CIS 187 Multilayer Switched Networks Inter-VLAN Routing CIS 187 Multilayer Switched Networks CCNP version 7 Rick Graziani Spring 2016

Inter-VLAN Routing

Internetwork Communications C:>ping 172.16.30.100 Can two hosts on different subnets communicate without a router? What would happen if a host tried to ping another host? No they cannot communicate. Would it send an ARP Request? Why or why not? The host would not send an ARP Request because there is no default-gateway. Even though hosts on different VLANs may be physically connected to the same switch, logically the are on separate networks. Remember, a host determines if it can communicate directly with another host by ANDing its own source IP address and subnet mask, determines its network address, and then ANDing the destination IP address of the packet and its own subnet mask. Rick Graziani graziani@cabrillo.edu

Trunking with Default Gateway C:>ping 172.16.30.100 What difference would it make if these hosts were on different VLANs? The Broadcasts would not be forwarded out all ports by the switch. Why does the host send the ARP Request to the router and not the destination host? After all they’re on the same switch. The host doesn’t know where the destination host is, just that it’s not on its’ network. Rick Graziani graziani@cabrillo.edu

Internetwork Communications Then Destination MAC Address is that of the same device as the Destination IP Address. Check ARP cache for entry of Destination IP Address and its MAC Address. If no entry, ARP Request Destination IP Address asking for MAC Address. Then Destination MAC Address is that of the same device as the Destination IP Address. Check ARP cache for entry of Destination IP Address and its MAC Address. If no entry, ARP Request Destination IP Address asking for MAC Address. Then Destination MAC Address will be that of the Default Gateway. Check ARP cache for entry of Default Gateway’s IP Address and its MAC Address. If no entry, ARP Request Default Gateway’s IP Address asking for MAC Address. Then Destination MAC Address will be that of the Default Gateway. Check ARP cache for entry of Default Gateway’s IP Address and its MAC Address. If no entry, ARP Request Default Gateway’s IP Address asking for MAC Address. Rick Graziani graziani@cabrillo.edu

Legacy Inter-VLAN Routing 192.168.20.1 255.255.255.0 192.168.10.1 255.255.255.0 A B C D 192.168.10.10 255.255.255.0 GW 192.168.10.1 192.168.10.11 255.255.255.0 GW 192.168.10.1 192.168.20.12 255.255.255.0 GW 192.168.20.1 192.168.20.13 255.255.255.0 GW 192.168.20.1 Do not need VLANs for multiple subnets but…. Router is required to connect (route) between subnets/VLANs

Inter-VLAN Routing A VLAN is a logical group of ports, usually belonging to a single IP subnet to control the size of the broadcast domain. Even though devices in different VLANs may be “physically” connected, as shown in the previous slides, these devices cannot communicate without the services of a default gateway, a router. Because VLANs isolate traffic to a defined broadcast domain and subnet, network devices in different VLANs cannot communicate with each other without the use of a router. This is known as Inter-VLAN Routing. VLAN is a logical group of ports, usually belonging to a single IP subnet to control the size of the broadcast domain. Rick Graziani graziani@cabrillo.edu

Inter-VLAN Routing A VLAN is a logical group of ports, usually belonging to a single IP subnet to control the size of the broadcast domain. Even though devices in different VLANs may be “physically” connected, as shown in the previous slides, these devices cannot communicate without the services of a default gateway, a router. Because VLANs isolate traffic to a defined broadcast domain and subnet, network devices in different VLANs cannot communicate with each other without the use of a router. This is known as Inter-VLAN Routing. Even though devices in different VLANs may be “physically” connected, these devices cannot communicate without the services of a default gateway, a router. This is known as Inter-VLAN Routing. Rick Graziani graziani@cabrillo.edu

Inter-VLAN Routing The following devices are capable of providing inter-VLAN routing: Any external router or group of routers with a separate interface in each VLAN Any external router with an interface that supports trunking (router on a stick) Any Layer 3 multilayer Catalyst switch Or trunk port The following devices are capable of providing inter-VLAN routing: Any Layer 3 multilayer Catalyst switch Any external router with an interface that supports trunking (router on a stick) Any external router or group of routers with a separate interface in each VLAN Rick Graziani graziani@cabrillo.edu

Router with separate interfaces Not scalable S1(config)# vlan 10 S1(config-vlan)# exit S1(config)# vlan 30 S1(config)# interface f0/11 S1(config-if)# switchport access vlan 10 S1(config-if)# exit S1(config)# interface f0/4 S1(config)# interface f0/6 S1(config)# switchport access vlan 30 S1(config)# interface f0/5 S1(config-if)# switchport access vlan 30 5.1.2.2 Configure Legacy Inter-VLAN Routing: Switch Configuration R1(config)# interface g0/0 R1(config-if)# ip address 172.17.10.1 255.255.255.0 R1(config-if)# no shutdown R1(config)# exit R1(config-if)# interface g0/1 R1(config-if)# ip address 172.17.30.1 255.255.255.0

Router-on-a-Stick 172.17.10.1 172.17.30.1 VLAN 10 PC 2 172.17.10.30 172.17.30.55 The router-on-a-stick approach uses a different path to route between VLANs. One of the router’s physical interfaces is configured as a 802.1Q trunk port so it can understand VLAN tags. Logical subinterfaces are created; one subinterface per VLAN. Each subinterface is configured with an IP address from the VLAN it represents. VLAN members (hosts) are configured to use the subinterface address as a default gateway. Only one of the router’s physical interface is used.

S1(config)# vlan 10 S1(config-vlan)# vlan 30 S1(config-vlan)# exit S1(config)# interface f0/11 S1(config-if)# switchport mode access S1(config-if)# switchport access vlan 10 S1(config-if)# exit S1(config)# interface f0/6 S1(config-if)# switchport access vlan 30 S1(config-vlan)# interface f0/5 S1(config-if)# switchport mode trunk S1(config-if)# R1(config)# interface g0/0.10 R1(config-subif)# encapsulation dot1q 10 R1(config-subif)# ip address 172.17.10.1 255.255.255.0 R1(config-subif)# exit R1(config)# interface g0/0.30 R1(config-subif)# encapsulation dot1q 30 R1(config-subif)# ip address 172.17.30.1 255.255.255.0 R1(config)# interface g0/0 R1(config-if)# no shutdown

R1# show vlans <output omitted> Virtual LAN ID: 10 (IEEE 802.1Q Encapsulation) vLAN Trunk Interface: GigabitEthernet0/0.10 Protocols Configured: Address: Received: Transmitted: IP 172.17.10.1 11 18 Virtual LAN ID: 30 (IEEE 802.1Q Encapsulation) vLAN Trunk Interface: GigabitEthernet0/0.30 IP 172.17.30.1 11 8

