
CIS 187 Multilayer Switched Networks

CCNP Switch
Inter-VLAN Routing, Multilayer Switching and CEF
Rick Graziani
Cabrillo College
graziani@cabrillo.edu
Spring 2010

Inter-VLAN Routing

Internetwork Communications

Figure: a host issues C:\>ping 172.16.30.100, a destination on a different subnet.

Can two hosts on different subnets communicate without a router?
  No.
What would happen if a host tried to ping another host on a different subnet?
  They could not communicate.
Would it send an ARP Request? Why or why not?
  The host would not send an ARP Request, because there is no default gateway configured. For a destination off its own subnet a host ARPs for its default gateway, not for the destination; with no gateway configured there is nothing to resolve.

Internetwork Communications

If the destination IP address is on the same subnet as the source:
  The Destination MAC Address is that of the same device as the Destination IP Address.
  Check the ARP cache for an entry for the Destination IP Address and its MAC Address.
  If there is no entry, send an ARP Request for the Destination IP Address asking for its MAC Address.

If the destination IP address is on a different subnet:
  The Destination MAC Address will be that of the Default Gateway.
  Check the ARP cache for an entry for the Default Gateway's IP Address and its MAC Address.
  If there is no entry, send an ARP Request for the Default Gateway's IP Address asking for its MAC Address.

InterVLAN Routing

Figure: three options for routing between VLANs 1, 2 and 3.
  External router with one physical interface per VLAN.
  Router on a stick: a single trunk carrying VLANs 1, 2 and 3 to one router interface.
  Multilayer switch, fed by access ports or a trunk, routing between the VLANs internally.

External Router (one routed interface per VLAN):
Router(config)# interface fa 0/1
Router(config-if)# ip address 172.16.1.1 255.255.255.0
Router(config)# interface fa 0/2
Router(config-if)# ip address 172.16.2.1 255.255.255.0
Router(config)# interface fa 0/3
Router(config-if)# ip address 172.16.3.1 255.255.255.0

Configure Router On A Stick: 802.1Q Trunk Link

Figure: hosts 172.16.10.100/24 (VLAN 10) and 172.16.20.100/24 (VLAN 20) behind the switch; switch port GigabitEthernet1/1 trunks to the router's GigabitEthernet5/0.

Switch side:
interface GigabitEthernet1/1
 switchport mode trunk
(On switches that support both ISL and 802.1Q, configure switchport trunk encapsulation dot1q before switchport mode trunk.)

Router on a stick is very simple to implement. The physical router interface carries no IP address; each VLAN gets a subinterface with its 802.1Q tag and the gateway address for that VLAN. The native keyword on one subinterface tells the router which VLAN arrives untagged; it must match the native VLAN of the switch trunk, otherwise untagged frames are routed on the wrong subnet.

Router side:
interface GigabitEthernet5/0
 no shutdown          ! Does not show in the running config
!
interface GigabitEthernet5/0.2
 description VLAN 2
 encapsulation dot1Q 2 native
 ip address 172.16.1.2 255.255.255.0
!
interface GigabitEthernet5/0.10
 description VLAN 10
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet5/0.20
 description VLAN 20
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.0
!
interface GigabitEthernet5/0.30
 description VLAN 30
 encapsulation dot1Q 30
 ip address 172.16.30.1 255.255.255.0
!
interface GigabitEthernet5/0.40
 description VLAN 40
 encapsulation dot1Q 40
 ip address 172.16.40.1 255.255.255.0

Multilayer Switches

Multilayer Switch Interfaces

Figure: a multilayer switch with Layer 2 access/trunk ports, a Layer 3 physical (routed) interface and a Layer 3 logical interface (SVI).

A multilayer switch performs both Layer 2 switching and interVLAN routing.

Layer 2 Interface: Access or Trunk ports

Layer 3 Interface
  Has an IP address assigned to it.
  Is the Default Gateway for any hosts connected to that interface or VLAN.
  Physical interface
    Same as a router interface
    Aka Routed Port
    Example: interface gigabit 0/1
  Logical interface
    Represents an entire VLAN
    Switched Virtual Interface (SVI)
    Example: interface vlan 10

Multilayer Switch Interfaces

Layer 2 or Layer 3 Interface?

Default on most Catalyst switches: Layer 2
Default on Catalyst 6500: Layer 3

Verify the mode:
Switch# show interface type mod/num switchport

DLS1# show interface gig 0/2 switchport
Name: Gig0/2
Switchport: Enabled
<output omitted>

Switchport: think Layer 2.
  Enabled: Layer 2
  Disabled: Layer 3

Multilayer Switch Interfaces

DLS1# show interface gig 0/2 switchport
Name: Gig0/2
Switchport: Disabled        <- Layer 3
<output omitted>

DLS1# config t
DLS1(config)# interface gig 0/2
DLS1(config-if)# switchport   <- converts the interface to Layer 2
DLS1(config-if)# end

DLS1# show interface gig 0/2 switchport
Name: Gig0/2
Switchport: Enabled         <- Layer 2
<output omitted>

If the interface is in Layer 3 mode, the switchport interface command puts the port back into Layer 2 mode.

Layer 3 Port Configuration

Physical Interfaces

Physical switch ports can operate as Layer 3 interfaces using the no switchport interface command:
Switch(config)# interface type mod/num
Switch(config-if)# no switchport
Switch(config-if)# ip address ip-address mask

DLS1(config)# interface gig 0/1
DLS1(config-if)# no switchport
DLS1(config-if)# ip address 192.168.1.1 255.255.255.252
DLS2(config)# interface gig 0/1
DLS2(config-if)# no switchport
DLS2(config-if)# ip address 192.168.1.2 255.255.255.252

Try it
Download: PT-TopologySwitchBlockMLS.pkt
Configure the appropriate interfaces in DLS1 and DLS2 as physical Layer 3 interfaces with the addresses shown.
Note: Core has the first host address of each link.

What happens if you configure the IP address BEFORE issuing the no switchport command? (The switch refuses it: an IP address can only be assigned once the port is a Layer 3 interface.)

DLS1(config)# interface gig 0/1
DLS1(config-if)# no switchport
DLS1(config-if)# ip address 192.168.1.1 255.255.255.252
DLS1(config-if)# no shutdown
DLS1(config)# interface fa 0/1
DLS1(config-if)# no switchport
DLS1(config-if)# ip address 192.168.1.5 255.255.255.252
DLS1(config-if)# no shutdown
DLS2(config)# interface gig 0/1
DLS2(config-if)# no switchport
DLS2(config-if)# ip address 192.168.1.2 255.255.255.252
DLS2(config-if)# no shutdown
DLS2(config)# interface fa 0/2
DLS2(config-if)# no switchport
DLS2(config-if)# ip address 192.168.1.10 255.255.255.252
DLS2(config-if)# no shutdown

Verify by pinging the neighbor interface.

Physical Interfaces and EtherChannel

Figure: SwitchA (192.168.2.1) and SwitchB (192.168.2.2) connected by a Layer 3 EtherChannel, Port-channel 5.

If several interfaces are bundled together using EtherChannel, the IP address is assigned to the port-channel interface, not to the individual physical links.
To configure a Layer 3 EtherChannel:
  First create the port-channel logical interface.
  Then add the Ethernet ports into the port-channel.

SwitchA(config)# interface port-channel 5
SwitchA(config-if)# no switchport
SwitchA(config-if)# ip address 192.168.2.1 255.255.255.252
SwitchB(config)# interface port-channel 5
SwitchB(config-if)# no switchport
SwitchB(config-if)# ip address 192.168.2.2 255.255.255.252

What about EtherChannel Interfaces?

Figure: Fa0/11 and Fa0/12 on SwitchA bundled as Port-channel 5 (192.168.2.1), connected to Fa0/11 and Fa0/12 on SwitchB, Port-channel 5 (192.168.2.2).

SwitchA(config)# interface port-channel 5
SwitchA(config-if)# no switchport
SwitchA(config-if)# ip address 192.168.2.1 255.255.255.252
SwitchA(config)# interface range fa 0/11 - 12
SwitchA(config-if-range)# no ip address
SwitchA(config-if-range)# no switchport
SwitchA(config-if-range)# channel-group 5 mode active
SwitchB(config)# interface port-channel 5
SwitchB(config-if)# no switchport
SwitchB(config-if)# ip address 192.168.2.2 255.255.255.252
SwitchB(config)# interface range fa 0/11 - 12
SwitchB(config-if-range)# no ip address
SwitchB(config-if-range)# no switchport
SwitchB(config-if-range)# channel-group 5 mode active

First create the port-channel logical interface, then add the Ethernet ports into the port-channel.
This example uses LACP (channel-group ... mode active).
Remember, the channel-group number is what ties a physical port to its port-channel interface.

Figure: Port-channel 5 between SwitchA (192.168.2.1) and SwitchB (192.168.2.2).

SwitchA# show ip interface brief
Port-channel5          192.168.1.1     YES manual up                    up
SwitchA# ping 192.168.1.2
!!!!!
SwitchA# show etherchannel summary
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+-----------------------------------------------
5      Po5(RU)         LACP      Fa0/11(P)   Fa0/12(P)
SwitchA#

Po5(RU): R = Layer 3, U = in use. Both member ports show (P), bundled in the port-channel.

SVI Interfaces - Logical Interfaces

Switch(config)# vlan vlan-number
Switch(config-vlan)# name vlan-name
Switch(config)# interface vlan vlan-number
Switch(config-if)# ip address ip-address mask
Switch(config-if)# no shutdown

Layer 3 functionality can also be enabled for an entire VLAN.
  The IP address is assigned to the logical interface of the VLAN.
  This is needed when routing is required between VLANs.
  SVI (Switched Virtual Interface): no physical connection.
  The VLAN must be created before the SVI can come up.
  The IP address of the VLAN interface is the default gateway of the workstations in that VLAN.

Remember our Switch Block

We created the SVI interfaces! I will have you recreate some of them.

Creating VLANs

DLS1: Create and name the user VLANs: 10, 11, 20 and 21.
DLS1: Create and name a Management VLAN (used to telnet into switches).
DLS1: Create and name a NATIVE VLAN other than VLAN 1 (the default).
DLS1: Create and name a Garbage VLAN (assigned to all unused ports). All ports that are not used (trunks and access) will be assigned as access ports to this VLAN. Unused ports should also be shut down; parking them in a VLAN that is routed nowhere limits what an attacker gains by plugging into one, and moving the native VLAN off VLAN 1 keeps untagged frames out of the default VLAN.

DLS1
vlan 2
 name NATIVE
vlan 10
 name Engineering
vlan 11
 name IT
vlan 20
 name Sales
vlan 21
 name Administration
vlan 99
 name ManagementVLAN
vlan 222
 name GarbageVLAN

Management VLAN

For each device in the network we configured it to be a member of the management VLAN.

On each switch (x differs per switch):
Switch(config)# interface vlan 99
Switch(config-if)# description Management VLAN
Switch(config-if)# ip address 172.16.99.x 255.255.255.0
Switch(config-if)# no shutdown

Default Gateway

Configure DLS1 to be the default gateway for VLANs 10 and 11. All hosts on these VLANs will use these addresses as their default gateway addresses.

DLS1(config)# interface vlan 10
DLS1(config-if)# description Engineering VLAN
DLS1(config-if)# ip address 172.16.10.1 255.255.255.0
DLS1(config-if)# no shutdown
DLS1(config)# interface vlan 11
DLS1(config-if)# description IT VLAN
DLS1(config-if)# ip address 172.16.11.1 255.255.255.0
DLS1(config-if)# no shutdown

Default Gateway

Configure DLS2 to be the default gateway for VLANs 20 and 21. All hosts on these VLANs will use these addresses as their default gateway addresses.

DLS2(config)# interface vlan 20
DLS2(config-if)# description Sales VLAN
DLS2(config-if)# ip address 172.16.20.1 255.255.255.0
DLS2(config-if)# no shutdown
DLS2(config)# interface vlan 21
DLS2(config-if)# description Administration VLAN
DLS2(config-if)# ip address 172.16.21.1 255.255.255.0
DLS2(config-if)# no shutdown

Verifying

Verify IP addresses

DLS1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        192.168.4.6     YES manual up                    up
GigabitEthernet0/1     192.168.1.1     YES manual up                    up
Vlan10                 172.16.10.1     YES manual up                    up
Vlan11                 172.16.11.1     YES manual up                    up
Port-channel1          unassigned      YES manual up                    up
DLS1#

Configuring a Routed Port

Step 1: Configure IP routing.
Switch(config)# ip routing

Step 2: Create a routed port.
Switch(config)# interface type mod/num
Switch(config-if)# no switchport

Step 3: Assign an IP address to the routed port.
Switch(config-if)# ip address ip-address mask

Step 4: Configure the IP routing protocol if needed.
Switch(config)# router ip_routing_protocol <options>

Configuring Inter-VLAN Routing Through an SVI

Step 1: Configure IP routing.
Switch(config)# ip routing

Step 2: Create an SVI interface.
Switch(config)# interface vlan vlan-id

Step 3: Assign an IP address to the SVI.
Switch(config-if)# ip address ip-address mask

Step 4: Configure the IP routing protocol if needed.
Switch(config)# router ip_routing_protocol <options>

Enabling CEF (Cisco Express Forwarding)

The commands required to enable CEF are platform dependent.
On the Cisco Catalyst 3550 switch CEF is enabled by default; it can be enabled per interface with:
Switch(config-if)# ip route-cache cef

We are going to discuss CEF and Multilayer Switching next.
Since the 3550/3560 has CEF enabled by default, the only thing left is to configure routing on the two distribution layer switches.

Routing

Enable routing on DLS1 and DLS2.
Configure EIGRP on DLS1 and DLS2.
Turn off auto-summarization.

DLS1(config)# ip routing
DLS1(config)# router eigrp 1
DLS1(config-router)# network 172.16.0.0
DLS1(config-router)# network 192.168.1.0
DLS1(config-router)# no auto-summary
DLS2(config)# ip routing
DLS2(config)# router eigrp 1
DLS2(config-router)# network 172.16.0.0
DLS2(config-router)# network 192.168.1.0
DLS2(config-router)# no auto-summary

Note that the network 172.16.0.0 statement also runs EIGRP on the user VLAN SVIs. On a production switch, add passive-interface for those SVIs under router eigrp so that hosts on the user VLANs cannot form an EIGRP adjacency with the distribution switch.

Verifying

Verify routing

DLS1# show ip route
<output omitted>
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/25628160] via 192.168.1.5, 00:00:07, FastEthernet0/1        <- Core network
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.10.0 is directly connected, Vlan10
C       172.16.11.0 is directly connected, Vlan11
D       172.16.20.0 [90/25625856] via 192.168.1.2, 01:29:41, GigabitEthernet0/1  <- DLS2 networks (VLANs)
D       172.16.21.0 [90/25625856] via 192.168.1.2, 01:29:41, GigabitEthernet0/1  <- DLS2 networks (VLANs)
C       172.16.99.0 is directly connected, Vlan99
     192.168.1.0/30 is subnetted, 3 subnets
C       192.168.1.0 is directly connected, GigabitEthernet0/1
C       192.168.1.4 is directly connected, FastEthernet0/1
D       192.168.1.8 [90/28416] via 192.168.1.2, 01:17:18, GigabitEthernet0/1     <- network between DLS2 and Core
DLS1#

Traditional and CEF-Based Multilayer Switching

Multilayer Switching: Traditional MLS and CEF-Based MLS

Multilayer switching is the ability of a Catalyst switch to support switching and routing of packets in hardware.
  Optional support for Layers 4 through 7 switching in hardware as well.
  A route processor (or Layer 3 engine) must download software-based routing, switching, access lists, QoS, and other information to the hardware for packet processing.

Traditional and CEF-based MLS

Cisco Catalyst switches use either:
  Traditional multilayer switching (traditional MLS), a legacy feature
  The Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based multilayer switching.

Traditional MLS

Figure: a Route Processor (RP) and a Switching Engine (SE) sharing the work.

Dual effort between:
  Route Processor (RP)
  Switching Engine (SE)
Traditional MLS: route once, switch many.
Specialized Application-Specific Integrated Circuits (ASICs) perform the Layer 2 rewrite operations of routed packets:
  Source MAC address
  Destination MAC address
  Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change during Layer 3 rewrites, the switch must recalculate the CRC for these new MAC addresses.

Traditional MLS

The SE:
  Listens in on the first packet going to the router (RP) and the first packet coming back from the router (RP).
  If the SE can switch the packet in both directions, it learns a shortcut path for subsequent packets to use, bypassing the router (RP).
This technique is also known as NetFlow-based switching.
With traditional MLS, the Layer 3 engine (route processor) and the switching ASICs work together to build Layer 3 entries on the switch.

Traditional MLS

Figure: MSFC, RSFC and RSM route-processor modules.

Hardware consists of:
  An independent RP
  A NetFlow-capable SE
NetFlow switching (or route cache switching) is performed on Cisco hardware such as:
  Catalyst 6000 Supervisor 1/1a with the Multilayer Switch Feature Card (MSFC)
  Catalyst 5000/5500 with a Route Switch Module (RSM)
  Route Switch Feature Card (RSFC)
  An external router

Traditional MLS

Figure: the frame from workstation A as it enters the switch on VLAN 1.
  Ethernet Header: D-MAC = 00-00-0C-11-11-11 (router), S-MAC = 00-AA-00-11-11-11 (workstation A), 802.1Q tag VLAN 1
  IP Header: S-IP = 10.1.1.10, D-IP = 10.1.2.20
  IP Data

The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching/routing.
After the routing of the first packet in the flow, the Layer 3 engine programs the hardware-switching components to route subsequent packets.

Traditional MLS: the candidate packet

MLS-SE (thinking): "The Destination MAC Address is one of the router's interfaces. There is no existing flow, so I will flag this as a candidate packet."

Candidate Packet Info recorded by the MLS-SE:
  Layer 3 Info: S-IP 10.1.1.10, D-IP 10.1.2.20
  Layer 2 Info: S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11

Frame on the wire (VLAN 1): D-MAC = 00-00-0C-11-11-11, S-MAC = 00-AA-00-11-11-11, S-IP = 10.1.1.10, D-IP = 10.1.2.20

Workstation A sends a packet to workstation B:
  Workstation A sends the packet to its default gateway (which is the RSM).
  The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP).
  As a result, the switch creates a candidate entry for this flow.

Traditional MLS: the enabler packet

Frame leaving the router on VLAN 2: D-MAC = 00-AA-00-22-22-22 (workstation B), S-MAC = 00-00-0C-22-22-22 (router's VLAN 2 interface), S-IP = 10.1.1.10, D-IP = 10.1.2.20

Next, the router (MLS-RP) accepts the packet from workstation A, rewrites the Layer 2 MAC addresses and CRC, and forwards the packet to workstation B.
The switch refers to the routed packet coming back from the RSM as the enabler packet.

Traditional MLS: matching candidate and enabler

Candidate Packet Info held by the MLS-SE: S-IP 10.1.1.10, D-IP 10.1.2.20; S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11
Enabler frame seen on VLAN 2: D-MAC = 00-AA-00-22-22-22, S-MAC = 00-00-0C-22-22-22, S-IP = 10.1.1.10, D-IP = 10.1.2.20

The MLS-SE recognizes various matches, including the CAM table (details not included).
Basically, the MLS-SE recognizes that the packet going out on VLAN 2 is the same one that came in on VLAN 1 (same source and destination IP, with the source MAC now the router's).
Upon seeing both the candidate and enabler packets, the switch creates an MLS entry in hardware (the MLS cache) so that it rewrites and forwards all future packets matching this flow.

Traditional MLS: future packets

MLS-SE (thinking): "Found a match in the MLS Cache: rewrite the Ethernet header and send directly to Host B, forget the router!"

MLS Cache
Dst IP     Src IP     Port  Dst Port  Src Port  Dst MAC            Src MAC            VLAN  Interface
10.1.2.20  10.1.1.10  TCP   23        1238      00-AA-00-22-22-22  00-00-0C-22-22-22  2     3/1

As future packets from the flow arrive, the MLS-SE uses the destination IP address to look up the entry in the MLS cache.
Finding a match, the rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router).
The rewrite operation modifies all the same fields initially modified by the router for the first packet, including the source MAC and destination MAC addresses.
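The candidate/enabler learning walked through on slides 36 to 39 can be watched end to end in a small simulation. This is an added example written for this page, not Cisco code or output: the addresses, MACs, VLANs and the Telnet flow (TCP 1238 to 23) come from the slide figures, while the RouteProcessor and SwitchingEngine classes, the router's ARP table and the packet counters are constructed for the demo.

```python
"""Traditional (NetFlow-based) MLS: candidate/enabler flow learning.

Added example for this page, not Cisco code. Addresses, MACs and the Telnet
flow (TCP 1238 -> 23) are taken from the slide figures; the rest is constructed.
"""
from dataclasses import dataclass
from typing import Dict, Tuple

FlowKey = Tuple[str, str, str, int, int]    # src_ip, dst_ip, proto, src_port, dst_port


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    vlan: int
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    ttl: int = 64

    def flow(self) -> FlowKey:
        return (self.src_ip, self.dst_ip, self.proto, self.src_port, self.dst_port)


class RouteProcessor:
    """MLS-RP: routes in software and performs the Layer 2 rewrite."""

    def __init__(self, mac_by_vlan: Dict[int, str], arp: Dict[str, Tuple[int, str]]):
        self.mac_by_vlan = mac_by_vlan   # router MAC per VLAN interface
        self.arp = arp                   # host IP -> (VLAN, host MAC); constructed ARP table
        self.routed = 0

    def is_my_mac(self, mac: str) -> bool:
        return mac in self.mac_by_vlan.values()

    def route(self, pkt: Packet) -> Packet:
        vlan, host_mac = self.arp[pkt.dst_ip]
        self.routed += 1
        # New S-MAC (router's egress VLAN interface), new D-MAC (host), TTL - 1; CRC implied
        return Packet(self.mac_by_vlan[vlan], host_mac, vlan, pkt.src_ip, pkt.dst_ip,
                      pkt.proto, pkt.src_port, pkt.dst_port, pkt.ttl - 1)


class SwitchingEngine:
    """MLS-SE: watches packets to/from the RP and builds the MLS cache."""

    def __init__(self, rp: RouteProcessor):
        self.rp = rp
        self.candidates: Dict[FlowKey, Packet] = {}
        self.cache: Dict[FlowKey, Tuple[int, str, str]] = {}   # flow -> (egress VLAN, new S-MAC, new D-MAC)
        self.shortcut = 0

    def forward(self, pkt: Packet) -> Packet:
        key = pkt.flow()
        hit = self.cache.get(key)
        if hit:                                     # MLS cache hit: rewrite in hardware, bypass the RP
            vlan, smac, dmac = hit
            self.shortcut += 1
            return Packet(smac, dmac, vlan, pkt.src_ip, pkt.dst_ip,
                          pkt.proto, pkt.src_port, pkt.dst_port, pkt.ttl - 1)
        if not self.rp.is_my_mac(pkt.dst_mac):      # not addressed to the router: plain L2 switching
            return pkt
        self.candidates[key] = pkt                  # candidate packet: D-MAC is one of the RP's interfaces
        routed = self.rp.route(pkt)                 # first packet of the flow is routed in software
        if self.rp.is_my_mac(routed.src_mac):       # enabler packet: same flow leaving the RP, rewritten
            self.cache[key] = (routed.vlan, routed.src_mac, routed.dst_mac)
            del self.candidates[key]
        return routed


def demo() -> dict:
    rp = RouteProcessor(
        mac_by_vlan={1: "00-00-0C-11-11-11", 2: "00-00-0C-22-22-22"},
        arp={"10.1.2.20": (2, "00-AA-00-22-22-22")},
    )
    se = SwitchingEngine(rp)

    def telnet(sport: int) -> Packet:   # workstation A -> B via the router's VLAN 1 MAC
        return Packet("00-AA-00-11-11-11", "00-00-0C-11-11-11", 1,
                      "10.1.1.10", "10.1.2.20", "TCP", sport, 23)

    out = [se.forward(telnet(1238)) for _ in range(5)]   # five packets of one flow
    se.forward(telnet(1239))                             # a new flow is routed by the RP again
    last = out[-1]
    return {"routed_by_rp": rp.routed, "hardware_shortcuts": se.shortcut,
            "egress": (last.vlan, last.src_mac, last.dst_mac), "ttl": last.ttl,
            "cache_entries": len(se.cache)}
```

Only the first packet of each flow ever reaches the RP. Anything the RP applies per packet, such as access lists or accounting, therefore sees one packet per flow unless that logic is also pushed down into the switching hardware, which is exactly why slide 30 has the route processor downloading access lists and QoS information to the hardware.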

CEF-based MLS

CEF

The CEF-based MLS forwarding model is used to download the control plane information (such as the access lists) to the data plane (on the supervisor, port, or line card) for hardware switching of packets.
  The control plane represents the Layer 3 engine (route processor).
  The data plane represents the hardware components, such as ASICs, used by the switch for hardware switching.
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB).
The result is that switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses.

CEF

The two main components of CEF are:
1. The FIB (Forwarding Information Base)
2. The Adjacency Table

DLS1# show ip cef
Prefix               Next Hop        Interface
0.0.0.0/0            no route
0.0.0.0/32           receive
1.1.1.0/24           192.168.1.5     FastEthernet0/1
172.16.10.0/24       attached        Vlan10
172.16.10.0/32       receive         Vlan10
172.16.10.1/32       receive         Vlan10
172.16.10.255/32     receive         Vlan10
172.16.11.0/24       attached        Vlan11
172.16.11.0/32       receive         Vlan11
172.16.11.1/32       receive         Vlan11
172.16.11.255/32     receive         Vlan11
172.16.20.0/24       192.168.1.2     GigabitEthernet0/1
172.16.21.0/24       192.168.1.2     GigabitEthernet0/1
172.16.99.0/24       attached        Vlan99
172.16.99.0/32       receive         Vlan99
172.16.99.1/32       receive         Vlan99
172.16.99.255/32     receive         Vlan99
192.168.1.0/30       attached        GigabitEthernet0/1
192.168.1.0/32       receive         GigabitEthernet0/1
192.168.1.1/32       receive         GigabitEthernet0/1
192.168.1.2/32       192.168.1.2     GigabitEthernet0/1
192.168.1.3/32       receive         GigabitEthernet0/1
192.168.1.4/30       attached        FastEthernet0/1
192.168.1.4/32       receive         FastEthernet0/1
192.168.1.5/32       192.168.1.5     FastEthernet0/1
192.168.1.6/32       receive         FastEthernet0/1
192.168.1.7/32       receive         FastEthernet0/1
192.168.1.8/30       192.168.1.2     GigabitEthernet0/1
224.0.0.0/4          drop
224.0.0.0/24         receive
255.255.255.255/32   receive
DLS1#

Forwarding Information Base
  Makes IP destination switching decisions.
  Similar to a routing table, reformatted into an ordered list with the most specific route first for each IP network/subnet in the routing table.
  Ordered with the most specific (longest match) first, followed by less specific subnets.
  A mirror image of the forwarding information contained in the IP routing table.
  When routing or topology changes occur in the network, the IP routing table is updated, and those changes are reflected in the FIB.
  Maintains next-hop address information based on the information in the IP routing table.

CEF

Adjacency tables
Network nodes are said to be adjacent if they can reach each other with a single hop across the link layer (the same sense in which OSPF and EIGRP speak of adjacencies).
A router normally maintains:
  A routing table containing Layer 3 network and next-hop information
  An ARP table containing the Layer 3 to Layer 2 address mapping
These tables are kept independently.

CEF

Figure: for each next hop in the FIB, the adjacency table supplies the Layer 2 MAC addresses needed for the rewrite.

DLS1# show adjacency detail
Protocol Interface                 Address
IP       Vlan99                    172.16.99.2
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 3
                                   Encap length 14
                                   0000603E24584400055E6D393C0800
                                   ARP
IP       GigabitEthernet0/1        192.168.1.2
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 3
                                   Encap length 14
                                   0000902B293019000C85B044190800
                                   ARP
IP       FastEthernet0/1           192.168.1.5
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 3
                                   Encap length 14
                                   0000024A0A4301000C85B044010800
                                   ARP
DLS1#

The FIB keeps the Layer 3 next-hop address for each entry.
To streamline packet forwarding even more, the FIB has corresponding Layer 2 information for every next-hop entry.
This portion of the FIB is called the adjacency table, consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop. The Encap string is the prebuilt Ethernet header (destination MAC, source MAC, EtherType 0800) that the hardware writes onto the frame.

CEF

Adjacency tables (summary, more detail coming)

Figure: the hardware forwarding engine has no ARP entry for the next hop, so it cannot forward the packet in hardware and hands it to the Layer 3 engine, which generates the ARP Request and receives the ARP Reply.

  Built from the ARP table.
  As a next-hop address receives a valid ARP entry, the adjacency table is updated.
  If an ARP entry does not exist, the FIB entry is marked as CEF glean.
  This means that the Layer 3 forwarding engine can't forward the packet in hardware, due to the missing Layer 2 next-hop address.
  The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply.
  This is known as the CEF glean state, where the Layer 3 engine must glean the next-hop destination's MAC address.

CEF

Adjacency tables
What happens to subsequent packets while the FIB entry is in the glean state (the L3 engine is sending the ARP Request)?
  These packets are dropped:
    So input queues do not fill.
    So the Layer 3 engine does not become too busy with duplicate ARP requests.
  This is called ARP throttling or throttling adjacency.
  If an ARP reply is not received in two seconds, the throttling is released so that another ARP request can be triggered.
  After the ARP reply is received:
    Throttling is released
    The FIB entry can be completed
    Subsequent packets can be forwarded in hardware

ARP Throttling

Figure: Host A (default gateway: the Layer 3 switch) sends to Host B, 10.20.10.2, whose MAC address the switch does not yet know.

1. Host A sends a packet to Host B.
   The CEF lookup shows a glean adjacency (no ARP entry exists, so there is no entry in the adjacency table).
   No rewrite information exists.
2. The packet is passed to the Layer 3 Engine for processing.
3. Obtaining rewrite information.
   The L3 Engine sends an ARP Request for Host B and waits for the ARP Reply.
   Throttling Adjacency: while in the glean state, subsequent packets to that host are dropped, so that input queues do not fill and the Layer 3 engine is not busy with duplicate ARP Requests. (Note: Cisco routers likewise drop the first packet when there is no ARP entry, while sending the ARP Request.)
   The throttling adjacency is removed if no ARP Reply is received within 2 seconds. This allows another packet to initiate a new ARP Request.
   Throttling adjacency relieves the Layer 3 Engine of excessive ARP processing and of ARP-based DoS attacks, in which a flood of packets toward unresolvable addresses would otherwise force the engine to process an ARP request per packet.
4. Host B sends the ARP Reply (Host B's MAC address for 10.20.10.2).
5. The Layer 3 Engine installs the adjacency for Host B and removes the throttling (drop) adjacency.
Next: Packet Rewrite.
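The FIB ordering on slide 42, the glean state on slide 45 and the throttling adjacency on slides 46 to 50 fit together in one forwarding model. The following is an added example written for this page, not Cisco code: the FIB rows reproduce the `show ip cef` output on DLS1 shown earlier, while the MAC addresses, the simulated clock passed as `now` and the two-second THROTTLE_SECONDS constant are assumptions for the demo.

```python
"""CEF forwarding model: FIB longest match, adjacency table, glean and ARP throttling.

Added example for this page, not Cisco code. The FIB rows reproduce the
`show ip cef` output on DLS1 shown earlier; the MAC addresses, the simulated
clock and the two-second throttle constant are assumptions for the demo.
"""
import ipaddress
from typing import Dict, List, NamedTuple, Optional

THROTTLE_SECONDS = 2.0      # slide: throttle released if no ARP reply arrives within two seconds


class FibEntry(NamedTuple):
    prefix: ipaddress.IPv4Network
    next_hop: str              # a next-hop IP, or attached / receive / drop / no route
    interface: Optional[str]


class Adjacency(NamedTuple):
    mac: str
    interface: str


class CefSwitch:
    def __init__(self, fib: List[FibEntry]):
        # FIB is kept most specific (longest prefix) first, so the first hit wins
        self.fib = sorted(fib, key=lambda e: e.prefix.prefixlen, reverse=True)
        self.adjacency: Dict[str, Adjacency] = {}      # next-hop IP -> Layer 2 rewrite info
        self.throttle_until: Dict[str, float] = {}     # next-hop IP -> when the drop adjacency expires
        self.arp_requests: List[str] = []
        self.hw_forwarded = self.punted = self.dropped = 0

    def lookup(self, dst: str) -> Optional[FibEntry]:
        addr = ipaddress.IPv4Address(dst)
        return next((e for e in self.fib if addr in e.prefix), None)

    def forward(self, dst: str, now: float) -> str:
        e = self.lookup(dst)
        if e is None or e.next_hop == "no route":
            self.dropped += 1
            return "drop (no route)"
        if e.next_hop == "drop":
            self.dropped += 1
            return "drop"
        if e.next_hop == "receive":                    # addressed to the switch itself: software path
            self.punted += 1
            return "punt (receive)"
        nh = dst if e.next_hop == "attached" else e.next_hop
        adj = self.adjacency.get(nh)
        if adj:                                        # complete adjacency: rewrite and forward in hardware
            self.hw_forwarded += 1
            return f"hw-forward via {adj.interface} dst-mac {adj.mac}"
        if now < self.throttle_until.get(nh, 0.0):     # glean already in progress: throttling adjacency
            self.dropped += 1
            return f"drop (throttling adjacency for {nh})"
        self.throttle_until[nh] = now + THROTTLE_SECONDS
        self.arp_requests.append(nh)                   # Layer 3 engine gleans the MAC with one ARP request
        self.punted += 1
        return f"punt (glean: ARP request for {nh})"

    def arp_reply(self, ip: str, mac: str, interface: str) -> None:
        """A valid ARP entry completes the adjacency and releases the throttle."""
        self.adjacency[ip] = Adjacency(mac, interface)
        self.throttle_until.pop(ip, None)


def dls1_fib() -> List[FibEntry]:
    """Subset of DLS1's show ip cef output from the slide."""
    rows = [
        ("0.0.0.0/0", "no route", None),
        ("1.1.1.0/24", "192.168.1.5", "FastEthernet0/1"),
        ("172.16.10.0/24", "attached", "Vlan10"), ("172.16.10.1/32", "receive", "Vlan10"),
        ("172.16.11.0/24", "attached", "Vlan11"), ("172.16.11.1/32", "receive", "Vlan11"),
        ("172.16.20.0/24", "192.168.1.2", "GigabitEthernet0/1"),
        ("172.16.21.0/24", "192.168.1.2", "GigabitEthernet0/1"),
        ("192.168.1.0/30", "attached", "GigabitEthernet0/1"), ("192.168.1.1/32", "receive", "GigabitEthernet0/1"),
        ("192.168.1.4/30", "attached", "FastEthernet0/1"), ("192.168.1.5/32", "192.168.1.5", "FastEthernet0/1"),
        ("192.168.1.8/30", "192.168.1.2", "GigabitEthernet0/1"),
        ("224.0.0.0/4", "drop", None), ("224.0.0.0/24", "receive", None),
    ]
    return [FibEntry(ipaddress.ip_network(p), nh, i) for p, nh, i in rows]


def demo() -> dict:
    sw = CefSwitch(dls1_fib())
    # Adjacencies for the two routed uplinks, as if learned by ARP (MACs constructed)
    sw.arp_reply("192.168.1.2", "00:0c:85:b0:44:19", "GigabitEthernet0/1")
    sw.arp_reply("192.168.1.5", "00:0c:85:b0:44:01", "FastEthernet0/1")
    r = {"longest_match": str(sw.lookup("172.16.10.1").prefix)}   # /32 receive beats /24 attached
    r["remote"] = sw.forward("172.16.20.7", now=0.0)               # via DLS2, rewrite info known
    r["first_to_host"] = sw.forward("172.16.10.50", now=0.0)      # attached host, no ARP entry: glean
    r["while_throttled"] = sw.forward("172.16.10.50", now=1.0)    # dropped, no duplicate ARP request
    r["after_timeout"] = sw.forward("172.16.10.50", now=2.5)      # throttle released, ARP again
    sw.arp_reply("172.16.10.50", "00:aa:00:11:11:11", "Vlan10")
    r["after_reply"] = sw.forward("172.16.10.50", now=3.0)
    r["arp_requests"] = len(sw.arp_requests)
    r["multicast"] = sw.forward("239.1.1.1", now=0.0)
    r["default"] = sw.forward("8.8.8.8", now=0.0)
    return r
```

The throttle is what keeps a flood of packets toward unresolved addresses on a connected subnet (a scan of 172.16.10.0/24, say) from becoming a flood of ARP requests out of the Layer 3 engine, which is the ARP-based DoS the slide mentions. The price is that packets arriving during the glean window are dropped, so the first ping to an idle host is expected to fail.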

Packet Rewrite

Figure: egress packet from the Layer 3 switch toward Host B (10.20.10.2). Fields to be rewritten: L2 destination (Host B's MAC address), L2 source (the switch's outbound interface MAC), L2 checksum, L3 checksum, TTL.

The switch receives another packet:
  After a multilayer switch finds valid entries in the FIB and adjacency tables, a packet is almost ready to be forwarded.
  One step remains: the packet header information must be rewritten.
  Multilayer switching occurs as quick table lookups:
    Find the next-hop address
    Find the outbound switch port
  The IP header must also be adjusted, as if a traditional router had done the forwarding (TTL).

Packet Rewrite

Figure: Host A sends to 10.20.10.2 with the default gateway's MAC as destination; the L3 switch forwards out the interface toward Host B with Host B's MAC as destination, its own outbound interface MAC as source, TTL - 1, and recalculated L2 and L3 checksums.

The packet rewrite engine makes the following changes to the packet just prior to forwarding:
  Layer 2 destination address: changed to the next-hop device's MAC address
  Layer 2 source address: changed to the outbound Layer 3 switch interface's MAC address
  Layer 3 IP Time To Live (TTL): decremented by one, as one router hop has just occurred
  Layer 3 IP checksum: recalculated to include changes to the IP header
  Layer 2 frame checksum: recalculated to include changes to the Layer 2 and Layer 3 headers

Packet Rewrite

A traditional router would normally make the same changes to each packet.
The multilayer switch must act as if a traditional router were being used, making identical changes.
The multilayer switch can do this very efficiently with dedicated packet rewrite hardware and with address information obtained from table lookups.

Packet Rewrite

The switch performs a Layer 3 lookup and finds a CEF entry for Host B.
The switch rewrites the packet per the adjacency information and forwards the packet to Host B on its VLAN.
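The five fields listed on slide 53 can be rewritten on real bytes. This is an added example written for this page, not Cisco's rewrite engine: it builds a constructed Ethernet II/IPv4 frame, performs the Layer 2 and Layer 3 rewrite, recomputes both checksums, and punts the cases the hardware path does not handle (IP options, slide 56; TTL expiry, which needs an ICMP Time Exceeded generated in software). The MACs and IP addresses are the constructed Host A/Host B values from the figures.

```python
"""Packet rewrite performed by a multilayer switch, on raw Ethernet/IPv4 bytes.

Added example for this page, not Cisco code. It rewrites the five fields the
slide lists (L2 dst, L2 src, TTL, IP checksum, frame checksum) and punts the
cases hardware cannot handle. Addresses and MACs are constructed for the demo.
"""
import socket
import struct
import zlib
from typing import Optional, Tuple

ETHERTYPE_IPV4 = b"\x08\x00"


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 checksum: one's complement of the one's complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def fcs(body: bytes) -> bytes:
    """Ethernet FCS: CRC-32, transmitted least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def mac(s: str) -> bytes:
    return bytes.fromhex(s.replace(":", "").replace("-", ""))


def build_frame(src_mac: str, dst_mac: str, src_ip: str, dst_ip: str,
                ttl: int, payload: bytes = b"", options: bytes = b"") -> bytes:
    """Constructed test frame: Ethernet II + IPv4 (protocol 17) + payload + FCS."""
    ihl = 5 + len(options) // 4
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload),
                                0x1234, 0x4000, ttl, 17, 0,
                                socket.inet_aton(src_ip), socket.inet_aton(dst_ip)) + options)
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    body = mac(dst_mac) + mac(src_mac) + ETHERTYPE_IPV4 + bytes(hdr) + payload
    return body + fcs(body)


def rewrite(frame: bytes, out_if_mac: str, next_hop_mac: str) -> Tuple[str, Optional[bytes]]:
    """Return ("forward", new_frame), or ("punt ...", None) / ("drop ...", None)."""
    body, trailer = frame[:-4], frame[-4:]
    if fcs(body) != trailer:
        return ("drop: bad FCS", None)
    eth, ip = body[:14], body[14:]
    if eth[12:14] != ETHERTYPE_IPV4:
        return ("punt: not IPv4", None)
    ihl = (ip[0] & 0x0F) * 4
    if ihl != 20:
        return ("punt: IP header options are not hardware switched", None)
    if ipv4_checksum(ip[:20]) != 0:          # a valid header sums to zero including its checksum field
        return ("drop: bad IP checksum", None)
    hdr = bytearray(ip[:20])
    if hdr[8] <= 1:
        return ("punt: TTL expired, ICMP Time Exceeded is generated in software", None)
    hdr[8] -= 1                              # Layer 3: TTL decremented by one
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))    # Layer 3: IP checksum recalculated
    new_eth = mac(next_hop_mac) + mac(out_if_mac) + eth[12:14]   # Layer 2: dst = next hop, src = outbound interface
    new_body = new_eth + bytes(hdr) + ip[20:]
    return ("forward", new_body + fcs(new_body))                 # Layer 2: frame checksum recalculated


def demo() -> dict:
    # Host A (10.1.1.10) sends to Host B (10.20.10.2) addressed to its default gateway, the L3 switch
    frame = build_frame("00:aa:00:11:11:11", "00:00:0c:11:11:11", "10.1.1.10", "10.20.10.2", 64, b"hello")
    status, out = rewrite(frame, out_if_mac="00:00:0c:22:22:22", next_hop_mac="00:aa:00:22:22:22")
    ip = out[14:34]
    return {"status": status,
            "dst_mac": out[0:6].hex(":"), "src_mac": out[6:12].hex(":"),
            "ttl": ip[8], "ip_checksum_ok": ipv4_checksum(ip) == 0,
            "fcs_ok": fcs(out[:-4]) == out[-4:],
            "payload_unchanged": out[34:-4] == frame[34:-4]}
```

Verifying the incoming IP checksum before rewriting matters: a corrupted header that is silently "fixed" by the recompute would be forwarded as valid, whereas a real rewrite engine drops it.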

CEF

Catalyst switches do not support routing of all types of frames in hardware.
For example, the following common frame types are not supported by hardware switching and must be punted (sent to the Layer 3 engine for processing):
  Packets with IP header options
  Packets sourced from or destined to tunnel interfaces
  Packets using Ethernet encapsulation types other than ARPA
  Packets that require fragmentation (exceed the MTU of the interface)
Because punted traffic is handled in software by the Layer 3 engine, a stream of such packets loads the control plane far more than the same volume of hardware-switched traffic.

Two types of CEF
  Central CEF (or Accelerated CEF): forwarding decisions are made by an ASIC that is central to all interfaces.
  Distributed CEF (dCEF): forwarding decisions are made independently on the interfaces or line modules/line cards (faster).


Enabling CEF

The commands required to enable CEF are platform dependent:
On the Cisco Catalyst 4000 switch (global configuration):
Switch(config)# ip cef
On the Cisco Catalyst 3550 switch (per interface):
Switch(config-if)# ip route-cache cef

Verifying CEF

Switch# show ip cef [type mod/port | vlan_interface] [detail]

Switch# show ip cef vlan 11 detail
IP CEF with switching (Table Version 11), flags=0x0
  10 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0
  13 leaves, 12 nodes, 14248 bytes, 14 inserts, 1 invalidations
  0 load sharing elements, 0 bytes, 0 references
  universal per-destination load sharing algorithm, id 4B936A24
  2(0) CEF resets, 0 revisions of existing leaves
  Resolution Timer: Exponential (currently 1s, peak 1s)
  0 in-place/0 aborted modifications
  refcounts: 1061 leaf, 1052 node
  Table epoch: 0 (13 entries at this epoch)
172.16.11.0/24, version 6, epoch 0, attached, connected
  0 packets, 0 bytes
  via Vlan11, 0 dependencies
    valid glean adjacency

Verify Layer 3 Switching

Switch# show interface {{type mod/port} | {port-channel number}} | begin L3

Switch# show interface fastethernet 3/3 | begin L3
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 12 pkt, 778 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
  4046399 packets input, 349370039 bytes, 0 no buffer
  Received 3795255 broadcasts, 2 runts, 0 giants, 0 throttles
  .....
Switch#

Displaying Hardware Layer 3 Switching Statistics

Switch# show interfaces {{type mod/port} | {port-channel number}} | include switched

Switch# show interfaces gigabitethernet 9/5 | include switched
  L2 Switched: ucast: 8199 pkt, 1362060 bytes - mcast: 6980 pkt, 371952 bytes
  L3 in Switched: ucast: 3045 pkt, 742761 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 2975 pkt, 693411 bytes - mcast: 0 pkt, 0 bytes

Adjacency Information

Switch# show adjacency [{{type mod/port} | {port-channel number}} | detail | internal | summary]

Switch# show adjacency gigabitethernet 9/5 detail
Protocol Interface                 Address
IP       GigabitEthernet9/5        172.20.53.206(11)
                                   504 packets, 6110 bytes
                                   00605C865B82
                                   000164F83FA50800
                                   ARP        03:49:31

The two hex lines are the 14-byte rewrite string: destination MAC 0060.5C86.5B82, source MAC 0001.64F8.3FA5, EtherType 0800.

Debugging CEF Operations

Switch# debug ip cef {drops | access-list | receive | events | prefix-ipc | table}
  Displays debug information for CEF

Switch# debug ip cef {ipc | interface-ipc}
  Displays debug information related to IPC in CEF

Switch# ping ip
  Performs an extended ping

CEF Summary

Layer 3 switching is high-performance packet switching in hardware.
MLS functionality can be implemented through CEF.
CEF uses tables in hardware to forward packets.
Specific commands are used to enable and verify CEF operations.
Commands to enable CEF are platform dependent.
CEF problems can be matched to specific solutions.
Specific commands are used to troubleshoot and solve CEF problems.
Ordered steps assist in troubleshooting CEF-based problems.

DHCP

IP Broadcast Forwarding

DHCP clients send their requests as IP broadcasts to 255.255.255.255.
Routers do not forward these packets by default.
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a unicast address.

DHCP Relay Agent

MLS(config)# interface vlan 1
MLS(config-if)# description DHCP Server VLAN
MLS(config-if)# ip address 10.1.1.1 255.255.255.0
MLS(config-if)# no ip directed-broadcast
MLS(config)# interface vlan 2
MLS(config-if)# description DHCP clients
MLS(config-if)# ip address 10.2.1.1 255.255.255.0
MLS(config-if)# no shutdown
MLS(config-if)# no ip directed-broadcast
MLS(config-if)# ip helper-address 10.1.1.254

Layer 3 devices do not forward broadcasts.
What issue does this cause for DHCP servers?
  Without a relay, each subnet requires its own DHCP server.
To enable the DHCP relay agent feature, configure the ip helper-address command with the DHCP server IP address(es) on the client VLAN interfaces. The relay converts the client's broadcast into a unicast to the server and fills in the giaddr field with the address of the receiving interface, which is how the server selects the right scope.

DHCP Relay Agent

The ip helper-address command forwards not only DHCP UDP packets but also TFTP, DNS, Time, NetBIOS, name server, and BOOTP packets by default.
By default, the ip helper-address command forwards eight UDP services: TFTP (69), DNS (53), Time (37), NetBIOS name service (137), NetBIOS datagram service (138), BOOTP/DHCP server (67) and client (68), and TACACS (49); some IOS releases also list the obsolete IEN-116 name service (42). Anything in that list the client VLAN does not need should be removed with no ip forward-protocol udp, otherwise the helper relays those broadcasts to the DHCP server as well.

DHCP Relay Agent

MLS(config)#interface vlan 1
MLS(configif)#description DHCP Server VLAN
MLS(config-if)#ip address 10.1.1.1 255.255.255.0
MLS(config-if)#no ip directed-broadcast
MLS(config)#interface vlan 2
MLS(config-ig)#description DHCP clients
MLS(config-if)#ip address 10.1.2.1 255.255.255.0
MLS(config-if)#no shutdown
MLS(config-if)#no ip directed-broadcast
MLS(config-if)#ip helper-address 10.1.1.254

See Improving Security on Routers:
http://www.cisco.com/warp/public/707/21.html

ip helper-address: make sure ip directed-broadcast is not configured on any outbound interfaces that the UDP broadcast packets need to traverse.
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (all-ones destination MAC address, FF-FF-FF-FF-FF-FF).
This has been the default behavior since Cisco IOS Release 12.0, implemented as a security measure.
70

UDP Broadcast Forwarding


Router(config)#interface vlan 1
Router(config-if)#ip address 10.100.1.1 255.255.255.0
Router(config-if)#ip helper-address 10.200.1.254
Router(config)#ip forward-protocol udp mobile-ip
Router(config)#no ip forward-protocol udp netbios-ns

To specify additional UDP broadcasts for forwarding by the router when configuring the ip helper-address interface command, use the following global command:
ip forward-protocol udp [port]
Use the no option to remove default or configured applications.
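As an added example (not from the slides or from Cisco), a Python check that reads an IOS-style config fragment, works out which UDP ports ip helper-address will relay after any ip forward-protocol udp changes, and flags ip directed-broadcast left enabled on a device that relays UDP broadcasts, the caveat the previous slide makes. The keyword-to-port table and the sample config are my own constructions.

```python
import re

# Cisco IOS keyword -> UDP port for the eight services that ip helper-address
# relays by default, plus mobile-ip as used on the slide (port values are from
# my own knowledge of IOS, not from the slides).
UDP_KEYWORDS = {"time": 37, "tacacs": 49, "domain": 53, "bootps": 67,
                "bootpc": 68, "tftp": 69, "netbios-ns": 137,
                "netbios-dgm": 138, "mobile-ip": 434}
DEFAULT_PORTS = frozenset(p for k, p in UDP_KEYWORDS.items() if k != "mobile-ip")

def audit_helper_config(config: str) -> dict:
    """Walk an IOS config and report the UDP relay state it produces."""
    ports = set(DEFAULT_PORTS)          # UDP ports currently relayed
    helpers, directed, findings, iface = {}, set(), [], None
    for line in (raw.strip() for raw in config.splitlines()):
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]
        elif line.startswith("ip helper-address "):
            helpers.setdefault(iface, []).append(line.split()[-1])
        elif line == "ip directed-broadcast":
            directed.add(iface)
        elif line == "no ip directed-broadcast":
            directed.discard(iface)
        else:
            m = re.fullmatch(r"(no )?ip forward-protocol udp (\S+)", line)
            if not m:
                continue
            key = m.group(2)
            port = int(key) if key.isdigit() else UDP_KEYWORDS.get(key)
            if port is not None:        # unknown keyword: ignore it
                (ports.discard if m.group(1) else ports.add)(port)
    if helpers and directed:
        findings.append(f"ip directed-broadcast enabled on {sorted(directed)} "
                        "while this device relays UDP broadcasts: relayed "
                        "traffic can become a physical (all-ones MAC) broadcast")
    return {"ports": ports, "helpers": helpers, "directed": directed,
            "findings": findings}

# Constructed sample: the slide's VLAN 1 relay config plus a server-side VLAN
# where someone re-enabled directed broadcasts.
SAMPLE_CONFIG = """
interface vlan 1
 ip helper-address 10.200.1.254
 no ip directed-broadcast
interface vlan 200
 ip directed-broadcast
ip forward-protocol udp mobile-ip
no ip forward-protocol udp netbios-ns
"""
```

Running audit_helper_config(SAMPLE_CONFIG) shows port 137 dropped and 434 added to the relayed set, and one finding for the VLAN 200 interface.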

71

Enterprise Network Design

Hierarchical approach

Hierarchical approach to network design enables the network to be:
Efficient: connects users with the resources they need regardless of location; predictable behavior; high availability.
Intelligent: recovers from failures and topology changes quickly in a predetermined manner.
Scalable: supports future expansions and upgrades.
Easily managed: low maintenance.

73

Layers

(Figure: Core layer above two Distribution/Access pairs)

Access Layer
Provides:
End users connect to the network
Layer 2 (VLAN) connectivity
Capabilities:
Low cost per switch port
High port density
Scalable uplinks to higher layers
VLAN membership, QoS
Resiliency through multiple links
74

Layers

(Figure: Core layer above two Distribution/Access pairs)

Distribution Layer
Provides:
Interconnection between access and core layers
Sometimes called building distribution switches
VLANs and broadcast domains converge (end) here
Where switching (VLANs) meets routing
Capabilities:
Aggregation of multiple access-layer devices
High Layer 3 throughput for packet handling (routing)
Security and policy-based connectivity functions through access lists or packet filters
QoS
Scalable and resilient high-speed links to core and access layers

75

Layers

(Figure: Core layer above two Distribution/Access pairs)

Core Layer (Backbone)
Provides:
Connectivity of all distribution layer devices to the backbone
Efficient packet switching
Capabilities:
High Layer 3 throughput
No costly or unnecessary packet manipulations (ACLs)
Redundancy and resiliency for high availability
Advanced QoS
76

Switch Block
(Figure: switch block of two distribution switches with their access switches)

Switch Block consists of:
Two distribution switches that aggregate one or more access layer switches.
Each access layer switch has a pair of uplinks, one to each distribution switch.
Distribution switches may or may not have a link between them.
Many different options!
77

Switch Block
(Figure: switch block of two distribution switches with their access switches)

Switch Block
Contains switching devices from the access and distribution layers.
All switch blocks connect to the core block (campus backbone).
Contains both Layer 2 and Layer 3 functionality:
Distribution Layer confines STP and VLANs.
Access Layer supports individual VLANs.

78

Switch Block and Core Block


(Figure: Core connected to three Switch Blocks)

Switch Block
Group of access layer switches connected to their distribution
switches.
Core Block
Core switches that connect switch blocks.
The campus network backbone.
79

Typical Switch Block Design


(Figure: Core; two L3 distribution switches; L2 uplinks to access switches, each access switch carrying VLANs A and B)

Switch block becomes fully dependent upon STP convergence for paths and loop-free connectivity.
Should configure multiple root bridges to take advantage of redundant links.
Redundant links remain unused unless load balancing with PVST+ (RSTP).
Various adaptations of this exist.

80

Best Practice Switch Block Design: Option A


(Figure: Core; two L3 distribution switches joined by an L3 link; L2 uplinks to access switches, VLAN A on one access switch and VLAN B on the other)

Layer 2 connectivity contained at the access layer
Distribution Layer has only Layer 3 links.
VLANs do not span across switches at all.
Access Switches:
VLANs contained within a single access layer switch, switch chassis or stacked switch
Layer 2 uplinks to distribution switch
No dependence upon STP convergence
Layer 3 link between distribution switches

81

Best Practice Switch Block Design: Option B


(Figure: Core; two L3 distribution switches; L3 links down to the access switches)

Limit Layer 2 VLANs to the access layer switches.
No dependence on STP convergence.
Network convergence and stability are provided by the routing protocol.

82

Core Block

Connects two or more switch blocks in a campus network.
Two basic core block designs:
Collapsed Core
Dual Core

83

Collapsed Core

(Figure: collapsed core with Layer 3 links)

Collapsed Core: the hierarchy's core layer is collapsed into the distribution layer switches.
Both distribution and core layer functions are provided within the same switch.
Found in smaller campus networks where the additional cost and performance of separate core switches is not warranted.
84

Dual Core
(Figure: dual core with Layer 3 links)

Dual Core: connects two or more switch blocks in a redundant fashion.
More scalable than the collapsed core.

85

For more information

Enterprise Campus 3.0 Architecture: Overview and Framework
http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html

86

