Analysis of layer-3 Switching Principle

Source: Internet
Author: User

The principle of layer-3 switching has always been one of the hardest topics for readers to understand. In discussions with readers we often see this question raised, especially the differences and connections between layer-3 switching and routing. In fact, a layer-3 switch is closely related to both layer-2 switching and routing, and relies on the ARP protocol. The following describes the principle of layer-3 switching.

Layer-3 Switching Principle

Layer-2 switches generally use a CAM table held in an ASIC (Application Specific Integrated Circuit) hardware chip, so their forwarding performance is very high. The layer-3 forwarding of a layer-3 switch also relies on the ASIC chip (whereas a router's routing function depends mainly on CPU software). In addition to the CAM table used for layer-2 switching, the chip also holds a separate layer-3 hardware forwarding table dedicated to layer-3 forwarding.

The layer-3 switching principle of a layer-3 switch is complex, and the exact process differs between manufacturers and between network environments. As shown in Figure 7-55, only one layer-3 switch is involved, directly connected to two hosts in different network segments. The main steps are as follows:

(1) Before initiating communication, the source host compares its own IP address with the IP address of the destination host. If it determines that the destination host is in a different network segment from its own, it must send the packet through the gateway, so it first needs to obtain the gateway's MAC address (when it does not already know it) by sending an ARP request frame for the MAC address corresponding to the gateway IP address.

(2) After receiving the ARP request from the source host, the gateway replies with an ARP response packet; the "source MAC address" of the response carries the gateway's MAC address.

(3) After receiving the ARP response from the gateway, the source host encapsulates the data with the gateway's MAC address as the "destination MAC address", its own IP address as the "source IP address", and the destination host's IP address as the "destination IP address". The data intended for the destination host is therefore first sent to the gateway.

Basic Process of layer-3 Switching

(4) After receiving the data sent by the source host to the destination host, the gateway finds that the source and destination IP addresses are not in the same network segment, and hands the datagram to the layer-3 switching engine (the ASIC chip) to check whether a layer-3 forwarding table entry exists for the destination host.

(5) If no entry for the destination host is found in the layer-3 hardware forwarding table, the CPU is asked to look up its software route table. If the route table contains an entry for the destination host's network segment, the MAC address of the destination host must still be obtained, because packets are encapsulated in frames at the link layer. The CPU of the layer-3 switch therefore sends an ARP broadcast request into the destination host's network segment to obtain the destination host's MAC address.

(6) After obtaining the destination host's MAC address, the switch adds the corresponding entry to its ARP table and forwards the packet from the source host to the destination host. The layer-3 engine of the switch then generates a layer-3 hardware forwarding table entry for the destination host based on the route table.

Subsequent packets to the destination host can be switched directly using the entry in the layer-3 hardware forwarding table, without consulting the route table in the CPU again.

The above process applies to mutual access between hosts in different VLANs (network segments); in this case the switch used for interconnection performs layer-3 switched forwarding. This is the principle of "route once, switch many times".

Layer-3 switching example

In layer-3 switching, the basic principle of communication between hosts in different network segments on the same switch is the same as that between hosts in different network segments on different switches, but the specific procedures differ. This section only describes the layer-3 switching principle of the previous section in the simple scenario of "communication between hosts in different network segments on the same switch".

As shown in the figure, the source and destination hosts are connected to the same layer-3 switch but are located in different VLANs (and therefore in different network segments). For the layer-3 switch, both hosts lie in its directly connected network segments, and the routes corresponding to their IP addresses are all directly connected routes. The figure shows the MAC address, IP address and gateway IP address (that is, the IP address of the corresponding VLAN interface) of the two hosts, and the MAC address of the layer-3 switch.

Note: Although VLANs are configured in this example, VLAN tags are not mentioned in the data forwarding process below, because both communicating hosts are connected to the same layer-3 switch on Access ports, so the frames sent and received carry no VLAN tag. In the example described in the next section, VLAN tags are involved in data forwarding.

Example of layer-3 switching between hosts in different CIDR blocks on the same vswitch

When PC A sends a packet to PC B for the first time, the transmission process is as follows (assuming no hardware forwarding table entries have yet been set up on the layer-3 switch):

(1) PC A first checks that the destination IP address 2.1.1.2 (PC B) is not in its own network segment, and therefore caches the packet to be sent. It knows that the packet must be forwarded by the gateway, so it first checks whether it already knows the gateway's MAC address (that is, whether its ARP table contains an entry for the gateway IP address). If so, when the packet to PC B is encapsulated into a frame, the "destination MAC address" field is set to the gateway's MAC address (that is, MAC S of the layer-3 switch; the ports and VLANs of the switch share one or a few MAC addresses).

(2) If PC A does not find the gateway's MAC address in its ARP table, it first sends an ARP broadcast request (which in fact reaches all nodes in the VLAN) to obtain the MAC address for the gateway IP address 1.1.1.1. The "source MAC address" field of the ARP request is PC A's MAC address, MAC A, and the "destination MAC address" field is filled with all zeros because it is unknown; PC A's IP address (1.1.1.2) and the gateway IP address (1.1.1.1) are entered in the "source IP address" and "destination IP address" fields respectively.

After the ARP request is passed down to the Ethernet data link layer it is encapsulated into an Ethernet frame. The "source MAC address" field of the Ethernet frame header is still PC A's MAC address, MAC A, the "destination MAC address" field is the broadcast MAC address FF-FF-FF-FF-FF-FF, and the Frame Type field carries the ARP protocol number 0x0806. For ARP messages and ARP frame formats, see section 7.3.10 of this chapter.

(3) After receiving the ARP request from PC A, the layer-3 switch inspects it and finds that the requested IP address (the "destination IP address") is the IP address of one of its own layer-3 interfaces, so it sends an ARP response back to PC A, filling the MAC address of that layer-3 interface (MAC S) into the "target MAC address" field of the response. At the same time, by analysing the ARP request sent by PC A, it records the mapping between PC A's IP address and MAC address (1.1.1.2 <=> MAC A) in its ARP table, and then sends PC A's IP address (as the "destination IP address"), MAC address (as the "next-hop MAC address") and the number of the switch port PC A is directly connected to into the layer-3 hardware forwarding table in the switch's ASIC chip. The layer-3 hardware forwarding table now has its first entry: the forwarding entry for PC A.

Note: The most important feature of a layer-3 switch is its "layer-3 hardware forwarding table", dedicated to layer-3 forwarding. It is related to the "ARP table" but differs from it. The ARP table only maps IP addresses to MAC addresses and does not include the forwarding egress port or the corresponding VLAN ID; the layer-3 hardware forwarding table includes all of these, forming a mapping between destination IP address, VLAN ID, port and next-hop MAC address. During layer-3 forwarding, the source and destination MAC address fields of the encapsulated frame are rewritten: the "destination MAC address" becomes the "next-hop MAC address" used for forwarding, the original "source MAC address" is replaced by the MAC address of the layer-3 switch, and the source and destination IP addresses remain unchanged (because they are carried in the "data" part of the frame). In addition, the layer-3 forwarding table is stored on the ASIC hardware chip and used directly by the ASIC, whereas the ARP table is stored in memory and used by the CPU software; however, the entries of the layer-3 hardware forwarding table are supplied by the CPU.

(4) After receiving the ARP response from the gateway, PC A sets the "destination MAC address" of the frame that encapsulates the packet for PC B to the gateway MAC address (MAC S), and then sends the packet to the gateway (the layer-3 switch).

(5) After receiving this packet, the layer-3 switch finds that the "destination MAC address" is its own MAC address, and that the "destination IP address" and "source IP address" are not in the same network segment, so it hands the packet directly to the ASIC chip responsible for layer-3 switching. The ASIC looks up the layer-3 hardware forwarding table by the packet's "destination IP address" (2.1.1.2, PC B). Because this is the first communication, the lookup fails, and the packet is passed to the CPU for software routing.

(6) The CPU also searches its software route table by the "destination IP address" and finds a match in a directly connected network segment (the segment of PC B), so it goes on to look up the corresponding MAC address in the ARP table. Because this is the first lookup, it fails as well. (If the corresponding MAC address were found in the ARP table, the data could be forwarded directly according to the software route table.)

(7) This example continues with the case where the MAC address of PC B is not found in the ARP table. The CPU of the layer-3 switch then sends an ARP broadcast request out of all ports in VLAN 3 (the network segment of PC B) to find the MAC address corresponding to the "destination IP address" 2.1.1.2. After frame encapsulation, the "source MAC address" of this packet is the MAC address of the layer-3 switch (MAC S), the "destination MAC address" is all zeros, the "source IP address" is the gateway IP address of VLAN 3 (2.1.1.1), and the "destination IP address" is the IP address of PC B (2.1.1.2).

(8) After receiving the ARP request sent by the CPU of the layer-3 switch, PC B checks it, finds that the requested IP address is its own, and sends an ARP response containing its MAC address (MAC B). At the same time, it records the mapping between the VLAN 3 gateway IP address and the MAC address of the layer-3 switch (2.1.1.1 <=> MAC S) in its own ARP table.

(9) After receiving the ARP response from PC B, the CPU of the layer-3 switch records the mapping between PC B's IP address and MAC address (2.1.1.2 <=> MAC B) in its ARP table, and sends the IP address, MAC address and switch port number to the layer-3 hardware forwarding table. The forwarding table now has two entries, one for PC A and one for PC B.

(10) The CPU of the layer-3 switch forwards the IP packet sent by PC A to PC B based on the obtained MAC address and port information and the software route table. This completes the first one-way communication from PC A to PC B.

The layer-3 engine in the chip has now saved the complete forwarding path information from PC A to PC B. From then on, when PC A and PC B communicate with each other, or when a host in another network segment wants to communicate with PC A or PC B, the ASIC chip of the layer-3 switch forwards the packet directly out of the port specified in the corresponding layer-3 hardware forwarding table entry, without passing the packet to the CPU for routing. This is the so-called "route once (that is, the directly connected network segment is found through the CPU's route table), switch many times" principle, which greatly improves forwarding speed.
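The following Python model is added here and is not code from the original article; it walks through steps (5) to (10) above and the fast path that follows: the first frame from PC A misses the hardware table, is routed by the CPU, triggers ARP for PC B and installs a hardware entry, while a second identical frame is served by the ASIC table alone with only the MAC header rewritten. The VLAN ids (2 for PC A, 3 for PC B), port numbers, the `wire` stand-in for the ARP exchange and all class and function names are assumptions.

```python
import ipaddress

# Added model of the article's layer-3 switch (not the article's own code).
# PC A (1.1.1.2, MAC_A) and PC B (2.1.1.2, MAC_B) hang off one switch in different
# VLANs; the switch owns both gateway addresses and a single MAC, MAC_S.
# VLAN ids, port numbers and the `wire` stand-in for the ARP exchange are assumptions.

class L3Switch:
    def __init__(self, mac, routes, wire):
        self.mac = mac
        self.routes = routes    # software route table (CPU): network -> (vlan, gateway ip)
        self.wire = wire        # constructed "cable": host ip -> (host mac, access port)
        self.arp = {}           # ARP table (CPU): ip -> mac
        self.hw_fib = {}        # layer-3 hardware forwarding table (ASIC):
                                #   dst ip -> (vlan id, egress port, next-hop mac)
        self.cpu_lookups = 0    # how many packets took the slow path through the CPU

    def _cpu_route(self, dst_ip):
        """Slow path: software route lookup, then ARP to learn the next-hop MAC."""
        self.cpu_lookups += 1
        for net, (vlan, _gw) in self.routes.items():
            if ipaddress.ip_address(dst_ip) in ipaddress.ip_network(net):
                break
        else:
            raise LookupError(f"no route to {dst_ip}")
        mac, port = self.wire[dst_ip]               # ARP request into that VLAN, host replies
        self.arp[dst_ip] = mac
        self.hw_fib[dst_ip] = (vlan, port, mac)     # CPU programs the hardware entry
        return self.hw_fib[dst_ip]

    def forward(self, frame):
        """Layer-3 forward one frame addressed to the gateway; return the egress frame."""
        if frame["dst_mac"] != self.mac:
            raise ValueError("destination MAC is not the gateway; would be layer-2 switched")
        dst_ip = frame["dst_ip"]
        vlan, port, nh_mac = self.hw_fib.get(dst_ip) or self._cpu_route(dst_ip)
        # Only the frame header is rewritten; the IP header is carried through unchanged.
        return {"vlan": vlan, "port": port, "src_mac": self.mac, "dst_mac": nh_mac,
                "src_ip": frame["src_ip"], "dst_ip": dst_ip}

def demo():
    sw = L3Switch("MAC_S",
                  {"1.1.1.0/24": (2, "1.1.1.1"), "2.1.1.0/24": (3, "2.1.1.1")},
                  {"1.1.1.2": ("MAC_A", 1), "2.1.1.2": ("MAC_B", 2)})
    pkt = {"src_mac": "MAC_A", "dst_mac": "MAC_S", "src_ip": "1.1.1.2", "dst_ip": "2.1.1.2"}
    first = sw.forward(pkt)    # steps (5)-(10): hardware miss, CPU routes, ARPs, installs entry
    second = sw.forward(pkt)   # "switch many times": served from the ASIC table, CPU untouched
    return sw, first, second
```

After `demo()`, `sw.cpu_lookups` is 1 even though two frames were forwarded, which is the "route once, switch many times" behaviour the article describes.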