R1# show ip route Codes: L - local, C - connected, S - static, R - RIP, M - mobile, B – BGP <output omitted> 172.17.0.0/16 is variably subnetted, 4 subnets, 2 masks C 172.17.10.0/24 is directly connected, GigabitEthernet0/0.10 L 172.17.10.1/32 is directly connected, GigabitEthernet0/0.10 C 172.17.30.0/24 is directly connected, GigabitEthernet0/0.30 L 172.17.30.1/32 is directly connected, GigabitEthernet0/0.30

External Routers: Advantages Disadvantages Advantages of external router usage: Works with any switch because Layer 3 services are not required on the switch. Many switches do not contain Layer 3 forwarding capability, especially switches that are used at the access layer of a hierarchical network. Simple implementation. Only one switch port and one router interface require configuration. The router provides communication between VLANs. The design and also the process for troubleshooting traffic flow become very simple because there is only one place in the network where VLANs interconnect.

External Routers: Advantages Disadvantages Disadvantages of external router usage: The router is a single point of failure. A single traffic path may become congested. Latency may be introduced as frames leave and reenter the switch chassis multiple times and as the router makes software-based routing decisions. Any time that traffic must flow between devices, latency is introduced. In addition, routers make routing decisions in software, which always incur a greater latency penalty than switching with hardware. (??? Routers with line cards) Physical limitations such as link congestions, latency and speed, it is not recommended to use it in large deployments.

Layer 3 Interfaces The Catalyst multilayer switches support three different types of Layer 3 interfaces: Routed port— A pure Layer 3 interface similar to a routed port on a Cisco IOS router. Switch virtual interface (SVI)— A virtual VLAN interface for inter-VLAN routing. In other words, SVIs are the virtual routed VLAN interfaces. Bridge virtual interface (BVI)— A Layer 3 virtual bridging interface. (Not discussed) The Catalyst multilayer switches support three different types of Layer 3 interfaces: Routed port— A pure Layer 3 interface similar to a routed port on a Cisco IOS router. Switch virtual interface (SVI)— A virtual VLAN interface for inter-VLAN routing. In other words, SVIs are the virtual routed VLAN interfaces. Bridge virtual interface (BVI)— A Layer 3 virtual bridging interface. (Not discussed) Rick Graziani graziani@cabrillo.edu

Routed Ports versus Switched Virtual Interfaces Routed Ports – Just like a router, the port has an IP address/mask that makes it a member of that subnet. SVI – The switch is a member of that IP subnet/VLAN. All switch ports that are a member of that VLAN can communicate with the switch

Multilayer Switch Interfaces Layer 2: Access or Trunk Ports Physical Interface Logical Interface (SVI) Performs both Layer 2 switching and interVLAN routing. Layer 2 Interface: Access or Trunk ports Layer 3 Interface: Has an IP address assigned to it. The Default Gateway for any hosts connected to that interface or VLAN. Physical interface Same as a router Aka “Routed Port” Example: interface gigabit 0/1 Logical Interface Represents an entire VLAN Switched Virtual Interface (SVI) Example: interface vlan 10

Multilayer Switch Interfaces Is it a “switch” port? DLS1(config)# interface gig 0/2 DLS1(config-if)# no switchport DLS1(config-if)# end DLS1# show interface gig 0/2 switchport Name: Gig0/2 Switchport: Disabled <output omitted> DLS1# config t DLS1(config-if)# switchport Switchport: Enabled Converts interface to Layer 3 Layer 3 Converts interface to Layer 2 Layer 2 If in Layer 3 mode switchport interface command puts the port into Layer 2 mode.

SVI VLAN 10 192.168.10.1 255.255.255.0 SVI VLAN 20 192.168.20.1 255.255.255.0 A B C D 192.168.10.10 255.255.255.0 GW 192.168.10.1 192.168.10.11 255.255.255.0 GW 192.168.10.1 192.168.20.12 255.255.255.0 GW 192.168.20.1 192.168.20.13 255.255.255.0 GW 192.168.20.1 Layer 3 functionality can also be enabled for an entire VLAN. The IP address is assigned to the logical interface – the VLAN. This is needed when routing is required between VLANs. SVI (Switched Virtual Interface) No physical connection VLANs must be created before the SVI can be used. The IP address associated of the VLAN interface is the default gateway of the workstation.

SVI VLAN 10 192.168.10.1 255.255.255.0 SVI VLAN 20 192.168.20.1 255.255.255.0 A B C D 192.168.10.10 255.255.255.0 GW 192.168.10.1 192.168.10.11 255.255.255.0 GW 192.168.10.1 192.168.20.12 255.255.255.0 GW 192.168.20.1 192.168.20.13 255.255.255.0 GW 192.168.20.1 <VLANs have been created or will be created when configured on the interface> S1(config)# interface range fastethernet 0/1 - 12 S1(config-if-range)# switchport mode access S1(config-if-range)# switchport access vlan 10 S1(config-if-range)# exit S1(config)# interface range fastethernet 0/12 - 24 S1(config-if-range)# switchport access vlan 20 S1(config-if-range)# end

SVI VLAN 10 192.168.10.1 255.255.255.0 SVI VLAN 20 192.168.20.1 255.255.255.0 A B C D 192.168.10.10 255.255.255.0 GW 192.168.10.1 192.168.10.11 255.255.255.0 GW 192.168.10.1 192.168.20.12 255.255.255.0 GW 192.168.20.1 192.168.20.13 255.255.255.0 GW 192.168.20.1 DLS1(config)# inter vlan 10 DLS1(config-if)# description Engineering VLAN DLS1(config-if)# ip address 192.168.10.1 255.255.255.0 DLS1(config-if)# no shutdown DLS1(config)# inter vlan 20 DLS1(config-if)# description IT VLAN DLS1(config-if)# ip address 192.168.20.1 255.255.255.0

Alternative Configuration SVI VLAN 10 192.168.10.1 255.255.255.0 SVI VLAN 20 192.168.20.1 255.255.255.0 A B C D 192.168.10.10 255.255.255.0 GW 192.168.10.1 192.168.10.11 255.255.255.0 GW 192.168.10.1 192.168.20.12 255.255.255.0 GW 192.168.20.1 192.168.20.13 255.255.255.0 GW 192.168.20.1 Alternative Configuration

