How Layer 3 Switches Work (Reprinted)

A router's Layer 3 forwarding relies mainly on its CPU, whereas a Layer 3 switch performs Layer 3 forwarding in an ASIC; this is what accounts for the large difference in forwarding performance between the two. Layer 3 switches cannot completely replace routers, of course: the rich interface types, fine-grained traffic service-level control and powerful routing capabilities of routers remain weak points of Layer 3 switches. A typical Layer 3 switch divides the Layer 2 network into VLANs, performs Layer 2 switching within each VLAN, and at the same time provides Layer 3 IP connectivity between different VLANs. Before discussing the forwarding principle of Layer 3 switches, it is worth reviewing how hosts on different networks behave when they communicate with each other:

 

(1) Before initiating communication, the source host compares its own IP address with that of the destination host. If both lie in the same network segment (applying the netmask yields the same network number), the source host communicates with the destination directly: it sends an ARP request, obtains the destination's physical (MAC) address from the ARP reply, and then sends its packets with that MAC as the destination MAC. This is the case for hosts in the same VLAN (network segment), and the interconnecting switches perform Layer 2 switching and forwarding;

 

(2) When the source host determines that the destination host is in a different network segment, it hands the packet to the gateway: it sends an ARP request for the MAC address corresponding to the gateway IP, and once the gateway's ARP reply arrives, it sends the packet with the gateway MAC as the destination MAC. Note that the source IP of the packet is still the source host's IP and the destination IP is still the destination host's IP. This is the case for hosts in different VLANs (network segments), and here the interconnecting switches perform Layer 3 switching and forwarding.

 

To make the Layer 3 switching principle discussed later easier to follow, here is a brief introduction to the internal structure of a Layer 3 switch, as shown in Figure 1:

Figure 1 Layer 3 Switch Hardware Structure
The two major parts of a Layer 3 switch are the ASIC and the CPU. Their functions are as follows:
1. ASIC: performs the main Layer 2 and Layer 3 forwarding functions; it holds the MAC address table used for Layer 2 forwarding and the Layer 3 forwarding table used for IP forwarding;
2. CPU: handles forwarding control. It mainly maintains the software entries (software routing table, software ARP table, etc.) and programs the ASIC's hardware Layer 3 forwarding table from the forwarding information in those software entries. The CPU can of course also perform Layer 3 forwarding itself, in software.
From the structure of the Layer 3 switch and the function of each part, it is clear that what really determines high-speed switching and forwarding is the Layer 2 and Layer 3 hardware entries in the ASIC, and that those hardware entries are derived from the software entries maintained by the CPU.
The following describes the forwarding principle of a Layer 3 switch using host-to-host communication in two networking scenarios.
Networking scenario 1 is shown in Figure 2. The source and destination hosts are connected to the same Layer 3 switch but are located in different VLANs (network segments). From the Layer 3 switch's point of view, both hosts are in directly connected network segments, and the routes corresponding to their IP addresses are directly connected routes.

Figure 2 Layer 3 Forwarding Network
Figure 2 shows the MAC addresses, IP addresses and gateways of the two hosts, as well as the MAC address of the Layer 3 switch and the IP addresses of the Layer 3 interfaces configured in the different VLANs. When PC A sends an ICMP request to PC B, the process is as follows (assuming that no hardware forwarding entry has yet been established on the Layer 3 switch):
1. PC A first determines that the destination IP address 2.1.1.2 (PC B) is not in its own network segment, so it sends an ARP request for the MAC address corresponding to the gateway address 1.1.1.1;
2. On receiving the ARP request from PC A, L3_SW examines it and finds that the requested IP is the IP of its own Layer 3 interface, so it sends an ARP reply containing its Layer 3 interface MAC (MAC S). At the same time it records the mapping between PC A's IP and MAC (1.1.1.2 <==> MAC A) in its own ARP table, because the ARP request carries the sender's IP and MAC;
3. After PC A receives the ARP reply from the gateway (L3_SW), it assembles the ICMP request and sends it. The packet has destination MAC = MAC S, source MAC = MAC A, source IP = 1.1.1.2 and destination IP = 2.1.1.2;
4. After L3_SW receives the packet, it first updates its MAC address table from the packet's source MAC + VID (VLAN ID). It then looks up the MAC address table by destination MAC + VID and finds the entry belonging to its own Layer 3 interface MAC. To explain: once a Layer 3 interface IP is configured on a VLAN, the Layer 3 switch adds an entry for the Layer 3 interface MAC + VID to the switching chip's MAC address table and sets the Layer 3 forwarding flag on that entry. When a packet's destination MAC matches such an entry, Layer 3 forwarding is required, so the chip goes on to search its Layer 3 entries;
5. The chip searches the Layer 3 table by the packet's destination IP. No entry has been established yet, so the lookup fails and the packet is sent to the CPU for software processing;
6. The CPU searches its software routing table by destination IP and finds a matching directly connected network segment (the one PC B is in). It therefore searches its software ARP table, but that lookup also fails. L3_SW then sends an ARP request for the MAC address of 2.1.1.2 on all ports of VLAN 3, the VLAN corresponding to the destination segment;
7. On receiving the ARP request from L3_SW, PC B finds that the requested IP is its own, so it sends an ARP reply containing its MAC (MAC B). At the same time it records the mapping between L3_SW's IP and MAC (2.1.1.1 <==> MAC S) in its own ARP table;
8. After receiving PC B's ARP reply, L3_SW records the mapping between PC B's IP and MAC (2.1.1.2 <==> MAC B) in its ARP table and forwards PC A's ICMP request to PC B, rewriting the destination MAC to PC B's MAC (MAC B) and the source MAC to its own MAC (MAC S). At the same time it adds an entry (IP, MAC, egress VLAN, egress port, etc.) to the switching chip's Layer 3 table from the forwarding information just obtained, so that subsequent packets from PC A to PC B can be forwarded in hardware.
9. After receiving the ICMP request forwarded by L3_SW, PC B replies to PC A with an ICMP response. The forwarding of the response is similar to the process above, except that L3_SW has already learned the IP-to-MAC mapping of PC A and has also added the corresponding Layer 3 entry to the switching chip, so this packet is forwarded to PC A directly by the chip hardware.
From then on, the round-trip packets are forwarded directly by the switching chip through the lookup sequence MAC table => Layer 3 forwarding table.
As the above process shows, Layer 3 switching fully exploits the principle of "route once (the CPU forwards the first packet and establishes a Layer 3 hardware forwarding entry), switch many times (the chip hardware forwards subsequent packets)" to unite forwarding performance with Layer 3 switching.
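The networking scenario 1 process in runnable form, as an added example that is not part of the original article: a small model of L3_SW with a MAC table, an ASIC Layer 3 table, a software routing table and a software ARP table. The IPs are the ones from Figure 2; the MAC names, port numbers, VLAN 2 for PC A's segment, and the HOSTS dictionary standing in for the ARP request/reply exchange are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed topology after Figure 2: the IPs are the page's; the MAC names, port numbers
# and VLAN 2 for PC A's segment are assumptions. HOSTS stands in for the ARP exchange.
MAC_S = "MAC S"                                   # the switch's Layer 3 interface MAC
HOSTS = {"1.1.1.2": ("MAC A", 2, 1),              # ip -> (mac, vid, port)
         "2.1.1.2": ("MAC B", 3, 2)}

class L3Switch:
    def __init__(self, interfaces):
        self.mac_table = {}   # (mac, vid) -> port, or "L3" for the switch's own interface MAC
        self.hw_l3 = {}       # ASIC Layer 3 table: dst_ip -> (mac, egress vid, egress port)
        self.routes = []      # software routing table: directly connected (network, vid)
        self.arp = {}         # software ARP table: ip -> (mac, port)
        self.cpu_punts = 0
        for ip, vid in interfaces:
            self.routes.append((ip_network(ip + "/24", strict=False), vid))
            self.mac_table[(MAC_S, vid)] = "L3"   # entry carrying the Layer 3 forwarding flag

    def answer_arp(self, ip, mac, vid, port):
        # Step 2: a host's gateway ARP request teaches the switch that host's IP<->MAC;
        # simplification: the Layer 3 entry used by the return traffic is installed here too
        self.arp[ip] = (mac, port)
        self.hw_l3[ip] = (mac, vid, port)

    def forward(self, pkt, in_port):
        """Return (path, out_pkt); path is 'L2', 'ASIC' or 'CPU'."""
        self.mac_table[(pkt["src_mac"], pkt["vid"])] = in_port      # step 4: source MAC learning
        if self.mac_table.get((pkt["dst_mac"], pkt["vid"])) != "L3":
            return "L2", pkt                                         # ordinary Layer 2 switching
        hit = self.hw_l3.get(pkt["dst_ip"])                          # step 5: hardware lookup
        if hit:
            return "ASIC", self._rewrite(pkt, *hit)
        return "CPU", self._software_forward(pkt)

    def _software_forward(self, pkt):
        self.cpu_punts += 1
        dst = ip_address(pkt["dst_ip"])
        for net, vid in self.routes:                                 # step 6: software route lookup
            if dst in net:
                break
        else:
            return None                                              # no route: drop
        if pkt["dst_ip"] not in self.arp:                            # ARP miss: resolve on egress VLAN
            mac, _, port = HOSTS[pkt["dst_ip"]]
            self.arp[pkt["dst_ip"]] = (mac, port)
        mac, port = self.arp[pkt["dst_ip"]]
        self.hw_l3[pkt["dst_ip"]] = (mac, vid, port)                 # step 8: install ASIC entry
        return self._rewrite(pkt, mac, vid, port)

    @staticmethod
    def _rewrite(pkt, mac, vid, port):
        # One Layer 3 hop: both MACs change, both IPs stay the same
        return dict(pkt, src_mac=MAC_S, dst_mac=mac, vid=vid, out_port=port)

def ping_round_trip():
    """PC A pings PC B twice, then PC B replies; returns the switch and each packet's path."""
    sw = L3Switch([("1.1.1.1", 2), ("2.1.1.1", 3)])
    sw.answer_arp("1.1.1.2", "MAC A", 2, 1)        # PC A resolved its gateway first (steps 1-2)
    req = {"src_mac": "MAC A", "dst_mac": MAC_S, "vid": 2, "src_ip": "1.1.1.2", "dst_ip": "2.1.1.2"}
    rep = {"src_mac": "MAC B", "dst_mac": MAC_S, "vid": 3, "src_ip": "2.1.1.2", "dst_ip": "1.1.1.2"}
    first, second = sw.forward(req, 1), sw.forward(req, 1)
    reply = sw.forward(rep, 2)
    return sw, first, second, reply
```

Only the first request reaches the CPU; the second request and PC B's reply are answered from the ASIC table, and the forwarded packet carries MAC S / MAC B with the IPs untouched.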
 
The Layer 3 forwarding process in another networking scenario is described below, as shown in Figure 3.

Figure 3 Layer 3 Forwarding Networking 2
Figure 3 shows the MAC addresses, IP addresses and gateways of the two hosts, the MAC addresses of the two Layer 3 switches, and the Layer 3 interface IPs configured on the different VLANs. Suppose a static route is configured on L3_SW1: ip route 2.1.1.0 255.255.255.0 3.1.1.2, and a static route is configured on L3_SW2: ip route 1.1.1.0 255.255.255.0 3.1.1.1. Routing information could of course also be learned through a dynamic routing protocol; refer to the relevant documents for routing background.
The forwarding process in this scenario is similar to that of networking scenario 1 in Figure 2, and details already analysed above are omitted. When PC A sends an ICMP request to PC B, the process is as follows (assuming that no hardware forwarding entry has yet been established on either Layer 3 switch):
1. PC A first determines that the destination IP address 2.1.1.2 (PC B) is not in its own network segment, so it obtains the MAC (MAC S1) corresponding to the gateway address 1.1.1.1 through ARP resolution. PC A then assembles the ICMP request and sends it, with destination MAC = MAC S1, source MAC = MAC A, source IP = 1.1.1.2 and destination IP = 2.1.1.2;
2. After L3_SW1 receives the packet, it first updates its MAC address table from the packet's source MAC + VID. It then looks up the MAC address table by destination MAC + VID, finds the entry of its own Layer 3 interface MAC, and therefore goes on to search the chip's Layer 3 forwarding table;
3. Since no entry has been created yet, the Layer 3 forwarding table lookup fails and the packet is sent to the CPU for software processing;
4. The CPU searches its software routing table by destination IP and finds the matching route 2.1.1.0/24 with next hop 3.1.1.2, so it checks whether an ARP entry exists for 3.1.1.2; that lookup also fails. L3_SW1 then sends an ARP request for the next-hop address 3.1.1.2 in VLAN 4 and receives a reply from L3_SW2, thereby learning the IP-to-MAC mapping (3.1.1.2 <==> MAC S2);
5. L3_SW1 forwards PC A's ICMP request to L3_SW2, rewriting the destination MAC to L3_SW2's MAC (MAC S2) and the source MAC to its own MAC (MAC S1). At the same time it adds the forwarding information just used to the switching chip's Layer 3 forwarding table: the matched network segment 2.1.1.0/24, the MAC of the next-hop address (MAC S2), the egress VLAN and the egress port. Subsequent packets to 2.1.1.2 can then be forwarded directly by the switching chip hardware;
6. After L3_SW2 receives the packet, processing resembles networking scenario 1: MAC table lookup => Layer 3 forwarding table lookup => send to CPU => match the directly connected route => ARP resolution => forward the packet while adding the hardware entry. The packet is forwarded to PC B with its destination MAC rewritten to PC B's MAC (MAC B) and its source MAC rewritten to L3_SW2's MAC (MAC S2). Subsequent packets to 2.1.1.2 are then forwarded directly by the switching chip hardware;
7. PC B responds with an ICMP reply after receiving PC A's ICMP request. Because, while the request was being forwarded, the nodes at both ends of every network segment learned each other's IP-to-MAC mapping through ARP resolution, the reply is forwarded entirely by the switching chips (MAC table lookup => Layer 3 forwarding table lookup => send).
From then on, the round-trip packets are forwarded directly by the switching chips through the lookup sequence MAC table => Layer 3 forwarding table.
From the forwarding process in the two networking scenarios above, Layer 3 switch forwarding has the following characteristics:
1. The first packet is forwarded by the CPU, which at the same time establishes the hardware entry in the switching chip; subsequent packets are forwarded directly by the switching chip. This is what is usually called "route once, switch many times";
2. Hardware forwarding in the switching chip does not care about the route's actual next-hop IP address: a hardware Layer 3 entry only contains the destination address (or network segment) and the MAC, egress VLAN and egress port corresponding to the destination IP (or next-hop IP). (Note that not every Layer 3 switch's hardware Layer 3 entries contain an "egress port".)
3. Every time an IP packet is forwarded at Layer 3, its source and destination MACs change, but its source and destination IPs remain unchanged.
 
In Layer 3 switching and forwarding, the switching chip (ASIC) plays the crucial role, so the performance and forwarding characteristics of a Layer 3 switch depend mainly on how the switching chip is implemented. The Layer 3 switching principle explained above is only the general forwarding process; for Layer 3 switches using different switching chips, some details of the hardware forwarding process differ. This section introduces several different implementations of the hardware Layer 3 entry structure and of the table lookup method.
 
As described above, Layer 3 forwarding necessarily requires routing information, and route selection during forwarding determines the packet's final exit. A Layer 3 switch simply integrates this routing function into the switching chip. There are two ways of selecting a route: exact match and longest match. Exact match requires the destination IP address to match the route's address information exactly, whereas longest match selects, among all routes containing the destination address, the one with the longest mask.
On early Layer 3 switches, the switching chips mostly used exact matching, and their hardware Layer 3 entries contained only the destination IP address, without mask information. For example, when forwarding a packet with destination IP 2.1.1.2, if the software lookup matches the non-direct route 2.1.1.0/24, the forwarding information for 2.1.1.2 is added to the switching chip; if a packet with destination IP 2.1.1.3 then arrives and needs forwarding, another software lookup is required and a new entry for 2.1.1.3 is added to the switching chip. This entry structure places high demands on the switching chip's hardware resources, because the storage space for entries integrated in the chip is limited: if packets to a large number of different destination IPs must be sent, a large number of hardware entries must be added. The Blaster worm (known as the "shock wave" virus in Chinese sources) that once flooded networks exhausted the resources of a great many Layer 3 switches of the time that only supported exact matching. One of Blaster's techniques is to send a huge number of network-segment scanning packets, and most Layer 3 switches are configured with a default route, so every packet finds a route in the CPU software: each distinct destination IP of a virus packet requires a new hardware entry, quickly filling the hardware resources. As a result, most users' normal traffic can no longer be processed at high speed, because the forwarding resources are exhausted.
Because of this defect of the exact-match mode, later Layer 3 switches added support for longest-match mode: a hardware Layer 3 entry can contain both an IP address and a mask, and lookups follow the longest-match principle. Such Layer 3 switches generally add routing information to the hardware Layer 3 table as the software routing table is built, including both directly connected and non-direct routes. For a directly connected route, the "to CPU" flag of the corresponding hardware Layer 3 entry is always set to 1, so a packet whose destination IP matches that entry is sent to the CPU for processing; the CPU software sends an ARP request on the directly connected segment and adds the learned ARP information to the hardware table as a host route (with its "to CPU" flag set to 0), so that subsequent packets to the same destination IP are forwarded directly through the newly added hardware entry. For a non-direct route, as long as the ARP information for the next-hop address has not yet been obtained, the "to CPU" flag of the corresponding hardware Layer 3 entry is set to 1, and a packet whose destination IP matches the entry is sent to the CPU. The CPU software sends an ARP request on the directly connected segment of the next-hop address, updates the hardware Layer 3 entry with the next-hop MAC, egress VLAN and other information from the ARP reply, and then sets the "to CPU" flag to 0, so that subsequent packets whose destination IP matches the non-direct route are forwarded directly through the modified hardware entry.
At present, most Layer 3 switches support both exact-match and longest-match entries. Generally speaking, exact-match entries correspond to the software ARP table, and longest-match entries correspond to the directly connected and non-direct routes in the software routing table.
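The exhaustion behaviour described above, as an added example that is not part of the original article: a model of the hardware Layer 3 table in exact-match mode and in longest-match mode (with the "to CPU" flag), driven first by a sweep over many destination IPs and then by a normal flow to 2.1.1.2. The routes, next-hop MAC names, the 256-entry capacity and the 10.0.0.0 sweep range are assumed values.

```python
from ipaddress import ip_address, ip_network

class L3SwitchModel:
    """Constructed model of a Layer 3 switch whose hardware Layer 3 table has a fixed entry budget.
    mode="exact": host entries without masks; mode="longest": prefix entries with masks and a
    "to CPU" flag. Routes, next-hop MACs and the capacity are assumed values."""
    def __init__(self, mode, capacity):
        self.mode, self.capacity = mode, capacity
        self.hw = {}                                       # key -> {"mac": ..., "to_cpu": bool}
        self.routes = [(ip_network("2.1.1.0/24"), "MAC S2"),   # software routing table
                       (ip_network("0.0.0.0/0"), "MAC GW")]    # default route, as most switches have
        self.stats = {"asic": 0, "cpu": 0}
        if mode == "longest":                              # routes go to hardware up front, flagged to CPU
            for net, _ in self.routes:
                self.hw[net] = {"mac": None, "to_cpu": True}

    def _hw_lookup(self, dst):
        if self.mode == "exact":
            return self.hw.get(dst)                        # exact match on the destination IP only
        addr = ip_address(dst)
        hits = [net for net in self.hw if addr in net]
        return self.hw[max(hits, key=lambda n: n.prefixlen)] if hits else None

    def _software_route(self, dst):
        addr = ip_address(dst)
        hits = [(net, mac) for net, mac in self.routes if addr in net]
        return max(hits, key=lambda h: h[0].prefixlen)      # the CPU always does longest match

    def forward(self, dst):
        """Return "asic" or "cpu" depending on which path forwarded the packet."""
        entry = self._hw_lookup(dst)
        if entry and not entry["to_cpu"]:
            self.stats["asic"] += 1
            return "asic"
        self.stats["cpu"] += 1                             # miss, or "to CPU" flag set
        net, mac = self._software_route(dst)               # next-hop ARP assumed resolved here
        if self.mode == "longest":
            self.hw[net] = {"mac": mac, "to_cpu": False}   # update the prefix entry, clear the flag
        elif len(self.hw) < self.capacity:
            self.hw[dst] = {"mac": mac, "to_cpu": False}   # one host entry per destination IP
        return "cpu"                                       # table full: later packets stay on the CPU

def scan_then_user_traffic(mode, capacity=256, scanned=1000, user_packets=100):
    """A sweep over many destination IPs, followed by a normal flow to 2.1.1.2.
    Returns (hardware entries in use, forwarding path counts)."""
    sw = L3SwitchModel(mode, capacity)
    for i in range(scanned):
        sw.forward(str(ip_address("10.0.0.0") + i))        # one packet per distinct destination
    for _ in range(user_packets):
        sw.forward("2.1.1.2")
    return len(sw.hw), sw.stats
```

In exact-match mode the sweep fills all 256 entries and the later user flow never gets a hardware entry, so every one of its packets stays on the CPU; in longest-match mode the whole sweep is absorbed by the single default-route entry after its first packet.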
The Layer 3 forwarding process above mentioned that a hardware Layer 3 entry consists of the destination IP (or network segment), the MAC corresponding to the destination IP (or next-hop IP), the egress VLAN and the egress port. Usually the Layer 3 switching chip can complete forwarding directly from the Layer 3 forwarding entry lookup. This mechanism is simple and forwards efficiently, but it complicates the CPU software's control of the hardware entries, because whenever the MAC or physical port corresponding to an IP address changes, the Layer 3 forwarding entry must be updated. Layer 2 information on a switch changes fairly often, especially when the switch supports redundancy mechanisms such as link aggregation and spanning tree, so in some environments the CPU has to update the Layer 3 forwarding table frequently; if an update goes wrong (an incorrect egress port in particular), forwarding is seriously affected.
However, not all Layer 3 switches' hardware Layer 3 entries carry egress port information; the hardware entries used by some switching chips contain only the destination IP (or network segment) and the MAC and egress VLAN corresponding to the destination IP (or next-hop IP). The forwarding process then changes as follows: after looking up the Layer 3 forwarding table by the packet's destination IP, only the MAC and egress VLAN corresponding to the destination IP (or next-hop IP) are obtained; the chip then looks up the MAC address table by MAC + VID to obtain the egress port, and if that MAC table lookup fails, the packet is flooded on the egress VLAN. Although this mechanism makes the chip's processing more complex, the process is clearer and more reasonable, and the CPU's work is simpler, because a change of physical egress only needs to be reflected in the MAC address table; the hardware Layer 3 entry does not need frequent updates.

Switching chips using either approach have their own advantages, and different manufacturers choose between them based on cost, reliability, product positioning and other factors, which is also why different Layer 3 switches behave differently in the same application environment.
