Section 8-2. Cisco Express Forwarding



  • Cisco Express Forwarding (CEF) handles all packet forwarding in hardware, for every packet in a flow, including the first. Unlike flow-based MLS, no packet has to be routed by the route processor before a hardware forwarding entry exists.

  • CEF is implemented on the Catalyst 2948G-L3, 4908G-L3, 4000 Supervisor III, and 3550 series switches. It is also implemented on the Catalyst 6000 through cooperation between the PFC2 Layer 3 switching engine and the MSFC2 route processor module.

  • A route processor runs routing protocols and populates the following tables:

    - The normal routing table: A table of routes and next-hop destinations as determined by the routing protocols, administrative distances, metrics, and so on.

    - The Forwarding Information Base (FIB): Every known route is represented in the FIB as a hierarchical tree structure. Longest-match routes can then be quickly looked up in hardware, pointing to the next-hop entry in the adjacency table.

    - The adjacency table: Every next-hop router address and Address Resolution Protocol (ARP) reply that is discovered is entered into the adjacency table, giving an efficient Layer 3-to-Layer 2 forwarding lookup.

  • CEF supports high-performance switching of IP, IP multicast, and IPX traffic.

  • CEF can switch packets over up to six equal-cost paths to a common destination.

  • CEF can use Reverse Path Forwarding (RPF) to verify that each packet arrives on an interface that is a valid path back to its source address. This detects packets with forged or spoofed source addresses, which are typical of denial-of-service attacks.

  • IP multicast traffic is switched by CEF except for groups in 224.0.0.*, which are reserved for routing protocols and must be flooded to all ports that are forwarding in a VLAN, and for groups in 225.0.0.* through 239.0.0.* and 224.128.0.* through 239.128.0.*. The latter ranges map to the same Ethernet multicast MAC addresses as 224.0.0.* (only the low 23 bits of the group address are copied into the MAC address), so they are flooded in the same way rather than switched by CEF.

  • When the route processor creates the FIB, the FIB information is downloaded and used by the switching engine hardware. On a Catalyst 6000, the FIB is downloaded from the MSFC2 to the PFC2 module, as well as any distributed forwarding cards (DFCs) that are present.

  • In addition to the CEF tables, a NetFlow forwarding table (identical to that of MLS) is generated independently, solely to provide flow-based accounting information. This information can be exported to external applications. See section "8-3: NetFlow Data Export" for more information.

CEF Configuration

TIP

CEF is automatically enabled on the switch platforms that support it, and cannot be disabled.


1.

(Optional) Use RPF to detect packets with forged or spoofed source addresses:

COS

N/A

IOS

 (interface) ip verify unicast reverse-path [list] 


By default, RPF is globally disabled on the switch. RPF can be enabled on specific VLAN interfaces.

For each packet received on the interface, CEF looks up the packet's source address in the FIB and checks that a valid route back to that source exists and uses the receiving interface as one of its paths. If multiple equal-cost paths exist to the source, any of them is valid.

By default, CEF drops all inbound packets that fail the RPF test on the interface. A standard or extended IP access list (the list argument, given as a number or name) can be supplied to make the drop conditional: packets whose source matches a permit entry are forwarded even though they fail RPF, whereas packets matching a deny entry (or the implicit deny at the end of the list) are dropped.

This is a strict RPF check, so it assumes symmetric routing. Enable it on interfaces where the return path to the source is unambiguous, such as VLAN interfaces facing end hosts; on transit interfaces with asymmetric paths, legitimate traffic fails the check and is dropped.

2.

(Optional; Catalyst 6000 only) Tune CEF load balancing:

COS

 set mls cef load-balance {full | source-destination-ip}

IOS

N/A


Traffic flows are load-balanced across parallel paths according to a hash of the source and destination IP addresses (source-destination-ip, the default) or of the source and destination IP addresses together with the Layer 4 port numbers (full). All packets of a flow therefore follow the same path; CEF does not support per-packet load balancing.

3.

(Optional; Catalyst 6000 only) Control the rate of CEF packets returned to the RP:

COS

N/A

IOS

 (global) mls ip cef rate-limit pps 


Some packets cannot be fully forwarded by CEF and must be returned (punted) to the RP (MSFC2) for processing. These include packets for destinations whose next hop has no ARP entry yet (glean adjacencies, which require the RP to send an ARP request) and packets destined for an RP interface. Although these are normal activities, an attacker can deliberately generate them, for example by sweeping the unused addresses of a directly connected subnet so that every packet triggers an ARP request, and so mount a denial-of-service attack against the RP.

You can limit the rate at which packets are sent to the RP to pps (0 to 1,000,000 packets per second; the default of 0 means no rate limiting). The limit also applies to legitimate punted traffic, so set it high enough for the normal ARP and control traffic on the switch.
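The three optional steps above act on different parts of the forwarding path: the RPF check of step 1 consults the FIB for the packet's source address, the load balancing of step 2 picks one of several equal-cost adjacencies, and the rate limit of step 3 bounds the punt path that glean adjacencies feed. The Python model below is an added example, not code from the Field Manual or from Cisco, that ties the tables and these steps together: a FIB with longest-prefix match pointing at adjacency entries (glean when ARP has not resolved the next hop), the strict RPF check with the access-list exception, and a per-flow hash over equal-cost paths. The topology (hosts on Vlan10, two equal-cost uplinks on Vlan20 and Vlan30), the prefixes, the MAC addresses and the SHA-256 flow hash are all constructed assumptions and not Cisco's actual data structures or hardware hash.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Adjacency:
    """Adjacency-table entry: next-hop address plus its Layer 2 rewrite information.
    mac=None models a 'glean' adjacency (ARP not yet resolved), which is punted to the RP."""
    next_hop: Optional[str]      # None: directly connected, destination is its own next hop
    interface: str
    mac: Optional[str] = None


class Fib:
    """Forwarding Information Base: prefix -> equal-cost adjacencies, longest match wins."""

    def __init__(self):
        self._routes = {}

    def add(self, prefix, *adjacencies):
        self._routes[ipaddress.ip_network(prefix)] = list(adjacencies)

    def lookup(self, address):
        addr = ipaddress.ip_address(address)
        best = None
        for net in self._routes:
            if addr in net and (best is None or net.prefixlen > best.prefixlen):
                best = net
        return list(self._routes[best]) if best is not None else []


def acl_permits(acl, address):
    """Standard-ACL semantics for the optional 'list' argument of step 1:
    first matching (action, prefix) entry wins, implicit deny at the end."""
    addr = ipaddress.ip_address(address)
    for action, prefix in acl:
        if addr in ipaddress.ip_network(prefix):
            return action == "permit"
    return False


def rpf_passes(fib, src, ingress, acl=None):
    """Strict unicast RPF: the FIB's best route back to the source must list the
    receiving interface among its equal-cost paths. A packet that fails is still
    forwarded when the ACL permits its source address."""
    if any(adj.interface == ingress for adj in fib.lookup(src)):
        return True
    return acl is not None and acl_permits(acl, src)


def select_path(paths, src, dst, sport=0, dport=0, mode="source-destination-ip"):
    """Per-flow choice among equal-cost adjacencies (step 2). The hash is a
    constructed SHA-256 over the tuple, not Cisco's hardware hash; 'full' mode
    also keys on the port numbers, so two TCP flows between the same hosts may
    take different paths, while source-destination-ip keeps them together."""
    key = f"{src}|{dst}" + (f"|{sport}|{dport}" if mode == "full" else "")
    digest = hashlib.sha256(key.encode()).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


def forward(fib, src, dst, ingress, rpf_interfaces=(), acl=None,
            sport=0, dport=0, mode="source-destination-ip"):
    """Decide what the switching engine does with one packet."""
    if ingress in rpf_interfaces and not rpf_passes(fib, src, ingress, acl):
        return ("drop", "rpf-fail")
    paths = fib.lookup(dst)
    if not paths:
        return ("drop", "no-route")
    adj = select_path(paths, src, dst, sport, dport, mode)
    if adj.mac is None:
        return ("punt", "glean")   # RP must ARP first; this is the path step 3 rate-limits
    return ("forward", adj.interface, adj.mac)


def build_sample_fib():
    """Constructed topology: hosts on Vlan10, two equal-cost uplinks on Vlan20/Vlan30."""
    fib = Fib()
    fib.add("10.1.1.0/24", Adjacency(None, "Vlan10"))                          # connected, glean
    fib.add("10.1.1.5/32", Adjacency("10.1.1.5", "Vlan10", "0000.0c11.0005"))  # ARP-resolved host
    fib.add("172.16.0.0/16",
            Adjacency("10.1.2.1", "Vlan20", "0000.0c22.0001"),
            Adjacency("10.1.3.1", "Vlan30", "0000.0c33.0001"))
    return fib


if __name__ == "__main__":
    fib = build_sample_fib()
    rpf_on = ("Vlan10",)                       # ip verify unicast reverse-path on the host VLAN
    print(forward(fib, "10.1.1.5", "172.16.5.5", "Vlan10", rpf_on))   # forward via Vlan20 or Vlan30
    print(forward(fib, "172.16.9.9", "10.1.1.5", "Vlan10", rpf_on))   # spoofed source: drop rpf-fail
    print(forward(fib, "172.16.9.9", "10.1.1.5", "Vlan10", rpf_on,
                  acl=[("permit", "172.16.9.0/24")]))                # same packet, ACL exception
    print(forward(fib, "10.1.1.5", "10.1.1.9", "Vlan20"))             # no ARP entry yet: punt glean
    print(forward(fib, "10.1.1.5", "192.0.2.1", "Vlan20"))            # no route: drop
```

Running the block prints the five cases in order. The spoofed-source case is the one worth dwelling on: the same packet arriving on Vlan20, where RPF is not enabled in this model, is forwarded, which is why the check belongs on every host-facing interface rather than on one. The glean case is the punt path of step 3; a sweep of 10.1.1.0/24 from any interface produces one such punt per unused address.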

Displaying Information About CEF

You can use the switch commands in Table 8-3 to display helpful information about CEF. These labels are used to differentiate the commands for different switch platforms:

  • COS: Catalyst operating system, used by the Catalyst 6000 Supervisor.

  • IOS: Cisco IOS Software, used by the Catalyst 6000 MSFC2, Catalyst 2948G-L3, 4908G-L3, 4000 Supervisor III, and 3550.

  • Sup IOS: "Supervisor IOS," Cisco IOS Software for the Catalyst 6000 Supervisor 2.

TIP

Remember that a Catalyst 6000 switch splits the CEF function across the MSFC2 and PFC2. If you display information about CEF on the MSFC2, you will see only the portion that creates the FIB and adjacency tables. Although the MSFC2 can use its own CEF to forward packets that are not Layer 3 switched by the PFC2, it generally only creates, downloads, and updates the FIB and adjacency tables for the PFC2.

To view the CEF information that performs the Layer 3 switching, you must issue commands on the Catalyst Supervisor module where the PFC2 resides.

Naturally, if you have a switch running native IOS code, you will see one set of integrated CEF information that is created on the MSFC2 and used by the PFC2 module.


Table 8-3. Commands to Display CEF Information

Display Function: FIB created by MSFC2 or RP

COS
    N/A
IOS
    (exec) show ip cef [[unresolved [detail]] | [detail | summary]]
    (exec) show ip cef [network [mask]] [longer-prefixes] [detail]
    (exec) show ip cef [vlan number] [detail]
Sup IOS
    show mls cef [prefix] [mask]
    show mls cef [module number | summary]

Display Function: FIB used by PFC2

COS
    show mls cef
    show mls entry cef ip [[ip-addr/]mask-len]
    show mls entry cef ipx [[ipx-addr/]mask-len]
IOS
    N/A
Sup IOS
    show mls cef [module number | summary]
    show mls cef ip [{prefix [mask | module number]} | {module number}]
    show mls cef ipx [{prefix [mask | module number]} | {module number}]

Display Function: Adjacency table

COS
    show mls entry cef adjacency
    show mls entry cef ip [[next-hop-addr/]32] adjacency
    show mls entry cef ipx [[next-hop-addr/]mask-len] adjacency
IOS
    (exec) show adjacency [type number] [detail] [summary]
    (exec) show ip cef adjacency type number ip-prefix [detail]
    (exec) show ip cef adjacency {discard | drop | glean | null | punt} [detail]
Sup IOS
    (exec) show mls cef adjacency [count | mac-address number] [module number]

Display Function: CEF multicast entries

COS
    show mls multicast entry [all] [short | long]
    show mls multicast entry [mod] [vlan vlan-id] [group ip-addr] [source ip-addr] [long | short]
IOS
    (exec) show mls ip multicast group group-address [interface type number | statistics]
Sup IOS
    show mls cef ip multicast [{prefix [mask | module num]}]

Display Function: Active VLAN interfaces used by MSFC2 CEF

COS
    show mls cef interface [vlan]
    show mls cef mac
IOS
    N/A
Sup IOS
    show mls cef mac


When the FIB table contents are displayed, each entry is shown with a "FIB-type" field:

  • receive: The destination is associated with an MSFC interface (mask of length 32).

  • connected: The destination is associated with a connected network.

  • resolved: The destination is associated with a valid next-hop address and adjacency.

  • drop: Drop packets associated with this destination.

  • wildcard: Match-all entry (drop or MSFC redirect), used when no default route is present.

  • default: Default route. (The wildcard entry points to the default route.)

When the adjacency table contents are displayed, each entry is shown with an "AdjType" field:

  • drop, null, loopbk: Drop packets (don't forward).

  • frc drp: Drop adjacency because of ARP throttling.

  • punt: Redirect to the MSFC for further processing.

  • no r/w: Redirect to the MSFC because the packet rewrite information is incomplete.



Source: Cisco Field Manual: Catalyst Switch Configuration (2001, ISBN 1587050439).