A B C D Distribution Layer Switch Trunk Access Layer Switch SVI VLAN 10 192.168.10.1 255.255.255.0 SVI VLAN 20 192.168.20.1 255.255.255.0 Distribution Layer Switch Trunk Access Layer Switch A B C D 192.168.10.10 255.255.255.0 GW 192.168.10.1 192.168.10.11 255.255.255.0 GW 192.168.10.1 192.168.20.12 255.255.255.0 GW 192.168.20.1 192.168.20.13 255.255.255.0 GW 192.168.20.1 DLS1(config)# inter gig 0/2 DLS1(config-if)# switchport mode trunk ALS1(config)# inter fa 0/9 ALS1(config-if)# switchport mode trunk

Multilayer Switch Interfaces Layer 2: Access or Trunk Ports Physical Interface (L3) Logical Interface (SVI – L3) DLS1# show interface gig 0/2 switchport Name: Gig0/2 Switchport: Enabled <output omitted> Layer 2 or Layer 3 Interface? Is it a “switch” port? Default on most Catalyst switches: Layer 2 Default on Catalyst 6500: Layer 3 Verify mode: Switch# show interface type mod/num switchport Switchport: Think Layer 2 Enabled: Layer 2 Disabled: Layer 3

Default Gateway (SVI) Configure DLS1 to be the default gateway for VLANs 10 and 11. All hosts on these VLANs will use these addresses as their default gateway addresses. DLS1(config)# inter vlan 99 DLS1(config-if)# description Management VLAN DLS1(config-if)# ip address 172.16.99.1 255.255.255.0 DLS1(config-if)# no shutdown DLS1(config)# inter vlan 10 DLS1(config-if)# description Engineering VLAN DLS1(config-if)# ip address 172.16.10.1 255.255.255.0 DLS1(config)# inter vlan 11 DLS1(config-if)# description IT VLAN DLS1(config-if)# ip address 172.16.11.1 255.255.255.0

Default Gateway (SVI) Configure DLS2 to be the default gateway for VLANs 20 and 21. All hosts on these VLANs will use these addresses as their default gateway addresses. DLS2(config)# inter vlan 20 DLS2(config-if)# description Sales VLAN DLS2(config-if)# ip address 172.16.20.1 255.255.255.0 DLS2(config-if)# no shut DLS2(config)# inter vlan 21 DLS2(config-if)# description Administration VLAN DLS2(config-if)# ip address 172.16.21.1 255.255.255.0

Default Gateway (SVI) 172.16.10.10 255.255.255.0 Statically or Dynamically assigned 172.16.10.1

Routed Port – Physical Interfaces DLS1(config)# interface gig 0/1 DLS1(config-if)# no switchport DLS1(config-if)# ip address 192.168.1.1 255.255.255.252 DLS2(config)# interface gig 0/1 DLS2(config-if)# no switchport DLS2(config-if)# ip address 192.168.1.2 255.255.255.252 Physical switch ports can operate as Layer 3 interfaces using the interface command: Switch(config)# interface type mod/num Switch(config-if)# no switchport Switch(config-if)# ip address ip-address mask

G0/0 10.10.10.1/24 G0/0 192.168.1.1/24 10.10.10.100/24 DF 10.10.10.1

interface vlan 10 172.16.10.1/24 interface vlan 11 172.16.11.1/24 interface vlan 20 172.16.20.1/24 interface vlan 21 172.16.21.1/24 Trunk =

Management VLAN (SVI) For each device in the network we configured it to be a member of the management VLAN. On each switch Switch(config)# inter vlan 98 Switch(config-if)# description Management VLAN Switch(config-if)# ip address 172.16.98.x 255.255.255.0 Switch(config-if)# no shutdown Switch(config-if)# exit If you want to reach the management VLAN from other VLANs, assign this address to one of the multilayer switches (DLS1 and DLS2): ALS10(config)# ip default-gateway 172.16.98.1

Management VLAN (SVI) For each device in the network we configured it to be a member of the management VLAN. On each switch Switch(config)# inter vlan 99 Switch(config-if)# description Management VLAN Switch(config-if)# ip address 172.16.99.x 255.255.255.0 Switch(config-if)# no shutdown Switch(config-if)# exit If you want to reach the management VLAN from other VLANs, assign this address to one of the multilayer switches (DLS1 and DLS2): ALS20(config)# ip default-gateway 172.16.99.1

interface vlan 98 172.16.98.1/24 On each switch DLS1(config)# inter vlan 98 DLS1(config-if)# ip address 172.16.98.1 255.255.255.0 DLS1(config-if)# no shutdown ALS10(config)# inter vlan 98 ALS10(config-if)# ip address 172.16.98.10 255.255.255.0 ALS10(config-if)# no shutdown ALS10(config)# ip default-gateway 172.16.98.1

interface vlan 98 172.16.98.1/24 interface vlan 99 172.16.99.1/24

SVI Autostate exclude The SVI interface is brought up when one Layer 2 port in the VLAN has had time to converge (transition from STP listening-learning state to forwarding state). The default action when a VLAN has multiple ports is that the SVI goes down when all ports in the VLAN go down. This action prevents features such as routing protocols from using the VLAN interface as if it were fully operational and minimizes other problems, such as routing black holes. You can use the SVI autostate exclude command to configure a port so that it is not included in the SVI line-state up-and-down calculation. One example is the use of a network analyzer, where the traffic capture is being made without the device being an active participant in the VLAN that is assigned to the interface. When the excluded port is in the up state, and all other ports in the VLAN are in the down state, the SVI state is changed to down. Switch(config)# interface fastethernet 0/1 Switch(config-if)# switchport autostate exclude

SVI: Advantages Disadvantages Advantages of SVI: It is much faster than router-on-a-stick because everything is hardware switched and routed. No need for external links from the switch to the router for routing. Not limited to one link. Layer 2 EtherChannels can be used between the switches to get more bandwidth. Latency is much lower because it does not need to leave the switch. Disadvantages of SVI: It needs a Layer 3 switch to perform inter-VLAN routing, which is more expensive (for example, Catalyst 3500 series).

Routed Ports: Advantages Disadvantages Advantages of Routed Ports: A multilayer switch can have SVI and routed ports in a single switch. How is this an advantage of a routed port? Multilayer switches forward either Layer 2 or Layer 3 traffic in hardware, so it helps to do routing faster.

