ccnp3 v5.0 bcmsn mod04 implementing intervlan routing.pptx
TRANSCRIPT
1
CCNP 3 (V50)
Building Cisco Multilayer
Switched Networks
(BCMSN) v30
Module 5 Implementing Inter-VALN routing
Origin Cisco Academic Press
Update 이훈재(李焄宰) HoonJae Lee 동서대학교
e-mail hjleedongseoackr
Homepage httpkowondongseoackr~hjlee
httpcryptodongseoackr
Module 4 Implementing Inter-VLAN
routing
- cisco flash v50 -
MCMSN v50
module 4
Cisco flash v50
Dongseo University
HoonJae Lee
2
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
4
Inter-VLAN Routing
A VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected as shown in the previous slides these devices cannot
communicate without the services of a default gateway a router
Because VLANs isolate traffic to a defined broadcast domain and
subnet network devices in different VLANs cannot communicate
with each other without the use of a router
This is known as Inter-VLAN Routing
3
5
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
1 Any Layer 3
multilayer Catalyst
switch
2 Any external router
with an interface that
supports trunking
(ldquorouter-on-a-stickrdquo)
3 Any external router or
group of routers with a
separate interface in
each VLAN
Or trunk port
Inter-VLAN Routing with External Router
bull a single trunk link between the
switch and the router that can
carry the traffic of multiple VLANs
and which in turn can be routed
by the router
6
4
The advantages are as follows
Implementation is simple
Layer 3 services are not required on the switch
The router provides communications between VLANs
The disadvantages are as follows
The router is a single point of failure
The single traffic path between the switch and the router may
become congested
Latency is higher than on a Layer 3 switch
Inter-VLAN Routing with External Router
7
8
Router On a Stick
Router on a stick is very simple to implement because routers are
usually available in every network
Most enterprise networks use multilayer switches to achieve high
packet-processing rates using hardware switching
Multilayer (layer 3) switches usually have packet-switching
throughputs in the millions of packets per second (pps) whereas
traditional general-purpose routers provide packet switching in the
range of 100000 pps to just over 1 million pps 110 speed down
5
9
Connecting VLANs with Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Describing Inter-VLAN Routing Using External
Router Configuration Commands
10
6
Inter-VLAN Routing on External Router
8021Q Trunk Link
switch(config)interface FastEthernet 00switch(config-if)switchport trunk encapsulation dot1qswitch(config-if)switchport mode trunk
11
Inter-VLAN Routing on External Router ISL
Trunk Link switch(config)interface FastEthernet 00switch(config-if)switchport trunk encapsulation islswitch(config-if)switchport mode trunk
12
7
Verifying Inter-VLAN Routing
13
MLS(multilayer switch) = Switch + Router
into one device
A multilayer switch combines the functionality of a
switch and a router into one device therefore
enabling the device to switch traffic when the
source and destination are in the same VLAN and
to route traffic when the source and destination are
in different VLANs (that is different subnets)
The same VLAN switching
Different VLANs routing
ASIC wire speed
Routing table access control list (ACL)
store in CAM TCAM
Explaining Multilayer Switching
14
8
Layer 2 Switch Forwarding process ndash In MLS
15
Logical Flow for a Multilayer Switch
16
9
Frame Rewrite
17
The source MAC address changes from the sender MAC address to the
router MAC address
The destination MAC address changes from the router MAC to the next-hop
MAC address
The TTL is decremented by one and as a result the IP header checksum
is recalculated
The frame checksum is recalculated
Routing switching ACL and QoS tables are stored in a high-speed table memory so that forwarding decisions and restrictions can be made in high-speed hardware
Cisco Catalyst switches create and use two primary table architectures
CAM (content addressable memory)
two results 0 (true) or 1 (false)
MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
three results 0 (donrsquot care) 1 (true) 2 (false)
IP tables routing ACL QoS
Switching Table Architectures - Details
CAM TCAM
18
10
CAM Application
Key
VLAN ID
Key
19
The information a switch uses to perform a lookup in a CAM table is
called a key
For example a Layer 2 lookup would use a destination MAC address
and a VLAN ID as a key
In specific high-end switch platforms the TCAM
is a portion of memory designed for rapid
hardware-based table lookups of Layer 3 and
Layer 4 information In the TCAM a single
lookup provides all Layer 2 and Layer 3
forwarding information for frames including CAM
and ACL information
How the values are stored in the TCAM
access-list 101 permit ip host 10111 any
access-list 101 deny ip 10110 000255 any
Longest match region
Each longest match region consists of groups of
Layer 3 address entries (ldquobucketsrdquo) organized in
decreasing order by mask length All entries
within a bucket share the same mask value and
