Would you like to inspect the original subtitles? These are the user uploaded subtitles that are being translated: 1 00:00:00,000 --> 00:00:08,000 So what happens if A now wants to ping a remote device in a separate subnet? 2 00:00:08,000 --> 00:00:11,000 So now for example, A with IP address 10.1.1.1 3 00:00:11,000 --> 00:00:17,000 Wants to ping device B with IP address 10.1.2.1 4 00:00:17,000 --> 00:00:21,000 In these examples I�m discussing ICMP or ping traffic 5 00:00:21,000 --> 00:00:23,000 but something similar would happen 6 00:00:23,000 --> 00:00:27,000 if you were sending HTTP, FTP or other traffic. 7 00:00:27,000 --> 00:00:33,000 what�s important to note here is that these devices are in separate subnets 8 00:00:33,000 --> 00:00:36,000 we are using a /24 mask in this topology. 9 00:00:36,000 --> 00:00:41,000 So host A is not in the same subnet as host B. 10 10 00:00:41,000 --> 00:00:44,000 now the first thing the PC will do is to check whether the IP address 11 11 00:00:44,000 --> 00:00:49,000 it's trying to communicate with is in a separate subnet 12 12 00:00:49,000 --> 00:00:52,000 or in the same subnet as itself. 13 13 00:00:52,000 --> 00:00:57,000 It does this by doing a logical end using the network mask. 14 14 00:00:57,000 --> 00:01:00,000 So in this case we�ve got /24 mask 15 15 00:01:00,000 --> 00:01:04,000 the IP address of PC A is 10.1.1.1 16 16 00:01:04,000 --> 00:01:09,000 and it�s trying to ping an IP address 10.1.2.1/24 17 17 00:01:09,000 --> 00:01:15,000 in dotted decimal notation looks like this 255.255.255.0 18 18 00:01:15,000 --> 00:01:19,000 Which means the network portion is the first 3 octets of the address. 19 19 00:01:19,000 --> 00:01:24,000 So the local PC 10.1.1.1 compares the network portion with the device that 20 20 00:01:24,000 --> 00:01:28,000 it's trying to communicate with to check if the device is local or remote. 21 21 00:01:28,000 --> 00:01:32,000 In this case the network portion of the address is different. 22 22 00:01:32,000 --> 00:01:38,000 So the local PC knows that the remote device is in a different subnet 23 23 00:01:38,000 --> 00:01:43,000 to itself and it will therefore send the traffic to its default gateway 24 24 00:01:43,000 --> 00:01:47,000 to get to the remote subnet on which the device resides. 25 25 00:01:47,000 --> 00:01:50,000 Now in this example we are assuming that device A 26 26 00:01:50,000 --> 00:01:52,000 has a default gateway configured. 27 27 00:01:52,000 --> 00:01:57,000 So device A has been configured with the default gateway of the router 28 28 00:01:57,000 --> 00:02:03,000 10.1.1.100 so the PC will firstly check if it has the router's MAC address 29 29 00:02:03,000 --> 00:02:05,000 in its local ARP cache 30 30 00:02:05,000 --> 00:02:08,000 It does this because its need to send the traffic 31 31 00:02:08,000 --> 00:02:11,000 to the router to get to the remote device. 32 32 00:02:11,000 --> 00:02:14,000 And because this is an Ethernet segment a layer 2 33 33 00:02:14,000 --> 00:02:16,000 Mac address is required for communication. 34 34 00:02:16,000 --> 00:02:20,000 Ethernet once again requires that MAC address is be use at 35 35 00:02:20,000 --> 00:02:23,000 layer 2 for transmission across an Ethernet network. 36 36 00:02:23,000 --> 00:02:27,000 So at layer 2 a Mac address is required by the PC 37 37 00:02:27,000 --> 00:02:32,000 the PC would have been configured with the default gateway of 10.1.1.100 38 38 00:02:32,000 --> 00:02:35,000 which is an IP address at layer 3 39 39 00:02:35,000 --> 00:02:38,000 but the MAC address of the default gateway wouldn�t have been 40 40 00:02:38,000 --> 00:02:41,000 configured on the PC, so there�s no entry on the local PC 41 41 00:02:41,000 --> 00:02:43,000 for the MAC address of its default gateway 42 42 00:02:43,000 --> 00:02:47,000 and thus it will need to send out a broadcast unto the segment 43 43 00:02:47,000 --> 00:02:52,000 asking who has IP address 10.1.1.100 in other words 44 44 00:02:52,000 --> 00:02:55,000 this is an ARP request looking for the MAC address 45 45 00:02:55,000 --> 00:02:59,000 associated with the IP address of the default gateway. 