Switched Network Design Core – Route/Switch packets quickly across between distribution multilayer switches. Distribution – Route between VLANs/Subnets, ACLs Access – Provide access to end devices and provide port security. L3 = Routed Ports, over IP, separate subnets L2 = SVI, VLANs over Trunks OR individual VLANs

Switched Network Design As network technologies evolved, routing became faster and cheaper. Today, routing can be performed at hardware speed. One consequence of this evolution is that routing can be brought down to the core and the distribution layers without impacting network performance. Because many users are in separate VLANs, and because each VLAN is usually a separate subnet, it is logical to configure the distribution switches as Layer 3 gateways for the users of each access switch VLAN. This implies that each distribution switch must have IP addresses matching each access switch VLAN.

Verifying Verify IP addresses DLS1#show ip inter brief Interface IP-Address OK? Method Status Protocol FastEthernet0/1 192.168.4.6 YES manual up up GigabitEthernet0/1 192.168.1.1 YES manual up up Vlan10 172.16.10.1 YES manual up up Vlan11 172.16.11.1 YES manual up up

InterVLAN Routing External Router No VLANs External Router VLANs Router on a stick VLANs or No VLANs VLANs 1, 2, 3 Trunk VLAN 1 VLAN 2 Multilayer Switch VLAN 3 Trunk Multilayer Switch

Layer 3 EtherChannel IP broadcast forwarding is necessary when using VLANs to centrally locate DHCP or other servers where clients rely on broadcasts to locate or communicate with the services running on the server. For example, DHCP requests are IP subnet broadcasts to the 255.255.255.255 address. Routers do not route these packets by default. However, Cisco routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a unicast or directed broadcast address. The broadcast-forwarding features support more than DHCP and can forward any UDP broadcast. The following list summarizes the solutions that Cisco IOS IP broadcast forwarding features provide: DHCP relay agent UDP broadcast forwarding On Layer 3 switches, switched ports can be converted to routed ports. These ports do not perform switching at Layer 2 anymore, but become Layer 3 ports that are similar to those that are found on router platforms. EtherChannel links can also be created on Layer 3 links. Rick Graziani graziani@cabrillo.edu

DHCP Similar to CCNA DHCP configuration. See Lab! DSW1(config)# ip dhcp excluded-address 10.0.10.1 DSW1(config)# ip dhcp pool VLAN10POOL DSW1(config-dhcp)# network 10.0.10.0 255.255.255.0 DSW1(config-dhcp)# default-router 10.0.10.1 DSW1(config-dhcp)# lease 2 IP broadcast forwarding is necessary when using VLANs to centrally locate DHCP or other servers where clients rely on broadcasts to locate or communicate with the services running on the server. For example, DHCP requests are IP subnet broadcasts to the 255.255.255.255 address. Routers do not route these packets by default. However, Cisco routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a unicast or directed broadcast address. The broadcast-forwarding features support more than DHCP and can forward any UDP broadcast. The following list summarizes the solutions that Cisco IOS IP broadcast forwarding features provide: DHCP relay agent UDP broadcast forwarding Similar to CCNA DHCP configuration. See Lab! Rick Graziani graziani@cabrillo.edu

Traditional and CEF Based Multilayer Switching

Multilayer Switching CEF-Based MLS Traditional MLS Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware. Optional support for Layers 4 through 7 switching in hardware as well. Hardware switching: A route processor (Layer 3 engine) must download software-based routing, switching, access lists, QoS, and other information to the hardware for packet processing. Multilayer switching refers to the ability of a Catalyst switch to support switching and routing of packets in hardware, with optional support for Layers 4 through 7 switching in hardware as well. Hardware switching: A route processor (Layer 3 engine) must download software-based routing, switching, access lists, QoS, and other information to the hardware for packet processing. Most enterprise networks use multilayer switches to achieve high packet-processing rates using hardware switching. Multilayer (layer 3) switches usually have packet-switching throughputs in the millions of packets per second (pps), whereas traditional general-purpose routers provide packet switching in the range of 100,000 pps to just over 1 million pps. Rick Graziani graziani@cabrillo.edu

Traditional and CEF-based MLS Traditional MLS Cisco Catalyst switches use either: Traditional multilayer switching (traditional MLS) A legacy feature Cisco Express Forwarding (CEF)-based MLS architecture. All leading-edge Catalyst switches support CEF-based multilayer switching To accomplish multilayer switching (packet processing in hardware), Cisco Catalyst switches use either: Traditional multilayer switching (traditional MLS) Cisco Express Forwarding (CEF)-based MLS architecture. Traditional MLS is a legacy feature, whereas all leading-edge Catalyst switches support CEF-based multilayer switching (CEF-based MLS). Rick Graziani graziani@cabrillo.edu

Traditional MLS Specialized application-specific integrated circuits (ASICs) perform Layer 2 rewrite operations of routed packets: Source MAC address Destination MAC address Cyclic redundancy check (CRC). Because the source and destination MAC addresses change during Layer 3 rewrites, the switch must recalculate the CRC for these new MAC addresses. MLS enables specialized application-specific integrated circuits (ASICs) to perform Layer 2 rewrite operations of routed packets. Layer 2 rewrites include rewriting the source and destination MAC addresses and writing a recalculated cyclic redundancy check (CRC). Because the source and destination MAC addresses change during Layer 3 rewrites, the switch must recalculate the CRC for these new MAC addresses. Rick Graziani graziani@cabrillo.edu

Traditional MLS Switch learns Layer 2 rewrite information from an MLS router via an MLS protocol. netflow-based switching. With traditional MLS, the Layer 3 engine (route processor) and switching ASICs work together to build Layer 3 entries on the switch. Each entry can be populated in one of three ways: Source IP address only Source and destination IP addresses Full Flow Information with Layer 4 protocol information. For Catalyst switches that support traditional MLS, the switch learns Layer 2 rewrite information from an MLS router via an MLS protocol. Also known as netflow-based switching. With traditional MLS, the Layer 3 engine (route processor) and switching ASICs work together to build Layer 3 entries on the switch. Each entry contains a source, a source and destination, or full flow information including Layer 4 protocol information. Rick Graziani graziani@cabrillo.edu

Traditional MLS dot1q Tag (inside Eth. Hdr) Ethernet Header IP Header IP Data   VLAN 1 D-MAC= 00-00-0C-11-11-11 S-MAC= 00-AA-00-11-11-11 S-IP = 10.1.1.10 D-IP = 10.1.2.20 S-MAC= 00-AA-00-11-11-11 With traditional MLS, the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching. After the routing of the first packet in the flow, the Layer 3 engine programs the hardware-switching components for routing for subsequent packets. The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching. After the routing of the first packet in the flow, the Layer 3 engine programs the hardware-switching components for routing for subsequent packets. Rick Graziani graziani@cabrillo.edu

