(MSFC) is responsible for control-plane
operations, and the supervisor Policy Feature Card (PFC) is
responsible for the data-plane operations.
4.3 Deploying CEF-Based Multilayer Switching
4.3.3 Identifying the Multilayer Switch Packet Forwarding Process

CEF separates the control
plane hardware from the data plane hardware and switching.
ASICs separate the control plane and data plane, thereby
achieving higher data throughput. The control plane is
responsible for building the FIB and adjacency tables in
software. The data plane is responsible for forwarding IP
unicast traffic using hardware. When traffic cannot be
processed in hardware, the traffic must receive processing in
software by the Layer 3 engine, thereby not receiving the
benefit of expedited hardware-based forwarding.

A number of different packet types may force the Layer 3 engine to process
them. Some examples of IP exception packets are the following:

- IP packets that use IP header options. (Packets that use TCP header options are switched in hardware because they do not affect the forwarding decision.)
- Packets that have an expiring IP Time to Live (TTL) counter.
- Packets that are forwarded to a tunnel interface.
- Packets that arrive with non-supported encapsulation types.
- Packets that are routed to an interface with non-supported encapsulation types.
- Packets that exceed the maximum transmission unit (MTU) of an output interface and must be fragmented.

CEF-based tables are initially populated and used as follows:

- The FIB is derived from the IP routing table and is arranged for maximum lookup throughput.
- The adjacency table is derived from the ARP table, and it contains Layer 2 rewrite (MAC) information for the next hop.
- CEF IP destination prefixes are stored in the TCAM table, from the most specific to the least specific entry.
- When the CEF TCAM table is full, a wildcard entry redirects frames to the Layer 3 engine.
- When the adjacency table is full, a CEF TCAM table entry points to the Layer 3 engine to redirect the adjacency.
- The FIB lookup is based on the Layer 3 destination address prefix (longest match).

The FIB table is updated when the following occurs:

- An ARP entry for the destination next hop changes, ages out, or is removed.
- The routing table entry for a prefix changes.
- The routing table entry for the next hop changes.

These are the basic steps for initially populating the adjacency table:

Step 1 The Layer 3 engine queries the switch for a physical MAC address.
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine. This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by the switch to initiate Layer 3 packet lookups.
Step 3 The switch installs wildcard CEF entries, which point to drop adjacencies (for handling CEF table lookup misses).
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and associated VLAN). The switch creates the (MAC, VLAN) Layer 2 CAM entry for the Layer 3 engine.
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS.
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected networks. The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies.

Only the
first few packets for a connected destination reach the Layer 3
engine so that the Layer 3 engine can use ARP to locate the
host. A throttling adjacency is installed so that subsequent
packets to that host are dropped in hardware until an ARP
response is received. The throttling adjacency is removed when
an ARP reply is received (and a complete rewrite adjacency is
installed for the host). The switch removes the throttling
adjacency if no ARP reply is seen within 2 seconds to allow
more packets through to reinitiate ARP. This relieves the Layer
3 engine from excessive ARP processing or from ARP-based denial
of service attacks.

Figure provides an example of ARP throttling, which consists of these steps:

Step 1 Host A sends a packet to host B.
Step 2 The switch forwards the packet to the Layer 3 engine based on the “glean” entry in the FIB. A glean adjacency entry indicates that a particular next hop should be directly connected, but there is no MAC header rewrite information available.
Step 3 The Layer 3 engine sends an ARP request for host B and installs the drop adjacency for host B. At this point, subsequent frames destined for host B from host A are dropped (ARP throttling).
Step 4 Host B responds to the ARP request. The Layer 3 engine installs an adjacency for host B and removes the drop adjacency.

The adjacency table is populated as adjacencies are discovered.
Each time an adjacency entry is created (such as through the
ARP protocol) a link-layer header for that adjacent node is
pre-computed and stored in the adjacency table. After a route
is determined, it points to a next hop and corresponding
adjacency entry. The route is subsequently used for
encapsulation during CEF switching of packets. A route might
have several paths to a destination prefix, as when a router is
configured for simultaneous load balancing and redundancy. For
each resolved path, a pointer is added for the adjacency
corresponding to the next-hop interface for that path. This
mechanism is used for load balancing across several paths. In
addition to adjacencies associated with next-hop interfaces
(host-route adjacencies), other types of adjacencies are used
to expedite switching when certain exception conditions exist.

When the prefix is defined, prefixes requiring exception
processing are cached with one of the following special
adjacencies:

- Null adjacency: Packets destined for a null0 interface are dropped. This can be used as an effective form of access filtering.
- Glean adjacency: When a router is connected directly to several hosts, the FIB table on the router maintains a prefix for the subnet rather than for the individual host prefixes. The subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific host, the adjacency database is gleaned for the specific prefix.
- Punt adjacency: Features that require special handling, or features that are not yet supported in conjunction with CEF switching paths, are forwarded to the next switching layer for handling. For example, the packet may require CPU processing. Features that are not supported are forwarded to the next-higher switching level.
- Discard adjacency: Packets are discarded.
- Drop adjacency: Packets are dropped, but the prefix is checked.
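
The glean lookup and ARP throttling described above can be modelled in a few lines to see how the drop adjacency bounds the load on the Layer 3 engine. This is an added example, not Cisco code: the class and function names, the 10.1.20.0/24 subnet, the host address and the MAC are constructed, and the model punts one packet per throttle window where the text says "the first few".

```python
import ipaddress

THROTTLE_SECS = 2.0  # from the text: throttle removed if no ARP reply within 2 seconds

class Switch:
    """Toy model (hypothetical): FIB longest match plus ARP throttling."""
    def __init__(self, connected):
        # Connected subnets are installed in the FIB pointing at a glean adjacency.
        self.fib = {ipaddress.ip_network(n): "glean" for n in connected}
        self.adj = {}     # host IP -> ("rewrite", mac) or ("drop", time installed)
        self.punted = 0   # packets handed to the Layer 3 engine (software path)

    def lookup(self, dst):
        """Longest-prefix match; a miss hits the wildcard entry (drop adjacency)."""
        ip = ipaddress.ip_address(dst)
        hits = [n for n in self.fib if ip in n]
        return self.fib[max(hits, key=lambda n: n.prefixlen)] if hits else "drop"

    def forward(self, dst, now):
        """Data-plane action for one packet to dst at time now (seconds)."""
        kind, val = self.adj.get(dst, (None, None))
        if kind == "rewrite":
            return "hw-forward"            # complete adjacency: MAC rewrite in hardware
        if kind == "drop" and now - val < THROTTLE_SECS:
            return "hw-drop"               # throttled while the ARP request is outstanding
        if self.lookup(dst) != "glean":
            return "hw-drop"               # not a connected subnet in this model
        self.punted += 1                   # glean: Layer 3 engine sends an ARP request
        self.adj[dst] = ("drop", now)      # and installs the throttling adjacency
        return "punt"

    def arp_reply(self, ip, mac):
        """An ARP reply replaces the throttling adjacency with a rewrite adjacency."""
        self.adj[ip] = ("rewrite", mac)

def simulate_burst():
    """Constructed traffic: 1000 packets in 1 s to a silent host, then an ARP reply."""
    sw = Switch(["10.1.20.0/24"])
    actions = [sw.forward("10.1.20.5", now=i / 1000) for i in range(1000)]
    after_timeout = sw.forward("10.1.20.5", now=2.5)  # throttle expired: ARP is retried
    sw.arp_reply("10.1.20.5", "00:00:5e:00:53:0b")
    resolved = sw.forward("10.1.20.5", now=2.6)
    return actions.count("punt"), actions.count("hw-drop"), after_timeout, resolved, sw.punted

if __name__ == "__main__":
    print(simulate_burst())
```

Without the throttling adjacency every one of the 1000 packets would reach the Layer 3 engine; with it, the software path sees one packet per 2-second window until the host answers.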

When a link-layer header is appended to packets, FIB requires the
appended header to point to an adjacency corresponding to the
next hop. If an adjacency was created by FIB and not discovered
through a mechanism such as ARP, the Layer 2 addressing
information is not known, and the adjacency is considered
incomplete. The packet is forwarded to the route processor
where an ARP request would be used to find the Layer 2
information and complete the adjacency.

These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs:

Step 1 Host A sends a packet to host B. The switch recognizes the frame as a Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3 engine MAC.
Step 2 The switch performs a CEF lookup based on the destination IP address (IP-B). The packet hits the CEF entry for the connected (VLAN20) network and is redirected to the Layer 3 engine using a glean adjacency.
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for the host B IP address.
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20.
Step 5 Host B sends an ARP response to the Layer