CCIE RS – Written – Network Principles – Identify Cisco Express Forwarding Concepts

Identify Cisco Express Forwarding Concepts

CEF – Cisco Express Forwarding

Overcomes disadvantages of fast switching.

CEF builds its own structure that mirrors the entire routing and MAC table – CEF Table and Adjacency Table

  • Optimized L3 forwarding path through a router or multilayer switch
  • Optimizes routing table lookup
    • Creates special easily searched structure based on IP routing table
  • CEF is only used for unlabeled packets

CEF Table

  • Stripped down version of the routing table
  • show ip cef summary
    • 2 Components build the CEF table
      • FIB and Adjacency table

Distributed CEF (dCEF)

  • FIB that runs on each line card

Order of Operations

  1. Compression and Decompression
  2. Encyption
  3. Inbound Access List 
  4. Unicast Reverse Path Checking
  5. Input rate limiting
  6. Physical broadcast handling (ip helper address)
  7. Decrement TTL
  8. Inspection subsystem (firewall, ZBFW)
  9. Outside to Inside NAT
  10. Handle router alert flags in IP header
  11. Search outbound interface in routing table
  12. Policy routing
  13. WCCP
  14. Inside to Outside NAT
  15. Encryption
  16. Output Access List
  17. Inspection (ZBFW)
  18. TCP Intercept processing

Process Switching

First switching method implemented in IOS. Contains the least amount of performance optimization and consumes large amounts of CPU. 

Platform independant, universal across all Cisco IOS based products. Provides some load sharing capabilities – per packet. Packets are automatically distributed across multiple paths based on the routing metrics. The routing metrics determine which path to take

Disadvantages – Lack of speed. Requires a routing table lookup for every packet. As the routing table grows the time to perform a lookup increases. Longer lookup times increases CPU utilization

Fast Switching

Store frequently used subset of the larger data and set it in local storage for faster access. Fast switching uses caching. IOS uses concept of fast cache – copy of Reachability/Interface/MAC-header learned from process switching packets

Does not support per-packet load sharing. This is due to separation of routing and forwarding due to fast switching (lack of deterministic load-balancing). CEF addresses this issue


  • Lack of overlapping cache entries
  • Any routing or ARP change invalidated large sections of the route cache
  • First packet must be process switched to a destination to build route cache
  • Inefficient load balancing 

RIB – Routing Information Base

Each routing protocol creates its own routing database that get tied together to build the routing table

Routing Table

  • Routing table is built in the Control Plane (along with ARP table)
  • Routing table is passed down to the Data Plane to build the FIB (along with Adjacency Table)
  • FIB + Adj Table = CEF

FIB – Forwarding Information Base

  • Similar to routing table
  • Generated by multiple routing protocols, maintaining only the next hop for a particular route

LFIB – Label Forwarding Information Base

  • Used for labeled packets (MPLS)
  • Prefix to label mapping maintained in the LIB
    • LIB – Label Information Base: A database used by an LSR to store labels learned from other LSRs, as well as labels assigned by the local LSR.
  • LIB + Routing Table build the LFIB

Adjacency Table

  • Contains MAC header information needed to switch the packet
  • Packet header for directly connected next hops
  • Populated with data from the ARP table

Adjacency Entire Types

  • Cache adjacency: This type of entry contains the correct outbound interface and the correct MAC address for its FIB entry. The MAC address is the IP address’s MAC address if the destination’s subnet is directly connected to the router, or is the MAC address of the router that the packet needs to be sent to if the destination’s subnet is not directly connected to the router currently processing the packet.
  • Receive adjacency: This type of entry handles packets whose final destinations include the router itself. This includes packets whose IP addresses are assigned to the router itself, broadcast packets, and multicasts that have set up the router itself as one of the destinations.
  • Null adjacency: Handles packets destined to a NULL interface. Packets with FIB entries pointing to NULL adjacencies will normally be dropped.
  • Punt adjacency: Deals with packets that require special handling or can not be switched by CEF. Such packets are forwarded to the next switching layer (generally fast switching) where they can be forwarded correctly.
  • Glean adjacency: This adjacency is created when the router knows that either the destination IP’s subnet is directly connected to the router itself and it does not know that destination device’s MAC address, or the router knows the IP address of the router to forward a packet to for a destination, but it does not know that router’s MAC address. Packets that trigger this entry will generate an ARP request.
  • Discard adjacency: FIB entries pointing to this type of adjacency will be discarded.
  • Drop adjacency: Packets pointing to this entry are dropped, but the prefix will be checked.

