3.2 Router Forwarding Decisions

Understanding how a router decides where to send each packet is essential for the CCNA 200-301 exam. The forwarding process follows a strict, testable order of operations, and exam items frequently hand you a routing table and ask which entry wins.

The Forwarding Decision Process

When a router receives a packet on an ingress interface, it strips the Layer 2 frame, inspects the destination IP, and walks this sequence:

Step 1 — Routing-table lookup. The router compares the destination IP against every route, treating each as a prefix/mask pair.

Step 2 — Longest prefix match. If multiple entries match, the most specific (longest mask) wins. A /28 beats a /24, which beats a /16, which beats the /0 default.

Step 3 — Administrative distance. Only if two matching routes have the same prefix length but come from different sources does AD break the tie. Lower AD wins.

Step 4 — Metric. If AD also ties (same protocol, same prefix), the lower metric wins.

Step 5 — Equal-cost multipath (ECMP). If prefix, AD, and metric are all equal, all such routes are installed and traffic is load-balanced.

Step 6 — Default route. If nothing specific matches but a 0.0.0.0/0 route exists, the packet goes to the gateway of last resort.

Step 7 — Drop. With no match and no default, the router discards the packet and returns ICMP Destination Unreachable (Type 3) to the source.

At every hop the router also decrements the IP TTL by 1. If TTL reaches 0, the packet is dropped and ICMP Time Exceeded (Type 11) is sent back — this is exactly what traceroute exploits to map a path.

Routing vs. Switching: Why Routers Don't Flood

This difference is a favorite trap: a router never floods an unknown unicast — no route means the packet dies.

Cisco Express Forwarding (CEF)

Cisco Express Forwarding (CEF) is the default switching method on modern Cisco routers and Layer 3 switches. The CPU does not examine every packet individually (process switching); instead, forwarding decisions are pre-computed and pushed to hardware for line-rate performance. CEF relies on two tables.

FIB (Forwarding Information Base)

• A mirror of the routing table, reorganized for ultra-fast lookups.
• Holds destination prefix, next-hop, and outgoing interface.
• Rebuilt automatically whenever the routing table (RIB) changes.

Adjacency Table

• Holds the Layer 2 rewrite information: destination MAC, source MAC, and any VLAN tag.
• Pre-resolved by ARP (IPv4) or Neighbor Discovery (IPv6) so the router need not ARP per packet.

CEF forwarding flow: packet arrives → FIB lookup returns the next-hop and egress interface → FIB points to the matching adjacency entry → adjacency supplies the new Layer 2 header → router rewrites the frame, decrements TTL, and forwards. Verify with show ip cef and show adjacency.

Equal-Cost Multipath (ECMP)

When multiple routes to the same destination tie on AD and metric, the router installs all of them and balances traffic across the paths:

Router# show ip route 10.1.1.0
  10.1.1.0/24 [110/20] via 10.0.0.1, GigabitEthernet0/0
                [110/20] via 10.0.0.5, GigabitEthernet0/1

Both entries are OSPF (AD 110) with cost 20, so traffic spreads across both interfaces. By default OSPF installs up to 4 equal-cost paths (configurable up to 32 with maximum-paths). CEF can balance per-destination (default) or per-packet.

Packet Processing Summary

On the Exam: Memorize the hierarchy — longest prefix match → AD → metric → ECMP. Scenario items will list several matching routes and expect you to pick the single installed path, or test that an unrouted packet is dropped (never flooded).

Worked Example: Which Path Wins?

Suppose a router must forward a packet to 172.16.5.10 and the table holds three matching entries: a static route to 172.16.0.0/16, an OSPF route to 172.16.5.0/24, and an EIGRP route to 172.16.5.0/24. First apply longest prefix match: 172.16.5.0/24 is more specific than the /16, so the static /16 is eliminated immediately even though static has the best AD. Now two /24 routes remain, from different protocols, so AD decides: EIGRP (90) beats OSPF (110). The router installs the EIGRP /24. This shows why you cannot shortcut to AD — prefix length is always evaluated first, and a great AD on a less-specific route loses to any longer match.

Process Switching vs. CEF Switching

Before CEF, routers used process switching, where the CPU performed a full route lookup for every packet — slow and CPU-intensive. Fast switching improved on this by caching the first packet's decision for later packets in a flow. CEF replaces both by building the FIB and adjacency table in advance from the routing table, so no packet requires a CPU route lookup. On the CCNA, know that CEF is the default and the most efficient, and that it is what show ip cef displays. If CEF is disabled, forwarding falls back to slower methods and high traffic can spike CPU.

Load-Balancing Behavior

When ECMP installs several equal paths, CEF distributes traffic two ways. Per-destination balancing (the default) sends all packets for a given source/destination pair down the same path, preserving packet order for a flow while still spreading different flows across links. Per-packet balancing alternates links packet by packet, maximizing link use but risking out-of-order delivery. The CCNA expects you to know ECMP exists, that OSPF defaults to four equal paths, and that CEF — not the routing protocol — actually balances the traffic across the installed next hops.