Routing & Switching Advanced

A switch operates at Layer 2 and forwards Ethernet frames by their destination MAC address. It builds a MAC address table (CAM table) through learning: when a frame arrives on a port, the switch records the frame’s source MAC against that port.

To forward, the switch looks up the destination MAC. A known destination is sent out one port only (unicast). An unknown destination is flooded out every port except the ingress port. Broadcast and multicast frames are also flooded within the broadcast domain. Idle entries age out (typically after 300 seconds).

A router operates at Layer 3 and forwards packets by destination IP address. For every packet it consults the routing table and selects the route whose network prefix matches the destination using the longest-prefix match rule: the most specific (longest mask) matching entry wins.

For example, with routes for 10.1.0.0/16 and 10.1.1.0/24, a packet to 10.1.1.5 matches both, but the router uses 10.1.1.0/24 because /24 is more specific than /16. The router then decrements the IP TTL, rewrites the Layer-2 header, and sends the packet toward the next hop.

The routing table (RIB, Routing Information Base) lists every network the router knows how to reach. Each entry records the destination prefix, how it was learned (the source, shown as a code letter), the next-hop address and/or exit interface, and the administrative distance and metric in brackets.

In Cisco IOS, show ip route prints a legend: C = directly connected, S = static, R = RIP, O = OSPF, D = EIGRP, B = BGP, and S* or O*E2 for a default route. A pair like [110/65] means administrative distance 110 and metric 65.

Routes enter the table from three kinds of source. Directly-connected routes appear automatically when an interface is up and has an IP address and mask; the router knows that network is local. Static routes are configured by an administrator and never change unless edited. Dynamic routes are learned from a routing protocol (RIP, OSPF, EIGRP, BGP) that exchanges reachability with neighbours and adapts when the topology changes.

Static routing is simple and predictable but does not scale or react to failures; dynamic routing scales and self-heals at the cost of CPU, memory and protocol complexity.

A default route matches any destination not covered by a more specific entry. It is written as 0.0.0.0/0 — a prefix of length zero, so it is the least specific possible match and is used only when nothing else matches. Because longest-prefix match always prefers more specific routes, the default is the natural fallback.

The router that the default points to is the gateway of last resort. Hosts have an equivalent concept: their configured default gateway. A static default route is typical at the network edge, pointing toward the ISP.

When two different sources offer a route to the same prefix, the router picks the one with the lowest administrative distance (AD) — a measure of how trustworthy a source is. Typical Cisco defaults: connected = 0, static = 1, EIGRP = 90, OSPF = 110, RIP = 120, external BGP = 20, internal BGP = 200. Lower AD wins, so a static route (1) beats an OSPF route (110) to the same network.

When two routes come from the same protocol, the protocol’s own metric breaks the tie: RIP uses hop count, OSPF uses cost (based on bandwidth), EIGRP uses a composite of bandwidth and delay. AD chooses between protocols; metric chooses within a protocol.

A static route is defined with ip route followed by the destination network, its mask, and either a next-hop IP, an exit interface, or both. A floating static route adds a higher administrative distance so it only activates if the primary (dynamic) route disappears — a common backup technique.

Static routes are ideal for stub networks (a site with a single exit), for default routes toward an ISP, and as deliberate, predictable overrides. The cost is manual maintenance: every topology change must be edited by hand.

Dynamic routing protocols fall into two main families. Distance-vector protocols (RIP, and EIGRP in part) advertise the distance (a metric such as hop count) and direction (next hop) to each network — essentially "routing by rumour", sharing their own table with neighbours. They are simple but converge slowly and can form loops, mitigated by split horizon, route poisoning and hold-down timers.

Link-state protocols (OSPF, IS-IS) flood descriptions of each link to every router, so every router builds an identical map of the topology and independently runs Dijkstra’s shortest-path algorithm. They converge faster and resist loops, at the cost of more CPU and memory.

RIP (Routing Information Protocol) is a simple distance-vector protocol whose only metric is hop count — the number of routers a packet crosses. Its maximum usable metric is 15 hops; a route of 16 hops is considered unreachable (infinity), which caps the size of a RIP network and prevents counting to infinity from running forever.

RIP broadcasts (RIPv1) or multicasts (RIPv2) its entire table every 30 seconds, converges slowly, and ignores bandwidth — a 16-hop gigabit path looks worse than a 2-hop modem link. RIPv2 added classless masks (VLSM/CIDR), multicast updates to 224.0.0.9, and authentication. It survives mainly in small or legacy networks.

OSPF (Open Shortest Path First) is the most common interior link-state protocol. Routers discover neighbours with Hello packets, exchange Link-State Advertisements (LSAs) describing their links, and assemble them into a shared link-state database. Each router runs Dijkstra’s SPF to find the lowest-cost path; cost is derived from interface bandwidth (cost = reference-bandwidth / bandwidth).