Load Balancing Hash

  • Distribute packets across multiple links based on L3 routing information
  • CEF can use multiple parallel links without additional hardware multiplexers
  • Number of paths is limited by number of entries in routing protocols into the routing table
    • Default is 4 entries on IOS
  • BGP is exception with 1
    • Max of 6 paths
  • 2 Modes of Load Balancing
    • Per-Destination (Default)
  • All packets to a given destination are forwarded on same path
  • Route-cache built for every destination address
  • Software driven table
  • Memory and processor intensive
  • Does not guarantee even load balancing if a bulk of the traffic is destined to a single destination
    • Per-Packet
  • Guarantees full load balancing
  • Packets may arrive out of order
    • Problem for voice/video traffic
    • Causes delay
  • Process determines outgoing interface for each packet using the routing table and least used interface
    • Processor intensive
    • Not suited for higher speed links


Ip route-cache
Explicitly enable CEF on an interface
Ip load-sharing [per-packet | per-destination]
Change load balancing type
Show ip cef

Load Balancing Algorithm

  • Original algorithm -The original Cisco Express Forwarding load-balancing algorithm produces distortions in load sharing across multiple routers because the same algorithm was used on every router. Depending on your network environment, you should select either the universal algorithm (default) or the tunnel algorithm instead.
  • Universal algorithm -The universal load-balancing algorithm allows each router on the network to make a different load sharing decision for each source-destination address pair, which resolves load-sharing imbalances. The router is set to perform universal load sharing by default.
  • Tunnel algorithm -The tunnel algorithm is designed to balance the per-packet load when only a few source and destination pairs are involved.
  • Include-ports algorithm -The include-ports algorithm allows you to use the Layer 4 source and destination ports as part of the load-balancing decision. This method benefits traffic streams running over equal cost paths that are not load shared because the majority of the traffic is between peer addresses that use different port numbers, such as Real-Time Protocol (RTP) streams. The include-ports algorithm is available in Cisco IOS Release 12.4(11)T and later releases.

ECMP – Equal Cost Multi-path

Polarization concept and avoidance


  • An effect when the hash algorithm chooses a particular path and the redundant path remains unused
  • CEF performs load balancing once the RIB is calculated


  • Alternate between default (SIP and DIP) and full (SIP+DIP+L4 Ports) hashing inputs configurations at each layer of the network
    • Hashing Algorithms
      • Default – Use the source and destination IP address, with unequal weights given to each link in order to prevent polarization.
      • Simple – Use the source and destination IP address, with equal weight given to each link.
      • Full – Use the source and destination IP address and Layer 4 port number, with unequal weights.
      • Full Simple – Use the source and destination IP address and Layer 4 port number, with equal weights given to each link.
  • Alternate between even and odd number of ECMP links at each layer of the network
    • The hash algorithm load-balances this way by default:
      • 1: 1
      • 2: 7-8
      • 3: 1-1-1
      • 4: 1-1-1-2
      • 5: 1-1-1-1-1
      • 6: 1-2-2-2-2-2
      • 7: 1-1-1-1-1-1-1
      • 8: 1-1-1-2-2-2-2-2
    • Disable CEF polarization
      • Anti-polarization weight
      • Mls ip cef load-sharing full simple
  • Concept of unique-ID/ universal-ID to avoid cef polarization
    • Default: universal
      • Adds 32 bit router specific value to the hash function
      • Randomly generated by the router during boot process
    • Unique-ID does not work on even number of equal cost paths due to hardware limitations
      • IOS adds one link into hardware adjacency table when even number exisits to make system think there is an odd number
    • Ip cef load-sharing algorithm universal [id]

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.