The default gateway is the RSM. MLS-RP MLS-RP The Destination MAC Address is one of the router’s interfaces. There is not an existing flow, so I will flag this as a candidate packet. Candidate Packet Info Layer 3 Info S-IP 10.1.1.10 D-IP 10.1.2.20 Layer 2 Info S-MAC 00-AA-00-11-11-11 D-MAC 00-00-0C-11-11-11 MLS-SE dot1q Tag (inside Eth. Hdr) Ethernet Header IP Header IP Data   VLAN 1 D-MAC= 00-00-0C-11-11-11 S-MAC= 00-AA-00-11-11-11 S-IP = 10.1.1.10 D-IP = 10.1.2.20 When workstation A sends a packet to workstation B, workstation A sends the packet to its default gateway. In the default gateway is the RSM. The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP). As a result, the switch creates a candidate entry for this flow. When workstation A sends a packet to workstation B, workstation A sends the packet to its default gateway. The default gateway is the RSM. The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP). As a result, the switch creates a candidate entry for this flow. Rick Graziani graziani@cabrillo.edu

MLS-RP MLS-SE dot1q Tag (inside Eth. Hdr) Ethernet Header IP Header IP Data   VLAN 2 D-MAC= 00-AA-00-22-22-22 S-MAC= 00-00-0C-22-22-22 S-IP = 10.1.1.10 D-IP = 10.1.2.20 Next, the router accepts the packets from workstation A, rewrites the Layer 2 destination MAC address and CRC, and forwards the packet to workstation B. The switch refers to the routed packet from the RSM as the enabler packet. Next, the router accepts the packets from workstation A, rewrites the Layer 2 MAC addresses and CRC, and forwards the packet to workstation B. The switch refers to the routed packet from the RSM as the enabler packet. Rick Graziani graziani@cabrillo.edu

MLS-SE recognizes various matches including CAM, details not included. MLS-RP Candidate Packet Info Layer 3 Info S-IP 10.1.1.10 D-IP 10.1.2.20 Layer 2 Info S-MAC 00-AA-00-11-11-11 D-MAC 00-00-0C-11-11-11 MLS-SE dot1q Tag (inside Eth. Hdr) Ethernet Header IP Header IP Data   VLAN 2 D-MAC= 00-AA-00-22-22-22 S-MAC= 00-00-0C-22-22-22 S-IP = 10.1.1.10 D-IP = 10.1.2.20 MLS-SE recognizes various matches including CAM, details not included. Basically, the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1. The switch, upon seeing both the candidate and enabler packets, creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow. MLS-SE recognizes various matches including CAM, details not included. Basically, the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1. The switch, upon seeing both the candidate and enabler packets, creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow. Rick Graziani graziani@cabrillo.edu

MLS Cache MLS-RP MLS-SE Candidate Packet Info Layer 3 Info S-IP 10.1.1.10 D-IP 10.1.2.20 Layer 2 Info S-MAC 00-AA-00-11-11-11 D-MAC 00-00-0C-11-11-11 Found match in MLS Cache, rewrite Ethernet Header and send directly to Host B, forget the router! MLS-SE Future Packets Dst IP Src IP Port Dst Port Src Port Dst MAC Src MAC VLAN Interface 10.1.2.20 10.1.1.10 TCP 23 1238 00-AA-00-22-22-22 00-00-0C-22-22-22 2 3/1 MLS Cache As future packets from the “flow” arrive, the MLS-SE uses the destination IP address to look up the entry in the MLS cache. Finding a match, it uses a rewrite engine to modify the necessary header information and then sends the packet directly to the destination (the packet is not forwarded to the router). The rewrite operation modifies all the same fields initially modified by the router for the first packet, including the source MAC and destination MAC addresses. As future packets from the “flow” arrive, the MLS-SE uses the destination IP address to look up the entry in the MLS cache. Finding a match, rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router). The rewrite operation modifies all the same fields initially modified by the router for the first packet, including the source MAC and destination MAC addresses. Rick Graziani graziani@cabrillo.edu

CEF-based MLS Rick Graziani graziani@cabrillo.edu

CEF CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor, port, or line card for hardware switching of packets. Control plane represents the Layer 3 engine (route processor) Data plane represents the hardware components such as ASICs used by the switch for hardware switching. CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB). Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses. CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor, port, or line card for hardware switching of packets. Control plane represents the Layer 3 engine (route processor) Data plane represents the hardware components such as ASICs used by the switch for hardware switching. CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB). As a result of the prepopulation of routing information, Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses. Rick Graziani graziani@cabrillo.edu

CEF The two main components of CEF are : FIB Adjacency Table Routing Table The two main components of CEF are : FIB Adjacency Table Forwarding information base Make IP destination switching decisions. Similar to a routing table Mirror image of the forwarding information contained in the IP routing table. When routing or topology changes occur in the network, the IP routing table is updated, and those changes are reflected in the FIB. Maintains next-hop address information based on the information in the IP routing table. Both the Layer 3 engine and the hardware-switching components maintain a FIB. The two main components of CEF are FIB and Adjacency Table Forwarding information base Used make IP destination prefix-based switching decisions. Similar to a routing table or information base. It maintains a mirror image of the forwarding information contained in the IP routing table. When routing or topology changes occur in the network, the IP routing table is updated, and those changes are reflected in the FIB. The FIB maintains next-hop address information based on the information in the IP routing table. In the context of CEF-based MLS, both the Layer 3 engine and the hardware-switching components maintain an FIB. Rick Graziani graziani@cabrillo.edu

CEF Adjacency tables Network nodes in the network are said to be adjacent if they can reach each other with a single hop across a link layer. (OSPF, EIGRP) A router normally maintains: Routing table containing Layer 3 network and next-hop information ARP table containing Layer 3 to Layer 2 address mapping. These tables are kept independently. Adjacency tables Network nodes in the network are said to be adjacent if they can reach each other with a single hop across a link layer. (OSPF, EIGRP) A router normally maintains: Routing table containing Layer 3 network and next-hop information ARP table containing Layer 3 to Layer 2 address mapping. These tables are kept independently. Rick Graziani graziani@cabrillo.edu

CEF Next hop? Adjacency tables Layer 2 MAC Addresses, Next Hop Information CEF Next hop? Adjacency tables The FIB keeps the Layer 3 next-hop address for each entry. To streamline packet forwarding even more, the FIB has corresponding Layer 2 information for every next-hop entry. This portion of the FIB is called the adjacency table, consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop. Adjacency tables Recall that the FIB keeps the Layer 3 next-hop address for each entry. To streamline packet forwarding even more, the FIB has corresponding Layer 2 information for every next-hop entry. This portion of the FIB is called the adjacency table, consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop. Rick Graziani graziani@cabrillo.edu

