Routers – Layer 3 Forwarding, Routing Tables, and Configuration

1. What Is a Router?

A router is a Layer 3 (Network layer) device in the OSI model whose primary job is to forward IP packets between different networks. Where a switch moves frames within a single LAN using MAC addresses, a router moves packets between different IP networks using IP addresses and a routing table. Every time a packet crosses from one network to another — from your LAN to the internet, from one office to another, from one VLAN to another — it passes through a router.

Office LAN
Internet
192.168.1.0/24
203.0.113.0/24
┌──────────────┐
┌──────────────┐
│ PC           │                  │ Web Se
│ 192.168.1.10 │──→ [Router] ──→  │ 203.0.
└──────────────┘   ↑
└──────────────┘
Strips the Ethernet frame,
reads the IP destination,
consults the routing table,
builds a new Ethernet frame,
forwards out the correct interface

Key functions performed by a router: inter-network packet forwarding using IP addresses; broadcast domain segmentation (broadcasts do not cross router interfaces); path selection using routing protocols and metrics; NAT/PAT for private-to-public address translation; ACL-based traffic filtering; DHCP relay for forwarding DHCP broadcasts across subnets.

Related pages: Switches | Hubs | OSI Layer Functions | MAC vs IP | IP Addressing | show ip route | NAT | Static NAT | Dynamic NAT | OSPF Areas & LSAs | Default Routes

2. Routers vs Switches vs Hubs

Device OSI Layer Addressing Used Forwarding Logic Broadcast Domain Collision Domain
Hub Layer 1 (Physical) None — no addressing awareness Repeats all electrical signals to every port — no intelligence; every device on the hub shares one collision domain All ports in one domain All ports in one domain
Switch Layer 2 (Data Link) MAC addresses — builds a MAC address table (CAM table) by learning source MACs on each port Forwards frames only to the port where the destination MAC was learned; floods unknown MACs to all ports All switch ports in one domain (unless VLANs used) Each port is its own collision domain (full-duplex)
Router Layer 3 (Network) IP addresses — consults routing table keyed by network prefixes Strips incoming Layer 2 frame, reads IP header, longest-prefix-match lookup in routing table, builds new Layer 2 frame for next hop, forwards out correct interface Each router interface is its own broadcast domain — broadcasts do not cross the router Each port its own domain

See: Switches | Hubs | MAC vs IP | Frame Forwarding

3. Router Hardware Components

Component Type Contents / Purpose Persists on Reboot?
CPU Hardware Executes IOS instructions; processes routing protocol updates; handles ACL evaluation, NAT translation, and management plane tasks. High CPU = possible routing issue or attack. N/A
RAM Volatile memory Stores the running configuration (active settings), routing table, ARP cache, packet buffers, and IOS data structures while the router is powered on No — lost on power-off or reload
NVRAM Non-volatile memory Stores the startup configuration — the config that is loaded into RAM when the router boots. Command: copy running-config startup-config saves RAM → NVRAM Yes — survives reboot
Flash Non-volatile storage Stores the Cisco IOS image (the router's operating system). Can hold multiple IOS versions; the boot system variable controls which is loaded Yes — survives reboot
ROM Read-only memory Contains the bootstrap program (POST — power-on self test), the ROM Monitor (ROMmon) for recovery mode, and a minimal IOS image used when Flash fails Yes — factory-programmed, read-only
Interfaces Hardware I/O Physical ports (GigabitEthernet, Serial) and logical interfaces (subinterfaces, loopbacks, SVIs) through which packets enter and exit the router N/A
Cisco router boot sequence:1. POST (ROM) — self-test hardware2. Bootstrap (ROM) — locate and load IOS3. IOS loaded from Flash into RAM4. Startup config loaded from NVRAM into RAM → becomes running config5. Router operationalMemory summary:RAM → running config, routing table, ARP cache (lost on reboot)NVRAM → startup config (survives reboot)Flash → IOS image (survives reboot)ROM → bootstrap, POST, ROMmon (permanent)

4. How a Router Forwards a Packet — Step by Step

Understanding packet forwarding is the most important concept on this page. Every router decision follows the same process every time a packet arrives.

