CCNP Switch
Inter-VLAN Routing, Multilayer Switching and CEF
Rick Graziani
Cabrillo College
graziani@cabrillo.edu
Spring 2010
Inter-VLAN Routing
Internetwork Communications
C:\>ping 172.16.30.100
Then the destination MAC address is that of the same device as the destination IP address.
Check the ARP cache for an entry for the destination IP address and its MAC address.
If there is no entry, send an ARP Request for the destination IP address, asking for its MAC address.
InterVLAN Routing
(Figure) Three options: an external router with a separate interface per VLAN (VLAN 1, VLAN 2, VLAN 3); a router on a stick, with VLANs 1, 2 and 3 carried over one trunk; or a multilayer switch (with per-VLAN interfaces, or a trunk).
External Router
Router(config)# inter fa 0/1
Router(config-if)# ip address 172.16.1.1 255.255.255.0
Router(config)# inter fa 0/2
Router(config-if)# ip address 172.16.2.1 255.255.255.0
Router(config)# inter fa 0/3
Router(config-if)# ip address 172.16.3.1 255.255.255.0
Router on a stick (figure): hosts 172.16.10.100/24 on VLAN 10 and 172.16.20.100/24 on VLAN 20.
interface GigabitEthernet1/1
switchport mode trunk
interface GigabitEthernet5/0
no shutdown ! Does not show in config
!
interface GigabitEthernet5/0.2
description VLAN 2
encapsulation dot1Q 2 native
ip address 172.16.1.2 255.255.255.0
!
interface GigabitEthernet5/0.10
description VLAN 10
encapsulation dot1Q 10
ip address 172.16.10.1 255.255.255.0
!
interface GigabitEthernet5/0.20
description VLAN 20
encapsulation dot1Q 20
ip address 172.16.20.1 255.255.255.0
!
interface GigabitEthernet5/0.30
description VLAN 30
encapsulation dot1Q 30
ip address 172.16.30.1 255.255.255.0
!
interface GigabitEthernet5/0.40
description VLAN 40
encapsulation dot1Q 40
ip address 172.16.40.1 255.255.255.0
Multilayer Switches
Physical Interface
Try it
Download: PT-TopologySwitchBlockMLS.pkt
Configure the appropriate interfaces in DLS1 and DLS2 as physical Layer 3 addresses.
Note: Core has the first host addresses.
(Figure) The two switches are joined by Port-channel 5, bundling Fa 0/11 and Fa 0/12, with the Layer 3 addresses 192.168.2.1 and 192.168.2.2.
SwitchA# show ip inter brief
Port-channel5          192.168.1.1     YES manual up                    up
SwitchA# ping 192.168.1.2
!!!!!
SwitchA# show ether summ
Flags:  D - down        P - in port-channel
        I - stand-alone s - suspended
        H - Hot-standby (LACP only)
        R - Layer3      S - Layer2
        U - in use      f - failed to allocate aggregator
        u - unsuitable for bundling
        w - waiting to be aggregated
        d - default port
SVI Interfaces - Logical Interfaces
Creating VLANs
DLS1: Create and name the user VLANs: 10, 11, 20 and 21.
DLS1: Create and name a Management VLAN (used to telnet into switches).
DLS1: Create and name a NATIVE VLAN other than VLAN 1 (the default).
DLS1: Create and name a Garbage VLAN (assigned to all unused ports). All ports that are not used (trunks and access) will be assigned as access ports to this VLAN.
DLS1
vlan 2
name NATIVE
vlan 10
name Engineering
vlan 11
name IT
vlan 20
name Sales
vlan 21
name Administration
vlan 99
name ManagementVLAN
vlan 222
name GarbageVLAN
Management VLAN
Each device in the network is configured to be a member of the management VLAN.
On each switch
Switch(config)# inter vlan 99
Switch(config-if)# description Management VLAN
Switch(config-if)# ip address 172.16.99.x 255.255.255.0
Switch(config-if)# no shutdown
Default Gateway
Configure DLS1 to be the default gateway for VLANs 10 and 11.
All hosts on these VLANs will use these addresses as their default gateway addresses.
DLS1(config)# inter vlan 10
DLS1(config-if)# description Engineering VLAN
DLS1(config-if)# ip address 172.16.10.1 255.255.255.0
DLS1(config-if)# no shutdown
DLS1(config)# inter vlan 11
DLS1(config-if)# description IT VLAN
DLS1(config-if)# ip address 172.16.11.1 255.255.255.0
DLS1(config-if)# no shutdown
Default Gateway
Configure DLS2 to be the default gateway for VLANs 20 and 21.
All hosts on these VLANs will use these addresses as their default gateway addresses.
DLS2(config)# inter vlan 20
DLS2(config-if)# description Sales VLAN
DLS2(config-if)# ip address 172.16.20.1 255.255.255.0
DLS2(config-if)# no shut
DLS2(config)# inter vlan 21
DLS2(config-if)# description Administration VLAN
DLS2(config-if)# ip address 172.16.21.1 255.255.255.0
DLS2(config-if)# no shut
Verifying
Verify IP addresses
DLS1# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
FastEthernet0/1        192.168.4.6     YES manual up                    up
GigabitEthernet0/1     192.168.1.1     YES manual up                    up
Vlan10                 172.16.10.1     YES manual up                    up
Vlan11                 172.16.11.1     YES manual up                    up
Port-channel1          unassigned      YES manual up                    up
DLS1#
Configuring a Routed Port
Step 1: Configure IP routing.
Switch(config)#ip routing
Configuring Inter-VLAN Routing Through an SVI
Step 1: Configure IP routing.
Switch(config)#ip routing
Routing
Enable routing on DLS1 and DLS2.
Configure EIGRP on DLS1 and DLS2.
Turn off auto-summarization.
DLS1(config)# ip routing
DLS1(config)# router eigrp 1
DLS1(config-router)# network 172.16.0.0
DLS1(config-router)# network 192.168.1.0
DLS1(config-router)# no auto-summary
DLS2(config)# ip routing
DLS2(config)# router eigrp 1
DLS2(config-router)# network 172.16.0.0
DLS2(config-router)# network 192.168.1.0
DLS2(config-router)# no auto-summary
Verifying
Verify routing
Annotations on the slide: 1.1.1.0 is the core network; 172.16.20.0 and 172.16.21.0 are the DLS2 networks (VLANs); 192.168.1.8 is the network between DLS2 and Core.
DLS1#show ip route
     1.0.0.0/24 is subnetted, 1 subnets
D       1.1.1.0 [90/25628160] via 192.168.1.5, 00:00:07, FastEthernet0/1
     172.16.0.0/24 is subnetted, 5 subnets
C       172.16.10.0 is directly connected, Vlan10
C       172.16.11.0 is directly connected, Vlan11
D       172.16.20.0 [90/25625856] via 192.168.1.2, 01:29:41, GigabitEthernet0/1
D       172.16.21.0 [90/25625856] via 192.168.1.2, 01:29:41, GigabitEthernet0/1
C       172.16.99.0 is directly connected, Vlan99
     192.168.1.0/30 is subnetted, 3 subnets
C       192.168.1.0 is directly connected, GigabitEthernet0/1
C       192.168.1.4 is directly connected, FastEthernet0/1
D       192.168.1.8 [90/28416] via 192.168.1.2, 01:17:18, GigabitEthernet0/1
DLS1#
Multilayer Switching
Traditional MLS
CEF-Based MLS
Traditional MLS
Dual effort between the Route Processor (RP) and the Switching Engine (SE).
Traditional MLS: route once, switch many.
Specialized Application-Specific Integrated Circuits (ASICs) perform Layer 2 rewrite operations on routed packets:
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change during Layer 3 rewrites, the switch must recalculate the CRC for these new MAC addresses.
Traditional MLS
SE:
Listens in on the first packet going to the router (RP) and the first packet coming back from the router (RP).
If the SE can switch the packet in both directions, it can learn a shortcut path for subsequent packets to use, thus bypassing the router (RP).
This technique is also known as NetFlow-based switching.
With traditional MLS, the Layer 3 engine (route processor) and the switching ASICs work together to build Layer 3 entries on the switch.
Traditional MLS (figure): route processor options MSFC, RSFC, RSM.
Traditional MLS (figure): the first packet of the flow arrives on its VLAN with the dot1q tag inside the Ethernet header. Ethernet header: D-MAC = 00-00-0C-11-11-11 (the router), S-MAC = 00-AA-00-11-11-11. IP header: S-IP = 10.1.1.10, D-IP = 10.1.2.20.
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching/routing.
After the routing of the first packet in the flow, the Layer 3 engine programs the hardware-switching components to route subsequent packets.
MLS-RP / MLS-SE (figure): the MLS-RP records the Layer 3 info (S-IP 10.1.1.10, D-IP 10.1.2.20) and Layer 2 info (S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11) of the packet the MLS-SE saw on the way to the router.
After routing, the packet leaves on VLAN 2 with D-MAC = 00-AA-00-22-22-22 and S-MAC = 00-00-0C-22-22-22; the IP header (S-IP = 10.1.1.10, D-IP = 10.1.2.20) is unchanged.
Next, the router accepts the packets from workstation A, rewrites the Layer 2 MAC addresses and CRC, and forwards the packet to workstation B.
The switch refers to the routed packet from the RSM as the enabler packet.
MLS-RP / MLS-SE (figure): from the Layer 3 info (S-IP 10.1.1.10, D-IP 10.1.2.20) and Layer 2 info (S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11) of the first packet, the MLS-SE builds this MLS cache entry for future packets:
Dst IP      Src IP      Port  Dst Port  Src Port  Dst MAC             Src MAC             VLAN  Interface
10.1.2.20   10.1.1.10   TCP   23        1238      00-AA-00-22-22-22   00-00-0C-22-22-22         3/1
As future packets from the flow arrive, the MLS-SE uses the destination IP address to look up the entry in the MLS cache.
If it finds a match, the rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router).
The rewrite operation modifies all the same fields initially modified by the router for the first packet, including the source MAC and destination MAC addresses.
CEF-Based MLS
CEF: Routing Table
DLS1#show ip cef
Prefix              Next Hop        Interface
0.0.0.0/0           no route
0.0.0.0/32          receive
1.1.1.0/24          192.168.1.5     FastEthernet0/1
172.16.10.0/24      attached        Vlan10
172.16.10.0/32      receive         Vlan10
172.16.10.1/32      receive         Vlan10
172.16.10.255/32    receive         Vlan10
172.16.11.0/24      attached        Vlan11
172.16.11.0/32      receive         Vlan11
172.16.11.1/32      receive         Vlan11
172.16.11.255/32    receive         Vlan11
172.16.20.0/24      192.168.1.2     GigabitEthernet0/1
172.16.21.0/24      192.168.1.2     GigabitEthernet0/1
172.16.99.0/24      attached        Vlan99
172.16.99.0/32      receive         Vlan99
172.16.99.1/32      receive         Vlan99
172.16.99.255/32    receive         Vlan99
192.168.1.0/30      attached        GigabitEthernet0/1
192.168.1.0/32      receive         GigabitEthernet0/1
192.168.1.1/32      receive         GigabitEthernet0/1
192.168.1.2/32      192.168.1.2     GigabitEthernet0/1
192.168.1.3/32      receive         GigabitEthernet0/1
192.168.1.4/30      attached        FastEthernet0/1
192.168.1.4/32      receive         FastEthernet0/1
192.168.1.5/32      192.168.1.5     FastEthernet0/1
192.168.1.6/32      receive         FastEthernet0/1
192.168.1.7/32      receive         FastEthernet0/1
192.168.1.8/30      192.168.1.2     GigabitEthernet0/1
224.0.0.0/4         drop
224.0.0.0/24        receive
255.255.255.255/32  receive
DLS1#
CEF
Adjacency tables
Network nodes are said to be adjacent if they can reach each other with a single hop across a link layer (OSPF, EIGRP).
A router normally maintains:
a routing table containing Layer 3 network and next-hop information, and
an ARP table containing the Layer 3 to Layer 2 address mapping.
These tables are kept independently.
CEF
The FIB keeps the Layer 3 next-hop address for each entry. To streamline packet forwarding even more, the FIB has corresponding Layer 2 information for every next-hop entry.
This portion of the FIB is called the adjacency table, consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop.
(Figure) The IP tables answer "next hop?"; the adjacency supplies the Layer 2 encapsulation for GigabitEthernet0/1 and FastEthernet0/1.
DLS1# show adjacency detail
Protocol Interface                 Address
IP       Vlan99                    172.16.99.2
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 3
                                   Encap length 14
                                   0000603E24584400055E6D393C0800
                                   ARP
IP       GigabitEthernet0/1        192.168.1.2
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 3
                                   Encap length 14
                                   0000902B293019000C85B044190800
                                   ARP
IP       FastEthernet0/1           192.168.1.5
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 3
                                   Encap length 14
                                   0000024A0A4301000C85B044010800
                                   ARP
DLS1#
CEF
No ARP entry: the Layer 3 forwarding engine can't forward the packet in hardware and must send it to the Layer 3 engine.
CEF
Adjacency tables
What happens to subsequent packets while the FIB entry is in the glean state (that is, while the Layer 3 engine is sending the ARP Request)?
These packets are dropped, so that:
input queues do not fill, and
the Layer 3 engine does not become too busy dealing with duplicate ARP requests.
This is called ARP throttling, or a throttling adjacency.
If an ARP reply is not received in two seconds, the throttling is released so that another ARP request can be triggered.
After the ARP reply is received:
the throttling is released,
the FIB entry can be completed, and
subsequent packets can be forwarded in hardware.
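To make the glean and throttling behaviour concrete, here is an added Python model (not from the slides or any Cisco code) of a CEF forwarder: a longest-prefix FIB lookup, an adjacency lookup, and a throttling adjacency that drops packets for a next hop whose ARP is still pending and is released after two seconds. The FIB prefixes mirror DLS1's show ip cef output; the MAC address, the class and function names, and the simulated clock are assumptions made for this example.

```python
import ipaddress
import time

# Constructed tables mirroring DLS1's "show ip cef" slide (prefixes and next hops
# are from the page; the MAC address and the simulated clock are assumptions).
FIB = {
    "172.16.10.0/24": "attached",     # Vlan10, directly connected
    "172.16.20.0/24": "192.168.1.2",  # learned from DLS2
    "0.0.0.0/0": "no route",
}
ADJACENCY = {"192.168.1.2": "0000.902b.2930"}  # next hop -> MAC (constructed)
THROTTLE_SECONDS = 2.0  # the release timer described in the text


class CefForwarder:
    def __init__(self, fib, adjacency, clock=time.monotonic):
        self.fib = {ipaddress.ip_network(p): nh for p, nh in fib.items()}
        self.adj = dict(adjacency)
        self.clock = clock
        self.glean = {}          # next hop -> time the throttling adjacency was installed
        self.arp_requests = []   # what the Layer 3 engine was asked to resolve

    def lookup(self, dst):
        """Longest-prefix match in the FIB; returns the next-hop string or None."""
        dst = ipaddress.ip_address(dst)
        matches = [n for n in self.fib if dst in n]
        return self.fib[max(matches, key=lambda n: n.prefixlen)] if matches else None

    def forward(self, dst):
        """Hardware path when the adjacency is complete; glean/throttle otherwise."""
        nh = self.lookup(dst)
        if nh in (None, "no route"):
            return "drop: no route"
        if nh == "attached":
            nh = dst  # directly connected: the destination itself is the next hop
        if nh in self.adj:
            return f"hardware: L2 rewrite to {self.adj[nh]}"
        now = self.clock()
        started = self.glean.get(nh)
        if started is None or now - started >= THROTTLE_SECONDS:
            # First packet (or timer expired): punt to the Layer 3 engine, which
            # sends the ARP request, and install the throttling (drop) adjacency.
            self.glean[nh] = now
            self.arp_requests.append(nh)
            return "punt: glean, ARP request sent, throttling adjacency installed"
        return "drop: throttled, ARP reply pending"

    def arp_reply(self, ip, mac):
        """Completes the adjacency and releases the throttling for that next hop."""
        self.adj[ip] = mac
        self.glean.pop(ip, None)
```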
ARP Throttling
The throttling adjacency is removed when no ARP Reply is received in 2 seconds. This allows another packet to initiate a new ARP Request.
The throttling adjacency relieves the Layer 3 engine of excessive ARP processing or ARP-based DoS attacks.
(Figures) The ARP Request is sent; the ARP Reply returns Host B's MAC address for 10.20.10.2.
5. The Layer 3 engine installs the adjacency for Host B and removes the throttling (drop) adjacency.
Next: Packet Rewrite
Packet Rewrite
(Figures) The ingress packet from Host A to 10.20.10.2 carries the default gateway's MAC address as its Layer 2 destination. The egress packet carries Host B's MAC address as the Layer 2 destination, the Layer 3 switch's outbound interface MAC address as the Layer 2 source, the TTL decremented by 1, and recomputed L2 and L3 checksums.
The packet rewrite engine makes the following changes to the packet just prior to forwarding:
Layer 2 destination address: changed to the next-hop device's MAC address
Layer 2 source address: changed to the outbound Layer 3 switch interface's MAC address
Layer 3 IP Time To Live (TTL): decremented by one, as one router hop has just occurred
Layer 2 frame checksum: recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksum: recalculated to include changes to the IP header
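An added Python example (not from the slides) that performs the rewrite listed above on a constructed Ethernet/IPv4 frame, using the MAC addresses from the traditional MLS figures (host A 00-AA-00-11-11-11 sending to the router at 00-00-0C-11-11-11; the egress frame from 00-00-0C-22-22-22 to host B at 00-AA-00-22-22-22) and the IP addresses 10.1.1.10 and 10.1.2.20. The Ethernet FCS is not modelled because it is appended on the wire, so only the IP header checksum is recomputed here; the function names are assumptions.

```python
import struct
from ipaddress import ip_address

def mac(text):
    """'00-aa-00-11-11-11' -> 6 raw bytes."""
    return bytes.fromhex(text.replace("-", "").replace(":", ""))

def ip_checksum(header):
    """RFC 791 one's-complement sum over an IPv4 header (even length)."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_mac, dst_mac, src_ip, dst_ip, ttl=64, payload=b"telnet"):
    """Constructed IPv4-over-Ethernet frame (untagged, no FCS) for the example."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                                0x1234, 0, ttl, 6, 0,
                                ip_address(src_ip).packed, ip_address(dst_ip).packed))
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    return mac(dst_mac) + mac(src_mac) + b"\x08\x00" + bytes(hdr) + payload

def rewrite(frame, next_hop_mac, egress_mac):
    """The multilayer-switch rewrite: new L2 dst/src MAC, TTL-1, new IP checksum.
    The IP addresses and everything past the IP header are left untouched."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        raise ValueError("not an IPv4 frame")
    ihl = (frame[14] & 0x0F) * 4
    ip = bytearray(frame[14:14 + ihl])
    if ip[8] <= 1:
        # TTL would reach 0: hardware punts this to the Layer 3 engine instead
        raise ValueError("TTL expired, punt to Layer 3 engine")
    ip[8] -= 1
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    return mac(next_hop_mac) + mac(egress_mac) + frame[12:14] + bytes(ip) + frame[14 + ihl:]

def parse(frame):
    """Fields a verifier checks; checksum_ok is True when the header sums to zero."""
    ihl = (frame[14] & 0x0F) * 4
    return {"dst_mac": frame[0:6].hex("-"), "src_mac": frame[6:12].hex("-"),
            "ttl": frame[22], "checksum_ok": ip_checksum(frame[14:14 + ihl]) == 0}

if __name__ == "__main__":
    first = build_frame("00-aa-00-11-11-11", "00-00-0c-11-11-11", "10.1.1.10", "10.1.2.20")
    print(parse(rewrite(first, "00-aa-00-22-22-22", "00-00-0c-22-22-22")))
```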
A traditional router would normally make the same changes to each packet.
The multilayer switch must act as if a traditional router were being used, making identical changes.
The multilayer switch can do this very efficiently with dedicated packet rewrite hardware and with address information obtained from table lookups.
CEF
Enabling CEF
The commands required to enable CEF are platform dependent.
On the Cisco Catalyst 4000 switch:
Switch(config)#ip cef
Verifying CEF
Switch#show ip cef [type mod/port | vlan_interface] [detail]
Adjacency Information
Switch#show adjacency [{{type mod/port} | {port-channel number}} | detail | internal | summary]
CEF Summary
Layer 3 switching is high-performance packet switching in hardware.
MLS functionality can be implemented through CEF.
CEF uses tables in hardware to forward packets.
Specific commands are used to enable and verify CEF operations.
Commands to enable CEF are platform dependent.
CEF problems can be matched to specific solutions.
Specific commands are used to troubleshoot and solve CEF problems.
Ordered steps assist in troubleshooting CEF-based problems.
DHCP: IP Broadcast Forwarding
MLS(config)#interface vlan 1
MLS(config-if)#description DHCP Server VLAN
MLS(config-if)#ip address 10.1.1.1 255.255.255.0
MLS(config-if)#no ip directed-broadcast
MLS(config)#interface vlan 2
MLS(config-if)#description DHCP clients
MLS(config-if)#ip address 10.2.1.1 255.255.255.0
MLS(config-if)#no shutdown
MLS(config-if)#no ip directed-broadcast
MLS(config-if)#ip helper-address 10.1.1.254
MLS(config)#interface vlan 1
MLS(config-if)#description DHCP Server VLAN
MLS(config-if)#ip address 10.1.1.1 255.255.255.0
MLS(config-if)#no ip directed-broadcast
MLS(config)#interface vlan 2
MLS(config-if)#description DHCP clients
MLS(config-if)#ip address 10.1.2.1 255.255.255.0
MLS(config-if)#no shutdown
MLS(config-if)#no ip directed-broadcast
MLS(config-if)#ip helper-address 10.1.1.254
Hierarchical approach
Layers (figure): Core, Distribution, Access.
Access Layer
Provides:
End users connect to the network
Layer 2 (VLAN) connectivity
Capabilities:
Low cost per switch port
High port density
Scalable uplinks to higher layers
VLAN membership, QoS
Resiliency through multiple links
Distribution Layer
Provides:
Interconnection between the access and core layers
Sometimes called building distribution switches
VLANs and broadcast domains converge (end) here
Where switching (VLANs) meets routing
Capabilities:
Aggregation of multiple access-layer devices
High Layer 3 throughput for packet handling (routing)
Security and policy-based connectivity functions through access lists or packet filters
QoS
Scalable and resilient high-speed links to the core and access layers
Switch Block
(Figure) The core connects several switch blocks, each made up of a distribution layer and an access layer.
Contains switching devices from the access and distribution layers.
All switch blocks connect to the core block (campus backbone).
Contains both Layer 2 and Layer 3 functionality:
Distribution Layer: confines STP and VLANs
Access Layer: supports individual VLANs
Switch Block
Group of access layer switches connected to their distribution switches.
Core Block
Core switches that connect switch blocks.
The campus network backbone.
(Figure) Two Layer 3 distribution switches and two access switches, each carrying VLANs A and B, interconnected entirely by Layer 2 links.
The switch block becomes fully dependent upon STP convergence for paths and loop-free connectivity.
Multiple root bridges should be configured to take advantage of the redundant links.
Redundant links are unused unless load balancing with PVST+ (RSTP).
There are various adaptations of this design.
(Figure) The link between the Layer 3 distribution switches is now Layer 3, the access uplinks remain Layer 2, and VLAN A and VLAN B are each confined to a single access switch.
(Figure) Layer 3 throughout: routed links between the distribution switches and down to Layer 3 access switches.
Core Block
Collapsed Core: Layer 3 links
Dual Core: Layer 3 links