I’ll generate the ARP Request and get an ARP Reply. No ARP entry, L3 forwarding engine can’t forward packet in hardware, must send to L3 Engine. CEF I’ll generate the ARP Request and get an ARP Reply. Adjacency tables (summary, more detail coming) Built from the ARP table. As a next-hop address receives a valid ARP entry, the adjacency table is updated. If an ARP entry does not exist, the FIB entry is marked as “CEF glean.” This means that the Layer 3 forwarding engine can't forward the packet in hardware, due to the missing Layer 2 next-hop address. The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply. This is known as the “CEF glean” state, where the Layer 3 engine must glean the next-hop destination's MAC address. Adjacency tables (summary, more detail coming) The adjacency table information is built from the ARP table. As a next-hop address receives a valid ARP entry, the adjacency table is updated. If an ARP entry does not exist, the FIB entry is marked as “CEF glean.” This means that the Layer 3 forwarding engine can't forward the packet in hardware, due to the missing Layer 2 next-hop address. The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply. This is known as the “CEF glean” state, where the Layer 3 engine must glean the next-hop destination's MAC address. Rick Graziani graziani@cabrillo.edu

CEF Adjacency tables What happens to subsequent packets while FIB entry is in glean state? (L3 engine is sending ARP Request.) These packets are dropped. So input queues do not fill. So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests. This is called ARP throttling or throttling adjacency. If an ARP reply is not received in two seconds, the throttling is released so that another ARP request can be triggered. After ARP reply is received: Throttling is released FIB entry can be completed Subsequent packets can be forwarded in hardware Adjacency tables During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution, subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests. This is called ARP throttling or throttling adjacency. If an ARP reply is not received in two seconds, the throttling is released so that another ARP request can be triggered. Otherwise, after an ARP reply is received, the throttling is released, the FIB entry can be completed, and packets can be forwarded completely in hardware. When a router is directly connected to a multiaccess segment (Ethernet), the router maintains an additional prefix for the subnet.. This subnet prefix points to a glean adjacency. When a router receives a packets that needs to be forwarded to a specific host, the adjacency database is gleaned for a specific prefix. If the prefix does not exist, the subnet prefix is consulted. The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing. Rick Graziani graziani@cabrillo.edu

ARP Throttling 1. Host A sends a packet to Host B. CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table). No rewrite information exists. 2. Packet passed to Layer 3 Engine for processing. 1. Host A sends a packet to Host B. CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table). No rewrite information exists. 2. Packet passed to Layer 3 Engine for processing. Rick Graziani graziani@cabrillo.edu

ARP Throttling X X X 3. Obtaining rewrite information. Throttling Adjacency is removed when no ARP Reply is received in 2 seconds. This allows for another packet to to initiate a new ARP Request. Throttling Adjacency relieves the Layer 3 Engine of excessive ARP processing or ARP-based DoS attacks. ARP Request Drop packets until ARP Reply received (Throttling Adjacency) X X X 3. Obtaining rewrite information. L3 Engine sends an ARP Request for Host B and waits for ARP Reply. Throttling Adjacency: While in glean state, subsequent packets to that host are dropped, so that input queues do not fill and so the Layer 3 engine isn’t busy with duplicate ARP Requests. (Note: Cisco’s routers drop the first packet when there is no ARP entry, while sending the ARP Request.) Throttling Adjacency is removed when no ARP Reply is received in 2 seconds. This allows for another packet to to initiate a new ARP Request. Throttling Adjacency relieves the Layer 3 Engine of excessive ARP processing or ARP-based DoS attacks. 3. Obtaining rewrite information. L3 Engine sends an ARP Request for Host B and waits for ARP Reply. Throttling Adjacency: While in glean state, subsequent packets to that host are dropped, so that input queues do not fill and so the Layer 3 engine isn’t busy with duplicate ARP Requests. (Note: Cisco’s routers drop the first packet when there is no ARP entry, while sending the ARP Request.) Rick Graziani graziani@cabrillo.edu

ARP Throttling X X X 4. Host B sends ARP Reply. Drop packets until ARP Reply received (Throttling Adjacency) ARP Reply X X X 4. Host B sends ARP Reply 4. Host B sends ARP Reply. Rick Graziani graziani@cabrillo.edu

ARP Throttling Host B’s MAC Address 10.20.10.2 Drop packets until ARP Reply received (Throttling Adjacency) 5. The Layer 3 Engine installs Adjacency for Host B and removes the throttling (drop) adjacency. Next: Packet Rewrite (Coming!) 5. The Layer 3 Engine installs Adjacency for Host B and removes the throttling (drop) adjacency. Next: Packet Rewrite (Coming!) Rick Graziani graziani@cabrillo.edu

Packet Rewrite Egress Packet Rick Graziani graziani@cabrillo.edu

Packet Rewrite The switch receives another packet: Host B’s MAC Address 10.20.10.2 L2 Checksum L3 Checksum TTL Default Gateway Host A The switch receives another packet: After a multilayer switch finds valid entries in the FIB and adjacency tables, a packet is almost ready to be forwarded. One step remains—the packet header information must be rewritten. Multilayer switching occurs as quick table lookups: Find the next-hop address Outbound switch port. The IP header must also be adjusted, as if a traditional router had done the forwarding (TTL). The switch receives another packet: After a multilayer switch finds valid entries in the FIB and adjacency tables, a packet is almost ready to be forwarded. One step remains—the packet header information must be rewritten. Keep in mind that multilayer switching occurs as quick table lookups, to find the next-hop address and the outbound switch port. The packet is untouched, still having the original destination MAC address of the switch (Router interface) itself. The IP header must also be adjusted, as if a traditional router had done the forwarding (TTL). Rick Graziani graziani@cabrillo.edu

