TSHOOT – IPv4 Route Selection / Packet Switching process, Static Routing for IPv4 and IPv6 with troubleshooting!


Above is the IP Packet Switching architecture, with the IP Route / ARP Table at the “Control Plane” at the top, which then feeds the FIB (Forwarding Information Base) aka IP CEF and Adjacency Table to perform Hardware Packet Switching.

Packet Switching is covered extremely in depth in this article, however it will be briefly revisited here to understand the full scope of the decision making that goes into determining and taking the best route to a destination!

Best IP Route selection, Packet Switching (CEF / AT), and troubleshooting cmds

The IP Route table is populated by information collected at the Data Plane of the Packet Switching Architecture (IP CEF / Adjacency Table), and is processed by the “Routing Protocol Data Structure” to determine which of the many advertised routes to a destination will be selected for use in the IP Route Table.

This is of course ultimately determined by the Administrative Distance (AD) as shown here:

  • 0 – Connected Interface
  • 1 – Static route
  • 5 – EIGRP Summary route
  • 20 – eBGP (Exterior BGP)
  • 90 – EIGRP (Internal)
  • 110 – OSPF
  • 115 – IS-IS
  • 120 – RIP
  • 140 – EGP
  • 160 – ODR (On Demand Routing)
  • 170 – EIGRP External (Redistributed)
  • 200 – iBGP (Interior BGP)
  • 255 – Unknown (Not Trusted)

Some of those values you won’t see on exam day, but that is the entire list. Note that OSPF’s AD doesn’t change when it’s Redistributed (Internal / External); however, its Cost goes up in the IP Route Table (the right-hand # in the brackets after the network # in the route table).

Floating static routes are configured with an intentionally higher AD value by adding a # at the end of the “ip route …” statement, and are used as backup routes if the primary static route becomes unavailable.

***A real world use for a floating static route: I’ve used these to cut over ISPs remotely for companies, by setting a floating static route then changing the WAN IP Address on the outside interface of an ASA or Router.

It will drop the connection for a moment, the floating static route will then be injected into the route table when the primary is detected as down, and connectivity will resume within about 5 seconds. That is my real world case use for the day 🙂 ***

AD can also be changed for Dynamic Routing Protocols, so beware of this!

It can be seen under “sh ip protocol” in the distance values, or in the running config with “sh run | b router (ospf/eigrp/bgp)” output, as the command to change it is done in the router process via “distance …” with different values for different protocols depending on the values being changed.

To view the distance commands for each protocol, view the Cisco article here.

The IP Route Table and its L3 to L2 Mappings / ARP table (“sh ip arp”) are considered to be in the “Control Plane” as the best routes are determined and assigned here, and this then feeds IP CEF / Adjacency Table information in the “Data Plane” to perform hardware Packet Switching where the IP Route Table routes are what populate CEF.

The AD can be adjusted to manipulate which route is chosen. The next decision, when the same protocol / same AD has two routes to a destination, is Metric / Cost.

This is determined by the dynamic routing protocols in different ways. For example, OSPF uses Link / Interface speeds as the “Cost” to a destination and the lowest path cost wins as best route when AD matches, whereas EIGRP uses K Weights, which are 5 values made up of different metrics. All of these can be changed in multiple ways:

  • Changed in the “Router Process” configuration
  • Changed on Interface Configuration
  • Changed in “redistribute …” statements when Redistribution is in play
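The selection order described above (lowest AD first, then lowest Metric / Cost, with a floating static route taking over when the primary is withdrawn) can be modelled in a few lines. This is an added example, not code from the original post; the prefixes, next hops and metrics are constructed, and the longest-prefix lookup goes one step beyond the text to show which installed route a given host actually takes.

```python
import ipaddress

# Default administrative distances, taken from the list above (subset)
DEFAULT_AD = {"connected": 0, "static": 1, "ebgp": 20, "eigrp": 90,
              "ospf": 110, "rip": 120, "eigrp-ext": 170, "ibgp": 200}

def build_rib(candidates):
    """Per prefix, install the candidate with the lowest AD, then lowest metric."""
    rib = {}
    for c in candidates:
        ad = c.get("ad", DEFAULT_AD[c["proto"]])   # explicit AD = floating static
        prefix = ipaddress.ip_network(c["prefix"])
        best = rib.get(prefix)
        if best is None or (ad, c["metric"]) < (best["ad"], best["metric"]):
            rib[prefix] = dict(c, ad=ad, prefix=prefix)
    return rib

def lookup(rib, dest):
    """Longest-prefix match of a destination IP against the installed routes."""
    addr = ipaddress.ip_address(dest)
    matches = [r for p, r in rib.items() if addr in p]
    return max(matches, key=lambda r: r["prefix"].prefixlen, default=None)

# Constructed sample: routes offered to the table by different sources
CANDIDATES = [
    {"prefix": "0.0.0.0/0", "proto": "static", "metric": 0, "next_hop": "203.0.113.1"},
    {"prefix": "0.0.0.0/0", "proto": "static", "metric": 0, "next_hop": "198.51.100.1", "ad": 10},
    {"prefix": "10.1.0.0/16", "proto": "ospf", "metric": 20, "next_hop": "10.0.0.2"},
    {"prefix": "10.1.0.0/16", "proto": "eigrp", "metric": 30720, "next_hop": "10.0.0.3"},
    {"prefix": "10.1.2.0/24", "proto": "ospf", "metric": 30, "next_hop": "10.0.0.5"},
    {"prefix": "10.1.2.0/24", "proto": "ospf", "metric": 10, "next_hop": "10.0.0.6"},
]

def primary_down(candidates, failed_next_hop):
    """Candidates left once routes through a failed next hop are withdrawn."""
    return [c for c in candidates if c["next_hop"] != failed_next_hop]

if __name__ == "__main__":
    rib = build_rib(CANDIDATES)
    for dest in ("10.1.2.5", "10.1.9.9", "8.8.8.8"):
        r = lookup(rib, dest)
        print(dest, "->", r["prefix"], r["proto"], f"[{r['ad']}/{r['metric']}]", r["next_hop"])
    backup = lookup(build_rib(primary_down(CANDIDATES, "203.0.113.1")), "8.8.8.8")
    print("after primary failure ->", backup["next_hop"], f"AD {backup['ad']}")
```

The EIGRP route wins 10.1.0.0/16 despite its much larger metric because AD is compared first; metric only breaks the tie between the two OSPF routes for 10.1.2.0/24.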

If you are rusty on any of these, use any search engine or search “redistribution” on this website and you will find plenty of articles on Dynamic Routing Redistribution!

To gather information on how routes were learned (IP Route / ARP Table):

  • “sh ip route” – This will show the determined best routes to destinations, which protocol they were learned from / if they are locally known, and the next hop
  • “sh ip route (x.x.x.x)” – Mask is optional, shows how the route was learned, info about the route (AD / Metric / Cost), age since route was learned, egress interface taken to the destination
  • “sh ip route” – Same info as “sh ip route” ! Great command to check which route in the IP Route Table a Host will take!
  • “sh ip arp” – Shows Layer 3 to Layer 2 (IP to MAC Address) mappings, useful for Layer 2 Protocols as Frame-Relay or Multi-point interfaces!
  • “sh frame map” – Shows Frame-Relay IP-to-DLCI mappings, this information is the local IP to locally-significant DLCI #
  • “sh ip nhrp” – Shows the “Underlay” (Internet) and “Overlay” (Private IP / mGRE Network Address) mappings

To really drive it home, those last 3 commands really complement each other for Frame-Relay / mGRE / DMVPN troubleshooting and verification!

To gather packet forward / packet switching information (IP CEF / AT):

  • “sh ip cef” – Shows the entire IP CEF table, raw routing information such as next hop IP / interface and network Prefix length with CIDR notation (/28)
  • “sh ip cef x.x.x.x (x.x.x.x)” – Mask is optional, can be Host or Network IP, shows next hop IP / Egress interface information
  • “sh adj det” – Shows local router interface information including the interface IP Address, the local and remote MAC which will show in the format of AAAABBBBCCCCDDDDEEEEFFFF0800, along with encap type info

With the “sh adj detail” MAC the first part in blue is the local interface MAC, the second part in red is the remote connected interfaces MAC, and 0800 in green is the code for IP.

This is the MAC information that will be written to Egress packets on this interface.

To visually demonstrate how the ARP process for CEF works for a new / unknown destination address coming to the port to the CPU pushing info back down to CEF:


Again for full information, check out this CEF article.

IPv4 Static Routing Issues / Troubleshooting

Some issues to immediately ask when working with Static Routing:

  • Is the static route statement correct (both network and subnet mask)?
  • Is traffic taking the default (all 0’s) route instead of matching a route?
  • Is the next hop defined by IP Address or Egress interface?
  • Is the next hop pointing the correct way to avoid a routing loop?

Some commands to verify what routes are configured / being used:

  • “sh run | i ip route” – This will show ALL configured Static Routes whether in the table or not
  • “sh ip proto” or “sh run | b router (ospf/eigrp/etc)” – The first will show what networks are actively being routed by the protocol, the running config output will show the networks and how they were configured

In the IP Route Table you can view the AD manually entered for a static route if not default value of 1, though I like to see all static configured routes if possible in the running configuration, along with the router process information.

The running configuration is a good way to determine if perhaps a wildcard mask was entered as a subnet mask in a router process, a subnet mask for a static route was entered wrong which is why it isn’t showing up in the IP Route Table, etc.

The issue of using a next hop IP vs Egress Interface for Static routing!!!

Using the Egress Interface rather than a Next-Hop IP for a Static Route can cause MAJOR network slow downs, because rather than the Router running “ARP” once and adding the results to ARP Cache for future lookup, it is going to run ARP for the Destination IP every single time a data stream is sent to the destination.

This is seen in “sh ip arp” as a TON of matching MAC Addresses for hosts behind the router, this is because Routers do not forward ARP broadcasts, so “Proxy ARP” is creating a Layer 3 to Layer 2 mapping for every single connection to the destination!

Always use a Next-Hop IP with IPv4 Static Routing, and watch for this on exam day!

IPv6 Static Routing configuration and verification

IPv6 route selection is exactly the same as IPv4, but of course there are some IPv6 quirks:

  • The default AD for an IPv6 static route is 1, can be manually changed the same as IPv4 routes with a # at the end of the “ipv6 route …” statement
  • Link-Local IPv6 addresses can be used across multiple interfaces for IPv6, so if using a Link-Local Address an Egress interface must also be specified
  • If using a Global-Unicast as the Next-Hop IPv6 Addy, no exit interface is needed
  • “ipv6 route 2001::/64 gi1/0/1 FE80::2 12” = Using a Link-Local IP as the next-hop along with the Egress Interface, with a route AD of 12
  • “sh ipv6 route” and “sh ipv6 route static” – The first shows all IPv6 routes in the IPv6 Route Table, the second shows only the static IPv6 routes
  • “sh ipv6 neighbors” – IPv6 equivalent to “sh ip arp” as it shows the Layer 3 to Layer 2 mappings, only for neighbors found via NDP / directly connected to the interface
  • !!!CANNOT Map an IPv6 Route to an Egress Interface only, like “ipv6 route 2001::/64 gi1/0/1” as IPv6 does not use Broadcasts / ARP so Layer 2 encapsulation will fail for all traffic going to the destination the static route is set for!!!
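The static-route pitfalls from the IPv4 next-hop vs Egress Interface section and from the IPv6 list above can be checked mechanically against the route statements in a running config. This is an added example, not code from the original post: the sample lines are constructed, and the parser handles only the statement forms shown on this page (network, mask or prefix, optional interface, optional next hop, optional AD).

```python
import ipaddress
import re

IFACE_RE = re.compile(r"^[A-Za-z][A-Za-z-]*\d+(/\d+)*(\.\d+)?$")  # gi1/0/1, Serial0/0.1

def _is_ip(token):
    try:
        return ipaddress.ip_address(token)
    except ValueError:
        return None

def audit_static_routes(config_text):
    """Return (line, finding) pairs for the static-route forms this article warns about."""
    findings = []
    for line in config_text.splitlines():
        tokens = line.split()
        if tokens[:2] == ["ip", "route"]:
            ipv6, rest = False, tokens[4:]      # skip network and mask
        elif tokens[:2] == ["ipv6", "route"]:
            ipv6, rest = True, tokens[3:]       # skip prefix/length
        else:
            continue
        iface = next((t for t in rest if IFACE_RE.match(t)), None)
        hop = next((ip for ip in map(_is_ip, rest) if ip is not None), None)
        if iface and iface.lower().startswith("null"):
            continue                            # discard route, nothing to resolve
        if iface and hop is None:
            why = ("IPv6 egress interface only, no next hop" if ipv6
                   else "IPv4 egress interface only, ARP per destination")
            findings.append((line.strip(), why))
        elif ipv6 and hop is not None and hop.is_link_local and iface is None:
            findings.append((line.strip(), "link-local next hop without egress interface"))
    return findings

# Constructed sample of static route lines from a running config
SAMPLE = """\
ip route 10.10.0.0 255.255.0.0 192.0.2.1
ip route 10.20.0.0 255.255.0.0 GigabitEthernet0/1
ip route 0.0.0.0 0.0.0.0 198.51.100.1 10
ip route 10.99.0.0 255.255.0.0 Null0
ipv6 route 2001::/64 gi1/0/1 FE80::2 12
ipv6 route 2001:db8:1::/64 gi1/0/1
ipv6 route 2001:db8:2::/64 FE80::2
ipv6 route 2001:db8:3::/64 2001:db8:ffff::1
"""

if __name__ == "__main__":
    for line, why in audit_static_routes(SAMPLE):
        print(f"{why}: {line}")
```

Routes to Null0 are skipped because a discard route never needs a Layer 2 rewrite, so the interface-only warning does not apply to them.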

There are just a few quirks there to remember, all of which are basic concepts for IPv6 which a candidate will need a solid grasp of to make it through TSHOOT, so if not familiar with some of those address types / behaviors I’d advise brushing up.

That will do it for this one, will hit GRE Troubleshooting next post!

Being that GRE is used to encapsulate IPv6 traffic across IPv4 networks (Internet) to remote IPv6 networks, I wanted to tack it onto this article, but this has gone so long I will keep that post separate as there is quite a bit of content in that subject itself.

Officially half way through the TSHOOT OCG at this point! 🙂
