What's the difference between an L3 switch and a router?

All forwarding is switching. Routing is something else.

For us, forwarding and switching will be synonyms. In those examples, no routing is happening, only switching. Accepting a packet, consulting a table to decide where the packet goes next, and transmitting it there, is switching.

Protocols that decide what belongs in the table are routing protocols. RIP, OSPF, and IS-IS are examples of routing protocols, and the device that implements these protocols is doing routing.

The data plane and the control plane

The data plane is much weirder. It contains many CPU's, but none of them wired like a traditional computer. They'll be running tiny programs written by joyless electrical engineers in disgusting pseudoassembler languages, stored in ad-hoc memory devices. The CPUs will probably be Harvard architecture because electrical engineers are comfortable with arbitrary rigidity and have cargo-cult design habits. They will call their programs ``microcode,'' but in general this label is unfair. For example most gigabit Ethernet MAC chips include one or two MIPS cores, the same instruction set used in the old SGI workstations, the Sony Playstation 2, and the control planes of many routers and switches. And if you look at the ``network module'' of a low-end Cisco router, which is part of the data plane, you'll probably see a recognizeable discrete CPU like a 68k, an 80186, an i960---something like that (XXX -- I should dig for what they actually use). The electrical engineers call it ``microcode'' because they're too dumb to get a compiler toolchain working, so they try to imply it would be inappropriate to want one.

There are other non-CPUish things on the data plane just as there are non-CPUish chips in an ordinary computer or in a control plane, but they're wired abnormally around the flow of packets through the router or switch. There will be FPGA's (look for chips stamped Xilinx, Lattice, Altera) and custom ASIC's with the router or switch vendor's name stamped right on them. Many of these FPGA's and ASIC's do have some strange task, yes, but you'll find each chip often spends a quarter of its silicon real estate on a RISC-ish CPU core like ARM or MIPS. CPU-ish and non-CPUish things are often in the same chip, but instead of one big pool of memory there are smaller pools each with different, specific purposes.

The custom logic and so-called ``microcode'' of these many CPUs on the data plane act in concert, accepting simple direction from the control plane, to perform switching. Because the CPUs run small programs with tight loops, they probably don't do much interrupt handling or context switching, maybe none at all. This keeps the data plane's latency extremely low, on the order of the transmission time of a single packet.

What's the device called?	What's the data plane doing?	What's the control plane doing?
Unix PeeCee router	doesn't exist	L3 switching sometimes L2 switching and STP probably not doing routing (but can, Quagga/XORP)
Linksys/D-Link/Netgear junk	L2 switching	L3 switching (doesn't do routing, nor even STP)
L2 switch	L2 switching	STP/IGMP, SNMP
L3 switch	L3 switching, L2 switching	routing, STP/IGMP, SNMP
router	L3 switching sometimes L2 switching	routing, SNMP sometimes STP

If you run Quagga on your Unix PeeCee, the above table isn't correct for you. Quagga running in userspace is sort of like the control plane in a real router, and the kernel IP stack is sort of like the data plane. The routing socket API that Quagga uses to talk to the kernel is similar in purpose to the interface between the control plane and data plane in a real router. However, I think this analogy harms understanding more than it helps! The Unix PeeCee still doesn't have a data plane. These words are reserved for physical wires inside the device over which packets flow, and chips that implement functions. In a Unix PeeCee, there is a single plane---packets flow through the CPU, through the same wires and chips that are implementing OSPF and other control plane functions. Some real routers with separate planes also have, within the control plane, a boundary between kernel and userspace---this boundary is a feature of the real router's control plane that's generally none of your concern. The interface between the data and control planes is something physical, not a software API or system call vector. And, adding to the confusion, some real routers with data planes can forward packets on the control plane when the packets need special mangling. Cisco calls forwarding packets through the control plane ``process switching.'' On a Unix PeeCee, everything is process-switched.

Fancier devices can push more of their function into data planes. L2 switches---the simplest data plane---can bridge Ethernet frames out the right port based on destination MAC address, and I think the learning function, where the switch associates ports with destination MAC's by watching the source MAC's of frames it receives, also happens in the data plane.

L3 switches can pass IP traffic in the general case. The data plane has to read past the Ethernet frame header to the IP address and TCP/UDP port numbers. It has to rewrite the Ethernet frame's destination MAC address with that of the next-hop it's looked up in the ARP table, and replace the source MAC address with its own. Because of this rewriting, it has to recalculate CRC's for the Ethernet FCS, which L2 data planes don't need to do. It also has to decrement L3 IP TTL's (no more storms!). And because it has to decrement TTL's, it has to calculate and rewrite both IP checksums and Ethernet CRC's, which L2 switches don't have to do either. It has to do all these things. But there are tricks. The data plane of both the Cisco 6500 and the Extreme i-series can't forward the following types of packets in the data plane, which means they're punted up to the control plane.