Packet Rewrite Host B’s MAC Address 10.20.10.2 L2 Checksum L2 Checksum L3 Checksum L3 Checksum TTL - 1 TTL Host B MAC Add Default Gateway L3 switch outbound interface Host A The packet rewrite engine makes the following changes to the packet just prior to forwarding: Layer 2 destination address— Changed to the next-hop device's MAC address Layer 2 source address— Changed to the outbound Layer 3 switch interface's MAC address Layer 3 IP Time To Live (TTL)— Decremented by one, as one router hop has just occurred Layer 2 frame checksum— Recalculated to include changes to the Layer 2 and Layer 3 headers Layer 3 IP checksum— Recalculated to include changes to the IP header The packet rewrite engine makes the following changes to the packet just prior to forwarding: Layer 2 destination address— Changed to the next-hop device's MAC address Layer 2 source address— Changed to the outbound Layer 3 switch interface's MAC address Layer 3 IP Time To Live (TTL)— Decremented by one, as one router hop has just occurred Layer 3 IP checksum— Recalculated to include changes to the IP header Layer 2 frame checksum— Recalculated to include changes to the Layer 2 and Layer 3 headers Rick Graziani graziani@cabrillo.edu

Packet Rewrite Host B’s MAC Address 10.20.10.2 L2 Checksum L2 Checksum L3 Checksum L3 Checksum TTL - 1 TTL Host B MAC Add Default Gateway L3 switch outbound interface Host A A traditional router would normally make the same changes to each packet. The multilayer switch must act as if a traditional router were being used, making identical changes. The multilayer switch: Can do this very efficiently with dedicated packet rewrite hardware and with address information obtained from table lookups. A traditional router would normally make the same changes to each packet. The multilayer switch must act as if a traditional router were being used, making identical changes. However, the multilayer switch can do this very efficiently with dedicated packet rewrite hardware and address information obtained from table lookups. Rick Graziani graziani@cabrillo.edu

Packet Rewrite Host B’s MAC Address 10.20.10.2 L2 Checksum L2 Checksum L3 Checksum L3 Checksum TTL - 1 TTL Host B MAC Add Default Gateway L3 switch outbound interface Host A The switch performs a Layer 3 lookup and finds a CEF entry for Host B. The switch rewrites packets per the adjacency information and forwards the packet to Host B on its VLAN. The switch performs a Layer 3 lookup and finds a CEF entry for Host B. The switch rewrites packets per the adjacency information and forwards the packet to Host B on its VLAN. Rick Graziani graziani@cabrillo.edu

CEF Catalyst switches do not support routing of all types of frames in hardware. For example, the following list details common frame types that are not supported by hardware switching: Packets with IP header options Packets sourced from or destined to tunnel interfaces Packets using Ethernet encapsulation types other than ARPA Packets that require fragmentation (exceed MTU of the interface) Two types of CEF Central CEF – Forwarding decisions done by ASIC that is central to all interfaces. Distributed CEF (dCEF) – Forwarding decisions done on independently on interfaces or line modules (faster). Catalyst switches do not support routing of all types of frames in hardware. For example, the following list details common frame types that are not supported by hardware switching: Packets with IP header options Packets sourced from or destined to tunnel interfaces Packets using Ethernet encapsulation types other than ARPA Packets that require fragmentation Rick Graziani graziani@cabrillo.edu

Switching Table Architectures Multilayer switches build routing (CEF FIB and adjacency), bridging, QoS, and access control list (ACL) tables for centralized or distributed switching in hardware using high-speed memory tables. Switches perform lookups in these tables for result information, such as to determine whether a packet with a specific destination IP address is supposed to be dropped according to an ACL. These tables support high-performance lookups and search algorithms such that multilayer switches maintain line-rate performance. Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables : Routing (CEF FIB and adjacency) Bridging QoS Access Control :ist (ACL) tables. Rick Graziani graziani@cabrillo.edu

Switching Table Architectures - Details CAM TCAM Multilayer switches deploy memory tables using specialized memory architectures: CAM (content addressable memory) Provides only two results: 0 (true) or 1 (false). For exact matches such as MAC address tables. TCAM (ternary content addressable memory ) – Ternary Logic Provides three results: 0 (don’t care), 1 (true), 2 (false); Ternary Logic; Ternary number system (Base 3) - trits For longest matches such as IP routing tables organized by IP prefixes. Multilayer switches deploy memory tables using specialized memory architectures: CAM (content addressable memory) Provides only two results: 0 (true) or 1 (false). CAM is most useful for building tables that search on exact matches such as MAC address tables. TCAM (ternary content addressable memory ) – Ternary Logic Provides three results: 0 (don’t care), 1 (true), 2 (false); Ternary Logic; Ternary number system (Base 3) - trits TCAM is most useful for building tables for searching on longest matches such as IP routing tables organized by IP prefixes. Rick Graziani graziani@cabrillo.edu

CAM For Layer 2 switching tables. With CAM tables, switches must find exact matches or the switches use a default behavior. Switch must find an exact match to a destination MAC address or the switch floods the packet out all ports in the VLAN. Catalyst switches use CAM tables to house, Layer 2 switching tables. Switches match results in CAM tables in binary (0 or 1 operations). With CAM tables, switches must find exact matches or the switches use a default behavior. For example, in the case of Layer 2 switching tables, the switch must find an exact match to a destination MAC address or the switch floods the packet out all ports in the VLAN. Rick Graziani graziani@cabrillo.edu

CAM VLAN ID Key Key The information a switch uses to perform a lookup in a CAM table is called a key. Destination MAC address VLAN ID The information a switch uses to perform a lookup in a CAM table is called a key. For example, a Layer 2 lookup would use a destination MAC address and a VLAN ID as a key. Rick Graziani graziani@cabrillo.edu

TCAM TCAM is a specialized CAM designed for rapid table lookups. For example, the Catalyst 2950, 3550, 4500, and 6500 families of switches use TCAM to handle ACL lookups at line rate. Thus applying ACLs does not affect the performance of the switch. Single lookup provides the following information: Layer 2 Layer 3 ACL TCAM is a specialized CAM designed for rapid table lookups. For example, the Catalyst 2950, 3550, 4500, and 6500 families of switches use TCAM to handle ACL lookups at line rate. As a result of using TCAM, applying ACLs does not affect the performance of the switch. Rick Graziani graziani@cabrillo.edu

TCAM VMR (value, mask, and result) refers to the format of entries in TCAM. The “value” in VMR refers to the pattern that is to be matched: Examples include IP addresses and protocol ports The “mask” refers to the mask bits associated with the pattern and determines the prefix. The “result” refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask. This result might be a “permit” or “deny” in the case of a TCAM for ACLs. Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing. If TCAM becomes full the wildcard entry will force the packet to route via the routing table. VMR (value, mask, and result) refers to the format of entries in TCAM. The “value” in VMR refers to the pattern that is to be matched: Examples include IP addresses and protocol ports The “mask” refers to the mask bits associated with the pattern and determines the prefix. The “result” refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask. This result might be a “permit” or “deny” in the case of a TCAM for ACLs. Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing. Rick Graziani graziani@cabrillo.edu

