CCNP R&S 001: Cisco Express Forwarding (CEF)

Cisco Express Forwarding (or CEF for short) is a layer 3 switching technology propriety to Cisco. CEF allows hardware level routing (switching) to happen without using CPU cycles. Due to this the router is able to perform routing at much lower latency and higher throughput while maintaining low CPU utilization. CEF is enabled/disabled with the (no) ip cef configuration command.

Packet Switching Methods

Yes, routers are doing switching.

  1. Ingress interface receives a packet
  2. The Router does it’s thing
  3. Egress interface expels a packet with new layer 2 information

This is (albeit layer 3) switching.

The three methods a Cisco Router can use for it’s switching logic are:

  • Process Switching: This is the slowest method. The CPU has to handle all the packet processing and due to many interrupts, other processes may suffer.
  • Fast Switching: The first packets the router receives with a destination it doesn’t know about will use process switching. The fast switching cache then stores the results for reuse. Subsequent packets to the same destination use the cached path.
  • Cisco Express forwarding: When using CEF, the Route Processor (RP) handles the majority of packet switching. Inside the RP is the Forward Information Base (FIB) and Adjacency Tables which are explained below.

CEF Data Structures

CEF consists of two main data structures:

  • Forwarding Information Base (FIB) table: The FIB acts like the routing table in many ways. It contains all routes that the router knows about along with any hosts.
  • Adjacency Table: This stores Layer 2 next hop information for all entries on the FIB table. These will be hosts on the connected networks that the router is part of. Stored Layer 2 information includes MAC addresses for Ethernet or DLCI for frame relay.

Forwarding Information Base

FIB contains necessary information from the routing table, stripping out unneeded information like Administrative Distances, Metrics, Age of Routes, Tags. In addition, known /32 next hop and /32 local interfaces are stored. Routing table updates are applied to the FIB immediately. Finally, packets that don’t match any FIB table entries are dropped.

The show ip cef command lists the contents of the FIB table:

R8#show ip cef
Prefix              Next Hop             Interface              FastEthernet0/0           drop          receive             FastEthernet0/0             FastEthernet0/0             FastEthernet0/0             FastEthernet0/0             FastEthernet0/0             FastEthernet0/0         attached             FastEthernet0/0         receive             FastEthernet0/0         receive       receive             FastEthernet0/0         drop         drop        receive         drop  receive

Adjacency Tables

The adjacency table stores layer 2 information about adjacent nodes. A node is adjacent when it’s reachable within a single hop. CEF uses the adjacency table as a map for IP > MAC addresses and substitutes the correct MAC address during encapsulation.

The show command for viewing the Adjacency Table is show adjacency.

Protocol Interface                 Address
IP       Serial1/0                 point2point(7)
IP       Serial1/1                 point2point(7)
IP       Serial1/2                 point2point(7)
IP       Serial1/3                 point2point(7)
IP       FastEthernet0/0 

Adjacency Types

Some adjacency types can’t be CEF switched and need to be processed by the CPU, or dropped.

  • Glean: This is when the router doesn’t yet know the host MAC address in the adjacency table and therefor has to ARP. The CPU is responsible for ARPing, then the router will wait for an ARP reply. While waiting for the reply the Adjacency Table will store the host address without the MAC address. This will be the glean state.
  • Punt: Directed at the CPU, for example if you’re running EIGRP you’ll get punt adjacency to (the EIGRP multicast).
  • Null: This is a valid packet but needs to be dropped. You can point a Static Route to null0 to drop packets here.
  • Discard: A Security Policy blocks and drops the packet.
  • Drop: This means either CRC failure or no route to destination. The packets dropped


CEF can’t be used to switch all packet types. These will generally be <1% of any routers traffic and therefor isn’t an issue but it’s still good to know. These packets include:

  • Packets directed at the Router itself
  • Traffic from Routing Protocols (RIP, EIGRP, OSPF, BGP)
  • Packets that need to be encrypted
  • ARP Requests

Share this post

Leave a Reply