MLS and CEF Snippet

[ marQes study notes V1 ]

1. Multi Layer Switching – Catalyst switches such as the 3560, 3750 (depending on IOS),
4500 and 6500 can also forward frames based on the Layer 3 and Layer 4 information
contained in the packet. Naturally, Layer 2 switching is still performed at the same time
because the upper layer relies on the Physical Layer, as the encapsulated data is
contained in Ethernet frames. Also, if a frame is destined to be multilayer switched, the
destination MAC address in the Ethernet frame (lookup occurs in CAM) will be that of the
Layer 3 engine, which is typically an MSFC or Route Processor (depending on platform).
2. First Generation of MLS – Is called Fast Switching or Route Caching, in which a Route
Processor (RP) must process the 1st packet to determine the destination (as a typical
router would do). Fast Switching builds an on-demand forwarding table. The 1st packet for
a destination is process switched (the Cisco IOS process copies the packet to the CPU
memory and looks up the destination IP address in the IP routing table). The Switch Engine
(SE) listens to the 1st packet of the flow, learns the resulting destination, and sets up a
shortcut entry in its MLS cache (also known as the IP fast switching route cache). Once there
is an entry in the MLS cache, the SE forwards subsequent packets for the same traffic flow in
hardware. The MLS cache is not permanent: entries that are not switched are deleted,
freeing up memory. When a prefix in the routing table changes, the matching entries in the
MLS cache are also invalidated (deleted), and the 1st packet to the destination of an
invalidated entry needs to be process switched (via the RP). This form of MLS is also known
as “Route once, Switch many”, demand-based or Netflow switching.
• To enable fast switching on an interface use ip route-cache
• To display entries in the route cache use show ip cache verbose
• Entries in the MLS cache are the IP prefix, the age of the entry, next hop IP
address, next hop interface and Layer 2 rewrite address (for frame re-
encapsulation before it is transmitted). For example, if a frame needs to be sent
on via a serial link that uses HDLC, the Layer 2 rewrite address would list
0F00800 (0F00 = HDLC and 800 = IPv4, indicating the encapsulated data). If the
frame needs to be sent out via an Ethernet interface, the Layer 2 rewrite address
consists of a 48 bit destination MAC, a 48 bit source MAC and 16 bits for the
protocol number. This would list 00604700881F00036CC898570800
3. Second Generation of MLS - Is called Topology Based Switching, which builds the fast
switching cache in advance. As such, each IP prefix and next hop IP has an entry in the
CEF switching table, which is also dynamically updated when something in the routing
table changes. CEF has 2 main data structures, namely the Forwarding Information Base
(FIB), and an Adjacency Table. The Adjacency table feeds the FIB with Layer 2
destination information so that forwarding can be done efficiently without the need to ARP
for next hop destination MAC addresses.
4. The CEF Table (FIB Table) – Is part of the Forwarding Plane (also referred to as the Data
Plane) and holds Layer 3 forwarding information such as IP prefix, next hop IP address,
outgoing interface (egress port, or VLAN ID) and next hop Layer 2 MAC addresses, so
that no further table lookups (ARP requests etc.) are necessary. The CEF table,
however, does not include the IP prefix admin distance or metric, as this is not required.
To display the contents of the FIB table use show ip cef | <ip prefix> | detail
5. The Adjacency Table – Holds next hop Layer 2 MAC addresses, outgoing interface
(egress port, or VLAN ID), and Layer 3 next hop address for directly attached hosts, and is
responsible for the frame's Layer 2 rewrite (for Ethernet, it contains the Layer 2 header of the
new destination MAC, source MAC address and Ethertype, which is the Layer 3 payload).
Devices discover each other's MAC addresses either dynamically on a multi-access medium
such as Ethernet, via ARP, or statically via ATM or Frame Relay map statements, or inverse
ARP on ATM or Frame Relay. For serial links using PPP or HDLC, the Layer 2 header is a
complete PPP or HDLC header, including the Layer 3 protocol ID. The Adjacency Table
feeds the FIB with this information. To display the table use show adjacency | vlan
6. Components and Terms – The Layer 3 engine contains the Routing Table (RIB) and ARP
Table (Cache), whereas the Layer 3 forwarding engine contains the CEF (FIB) and
Adjacency Table, and a separate Rewrite Engine, which is responsible for packet rewrite.
7. Update Overview - IP routing protocols create the Routing Table (RIB), which populates
the CEF Table (FIB). In the CEF table, prefixes with the longest match are listed first. The
ARP cache is built dynamically, or statically, and populates the Adjacency Table.
8. Frame Forwarding – When a frame arrives at a switch port, it is placed into one of the
port's ingress queues, which can (as defined by QOS) have different priority levels. As the
frame is serviced and pulled off the ingress queue, the switch must decide where to
forward the frame (which egress port, CAM lookup), whether it should forward the frame
(ACL, TCAM lookup) and how (QOS, TCAM lookup). The destination MAC address is
used as an index to the CAM table. If the frame contains a Layer 3 packet to be
forwarded, the destination MAC address is that of the Layer 3 port on the switch.
9. Packet Forwarding – In a MLS, a packet arrives at the ingress queue and is inspected for
both Layer 2 and Layer 3 destination addresses. In MLS, the decision where to forward
the frame is based on 2 address tables (CAM and FIB), whereas the decision how to
forward the packet is still based on the ACL, and when (at what level) by QOS. As with
Layer 3, the FIB is consulted, using the destination IP address as an index. These table
lookups (CAM, FIB, TCAM) are carried out simultaneously.
10. Packet Rewrite – Is carried out by a separate process and needs to be done before the
packet leaves the router. The packet header must be rewritten before it is forwarded by a
Router or Multilayer Switch. The content (payload) of the packet is untouched:
10.1 The Layer 3 IP address (typically a prefix) identifies the next hop IP address and
finds its Layer 2 destination address. The frame's new destination Layer 2
address is changed to the next hop device's MAC address.
10.2 The Layer 2 source address is changed to that of the outbound Layer 3 router/switch
interface. In the case of a multilayer switch, the source MAC will be the Supervisor.
10.3 The Layer 3 IP TTL will be decremented by 1.
10.4 The Layer 3 IP checksum will be recalculated to include the changes to the IP header.
10.5 The Layer 2 FCS is recalculated to include the changes to the Layer 2 & 3 headers.
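The five rewrite steps above applied to one Ethernet/IPv4 frame, using the Ethernet rewrite string quoted in point 2. This is an added example, not part of the original notes: the sample frame, its addresses and the function names are constructed for illustration, and treating a TTL of 1 or less as expired is an assumption.

```python
import struct
import zlib

REWRITE = "00604700881F00036CC898570800"   # Ethernet rewrite string from point 2

def ip_checksum(header: bytes) -> int:
    """One's-complement sum of the 16-bit words of an IPv4 header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_rewrite(hex_string: str) -> dict:
    """Split the rewrite string: 48-bit dst MAC, 48-bit src MAC, 16-bit protocol."""
    raw = bytes.fromhex(hex_string)
    if len(raw) != 14:
        raise ValueError("an Ethernet rewrite is 14 bytes")
    return {"dst": raw[:6], "src": raw[6:12], "ethertype": raw[12:]}

def rewrite_frame(frame: bytes, rewrite_hex: str) -> bytes:
    """Apply steps 10.1 to 10.5 to an Ethernet/IPv4 frame that ends with its FCS."""
    rw = parse_rewrite(rewrite_hex)
    ihl = (frame[14] & 0x0F) * 4                   # IPv4 header length in bytes
    ip = bytearray(frame[14:14 + ihl])
    payload = frame[14 + ihl:-4]                   # untouched by the rewrite
    if ip[8] <= 1:                                 # assumption: TTL <= 1 counts as expired
        raise ValueError("TTL expired, punt to the CPU")
    ip[8] -= 1                                     # 10.3 decrement TTL
    ip[10:12] = b"\x00\x00"                        # zero the field before summing
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))      # 10.4 new checksum
    body = rw["dst"] + rw["src"] + rw["ethertype"] + bytes(ip) + payload  # 10.1, 10.2
    return body + struct.pack("<I", zlib.crc32(body))          # 10.5 new FCS

def sample_frame() -> bytes:
    """Constructed input: 8 zero payload bytes, TTL 64, sent to a made-up L3 engine MAC."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 1, 0, 64, 17, 0,
                               bytes([10, 1, 1, 10]), bytes([10, 10, 10, 10])))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    body = bytes.fromhex("02000000000a0200000000010800") + bytes(ip) + bytes(8)
    return body + struct.pack("<I", zlib.crc32(body))
```

A header whose checksum field is correct sums to zero, which is how the rewritten header can be checked without knowing the expected checksum value.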
11. MLS exceptions – Not all packets can be MLS switched; those that cannot are sent (punted)
to the CPU for process switching. In CEF, this is referred to as a CEF Punt. The exceptions are:
• ARP request and replies
• ICMP redirect
• IP TTL has expired
• If prefix is not found in FIB
• If FIB table is full
• Routing Protocol updates
• CDP packets
• Packets that need encryption or compression, or that are tunnelled
• Packets triggered by NAT, which means that a NAT operation on a packet is
required (translated to inside or outside.) The Cat 6500 Sup 720 can handle NAT
in hardware though.

12. CEF Glean state – When the Adjacency table does not have a valid MAC address, it must
request the Layer 3 engine to generate an ARP request.
13. Verify CEF - To display the FIB use show ip cef <prefix> <detail>
14. FIB code receive - In the FIB, even a single active interface (i.e. SVI, VLAN20)
can produce many entries. For example, an interface with 10.254.254.1 subnet
mask 255.255.255.0 will list 10.254.254.1/32 receive and 10.254.254.255/32 receive,
plus a few other entries that relate to this IP address and subnet. “Receive” marks that
packets destined for this IP address (10.254.254.1) and broadcast address (10.254.254.255)
must be dealt with internally and sent to the Layer 3 engine for processing. In addition, the FIB
will also reserve the default route and list a separate entry 0.0.0.0/32 receive.
15. FIB code attached – Continuing from point 14, the subnet in the FIB will be listed as
10.254.254.0/24 attached, because it is connected directly to the SVI, VLAN 20.
16. CEF load balancing – Default is per destination load sharing and is based on hashing the
source and destination IP address of the IPv4 or IPv6 header, or on the value of the
bottom label if the MPLS payload is not an IPv4 or IPv6 packet. The load sharing type
can be changed at interface level and can be viewed with show cef interface <mod/num>
17. CEF recursive lookup – The CEF table recursively resolves the next hop address of an IP
destination. For example, a BGP prefix 10.10.10.10/32 with a next hop 10.33.1.1 in the
routing table recurses to IGP prefix 10.33.1.1. In the routing table a further lookup would
be necessary to find the next hop of 10.33.1.1. CEF, however, already lists the recursive
next hop of 10.22.2.2. Therefore, the BGP prefix 10.10.10.10/32 inherits the next hop
10.22.2.2 from the IGP prefix 10.33.1.1.
• This recursion is not done in the routing table.
• show ip bgp 10.10.10.10 would list 10.33.1.1 - (next hop via IGP)
• show ip cef 10.33.1.1 would list 10.22.2.2 - (next recursive lookup)
• Whereas show ip cef 10.10.10.10 would list 10.22.2.2 - (final next hop)
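A small model of how a FIB can be built from the RIB with the recursion of point 17 resolved in advance, and with the receive and attached codes of points 14 and 15. This is an added example, not part of the original notes and not Cisco's implementation: the Gi0/1 interface, its 10.22.2.0/24 subnet and address, the "route" code and the function names are assumptions.

```python
import ipaddress

# Constructed RIB rows (prefix, next hop, interface); the Gi0/1 subnet is an assumption.
RIB = [
    ("10.10.10.10/32", "10.33.1.1", None),    # BGP route, next hop not connected
    ("10.33.1.1/32", "10.22.2.2", None),      # IGP route
    ("10.22.2.0/24", None, "Gi0/1"),          # connected (assumed)
    ("10.254.254.0/24", None, "Vlan20"),      # connected SVI from point 14
]
LOCAL_ADDRESSES = ["10.254.254.1", "10.22.2.1"]   # second address is assumed

def lpm(table, addr):
    """Longest-prefix match: the most specific row whose prefix contains addr."""
    hits = [row for row in table if addr in row[0]]
    return max(hits, key=lambda row: row[0].prefixlen, default=None)

def build_fib(rib, local_addresses):
    """Pre-resolve every route to (prefix, code, final next hop, interface)."""
    rib = [(ipaddress.ip_network(p), ipaddress.ip_address(n) if n else None, i)
           for p, n, i in rib]
    fib = []
    for prefix, nh, intf in rib:
        if nh is None:                                    # directly connected subnet
            fib.append((prefix, "attached", None, intf))
            fib.append((ipaddress.ip_network(f"{prefix.broadcast_address}/32"),
                        "receive", None, intf))
            continue
        for _ in range(8):                                # bounded recursion depth
            match = lpm(rib, nh)
            if match is None:                             # unresolvable: not installed
                break
            _, via, intf = match
            if via is None:                               # reached a connected subnet
                fib.append((prefix, "route", nh, intf))
                break
            nh = via                                      # inherit the next hop
    for addr in local_addresses:                          # the switch's own addresses
        fib.append((ipaddress.ip_network(f"{addr}/32"), "receive", None, None))
    return fib

def lookup(fib, dst):
    """Forwarding decision for one destination: forward in hardware or punt."""
    entry = lpm(fib, ipaddress.ip_address(dst))
    if entry is None:
        return ("punt", "no FIB entry")
    prefix, code, nh, intf = entry
    if code == "receive":
        return ("punt", "receive")
    return ("forward", str(nh or dst), intf)              # attached: next hop is dst
```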
18. Enable CEF - ip route-cache cef at interface or ip cef at interface or global level
19. Disable CEF – no ip route-cache cef at interface or no ip cef at interface or global level
20. CEF enabled on Platforms – Is enabled on fixed configuration switches, 3750, 3560,
3550, 2950, and Catalyst Switches such as Cat 6500 (Sup 720 MSFC3, Sup 2 + MSFC2)
and Cat 4500 (Sup 3,4,5 and 6E).
21. Distributed CEF (dCEF) – To enhance performance, CEF can be distributed completely
among multiple Layer 3 Forwarding Engines. Because the FIB is self contained for
complete Layer 3 forwarding, it can be replicated across any number of independent
Layer 3 Forwarding Engines. Some platforms (7200 Router) can only use the central CPU
to forward traffic, by the CPU in interrupt mode (Process Switched). Other platforms,
however (6500, 7500, GSR 12000), have distributed intelligence and distributed CPUs,
which enables them to forward the traffic without interrupting the CPU. The CEF and
Adjacency tables are dynamically distributed (downloaded) to the CPUs present on Line
Cards (Cat 6500, GSR 12000) or on Versatile Interface Processors (7500 Routers). The
central CPU (MSFC3 on 6500 Sup 720) maintains the routing table and generates the
CEF (FIB) table, which is then dynamically downloaded in full to each of the line cards.
22. CEF aid for MPLS – CEF is the only switching method that is able to label incoming IP
packets. In MPLS, labelled IP packets that enter the Ingress PE router are switched
according to the LFIB. IP packets that enter the Ingress PE router are switched according
to the CEF (FIB) table. Regardless of whether the IP packet is switched according to the
LFIB or the CEF (FIB) table, the outgoing IP packet can be either a labelled packet or an
IP packet. For example, at the Ingress PE, the IP packet can be forwarded IP to IP, or as
IP to Label, in which CEF assigns a label or a label stack (in the case of MPLS VPN) to an IP
prefix if the LFIB has a valid (outgoing) label for it.