CEF-Based MLS Lookups 1. Layer 3 packets initiate TCAM lookup. 2. The longest match returns adjacency with rewrite information. 3. The packet is rewritten per adjacency information and forwarded. 1. Layer 3 packets initiate TCAM lookup. 2. The longest match returns adjacency with rewrite information. 3. The packet is rewritten per adjacency information and forwarded. Rick Graziani graziani@cabrillo.edu

Inter-VLAN Routing Summary A router on a stick can be used to route between VLANs using either ISL or 802.1Q as the trunking protocol. A router on a stick requires subinterfaces, one for each VLAN. Verify inter-VLAN routing by generating IP packets between two subnets. Multilayer switches can forward traffic both at Layer 2 and at Layer 3. Multilayer switches rewrite the Layer 2 and Layer 3 header using tables held in hardware. A router on a stick can be used to route between VLANs using either ISL or 802.1Q as the trunking protocol. A router on a stick requires subinterfaces, one for each VLAN. Verify inter-VLAN routing by generating IP packets between two subnets. Multilayer switches can forward traffic both at Layer 2 and at Layer 3. Multilayer switches rewrite the Layer 2 and Layer 3 header using tables held in hardware. Rick Graziani graziani@cabrillo.edu

Configuring Inter-VLAN Routing Through an SVI Step 1 : Configure IP routing. Switch(config)#ip routing Step 2 : Create an SVI interface. Switch(config)#interface vlan vlan-id Step 3 : Assign an IP address to the SVI. Switch(config-if)#ip address ip-address mask SVI is a VLAN of switch ports represented by one interface to the routing system. Specific commands are used to configure and verify routing on multilayer switch interfaces. The interface vlan command creates the SVI. A routed port has Layer 3 attributes. A routed port requires the removal of Layer 2 port functionality with the no switchport command. To receive dynamic updates, a routing protocol is required. Step 4 : Configure the IP routing protocol if needed. Switch(config)#router ip_routing_protocol <options> Rick Graziani graziani@cabrillo.edu

Configuring a Routed Port Step 1 : Configure IP routing. Switch(config)#ip routing Step 2 : Create a routed port. Switch(config-if)#no switchport Step 3 : Assign an IP address to the routed port. Switch(config-if)#ip address ip-address mask Step 4 : Configure the IP routing protocol if needed. Switch(config)#router ip_routing_protocol <options> Rick Graziani graziani@cabrillo.edu

Enabling CEF The commands required to enable CEF are platform dependent: On the Cisco Catalyst 4000 switch Switch(config-if)#ip cef On the Cisco Catalyst 3550 switch Switch(config-if)#ip route-cache cef Configuring CEF ip cef (enabled by default) ip route-cache cef (only on VLAN interface) Verifying CEF show ip cef fa 0/1 detail show adjacency fa 0/1 detail Rick Graziani graziani@cabrillo.edu

Verifying CEF Switch#show ip cef [type mod/port | vlan_interface] [detail] Switch# show ip cef vlan 11 detail IP CEF with switching (Table Version 11), flags=0x0   10 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0   13 leaves, 12 nodes, 14248 bytes, 14 inserts, 1 invalidations   0 load sharing elements, 0 bytes, 0 references   universal per-destination load sharing algorithm, id 4B936A24   2(0) CEF resets, 0 revisions of existing leaves   Resolution Timer: Exponential (currently 1s, peak 1s)   0 in-place/0 aborted modifications   refcounts:  1061 leaf, 1052 node   Table epoch: 0 (13 entries at this epoch) 172.16.11.0/24, version 6, epoch 0, attached, connected 0 packets, 0 bytes   via Vlan11, 0 dependencies     valid glean adjacency Rick Graziani graziani@cabrillo.edu

Verify Layer 3 Switching Switch#show interface {{type mod/port} | {port-channel number}} | begin L3 Switch#show interface fastethernet 3/3 | begin L3 L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 12 pkt, 778 bytes mcast L3 out Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes 4046399 packets input, 349370039 bytes, 0 no buffer Received 3795255 broadcasts, 2 runts, 0 giants, 0 throttles ..... Switch# Rick Graziani graziani@cabrillo.edu

Displaying Hardware Layer 3 Switching Statistics Switch#show interfaces {{type mod/port} | {port-channel number}} include switched Switch#show interfaces gigabitethernet 9/5 | include switched L2 Switched: ucast: 8199 pkt, 1362060 bytes - mcast: 6980 pkt, 371952 bytes L3 in Switched: ucast: 3045 pkt, 742761 bytes - mcast: 0 pkt, 0 bytes mcast L3 out Switched: ucast: 2975 pkt, 693411 bytes - mcast: 0 pkt, 0 bytes Rick Graziani graziani@cabrillo.edu

Adjacency Information Switch#show adjacency [{{type mod/port} | {port-channel number}} | detail | internal | summary] Switch#show adjacency gigabitethernet 9/5 detail Protocol Interface Address IP GigabitEthernet9/5 172.20.53.206(11) 504 packets, 6110 bytes 00605C865B82 000164F83FA50800 ARP 03:49:31 Rick Graziani graziani@cabrillo.edu

Debugging CEF Operations Switch#debug ip cef {drops | access-list | receive | events | prefix-ipc | table} Displays debug information for CEF Switch#debug ip cef {ipc | interface-ipc} Displays debug information related to IPC in CEF Switch#ping ip Performs an extended ping Rick Graziani graziani@cabrillo.edu

CEF Summary Layer 3 switching is high-performance packet switching in hardware. MLS functionality can be implemented through CEF. CEF uses tables in hardware to forward packets. Specific commands are used to enable and verify CEF operations. Commands to enable CEF are platform dependent. CEF problems can be matched to specific solutions. Specific commands are used to troubleshoot and solve CEF problems. Ordered steps assist in troubleshooting CEF-based problems. Layer 3 switching is high-performance packet switching in hardware. MLS functionality can be implemented through CEF. CEF uses tables in hardware to forward packets. Specific commands are used to enable and verify CEF operations. Commands to enable CEF are platform dependent. CEF problems can be matched to specific solutions. Specific commands are used to troubleshoot and solve CEF problems. Ordered steps assist in troubleshooting CEF-based problems. Rick Graziani graziani@cabrillo.edu

Traditional and CEF Based Multilayer Switching CIS 187 Multilayer Switched Networks CCNP Rick Graziani Spring 2009