Step 1 — Packet arrives on an interfaceRouter receives an Ethernet frame on GigabitEthernet0/0.Destination MAC = router's own MAC → router accepts the frame.Step 2 — Strip the Layer 2 frameRouter discards the Ethernet header and trailer.Reads the IP header: Dst IP = 10.0.0.5, Src IP = 192.168.1.10.Step 3 — Decrement TTLRouter decrements the TTL field by 1.If TTL reaches 0 → discard packet; send ICMP Time Exceeded to source.Step 4 — Routing table lookup (longest-prefix match)Router searches its routing table for the most specific matchto destination IP 10.0.0.5:10.0.0.0/8 via 192.168.1.2 ← less specific (/8)10.0.0.0/24 via 192.168.1.2 ← more specific (/24) ← WINSMost specific match (longest prefix) is selected.Step 5 — Next-hop ARP resolutionRouter checks ARP cache for next-hop IP (192.168.1.2).If not cached: sends ARP Request → receives ARP Reply → caches MAC.Step 6 — Build a new Layer 2 frameNew Ethernet frame:Src MAC = router's outgoing interface MACDst MAC = next-hop's MAC (from ARP)Payload = original IP packet (with decremented TTL)Step 7 — Forward out the correct interfaceFrame exits on GigabitEthernet0/1 toward next-hop 192.168.1.2.

See: MAC vs IP (hop-by-hop addressing) | ARP | show ip route

5. The Routing Table

The routing table is the router's map of the network — a database of known destinations and how to reach them. Every forwarding decision is made by consulting this table. Use show ip route to view the full table. 

  Router# show ip route

  Codes: C - connected, S - static, R - RIP, O - OSPF,
         D - EIGRP, B - BGP, * - candidate default

  Gateway of last resort is 0.0.0.0/0 to 203.0.113.1

  C    192.168.1.0/24 is directly connected, GigabitEthernet0/0
  C    10.0.0.0/24 is directly connected, GigabitEthernet0/1
  S    172.16.0.0/16 [1/0] via 192.168.1.2
  O    10.10.0.0/24 [110/2] via 10.0.0.2, GigabitEthernet0/1
  S*   0.0.0.0/0 [1/0] via 203.0.113.1

  Column meanings:
  C   = Connected route (directly attached network — automatic)
  S   = Static route (manually configured)
  O   = OSPF-learned route
  [1/0]  = [Administrative Distance / Metric]
         AD=1 means static; AD=110 means OSPF
  via X  = next-hop IP address
  S*  = default route (gateway of last resort — used when no specific match)

Longest-Prefix Match

When multiple routing table entries could match a destination IP address, the router always selects the most specific match — the entry with the longest prefix (most bits in the subnet mask). If no match exists, and a default route (0.0.0.0/0) is present, the packet is forwarded via the default route. If no default route exists, the packet is dropped and an ICMP "Destination Unreachable" is sent back.

Routing table entries:10.0.0.0/8 via 192.168.1.1 ← covers 10.x.x.x10.1.0.0/16 via 192.168.1.2 ← covers 10.1.x.x10.1.1.0/24 via 192.168.1.3 ← covers 10.1.1.x0.0.0.0/0 via 203.0.113.1 ← default — matches anythingPacket destined for 10.1.1.50:Matches 10.0.0.0/8 (/8 = 8-bit match)Matches 10.1.0.0/16 (/16 = 16-bit match)Matches 10.1.1.0/24 (/24 = 24-bit match) ← LONGEST → WINS→ Forwarded via 192.168.1.3Packet destined for 10.5.5.5:Matches 10.0.0.0/8 only → forwarded via 192.168.1.1

Route Sources and Administrative Distance

When multiple routing protocols or methods (e.g., OSPF and a static route) know a route to the same destination, Administrative Distance (AD) determines which source is trusted and installed in the routing table. Lower AD wins. See Administrative Distance.

