Other Models

How routers process incoming packets (NAT process)

When a router receives a packet:

• It checks if the receiving port is a NAT outside port.
  • If so:
    • It checks to determine whether the packet is UDP, TCP or ICMP to get the packet's source and destination port.
    • It refers to the NAT table (using the global addresses) for the necessary translation.
      • If it finds a match for the packet (a translation exists):
        • It replaces the inside address and port with the local version.
        • It translates the destination IP address and port
  • If the receiving port is not a NAT outside port, or if it is a NAT outside port but the requested IP address is not in the NAT table:
    • The router checks to see if there is a route to the destination IP.
      • It drops the packet if (any):
        • There is no route.
        • It finds a route, but the outgoing port of that route entry is the same as the receiving port.
      • If there is a route, it sends a reply with the receiving port's MAC address.

How routers process outgoing packets (NAT process)

When a router wants to send a packet out a port:

• It checks if the outgoing port is a NAT inside port.
  • If so:
    • It looks up its NAT table for the necessary translations.
    • It captures the packet's source and destination ports and sets a timer for the packet (depending on the packet's encapsulation type).
      • For a TCP packet the timer is 24 hours.
      • For a UDP packet the timer is 5 minutes.
      • For an ICMP packet the timer is 1 minute.
    • It looks up the NAT table
  • If the receiving port is not a NAT outside port, or if it is a NAT outside port but the requested IP address is not in the NAT table:
  • The router checks to see if there is a route to the destination IP.
    • It drops the packet if (any):
      • There is no route.
      • It finds a route, but the outgoing port of that route entry is the same as the receiving port.
    • If there is a route, it sends a reply with the receiving port's MAC address.

How routers process incoming packets in the NATv6 process

• It checks if the packet is received from v4 lower process or v6 lower process.
• If so:
• Check if the prefix address is valid.
• If the destination is in the valid network:
  • It checks to determine whether the packet is UDP, TCP or ICMPv6/ICMPv4 to get the packet's source and destination port.
  • It refers to the NAT table (using the inside global addresses) for the necessary translation.
  • If it finds a match for the packet (a translation exists):
    • It replaces the inside global address and port with the local version.
    • Then it translates the destination IP address and port.
    • If a valid NAT entry is found in the table, form a new IP header – IPv6 or IPv4 depending on which higher process the packet has to be sent.
• If the requested IP address is not in the NAT table:
  • The packet is sent to the corresponding higher process from where it was received.
  • The router checks to see if there is a route to the destination IP.
  • It drops the packet if (any):
    • There is no route.
    • It finds a route, but the outgoing port of that route entry is the same as the receiving port.
    • If there is a route, it sends a reply with the receiving port's MAC address.
                                                                                  

How routers process outgoing packets in the NATv6 process

• It checks if the packet is send from v4 higher process or v6 higher process.
• If packet is from higher process of v4 stack:
  • Send it to the lower process of v4 stack.
• If packet is from higher process of v6 stack:
  • Send it to the lower process of v6 stack.

How devices use ARP to send IP packets

When a device sends an IP packet (flowchart here):

• If the destination IP is a broadcast, it sets the packet's destination MAC address to the broadcast MAC address and sends the packet out.
• If the destination IP is a multicast, it sets the packet's destination MAC address to the multicast MAC address and sends the packet out.
• If the destination IP is a unicast, it looks up the ARP table to see if the destination IP matches an entry's IP address in the ARP table.
  • If a match exists, it:
    • Sets the packet's destination MAC address to the entry's MAC address.
    • Sends out the IP packet.
  • If a match does not exist, it:
    • Drops the IP packet.
    • Sends an ARP request out.
    • Adds that request to the list of ARP requests.
    • Sets and starts the timer for it as it waits for an ARP reply.

How devices send ARP requests

When a device wants to send an ARP request (flowchart here):

• It will NOT send the request if (any):
  • The sending port is down.
  • The sending port does not have a valid IP address.
  • A request for the same IP address is already sent.
• If none of the above is true, it proceeds with the ARP request. It:
  • Constructs an ARP request for the IP address in question.
  • Sets the destination MAC address to the broadcast address.
  • Adds the request to the list of existing requests.
  • Sets and starts a timer for this request.
  • Sends the request.
  • Waits for an ARP reply.
  • Drops the request from the list if time expires.

How devices process incoming ARP packets

When a device receives an ARP packet (flowchart here):

• It drops the packet if (any):
  • The receiving port is not up.
  • The device is a switch and an active VLAN interface is not up.
  • The packet's source IP is not in the same subnet as the receiving port's subnet.
• If the above is not true, it proceeds to process the packet:
  • It checks to see if the packet is an ARP request or an ARP reply.
  • If the packet is an ARP request, it checks to see if the packet's destination IP matches the receiving port's IP address.
    • If they match, the device sends a reply with the receiving port's MAC address.
    • If they do not match:
      • If the device is not a router, it drops the packet.
      • If the device is a router, refer to "How routers process ARP requests."
  • If the packet is an ARP reply, the device checks if it submitted a request for the IP address found in the reply.
    • It drops the packet if there is no such request in the list.
    • If the packet is in the ARP request list:
      • The device now removes the request from the list.
      • If the ARP table does not contain an entry with the IP and MAC addresses found in the packet, it will make a new entry with those addresses.
      • If the ARP table already contains an entry with the IP and MAC addresses found in the packet, it just resets that entries' timer. That entry will be removed from the table when its timer expires.

How routers process ARP requests

When a router receives an ARP packet (continuing from "How devices process incoming ARP packets"):

• It checks the NAT status on the receiving port.
  • If the receiving port is a NAT outside port, the router checks the NAT table for the packet's destination IP.
    • If the requested IP address is in the NAT table, the router sends a reply with the receiving port's MAC address.
  • If the receiving port is not a NAT outside port, or if it is a NAT outside port but the requested IP address is not in the NAT table:
    • The router checks to see if there is a route to the destination IP.
      • It drops the packet if (any):
        • There is no route.
        • It finds a route, but the outgoing port of that route entry is the same as the receiving port.
      • If there is a route, it sends a reply with the receiving port's MAC address.

How an ACL works

ACL for IPv4 and IPv6 works the same way except the input of different versions of IP addresses.

When a router receives a packet on an interface:

• ACL checks for inbound ACL and if inbound ACL is configured on the interface:
• If the inbound ACL is empty, it permits the packet.
• If the inbound ACL contains statements:
• If the packet matches the criteria of any of the statements and:
• If the statement permits the packet, it passes the ACL process.
• If the statement denies the packet it drops the packet.
• If there is no match in the list ACL drops the packet by default.

When a router sends a packet on an interface:

• ACL checks for outbound ACL and if outbound ACL is configured on the interface:
• If the packet is generated locally, it permits the packet.
• If the outbound ACL is empty, it permits the packet.
• If the outbound ACL contains statements:
• If the packet matches the criteria of any of the statements and:
• If the statement permits the packet, the packet passes the ACL process.
• If the statement denies the packet, it drops the packet.
• If there is no match in the list, the ACL drops the packet by default.