Layer-3 Ethernet switch IP FDB table and forwarding process
Hardware forwarding process:
The two main tables are the L2 MAC address table and the L3 IP FDB (forwarding database) table. Both hold forwarding information. When the forwarding information is complete, every packet is forwarded by hardware without any software intervention. The two tables are independent of each other: as soon as a packet enters the switch, the hardware decides whether it needs layer-2 or layer-3 forwarding and consults only the corresponding table.
For example, display mac-address:
MAC addr          VLAN ID   State     Port index      Aging time (s)
2017.21cf.73f4    1         Learned   Ethernet0/19    266
0002.557c.5a79    1         Learned   Ethernet0/12    225
0004.7673.0b38    1         Learned   Ethernet0/9     262
0005.5d04.9648    1         Learned   Ethernet0/16    232
0005.5df5.9f64    1         Learned   Ethernet0/16    300
The MAC address table uses IVL (independent VLAN learning) with exact matching: the lookup key is the MAC address together with the VLAN ID, and the entry yields the port index and the aging time.
For example, show ipfdb all:
Status: 0 = System, 1 = Learned, 2 = UsrCfg Age, 3 = UsrCfg noAge, other = Error
IP address      RtIf   VTag   VTValid   Port                 MAC                 Status
10.11.83.77     22            Invalid   GigabitEthernet2/1   00-e0-fc-00-55-18   1
10.11.198.28    22            Invalid   GigabitEthernet2/1   00-e0-fc-00-55-18   1
10.63.32.2      22            Invalid   GigabitEthernet2/1   00-e0-fc-00-55-18   1
10.72.20.100    22            Invalid   GigabitEthernet2/1   00-e0-fc-00-55-18   2
10.75.35.103    22            Invalid   GigabitEthernet2/1   00-e0-fc-00-55-18   2
10.75.35.20     22            Invalid   GigabitEthernet2/1   00-e0-fc-00-55-18   2
Route interface index (RtIf): identifies the route interface to which the forwarding entry belongs. The S3526 series supports 32 route interfaces.
VLAN tag (VTag): the VLAN corresponding to the route interface.
VLAN tag valid bit (VTValid): indicates whether a VLAN tag must be inserted into the forwarded packet.
Port index (Port): the outbound port of the forwarding entry.
Next hop MAC (Mac): a layer-3 switch re-encapsulates the MAC header at every hop; the ASIC builds the new header from the value in this field.
Two important concepts:
Resolved and unresolved. Each time a packet is received, the ASIC extracts its source and destination addresses and looks them up in the MAC table or the IP FDB table. An address that is found in the forwarding table is resolved; an address that is not found is unresolved.
Since the lookup is done for both the source and the destination, combinations such as "source resolved, destination unresolved" are possible. For an L2 packet with an unresolved destination the hardware simply floods the packet within the VLAN, with no software involvement. For an L3 packet with an unresolved address the hardware does not forward at all: it raises a CPU interrupt and the software takes over.
The hardware process can be summed up in one sentence:
After receiving a packet, determine whether it requires layer-2 or layer-3 forwarding, then determine whether its source and destination addresses are resolved. If they are, the hardware completes the forwarding; if not, the CPU is interrupted and the software learns the unresolved address.
Driver code:
The core of the driver is the address resolution task. It learns the unresolved addresses reported by the hardware so that the hardware can forward all subsequent packets without software intervention. Address management task: to make software management and maintenance easier, the software keeps a copy of the address table that mirrors the hardware forwarding table. FIB (forwarding information base) table: its contents are derived from the routing information in the IP route table. The FIB is kept in the driver so that the address resolution task can look up IP addresses conveniently.
Example of a layer-3 Ethernet switch:
Display fib:
Destination/Mask    Nexthop         Flag   Interface
0.0.0.0/0           10.110.20.9     I      VLAN-Interface2
10.110.48.0/21      10.110.48.1     D      VLAN-Interface1
10.110.48.1/32      127.0.0.1       D      InLoopBack0
10.110.20.8/30      10.110.20.10    D      VLAN-Interface2
10.110.20.10/32     127.0.0.1       D      InLoopBack0
127.0.0.0/8         127.0.0.1       D      InLoopBack0
Layer-3 Ethernet switch forwarding involves two key threads, an address learning thread and a packet forwarding thread, which mirror the layer-2 threads. The packet forwarding thread forwards packets based on the ipfdb table generated by the address learning thread. If the ipfdb table holds enough information, the whole forwarding process is completed by hardware; if it does not, the address learning thread must learn the missing entry, and the packet that the hardware cannot forward is handed to the software protocol stack, which forwards it.
The address learning thread is mainly responsible for generating the hardware forwarding table, the ipfdb table. The ipfdb table is similar in function to the layer-2 MAC address table, but the meaning and role of the individual fields are different.
This raises a question: in a router or any other software forwarding engine, every received packet is looked up in the route table to find the next hop, and then in the ARP table to find the next hop MAC. In a layer-3 Ethernet switch such as the S3526, neither the route table nor the ARP table is consulted during packet forwarding. Do the two tables therefore serve no purpose?
No. In the S3526 forwarding process the sequence is roughly as follows. The hardware cannot forward the first packet to a destination, so IP address learning is required; to avoid packet loss, that first packet is forwarded by software at the same time. Once learning is complete, the second, third and all subsequent packets are forwarded by hardware. The process can be summarised as "route once, switch many times": the single routing step uses the route table and the ARP table to learn the IP address and forward the first packet, and the many subsequent switching steps need nothing more than the ipfdb table.
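The "route once, switch many times" behaviour described above, as an added example that is not part of the original article or of any vendor driver: a small Python model of the two forwarding paths. The FIB entries are copied from the display fib output above; the ARP table, the route interface indices, the host addresses and the traffic are constructed for the example, and the ARP-miss case is simply counted as a drop rather than modelling a retry. The counters separate hardware forwards from software forwards and CPU punts, which is what a practitioner watches, since every unresolved destination costs a pass through software.

```python
# Added example: model of hardware (ipfdb) versus software (FIB + ARP) forwarding
# in a layer-3 switch. Not vendor code; tables and traffic are constructed.
import ipaddress
from dataclasses import dataclass, field

# Status codes from the show ipfdb legend: 0 System, 1 Learned, 2 UsrCfg Age, 3 UsrCfg noAge
STATUS_LEARNED = 1

# Route interface indices are assumed for the example (the article only says the
# S3526 supports 32 of them).
RT_IF = {"VLAN-Interface1": 1, "VLAN-Interface2": 2}

# FIB copied from the display fib output: prefix -> (next hop, interface).
FIB = {
    "0.0.0.0/0": ("10.110.20.9", "VLAN-Interface2"),
    "10.110.48.0/21": ("10.110.48.1", "VLAN-Interface1"),
    "10.110.48.1/32": ("127.0.0.1", "InLoopBack0"),
    "10.110.20.8/30": ("10.110.20.10", "VLAN-Interface2"),
    "10.110.20.10/32": ("127.0.0.1", "InLoopBack0"),
    "127.0.0.0/8": ("127.0.0.1", "InLoopBack0"),
}

# ARP table constructed for the example: IP -> (MAC, port).
ARP = {
    "10.110.48.20": ("0002.557c.5a79", "Ethernet0/12"),
    "10.110.20.9": ("00e0.fc00.5518", "GigabitEthernet2/1"),
}


@dataclass
class FdbEntry:
    """One ipfdb entry: what the ASIC needs to re-encapsulate and send the packet."""
    rt_if: int
    port: str
    mac: str
    status: int = STATUS_LEARNED


@dataclass
class L3Switch:
    fib: dict
    arp: dict
    ipfdb: dict = field(default_factory=dict)  # hardware forwarding table
    hw_forwards: int = 0
    sw_forwards: int = 0
    cpu_punts: int = 0
    local_delivered: int = 0
    drops: int = 0

    def _local_addresses(self):
        # /32 routes to InLoopBack0 are the switch's own interface addresses.
        return {p.split("/")[0] for p, (_, iface) in self.fib.items()
                if iface == "InLoopBack0" and p.endswith("/32")}

    def _lpm(self, dst):
        """Longest-prefix match over the FIB; returns (network, nexthop, iface) or None."""
        addr = ipaddress.ip_address(dst)
        best = None
        for prefix, (nexthop, iface) in self.fib.items():
            net = ipaddress.ip_network(prefix)
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nexthop, iface)
        return best

    def _software_forward(self, dst):
        """Slow path: the unresolved address was punted to the CPU."""
        self.cpu_punts += 1
        route = self._lpm(dst)
        if route is None:
            self.drops += 1
            return None
        _net, nexthop, iface = route
        if iface == "InLoopBack0":
            self.local_delivered += 1  # addressed to the switch itself
            return None
        # Next hop equal to one of our own addresses means a directly connected
        # destination, so the MAC we need is that of dst itself.
        target = dst if nexthop in self._local_addresses() else nexthop
        if target not in self.arp:
            self.drops += 1  # real software would ARP and retry; modelled as a drop
            return None
        mac, port = self.arp[target]
        entry = FdbEntry(RT_IF[iface], port, mac)
        self.ipfdb[dst] = entry  # learned: later packets never reach software
        self.sw_forwards += 1
        return entry

    def forward(self, dst):
        """Fast path first; only an ipfdb miss interrupts the CPU."""
        entry = self.ipfdb.get(dst)
        if entry is not None:
            self.hw_forwards += 1
            return entry
        return self._software_forward(dst)


def demo():
    """Constructed traffic: repeated packets to one local and one remote host."""
    sw = L3Switch(FIB, ARP)
    for _ in range(3):
        sw.forward("10.110.48.20")  # directly connected host
    for _ in range(3):
        sw.forward("8.8.8.8")       # via the default route
    sw.forward("10.110.50.7")       # connected subnet, but no ARP entry
    return sw


if __name__ == "__main__":
    s = demo()
    print(f"hw={s.hw_forwards} sw={s.sw_forwards} punts={s.cpu_punts} drops={s.drops}")
```

Only the first packet to each destination takes the software path; the model makes the distinction visible through the counters, and the unresolvable destination shows why a burst of packets to unknown addresses lands entirely on the CPU.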