Route Source Administrative Distance Code in Routing Table
Directly connected 0 C
Static route 1 S
EIGRP (summary) 5 D
BGP (external) 20 B
EIGRP (internal) 90 D
OSPF 110 O
RIP 120 R
Unknown / unreachable 255

See: Administrative Distance | show ip route

6. Types of Routing

Type How Routes Are Learned Best For Cisco IOS Command / Protocol
Directly Connected Automatically added when an interface is configured with an IP address and is up/up Local networks — no configuration needed Automatic; code C in routing table
Static Routing Manually entered by an administrator Small networks, stub networks, specific path control, default routes ip route <network> <mask> <next-hop>
RIP (v2) Distance vector — routers share full routing tables every 30 seconds; metric = hop count (max 15) Very small, simple networks; legacy environments; lab practice only router rip / version 2 / network
OSPF Link-state — routers flood LSAs to build identical LSDB; SPF algorithm calculates best paths; metric = cost (based on bandwidth) Enterprise networks of any size; fast convergence; hierarchical area design router ospf <pid> / network <net> <wildcard> area <n>
EIGRP Hybrid (distance vector + link-state features); uses DUAL algorithm; metric = composite (bandwidth + delay by default); Cisco-proprietary Cisco-only networks; fast convergence; supports unequal-cost load balancing router eigrp <AS> / network <net>
BGP Path vector — exchanges network prefixes between Autonomous Systems; uses TCP port 179; metric = policy-based attributes (AS-PATH, MED, etc.) Internet routing between ISPs and large enterprises; multi-homed internet connections router bgp <AS> / neighbor / network

Static Route Configuration

  ! Route to network 10.0.0.0/24 via next-hop 192.168.1.2:
  Router(config)# ip route 10.0.0.0 255.255.255.0 192.168.1.2

  ! Default route — forward all unmatched traffic to 203.0.113.1:
  Router(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1

  ! Floating static route (backup — higher AD so OSPF wins normally):
  Router(config)# ip route 10.0.0.0 255.255.255.0 192.168.1.3 150
  ! AD=150 means this route is only used if OSPF (AD=110) route disappears

See: Static Routing Configuration | Default Routes | Static Routing Lab

OSPF Configuration

  Router(config)# router ospf 1
  Router(config-router)# router-id 1.1.1.1
  Router(config-router)# network 192.168.1.0 0.0.0.255 area 0
  Router(config-router)# network 10.0.0.0 0.0.0.255 area 0
  Router(config-router)# passive-interface GigabitEthernet0/0
  ! passive-interface stops OSPF hellos on LAN ports (prevents neighbour
  ! adjacency with end hosts, but still advertises the connected network)

See: OSPF Areas & LSAs | OSPF Single-Area Configuration | OSPF Neighbor States | Administrative Distance | OSPF Single-Area Lab

7. Router Interfaces

Interface Type Description Use Case
GigabitEthernet (Gi) Physical LAN port; 1 Gbps; connects to switches or directly to end devices LAN gateway — default gateway for hosts on the connected subnet
FastEthernet (Fa) Physical LAN port; 100 Mbps; found on older Cisco routers (800, 1800, 2600 series) Legacy LAN connections and lab routers
Serial (Se) Physical WAN port; used for point-to-point WAN links (leased lines, Frame Relay, HDLC, PPP); requires a DCE/DTE cable in lab environments WAN connections to ISP or branch offices over leased lines
Subinterface (Gi0/0.10) Logical division of a physical interface; each subinterface carries one VLAN; configured with encapsulation dot1q <vlan-id> Router-on-a-stick — inter-VLAN routing using a single trunk link to a switch
Loopback (Lo) Virtual interface; always up/up as long as the router is running; never physically fails Router ID for OSPF/BGP; management address; testing and diagnostics
Tunnel Virtual interface for GRE or IPsec tunnels; encapsulates one protocol inside another VPN tunnels between sites; GRE over IPsec for encrypted site-to-site connectivity

Router-on-a-Stick (Inter-VLAN Routing)

  Scenario: Route between VLAN 10 (192.168.10.0/24) and VLAN 20 (192.168.20.0/24)
  using a single trunk link from the router to the switch.