Special packets

Anyway, here are some comprehensible ``special'' traffic types that both Cisco and Extreme switch on the control plane instead of the data plane.

• ARP. Merely flooding the switch with packets destined to an unused IP address can overwhelm the control plane, because these packets will always need ARP resolution. Once the control plane gets an ARP reply for a working destination IP, it'll install an entry in the ARP cache stored inside the data plane, and (for Cisco, not Extreme) everything else to that destination is hardware-switched by the data plane.
• IP packets with TTL=1. These are not forwarded, and need an ICMP type 11 code 0 sent back (traceroute or routing loops).
• packets too big for their assigned output interface, which need to be fragmented (IPv4), to have an ICMP unreachable fragmentation needed packet sent (IPv4 with DF option), or to have an ICMP too-big sent (IPv6).
• packets that are too short or have checksum errors
• of course, packets destined to the router itself, that aren't being forwarded, go to the control plane, like ICMP echo-requests, routing protocols, ssh, SNMP, STP. For L3, Cisco calls this the ``CEF receive adjacency.'' I guess this is obvious.

  But for example Cisco has interest (and some progress) in implementing BFD on the data plane. BFD is a very simple UDP-based HELLO protocol meant to bolt onto routing protocols like OSPF and IS-IS, and its primary design motivation was to replace the HELLO protocols built into the control-plane routing protocols with something simple enough to implement on the data plane, so HELLO timers could be set extremely short, like 50ms or less, instead of the current practice, tens of seconds. Once BFD is implemented on a data plane somewhere, that'll be a case of packets aimed at the router itself which aren't sent to the control plane.

Flow forwarding vs. longest-prefix

The value the table returns is an output interface and an optional next-hop IP address. If the table includes the optional next-hop value, the right way to forward the packet is, look up the next-hop with ARP, set the destination MAC to the one given in the ARP reply, and then dump the frame onto the wire indicated by the output interface field. If the next-hop is missing, instead look up the destination IP with ARP, and use that ARP reply to overwrite the destination MAC address.

So far we've described two tables:

routing table: {destination IP, prefix length} -> {output interface, next-hop IP}

ARP cache: {wire IP, output interface} -> {destination MAC address}

show ip cef only shows the first table, but in practice, I suspect Cisco combines the two tables. Next-hops that don't have destination MAC's from ARP yet are marked with the CEF glean adjacency and sent to the control plane for buffering. (another nasty DDoS vector.)

These two tables are enough to implement L3 switching, but not what we call routing on this page (OSPF, IS-IS, BGP). Unlike the way we usually think of Unix routers that I've just described, real routers contain more than one copy of a routing table. The RIB is a table of L3 destinations and next-hops kept inside the control plane. The RIB can contain more than one tuple for a single destination, and when this happens some of the routes to a given destination may be inactive, because they don't have the best metric. On Cisco, show ip route pretty-prints the RIB, and punctuation characters mark the active and inactive routes. The FIB, copied from the RIB, contains only active routes, and contains no metrics.

The FIB might still contain multiple routes to a single destination, if the data plane is intended to load-balance traffic across two interfaces or next-hops. The most accepted way to do load-balancing is to key the FIB lookup off a hash of the TCP and UDP port numbers---this guarantees a given TCP circuit will follow the same path, unless control plane's OSPF/IS-IS/BGP routing protocols decide to redirect it, which won't happen often. This insures the packets belonging to that TCP circuit arrive in order (which isn't important, but some people think it is, and other people design very stupid not-Internet-ready UDP protocols where in-order delivery actually is important). The RADIX multipath scheme can also reduce flows' RTT variance (``jitter''), which is nice for TCP and critical for VoIP.

On Cisco, show {ip,ipv6} cef is one way to pretty-print something like the FIB. The FIB more or less belongs in the data plane, but as we'll see, this is arguable.

The two tables I described above aren't enough to implement what people now expect of a router (or even an L3 switch). Policy routing demands putting more values into the lookup key of the FIB such as: source IP address, IP TOS, packet size, maybe TCP or UDP port numbers. Access lists mean sometimes the output interface will be ``discard this packet.'' Unless the access list or policy routing rules can be translated (``compiled'' or ``optimized'') somehow, we may need to add some kind of sequence number in the lookup key because policy routing and access lists both have a first-match character, which means modifying the longest-match lookup rule. We are already maybe needing strange kinds of specially-constructed silicon memory to store the FIB in a way that longest-match lookups are O(1). Achieving O(1) lookups is even harder with all this policy routing and access list stuff. In general it's not acceptable to have rules that access lists can't be ``too long,'' so O(1) lookups is a requirement.

