OPERATOR REFERENCE · LAYER 3

Layer 3 Field Reference
IP Addressing, Routing & Subnetting

addressing → subnetting → routing table → routing protocols → NAT → ACLs → packet walkthrough
Diagram: PC (192.168.1.10/24) → default gateway → ROUTER (192.168.1.1) → routing table lookup → REMOTE NETWORK
01 IP Addressing & Subnet Cheat Table
CIDR  Subnet Mask      Hosts               Wildcard
/24   255.255.255.0    254                 0.0.0.255
/25   255.255.255.128  126                 0.0.0.127
/26   255.255.255.192  62                  0.0.0.63
/27   255.255.255.224  30                  0.0.0.31
/28   255.255.255.240  14                  0.0.0.15
/29   255.255.255.248  6                   0.0.0.7
/30   255.255.255.252  2 (point-to-point)  0.0.0.3

Private Ranges (RFC 1918)

  • 10.0.0.0/8
  • 172.16.0.0/12
  • 192.168.0.0/16

Classful Reference

  • Class A: 1–126, /8 default
  • Class B: 128–191, /16 default
  • Class C: 192–223, /24 default
Modern networks use CIDR, not class boundaries — reference only.

Special Addresses

  • 127.0.0.1 — loopback
  • 169.254.x.x — APIPA (no DHCP)
  • 255.255.255.255 — local broadcast
02 Routing Table Basics

What's in an Entry

  • Destination network + mask
  • Next-hop IP or exit interface
  • Administrative Distance (source trust)
  • Metric (path cost within that source)

View the Table

show ip route
show ip route 10.20.30.0
Longest prefix match always wins, regardless of AD or metric.

Route Selection Order

  • 1. Longest prefix match
  • 2. Lowest Administrative Distance
  • 3. Lowest metric (same source)
03 Static Routes & Dynamic Protocols

Static Route

ip route 10.20.30.0 255.255.255.0 192.168.1.1
ip route 0.0.0.0 0.0.0.0 192.168.1.1
Second line is the default route (gateway of last resort).

Floating Static

ip route 10.20.30.0 255.255.255.0 192.168.1.2 210
Higher AD (210) makes it a backup — only used if the primary route disappears.

OSPF Quick Start

router ospf 1
 network 10.0.0.0 0.0.0.255 area 0

Source               Default AD  Type
Directly connected   0           Most trusted
Static route         1           Manual
EIGRP (internal)     90          Dynamic, Cisco proprietary
OSPF                 110         Dynamic, link-state, open standard
RIP                  120         Dynamic, distance-vector, legacy
EBGP                 20          Dynamic, path-vector, inter-AS
Unknown/unreachable  255         Never installed
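
The selection order from section 02, run against the static, floating static and default routes shown above. This is an added example, not part of the original reference; the OSPF /16 route and its next hop 192.168.1.3 are hypothetical, and 198.51.100.9 is a constructed test destination.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str      # destination network in CIDR form
    next_hop: str
    ad: int          # administrative distance (trust in the source)
    metric: int = 0  # path cost within that source

# Constructed candidate set: the page's routes plus one hypothetical OSPF route.
ROUTES = [
    Route("0.0.0.0/0", "192.168.1.1", ad=1),                  # default route
    Route("10.20.30.0/24", "192.168.1.1", ad=1),              # primary static
    Route("10.20.30.0/24", "192.168.1.2", ad=210),            # floating static
    Route("10.20.0.0/16", "192.168.1.3", ad=110, metric=20),  # hypothetical OSPF
]

def select_route(dst, routes):
    """Pick a route: longest prefix, then lowest AD, then lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [
        r for r in routes
        if r.ad < 255 and addr in ipaddress.ip_network(r.prefix)  # AD 255 is never installed
    ]
    if not matches:
        return None  # no match and no default: drop, ICMP Destination Unreachable
    return min(
        matches,
        key=lambda r: (-ipaddress.ip_network(r.prefix).prefixlen, r.ad, r.metric),
    )

if __name__ == "__main__":
    # The /24 static wins over the /16 and the default route.
    print(select_route("10.20.30.7", ROUTES))
    # With the primary static gone, the floating static (AD 210) takes over.
    backup_only = [r for r in ROUTES if not (r.prefix == "10.20.30.0/24" and r.ad == 1)]
    print(select_route("10.20.30.7", backup_only))
    # The /16 with AD 110 beats the default route with AD 1: prefix length comes first.
    print(select_route("10.20.99.1", ROUTES))
```
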
04 Inter-VLAN Routing

Router-on-a-Stick

interface gi0/0.10
 encapsulation dot1Q 10
 ip address 192.168.10.1 255.255.255.0
One physical trunk link, one subinterface per VLAN.

SVI (Multilayer Switch)

interface vlan 10
 ip address 192.168.10.1 255.255.255.0
 no shutdown
ip routing
Faster and more scalable than router-on-a-stick for high VLAN counts.
05 ARP & ICMP

ARP Process

Host broadcasts "who has this IP?" on the local segment; the owner replies unicast with its MAC. Result is cached in the ARP table.

show arp / show ip arp

Common ICMP Types

  • Type 0 — Echo Reply
  • Type 3 — Destination Unreachable
  • Type 8 — Echo Request
  • Type 11 — Time Exceeded (TTL)

TTL & Traceroute

Each router hop decrements TTL by 1. TTL reaching 0 triggers an ICMP Time Exceeded back to the sender — this is how traceroute maps the path.

06 NAT

Static NAT

ip nat inside source static 10.0.0.5 203.0.113.5
Fixed one-to-one mapping — used for servers needing a consistent public IP.

Dynamic NAT

ip nat pool NATPOOL 203.0.113.1 203.0.113.10 netmask 255.255.255.0
ip nat inside source list 1 pool NATPOOL
Pool of public IPs assigned on demand — no fixed mapping.

PAT (NAT Overload)

ip nat inside source list 1 interface gi0/0 overload
Many private hosts share one public IP, differentiated by source port — most common home/office setup.
07 Access Control Lists

Standard ACL

access-list 10 permit 192.168.1.0 0.0.0.255
interface gi0/1
 ip access-group 10 out
Filters by source IP only — place close to the destination.

Extended ACL

access-list 110 permit tcp 192.168.1.0 0.0.0.255 any eq 443
interface gi0/0
 ip access-group 110 in
Filters by source, destination, protocol, and port — place close to the source.
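
How access-list 110 above treats a packet, including wildcard-mask matching and the implicit deny that ends every IOS ACL (that last behaviour is not stated on this page). This is an added example, not part of the original reference; the tuple layout and the sample packets are constructed for illustration.

```python
import ipaddress

def wildcard_for(prefixlen):
    """Wildcard mask is the bitwise inverse of the subnet mask (see the cheat table)."""
    return str(ipaddress.ip_network(f"0.0.0.0/{prefixlen}").hostmask)

def wc_match(addr, base, wildcard):
    """True if addr equals base on every bit where the wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return ((a ^ b) & ~w & 0xFFFFFFFF) == 0

# access-list 110 from the page as (action, proto, src, src_wc, dst, dst_wc, dst_port).
# "any" is equivalent to 0.0.0.0 with wildcard 255.255.255.255.
ACL_110 = [
    ("permit", "tcp", "192.168.1.0", "0.0.0.255", "0.0.0.0", "255.255.255.255", 443),
]

def evaluate(acl, proto, src, dst, dport):
    """First matching entry wins; no match falls through to the implicit deny."""
    for action, p, s, s_wc, d, d_wc, port in acl:
        if (p == proto and wc_match(src, s, s_wc)
                and wc_match(dst, d, d_wc) and port in (None, dport)):
            return action
    return "deny"  # implicit "deny ip any any" at the end of the list

if __name__ == "__main__":
    # Constructed sample packets: (protocol, source, destination, destination port)
    packets = [
        ("tcp", "192.168.1.10", "203.0.113.5", 443),  # matches the permit entry
        ("tcp", "192.168.1.10", "203.0.113.5", 80),   # wrong port
        ("tcp", "192.168.2.10", "203.0.113.5", 443),  # source outside 192.168.1.0/24
        ("udp", "192.168.1.10", "203.0.113.5", 443),  # wrong protocol
    ]
    for pkt in packets:
        print(pkt, "->", evaluate(ACL_110, *pkt))
```

Because the list holds a single permit entry, applying it inbound on gi0/0 drops everything arriving on that interface except TCP/443 from 192.168.1.0/24.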
08 IPv4 Header (Key Fields)

Field            Size  Purpose
Ver/IHL          1 B   version/header length
DSCP             1 B   QoS + total size
Total Length     2 B   QoS + total size
ID + Flags/Frag  4 B   fragmentation control
TTL              1 B   lifetime + next protocol
Protocol         1 B   lifetime + next protocol
Src IP           4 B   addressing
Dst IP           4 B   addressing
Payload          data / L4 segment

Protocol field tells the receiver what's inside: 1=ICMP, 6=TCP, 17=UDP.
09 What Happens — PC Sends to a Remote Network
1. PC checks its own subnet

PC compares the destination IP against its own IP + subnet mask. Different subnet → traffic must go to the default gateway, not directly to the destination.

Local routing decision

2. ARP for the gateway's MAC

If not already cached, PC broadcasts an ARP request for its default gateway's IP. The router replies with its own MAC address.

Layer 2 resolution

3. Packet built and framed

PC builds the IP packet: source IP = itself, destination IP = the remote host, TTL set (commonly 64/128), protocol field set. This is wrapped in an Ethernet frame with destination MAC = the gateway's MAC (not the remote host's).

Encapsulation

4. Router receives and de-encapsulates

Router strips the Ethernet header, exposing the IP packet, and checks the destination IP against its routing table.

Layer 3 processing

5. Routing table lookup

Router performs a longest-prefix match. If found, it identifies the next-hop IP and correct exit interface; if not, and no default route exists, it drops the packet and returns ICMP Destination Unreachable.

Longest prefix match

6. TTL decremented

Router decrements TTL by 1. If TTL hits 0, the packet is dropped and an ICMP Time Exceeded is sent back — this is what limits routing loops and powers traceroute.

Loop protection

7. Re-encapsulated with a new Layer 2 header

The IP packet (source/destination IP unchanged) gets a brand-new Ethernet frame for the next hop — new source MAC (router's outbound interface) and new destination MAC (next router, or the ARP-resolved destination host on the final hop).

Re-framing per hop

8. Repeat until destination LAN

Every router in the path repeats steps 4–7. The IP header stays constant end-to-end (aside from TTL); only the Layer 2 framing changes hop by hop.

Hop-by-hop

9. Final delivery

The last router ARPs for the destination host on its local subnet (if not cached) and delivers the frame directly — the destination host receives it, checks the destination MAC and IP both match, and passes the payload up the stack.

Delivery
10 Common Layer 3 Faults

Symptom                           Likely Cause
Can't reach anything off-subnet   Missing/wrong default gateway on host
Some remote networks unreachable  Missing route, wrong AD/metric, route not advertised
Asymmetric routing / odd latency  Unequal-cost paths, floating static misconfigured
NAT translation fails             ACL not matching traffic, pool exhausted, wrong interface roles
Traceroute stops mid-path         ACL blocking ICMP, firewall dropping Time Exceeded

Check                Command
Routing table        show ip route
ARP cache            show ip arp
NAT translations     show ip nat translations
ACL hit counts       show access-lists
Path to destination  traceroute x.x.x.x