  Switch configuration (trunk to router):
  Switch(config)# interface GigabitEthernet0/24
  Switch(config-if)# switchport mode trunk

  Router configuration (subinterfaces):
  Router(config)# interface GigabitEthernet0/0
  Router(config-if)# no ip address          ! physical interface — no IP
  Router(config-if)# no shutdown

  Router(config)# interface GigabitEthernet0/0.10
  Router(config-subif)# encapsulation dot1q 10          ! tag for VLAN 10
  Router(config-subif)# ip address 192.168.10.1 255.255.255.0
  Router(config-subif)# no shutdown

  Router(config)# interface GigabitEthernet0/0.20
  Router(config-subif)# encapsulation dot1q 20          ! tag for VLAN 20
  Router(config-subif)# ip address 192.168.20.1 255.255.255.0
  Router(config-subif)# no shutdown

  ! Hosts in VLAN 10 use 192.168.10.1 as their default gateway.
  ! Hosts in VLAN 20 use 192.168.20.1 as their default gateway.
  ! Traffic between VLANs flows up the trunk, through the router, back down.

See: Router-on-a-Stick Guide | VLANs | Trunking

8. Router Configuration Basics

  ! ── Initial setup ───────────────────────────────────────────────
  Router(config)# hostname R1

  ! Set enable secret (privileged EXEC password — encrypted):
  Router(config)# enable secret Cisco123!

  ! ── Configure LAN interface ─────────────────────────────────────
  Router(config)# interface GigabitEthernet0/0
  Router(config-if)# description LAN — connected to Switch SW1
  Router(config-if)# ip address 192.168.1.1 255.255.255.0
  Router(config-if)# no shutdown
  Router(config-if)# exit

  ! ── Configure WAN interface ─────────────────────────────────────
  Router(config)# interface GigabitEthernet0/1
  Router(config-if)# description WAN — connected to ISP
  Router(config-if)# ip address 203.0.113.2 255.255.255.252
  Router(config-if)# no shutdown
  Router(config-if)# exit

  ! ── Configure loopback (router ID for OSPF/BGP) ─────────────────
  Router(config)# interface Loopback0
  Router(config-if)# ip address 1.1.1.1 255.255.255.255
  Router(config-if)# exit

  ! ── Static default route to ISP ──────────────────────────────────
  Router(config)# ip route 0.0.0.0 0.0.0.0 203.0.113.1

  ! ── Enable SSH for secure remote management ──────────────────────
  Router(config)# ip domain-name netstuts.com
  Router(config)# crypto key generate rsa modulus 2048
  Router(config)# username admin privilege 15 secret AdminPass1!
  Router(config)# line vty 0 4
  Router(config-line)# login local
  Router(config-line)# transport input ssh
  Router(config-line)# exec-timeout 5 0

  ! ── Save configuration ────────────────────────────────────────────
  Router# copy running-config startup-config
  (or: Router# wr)

See: SSH Configuration | SSH & Telnet Security | show running-config | SSH Configuration Lab

9. NAT and PAT on a Router

NAT (Network Address Translation) allows devices with private RFC 1918 IP addresses to access the internet by translating their private source IPs to a public IP at the router. PAT (Port Address Translation), also called NAT Overload, is the most common variant — it allows thousands of inside hosts to share a single public IP using unique source port numbers.

NAT Type Mapping Use Case Key Command
Static NAT One-to-one permanent Public-facing servers that need inbound connections (web server, mail server, VPN endpoint) ip nat inside source static <private> <public>
Dynamic NAT Many-to-many from a pool Multiple users, each needing a dedicated public IP for a session ip nat inside source list <acl> pool <name>
PAT (Overload) Many-to-one (port-based) Home/office internet sharing — thousands of users through a single public IP ip nat inside source list <acl> interface <int> overload

PAT Configuration (Most Common)

  ! Define which inside hosts can use NAT:
  Router(config)# access-list 1 permit 192.168.1.0 0.0.0.255

  ! Bind the ACL to the outside interface with overload (PAT):
  Router(config)# ip nat inside source list 1 interface GigabitEthernet0/1 overload

  ! Mark the inside (LAN) interface:
  Router(config)# interface GigabitEthernet0/0
  Router(config-if)# ip nat inside

  ! Mark the outside (WAN) interface:
  Router(config)# interface GigabitEthernet0/1
  Router(config-if)# ip nat outside

  ! Verify translations:
  Router# show ip nat translations
  Router# show ip nat statistics

See: NAT Overview | Static NAT | Dynamic NAT | PAT (NAT Overload) | Private vs Public IP

10. Router Security

  ! ── Secure the console port ──────────────────────────────────────
  Router(config)# line console 0
  Router(config-line)# password ConPass1!
  Router(config-line)# login
  Router(config-line)# exec-timeout 3 0       ! lock after 3 minutes idle