The Riverstone 15000 Edge Router was one of the first L3 switches. It doesn't have the word ``switch'' in its name, but with the benefit of hindsight we can see, that's what it was. Riverstone's idea was flow forwarding---a sneaky way to get these policy routing and access list features while using much less fancy FIB-storage memory chips, less fancy even than chips capable of longest-match.

A ``flow'' is now an accepted, first-class entity in the L3 world since the ``flow label'' field got put into IPv6. The IPv6 flow label is at layer 3, not layer 4 or 5 or whatever silly OSI-layer-model-memorizers will tell you. It's missing in IPv4, but in that case it can be approximated by the header hash of protocol and port numbers I spoke of earlier that's useful for multipath, multiple FIB entries for a single destination, and for implementing WFQ output queues that punish poorly-behaved flows that aren't using good congestion-backoff algorithms.

well, whatever... I don't mean to ramble. The point is, the flow idea is already used for more than just flow switching. A flow is supposed to approximate a single conversation, like an established TCP circuit, or a UDP streaming source sending a string of packets with the same UDP source and destination ports and no more than a few seconds between packets. Riverstone's idea is to optimize their data plane for long flows. They replace traditional FIB lookups with a flow lookup in a table that has one entry per flow. The first packet of each flow gets switched by the control plane. The traditional FIB then stays in the control plane, or it can be a nonexistent thing derived from the RIB on demand. The FIB in the data plane is replaced with a route cache or a flow cache. I think Extreme calls it an IPFDB.

This has some cheap, convenient consequences. The data plane doesn't have to implement access lists because only permitted combinations of source, destinaiton, protocol, and port number will be entered into the route cache. The data plane doesn't need to implement load balancing, either, because the control plane can implement best-common-practice RADIX load balancing by giving different next-hops to the tens, hundreds, thousands of route cache children that may spawn from a pair of RIB entries calling for a load-balanced route.

As far as I can tell, the Extreme IPFDB route cache always contains fully-specified entries with:

{input interface, source IP, destination IP, L4 protocol (which can be only TCP or UDP), L4 source port, L4 destination port} -> {output interface, L2 destination MAC, boolean: rewrite or don't-rewrite the source MAC}

(With flow forwarding in general, sometimes input interface is part of the table, and other times there is a separate table for each input interface.)

Extreme's fully-populated-route-cache requirement (which might be a fantasy of mine, not an actual requirement, but...) means, they forward anything that's not TCP or UDP through the control plane. That includes ICMP pings passing through the switch, GRE tunnels, IPsec---any IP protocol besides TCP or UDP. I find the idea of putting something like that on the public Internet a little chilling! I don't actually have a fast enough Internet connection for it to matter. I also don't enable ipforwarding on any Extreme VLAN that's in front of my firewall. The Extreme stuff works well for me, but this flow forwarding idea has some drawbacks.

There's another problem. Flow-forwarding switches aren't good enough for certain traffic mixes. Suppose the traffic mix is in front of a load balancer (which must be a lot more expensive than your flow-based L3 switch!), a few gigabits worth of web users reloading slashdot.org or search.yahoo.com. Here is the first problem: the flows are short. They're probably only 4 - 10 packets for each connection, and in this case one connection is two flows. The route cache on the data plane doesn't have infinite size---it will fill up, or ``thrash.'' And the first packets of these flows will overwhelm the control plane.

You might say, ``well what if we don't store so much in the route cache. What if we don't need to implement policy routing and access lists? We just want to do BGP on the switch, and any other fancy stuff we need to do will be the load balancer's job.'' Riverstone let you control how many fields go into the route cache lookup key. ip set forwarding-mode destination-based implements this what-if, but the Riverstone route cache still doesn't contain longest-match destinations. It contains IPv4 /32's, and the control plane still has to put them there. If your pool of webservers is sending back TCP SYNACK's to web browsers all over the Internet, the control plane will still be overwhelmed by first-packets, and the data plane route cache will still overflow with cached entries. It's not solveable this way.

The answer is to pay for a device that has a fancier longest-match FIB in its data plane---Cisco 6500 with a modern supervisor, instead of Extreme Alpine/i-series or Riverstone 15000. Extreme even sells this bizarre longest-match module for the BlackDiamond, but it still doesn't seem able to switch the backplane's full bandwidth in longest-match mode.