key size The buckets can change their size
dynamically by borrowing address entries from
neighboring buckets Although the size of the
whole protocol region is fixed you can
reconfigure it The reconfigured size of the
protocol region takes effect only after the next
system reboot
First-Match region
The first-match region consists of ACL entries
Lookup stops after the first match of the entry
TCAM
20
11
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
22
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI) mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI) mdash A Layer 3 virtual bridging interface (Not discussed)
12
23
MLS Layer 3 Interface Routed Port
MLS Layer 3 Interface Routed Port A routed switch port is a physical switch port on a multilayer switch that is
capable of Layer 3 packet processing A routed port is not associated with a
particular VLAN as contrasted with an access port or SVI The switch port
functionality is removed from the interface A routed port behaves like a
regular router interface except that it does not support VLAN subinterfaces
Routed switch ports can be configured using most commands applied to a
physical router interface including the assignment of an IP address and the
configuration of Layer 3 routing protocols
A routed switch port is a standalone port that is not associated with a VLAN
whereas an SVI is a virtual interface that is associated with a VLAN SVIs
generally provide Layer 3 services for devices connected to the ports of the
switch where the SVI is configured Routed switch ports can provide a Layer
3 path into the switch for a number of devices on a specific subnet all of
which are accessible from a single physical switch port
The number of routed ports and SVIs that can be configured on a switch is
not limited by software However the interrelationship between these
interfaces and other features configured on the switch may overload the
CPU because of hardware limitations
24
13
A routed port has the following characteristics and functions
Physical switch port with Layer 3 capability
Not associated with any VLAN
Serves as the default gateway for devices out that switch port
Layer 2 port functionality must be removed before it can be
configured
MLS Layer 3 Interface Routed Port
25
Configuration of Routed Ports on a Multilayer
Switch
26
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
2
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
4
Inter-VLAN Routing
A VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected as shown in the previous slides these devices cannot
communicate without the services of a default gateway a router
Because VLANs isolate traffic to a defined broadcast domain and
subnet network devices in different VLANs cannot communicate
with each other without the use of a router
This is known as Inter-VLAN Routing
3
5
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
1 Any Layer 3
multilayer Catalyst
switch
2 Any external router
with an interface that
supports trunking
(ldquorouter-on-a-stickrdquo)
3 Any external router or
group of routers with a
separate interface in
each VLAN
Or trunk port
Inter-VLAN Routing with External Router
bull a single trunk link between the
switch and the router that can
carry the traffic of multiple VLANs
and which in turn can be routed
by the router
6
4
The advantages are as follows
Implementation is simple
Layer 3 services are not required on the switch
The router provides communications between VLANs
The disadvantages are as follows
The router is a single point of failure
The single traffic path between the switch and the router may
become congested
Latency is higher than on a Layer 3 switch
Inter-VLAN Routing with External Router
7
8
Router On a Stick
Router on a stick is very simple to implement because routers are
usually available in every network
Most enterprise networks use multilayer switches to achieve high
packet-processing rates using hardware switching
Multilayer (layer 3) switches usually have packet-switching
throughputs in the millions of packets per second (pps) whereas
traditional general-purpose routers provide packet switching in the
range of 100000 pps to just over 1 million pps 110 speed down
5
9
Connecting VLANs with Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Describing Inter-VLAN Routing Using External
Router Configuration Commands
10
6
Inter-VLAN Routing on External Router
8021Q Trunk Link
switch(config)interface FastEthernet 00switch(config-if)switchport trunk encapsulation dot1qswitch(config-if)switchport mode trunk
11
Inter-VLAN Routing on External Router ISL
Trunk Link switch(config)interface FastEthernet 00switch(config-if)switchport trunk encapsulation islswitch(config-if)switchport mode trunk
12
7
Verifying Inter-VLAN Routing
13
MLS(multilayer switch) = Switch + Router
into one device
A multilayer switch combines the functionality of a
switch and a router into one device therefore
enabling the device to switch traffic when the
source and destination are in the same VLAN and