  ! ── Secure auxiliary port (if present) ──────────────────────────
  Router(config)# line aux 0
  Router(config-line)# no exec
  Router(config-line)# exec-timeout 0 1

  ! ── Encrypt all plain-text passwords in config ───────────────────
  Router(config)# service password-encryption

  ! ── Apply an ACL to VTY lines (allow only management subnet) ────
  Router(config)# ip access-list standard MGMT_ONLY
  Router(config-std-nacl)# permit 192.168.100.0 0.0.0.255
  Router(config)# line vty 0 4
  Router(config-line)# access-class MGMT_ONLY in

  ! ── Apply ACL to block inbound traffic on WAN interface ─────────
  Router(config)# ip access-list extended WAN_INBOUND
  Router(config-ext-nacl)# deny ip 10.0.0.0 0.255.255.255 any log
  Router(config-ext-nacl)# deny ip 172.16.0.0 0.15.255.255 any log
  Router(config-ext-nacl)# deny ip 192.168.0.0 0.0.255.255 any log
  Router(config-ext-nacl)# permit ip any any
  Router(config)# interface GigabitEthernet0/1
  Router(config-if)# ip access-group WAN_INBOUND in
  ! Blocks RFC 1918 addresses arriving from the internet (spoofed)

See: Firewalls | ACL Overview | Applying ACLs | Named ACLs | SSH Configuration | SSH & Telnet Security

11. Advanced Router Features

Feature Description Use Case
Policy-Based Routing (PBR) Routes traffic based on criteria beyond destination IP — source IP, protocol, port, or packet size — overriding the normal routing table decision Send VoIP traffic over a low-latency link; route traffic from specific users through a proxy; send large file transfers via a high-bandwidth WAN link
Route Redistribution Imports routes from one routing protocol into another — e.g., redistributing static routes into OSPF, or importing EIGRP routes into OSPF Connecting networks running different routing protocols during a migration; multi-vendor environments
VRF (Virtual Routing and Forwarding) Creates multiple independent routing tables on a single physical router — each VRF is isolated and can reuse overlapping IP address space ISP multi-tenant environments; separating management traffic from production traffic; overlapping IP spaces in enterprise mergers
MPLS (Multiprotocol Label Switching) Forwards packets based on labels rather than IP lookups — labels are added by ingress routers and swapped at each hop until removed at the egress router; enables traffic engineering and VPN services ISP core networks; enterprise WAN via MPLS provider; Layer 3 VPN services (MPLS L3VPN)
DHCP Server Cisco routers can act as DHCP servers, assigning IP addresses, subnet masks, default gateways, and DNS servers to hosts on connected networks Small branch offices without a dedicated DHCP server; lab environments
DHCP Relay (ip helper-address) Forwards DHCP broadcast requests from one subnet to a DHCP server on a different subnet — DHCP broadcasts cannot cross router interfaces without this Centralised DHCP server serving multiple VLANs or subnets through one or more routers

See: How DHCP Works | DHCP Configuration | DHCP Relay

12. Troubleshooting

Symptom Likely Cause Diagnostic Command
Host cannot reach a remote network Missing route in routing table; interface down; wrong default gateway on host show ip route — check for route to destination; show ip interface brief — verify interfaces are up/up
Interface shows "administratively down" Interface was shut down with the shutdown command show interfaces; fix: no shutdown on the interface
Route exists but traffic is still dropped ACL on the interface blocking the traffic; NAT misconfiguration; return path missing (asymmetric routing) show access-lists; show ip nat translations; trace the return path with traceroute
Routing table missing expected OSPF routes OSPF neighbour not in Full state; area mismatch; network command not matching the interface show ip ospf neighbor — check state; show ip ospf interface — verify area and network type
NAT not translating — inside hosts cannot reach internet ip nat inside / ip nat outside not set; ACL not permitting inside hosts; wrong interface in overload command show ip nat statistics — check for misses; show running-config | include nat — verify all four config elements are present
Cannot SSH into router SSH not configured; no RSA key generated; VTY line not configured for SSH; ACL blocking SSH port 22 show ip ssh; show line vty 0 4; verify crypto key generate rsa was run. See SSH & Telnet Security.

