hp.com.

96
00:06:29,000 --> 00:06:34,000
Notice the DNS resolution has taken place; the ICMP message is timing out

97
00:06:34,000 --> 00:06:38,000
because a firewall is blocking the ICMP messages to that server.

98
00:06:38,000 --> 00:06:43,000
So here’s another example, let's ping google.com.

99
00:06:43,000 --> 00:06:48,000
Notice pings are succeeding, so I’ll stop the capture.

100
00:06:48,000 --> 00:06:52,000
HP was using an IP address in the 15 range.

101
00:06:52,000 --> 00:06:55,000
So let’s have a look for that ICMP traffic.

102
00:06:55,000 --> 00:06:58,000
So notice there’s an ICMP message to hp.com,

103
00:06:58,000 --> 00:07:01,000
and you can see that because the address is 15.

104
00:07:01,000 --> 00:07:05,000
And HP owns the 15 IP address range.

105
00:07:05,000 --> 00:07:10,000
We didn’t get a reply from the server but the echo request was sent.

106
00:07:10,000 --> 00:07:14,000
What I’d like you to see please is that at layer 2

107
00:07:14,000 --> 00:07:16,000
the source MAC address is my local PC

108
00:07:16,000 --> 00:07:20,000
but the destination MAC address is my local router.

109
00:07:20,000 --> 00:07:26,000
Notice I can see that this is a Cisco device because the MAC address

110
00:07:26,000 --> 00:07:31,000
is shown as Cisco for the OUI or vendor portion of the address.

111
00:07:31,000 --> 00:07:34,000
We can see that by typing arp -a.

112
00:07:34,000 --> 00:07:38,000
Notice this MAC address is the MAC address associated with IP address

113
00:07:38,000 --> 00:07:43,000
10.0.0.254. ipconfig shows us that

114
00:07:43,000 --> 00:07:46,000
that is the IP address of the default gateway.

115
00:07:46,000 --> 00:07:50,000
So the traffic is going from my local PC to hp.com

116
00:07:50,000 --> 00:07:53,000
but it’s being routed by my local router.

117
00:07:53,000 --> 00:07:56,000
At layer 3 we have the local PC's IP address;

118
00:07:56,000 --> 00:08:00,000
the destination IP address is HP, but at layer 2

119
00:08:00,000 --> 00:08:03,000
the source MAC address is my PC

120
00:08:03,000 --> 00:08:06,000
and the destination MAC address is the local router.

121
00:08:06,000 --> 00:08:13,000
And once again sending the traffic to my local default gateway at layer 2.

122
00:08:13,000 --> 00:08:18,000
I can filter the Wireshark capture to show only ICMP traffic again.

123
00:08:18,000 --> 00:08:23,000
Here’s traffic going to Google, so the source IP address is my local machine;

124
00:08:23,000 --> 00:08:27,000
the destination IP address is Google, but notice at layer 2

125
00:08:27,000 --> 00:08:30,000
the source MAC address is my local PC

126
00:08:30,000 --> 00:08:35,000
and the destination MAC address is once again the local router.