46 46 00:02:59,000 --> 00:03:04,000 When the broadcast is received by the hub, it will flood it out of all ports 47 47 00:03:04,000 --> 00:03:06,000 except the ports on which they arrived 48 48 00:03:06,000 --> 00:03:09,000 PC C will receive the broadcast at layer 2 49 49 00:03:09,000 --> 00:03:12,000 but when reading the layer 3 information it will see that 50 50 00:03:12,000 --> 00:03:18,000 this is an ARP for 10.1.1.100 which is not its IP address. 51 51 00:03:18,000 --> 00:03:22,000 So PC C will therefore drop the ARP request. 52 52 00:03:22,000 --> 00:03:25,000 The router however will process the ARP request. 53 53 00:03:25,000 --> 00:03:28,000 Firstly it will receive the traffic at layer 2 54 54 00:03:28,000 --> 00:03:33,000 because this is a broadcast and when it reads the layer 3 information 55 55 00:03:33,000 --> 00:03:37,000 it will see that this is an ARP request for its IP address. 56 56 00:03:37,000 --> 00:03:44,000 So the router will reply with an ARP reply to PC A ARP request. 57 57 00:03:44,000 --> 00:03:49,000 The ARP reply is a unicast address so source MAC address is G 58 58 00:03:49,000 --> 00:03:53,000 the router's MAC address, destination MAC address is A 59 59 00:03:53,000 --> 00:03:55,000 source IP address is the router's IP address 60 60 00:03:55,000 --> 00:03:59,000 destination IP address is A IP address. 61 61 00:03:59,000 --> 00:04:02,000 The hub will once again flood the traffic out of all ports 62 62 00:04:02,000 --> 00:04:05,000 except the port on which it arrived. 63 63 00:04:05,000 --> 00:04:08,000 C will drop the frame because it's not destined to itself. 64 64 00:04:08,000 --> 00:04:11,000 Notice in the frame the destination MAC address is A 65 65 00:04:11,000 --> 00:04:14,000 but the PCs MAC address is C, so it will drop the frame. 66 66 00:04:14,000 --> 00:04:18,000 And what�s important to note is that it�s the Network Interface Card 67 67 00:04:18,000 --> 00:04:23,000 that drops the frame and not the central CPU of the PC. 68 68 00:04:23,000 --> 00:04:28,000 A will receive the frame and upon a receipt will process the frame 69 69 00:04:28,000 --> 00:04:30,000 because the destination MAC address is itself. 70 70 00:04:30,000 --> 00:04:35,000 So at layer 2 the frame is accepted by the NIC or Network Interface Card . 71 71 00:04:35,000 --> 00:04:35,000 The layer 2 information is strip and forward it to high layer protocols. 72 72 00:04:35,000 --> 00:04:44,000 Because this is an ARP reply its process by high layer protocols 73 73 00:04:44,000 --> 00:04:51,000 and the ARP cache is updated with the MAC address of the router, so PC A 74 74 00:04:51,000 --> 00:04:57,000 now has a mapping saying that IP address 10.1.1.100 uses MAC address G 75 75 00:04:57,000 --> 00:05:02,000 so this is the important, PC A knows that the IP address 76 76 00:05:02,000 --> 00:05:05,000 10.1.1.100 is associated with MAC address G. 77 77 00:05:05,000 --> 00:05:13,000 So the PC can send traffic to the network destined for the remote PC 10.1.2.1 78 78 00:05:13,000 --> 00:05:18,000 with the source IP address set to 10.1.1.1 itself 79 79 00:05:18,000 --> 00:05:22,000 but notice please that the source MAC address is the local PC 80 80 00:05:22,000 --> 00:05:25,000 and the destination MAC address is the router. 81 81 00:05:25,000 --> 00:05:31,000 The layer 2 frame goes to the router and hence the layer 2 82 82 00:05:31,000 --> 00:05:35,000 information contains the local segment MAC addresses. 83 83 00:05:35,000 --> 00:05:39,000 Source MAC address the PC, destination MAC address the router. 