Essential Troubleshooting Commands

  Router# show ip route              ! View full routing table
  Router# show ip route 10.0.0.5     ! Check specific destination
  Router# show ip interface brief    ! Interface status summary (up/down/IP)
  Router# show interfaces Gi0/0      ! Full interface details (errors, drops)
  Router# show running-config        ! View active configuration
  Router# show startup-config        ! View saved configuration (NVRAM)
  Router# show version               ! IOS version, uptime, memory, license
  Router# show ip ospf neighbor      ! OSPF adjacencies
  Router# show ip nat translations   ! Active NAT/PAT entries
  Router# ping 10.0.0.5              ! Test Layer 3 reachability
  Router# traceroute 10.0.0.5        ! Trace path hop-by-hop
  Router# debug ip packet            ! Real-time packet processing (use with care)
  Router# debug ip routing           ! Real-time routing table changes
  Router# undebug all                ! Turn off all debug output

See: ping | traceroute | show ip route | show interfaces | show ip interface brief | show running-config

13. Exam Tips & Key Points

  • Routers operate at Layer 3 and make forwarding decisions based on IP addresses and the routing table. Every router interface is its own broadcast domain — broadcasts do not cross routers.
  • Router memory types: RAM (running config, routing table — lost on reboot); NVRAM (startup config — persists); Flash (IOS image — persists); ROM (bootstrap, POST, ROMmon — factory-programmed).
  • Longest-prefix match — the router always uses the most specific matching route (most bits in the mask). A /24 beats a /16 beats a /8. The default route (0.0.0.0/0) is used only when nothing more specific matches.
  • Administrative Distance (AD) — determines which routing source is trusted when multiple sources know the same route. Connected=0, Static=1, EIGRP=90, OSPF=110, RIP=120. Lower AD wins.
  • Know static route syntax: ip route <network> <mask> <next-hop>. Default route: ip route 0.0.0.0 0.0.0.0 <next-hop>.
  • Router-on-a-stick uses subinterfaces (one per VLAN) on a single trunk link for inter-VLAN routing. Each subinterface needs encapsulation dot1q <vlan-id>.
  • NAT types: Static (1:1 permanent), Dynamic (pool-based), PAT/Overload (many-to-one using ports — most common). Both interfaces need ip nat inside / ip nat outside.
  • Use SSH not Telnet for remote management — SSH encrypts the session; Telnet sends credentials in plain text. See SSH & Telnet Security.
  • Key troubleshooting commands: show ip route, show ip interface brief, show interfaces, show ip nat translations, ping, traceroute.

14. Summary Reference Table

Topic Key Detail
OSI Layer Layer 3 (Network) — uses IP addresses
Primary function Forward packets between different IP networks
Broadcast domain Each interface is its own broadcast domain
Routing table lookup Longest-prefix match — most specific route wins
Default route ip route 0.0.0.0 0.0.0.0 <next-hop>
RAM contents Running config, routing table, ARP cache (volatile)
NVRAM contents Startup config (non-volatile — survives reboot)
Flash contents IOS image (non-volatile)
Administrative DistanceOSPF 110
Administrative Distance — Static 1
Inter-VLAN routing method Router-on-a-stick (subinterfaces + trunk) or Layer 3 switch (SVI)
View routing table show ip route
Secure remote management SSH (transport input ssh on VTY lines). See SSH & Telnet Security.

Router Quiz

A router operates at which OSI layer, and what type of address does it use to make forwarding decisions?

Correct answer is C. Routers are Layer 3 devices. They read the IP destination address in the packet header, look it up in the routing table using longest-prefix match, then strip the incoming Layer 2 frame and build a new one for the next hop. See OSI Layer Functions.

A router's routing table contains: 10.0.0.0/8 via 192.168.1.1; 10.1.0.0/16 via 192.168.1.2; 10.1.1.0/24 via 192.168.1.3; 0.0.0.0/0 via 203.0.113.1. A packet arrives destined for 10.1.1.100. Which route is used?

Correct answer is B. Routers always use the most specific match — the entry with the longest prefix (most 1-bits in the mask). All three specific routes match 10.1.1.100, but /24 is more specific than /16 which is more specific than /8. The default route (0.0.0.0/0) is only used when no more specific entry exists. See show ip route.