Even a longest-match FIB will still have a limited size, and this matters. It's actually worse in a certain way. For example, for the Cisco 6500, to run a default-free full BGP table, you have to buy the PFC3BXL instead of the PFC3B. If you are not running a full BGP table, you don't have to buy the XL version of the PFC, though they still tried to sell us one. Now, suppose the traffic mix is made of longer flows, big data transfers, instead of reloads of tiny web pages, so Extreme's flow-switching is fine. But suppose this time the L3 switch needs to run a full BGP table from two or more different ISP's. In this case, the control plane needs to have enough DRAM to keep a full BGP table in the RIB, but the data plane's route cache sizing only cares how quickly flows are brought up and torn down, not a bit about how big is the RIB. Extreme flow-switching has another cost advantage here. On Cisco, not only does the MFSC still need enough DRAM for a full-feed RIB, but one also needs the XL version of the PFC to store the >200k rows of longest-match FIB in the data plane.

Tunneling

Some routers will do IPsec on the data plane, but only the small ones. (discussed below)

In general, the data planes of routers are slower and more flexible than those of L3 switches. However, I think this is less true as you pay more money for the device---as we've discussed already, the most expensive L3 switches have longest-match FIB's instead of flow-forwarding (Extreme) or an optional exact-match mode (Riverstone). Likewise, the most expensive routers can switch small packets at line rate, but have lots of quirky limitations about which features one can use with which line cards.

Unix PeeCee router	L3 switch	Old-style traditional router
has no data plane	has data plane, but might do flow-cacheing	always has a longest-prefix FIB in the data plane
can have about four gigabit Ethernet interfaces	a few hundred gigabit Ethernet interfaces are possible	The ``old'' ones I'm talking about here would never have more than five or ten gigabit interfaces.
can forward about a million packets per second. doesn't matter if they're big or small packets.	relatively unexotic configurations can forward line-rate packets of any size in and out every interface	often unable to forward tiny packets at line rate.
QoS is horribly unreliable, and there is a large amount of unpreventable jitter you have to put up with. In short, QoS, if it works at all, is only helpful on <10Mbit/s links. However, extremely complicated and IMHO useful link-sharing policies are implemented in Linux and BSD, such as HSFC.	QoS is based on the DiffServ model: marking and policing is a separate action from scheduling. While complicated marker/policers are possible, only the most primitive scheduling is available---strict priority scheduling with RED.	There are some class-based schedulers, but I don't know of an HFSC implementation.
Long latency. Lots of jitter. crap.	low latency, low jitter	low latency, low jitter
statistics collection not reliable. counters poorly-marked and full of lies.	reliable statistics, per-port and sFlow/NetFlow, collected by data plane	reliable statistics, per-port and sFlow/NetFlow, collected by data plane
mostly has no silicon problems with BGP full feed. Usually the FIB can fit inside the CPU's L2 cache.	flow-forwarding platforms like Extreme don't care if they have a BGP full feed or a small routing table. Longest-prefix platforms like C6500 need the PFC..XL cards to forward packets with a full BGP feed.	no one ever discusses the CEF table capacity of a line card in a low-end router. I'm not sure why this isn't a problem, but line cards manufactured when the BGP default-free zone was 1/10th its current size are fully expected to do CEF forwarding with a full BGP feed, and to give the same performance they did when they were new. I need to understand the data planes of low-end routers a little better to explain this. It may also be untrue---I'd like to know if there are any full-feed problems on Juniper. Does Juniper even make ``low-end'' routers?
IPv6 was a software upgrade. Everything is always a software upgrade.	extremely obstinate about supporting IPv6, and when supported, full of gotchya's like multicast v6.	IPv6 was a software upgrade, and there's good support in the data plane.
Does tunneling.	no tunneling, or does tunneling on the control plane. none, never.	Always does tunneling, and does it on the data plane.
could do MPLS if anyone wrote software that complicated for a PeeCee, but no one does	sometimes you can't do MPLS on an ordinary switchport. Only special line cards of higher cost and lower port density can face the MPLS core, but all platforms offer some way to architect a network that depends on line-rate MPLS. It is part of the vendors' vision about who will buy these switches.	I think they usually do MPLS just fine on the data plane, but I don't know how to configure MPLS yet, so i'm not positive.
I think they will do about 100Mbit/s of IPsec, but I'm not sure.	Usually no IPsec at all. On fancy software like Cisco's, they will give you control plane IPsec which is intended only for protection of traffic to or from the control plane, like telnet/ssh, SNMP, or the one routing protocol that needs IPsec: OSPFv3. There's an extremely weird IPsec module for the 6500 that will do one or two gigabits of IPsec (on a switch with a 32Gbit/s - 720Gbit/s backplane :/ ), but in addition to being disgustingly slow, it's a strange, clumsy thing to configure.	Seamless integration of IPsec. They can do IPsec on the data plane, but sometimes you have to pay extra for the IPsec chip. Low-end routers' IPsec capacity seems to be in the neighborhood of 1/2 - 1/4 of their total forwarding capacity. High-end routers are like the L3 switch for IPsec and can't do any meaningful amount of it.

The Future