Configuring Cisco Express Forwarding
On most platforms, CEF is not enabled by default, so security administrators must remember to enable the feature.
Note Cisco Express Forwarding (CEF) is not a security feature; therefore, CEF will not be covered in detail. However, the majority of the security features discussed in this chapter must have CEF enabled to function.
Use the ip cef global configuration command to enable CEF switching or enable the use of distributed CEF by using the ip cef distributed global configuration command. Distributed CEF functions only on platforms that support a distributed architecture.
To give you an idea about how CEF works, Figure 3.2 shows Router C with multiple connections to other networks. The configuration of Router C to support CEF switching is shown here:
#ip cef distributed
Figure 3.2: Example of CEF network.
The ip cef distributed global configuration command was used to enable CEF on Router C. After it is enabled on Router C, CEF should create an adjacency table listing each connected device. CEF can create an adjacency by using Address Resolution Protocol (ARP); if Router B is using a routing protocol, an adjacency can be created by using the routing protocol B, and an adjacency can be can be created from a static mapping, using a layer 2 protocol. To verify that CEF created the table, use the show adjacency detail command. Listing 3.1 shows the output of the show adjacency detail command issued on Router B after enabling CEF.
Listing 3.1: The adjacency table of Router B.
Router−B#show adjacency detail
Protocol Interface Address
IP Serial5/0/0 point2point(5)
61528 packets, 5684464 bytes
CEF expires: 00:02:17
IP GigEthernet1/0/0 192.168.15.73(2425)
IP ATM8/0/0 192.168.14.253(73)
In Listing 3.1, you can see that Router B has created an adjacency with each of the routers it is connected to. Each of the fields details specifics related to the CEF adjacency. The protocol field lists the routed protocol with which the adjacency is related. The interface field lists the outgoing interface used to reach the adjacency neighbor. The address field is the address of the adjacency and can contain either the adjacency’s next−hop address or a point−to−point address. The numbers that are in parentheses in the address field are used only by the local router and as a reference to the adjacency. The next field is an encapsulation string, which is prepended to each packet. And the last field is a timer, which is periodically refreshed for each neighbor. The adjacency table will periodically refresh each of these neighbors with the exception of the neighbor connected via the ATM interface. Because this entry is a permanent circuit, CEF will not refresh the neighbor.
As mentioned in the section “In Brief” earlier in this chapter, CEF builds its table based on information within the route table, and as such, a one−to−one correlation between the CEF table and the route table is maintained. The CEF table is stable as long as the topology of the route table is stable. The CEF table of Router B can be viewed using the show ip cef command. Listing 3.2 shows the output of the command show ip cef entered on Router B.
Listing 3.2: An example CEF table for Router B.
Further information for each CEF table entry can be seen by issuing the sh ip cef network command. The following information is returned:
Router−B#sh ip cef 184.108.40.206
220.127.116.11/30, version 1046593, cached adjacency 10.191.150.242
0 packets, 0 bytes
via 192.168.241.2, ATM8/0/0, 0 dependencies
next hop 192.168.14.253, ATM8/0/0
valid cached adjacency
The routing table entry for 18.104.22.168 has a next−hop address of 192.168.241.2, which is not directly connected. This entry requires a recursive lookup for the next hop for 192.168.241.2 to determine that 192.168.241.2 can be reached using the next hop of 192.168.14.253, which is reachable sending the packet out interface ATM8/0/0.