
CIS 187 Multilayer Switched Networks CCNP Switch Inter-VLAN Routing, Multilayer Switching and CEF

Rick Graziani Cabrillo College graziani@cabrillo.edu Spring 2010

Inter-VLAN Routing

Internetwork Communications
C:>ping 172.16.30.100

- Can two hosts on different subnets communicate without a router? No.
- What would happen if a host tried to ping another host? They could not communicate.
- Would it send an ARP Request? Why or why not? The host would not send an ARP Request because there is no default gateway.

Internetwork Communications

- If the destination is on the same subnet, the Destination MAC Address is that of the same device as the Destination IP Address. Check the ARP cache for an entry for the Destination IP Address and its MAC Address. If there is no entry, send an ARP Request for the Destination IP Address asking for its MAC Address.

- If the destination is on a different subnet, the Destination MAC Address will be that of the Default Gateway. Check the ARP cache for an entry for the Default Gateway's IP Address and its MAC Address. If there is no entry, send an ARP Request for the Default Gateway's IP Address asking for its MAC Address.

InterVLAN Routing

[Figure: three ways to route between VLANs 1, 2 and 3: an external router with one physical link per VLAN; a router on a stick reached over a trunk carrying VLANs 1, 2, 3; a multilayer switch connected to the VLANs directly or over a trunk.]

External Router:
Router(config)# inter fa 0/1
Router(config-if)# ip address 172.16.1.1 255.255.255.0
Router(config)# inter fa 0/2
Router(config-if)# ip address 172.16.2.1 255.255.255.0
Router(config)# inter fa 0/3
Router(config-if)# ip address 172.16.3.1 255.255.255.0

Configure Router On A Stick: 802.1Q Trunk Link


interface GigabitEthernet5/0
 no shutdown          ! Does not show in config
!
interface GigabitEthernet5/0.2
 description VLAN 2
 encapsulation dot1Q 2 native
 ip address 172.16.1.2 255.255.255.0
!
interface GigabitEthernet5/0.10
 description VLAN 10
 encapsulation dot1Q 10
 ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet5/0.20
 description VLAN 20
 encapsulation dot1Q 20
 ip address 172.16.20.1 255.255.255.0
!
interface GigabitEthernet5/0.30
 description VLAN 30
 encapsulation dot1Q 30
 ip address 172.16.30.1 255.255.255.0
!
interface GigabitEthernet5/0.40
 description VLAN 40
 encapsulation dot1Q 40
 ip address 172.16.40.1 255.255.255.0

[Figure: host 172.16.10.100/24 in VLAN 10 and host 172.16.20.100/24 in VLAN 20 connect to the switch; the switch port facing the router is a trunk.]

interface GigabitEthernet1/1
 switchport mode trunk

- Router on a stick is very simple to implement.

Multilayer Switches

Multilayer Switch Interfaces


[Figure: a multilayer switch with Layer 2 access or trunk ports, a logical Layer 3 interface (SVI) and a physical Layer 3 interface.]

- Performs both Layer 2 switching and inter-VLAN routing.
- Layer 2 interface: access or trunk ports.
- Layer 3 interface: has an IP address assigned to it and is the default gateway for any hosts connected to that interface or VLAN. Two kinds:
  - Physical interface: same as a router interface, also known as a routed port. Example: interface gigabit 0/1
  - Logical interface: represents an entire VLAN, the Switched Virtual Interface (SVI). Example: interface vlan 10

Multilayer Switch Interfaces


[Figure: Layer 2 access or trunk ports, a logical interface (SVI, Layer 3) and a physical interface (Layer 3).]

DLS1# show interface gig 0/2 switchport
Name: Gig0/2
Switchport: Enabled
<output omitted>

- Layer 2 or Layer 3 interface? Default on most Catalyst switches: Layer 2. Default on the Catalyst 6500: Layer 3.
- Verify the mode with: Switch# show interface type mod/num switchport. Switchport: think Layer 2. Enabled means Layer 2; Disabled means Layer 3.

Multilayer Switch Interfaces

DLS1# show interface gig 0/2 switchport
Name: Gig0/2
Switchport: Disabled          (Layer 3)
<output omitted>
DLS1# config t
DLS1(config)# interface gig 0/2
DLS1(config-if)# switchport   (converts the interface to Layer 2)
DLS1(config-if)# end
DLS1# show interface gig 0/2 switchport
Name: Gig0/2
Switchport: Enabled           (Layer 2)
<output omitted>

- If the port is in Layer 3 mode, the switchport interface command puts it into Layer 2 mode.

Layer 3 Port Configuration Physical Interfaces

DLS1(config)# interface gig 0/1
DLS1(config-if)# no switchport
DLS1(config-if)# ip address 192.168.1.1 255.255.255.252

DLS2(config)# interface gig 0/1
DLS2(config-if)# no switchport
DLS2(config-if)# ip address 192.168.1.2 255.255.255.252

- Physical switch ports can operate as Layer 3 interfaces using the interface command:
Switch(config)# interface type mod/num
Switch(config-if)# no switchport
Switch(config-if)# ip address ip-address mask

Try it
- Download: PT-TopologySwitchBlockMLS.pkt
- Configure the appropriate interfaces in DLS1 and DLS2 with physical Layer 3 addresses.
- Note: Core has the first host addresses.

- What happens if you configure the IP address BEFORE issuing the no switchport command?

DLS1(config)# interface gig 0/1
DLS1(config-if)# no switchport
DLS1(config-if)# ip address 192.168.1.1 255.255.255.252
DLS1(config-if)# no shutdown
DLS1(config)# interface fa 0/1
DLS1(config-if)# no switchport
DLS1(config-if)# ip address 192.168.1.5 255.255.255.252
DLS1(config-if)# no shutdown

DLS2(config)# interface gig 0/1
DLS2(config-if)# no switchport
DLS2(config-if)# ip address 192.168.1.2 255.255.255.252
DLS2(config-if)# no shutdown
DLS2(config)# interface fa 0/2
DLS2(config-if)# no switchport
DLS2(config-if)# ip address 192.168.1.10 255.255.255.252
DLS2(config-if)# no shutdown

- Verify by pinging the neighbor interface.

Physical Interfaces and EtherChannel

[Figure: SwitchA (192.168.2.1) and SwitchB (192.168.2.2) connected by a Layer 3 EtherChannel.]

SwitchA(config)# interface port-channel 5
SwitchA(config-if)# no switchport
SwitchA(config-if)# ip address 192.168.2.1 255.255.255.252

SwitchB(config)# interface port-channel 5
SwitchB(config-if)# no switchport
SwitchB(config-if)# ip address 192.168.2.2 255.255.255.252

- If several interfaces are bundled together using EtherChannel, the IP address is assigned to the port-channel interface, not the individual physical links.
- To configure Layer 3 EtherChannels: first you must create the port-channel logical interface, then you add the Ethernet ports into the port-channel.

What about EtherChannel Interfaces?


[Figure: SwitchA Port-channel 5 (192.168.2.1) and SwitchB Port-channel 5 (192.168.2.2), each bundling Fa 0/11 and Fa 0/12.]

SwitchA(config)# interface port-channel 5
SwitchA(config-if)# no switchport
SwitchA(config-if)# ip address 192.168.2.1 255.255.255.252
SwitchA(config)# interface range fa 0/11 - 12
SwitchA(config-if-range)# no ip address
SwitchA(config-if-range)# no switchport
SwitchA(config-if-range)# channel-group 5 mode active

SwitchB(config)# interface port-channel 5
SwitchB(config-if)# no switchport
SwitchB(config-if)# ip address 192.168.2.2 255.255.255.252
SwitchB(config)# interface range fa 0/11 - 12
SwitchB(config-if-range)# no ip address
SwitchB(config-if-range)# no switchport
SwitchB(config-if-range)# channel-group 5 mode active

First you must create the port-channel logical interface, then you add the Ethernet ports into the port-channel. LACP is used in this example. Remember, the channel-group number is associated with the port-channel interface.

SwitchA# show ip inter brief
Port-channel5    192.168.1.1    YES manual up    up
SwitchA# ping 192.168.1.2
!!!!!
SwitchA# show ether summ
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port

Number of channel-groups in use: 1
Number of aggregators:           1

Group  Port-channel  Protocol    Ports
------+-------------+-----------+----------------------------------------------
5      Po5(RU)       LACP        Fa0/11(P)   Fa0/12(P)
DLS1#

SVI Interfaces - Logical Interfaces

Switch(config)# vlan vlan-number
Switch(config-vlan)# name vlan-name
SwitchA(config)# interface vlan vlan-number
SwitchA(config-if)# ip address ip-address mask
SwitchA(config-if)# no shutdown

- Layer 3 functionality can also be enabled for an entire VLAN. The IP address is assigned to the logical interface of the VLAN.
- This is needed when routing is required between VLANs.
- SVI (Switched Virtual Interface): no physical connection.
- VLANs must be created before the SVI can be used.
- The IP address associated with the VLAN interface is the default gateway of the workstation.

Remember our Switch Block

- We created the SVI interfaces!
- I will have you recreate some of them.

Creating VLANs
- DLS1: Create and name the user VLANs: 10, 11, 20 and 21.
- DLS1: Create and name a Management VLAN (used to telnet into switches).
- DLS1: Create and name a NATIVE VLAN other than VLAN 1 (default).
- DLS1: Create and name a Garbage VLAN (assigned to all unused ports). All ports that are not used (trunks and access) will be assigned as an access port to this VLAN.

DLS1:
vlan 2
 name NATIVE
vlan 10
 name Engineering
vlan 11
 name IT
vlan 20
 name Sales
vlan 21
 name Administration
vlan 99
 name ManagementVLAN
vlan 222
 name GarbageVLAN

Management VLAN
- For each device in the network we configured it to be a member of the management VLAN.

On each switch:
Switch(config)# inter vlan 99
Switch(config-if)# description Management VLAN
Switch(config-if)# ip address 172.16.99.x 255.255.255.0
Switch(config-if)# no shutdown

Default Gateway
- Configure DLS1 to be the default gateway for VLANs 10 and 11.
- All hosts on these VLANs will use these addresses as their default gateway addresses.

DLS1(config)# inter vlan 10
DLS1(config-if)# description Engineering VLAN
DLS1(config-if)# ip address 172.16.10.1 255.255.255.0
DLS1(config-if)# no shutdown
DLS1(config)# inter vlan 11
DLS1(config-if)# description IT VLAN
DLS1(config-if)# ip address 172.16.11.1 255.255.255.0
DLS1(config-if)# no shutdown

Default Gateway
- Configure DLS2 to be the default gateway for VLANs 20 and 21.
- All hosts on these VLANs will use these addresses as their default gateway addresses.

DLS2(config)# inter vlan 20
DLS2(config-if)# description Sales VLAN
DLS2(config-if)# ip address 172.16.20.1 255.255.255.0
DLS2(config-if)# no shut
DLS2(config)# inter vlan 21
DLS2(config-if)# description Administration VLAN
DLS2(config-if)# ip address 172.16.21.1 255.255.255.0
DLS2(config-if)# no shut

Verifying
- Verify IP addresses

DLS1#show ip inter brief
Interface           IP-Address      OK? Method Status   Protocol
FastEthernet0/1     192.168.4.6     YES manual up       up
GigabitEthernet0/1  192.168.1.1     YES manual up       up
Vlan10              172.16.10.1     YES manual up       up
Vlan11              172.16.11.1     YES manual up       up
Port-channel 1      unassigned      YES manual up       up
DLS1#

Configuring a Routed Port


Step 1: Configure IP routing.
Switch(config)#ip routing

Step 2: Create a routed port.
Switch(config)#interface type mod/num
Switch(config-if)#no switchport

Step 3: Assign an IP address to the routed port.
Switch(config-if)#ip address ip-address mask

Step 4: Configure the IP routing protocol if needed.
Switch(config)#router ip_routing_protocol <options>

Configuring Inter-VLAN Routing Through an SVI


Step 1: Configure IP routing.
Switch(config)#ip routing

Step 2: Create an SVI interface.
Switch(config)#interface vlan vlan-id

Step 3: Assign an IP address to the SVI.
Switch(config-if)#ip address ip-address mask

Step 4: Configure the IP routing protocol if needed.
Switch(config)#router ip_routing_protocol <options>

Enabling CEF (Cisco Express Forwarding)


The commands required to enable CEF are platform dependent. On the Cisco Catalyst 3550 switch (enabled by default):
Switch(config-if)#ip route-cache cef

- We are going to discuss CEF and Multilayer Switching next.
- The 3550/3560 has CEF enabled by default.
- The only thing left is to configure routing on the two distribution layer switches.

Routing
- Enable routing on DLS1 and DLS2.
- Configure EIGRP on DLS1 and DLS2. Turn off auto-summarization.

DLS1(config)# ip routing
DLS1(config)# router eigrp 1
DLS1(config-router)# network 172.16.0.0
DLS1(config-router)# network 192.168.1.0
DLS1(config-router)# no auto-summary

DLS2(config)# ip routing
DLS2(config)# router eigrp 1
DLS2(config-router)# network 172.16.0.0
DLS2(config-router)# network 192.168.1.0
DLS2(config-router)# no auto-summary

Verifying
- Verify routing

DLS1#show ip route
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/25628160] via 192.168.1.5, 00:00:07, FastEthernet0/1          <- Core network
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.10.0 is directly connected, Vlan10
C       172.16.11.0 is directly connected, Vlan11
D       172.16.20.0 [90/25625856] via 192.168.1.2, 01:29:41, GigabitEthernet0/1   <- DLS2 networks (VLANs)
D       172.16.21.0 [90/25625856] via 192.168.1.2, 01:29:41, GigabitEthernet0/1   <- DLS2 networks (VLANs)
C       172.16.99.0 is directly connected, Vlan99
     192.168.1.0/30 is subnetted, 3 subnets
C       192.168.1.0 is directly connected, GigabitEthernet0/1
C       192.168.1.4 is directly connected, FastEthernet0/1
D       192.168.1.8 [90/28416] via 192.168.1.2, 01:17:18, GigabitEthernet0/1      <- network between DLS2 and Core
DLS1#

Traditional and CEF Based Multilayer Switching

[Figure: Multilayer Switching splits into Traditional MLS and CEF-Based MLS.]

- Multilayer switching: the ability of a Catalyst switch to support switching and routing of packets in hardware, with optional support for Layers 4 through 7 switching in hardware as well.
- A route processor (or Layer 3 engine) must download software-based routing, switching, access list, QoS, and other information to the hardware for packet processing.

Traditional and CEF-based MLS

[Figure: Traditional MLS versus CEF-Based MLS.]

- Cisco Catalyst switches use either:
  - Traditional multilayer switching (traditional MLS), a legacy feature, or
  - the Cisco Express Forwarding (CEF)-based MLS architecture.
- All leading-edge Catalyst switches support CEF-based multilayer switching.

Traditional MLS

[Figure: the Route Processor (RP) and the Switching Engine (SE).]

- Dual effort between the Route Processor (RP) and the Switching Engine (SE).
- Traditional MLS: route once, switch many.
- Specialized Application-Specific Integrated Circuits (ASICs) perform the Layer 2 rewrite operations of routed packets: source MAC address, destination MAC address, cyclic redundancy check (CRC). Because the source and destination MAC addresses change during Layer 3 rewrites, the switch must recalculate the CRC for these new MAC addresses.

Traditional MLS

- SE: listens in on the first packet going to the router (RP) and coming back from the router (RP). If the SE can switch the packet in both directions, it can learn a shortcut path for subsequent packets to use, thus bypassing the router (RP).
- This technique is also known as NetFlow-based switching.
- With traditional MLS, the Layer 3 engine (route processor) and switching ASICs work together to build Layer 3 entries on the switch.

Traditional MLS

[Figure: MSFC, RSFC and RSM hardware.]

- Hardware consists of an independent RP and a NetFlow-capable SE.
- NetFlow switching (or route cache switching) is performed on Cisco hardware such as:
  - Catalyst 6000 Supervisor 1/1a and Multilayer Switch Feature Card (MSFC)
  - Catalyst 5500 with a Route Switch Module (RSM)
  - Route Switch Feature Card (RSFC)
  - External router

Traditional MLS

[Figure: frame from Workstation A as it enters the switch on VLAN 1]
  dot1q tag (inside the Ethernet header): VLAN 1
  Ethernet header: D-MAC = 00-00-0C-11-11-11, S-MAC = 00-AA-00-11-11-11
  IP header: S-IP = 10.1.1.10, D-IP = 10.1.2.20
  IP data

- The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching/routing.
- After the routing of the first packet in the flow, the Layer 3 engine programs the hardware-switching components for routing of subsequent packets.

Candidate entry recorded by the MLS-SE:
  Layer 3 info: S-IP 10.1.1.10, D-IP 10.1.2.20
  Layer 2 info: S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11

MLS-SE: "The Destination MAC Address is one of the router's interfaces. There is not an existing flow, so I will flag this as a candidate packet."

[Figure: frame from Workstation A toward the MLS-RP, on VLAN 1]
  dot1q tag (inside the Ethernet header): VLAN 1
  Ethernet header: D-MAC = 00-00-0C-11-11-11, S-MAC = 00-AA-00-11-11-11
  IP header: S-IP = 10.1.1.10, D-IP = 10.1.2.20
  IP data

- Workstation A sends a packet to Workstation B. Workstation A sends the packet to its default gateway (which is the RSM).
- The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP).
- As a result, the switch creates a candidate entry for this flow.

[Figure: frame from the MLS-RP (RSM) toward Workstation B, on VLAN 2]
  dot1q tag (inside the Ethernet header): VLAN 2
  Ethernet header: D-MAC = 00-AA-00-22-22-22, S-MAC = 00-00-0C-22-22-22
  IP header: S-IP = 10.1.1.10, D-IP = 10.1.2.20
  IP data

- Next, the router accepts the packet from Workstation A, rewrites the Layer 2 MAC addresses and CRC, and forwards the packet to Workstation B.
- The switch refers to the routed packet from the RSM as the enabler packet.

Candidate entry recorded by the MLS-SE:
  Layer 3 info: S-IP 10.1.1.10, D-IP 10.1.2.20
  Layer 2 info: S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11

[Figure: enabler frame from the MLS-RP toward Workstation B, on VLAN 2]
  dot1q tag (inside the Ethernet header): VLAN 2
  Ethernet header: D-MAC = 00-AA-00-22-22-22, S-MAC = 00-00-0C-22-22-22
  IP header: S-IP = 10.1.1.10, D-IP = 10.1.2.20
  IP data

- The MLS-SE recognizes various matches, including CAM matches; details are not included here.
- Basically, the MLS-SE recognizes that the packet going out on VLAN 2 is the same one that came in on VLAN 1.
- The switch, upon seeing both the candidate and enabler packets, creates an MLS entry in hardware (the MLS cache) such that the switch rewrites and forwards all future packets matching this flow.

Candidate entry recorded by the MLS-SE:
  Layer 3 info: S-IP 10.1.1.10, D-IP 10.1.2.20
  Layer 2 info: S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11

MLS-SE: "Found a match in the MLS cache; rewrite the Ethernet header and send directly to Host B, forget the router!"

MLS cache entry used for future packets of this flow:
Dst IP     Src IP     Port  Dst Port  Src Port  Dst MAC            Src MAC            VLAN  Interface
10.1.2.20  10.1.1.10  TCP   23        1238      00-AA-00-22-22-22  00-00-0C-22-22-22  2     3/1

- As future packets from the flow arrive, the MLS-SE uses the destination IP address to look up the entry in the MLS cache.
- Finding a match, the rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router).
- The rewrite operation modifies all the same fields initially modified by the router for the first packet, including the source MAC and destination MAC addresses.

CEF-based MLS


CEF

- The CEF-based MLS forwarding model is used to download the control plane information (such as access lists) to the data plane (on the supervisor, port, or line card) for hardware switching of packets.
  - The control plane represents the Layer 3 engine (route processor).
  - The data plane represents the hardware components, such as the ASICs used by the switch for hardware switching.
- CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB).
- The result is that switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses.

Routing Table

CEF
DLS1#show ip cef
Prefix               Next Hop         Interface
0.0.0.0/0            no route
0.0.0.0/32           receive
1.1.1.0/24           192.168.1.5      FastEthernet0/1
172.16.10.0/24       attached         Vlan10
172.16.10.0/32       receive          Vlan10
172.16.10.1/32       receive          Vlan10
172.16.10.255/32     receive          Vlan10
172.16.11.0/24       attached         Vlan11
172.16.11.0/32       receive          Vlan11
172.16.11.1/32       receive          Vlan11
172.16.11.255/32     receive          Vlan11
172.16.20.0/24       192.168.1.2      GigabitEthernet0/1
172.16.21.0/24       192.168.1.2      GigabitEthernet0/1
172.16.99.0/24       attached         Vlan99
172.16.99.0/32       receive          Vlan99
172.16.99.1/32       receive          Vlan99
172.16.99.255/32     receive          Vlan99
192.168.1.0/30       attached         GigabitEthernet0/1
192.168.1.0/32       receive          GigabitEthernet0/1
192.168.1.1/32       receive          GigabitEthernet0/1
192.168.1.2/32       192.168.1.2      GigabitEthernet0/1
192.168.1.3/32       receive          GigabitEthernet0/1
192.168.1.4/30       attached         FastEthernet0/1
192.168.1.4/32       receive          FastEthernet0/1
192.168.1.5/32       192.168.1.5      FastEthernet0/1
192.168.1.6/32       receive          FastEthernet0/1
192.168.1.7/32       receive          FastEthernet0/1
192.168.1.8/30       192.168.1.2      GigabitEthernet0/1
224.0.0.0/4          drop
224.0.0.0/24         receive
255.255.255.255/32   receive
DLS1#

The two main components of CEF are:
1. FIB
2. Adjacency table

Forwarding information base (FIB):
- Makes IP destination switching decisions.
- Similar to a routing table, reformatted into an ordered list with the most specific route first for each IP network/subnet in the routing table: ordered with the most specific (longest match) first, followed by less specific subnets.
- Mirror image of the forwarding information contained in the IP routing table.
- When routing or topology changes occur in the network, the IP routing table is updated, and those changes are reflected in the FIB.
- Maintains next-hop address information based on the information in the IP routing table.

CEF

- Adjacency tables: network nodes are said to be adjacent if they can reach each other with a single hop across a link layer (OSPF, EIGRP).
- A router normally maintains a routing table containing Layer 3 network and next-hop information, and an ARP table containing Layer 3 to Layer 2 address mapping. These tables are kept independently.

CEF

[Figure callouts: "Layer 2 MAC addresses, next-hop information" and "Next hop?" pointing at the adjacency entries below.]

DLS1# show adjacency detail
Protocol Interface                 Address
IP       Vlan99                    172.16.99.2
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 3
                                   Encap length 14
                                   0000603E24584400055E6D393C0800
                                   ARP
IP       GigabitEthernet0/1        192.168.1.2
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 3
                                   Encap length 14
                                   0000902B293019000C85B044190800
                                   ARP
IP       FastEthernet0/1           192.168.1.5
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 3
                                   Encap length 14
                                   0000024A0A4301000C85B044010800
                                   ARP
DLS1#

- Adjacency tables: the FIB keeps the Layer 3 next-hop address for each entry. To streamline packet forwarding even more, the FIB has corresponding Layer 2 information for every next-hop entry.
- This portion of the FIB is called the adjacency table, consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop.

CEF

[Figure callouts: "No ARP entry: the L3 forwarding engine can't forward the packet in hardware, must send it to the L3 Engine." and "I'll generate the ARP Request and get an ARP Reply."]

- Adjacency tables (summary, more detail coming): built from the ARP table. As a next-hop address receives a valid ARP entry, the adjacency table is updated.
- If an ARP entry does not exist, the FIB entry is marked as CEF glean. This means that the Layer 3 forwarding engine can't forward the packet in hardware, due to the missing Layer 2 next-hop address. The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply. This is known as the CEF glean state, where the Layer 3 engine must glean the next-hop destination's MAC address.

CEF

- Adjacency tables: what happens to subsequent packets while the FIB entry is in the glean state (the L3 engine is sending the ARP Request)? These packets are dropped, so input queues do not fill and the Layer 3 engine does not become too busy with duplicate ARP requests. This is called ARP throttling or throttling adjacency.
- If an ARP reply is not received in two seconds, the throttling is released so that another ARP request can be triggered.
- After the ARP reply is received: the throttling is released, the FIB entry can be completed, and subsequent packets can be forwarded in hardware.

ARP Throttling

1. Host A sends a packet to Host B. The CEF lookup shows a glean adjacency (no ARP entry exists, so there is no entry in the adjacency table). No rewrite information exists.
2. The packet is passed to the Layer 3 Engine for processing.

ARP Throttling
[Figure: the Layer 3 Engine sends an ARP Request for Host B; further packets from Host A are dropped (X) until the ARP Reply is received (throttling adjacency).]

3. Obtaining rewrite information. The L3 Engine sends an ARP Request for Host B and waits for the ARP Reply. Throttling adjacency: while in the glean state, subsequent packets to that host are dropped, so that input queues do not fill and the Layer 3 engine isn't busy with duplicate ARP Requests. (Note: Cisco routers drop the first packet when there is no ARP entry, while sending the ARP Request.)

The throttling adjacency is removed when no ARP Reply is received in 2 seconds. This allows another packet to initiate a new ARP Request. Throttling adjacency relieves the Layer 3 Engine of excessive ARP processing or ARP-based DoS attacks.

ARP Throttling

[Figure: Host B sends the ARP Reply; packets are still dropped (X) until the reply is received (throttling adjacency).]

4. Host B sends an ARP Reply.

ARP Throttling

[Figure: the adjacency for Host B (10.20.10.2, Host B's MAC address) is installed and the dropping stops.]

5. The Layer 3 Engine installs the adjacency for Host B and removes the throttling (drop) adjacency. Next: packet rewrite.
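To make the FIB lookup, adjacency table, glean state and ARP throttling from the last few slides concrete, here is a small Python model of that hardware forwarding path. It is an added example, not Cisco code or code from this course; the FIB entries are constructed from the DLS1 show ip cef output shown earlier, the MAC addresses and the injected clock are made up for the demonstration, and the drop-while-gleaning behaviour and the two-second throttle release follow the slides.

```python
import ipaddress

# Constructed FIB, modelled on the DLS1 'show ip cef' output earlier in this deck.
# (prefix, next hop, outbound interface). "attached" = directly connected, so the
# next hop is the destination host itself; "receive" = addressed to the switch;
# "no route" = no default route, so unmatched destinations are dropped.
SAMPLE_FIB = [
    ("0.0.0.0/0",       "no route",    None),
    ("1.1.1.0/24",      "192.168.1.5", "FastEthernet0/1"),
    ("172.16.10.0/24",  "attached",    "Vlan10"),
    ("172.16.10.1/32",  "receive",     "Vlan10"),
    ("172.16.20.0/24",  "192.168.1.2", "GigabitEthernet0/1"),
    ("192.168.1.0/30",  "attached",    "GigabitEthernet0/1"),
    ("192.168.1.8/30",  "192.168.1.2", "GigabitEthernet0/1"),
]

ARP_THROTTLE_SECONDS = 2.0   # slide: throttling is released if no ARP reply arrives in two seconds


def build_fib(entries):
    """CEF keeps the FIB ordered most-specific (longest prefix) first."""
    parsed = [(ipaddress.ip_network(p), nh, ifc) for p, nh, ifc in entries]
    return sorted(parsed, key=lambda e: e[0].prefixlen, reverse=True)


def fib_lookup(fib, dst_ip):
    """Longest-match lookup: the first entry of the ordered FIB that contains dst_ip."""
    addr = ipaddress.ip_address(dst_ip)
    for net, nh, ifc in fib:
        if addr in net:
            return net, nh, ifc
    return None


class CefForwarder:
    """Hardware forwarding path with an adjacency table, CEF glean and ARP throttling."""

    def __init__(self, fib_entries, clock):
        self.fib = build_fib(fib_entries)
        self.adjacency = {}      # next-hop IP -> MAC, filled in from ARP replies
        self.throttled = {}      # next-hop IP -> time the L3 engine sent its ARP request
        self.clock = clock       # callable returning seconds; injected so runs are deterministic
        self.arp_requests = []   # ARP requests the L3 engine generated (for inspection)
        self.stats = {"hardware": 0, "receive": 0, "glean": 0, "throttled": 0, "no_route": 0}

    def forward(self, dst_ip):
        """Return (action, outbound interface, next-hop MAC) for one packet to dst_ip."""
        entry = fib_lookup(self.fib, dst_ip)
        if entry is None or entry[1] == "no route":
            self.stats["no_route"] += 1
            return ("drop", None, None)
        _, next_hop, iface = entry
        if next_hop == "receive":            # addressed to the switch itself: punt to the L3 engine
            self.stats["receive"] += 1
            return ("receive", iface, None)
        if next_hop == "attached":           # directly connected: the host itself is the next hop
            next_hop = dst_ip
        mac = self.adjacency.get(next_hop)
        if mac is not None:                  # complete adjacency: rewrite and forward in hardware
            self.stats["hardware"] += 1
            return ("hardware", iface, mac)
        now = self.clock()
        sent_at = self.throttled.get(next_hop)
        if sent_at is None or now - sent_at >= ARP_THROTTLE_SECONDS:
            # Glean state: no Layer 2 rewrite information. Punt to the L3 engine, which sends
            # the ARP request and installs a throttling (drop) adjacency for this next hop.
            self.throttled[next_hop] = now
            self.arp_requests.append(next_hop)
            self.stats["glean"] += 1
            return ("glean", iface, None)
        # Throttling adjacency in place: drop so the input queue and the L3 engine are not
        # flooded with duplicate ARP work while the reply is outstanding.
        self.stats["throttled"] += 1
        return ("throttled", iface, None)

    def arp_reply(self, ip, mac):
        """The L3 engine learned the MAC: complete the adjacency and release the throttle."""
        self.adjacency[ip] = mac
        self.throttled.pop(ip, None)
```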

Packet Rewrite


Packet Rewrite
[Figure: a packet from Host A to Host B (10.20.10.2) crossing the L3 switch; the fields touched by the rewrite are the destination MAC (Host B's MAC address), the source MAC (the default gateway), the TTL, the L2 checksum and the L3 checksum.]

The switch receives another packet:
- After a multilayer switch finds valid entries in the FIB and adjacency tables, the packet is almost ready to be forwarded.
- One step remains: the packet header information must be rewritten.
- Multilayer switching occurs as quick table lookups: find the next-hop address and the outbound switch port.
- The IP header must also be adjusted, as if a traditional router had done the forwarding (TTL).

Packet Rewrite
[Figure: the rewritten packet: destination MAC = Host B's MAC address, source MAC = the L3 switch outbound interface (Host A's default gateway), TTL - 1, L2 checksum and L3 checksum recomputed.]

The packet rewrite engine makes the following changes to the packet just prior to forwarding:
- Layer 2 destination address: changed to the next-hop device's MAC address.
- Layer 2 source address: changed to the outbound Layer 3 switch interface's MAC address.
- Layer 3 IP Time To Live (TTL): decremented by one, as one router hop has just occurred.
- Layer 2 frame checksum: recalculated to include changes to the Layer 2 and Layer 3 headers.
- Layer 3 IP checksum: recalculated to include changes to the IP header.

Packet Rewrite
[Figure: same rewritten packet as above (Host B's MAC address, L3 switch outbound interface MAC, TTL - 1, recomputed L2 and L3 checksums).]

- A traditional router would normally make the same changes to each packet.
- The multilayer switch must act as if a traditional router were being used, making identical changes.
- The multilayer switch can do this very efficiently with dedicated packet rewrite hardware and with address information obtained from table lookups.

Packet Rewrite
[Figure: same rewritten packet as above, forwarded to Host B (10.20.10.2) on its VLAN.]

- The switch performs a Layer 3 lookup and finds a CEF entry for Host B.
- The switch rewrites the packet per the adjacency information and forwards it to Host B on its VLAN.
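The rewrite engine described on these slides, as an added Python example (not Cisco code or code from this course): it performs the five changes listed above on a constructed Ethernet/IPv4 frame that uses the MAC and IP addresses from the earlier MLS example, verifies the incoming FCS and IP header checksum first, and returns None for frames the hardware path would drop or punt (bad checksums, IP options, non-IPv4 encapsulation, TTL about to expire). The frame builder and the UDP payload are constructed for the demonstration.

```python
import struct
import zlib


def mac_bytes(text):
    """'00-AA-00-22-22-22' -> 6 raw bytes (accepts - or : separators)."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))


def ipv4_checksum(header):
    """RFC 1071 one's-complement sum. Over a header whose checksum field is valid it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ethernet_fcs(body):
    """Ethernet FCS: CRC-32 over destination MAC through payload, least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)


def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, payload, ihl=5):
    """Constructed test frame: Ethernet II (type 0x0800) + 20-byte IPv4 header + payload + FCS.
    ihl is only varied to fake an options-bearing header for the punt check."""
    eth = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00"
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(payload),
                     0x1234, 0, ttl, 17, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ipv4_checksum(ip)) + ip[12:]
    body = eth + ip + payload
    return body + ethernet_fcs(body)


def rewrite(frame, next_hop_mac, egress_mac):
    """
    The L3 switch rewrite from the slides: after the FIB/adjacency lookup, set the L2
    destination to the next hop's MAC, the L2 source to the outbound interface's MAC,
    decrement the TTL, and recompute the IP header checksum and the Ethernet FCS.
    Returns the new frame, or None when the hardware path drops or punts the packet.
    """
    body, fcs = frame[:-4], frame[-4:]
    if ethernet_fcs(body) != fcs:
        return None                      # bad FCS: drop
    if body[12:14] != b"\x08\x00":
        return None                      # not IPv4 over ARPA encapsulation: punt
    ip = body[14:34]
    if (ip[0] >> 4) != 4 or (ip[0] & 0x0F) != 5:
        return None                      # IP header options present: punt (not hardware switched)
    if ipv4_checksum(ip) != 0:
        return None                      # corrupt IP header: drop
    ttl = ip[8]
    if ttl <= 1:
        return None                      # TTL would expire: punt to the L3 engine for ICMP
    new_ip = ip[:8] + bytes([ttl - 1]) + ip[9:10] + b"\x00\x00" + ip[12:]
    new_ip = new_ip[:10] + struct.pack("!H", ipv4_checksum(new_ip)) + new_ip[12:]
    new_body = mac_bytes(next_hop_mac) + mac_bytes(egress_mac) + body[12:14] + new_ip + body[34:]
    return new_body + ethernet_fcs(new_body)
```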

CEF

- Catalyst switches do not support routing of all types of frames in hardware.
- For example, the following common frame types are not supported by hardware switching and must be punted (sent to the Layer 3 engine for processing):
  - Packets with IP header options
  - Packets sourced from or destined to tunnel interfaces
  - Packets using Ethernet encapsulation types other than ARPA
  - Packets that require fragmentation (exceed the MTU of the interface)
- Two types of CEF:
  - Central CEF or Accelerated CEF: forwarding decisions are made by an ASIC that is central to all interfaces.
  - Distributed CEF (dCEF): forwarding decisions are made independently on the interfaces or line modules/line cards (faster).


Enabling CEF
The commands required to enable CEF are platform dependent:

On the Cisco Catalyst 4000 switch:
Switch(config-if)#ip cef

On the Cisco Catalyst 3550 switch:
Switch(config-if)#ip route-cache cef

Verifying CEF
Switch#show ip cef [type mod/port | vlan_interface] [detail]

Switch# show ip cef vlan 11 detail
IP CEF with switching (Table Version 11), flags=0x0
  10 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0
  13 leaves, 12 nodes, 14248 bytes, 14 inserts, 1 invalidations
  0 load sharing elements, 0 bytes, 0 references
  universal per-destination load sharing algorithm, id 4B936A24
  2(0) CEF resets, 0 revisions of existing leaves
  Resolution Timer: Exponential (currently 1s, peak 1s)
  0 in-place/0 aborted modifications
  refcounts: 1061 leaf, 1052 node
  Table epoch: 0 (13 entries at this epoch)
172.16.11.0/24, version 6, epoch 0, attached, connected
0 packets, 0 bytes
  via Vlan11, 0 dependencies
    valid glean adjacency

Verify Layer 3 Switching


Switch#show interface {{type mod/port} | {port-channel number}} | begin L3

Switch#show interface fastethernet 3/3 | begin L3
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 12 pkt, 778 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
     4046399 packets input, 349370039 bytes, 0 no buffer
     Received 3795255 broadcasts, 2 runts, 0 giants, 0 throttles
     .....
Switch#

Displaying Hardware Layer 3 Switching Statistics


Switch#show interfaces {{type mod/port} | {port-channel number}} | include switched

Switch#show interfaces gigabitethernet 9/5 | include switched
  L2 Switched: ucast: 8199 pkt, 1362060 bytes - mcast: 6980 pkt, 371952 bytes
  L3 in Switched: ucast: 3045 pkt, 742761 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 2975 pkt, 693411 bytes - mcast: 0 pkt, 0 bytes

Adjacency Information
Switch#show adjacency [{{type mod/port} | {port-channel number}} | detail | internal | summary]

Switch#show adjacency gigabitethernet 9/5 detail
Protocol Interface                 Address
IP       GigabitEthernet9/5        172.20.53.206(11)
                                   504 packets, 6110 bytes
                                   00605C865B82 000164F83FA50800
                                   ARP        03:49:31

Debugging CEF Operations


Switch#debug ip cef {drops | access-list | receive | events | prefix-ipc | table}
  Displays debug information for CEF.

Switch#debug ip cef {ipc | interface-ipc}
  Displays debug information related to IPC in CEF.

Switch#ping ip
  Performs an extended ping.

CEF Summary
- Layer 3 switching is high-performance packet switching in hardware.
- MLS functionality can be implemented through CEF.
- CEF uses tables in hardware to forward packets.
- Specific commands are used to enable and verify CEF operations.
- Commands to enable CEF are platform dependent.
- CEF problems can be matched to specific solutions.
- Specific commands are used to troubleshoot and solve CEF problems.
- Ordered steps assist in troubleshooting CEF-based problems.

DHCP

IP Broadcast Forwarding

- DHCP uses IP broadcasts to the 255.255.255.255 address.
- Routers do not route these packets by default.
- Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a unicast address.

DHCP Relay Agent

MLS(config)#interface vlan 1
MLS(config-if)#description DHCP Server VLAN
MLS(config-if)#ip address 10.1.1.1 255.255.255.0
MLS(config-if)#no ip directed-broadcast
MLS(config)#interface vlan 2
MLS(config-if)#description DHCP clients
MLS(config-if)#ip address 10.2.1.1 255.255.255.0
MLS(config-if)#no shutdown
MLS(config-if)#no ip directed-broadcast
MLS(config-if)#ip helper-address 10.1.1.254

- Layer 3 devices do not forward broadcasts.
- What issue does this cause for DHCP servers? Each subnet would require its own DHCP server.
- To enable the DHCP relay agent feature, configure the ip helper-address command with the DHCP server IP address(es) on the client VLAN interfaces.

DHCP Relay Agent


The ip helper-address command not only forwards DHCP UDP packets but also forwards TFTP, DNS, Time, NetBIOS name server, and BOOTP packets by default. By default, the ip helper-address command forwards eight UDP services.

DHCP Relay Agent

MLS(config)#interface vlan 1
MLS(config-if)#description DHCP Server VLAN
MLS(config-if)#ip address 10.1.1.1 255.255.255.0
MLS(config-if)#no ip directed-broadcast
MLS(config)#interface vlan 2
MLS(config-if)#description DHCP clients
MLS(config-if)#ip address 10.1.2.1 255.255.255.0
MLS(config-if)#no shutdown
MLS(config-if)#no ip directed-broadcast
MLS(config-if)#ip helper-address 10.1.1.254

See Improving Security on Routers: http://www.cisco.com/warp/public/707/21.html

- ip helper-address: make sure ip directed-broadcast is not configured on any outbound interfaces that the UDP broadcast packets need to traverse.
- The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF).
- This is the default behavior since Cisco IOS Release 12.0, implemented as a security measure.

UDP Broadcast Forwarding


Router(config)#interface vlan 1
Router(config-if)#ip address 10.100.1.1 255.255.255.0
Router(config-if)#ip helper-address 10.200.1.254
Router(config)#ip forward-protocol udp mobile-ip
Router(config)#no ip forward-protocol udp netbios-ns

- To specify additional UDP broadcasts for forwarding by the router when configuring the ip helper-address interface command, use the following global command: ip forward-protocol udp port
- Use the no option to remove default or configured applications.
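To see what the relay agent decides for each broadcast on the client VLAN, here is the helper-address / forward-protocol logic modelled in Python. This is an added example, not Cisco IOS code: the default port set is the one IOS documents, while RelayAgent, build_sample, the interface names and the addresses are constructed.

```python
# Model of the IOS 'ip helper-address' / 'ip forward-protocol udp' relay
# decision. Added example, not Cisco code: the default port set is the one IOS
# documents; interface names, addresses and packets are constructed.
from dataclasses import dataclass, field

# UDP ports relayed by default once a helper address is configured:
# Time 37, TACACS 49, DNS 53, BOOTP/DHCP server 67, BOOTP/DHCP client 68,
# TFTP 69, NetBIOS name service 137, NetBIOS datagram service 138.
DEFAULT_FORWARD_PORTS = frozenset({37, 49, 53, 67, 68, 69, 137, 138})
# Keywords accepted by 'ip forward-protocol udp' (subset, IANA port numbers).
UDP_KEYWORDS = {"netbios-ns": 137, "netbios-dgm": 138, "mobile-ip": 434,
                "tftp": 69, "domain": 53, "bootps": 67, "bootpc": 68}

@dataclass
class RelayAgent:
    """Global forward-protocol port set plus per-SVI address and helper list."""
    forward_ports: set = field(default_factory=lambda: set(DEFAULT_FORWARD_PORTS))
    svi_addr: dict = field(default_factory=dict)   # "Vlan2" -> "10.1.2.1"
    helpers: dict = field(default_factory=dict)    # "Vlan2" -> ["10.1.1.254"]

    def forward_protocol_udp(self, port, enable=True):
        """'[no] ip forward-protocol udp <port|keyword>' (global config)."""
        port = UDP_KEYWORDS.get(port, port)
        (self.forward_ports.add if enable else self.forward_ports.discard)(port)

    def helper_address(self, ifname, svi_ip, helper_ip):
        """'ip helper-address <helper_ip>' on the SVI addressed svi_ip."""
        self.svi_addr[ifname] = svi_ip
        self.helpers.setdefault(ifname, []).append(helper_ip)

    def relay(self, ifname, dst, dport):
        """Unicast copies (new_src, new_dst) generated for one UDP broadcast
        received on ifname; [] means the Layer 3 switch simply drops it."""
        if dst != "255.255.255.255":      # limited broadcast only (simplified)
            return []
        if ifname not in self.helpers or dport not in self.forward_ports:
            return []
        # The agent re-sources the packet from the ingress SVI (for DHCP that
        # address is also giaddr, which the server uses to choose a scope) and
        # unicasts one copy per helper, so no directed broadcast is needed.
        return [(self.svi_addr[ifname], h) for h in self.helpers[ifname]]

def build_sample():
    """Constructed config like the slides: Vlan2 relays to 10.1.1.254."""
    agent = RelayAgent()
    agent.helper_address("Vlan2", "10.1.2.1", "10.1.1.254")
    agent.forward_protocol_udp("mobile-ip")
    agent.forward_protocol_udp("netbios-ns", enable=False)
    return agent
```

A DHCP DISCOVER (UDP 67) and a Mobile IP registration (UDP 434) from VLAN 2 are relayed as unicasts sourced from 10.1.2.1, while a NetBIOS name-service broadcast is dropped after the no ip forward-protocol line.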

Enterprise Network Design

Hierarchical approach

- A hierarchical approach to network design enables the network to be:
  - Efficient: connects users with the resources they need regardless of location; predictable behavior; high availability.
  - Intelligent: recovers from failures and topology changes quickly in a predetermined manner.
  - Scalable: supports future expansions and upgrades.
  - Easily managed: low maintenance.

Layers

[Figure: Core, Distribution and Access layers]

- Access Layer
  - Provides: end-user connection to the network; Layer 2 (VLAN) connectivity.
  - Capabilities: low cost per switch port; high port density; scalable uplinks to higher layers; VLAN membership, QoS; resiliency through multiple links.

Layers

[Figure: Core, Distribution and Access layers]

- Distribution Layer
  - Provides: interconnection between the access and core layers; sometimes called building distribution switches; VLANs and broadcast domains converge (end) here; where switching (VLANs) meets routing.
  - Capabilities: aggregation of multiple access-layer devices; high Layer 3 throughput for packet handling (routing); security and policy-based connectivity functions through access lists or packet filters; QoS; scalable and resilient high-speed links to the core and access layers.

Layers

[Figure: Core, Distribution and Access layers]

- Core Layer (Backbone)
  - Provides: connectivity of all distribution layer devices to the backbone; efficient packet switching.
  - Capabilities: high Layer 3 throughput; no costly or unnecessary packet manipulations (ACLs); redundancy and resiliency for high availability; advanced QoS.

Switch Block

[Figure: two distribution switches, each access switch uplinked to both]

- A Switch Block consists of:
  - Two distribution switches that aggregate one or more access layer switches.
  - Each access layer switch has a pair of uplinks, one to each distribution switch.
  - Distribution switches may or may not have a link between them. Many different options!

Switch Block

[Figure: two distribution switches, each access switch uplinked to both]

- Switch Block
  - Contains switching devices from the access and distribution layers.
  - All switch blocks connect to the core block (campus backbone).
  - Contains both Layer 2 and Layer 3 functionality.
  - Distribution Layer: confines STP and VLANs.
  - Access Layer: supports individual VLANs.

Switch Block and Core Block

[Figure: core connecting three switch blocks]

- Switch Block: a group of access layer switches connected to their distribution switches.
- Core Block: the core switches that connect the switch blocks. The campus network backbone.

Typical Switch Block Design

[Figure: core with L3 links to both distribution switches; L2 link between the distribution switches and L2 links down to the access switches; VLANs A,B present on both access switches]

- The switch block becomes fully dependent upon STP convergence for paths and loop-free connectivity.
  - Should configure multiple root bridges to take advantage of redundant links.
  - Redundant links are unused unless load balancing with PVST+ (RSTP).
- Various adaptations of this exist.

Best Practice Switch Block Design: Option A

[Figure: core with L3 links to both distribution switches; L3 link between the distribution switches; L2 links down to the access switches; VLAN A on one access switch, VLAN B on the other]

- Layer 2 connectivity is contained at the access layer.
- The distribution layer has only Layer 3 links.
- VLANs do not span across switches at all.
- Access switches
  - VLANs are contained within a single access layer switch, switch chassis or stacked switch.
  - Layer 2 uplinks to the distribution switches.
- No dependence upon STP convergence.
- Layer 3 link between the distribution switches.

Best Practice Switch Block Design: Option B

[Figure: core with L3 links to both distribution switches; L3 link between the distribution switches; L3 links down to the access switches]

- Limit Layer 2 VLANs to the access layer switches.
- No dependence on STP convergence.
- Network convergence and stability are provided by the routing protocol.

Core Block

- Connects two or more switch blocks in a campus network.
- Two basic core block designs:
  - Collapsed Core
  - Dual Core

Collapsed Core

[Figure: switch blocks joined by Layer 3 links between their distribution switches]

- Collapsed Core: the hierarchy's core layer is collapsed into the distribution layer switches.
- Both distribution and core layer functions are provided within the same switch.
- Found in smaller campus networks where the additional cost and performance of separate core switches is not warranted.

Dual Core

[Figure: two core switches with Layer 3 links to each switch block]

- Dual Core: connects two or more switch blocks in a redundant fashion.
- More scalable than a collapsed core.

For more information

- Enterprise Campus 3.0 Architecture: Overview and Framework
  http://www.cisco.com/en/US/docs/solutions/Enterprise/Campus/campover.html