OSPF scales by dividing the network into areas; all areas must connect to the backbone area 0. Area Border Routers summarise between areas, which limits LSA flooding and SPF scope. On multi-access segments OSPF elects a Designated Router (DR) and Backup DR to reduce adjacencies. Convergence is fast because topology changes trigger immediate flooding and recalculation.

EIGRP (Enhanced Interior Gateway Routing Protocol), originally Cisco-proprietary and later opened, is an advanced distance-vector (sometimes called hybrid) protocol. It uses the DUAL algorithm to guarantee loop-free paths and offers very fast convergence by pre-computing backup routes (feasible successors) it can switch to instantly.

EIGRP forms neighbour relationships with Hellos, sends only incremental, triggered updates (not periodic full tables), and uses a composite metric based mainly on bandwidth and delay. Its default administrative distance for internal routes is 90, lower than OSPF’s 110, so an EIGRP route is preferred over an OSPF route to the same network when both run.

BGP (Border Gateway Protocol) is the routing protocol that holds the internet together. It runs between organisations, each identified by an Autonomous System (AS) number, exchanging reachability for blocks of address space. BGP is a path-vector protocol: every advertisement carries the full list of AS numbers (the AS_PATH) a route has traversed, which is used to detect loops and to influence path selection.

BGP does not choose paths by speed; it selects on policy attributes (local preference, AS_PATH length, MED and more), letting operators steer traffic according to business and peering agreements. It runs over TCP port 179, is very stable, and converges deliberately rather than quickly.

Hosts use a single configured default gateway; if that router fails, they lose all off-subnet connectivity. First-Hop Redundancy Protocols (FHRPs) solve this by letting several routers share a single virtual IP (and virtual MAC) that the hosts point to. One router is active and forwards; a standby takes over within seconds if the active fails, transparently to the hosts.

HSRP (Hot Standby Router Protocol) is Cisco-proprietary, with one active and one standby router. VRRP (Virtual Router Redundancy Protocol) is the open IETF standard with a master and one or more backups. GLBP adds load balancing across gateways. All provide gateway resilience without reconfiguring the hosts.

Redundant switch links improve resilience but create Layer-2 loops: because Ethernet frames have no TTL, a broadcast can circulate forever, multiplying into a broadcast storm that melts the network. STP (Spanning Tree Protocol, IEEE 802.1D) prevents this by building a loop-free logical tree, blocking redundant links until they are needed.

Switches elect a single root bridge (lowest bridge ID = priority + MAC). Each other switch selects one root port (lowest cost toward the root), and each segment a designated port; remaining ports are placed in blocking. Classic 802.1D ports move through blocking → listening → learning → forwarding, taking up to ~50 seconds; Rapid STP (802.1w) converges in seconds.

EtherChannel (link aggregation, IEEE 802.3ad / LACP) bundles several physical links between two switches into one logical link. This increases bandwidth and provides redundancy, and crucially STP treats the bundle as a single link — so all member links can forward without being blocked as loops.

Channels can be negotiated with LACP (the open standard, modes active/passive) or Cisco’s PAgP, or set unconditionally with mode on. Traffic is distributed across members by a hashing algorithm (on MAC, IP or port), so a single flow uses one link, but many flows spread across the bundle. All members must share the same speed, duplex and VLAN settings.

Routing problems are diagnosed top-down. show ip route answers "does the router even know how to reach the destination?" — a missing or wrong entry explains many failures. ping tests basic reachability with ICMP echo request/reply; success confirms a working bidirectional path, while timeouts suggest a break or a blocked return path.

traceroute reveals the path hop by hop. It sends packets with increasing TTL: the first router (TTL 1) replies with ICMP Time Exceeded, the next (TTL 2) does the same, and so on, mapping each hop until the destination answers. A trace that stops or loops at a particular hop pinpoints where forwarding breaks. Together these tools localise faults between configuration, the routing table and the data path.

Follow one packet end to end. A host comparing the destination IP to its own subnet decides the destination is remote, so it sends the frame to its default gateway, using ARP to find the gateway’s MAC. The router receives the frame, strips the Layer-2 header, and performs a longest-prefix-match lookup in its routing table.

It selects the best route (lowest AD, then lowest metric), decrements the TTL, rewrites the Layer-2 header with the next hop’s MAC, and forwards out the chosen interface. Each subsequent router repeats the process until a router has a directly-connected route for the destination and delivers the packet on the final segment. Layer 3 carries the packet across networks; Layer 2 carries the frame across each hop.

Modern campus networks blur the line between switching and routing with the Layer-3 switch: a device that switches frames at wire speed within a VLAN and routes packets between VLANs in hardware (ASICs), far faster than a traditional software router. Inter-VLAN routing is done with Switched Virtual Interfaces (SVIs) — a virtual interface per VLAN that acts as that VLAN’s gateway.

This lets designers push routing toward the access/distribution layer, shrinking Layer-2 domains (and thus STP scope and broadcast storms) while keeping high performance. The same routing concepts apply: SVIs create connected routes, and static or dynamic protocols handle the rest. Routing and switching are not rivals but complementary layers of one forwarding system.