Routers – Layer 3 Forwarding, Routing Tables, and Configuration

1. What Is a Router?

A router is a Layer 3 (Network layer) device in the OSI model whose primary job is to forward IP packets between different networks. Where a switch moves frames within a single LAN using MAC addresses, a router moves packets between different IP networks using IP addresses and a routing table. Every time a packet crosses from one network to another — from your LAN to the internet, from one office to another, from one VLAN to another — it passes through a router.

  Office LAN                         Internet
  192.168.1.0/24                     203.0.113.0/24
  ┌──────────────┐                  ┌──────────────┐
  │ PC           │                  │ Web Server   │
  │ 192.168.1.10 │──→ [Router] ──→  │ 203.0.113.50 │
  └──────────────┘   ↑             └──────────────┘
                 Strips the Ethernet frame,
                 reads the IP destination,
                 consults the routing table,
                 builds a new Ethernet frame,
                 forwards out the correct interface
            

Key functions performed by a router: inter-network packet forwarding using IP addresses; broadcast domain segmentation (broadcasts do not cross router interfaces); path selection using routing protocols and metrics; NAT/PAT for private-to-public address translation; ACL-based traffic filtering; DHCP relay for forwarding DHCP broadcasts across subnets.

Related pages: Switches | Hubs | OSI Layer Functions | MAC vs IP | IP Addressing | show ip route | NAT | Static NAT | Dynamic NAT | OSPF Areas & LSAs | Default Routes

2. Routers vs Switches vs Hubs

  Hub
    OSI layer:         Layer 1 (Physical)
    Addressing used:   None (no addressing awareness)
    Forwarding logic:  Repeats every electrical signal to every port; no intelligence
    Broadcast domain:  All ports in one domain
    Collision domain:  All ports in one domain (every attached device shares it)

  Switch
    OSI layer:         Layer 2 (Data Link)
    Addressing used:   MAC addresses; builds a MAC address table (CAM table) by learning the source MAC seen on each port
    Forwarding logic:  Forwards a frame only to the port where the destination MAC was learned; floods unknown unicast, broadcast and (by default) multicast to every other port in the VLAN
    Broadcast domain:  All switch ports in one domain (one domain per VLAN if VLANs are used)
    Collision domain:  Each port is its own collision domain (full duplex)

  Router
    OSI layer:         Layer 3 (Network)
    Addressing used:   IP addresses; consults a routing table keyed by network prefixes
    Forwarding logic:  Strips the incoming Layer 2 frame, reads the IP header, does a longest-prefix-match lookup in the routing table, builds a new Layer 2 frame for the next hop and forwards it out the chosen interface
    Broadcast domain:  Each interface is its own broadcast domain; broadcasts do not cross the router
    Collision domain:  Each port is its own collision domain

See: Switches | Hubs | MAC vs IP | Frame Forwarding

3. Router Hardware Components

  CPU (hardware)
    Executes IOS instructions; processes routing protocol updates; handles ACL evaluation,
    NAT translation and management-plane tasks. Sustained high CPU can indicate a routing
    problem or an attack (for example a flood of packets punted to the CPU).
    Persists on reboot: N/A

  RAM (volatile memory)
    Holds the running configuration (active settings), routing table, ARP cache, packet
    buffers and IOS data structures while the router is powered on.
    Persists on reboot: No, lost on power-off or reload

  NVRAM (non-volatile memory)
    Holds the startup configuration, the config that is loaded into RAM when the router
    boots. copy running-config startup-config saves RAM to NVRAM.
    Persists on reboot: Yes

  Flash (non-volatile storage)
    Holds the Cisco IOS image (the router's operating system). Can hold several IOS
    versions; the boot system command selects which one is loaded.
    Persists on reboot: Yes

  ROM (read-only memory)
    Holds the bootstrap program and POST (power-on self-test), the ROM Monitor (ROMmon)
    used for recovery (loading an image when Flash is unusable, and password recovery,
    which is why physical console access must be controlled), and on older platforms a
    minimal IOS image.
    Persists on reboot: Yes, factory-programmed

  Interfaces (hardware I/O)
    Physical ports (GigabitEthernet, Serial) and logical interfaces (subinterfaces,
    loopbacks, SVIs) through which packets enter and exit the router.
    Persists on reboot: N/A
  Cisco router boot sequence:
  1. POST (ROM) — self-test hardware
  2. Bootstrap (ROM) — locate and load IOS
  3. IOS loaded from Flash into RAM
  4. Startup config loaded from NVRAM into RAM → becomes running config
  5. Router operational

  Memory summary:
  RAM      → running config, routing table, ARP cache   (lost on reboot)
  NVRAM    → startup config                              (survives reboot)
  Flash    → IOS image                                  (survives reboot)
  ROM      → bootstrap, POST, ROMmon                    (permanent)
            

4. How a Router Forwards a Packet — Step by Step

Understanding packet forwarding is the most important concept on this page. Every forwarding decision follows the same process, for every packet that arrives.

  Step 1 — Packet arrives on an interface
  Router receives an Ethernet frame on GigabitEthernet0/0 (LAN 192.168.1.0/24).
  Destination MAC = router's own MAC → router accepts the frame.

  Step 2 — Strip the Layer 2 frame
  Router discards the Ethernet header and trailer.
  Reads the IP header: Dst IP = 10.10.0.5, Src IP = 192.168.1.10.

  Step 3 — Decrement TTL
  Router decrements the TTL field by 1 (and recomputes the IP header checksum).
  If TTL reaches 0 → discard packet; send ICMP Time Exceeded to the source.

  Step 4 — Routing table lookup (longest-prefix match)
  Router searches its routing table for the most specific match
  to destination IP 10.10.0.5:
    10.0.0.0/8    via 192.168.1.2, GigabitEthernet0/0   ← less specific (/8)
    10.10.0.0/24  via 10.0.0.2, GigabitEthernet0/1      ← more specific (/24) ← WINS
  Most specific match (longest prefix) is selected. Without the /24, the /8 would
  have sent the packet back out GigabitEthernet0/0 to 192.168.1.2.

  Step 5 — Next-hop ARP resolution
  Router checks its ARP cache for the next-hop IP (10.0.0.2).
  If not cached: sends ARP Request → receives ARP Reply → caches the MAC.

  Step 6 — Build a new Layer 2 frame
  New Ethernet frame:
    Src MAC = MAC of the outgoing interface (GigabitEthernet0/1)
    Dst MAC = next-hop's MAC (from ARP)
    Payload = original IP packet (with decremented TTL); the source and destination
              IP addresses are unchanged unless NAT applies

  Step 7 — Forward out the correct interface
  Frame exits on GigabitEthernet0/1 toward next-hop 10.0.0.2.
            

See: MAC vs IP (hop-by-hop addressing) | ARP | show ip route

5. The Routing Table

The routing table is the router's map of the network — a database of known destinations and how to reach them. Every forwarding decision is made by consulting this table. Use show ip route to view the full table.

  Router# show ip route

  Codes: C - connected, S - static, R - RIP, O - OSPF,
         D - EIGRP, B - BGP, * - candidate default

  Gateway of last resort is 203.0.113.1 to network 0.0.0.0

  C    192.168.1.0/24 is directly connected, GigabitEthernet0/0
  C    10.0.0.0/24 is directly connected, GigabitEthernet0/1
  C    203.0.113.0/30 is directly connected, GigabitEthernet0/2
  S    172.16.0.0/16 [1/0] via 192.168.1.2
  O    10.10.0.0/24 [110/2] via 10.0.0.2, 00:12:41, GigabitEthernet0/1
  S*   0.0.0.0/0 [1/0] via 203.0.113.1

  Column meanings:
  C   = Connected route (directly attached network, added automatically when the interface is up/up)
  S   = Static route (manually configured)
  O   = OSPF-learned route (00:12:41 is how long the route has been in the table)
  [1/0]  = [Administrative Distance / Metric]
         AD=1 means static; AD=110 means OSPF; the OSPF metric 2 is the path cost
  via X  = next-hop IP address; the next hop must itself be reachable through a
           connected route (here 203.0.113.1 lies in 203.0.113.0/30 on GigabitEthernet0/2)
  S*  = default route (gateway of last resort, used when nothing more specific matches)
  Newer IOS releases also show an L (local) /32 route for each interface address.
            

Longest-Prefix Match

When multiple routing table entries could match a destination IP address, the router always selects the most specific match, the entry with the longest prefix (most bits in the subnet mask). If no match exists and a default route (0.0.0.0/0) is present, the packet is forwarded via the default route. If no default route exists either, the packet is dropped and an ICMP Destination Unreachable (type 3, code 0, network unreachable) is sent back to the source.

  Routing table entries:
    10.0.0.0/8   via 192.168.1.1   ← covers 10.x.x.x
    10.1.0.0/16  via 192.168.1.2   ← covers 10.1.x.x
    10.1.1.0/24  via 192.168.1.3   ← covers 10.1.1.x
    0.0.0.0/0    via 203.0.113.1   ← default — matches anything

  Packet destined for 10.1.1.50:
    Matches 10.0.0.0/8  (/8  = 8-bit match)
    Matches 10.1.0.0/16 (/16 = 16-bit match)
    Matches 10.1.1.0/24 (/24 = 24-bit match) ← LONGEST → WINS
  → Forwarded via 192.168.1.3

  Packet destined for 10.5.5.5:
    Matches 10.0.0.0/8 only → forwarded via 192.168.1.1
            

Route Sources and Administrative Distance

When multiple routing protocols or methods (e.g., OSPF and a static route) know a route to the same destination, Administrative Distance (AD) determines which source is trusted and installed in the routing table. Lower AD wins. See Administrative Distance.

  Route source             AD    Code in routing table
  Directly connected         0   C
  Static route               1   S
  EIGRP summary route        5   D
  External BGP (eBGP)       20   B
  EIGRP (internal)          90   D
  OSPF                     110   O
  RIP                      120   R
  Unknown / unreachable    255   (never installed)

See: Administrative Distance | show ip route
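The forwarding walk-through in section 4 and the routing-table rules above (longest-prefix match, administrative distance, the floating static route, the default route and the two ICMP error cases) can be exercised end to end in a small simulator. The following is an added example written for this page, not code from the page or from Cisco; the table it builds mirrors the show ip route sample above, the interface GigabitEthernet0/2 and the floating static via 192.168.1.3 are assumptions, and the recursive next-hop resolution follows IOS behaviour only as far as the text describes it.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Default administrative distances used by IOS (see the table above).
AD = {"connected": 0, "static": 1, "eigrp": 90, "ospf": 110, "rip": 120}


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    source: str
    ad: int
    next_hop: Optional[ipaddress.IPv4Address]   # None for a connected route
    interface: Optional[str]                    # None when only a next hop was given
    metric: int = 0


class RoutingTable:
    def __init__(self):
        self.learned = {}   # prefix -> every route any source offered
        self.rib = {}       # prefix -> the one installed route (lowest AD)

    def add(self, prefix, source, next_hop=None, interface=None, metric=0, ad=None):
        """Offer a route; the lowest-AD offer for a prefix is the one that gets installed."""
        net = ipaddress.ip_network(prefix)
        route = Route(net, source, AD[source] if ad is None else ad,
                      ipaddress.ip_address(next_hop) if next_hop else None, interface, metric)
        self.learned.setdefault(net, []).append(route)
        self._install(net)
        return self.rib[net]

    def withdraw(self, prefix, source):
        """A source lost the route (interface down, neighbour gone): reinstall the next best."""
        net = ipaddress.ip_network(prefix)
        self.learned[net] = [r for r in self.learned.get(net, []) if r.source != source]
        self._install(net)

    def _install(self, net):
        if self.learned.get(net):
            self.rib[net] = min(self.learned[net], key=lambda r: r.ad)
        else:
            self.rib.pop(net, None)

    def lookup(self, dst):
        """Longest-prefix match over installed routes; None if not even 0.0.0.0/0 matches."""
        addr = ipaddress.ip_address(str(dst))
        matches = [r for net, r in self.rib.items() if addr in net]
        return max(matches, key=lambda r: r.prefix.prefixlen) if matches else None

    def resolve(self, dst):
        """Recursive lookup: follow next hops until a connected route names the egress interface."""
        route = self.lookup(dst)
        if route is None:
            return None
        next_hop = route.next_hop or ipaddress.ip_address(str(dst))  # connected: ARP for the host itself
        egress = route.interface
        for _ in range(8):                  # bounded: a misconfigured static route must not loop forever
            if egress is not None:
                return next_hop, egress, route
            via = self.lookup(next_hop)
            if via is None:
                return None                 # the next hop is itself unreachable; route is unusable
            if via.next_hop is not None:
                next_hop = via.next_hop
            egress = via.interface
        return None


def forward(table, src, dst, ttl):
    """Steps 3 to 7 of the walk-through, reduced to the decision the router makes."""
    if ttl <= 1:
        return {"action": "drop", "icmp": "time-exceeded", "to": src}
    hop = table.resolve(dst)
    if hop is None:
        return {"action": "drop", "icmp": "destination-unreachable", "to": src}
    next_hop, egress, route = hop
    return {"action": "forward", "ttl": ttl - 1, "next_hop": str(next_hop),
            "egress": egress, "matched": str(route.prefix), "source": route.source}


def build_sample_table():
    """The show ip route sample from this page, plus a floating static that must stay out."""
    t = RoutingTable()
    t.add("192.168.1.0/24", "connected", interface="GigabitEthernet0/0")
    t.add("10.0.0.0/24", "connected", interface="GigabitEthernet0/1")
    t.add("203.0.113.0/30", "connected", interface="GigabitEthernet0/2")   # assumed WAN interface
    t.add("172.16.0.0/16", "static", next_hop="192.168.1.2")
    t.add("10.10.0.0/24", "ospf", next_hop="10.0.0.2", interface="GigabitEthernet0/1", metric=2)
    t.add("0.0.0.0/0", "static", next_hop="203.0.113.1")
    t.add("10.10.0.0/24", "static", next_hop="192.168.1.3", ad=150)   # assumed floating static, AD 150
    return t
```

Run forward() against build_sample_table() with a destination in 10.10.0.0/24, then withdraw the OSPF route and run it again: the floating static with AD 150 only appears once the AD 110 route is gone, and withdrawing the default route turns an internet-bound packet into a Destination Unreachable.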

6. Types of Routing

  Directly connected
    Learned:   Automatically, when an interface has an IP address and is up/up
    Best for:  Local networks; no configuration needed
    IOS:       Automatic; code C in the routing table

  Static routing
    Learned:   Entered manually by an administrator
    Best for:  Small networks, stub networks, specific path control, default routes
    IOS:       ip route <network> <mask> <next-hop | exit-interface> [AD]

  RIP (v2)
    Learned:   Distance vector; routers send their full routing table every 30 seconds; metric = hop count (max 15, 16 = unreachable)
    Best for:  Very small or legacy networks; lab practice
    IOS:       router rip / version 2 / network <net>

  OSPF
    Learned:   Link state; routers flood LSAs to build an identical link-state database (LSDB), then run SPF (Dijkstra) to compute best paths; metric = cost, derived from interface bandwidth
    Best for:  Enterprise networks of any size; fast convergence; hierarchical area design
    IOS:       router ospf <pid> / network <net> <wildcard> area <n>

  EIGRP
    Learned:   Advanced distance vector (often described as "hybrid"); uses the DUAL algorithm; metric = composite (bandwidth and delay by default); developed by Cisco and published as informational RFC 7868
    Best for:  Cisco-centric networks; fast convergence; unequal-cost load balancing
    IOS:       router eigrp <AS> / network <net>

  BGP
    Learned:   Path vector; exchanges prefixes between Autonomous Systems over TCP port 179; best path chosen by policy attributes (AS-PATH, LOCAL_PREF, MED and others)
    Best for:  Internet routing between ISPs and large enterprises; multi-homed internet connections
    IOS:       router bgp <AS> / neighbor / network

Static Route Configuration

  ! Route to network 10.0.0.0/24 via next-hop 192.168.1.2:
  Router(config)# ip route 10.0.0.0 255.255.255.0 192.168.1.2

  ! Default route — forward all unmatched traffic to 203.0.113.1:
  Router(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1

  ! Floating static route (backup — higher AD so OSPF wins normally):
  Router(config)# ip route 10.0.0.0 255.255.255.0 192.168.1.3 150
  ! AD=150 means this route is only used if OSPF (AD=110) route disappears
            

See: Static Routing Configuration | Default Routes | Static Routing Lab

OSPF Configuration

  Router(config)# router ospf 1
  Router(config-router)# router-id 1.1.1.1
  Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
  Router(config-router)# network 10.0.0.0 0.0.0.255 area 0
  Router(config-router)# passive-interface GigabitEthernet0/0
  ! passive-interface stops OSPF hellos on the LAN port: nothing on that segment can
  ! form an adjacency and inject routes, but the connected network is still advertised
            

See: OSPF Areas & LSAs | OSPF Single-Area Configuration | OSPF Neighbor States | Administrative Distance | OSPF Single-Area Lab

7. Router Interfaces

  GigabitEthernet (Gi)
    Physical LAN port, 1 Gbps; connects to switches or directly to end devices.
    Use: LAN gateway (default gateway for hosts on the connected subnet).

  FastEthernet (Fa)
    Physical LAN port, 100 Mbps; found on older Cisco routers (800, 1800, 2600 series).
    Use: legacy LAN connections and lab routers.

  Serial (Se)
    Physical WAN port for point-to-point links (leased lines, Frame Relay, HDLC, PPP);
    needs a DCE/DTE cable in the lab, with clock rate set on the DCE end.
    Use: WAN connections to an ISP or branch office over leased lines.

  Subinterface (Gi0/0.10)
    Logical division of a physical interface; each subinterface carries one VLAN and is
    configured with encapsulation dot1q <vlan-id>.
    Use: router-on-a-stick, inter-VLAN routing over a single trunk to a switch.

  Loopback (Lo)
    Virtual interface; up/up as long as the router runs; never fails physically.
    Use: router ID for OSPF/BGP; stable management address; testing and diagnostics.

  Tunnel
    Virtual interface for GRE or IPsec tunnels; encapsulates one protocol inside another.
    Use: VPN tunnels between sites; GRE over IPsec for encrypted site-to-site connectivity
    (GRE on its own provides no confidentiality or integrity).

Router-on-a-Stick (Inter-VLAN Routing)

  Scenario: Route between VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24)
  using a single trunk link from the router to the switch.

  Switch configuration (trunk to router):
  Switch(config)# interface GigabitEthernet0/24
  Switch(config-if)# switchport mode trunk

  Router configuration (subinterfaces):
  Router(config)# interface GigabitEthernet0/0
  Router(config-if)# no ip address          ! physical interface — no IP
  Router(config-if)# no shutdown

  Router(config)# interface GigabitEthernet0/0.10
  Router(config-subif)# encapsulation dot1q 10          ! tag for VLAN 10
  Router(config-subif)# ip address 192.168.10.1 255.255.255.0
  Router(config-subif)# no shutdown

  Router(config)# interface GigabitEthernet0/0.20
  Router(config-subif)# encapsulation dot1q 20          ! tag for VLAN 20
  Router(config-subif)# ip address 192.168.20.1 255.255.255.0
  Router(config-subif)# no shutdown

  ! Hosts in VLAN 10 use 192.168.10.1 as their default gateway.
  ! Hosts in VLAN 20 use 192.168.20.1 as their default gateway.
  ! Traffic between VLANs flows up the trunk, through the router, back down.
            

See: Router-on-a-Stick Guide | VLANs | Trunking
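What the router actually does with a frame on the trunk is easier to see on bytes than on a diagram: the 802.1Q tag names the ingress subinterface, the tag is stripped, the inner IPv4 packet is routed to the subinterface whose connected subnet contains the destination, and the packet is re-tagged with that subinterface's VLAN. The following is an added example for this page, not code from the page or from Cisco. The MAC addresses, the pre-populated ARP cache and the frames themselves are constructed (the IANA documentation MAC range is used); the VLAN-to-subnet mapping is the one configured above.

```python
import ipaddress
import struct

TPID_8021Q = 0x8100      # 802.1Q tag protocol identifier
ETHERTYPE_IPV4 = 0x0800

# Subinterface table from the configuration above: VLAN -> (name, subnet, gateway IP).
SUBINTERFACES = {
    10: ("GigabitEthernet0/0.10", ipaddress.ip_network("192.168.10.0/24"), "192.168.10.1"),
    20: ("GigabitEthernet0/0.20", ipaddress.ip_network("192.168.20.0/24"), "192.168.20.1"),
}
ROUTER_MAC = "00:00:5e:00:53:01"                      # assumption: MAC of Gi0/0
ARP_CACHE = {"192.168.20.5": "00:00:5e:00:53:20"}    # assumption: one host in VLAN 20 already resolved


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def ipv4_checksum(header):
    """RFC 791 one's-complement sum; over a header with a valid checksum it returns 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src_ip, dst_ip, ttl):
    """Constructed sample: minimal 20-byte IPv4 header (protocol 6, no options, no payload)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, ttl, 6, 0,
                      ipaddress.ip_address(src_ip).packed, ipaddress.ip_address(dst_ip).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def build_tagged_frame(dst_mac, src_mac, vlan, payload):
    """Ethernet header, then the 802.1Q tag (PCP 0, DEI 0, VID), then the IPv4 packet."""
    tci = vlan & 0x0FFF
    return (mac_bytes(dst_mac) + mac_bytes(src_mac)
            + struct.pack("!HHH", TPID_8021Q, tci, ETHERTYPE_IPV4) + payload)


def parse_tagged_frame(frame):
    """Step 2 of the walk-through: strip Layer 2, but remember which VLAN the tag named."""
    if struct.unpack("!H", frame[12:14])[0] != TPID_8021Q:
        return None                       # untagged frame: no subinterface claims it
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    ip = frame[18:]
    return {"vlan": tci & 0x0FFF, "ethertype": inner_type, "ttl": ip[8], "ip": ip,
            "src_ip": ipaddress.ip_address(ip[12:16]), "dst_ip": ipaddress.ip_address(ip[16:20])}


def route_on_a_stick(frame):
    """Receive on the trunk, route between subinterfaces, return the re-tagged egress frame."""
    p = parse_tagged_frame(frame)
    if p is None or p["ethertype"] != ETHERTYPE_IPV4 or p["vlan"] not in SUBINTERFACES:
        return {"action": "drop", "reason": "untagged, non-IPv4, or VLAN without a subinterface"}
    ingress = SUBINTERFACES[p["vlan"]][0]
    if p["ttl"] <= 1:
        return {"action": "drop", "reason": "TTL expired, ICMP Time Exceeded to source"}
    for vlan, (egress, net, _gateway) in SUBINTERFACES.items():
        if p["dst_ip"] in net:            # connected route: ARP for the destination host itself
            host_mac = ARP_CACHE.get(str(p["dst_ip"]))
            if host_mac is None:
                return {"action": "queue", "reason": "ARP request sent for next hop"}
            ip = p["ip"]                  # decrement TTL, zero and recompute the header checksum
            new_hdr = ip[:8] + bytes([p["ttl"] - 1]) + ip[9:10] + b"\x00\x00" + ip[12:20]
            new_hdr = new_hdr[:10] + struct.pack("!H", ipv4_checksum(new_hdr)) + new_hdr[12:]
            out = build_tagged_frame(host_mac, ROUTER_MAC, vlan, new_hdr + ip[20:])
            return {"action": "forward", "ingress": ingress, "egress": egress, "frame": out}
    return {"action": "drop", "reason": "no matching route, ICMP Destination Unreachable"}
```

The untagged case matters operationally: the physical interface has no IP address, so an untagged frame arriving on the trunk belongs to no subinterface and is not routed.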

8. Router Configuration Basics

  ! ── Initial setup ───────────────────────────────────────────────
  Router(config)# hostname R1

  ! Set enable secret (privileged EXEC password — encrypted):
  Router(config)# enable secret Cisco123!

  ! ── Configure LAN interface ─────────────────────────────────────
  Router(config)# interface GigabitEthernet0/0
  Router(config-if)# description LAN — connected to Switch SW1
  Router(config-if)# ip address 192.168.1.1 255.255.255.0
  Router(config-if)# no shutdown
  Router(config-if)# exit

  ! ── Configure WAN interface ─────────────────────────────────────
  Router(config)# interface GigabitEthernet0/1
  Router(config-if)# description WAN — connected to ISP
  Router(config-if)# ip address 203.0.113.2 255.255.255.252
  Router(config-if)# no shutdown
  Router(config-if)# exit

  ! ── Configure loopback (router ID for OSPF/BGP) ─────────────────
  Router(config)# interface Loopback0
  Router(config-if)# ip address 1.1.1.1 255.255.255.255
  Router(config-if)# exit

  ! ── Static default route to ISP ──────────────────────────────────
  Router(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1

  ! ── Enable SSH for secure remote management ──────────────────────
  Router(config)# ip domain-name netstuts.com
  Router(config)# crypto key generate rsa modulus 2048
  Router(config)# ip ssh version 2
  Router(config)# username admin privilege 15 secret AdminPass1!
  Router(config)# line vty 0 4
  Router(config-line)# login local
  Router(config-line)# transport input ssh
  Router(config-line)# exec-timeout 5 0
  ! ip ssh version 2 refuses SSHv1 clients; transport input ssh disables Telnet on the VTYs

  ! ── Save configuration ────────────────────────────────────────────
  Router# copy running-config startup-config
  (or: Router# wr)
            

See: SSH Configuration | SSH & Telnet Security | show running-config | SSH Configuration Lab

9. NAT and PAT on a Router

NAT (Network Address Translation) lets devices with private RFC 1918 addresses reach the internet by rewriting their private source IP to a public IP at the router. PAT (Port Address Translation), also called NAT Overload, is the most common variant: thousands of inside hosts share a single public IP, and each session is told apart by its translated source port. Because an unsolicited inbound packet finds no translation entry and is dropped, PAT hides inside hosts as a side effect; it is not a firewall, and inbound filtering still needs an ACL or a stateful firewall.

  Static NAT
    Mapping:  One-to-one, permanent
    Use:      Public-facing servers that must accept inbound connections (web server, mail server, VPN endpoint)
    Command:  ip nat inside source static <private> <public>

  Dynamic NAT
    Mapping:  Many-to-many from a pool; one public IP per active inside host
    Use:      Multiple users each needing a dedicated public IP for the life of a session
    Command:  ip nat inside source list <acl> pool <name>

  PAT (NAT Overload)
    Mapping:  Many-to-one; sessions told apart by translated source port
    Use:      Home and office internet sharing; thousands of users behind a single public IP
    Command:  ip nat inside source list <acl> interface <int> overload

PAT Configuration (Most Common)

  ! Define which inside hosts can use NAT:
  Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

  ! Bind the ACL to the outside interface with overload (PAT):
  Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload

  ! Mark the inside (LAN) interface:
  Router(config)# interface GigabitEthernet0/0
  Router(config-if)# ip nat inside

  ! Mark the outside (WAN) interface:
  Router(config)# interface GigabitEthernet0/1
  Router(config-if)# ip nat outside

  ! Verify translations:
  Router# show ip nat translations
  Router# show ip nat statistics
            

See: NAT Overview | Static NAT | Dynamic NAT | PAT (NAT Overload) | Private vs Public IP
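The translation table behind the PAT configuration above can be modelled to show the three things that matter in practice: the translated source port is preserved when free and reallocated when two hosts pick the same one, a return packet is matched to its inside host by that port, and anything inbound without an entry is dropped. The following is an added example for this page, not code from the page or from Cisco; it uses the ACL and interface addresses configured above, the peers and packets are constructed, and it simplifies IOS by giving every session its own translated port rather than reusing ports across different outside peers.

```python
import ipaddress

INSIDE_ACL = ipaddress.ip_network("192.168.1.0/24")   # access-list 1 permit 192.168.1.0 0.0.0.255
OUTSIDE_IP = ipaddress.ip_address("203.0.113.2")       # address of GigabitEthernet0/1 (section 8)


class PatTable:
    """One outside address; sessions told apart by the translated source port."""

    def __init__(self, outside_ip=OUTSIDE_IP, port_range=(1024, 65535)):
        self.outside_ip = outside_ip
        self.low, self.high = port_range
        # (proto, inside ip, inside port, peer ip, peer port) -> translated port
        self.by_inside = {}
        # (proto, translated port) -> (inside ip, inside port, peer ip, peer port)
        self.by_outside = {}

    def _allocate_port(self, proto, preferred):
        """Keep the host's own source port when it is free; otherwise take the next free one."""
        if self.low <= preferred <= self.high and (proto, preferred) not in self.by_outside:
            return preferred
        for port in range(self.low, self.high + 1):
            if (proto, port) not in self.by_outside:
                return port
        return None   # port exhaustion for this protocol

    def outbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Inside -> outside: rewrite the source to <outside ip>:<translated port>."""
        src_ip, dst_ip = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
        if src_ip not in INSIDE_ACL:
            # Not permitted by the NAT ACL: the packet is still routed, untranslated,
            # and leaves with a private source address that the ISP will drop.
            return {"action": "forward-untranslated", "src": f"{src_ip}:{src_port}"}
        key = (proto, src_ip, src_port, dst_ip, dst_port)
        port = self.by_inside.get(key)
        if port is None:
            port = self._allocate_port(proto, src_port)
            if port is None:
                return {"action": "drop", "reason": "no free translated ports"}
            self.by_inside[key] = port
            self.by_outside[(proto, port)] = (src_ip, src_port, dst_ip, dst_port)
        return {"action": "translate", "src": f"{self.outside_ip}:{port}", "dst": f"{dst_ip}:{dst_port}"}

    def inbound(self, proto, src_ip, src_port, dst_ip, dst_port):
        """Outside -> inside: only a packet matching an existing entry reaches an inside host."""
        if ipaddress.ip_address(dst_ip) != self.outside_ip:
            return {"action": "drop", "reason": "not addressed to the outside interface"}
        entry = self.by_outside.get((proto, dst_port))
        if entry is None:
            return {"action": "drop", "reason": "no translation entry (unsolicited inbound)"}
        inside_ip, inside_port, peer_ip, peer_port = entry
        if (ipaddress.ip_address(src_ip), src_port) != (peer_ip, peer_port):
            return {"action": "drop", "reason": "entry belongs to a different outside peer"}
        return {"action": "translate", "src": f"{src_ip}:{src_port}", "dst": f"{inside_ip}:{inside_port}"}

    def translations(self):
        """Rows in the spirit of show ip nat translations:
        Pro  Inside global  Inside local  Outside local  Outside global."""
        rows = []
        for (proto, port), (inside_ip, inside_port, peer_ip, peer_port) in sorted(self.by_outside.items()):
            rows.append(f"{proto} {self.outside_ip}:{port} {inside_ip}:{inside_port} "
                        f"{peer_ip}:{peer_port} {peer_ip}:{peer_port}")
        return rows
```

Constructing a PatTable with a two-port range shows the exhaustion failure mode directly: the third session of the same protocol is dropped, which on a real router shows up as misses in show ip nat statistics.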

10. Router Security

  ! ── Secure the console port ──────────────────────────────────────
  Router(config)# line console 0
  Router(config-line)# password ConPass1!
  Router(config-line)# login
  Router(config-line)# exec-timeout 3 0       ! log the session out after 3 minutes idle

  ! ── Secure auxiliary port (if present) ──────────────────────────
  Router(config)# line aux 0
  Router(config-line)# no exec
  Router(config-line)# exec-timeout 0 1

  ! ── Obscure plain-text passwords in the config ──────────────────
  Router(config)# service password-encryption
  ! This applies the reversible type 7 encoding to line and username passwords; it only
  ! stops casual reading of show running-config. Use enable secret and username ... secret,
  ! which store a one-way hash instead.

  ! ── Apply an ACL to VTY lines (allow only management subnet) ────
  Router(config)# ip access-list standard MGMT_ONLY
  Router(config-std-nacl)# permit 192.168.100.0 0.0.0.255
  Router(config)# line vty 0 4
  Router(config-line)# access-class MGMT_ONLY in

  ! ── Apply ACL to block inbound traffic on WAN interface ─────────
  Router(config)# ip access-list extended WAN_INBOUND
  Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any log
  Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any log
  Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any log
  Router(config-ext-nacl)# permit ip any any
  Router(config)# interface GigabitEthernet0/1
  Router(config-if)# ip access-group WAN_INBOUND in
  ! Blocks packets arriving from the internet with RFC 1918 sources (spoofed or leaked).
  ! The closing permit ip any any makes this an anti-spoofing list, not a firewall.
  ! Every IOS ACL ends with an implicit deny ip any any, so a list without that permit
  ! would block all inbound WAN traffic, including return traffic for NAT sessions.
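Two details of the ACLs above are where mistakes usually happen: the wildcard mask is the inverse of a subnet mask (0.15.255.255 is the /12, not a typo), and evaluation is first match with an implicit deny at the end. The following is an added example for this page, not code from the page or from Cisco: it parses the MGMT_ONLY and WAN_INBOUND lists exactly as configured above (the pasted prompts are stripped) and evaluates constructed packets against them.

```python
import ipaddress
from dataclasses import dataclass

# The two lists from this section, pasted as configured (prompts are tolerated and stripped).
MGMT_ONLY = """
Router(config-std-nacl)# permit 192.168.100.0 0.0.0.255
"""
WAN_INBOUND = """
Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any log
Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any log
Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any log
Router(config-ext-nacl)# permit ip any any
"""


@dataclass
class Ace:
    action: str        # "permit" or "deny"
    proto: str         # "ip" matches every protocol; otherwise "tcp", "udp", "icmp", ...
    src: str           # "any", "host a.b.c.d" or "a.b.c.d <wildcard>"
    dst: str
    log: bool = False


def wildcard_match(addr, spec):
    """Cisco wildcard mask: a 0 bit must match, a 1 bit is ignored, so 0.15.255.255 is the
    inverse of 255.240.0.0 and 172.16.0.0 0.15.255.255 covers 172.16.0.0/12."""
    if spec == "any":
        return True
    if spec.startswith("host "):
        base, wildcard = spec[5:], "0.0.0.0"
    else:
        base, wildcard = spec.split()
    a, b, w = (int(ipaddress.ip_address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


def _take_addr(tokens):
    if tokens[0] == "any":
        return "any", tokens[1:]
    if tokens[0] == "host":
        return f"host {tokens[1]}", tokens[2:]
    if len(tokens) == 1:                  # standard-ACL shorthand: a bare address means wildcard 0.0.0.0
        return f"host {tokens[0]}", []
    return f"{tokens[0]} {tokens[1]}", tokens[2:]


def parse_acl(text, standard=False):
    """Turn permit/deny lines into ACEs in the order IOS evaluates them."""
    aces = []
    for line in text.strip().splitlines():
        tokens = line.split()
        if tokens and tokens[0].endswith("#"):   # drop a pasted "Router(config-...)#" prompt
            tokens = tokens[1:]
        if not tokens or tokens[0] not in ("permit", "deny"):
            continue
        action, rest = tokens[0], tokens[1:]
        log = rest[-1] == "log"
        if log:
            rest = rest[:-1]
        if standard:                              # standard ACLs match on source only
            proto, dst = "ip", "any"
            src, rest = _take_addr(rest)
        else:
            proto, rest = rest[0], rest[1:]
            src, rest = _take_addr(rest)
            dst, rest = _take_addr(rest)
        aces.append(Ace(action, proto, src, dst, log))
    return aces


def evaluate(aces, proto, src, dst):
    """First matching entry decides; running off the end hits the implicit deny ip any any."""
    for index, ace in enumerate(aces):
        if ace.proto not in ("ip", proto):
            continue
        if wildcard_match(src, ace.src) and wildcard_match(dst, ace.dst):
            return {"action": ace.action, "ace": index, "log": ace.log}
    return {"action": "deny", "ace": None, "log": False}
```

The MGMT_ONLY result for a source outside 192.168.100.0/24 is the implicit deny (ace None), which is exactly why a standard ACL applied with access-class needs no explicit deny line.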
            

See: Firewalls | ACL Overview | Applying ACLs | Named ACLs | SSH Configuration | SSH & Telnet Security
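The hardening steps in sections 8 and 10 are easy to apply once and lose later, so they are worth checking mechanically against a saved configuration. The following is an added example for this page, not code from the page or from Cisco: it parses IOS configuration text into sections (IOS indents child lines by one space) and reports the items this page configures, plus Telnet on the VTYs and reversible type 7 passwords. Both sample configurations are constructed; the weak one is deliberately incomplete, the hardened one combines the commands from sections 8 and 10, and example.com stands in for the domain name.

```python
import re

# Constructed sample: a router configured the way a first pass often leaves it.
WEAK_CONFIG = """\
hostname R1
enable password Cisco123!
username admin privilege 15 password 0 AdminPass1!
username backup privilege 15 password 7 0822455D0A16
ip domain-name example.com
line con 0
 password ConPass1!
 login
line aux 0
 login
line vty 0 4
 login local
 transport input telnet ssh
"""

# Constructed sample: the configuration from sections 8 and 10 of this page combined.
HARDENED_CONFIG = """\
hostname R1
service password-encryption
enable secret Cisco123!
username admin privilege 15 secret AdminPass1!
ip domain-name example.com
ip ssh version 2
ip access-list standard MGMT_ONLY
 permit 192.168.100.0 0.0.0.255
line con 0
 password ConPass1!
 login
 exec-timeout 3 0
line aux 0
 no exec
 exec-timeout 0 1
line vty 0 4
 access-class MGMT_ONLY in
 exec-timeout 5 0
 login local
 transport input ssh
"""


def parse_sections(text):
    """Group an IOS config into (header, [child lines]); IOS indents children by one space."""
    sections, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw.startswith(" ") and current is not None:
            current[1].append(raw.strip())
        else:
            current = (raw.strip(), [])
            sections.append(current)
    return sections


def audit_line(header, body, vty):
    findings = []
    timeout = next((l for l in body if l.startswith("exec-timeout")), None)
    if timeout is None:
        findings.append(f"{header}: exec-timeout left at the IOS default of 10 minutes")
    elif timeout.split()[1:3] == ["0", "0"]:
        findings.append(f"{header}: exec-timeout 0 0 disables the idle timeout")
    if vty:
        if "login local" not in body and not any(l.startswith("login authentication") for l in body):
            findings.append(f"{header}: login is not backed by local usernames or AAA")
        transport = next((l for l in body if l.startswith("transport input")), None)
        if transport is None or transport.split()[2:] != ["ssh"]:
            findings.append(f"{header}: want 'transport input ssh' (got: {transport or 'platform default'})")
        if not any(l.startswith("access-class") for l in body):
            findings.append(f"{header}: no access-class limiting where management sessions may come from")
    elif not any(l.startswith("login") for l in body):
        findings.append(f"{header}: no login required on the console")
    return findings


def audit(text):
    """Return a list of findings; an empty list means every check in this example passed."""
    sections = parse_sections(text)
    headers = [h for h, _ in sections]
    findings = []
    if not any(h.startswith("enable secret") for h in headers):
        findings.append("no 'enable secret' (an enable password is stored in clear or as type 7)")
    if "service password-encryption" not in headers:
        findings.append("missing 'service password-encryption'")
    if "ip ssh version 2" not in headers:
        findings.append("SSH version 2 not enforced ('ip ssh version 2')")
    for header, body in sections:
        if header.startswith("username ") and " secret " not in header:
            findings.append(f"{header.split()[1]}: username uses 'password' instead of 'secret'")
        if header.startswith("line vty"):
            findings += audit_line(header, body, vty=True)
        elif header.startswith("line con"):
            findings += audit_line(header, body, vty=False)
        elif header.startswith("line aux") and "no exec" not in body:
            findings.append(f"{header}: exec still enabled on the auxiliary port")
    for line in text.splitlines():
        if re.search(r"\bpassword 7 \S+", line):
            findings.append(f"type 7 (reversible) password in: {line.strip()}")
    return findings
```

audit(WEAK_CONFIG) lists every gap between the two samples, and audit(HARDENED_CONFIG) comes back empty; feeding it the output of show running-config from a real router is the intended use.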

11. Advanced Router Features

  Policy-Based Routing (PBR)
    Routes traffic on criteria beyond the destination IP (source IP, protocol, port, packet
    size), overriding the normal routing-table decision; implemented with a route-map applied
    by ip policy route-map <name>.
    Use: send VoIP over a low-latency link; force specific users through a proxy; send bulk
    file transfers over a high-bandwidth WAN link.

  Route redistribution
    Imports routes from one routing protocol into another, e.g. static routes into OSPF, or
    EIGRP routes into OSPF.
    Use: connecting networks that run different protocols during a migration; multi-vendor
    environments.

  VRF (Virtual Routing and Forwarding)
    Multiple independent routing tables on one physical router; each VRF is isolated and can
    reuse overlapping IP address space.
    Use: ISP multi-tenant environments; separating management from production traffic;
    overlapping IP space after an enterprise merger.

  MPLS (Multiprotocol Label Switching)
    Forwards on labels rather than IP lookups; labels are pushed at the ingress router,
    swapped at each hop and popped at the egress router; enables traffic engineering and
    VPN services.
    Use: ISP core networks; enterprise WAN via an MPLS provider; Layer 3 VPN services
    (MPLS L3VPN).

  DHCP server
    A Cisco router can hand out IP addresses, subnet masks, default gateways and DNS servers
    to hosts on its connected networks.
    Use: small branch offices without a dedicated DHCP server; lab environments.

  DHCP relay (ip helper-address)
    Forwards DHCP broadcasts from one subnet to a DHCP server on another subnet as unicast;
    without it, DHCP broadcasts stop at the router interface.
    Use: one centralised DHCP server serving many VLANs or subnets through one or more
    routers.

See: How DHCP Works | DHCP Configuration | DHCP Relay

12. Troubleshooting

  Host cannot reach a remote network
    Likely cause:  missing route in the routing table; interface down; wrong default gateway on the host
    Check:         show ip route (is there a route to the destination?); show ip interface brief (are the interfaces up/up?)

  Interface shows "administratively down"
    Likely cause:  the interface was disabled with the shutdown command
    Check:         show interfaces; fix with no shutdown on the interface

  Route exists but traffic is still dropped
    Likely cause:  ACL on the interface blocking the traffic; NAT misconfiguration; return path missing (asymmetric routing)
    Check:         show access-lists (watch the hit counters); show ip nat translations; trace the return path with traceroute from the far end

  Routing table missing expected OSPF routes
    Likely cause:  OSPF neighbour not in Full state; area mismatch; network statement not covering the interface
    Check:         show ip ospf neighbor (state); show ip ospf interface (area and network type)

  NAT not translating, inside hosts cannot reach the internet
    Likely cause:  ip nat inside / ip nat outside not set; ACL not permitting the inside hosts; wrong interface in the overload command
    Check:         show ip nat statistics (misses); show running-config | include nat (all four elements present: ACL, nat inside source, inside, outside)

  Cannot SSH into the router
    Likely cause:  SSH not configured; no RSA key generated; VTY line not accepting SSH; ACL or access-class blocking TCP port 22
    Check:         show ip ssh; show line vty 0 4; confirm crypto key generate rsa was run. See SSH & Telnet Security.

Essential Troubleshooting Commands

  Router# show ip route              ! View full routing table
  Router# show ip route 10.0.0.5     ! Check specific destination
  Router# show ip interface brief    ! Interface status summary (up/down/IP)
  Router# show interfaces Gi0/0      ! Full interface details (errors, drops)
  Router# show running-config        ! View active configuration
  Router# show startup-config        ! View saved configuration (NVRAM)
  Router# show version               ! IOS version, uptime, memory, license
  Router# show ip ospf neighbor      ! OSPF adjacencies
  Router# show ip nat translations   ! Active NAT/PAT entries
  Router# ping 10.0.0.5              ! Test Layer 3 reachability
  Router# traceroute 10.0.0.5        ! Trace path hop-by-hop
  Router# debug ip packet            ! Real-time packet processing (use with care)
  Router# debug ip routing           ! Real-time routing table changes
  Router# undebug all                ! Turn off all debug output
            

See: ping | traceroute | show ip route | show interfaces | show ip interface brief | show running-config

13. Exam Tips & Key Points

  • Routers operate at Layer 3 and make forwarding decisions based on IP addresses and the routing table. Every router interface is its own broadcast domain — broadcasts do not cross routers.
  • Router memory types: RAM (running config, routing table — lost on reboot); NVRAM (startup config — persists); Flash (IOS image — persists); ROM (bootstrap, POST, ROMmon — factory-programmed).
  • Longest-prefix match — the router always uses the most specific matching route (most bits in the mask). A /24 beats a /16 beats a /8. The default route (0.0.0.0/0) is used only when nothing more specific matches.
  • Administrative Distance (AD) — determines which routing source is trusted when multiple sources know the same route. Connected=0, Static=1, EIGRP=90, OSPF=110, RIP=120. Lower AD wins.
  • Know static route syntax: ip route <network> <mask> <next-hop>. Default route: ip route 0.0.0.0 0.0.0.0 <next-hop>.
  • Router-on-a-stick uses subinterfaces (one per VLAN) on a single trunk link for inter-VLAN routing. Each subinterface needs encapsulation dot1q <vlan-id>.
  • NAT types: Static (1:1 permanent), Dynamic (pool-based), PAT/Overload (many-to-one using ports — most common). Both interfaces need ip nat inside / ip nat outside.
  • Use SSH not Telnet for remote management — SSH encrypts the session; Telnet sends credentials in plain text. See SSH & Telnet Security.
  • Key troubleshooting commands: show ip route, show ip interface brief, show interfaces, show ip nat translations, ping, traceroute.

14. Summary Reference Table

  OSI layer:                   Layer 3 (Network); uses IP addresses
  Primary function:            Forward packets between different IP networks
  Broadcast domain:            Each interface is its own broadcast domain
  Routing table lookup:        Longest-prefix match; the most specific route wins
  Default route:               ip route 0.0.0.0 0.0.0.0 <next-hop>
  RAM contents:                Running config, routing table, ARP cache (volatile)
  NVRAM contents:              Startup config (non-volatile, survives reboot)
  Flash contents:              IOS image (non-volatile)
  Administrative distance:     OSPF 110; static 1; connected 0
  Inter-VLAN routing method:   Router-on-a-stick (subinterfaces + trunk) or Layer 3 switch (SVI)
  View routing table:          show ip route
  Secure remote management:    SSH (transport input ssh on VTY lines). See SSH & Telnet Security.

Router Quiz

1. A router operates at which OSI layer, and what type of address does it use to make forwarding decisions?

Correct answer is C. Routers are Layer 3 devices. They read the IP destination address in the packet header, look it up in the routing table using longest-prefix match, then strip the incoming Layer 2 frame and build a new one for the next hop. See OSI Layer Functions.

2. A router's routing table contains: 10.0.0.0/8 via 192.168.1.1; 10.1.0.0/16 via 192.168.1.2; 10.1.1.0/24 via 192.168.1.3; 0.0.0.0/0 via 203.0.113.1. A packet arrives destined for 10.1.1.100. Which route is used?

Correct answer is B. Routers always use the most specific match — the entry with the longest prefix (most 1-bits in the mask). All three specific routes match 10.1.1.100, but /24 is more specific than /16 which is more specific than /8. The default route (0.0.0.0/0) is only used when no more specific entry exists. See show ip route.

3. Which router memory type contains the startup configuration that is loaded when the router boots?

Correct answer is D. NVRAM (Non-Volatile RAM) retains its contents through a power cycle and stores the startup configuration. At boot, the startup-config is loaded from NVRAM into RAM, where it becomes the running-config. RAM is volatile and loses everything on power-off. Flash stores the IOS image. ROM contains the bootstrap code and ROMmon. Save with copy running-config startup-config; use show running-config to verify what is active and show startup-config to see what will load at the next boot.

4. What is the administrative distance (AD) of an OSPF-learned route, and why does this value matter?

Correct answer is A. OSPF has an AD of 110. Administrative Distance is a measure of trustworthiness — lower values are preferred. If the routing table has both an OSPF route and a static route (AD=1) to the same destination, only the static route (lower AD) is installed. OSPF (AD=110), EIGRP (AD=90 internal), RIP (AD=120).

5. An administrator needs to enable inter-VLAN routing using a single physical router interface connected via a trunk to a switch. What technique is used?

Correct answer is C. Router-on-a-stick allows a single physical interface to route between multiple VLANs. The switch port is configured as a trunk; the router interface is subdivided into logical subinterfaces (e.g., Gi0/0.10, Gi0/0.20), each with encapsulation dot1q <vlan-id> and an IP address that serves as the default gateway for that VLAN.

6. A network engineer types ip route 0.0.0.0 0.0.0.0 203.0.113.1 on a router. What does this command do?

Correct answer is B. The 0.0.0.0/0 route is the default route — it matches any destination because every IP address matches /0 (zero bits required to match). It is used as the gateway of last resort for packets that don't match any more specific route. It appears in show ip route as S* 0.0.0.0/0 where S=static and *=candidate default.

7. What is PAT (Port Address Translation) and why is it the most commonly deployed form of NAT in home and office networks?

Correct answer is A. PAT (also called NAT Overload) uses the translated source port to tell inside sessions apart. Port numbers are 16-bit values (0–65535), so one public IP offers roughly 64,000 usable ports per transport protocol (TCP and UDP are tracked separately). That is why ISPs give most home broadband connections a single public IP and let PAT handle everything behind it. See NAT Overview.

8. Which command correctly installs a floating static route that acts as a backup to an OSPF-learned route for the same destination?

Correct answer is D. A floating static route has a manually configured AD higher than the primary routing protocol. Since OSPF has AD=110, setting the static route's AD to 150 means the static route is less preferred — it stays dormant in the config but only enters the routing table if the OSPF route disappears. For example: ip route 10.0.0.0 255.255.255.0 192.168.1.2 150 — this static route is only installed if the OSPF route (AD=110) is no longer available.

9. Why should SSH be used instead of Telnet for remote router management?

Correct answer is A. Telnet (TCP port 23) transmits everything, including usernames, passwords and every command typed, in plain text; anyone who can capture traffic on the path between the admin workstation and the router reads the whole session. SSH (Secure Shell, TCP port 22) negotiates a session key with a Diffie-Hellman or elliptic-curve exchange, authenticates the router with its host key (which is what defeats a man-in-the-middle, provided the client actually checks that key) and encrypts the session with a symmetric cipher such as AES (3DES is a legacy option). Credentials cannot be recovered from a capture, and public-key authentication is available as a stronger alternative to passwords. Configuring SSH requires: ip domain-name, crypto key generate rsa, ip ssh version 2, and transport input ssh on the VTY lines. See SSH & Telnet Security and SSH Configuration Lab.

10. What is the primary use case for Policy-Based Routing (PBR), and how does it differ from normal destination-based routing?

Correct answer is C. Normal IP routing is purely destination-based — the router looks up the destination IP in the routing table and forwards the packet accordingly, regardless of where it came from or what application it belongs to. Policy-Based Routing (PBR) breaks this model by allowing an administrator to define routing decisions based on additional criteria: source IP address, destination IP, Layer 4 protocol (TCP/UDP), specific ports, or even packet size. For example: route all HTTP/HTTPS traffic from the Finance VLAN through a proxy server, route VoIP traffic (UDP/RTP) through a low-latency WAN link, or send all traffic from a specific source subnet through a different ISP than the default route specifies. PBR is implemented using route-maps applied to interfaces with ip policy route-map <name>.