84 84 00:05:39,000 --> 00:05:44,000 The layer 3 information contains the destination IP address 85 85 00:05:44,000 --> 00:05:48,000 of the remote host and the local PCs IP address. 86 86 00:05:48,000 --> 00:05:54,000 The hub will flood the frame to both c and G, C will drop the frame 87 87 00:05:54,000 --> 00:05:57,000 because the destination MAC address is not itself 88 88 00:05:57,000 --> 00:06:00,000 the router will receive the frame at layer 2 89 89 00:06:00,000 --> 00:06:03,000 because its destined to its MAC address of G. 90 90 00:06:03,000 --> 00:06:07,000 It will then strip the layer 2 information 91 91 00:06:07,000 --> 00:06:10,000 and read the layer 3 information in the packet. 92 92 00:06:10,000 --> 00:06:13,000 So now let�s look at a practical example 93 93 00:06:13,000 --> 00:06:18,000 I�m going to capture traffic in Wireshark, so I'll start the capture 94 94 00:06:18,000 --> 00:06:24,000 I�m gonna clear my ARP cache, so arp-a shows that no entries 95 95 00:06:24,000 --> 00:06:29,000 are in the ARP cache at the moment and then I�m gonna ping hp.com 96 96 00:06:29,000 --> 00:06:34,000 notice the DNS resolution has taking place, ICMP message has timing out 97 97 00:06:34,000 --> 00:06:38,000 because a firewall is blocking the ICMP messages to that server. 98 98 00:06:38,000 --> 00:06:43,000 So here�s another example, lets ping Google com. 99 99 00:06:43,000 --> 00:06:48,000 Notice pings are succeeding, so I�ll stop the capture. 100 100 00:06:48,000 --> 00:06:52,000 HP was using an IP address in the 15 range. 101 101 00:06:52,000 --> 00:06:55,000 So let�s have a look for that ICMP traffic 102 102 00:06:55,000 --> 00:06:58,000 so notice there�s an ICMP message to hp.com 103 103 00:06:58,000 --> 00:07:01,000 and you can see that because the address is 15. 104 104 00:07:01,000 --> 00:07:05,000 And HP own the 15 IP address range. 105 105 00:07:05,000 --> 00:07:10,000 We didn�t get a reply from the server but the echo request was sent. 106 106 00:07:10,000 --> 00:07:14,000 What I�d like you to see please is that at layer 2 107 107 00:07:14,000 --> 00:07:16,000 the source MAC address is my local pc 108 108 00:07:16,000 --> 00:07:20,000 but the destination MAC address is my local router. 109 109 00:07:20,000 --> 00:07:26,000 Notice I can see that this is a Cisco device because the MAC address 110 110 00:07:26,000 --> 00:07:31,000 is shown as Cisco for the OUI or vendor portion of the address. 111 111 00:07:31,000 --> 00:07:34,000 We can see that by typing arp-a 112 112 00:07:34,000 --> 00:07:38,000 notice this MAC address is the MAC address associated with IP address 113 113 00:07:38,000 --> 00:07:43,000 10.0.0.254 IP config shows us that 114 114 00:07:43,000 --> 00:07:46,000 that is the IP address of the default gateway. 115 115 00:07:46,000 --> 00:07:50,000 So the traffic is going from my local PC to hp.com 116 116 00:07:50,000 --> 00:07:53,000 but it�s being routed by my local router. 117 117 00:07:53,000 --> 00:07:56,000 At layer 3 we have the local PC's IP address 118 118 00:07:56,000 --> 00:08:00,000 the destination IP address is hp but at layer 2 119 119 00:08:00,000 --> 00:08:03,000 the source MAC address is my PC 120 120 00:08:03,000 --> 00:08:06,000 and the destination MAC address is the local router. 121 121 00:08:06,000 --> 00:08:13,000 And once again sending the traffic to my local default gateway at layer 2. 122 122 00:08:13,000 --> 00:08:18,000 I can filter the Wireshark capture to show only ICMP traffic again. 123 123 00:08:18,000 --> 00:08:23,000 Here�s traffic going to Google so source IP address is my local machine 124 124 00:08:23,000 --> 00:08:27,000 destination IP address is Google but notice at layer 2 125 125 00:08:27,000 --> 00:08:30,000 the source MAC address is my local PC 126 126 00:08:30,000 --> 00:08:35,000 and the destination MAC address is once again the local router. 12245