IP Forwarding: Policy Routing

Normal IP forwarding decisions are made based on the Destination Address in the packet's IP header: wherever the packet is trying to go, the next hop is determined from that Destination Address.  Policy routing allows a router to make next-hop routing decisions based on information other than the destination IP address.

Policy routing is configured on an interface that's expected to receive specific kinds of traffic.  The interface command instructs IOS to process incoming packets with the policy-routing logic BEFORE the normal forwarding logic takes place.


Incoming traffic is matched against a route-map policy referenced on the interface, using the matching criteria in the route-map.  Actions defining specific routing instructions are applied to the matched traffic using the set command.

Use of the default keyword essentially means that policy routing tries normal destination routing first, THEN resorts to the set commands in the route-map only when the router finds no matching route in its routing table for the destination address.  To clarify this: if the only route in the routing table that matches the destination is the default route, the packet is treated as if no route match occurred, and the set statements in the route-map are used to define the next hop as configured.

A single route-map sequence can hold multiple set statements; if there are multiple set statements, they are processed in the following order:

  1. set ip next-hop
  2. set interface
  3. set ip default next-hop
  4. set default interface

Use of the set interface and set default interface commands is strongly recommended only with point-to-point interfaces.  That doesn't mean they won't work on multi-access interfaces, but it is known that they can cause problems on those interface types.
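The default-keyword behaviour and the set-statement processing order described above, as an added simulation (not from these notes or from Cisco IOS); the routing table, route-maps and addresses are constructed, and a configured next hop is assumed to be reachable.

```python
import ipaddress

# Constructed routing table: prefix -> next hop. 0.0.0.0/0 is the default route.
RIB = {"0.0.0.0/0": "10.0.0.1", "192.168.1.0/24": "10.0.1.1"}

# Order in which the set statements of one route-map sequence are processed.
SET_ORDER = ["ip next-hop", "interface", "ip default next-hop", "default interface"]

def rib_lookup(dst):
    """Longest-prefix match; returns (network, next_hop) or None."""
    best = None
    for prefix, nh in RIB.items():
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, nh)
    return best

def policy_route(src, dst, route_map):
    """Return (mechanism, target): 'policy' if a set statement chose the target,
    'routing' if the normal routing table did, 'drop' if nothing matched."""
    matched = ipaddress.ip_address(src) in ipaddress.ip_network(route_map["match_src"])
    route = rib_lookup(dst)
    # With the default keyword, a match on nothing but the default route
    # counts as "no route", as the notes describe.
    specific = route if route is not None and route[0].prefixlen > 0 else None
    if matched:
        for kind in SET_ORDER:
            if kind not in route_map["set"]:
                continue
            if "default" not in kind:
                return ("policy", route_map["set"][kind])   # applied before normal routing
            if specific is None:
                return ("policy", route_map["set"][kind])   # only when routing found no specific match
    if route is not None:
        return ("routing", route[1])
    return ("drop", None)

# Constructed route-map 1: match a source subnet and set only a default next hop.
DEFAULT_ONLY = {"match_src": "172.16.5.0/24", "set": {"ip default next-hop": "10.0.9.1"}}
# Constructed route-map 2: the same match, but a plain set ip next-hop comes first
# in the processing order and wins regardless of the routing table.
OVERRIDE = {"match_src": "172.16.5.0/24",
            "set": {"ip next-hop": "10.0.7.1", "ip default next-hop": "10.0.9.1"}}

if __name__ == "__main__":
    print(policy_route("172.16.5.10", "192.168.1.5", DEFAULT_ONLY))  # ('routing', '10.0.1.1')
    print(policy_route("172.16.5.10", "8.8.8.8", DEFAULT_ONLY))      # ('policy', '10.0.9.1')
    print(policy_route("172.16.5.10", "192.168.1.5", OVERRIDE))      # ('policy', '10.0.7.1')
```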


IP Forwarding: MLS Routed Ports

Routed Ports on Multilayer Switches are switchports that have been turned into Layer 3 ports that you can assign an IP address to and route with.  Using the ‘no switchport’ command on an interface makes that port a Routed Port.

You can apply an IP address to it; however, you cannot create sub-interfaces on that port.  The interface is not placed into any USER DEFINED VLAN (an internal usage VLAN is created for each routed port).  The switch does not keep any Layer 2 information for the interface; the adjacency table lists the outgoing physical interface, which means that Layer 2 switching logic is not required for that port.

Ethernet Port Channels can be configured as routed ports as well.  To do so you must configure the no switchport command on all participating interfaces and then add those ports to the channel group.  The Port Channel that's created inherits the properties of the ports that have been assigned, and an IP address can then be configured on the port-channel interface.  An existing Layer 2 port channel cannot be converted to Layer 3 (or vice versa) without completely removing the port channel first.

Internal Usage VLANs

These VLANs are created on behalf of a routed port.  The normal way switches forward frames is by using VLANs, so when a routed port is configured, that port is bound to an internal VLAN the switch uses to pass traffic onto.  These VLANs are hidden and are not stored in the VLAN database file.  Assignment of internal usage VLANs to routed ports is done at runtime.  Conflicts can come up if an admin tries to create a VLAN ID that is already in use as an internal usage VLAN.  To prevent this, configure the internal usage VLAN allocation policy to assign VLANs in ascending or descending order, opposite to the range in which you have VLANs configured.  For example, if your extended VLANs are all in the low 1000s, change the allocation policy to descending so internal usage VLANs are allocated starting at 4000 and going down, avoiding VLAN overlap.


IP Forwarding: MLS SVIs

Multilayer switching allows for routing using a Switched Virtual Interface (SVI).  This is a logical virtual interface used as the routing gateway for a specific VLAN/subnet.  Since this is a virtual port used for routing, the port itself can go up and down in certain scenarios:

SVI Port can go down if:

  • the SVI is set to ADMIN Down, i.e. the SVI interface has been shut down
  • the corresponding VLAN doesn't actually exist on the device (SVI with no VLAN)
  • up, line protocol down: the VLAN exists, but every port carrying that VLAN is either not in STP forwarding or does not allow the VLAN on its trunk

Likewise the port can be in an up/up state indicating that all is well and the SVI should be capable of forwarding that traffic.

To avoid instances where the interface is up but line protocol is down, one of the following must be true:

  • at least one physical trunk must be up/up and have the SVI's VLAN allowed, not pruned, and in STP forwarding.
  • at least one physical switch port must be up/up and have the VLAN configured as an access or voice VLAN, in the STP forwarding state.


IP Forwarding: CEF

Cisco Express Forwarding is the most efficient method of switching packets to date.  To understand how it works, you must first understand that the most crucial part of routing a packet through a router is determining how to construct the Layer 2 frame header so the packet is properly encapsulated toward its next hop, and then forwarding that frame out the correct interface.

This crucial part is referred to as the Layer 2 frame rewrite.  Something to consider is that the routing table itself can hold thousands of prefix entries, but any specific router will only ever have a handful of neighbors (next hops to any particular destination).  All destinations reached through a specific next hop use the same Layer 2 rewrite information and must be encapsulated with the same header before transmission to that next hop.  CEF makes this Layer 2 rewrite step more efficient by pre-constructing the Layer 2 headers and saving them in memory in an adjacency table.

The adjacency table uses the routing table's next-hop IP addresses, together with the ARP table's Layer 3 to Layer 2 mappings, to create and cache the Layer 2 header for each neighbor (adjacency).

Once this is completed and packets are destined to those neighbors, the router simply uses the pre-constructed next-hop Layer 2 frame header to forward packets to that next hop, without needing to visit the ARP table or the routing table to make a forwarding decision.

Something else to consider is that the routing table itself is not optimized for rapid lookups.  It contains information needed to build the table, such as Administrative Distance, route metrics, age, etc.  Routing table entries may also require recursive lookups: once a destination network entry is matched in the routing table, the next-hop information might contain only the IP address of the next hop but NOT the egress interface.  At that point the next hop's IP address must itself be looked up in the routing table, and these recursive lookups can theoretically go on forever.  Even when the router finds the final routing entry that contains an egress interface, the routing table does not have the information needed to rewrite the Layer 2 header to forward the packet.  That last next-hop address with an interface must have an ARP entry for the egress interface before the router knows how to rewrite the Layer 2 frame header.

CEF improves upon this lookup by storing the destination prefixes in a separate data structure called the Forwarding Information Base (FIB).  The FIB is cached in router memory and contains pointers to the appropriate adjacency entry, which holds the prepared Layer 2 header and egress information toward the next hop.

Once the FIB and adjacency tables are created, the routing table is no longer used to route packets.  On FIB routers the routing table can still be used for packets that require more complex processing; for plain packet forwarding only the FIB and adjacency tables are used.  The routing table becomes the source of routing data used to build the FIB and adjacency table contents, but is no longer used to route packets.  At this point the routing table is referred to as the Routing Information Base (RIB); it is the master copy of routing information from which the FIB and other tables are populated.

Other protocols have their own internal routing tables, also called RIBs, but these are separate from the router's routing table and should not be confused with the RIB of a FIB router.

Multilayer switches and high-end router platforms go further and store the FIB and adjacency table in Ternary Content Addressable Memory (TCAM) to perform even faster lookups.
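The RIB-to-FIB build described in this section, with recursive next-hop resolution and one pre-built rewrite per adjacency, as an added simulation (not from these notes or from Cisco); the RIB, ARP entries, interface names and MAC addresses are constructed.

```python
import ipaddress
# Constructed RIB: prefix -> (next_hop, egress_interface). A None interface
# marks a recursive entry: the next hop itself must be looked up in the RIB.
RIB = {
    "10.0.0.0/8":     ("172.16.0.1", None),      # recursive, two levels deep
    "172.16.0.0/16":  ("192.0.2.1", None),       # recursive, one level deep
    "192.0.2.0/24":   ("192.0.2.1", "Gi0/1"),    # next hop sits on a connected interface
    "203.0.113.0/24": ("198.51.100.9", "Gi0/2"),
}
# Constructed ARP table (L3-to-L2 mapping) and interface MACs for the rewrite.
ARP = {"192.0.2.1": "00:11:22:33:44:01", "198.51.100.9": "00:11:22:33:44:02"}
LOCAL_MAC = {"Gi0/1": "00:aa:bb:cc:dd:01", "Gi0/2": "00:aa:bb:cc:dd:02"}

def lpm(table, dst):
    """Longest-prefix match of dst against the keys of table."""
    best = None
    for prefix in table:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best.prefixlen):
            best = net
    return str(best) if best is not None else None

def resolve(prefix, depth=0):
    """Follow recursive entries to the directly connected (next_hop, interface)."""
    nh, intf = RIB[prefix]
    if intf is not None:
        return nh, intf
    if depth > 8:                      # the notes warn recursion can go on forever
        raise RuntimeError("unresolved recursion for " + prefix)
    parent = lpm(RIB, nh)
    if parent is None or parent == prefix:
        raise RuntimeError("no route to next hop " + nh)
    return resolve(parent, depth + 1)

def build_tables():
    """Populate the FIB (prefix -> adjacency key) and the adjacency table
    (key -> pre-built Ethernet header) from the RIB and ARP tables."""
    fib, adj = {}, {}
    for prefix in RIB:
        key = resolve(prefix)          # (next_hop, interface)
        if key not in adj:             # one rewrite per neighbour, not per prefix
            adj[key] = {"dst_mac": ARP[key[0]], "src_mac": LOCAL_MAC[key[1]], "intf": key[1]}
        fib[prefix] = key
    return fib, adj

def forward(dst, fib, adj):
    """Data-plane path: FIB lookup, then adjacency. RIB and ARP are not touched."""
    prefix = lpm(fib, dst)
    return adj[fib[prefix]] if prefix is not None else None
```

A next hop with no ARP entry raises KeyError here; on a real platform that is a glean adjacency that triggers ARP before the rewrite can be completed.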





IP Forwarding: Fast Switching

Fast switching makes the routing of packets more efficient by caching the next-hop information for a specific destination, so subsequent packets to that destination don't have to go through the lookup process to determine the next hop.

Fast switching accomplishes this by processing the first packet received for an unknown destination with process switching.  Process switching that first packet allows fast switching to save the next-hop information in a cache maintained by the CPU.  Cache entries are timed out quickly to prevent the CPU from being overloaded with cache information for many destinations.  Likewise, the initial process-switched lookup can be CPU intensive if there is an influx of packets destined for addresses not found in the cache.  At the time of its inception, fast switching was an enormous improvement over the process-switching problem.


IP Forwarding: Process Switching

Process switching is the act of a router taking a received frame and processing it through the router's CPU to collect and learn next-hop information, then caching that information for subsequent packets.  This can be extremely CPU intensive if packets are destined to a wide range of IP addresses the CPU has not yet learned about and cached.  Process switching is needed in some instances, such as for fast switching; however, overall it is considered the least desirable method of processing packets given the alternative cached methods available.


IP Forwarding

IP Forwarding or IP routing is the function of a network device receiving an IP packet, making a decision of where to send the packet next, and then forwarding the packet.  Here is the internal forwarding logic used when an IP packet is received:

  1. The router receives a frame and checks the received FCS; if errors are found the frame is discarded.  The router does not try to recover the lost packet.
  2. If no errors are found, the router checks the Type field and extracts the packet from the frame.  The Data Link header and trailer are discarded.
  3. Assuming an IPv4 packet, the header checksum is verified; if the IP header checksum shows a mismatch the packet is discarded.  IPv6 packets skip this step, as IPv6 headers do not contain a checksum.
  4. If the IP header checksum passes, the router checks whether the destination IP address is one of the locally configured addresses on the router.  If the packet's destination matches an IP on the router, the packet has arrived at its destination.  The router analyzes the Protocol field in the IP header, identifies the upper-layer protocol, and hands the packet's data payload over to the relevant upper-layer protocol driver.
  5. If the destination address DOES NOT match an IP configured on the router, the packet must continue to be routed toward its destination.  The router verifies that the TTL is greater than 1; if not, the packet is dropped and an ICMP Time Exceeded message is sent to the packet's sender (source IP).
  6. The router checks its IP routing table for the most specific prefix match of the packet's destination IP address.
  7. A matched entry includes the outgoing interface and next-hop router; this information is used by the router to look up the next-hop router's Layer 2 address in the appropriate mapping table, such as ARP, IP/DLCI, dialer maps, etc.  This lookup is needed to build a new Data Link frame and, optionally, to dial the proper number.
  8. Before creating a new frame, the router updates the IP header TTL or Hop Count field, which for IPv4 requires recomputation of the IPv4 header checksum.
  9. The router encapsulates the IP packet in a new Data Link header and trailer to create a new frame.

This list does not include the logic used for fast switching or CEF switching.
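Steps 3, 4, 5 and 8 of the list above (header checksum verification, local delivery, the TTL check, and TTL decrement with checksum recomputation) as an added example on a raw IPv4 header; this is not code from these notes, and the packets it handles are constructed by the build_ipv4 helper.

```python
import struct

def ipv4_checksum(header):
    """One's-complement sum over the 16-bit words of the header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def process_ipv4(packet, local_addrs):
    """Apply steps 3, 4, 5 and 8 of the forwarding logic to a raw IPv4 packet.

    Returns ('discard', None) on a checksum mismatch, ('local', (proto, payload))
    when the destination is ours, ('time-exceeded', source) when the TTL would
    expire, or ('forward', rewritten_packet) when the packet moves on."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        return ("discard", None)
    header = bytearray(packet[:ihl])
    if ipv4_checksum(bytes(header)) != 0:          # step 3: a valid header sums to zero
        return ("discard", None)
    ttl, proto = header[8], header[9]
    dst = ".".join(str(b) for b in header[16:20])
    if dst in local_addrs:                          # step 4: deliver to the upper protocol
        return ("local", (proto, bytes(packet[ihl:])))
    if ttl <= 1:                                    # step 5: ICMP Time Exceeded to the source
        return ("time-exceeded", ".".join(str(b) for b in header[12:16]))
    header[8] = ttl - 1                             # step 8: decrement TTL ...
    header[10:12] = b"\x00\x00"
    struct.pack_into("!H", header, 10, ipv4_checksum(bytes(header)))  # ... and recompute checksum
    return ("forward", bytes(header) + bytes(packet[ihl:]))

def build_ipv4(src, dst, ttl, proto=17, payload=b""):
    """Build a minimal IPv4 packet with a correct header checksum (constructed test input)."""
    src_b = bytes(int(x) for x in src.split("."))
    dst_b = bytes(int(x) for x in dst.split("."))
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                0, 0, ttl, proto, 0, src_b, dst_b))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + payload
```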