Which router memory type contains the startup configuration that is loaded when the router boots?

Correct answer is D. NVRAM (Non-Volatile RAM) retains its contents through a power cycle and stores the startup configuration. At boot, the startup-config is loaded from NVRAM into RAM where it becomes the running-config. RAM is volatile — it loses all data on power-off. Flash stores the IOS image. ROM contains the bootstrap code and ROMmon. Save with copy running-config startup-config or show running-config to verify what's active.

What is the administrative distance (AD) of an OSPF-learned route, and why does this value matter?

Correct answer is A. OSPF has an AD of 110. Administrative Distance is a measure of trustworthiness — lower values are preferred. If the routing table has both an OSPF route and a static route (AD=1) to the same destination, only the static route (lower AD) is installed. OSPF (AD=110), EIGRP (AD=90 internal), RIP (AD=120).

An administrator needs to enable inter-VLAN routing using a single physical router interface connected via a trunk to a switch. What technique is used?

Correct answer is C. Router-on-a-stick allows a single physical interface to route between multiple VLANs. The switch port is configured as a trunk; the router interface is subdivided into logical subinterfaces (e.g., Gi0/0.10, Gi0/0.20), each with encapsulation dot1q <vlan-id> and an IP address that serves as the default gateway for that VLAN.

A network engineer types ip route 0.0.0.0 0.0.0.0 203.0.113.1 on a router. What does this command do?

Correct answer is B. The 0.0.0.0/0 route is the default route — it matches any destination because every IP address matches /0 (zero bits required to match). It is used as the gateway of last resort for packets that don't match any more specific route. It appears in show ip route as S* 0.0.0.0/0 where S=static and *=candidate default.

What is PAT (Port Address Translation) and why is it the most commonly deployed form of NAT in home and office networks?

Correct answer is A. PAT (also called NAT Overload) uses unique source port numbers to track which inside host belongs to each translated session. Because port numbers are 16-bit values (0–65535), a single public IP can theoretically support over 65,000 simultaneous connections. This is why ISPs assign a single public IP to most home broadband connections — PAT handles all the traffic. See NAT Overview.

Which command correctly installs a floating static route that acts as a backup to an OSPF-learned route for the same destination?

Correct answer is D. A floating static route has a manually configured AD higher than the primary routing protocol. Since OSPF has AD=110, setting the static route's AD to 150 means the static route is less preferred — it stays dormant in the config but only enters the routing table if the OSPF route disappears. For example: ip route 10.0.0.0 255.255.255.0 192.168.1.2 150 — this static route is only installed if the OSPF route (AD=110) is no longer available.

Why should SSH be used instead of Telnet for remote router management?

Correct answer is A. Telnet (TCP port 23) transmits all data — including usernames, passwords, and every command typed — in plain text. Anyone capturing traffic on the network path between the admin workstation and the router can read every character of the session with a simple packet capture. SSH (Secure Shell, TCP port 22) uses asymmetric cryptography for key exchange and symmetric encryption (AES, 3DES) for the session data. The entire conversation is encrypted, making credential theft impossible from network captures. SSH also provides server authentication (the router's host key prevents man-in-the-middle attacks) and supports public-key authentication as a more secure alternative to passwords. Configuring SSH requires: ip domain-name, crypto key generate rsa, ip ssh version 2, and transport input ssh on the VTY lines. See SSH & Telnet Security and SSH Configuration Lab.

What is the primary use case for Policy-Based Routing (PBR), and how does it differ from normal destination-based routing?

Correct answer is C. Normal IP routing is purely destination-based — the router looks up the destination IP in the routing table and forwards the packet accordingly, regardless of where it came from or what application it belongs to. Policy-Based Routing (PBR) breaks this model by allowing an administrator to define routing decisions based on additional criteria: source IP address, destination IP, Layer 4 protocol (TCP/UDP), specific ports, or even packet size. For example: route all HTTP/HTTPS traffic from the Finance VLAN through a proxy server, route VoIP traffic (UDP/RTP) through a low-latency WAN link, or send all traffic from a specific source subnet through a different ISP than the default route specifies. PBR is implemented using route-maps applied to interfaces with ip policy route-map <name>.

Related Topics & Step-by-Step Tutorials

Continue your routing studies:

Back to Home