[IP Adventure] A Packet's Adventures on Routers - 06

EchoW  Senior  (1)
5 years 11 months ago  View: 4194  Reply: 5
1F

IP Unicast Forwarding Process

The previous chapters describe how a packet is processed on the forwarding plane. Of these steps, the forwarding process is the most important and varies with the service. The forwarding processes of different services will be detailed in the following chapters. This chapter describes the IPv4 and IPv6 unicast forwarding processes.

9.1  IPv4 Unicast Forwarding

        Getting Started with IPv4 Unicast Forwarding

First, let's review the IP unicast forwarding process using Ethernet frames as an example.

The following figure shows a simple IP forwarding scenario. PC-A in LAN 1 sends an IP packet to PC-B in LAN 2 through a router. This router is the gateway of PC-A.

The destination IP address of the packet is the IP address of PC-B, the source IP address is the IP address of PC-A, the destination MAC address is the MAC address of port 1 on the router, and the source MAC address is the MAC address of PC-A.

Forwarding process on the router:

1.    Upon receipt of the packet, the router parses it because the destination MAC address is the MAC address of Port 1. If the destination MAC is not a local MAC address, the router directly performs Layer 2 forwarding without parsing the packet.

2.    Finding that the protocol carried in the packet is IPv4 (the value of eth_type being 0x800), the router performs IPv4 forwarding accordingly.

3.    The router searches the IP forwarding table (FIB). Knowing that the packet is not destined for itself and that the outbound interface is Port 2, the router does not parse the rest of the IP header.

4.    The router changes the destination MAC address to the MAC address of PC-B, and the source MAC address to the MAC address of Port 2, and forwards the packet through Port 2.

IPv4 Forwarding Process on the Router

The following figure shows the complete IPv4 forwarding process. Two stages of the process deserve particular attention: FIB-based forwarding and encapsulation info obtaining.

FIB-based forwarding:

1.    Checks whether the destination MAC address is a local MAC address. If not, the router performs L2 forwarding. If so, the router proceeds to the next step.

2.    Checks whether the protocol type of the packet is IPv4.

For example, in the case of an Ethernet frame, the router checks whether the value of eth_type is 0x800. If not, the router performs the corresponding forwarding process. If so, the router proceeds to the next step.

3.    Checks whether the packet length, IP address, and checksum are correct. If not, the router discards the packet. If so, the router proceeds to the next step.

4.    Checks whether the destination IP address is a unicast IP address. If not, the router performs the corresponding forwarding process. If so, the router proceeds to the next step.

5.    Searches the FIB for the next-hop IP address and outbound interface corresponding to the destination IP address. In the case of a public packet, the router searches the public FIB. In the case of a VPN packet, the router searches the FIB of the corresponding VPN.

FIB:

Destination/Mask  Nexthop    Flag  TimeStamp  Interface            TunnelID
10.2.5.0/24       10.2.5.5    U     t[5847]   GigabitEthernet1/0/0     0x0
10.2.5.5/32       127.0.0.1   HU    t[5847]   InLoop0                  0x0

·         If equal-cost routes are available for load balancing, they are all displayed in the FIB. The router uses the load balancing hash algorithm to select one from them. For details about load balancing, see Special Topic - Load Balancing.

·         If fast reroute (FRR) is enabled, the router selects the primary or backup route based on the status of the outbound interface. If the interface is Up, it selects the primary route. Otherwise, it selects the backup route.

·         If the outbound interface is a trunk interface, the router uses the trunk load balancing hash algorithm to select one trunk member interface as the outbound interface.

6.    If unicast reverse path forwarding (URPF) check is enabled, the router searches the FIB based on the source IP address. In the case of loose URPF check, a packet passes the check as long as the outbound interface is a physical interface. Specifically, the outbound interface cannot be the CPU or a Null, TE, or IPv4 tunnel interface. In the case of strict URPF check, the router searches the FIB based on the inbound interface and source IP address of each packet. If a corresponding route exists in the FIB and the inbound interface of the packet is the outbound interface of the route, the packet passes the check; otherwise, the router discards the packet. If the inbound interface is a VLAN sub-interface, the outbound interface must be the inbound interface, and the two interfaces must have the same VLAN ID.

NOTE:

In most cases, after a router receives a packet, it searches for a route based on the destination IP address of the packet. If a route is available, the router forwards the packet accordingly. If no route is available, the router discards the packet.

If URPF check is enabled, the router obtains the source address and inbound interface of the packet, searches the FIB for a route destined for the source IP address, and checks whether the outbound interface of the route is the inbound interface of the packet. URPF check prevents attacks that use spoofed source IP addresses.

However, multiple routes to the same destination IP address may exist in the FIB in some scenarios, such as in a load balancing scenario. The outbound interfaces of the routes are different. If strict URPF check is configured in this case, packet loss will occur. To prevent this problem, use loose URPF check. In loose URPF mode, a packet can pass the URPF check as long as there is a route destined for the source IP address of the packet, regardless of whether the outbound interface of the route matches the inbound interface of the packet.

7.    If the destination IP address is not a local IP address, the router decreases the TTL in the packet header by 1, recalculates and modifies the checksum value, and performs subsequent operations, such as CAR. If the destination IP address is a local IP address (the next-hop IP address being 127.0.0.1), the router sends the packet to the upstream TM component.

Finally, the SFU sends the packet to the downlink LPU based on the outbound interface information (including the destination LPU and outbound interface).

Encapsulation info obtaining

On the downlink LPU, the PFE searches for an ARP entry based on the next-hop or destination IP address and the VLAN ID to obtain the destination MAC address, and searches for the MAC address of the outbound interface. Then, the PFE replaces the destination MAC address with the MAC address of the next hop, and replaces the source MAC address with the MAC address of the local outbound interface.

ARP table:

IP ADDRESS      MAC ADDRESS     EXPIRE(M) TYPE   INTERFACE  VPN-INSTANCE
------------------------------------------------------------------------
100.2.150.51    0018-8201-4daa            I -    GE0/0/0
100.2.200.7     0013-d326-a32f  1         D-0    GE0/0/0
192.1.23.1      00e0-fcd5-c877            I -    GE1/0/2
37.1.3.1        00e0-fcd5-c863            I -    GE1/0/3

If no corresponding ARP entry exists, the ARP learning function is triggered, with the steps detailed as follows:

1.    The router sends an ARP request packet. The destination MAC address of the packet is a broadcast address, the destination IP address is the IP address of the next hop, and the source IP address is a local IP address.

2.    Because the destination MAC address of the packet is a broadcast address, all devices or hosts (including the next-hop device) in the LAN can receive the packet. Upon receipt of the packet, the next-hop device parses it, finds that the destination IP address is its own IP address, and replies with an ARP response packet carrying its own MAC address.

3.    After the router receives the response packet, it obtains the next-hop MAC address and adds it to the ARP table.

Outbound Check and Encapsulation

If the destination IP address of the packet is a local IP address, the outbound interface processing module sends the packet to the CPU of the LPU. Finally, the packet is sent to the CPU of the MPU. 

If the destination IP address of the packet is not a local IP address, the outbound interface processing module checks whether the packet length is greater than the MTU. If the packet length is less than the MTU, the module sends the packet to the PIC. The PIC calculates the frame check sequence (FCS) based on the content of the data frame to be sent, and adds the interframe space, preamble, start-of-frame delimiter (SFD), and FCS to the frame. Then, the PIC converts the data frame to optical or electrical signals, and sends the signals to the outbound interface.

If the packet length exceeds the MTU, the router checks the DF bit in the packet header. If the DF bit is 0, the router fragments the packet and then sends the fragments to the PIC. If the DF bit is 1, the source end of the packet does not allow fragmentation. In this case, the router performs CP-CAR check and sends the packet to the CPU of the LPU, and then to the CPU of the MPU. Finally, the router responds to the source end with an ICMP Too-Big message.

9.2  IPv6 Unicast Forwarding

IPv4 and IPv6 forwarding processes are similar, with the following differences:

·         In the IPv4 forwarding process, the router searches the FIBv4 and ARP entries. In the IPv6 forwarding process, the router searches the FIBv6 and neighbor table.

·         In the IPv6 forwarding process, if the length of a packet exceeds the interface IPv6 MTU, the router does not fragment the packet. Instead, it sends it to the CPU and responds to the source end with an ICMP Too-Big message.

IPv6 neighbor table:

[Router] display ipv6 neighbors 
----------------------------------------------------------------
IPv6 Address : 2012::2
Link-layer   : 00e0-fcc2-13b6                             State : STALE
Interface    : GE0/0/0                                    Age   : 0
VLAN         : -                                          CEVLAN: -
VPN name     :                                         Is Router: TRUE
Secure FLAG  : UN-SECURE

IPv6 Address : FE80::2E0:FCFF:FEC2:13B6
Link-layer   : 00e0-fcc2-13b6                             State : STALE
Interface    : GE0/0/0                                    Age   : 0
VLAN         : -                                          CEVLAN: -
VPN name     :                                         Is Router: TRUE
Secure FLAG  : UN-SECURE
----------------------------------------------------------------
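The strict and loose URPF checks from step 6 and its NOTE, as an added example that is not part of the original post or of any router software. The FIB contents, interface names and the `urpf_check` function are constructed for illustration, and strict mode is modelled as comparing against a single route entry to reproduce the packet loss the NOTE describes for equal-cost routes.

```python
import ipaddress

# Constructed FIB (prefix, outbound interface, interface kind). The names
# and prefixes are made up; 10.3.0.0/16 has two equal-cost routes.
FIB = [
    ("10.2.5.0/24", "GE1/0/0", "physical"),
    ("10.3.0.0/16", "GE1/0/1", "physical"),
    ("10.3.0.0/16", "GE1/0/2", "physical"),
    ("192.0.2.0/24", "NULL0", "null"),
]

def lookup(src):
    """Longest-prefix match; returns all routes for the best prefix."""
    addr = ipaddress.ip_address(src)
    hits = [(ipaddress.ip_network(p), ifc, kind) for p, ifc, kind in FIB]
    hits = [h for h in hits if addr in h[0]]
    if not hits:
        return []
    best = max(net.prefixlen for net, _, _ in hits)
    return [(ifc, kind) for net, ifc, kind in hits if net.prefixlen == best]

def urpf_check(src, in_ifc, mode):
    """Return True if a packet from src arriving on in_ifc passes URPF."""
    routes = lookup(src)
    if not routes:
        return False                      # no route back to the source
    if mode == "loose":
        # Loose: a route via a physical interface is enough (not the CPU
        # or a Null, TE, or tunnel interface).
        return any(kind == "physical" for _, kind in routes)
    # Strict: outbound interface of the route must equal the inbound
    # interface. Assumption: the check uses a single route (the first).
    return routes[0][0] == in_ifc
```

A source in 10.3.0.0/16 arriving on GE1/0/2 fails the strict check here even though it is legitimate, and passes the loose check.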
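Steps 3 and 7 of the FIB-based forwarding list and the outbound MTU/DF check, worked through on a raw IPv4 header as an added example (not code from the original post or from any router). The header bytes are constructed by `build_header`, the action strings are hypothetical labels, and the TTL-expiry branch is standard IPv4 behaviour that the post does not list.

```python
import socket
import struct

def checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; 0 over a valid header."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_header(total_len, ttl, df, src, dst):
    """Constructed 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0,
                      0x4000 if df else 0, ttl, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]

def forward(header: bytes, mtu: int):
    """Return (action, rewritten_header) for a transit packet."""
    if len(header) < 20:
        return "discard", None
    version, ihl = header[0] >> 4, (header[0] & 0x0F) * 4
    total_len, flags_frag = struct.unpack("!H2xH", header[2:8])
    # Step 3: length and checksum validation; bad packets are discarded.
    if version != 4 or ihl < 20 or len(header) < ihl or total_len < ihl:
        return "discard", None
    if checksum(header[:ihl]) != 0:
        return "discard", None
    ttl = header[8]
    if ttl <= 1:  # standard IPv4 behaviour, not a step listed in the post
        return "discard", None
    # Step 7: decrement TTL, then recompute the header checksum.
    out = bytearray(header[:ihl])
    out[8] = ttl - 1
    out[10:12] = b"\x00\x00"
    out[10:12] = struct.pack("!H", checksum(bytes(out)))
    out = bytes(out)
    # Outbound check: compare the packet length with the interface MTU.
    if total_len <= mtu:
        return "send", out
    if flags_frag & 0x4000:  # DF = 1: source does not allow fragmentation
        return "icmp-too-big", out
    return "fragment", out
```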

 

 

Comment
nklsureshkumar nklsureshkumar  5 years 5 months ago

nice doc 

faz  Platinum 
5 years 11 months ago
2F
Good tutorial
Saravanan.S  Gold 
5 years 5 months ago
3F
IP Unicast Forwarding Process concepts documented exactly
Saravanan.S  Gold 
5 years 5 months ago
4F
Thanks for sharing IP unicast forwarding process
nklsureshkumar  Platinum 
5 years 5 months ago
5F
well design data doc