Objectives
• Describing Routing Between VLANs
• Deploying Cisco Express Forwarding (CEF)
• Enabling Routing Between VLANs on a Multilayer Switch
Overview
• A switch with multiple VLANs requires a means of passing Layer 3 traffic between those VLANs.
• A router external to the Layer 2 switch hosting the VLANs can provide the inter-VLAN routing, or it can be done with a Catalyst Multilayer Switch.
• When routing occurs within a Catalyst Multilayer Switch, Cisco Express Forwarding (CEF) is used.
• Routing on a Multilayer Switch is achieved via Switched Virtual Interfaces (SVIs) that act as gateways for an individual VLAN/subnet.
Inter-VLAN Routing
• Configuring VLANs allows a network administrator to create smaller broadcast domains and improve security.
• However, VLANs require a Layer 3 device to allow inter-VLAN communication.
Inter-VLAN Routing
• If a switch supports multiple VLANs but has no Layer 3 capability to route packets between those VLANs, the switch must be connected to an external router.
• An external router can route between VLANs by either:
  • Attaching the router's physical interfaces to each VLAN with no VLAN tagging
  • Using a single physical interface and a VLAN trunking protocol
• The VLAN trunking protocol lets us create additional logical subinterfaces, each associated with a particular VLAN.
• The two VLAN trunking protocols are ISL and 802.1Q.
External Router Options
(Diagram: one physical interface per VLAN vs. one physical trunking interface with logical subinterfaces)
Advantages and Disadvantages of Each
(Comparison table: External Router with Multiple Physical Interfaces vs. External Router with Logical Subinterfaces)
Using a Single Trunk
• In order for traffic to be routed from VLAN to VLAN, the router needs a separate logical subinterface for every VLAN.
• To do this we can use either the ISL or 802.1Q trunking protocol.
• Logical subinterface configuration (encapsulation dot1q <VLAN ID>: the 802.1Q protocol followed by the VLAN ID):
ExtRouter(config)#int fa0/0
ExtRouter(config-if)#no shut
ExtRouter(config-if)#int fa0/0.1
ExtRouter(config-subif)#encapsulation dot1q 1 native
ExtRouter(config-subif)#ip addr 192.168.1.1 255.255.255.0
ExtRouter(config-subif)#int fa0/0.10
ExtRouter(config-subif)#encapsulation dot1q 10
ExtRouter(config-subif)#ip addr 192.168.10.1 255.255.255.0
ExtRouter(config-subif)#int fa0/0.20
ExtRouter(config-subif)#encapsulation dot1q 20
ExtRouter(config-subif)#ip addr 192.168.20.1 255.255.255.0
Inter-VLAN Routing Scalability
• For networks with more than a few VLANs, virtual/logical subinterfaces are the best strategy.
• Both an external and an internal router can be used with subinterfaces.
• The difference between the internal and external solutions is a tradeoff between cost and performance.
• An entry-level external router (1721) is generally cheaper than a switch with Layer 3 functionality (Cat 3550).
• However, the Layer 3 switch provides higher efficiency and performance.
Layer 2 Switching
• Layer 2 switching forwards frames based on information in the Layer 2 frame header.
• Switch hardware utilizes specialized chips, called application-specific integrated circuits (ASICs), to handle frame manipulation and forwarding.
• By using ASICs, Layer 2 switching can provide wire-speed performance.
Layer 2 Switching Tables
• Cisco Catalysts have two primary table architectures:
  • CAM Table (Content Addressable Memory)
  • TCAM Table (Ternary CAM)
CAM Table
• The CAM table is the primary table used to make Layer 2 forwarding decisions.
• The CAM is built by recording the source MAC address of inbound frames on a switchport.
• This way frames are forwarded out only the switchport associated with that MAC address.
• This allows for unicast transmission.
• The MAC address table lists MAC and VLAN pairs with associated interfaces.
TCAM Table
• The TCAM table stores ACL, QoS and other information generally associated with upper-layer processing.
• In a Layer 2 table, all bits of all information are significant for frame forwarding (for example, VLANs, destination MAC addresses, and destination protocol types).
• The TCAM table allows forwarding decisions to ignore parts of the source and destination fields by way of the access list entry's wildcard mask.
Multilayer Switching
• Multilayer switching includes the ability to switch data based on information at multiple layers.
• Multilayer switching also refers to routers that can forward packets at wire speed through switching hardware.
• (config-if)#ip route-cache
• Layer 3 switch processing forwards packets at wire speed by using ASIC hardware instead of the CPU-based lookups found on a traditional router.
• Specific Layer 3 components such as routing tables or ACLs can be cached into hardware.
Layer 3 Switching
• Layer 3 switching can occur at two different locations on the switch:
  • Centralized Switching
  • Distributed Switching
Centralized Switching
• Centralized switching decisions are made on the route processor by a central forwarding table, typically controlled by an ASIC.
Distributed Switching
• Distributed switching decisions can be made at the port or line-card level rather than on a central route processor.
• Each line card maintains its own FIB table.
• Cached tables are distributed and synchronized to various hardware components so processing can be distributed throughout the switch chassis.
Layer 3 Forwarding
• Layer 3 switching takes place using one of two methods:
  • Route caching: flow-based or demand-based switching; a Layer 3 route cache is built in hardware as the switch sees traffic flows enter the switch.
  • Topology-based: information from the routing table is used to populate the route cache regardless of traffic flow.
• The populated route cache is called the Forwarding Information Base (FIB).
• Cisco Express Forwarding (CEF) is the facility that builds the FIB.
Process Switching
• Process switching is the most basic method of switching packets.
• Process switching moves packets between interfaces based on information in the routing table and the ARP cache.
• As packets arrive, they are moved into a queue to wait for further processing.
• When the scheduler runs, the outbound interface is determined and the packet is switched.
• Waiting for the scheduler introduces latency.
CEF Based Multilayer Switching
• To speed this process up, CEF caches information generated by the Layer 3 routing engine.
• CEF caches routing information in the Forwarding Information Base (FIB) and caches Layer 2 next-hop addresses for all FIB entries in an adjacency table.
• CEF operates in two modes:
  • Central
  • Distributed
FIB and Adjacency Tables
• The FIB is derived from the IP routing table, with the longest match first.
• The adjacency table is derived from the ARP table and contains Layer 2 rewrite (MAC) information for the next hop.
Central CEF Mode
• In Central CEF, the FIB and adjacency tables reside on the route processor, and the route processor performs the express forwarding.
• This CEF mode is used when line cards are not available for CEF switching, or when features that are not compatible with Distributed CEF are in use.
Distributed CEF Mode (dCEF)
• When dCEF is enabled, line cards maintain identical copies of the FIB and adjacency tables.
• The line cards can perform the express forwarding by themselves, relieving the main processor of involvement in the switching operation.
• dCEF uses an Inter-Process Communication (IPC) mechanism to ensure synchronization of the FIBs and adjacency tables on the route processor and line cards.
The CEF Control Plane and Data Plane
• CEF breaks the forwarding process into two parts: the control plane and the data plane.
• The control plane is responsible for building the FIB table and adjacency tables in software.
• The data plane is responsible for forwarding IP unicast traffic using hardware.
FIB Table Updates
• The FIB table is updated when any of the following occurs:
  • An ARP entry for the destination next hop changes, ages out, or is removed.
  • The routing table entry for a prefix changes.
  • The routing table entry for the next hop changes.
TCAM and ACL Entries
• The Ternary Content Addressable Memory (TCAM) is a specialized piece of memory designed for rapid, hardware-based table lookups of Layer 3 and Layer 4 information.
• The TCAM is used to match incoming packets to existing ACLs.
• The TCAM examines the source and destination wildcard mask of an ACE and creates a "mask" entry for the pair.
• Each mask has eight value patterns that can be associated with it.
• The values are the source and destination IP addresses and port numbers that match the mask entry.
Reference: http://www.ciscopress.com/articles/article.asp?p=101629&seqNum=4&rl=1
Value, Mask and Result Table (VMR)
access-list 101 permit ip host 10.1.1.1 any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
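As an added illustration (not from the slides), the Python model below compiles access-list 101 into toy value/mask/result entries and looks up a few constructed source addresses; it also shows that swapping the two entries flips the verdict for 10.1.1.1, because the lowest-index hit wins. The model keeps only source and destination IPv4 (protocol, ports and the eight-values-per-mask packing are omitted) and derives the TCAM compare mask by inverting the IOS wildcard.

```python
"""Toy value/mask/result (VMR) model of how access-list 101 lands in TCAM.
Simplification: source and destination IPv4 only; protocol, ports and the
eight-values-per-mask packing are left out."""
from ipaddress import IPv4Address

ANY = ("0.0.0.0", "255.255.255.255")   # IOS 'any': value 0, every bit is don't-care
FULL = 0xFFFFFFFF

def ip_to_int(addr):
    return int(IPv4Address(addr))

def wildcard_to_tcam_mask(wildcard):
    """IOS wildcard bit 1 = ignore; TCAM mask bit 1 = compare. They are complements."""
    return ip_to_int(wildcard) ^ FULL

def compile_ace(action, src, src_wc, dst, dst_wc):
    """One ACE -> (value, mask, result). The value is pre-masked so a lookup is a
    single AND-and-compare, which is what the TCAM does for every entry at once."""
    smask, dmask = wildcard_to_tcam_mask(src_wc), wildcard_to_tcam_mask(dst_wc)
    value = ((ip_to_int(src) & smask) << 32) | (ip_to_int(dst) & dmask)
    mask = (smask << 32) | dmask
    return value, mask, action

# access-list 101 from the slide as (action, src, src-wildcard, dst, dst-wildcard)
ACL_101 = [
    ("permit", "10.1.1.1", "0.0.0.0", *ANY),    # permit ip host 10.1.1.1 any
    ("deny", "10.1.1.0", "0.0.0.255", *ANY),    # deny ip 10.1.1.0 0.0.0.255 any
]

def compile_acl(acl):
    return [compile_ace(*ace) for ace in acl]

def tcam_lookup(tcam, src, dst):
    """Return (result, index of the matching entry). All entries match in parallel;
    the lowest index wins, preserving IOS first-match order. No hit: implicit deny."""
    key = (ip_to_int(src) << 32) | ip_to_int(dst)
    for idx, (value, mask, result) in enumerate(tcam):
        if key & mask == value:
            return result, idx
    return "deny", None

TCAM_101 = compile_acl(ACL_101)
```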
ARP Throttling
• Only the first few packets for a connected destination reach the Layer 3 engine, so that the Layer 3 engine can use Address Resolution Protocol (ARP) to locate the host.
• This allows the FIB table to have a corresponding adjacency entry for Layer 2.
• If the Layer 2 address is unknown, the Layer 3 engine generates an ARP request.
• While the Layer 3 engine is waiting for the ARP reply, subsequent packets to the destination host are dropped.
• This is known as ARP throttling.
• The throttling adjacency is removed when an ARP reply is received.
Forwarding Example
• Step 1: Host A sends a packet to host B.
• Step 2: The switch forwards the packet to the Layer 3 engine based on the "glean" entry in the FIB (because a Layer 2 entry does not exist in the adjacency table).
• Step 3: The Layer 3 engine sends an ARP request for host B and installs the drop adjacency for host B (ARP throttling).
• Step 4: Host B responds to the ARP request (ARP throttle removed).
• Step 5: Frame rewrite (not shown).
Other Adjacency Types
• Null adjacency: Packets destined for a Null0 interface are dropped. This can be used as an effective form of access filtering.
• Glean adjacency: When a router is connected directly to several hosts, the FIB table on the router maintains a prefix for the subnet rather than for the individual host prefixes. The subnet prefix points to a glean adjacency. When packets need to be forwarded to a specific host, the adjacency database is gleaned for the specific prefix.
• Punt adjacency: Features that require special handling, or that are not yet supported in conjunction with CEF switching paths, are forwarded to the next switching layer for handling. Features that are not supported are forwarded to the next higher switching level.
• Discard adjacency: Packets are discarded.
• Drop adjacency: Packets are dropped, but the prefix is checked.
CEF Based MLS Operation between VLANs
• Step 1: Host A sends a packet to host B. The switch recognizes the frame as a Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3 engine MAC.
• Step 2: The switch performs a CEF lookup based on the destination IP address (IP-B). The packet hits the CEF entry for the connected (VLAN20) network and is redirected to the Layer 3 engine using a "glean" adjacency.
• Step 3: The Layer 3 engine installs an ARP throttling adjacency in the switch for the host B IP address.
• Step 4: The Layer 3 engine sends ARP requests for host B on VLAN20.
CEF Based MLS Operation between VLANs
• Step 5: Host B sends an ARP response to the Layer 3 engine.
• Step 6: The Layer 3 engine installs the resolved adjacency in the switch (removing the ARP throttling adjacency).
• Step 7: The switch forwards the packet to host B.
• Step 8: The switch receives a subsequent packet for host B (IP-B).
• Step 9: The switch performs a Layer 3 lookup and finds a CEF entry for host B. The entry points to the adjacency with rewrite information for host B.
• The switch rewrites the packet per the adjacency information and forwards it to host B on VLAN20.
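The nine steps above as an added Python model (not part of the slides): a FIB with longest-prefix match feeds an adjacency table whose entry for host B moves from glean, to drop (ARP throttling), to a resolved rewrite entry. It assumes VLAN20 is 192.168.20.0/24 (the subnet used in the trunk configuration earlier), keeps the slide's MAC-M placeholder for the Layer 3 engine, uses a constructed MAC-B for host B, and adds a constructed 10.0.0.0/8 route to Null0 to show the null adjacency from the previous slide.

```python
"""Toy CEF forwarding path: FIB longest-prefix match plus an adjacency table holding
glean, drop (ARP throttling), null and resolved (rewrite) adjacencies."""
from ipaddress import ip_address, ip_network

L3_ENGINE_MAC = "MAC-M"  # the Layer 3 engine's MAC, using the slide's placeholder name

class CefSwitch:
    def __init__(self):
        # FIB: prefix -> (adjacency type, VLAN). The connected subnet points at a glean
        # adjacency; a constructed route to Null0 gets a null adjacency (access filtering).
        self.fib = {ip_network("192.168.20.0/24"): ("glean", "VLAN20"),
                    ip_network("10.0.0.0/8"): ("null", None)}
        self.adj = {}            # host IP -> ("drop", None) or ("resolved", mac)
        self.pending = {}        # host IP -> packets held by the L3 engine while ARP runs
        self.arp_requests = []   # (ip, vlan) pairs the L3 engine asked for

    def lpm(self, dst_ip):
        """Longest prefix match over the FIB (most specific route wins)."""
        hits = [p for p in self.fib if ip_address(dst_ip) in p]
        return max(hits, key=lambda p: p.prefixlen) if hits else None

    def forward(self, dst_ip):
        """Hardware lookup for one packet; returns (verdict, detail)."""
        if dst_ip in self.adj:                      # host adjacency exists (a /32 CEF entry)
            kind, mac = self.adj[dst_ip]
            if kind == "drop":                      # step 3: ARP still pending, throttle
                return ("dropped", "ARP throttling")
            # step 9: rewrite per adjacency and forward in hardware
            return ("forwarded", f"rewrite dst-mac={mac} src-mac={L3_ENGINE_MAC}")
        prefix = self.lpm(dst_ip)
        if prefix is None:
            return ("dropped", "no route")
        kind, vlan = self.fib[prefix]
        if kind == "null":                          # Null0 route: discard, no ARP, no punt
            return ("dropped", "null adjacency")
        # step 2: glean -> punt to the L3 engine; steps 3-4: throttle adjacency + one ARP
        self.pending[dst_ip] = 1
        self.adj[dst_ip] = ("drop", None)
        self.arp_requests.append((dst_ip, vlan))
        return ("punted", "glean adjacency")

    def arp_reply(self, ip, mac):
        """Steps 5-7: the resolved adjacency replaces the throttle entry and the held
        packet is released. Returns the number of held packets forwarded."""
        self.adj[ip] = ("resolved", mac)
        return self.pending.pop(ip, 0)
```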
Using Layer 3 Interfaces on a Multilayer Switch
• There are two types of Layer 3 interfaces that you can create on a multilayer switch:
  • Logical switched virtual interfaces (SVIs)
  • Physical routed ports
Routing with a Layer 3 Switch
• To route between VLANs on a Layer 3 switch, we use SVIs.
• A switched virtual interface (SVI) is a virtual Layer 3 interface that can be configured for any VLAN that exists on a Layer 3 switch.
• The SVI for the VLAN provides Layer 3 processing for packets from all switch ports associated with that VLAN.
• Only one SVI can be associated with a VLAN.
• By default, an SVI is created for the default VLAN (VLAN1) to permit remote switch administration. You must explicitly configure additional SVIs.
Layer 3 Switched Virtual Interface (SVI)
• You configure an SVI for a VLAN for these reasons:
  • To provide a default gateway for a VLAN so traffic can be routed between VLANs
  • To provide fallback bridging if it is required for nonroutable protocols
  • To provide Layer 3 IP connectivity to the switch (this places the switch on that VLAN)
• SVIs are created the first time interface configuration mode is entered for a particular VLAN SVI interface.
Routed Interfaces on a Multilayer Switch
• A routed switch port is a physical switch port on a Multilayer switch that is capable of Layer 3 packet processing.
• A routed port is not associated with a particular VLAN, as an access port or SVI is.
• A routed port behaves like a regular router interface, except that it does not support VLAN subinterfaces.
• The number of routed ports and SVIs that can be configured on a switch is not limited by software.
Switch(config)#int fa0/1
Switch(config-if)#no switchport
Switch(config-if)#ip addr 172.16.1.2 255.255.255.252
Switch(config-if)#exi
Switch(config)#ip routing
Switch(config)#ip route 0.0.0.0 0.0.0.0 172.16.1.1
Routed Switchports per Platform
• On the lower-end multilayer switches such as the 3550, 3560 and 3750, all ports are Layer 2 ports by default.
• To create a Layer 3 routed port, you must use the 'no switchport' command.
• On the 6500, all ports are Layer 3 ports by default, and you must use the 'switchport' interface configuration command to change the port to a Layer 2 port.
• I'm not sure about the 4500s, but you get the idea.
Inter-VLAN Routing using SVIs
(Diagram; callout: "Optional for running a routing protocol with another device")