to route traffic when the source and destination are
in different VLANs (that is different subnets)
The same VLAN switching
Different VLANs routing
ASIC wire speed
Routing table access control list (ACL)
store in CAM TCAM
Explaining Multilayer Switching
14
8
Layer 2 Switch Forwarding process ndash In MLS
15
Logical Flow for a Multilayer Switch
16
9
Frame Rewrite
17
The source MAC address changes from the sender MAC address to the
router MAC address
The destination MAC address changes from the router MAC to the next-hop
MAC address
The TTL is decremented by one and as a result the IP header checksum
is recalculated
The frame checksum is recalculated
Routing switching ACL and QoS tables are stored in a high-speed table memory so that forwarding decisions and restrictions can be made in high-speed hardware
Cisco Catalyst switches create and use two primary table architectures
CAM (content addressable memory)
two results 0 (true) or 1 (false)
MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
three results 0 (donrsquot care) 1 (true) 2 (false)
IP tables routing ACL QoS
Switching Table Architectures - Details
CAM TCAM
18
10
CAM Application
Key
VLAN ID
Key
19
The information a switch uses to perform a lookup in a CAM table is
called a key
For example a Layer 2 lookup would use a destination MAC address
and a VLAN ID as a key
In specific high-end switch platforms the TCAM
is a portion of memory designed for rapid
hardware-based table lookups of Layer 3 and
Layer 4 information In the TCAM a single
lookup provides all Layer 2 and Layer 3
forwarding information for frames including CAM
and ACL information
How the values are stored in the TCAM
access-list 101 permit ip host 10111 any
access-list 101 deny ip 10110 000255 any
Longest match region
Each longest match region consists of groups of
Layer 3 address entries (ldquobucketsrdquo) organized in
decreasing order by mask length All entries
within a bucket share the same mask value and
key size The buckets can change their size
dynamically by borrowing address entries from
neighboring buckets Although the size of the
whole protocol region is fixed you can
reconfigure it The reconfigured size of the
protocol region takes effect only after the next
system reboot
First-Match region
The first-match region consists of ACL entries
Lookup stops after the first match of the entry
TCAM
20
11
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
22
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI) mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI) mdash A Layer 3 virtual bridging interface (Not discussed)
12
23
MLS Layer 3 Interface Routed Port
MLS Layer 3 Interface Routed Port A routed switch port is a physical switch port on a multilayer switch that is
capable of Layer 3 packet processing A routed port is not associated with a
particular VLAN as contrasted with an access port or SVI The switch port
functionality is removed from the interface A routed port behaves like a
regular router interface except that it does not support VLAN subinterfaces
Routed switch ports can be configured using most commands applied to a
physical router interface including the assignment of an IP address and the
configuration of Layer 3 routing protocols
A routed switch port is a standalone port that is not associated with a VLAN
whereas an SVI is a virtual interface that is associated with a VLAN SVIs
generally provide Layer 3 services for devices connected to the ports of the
switch where the SVI is configured Routed switch ports can provide a Layer
3 path into the switch for a number of devices on a specific subnet all of
which are accessible from a single physical switch port
The number of routed ports and SVIs that can be configured on a switch is
not limited by software However the interrelationship between these
interfaces and other features configured on the switch may overload the
CPU because of hardware limitations
24
13
A routed port has the following characteristics and functions
Physical switch port with Layer 3 capability
Not associated with any VLAN
Serves as the default gateway for devices out that switch port
Layer 2 port functionality must be removed before it can be
configured
MLS Layer 3 Interface Routed Port
25
Configuration of Routed Ports on a Multilayer
Switch
26
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
3
5
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
1 Any Layer 3
multilayer Catalyst
switch
2 Any external router
with an interface that
supports trunking
(ldquorouter-on-a-stickrdquo)
3 Any external router or
group of routers with a
separate interface in
each VLAN
Or trunk port
Inter-VLAN Routing with External Router
bull a single trunk link between the
switch and the router that can
carry the traffic of multiple VLANs
and which in turn can be routed
by the router
6
4
The advantages are as follows
Implementation is simple
Layer 3 services are not required on the switch
The router provides communications between VLANs
The disadvantages are as follows
The router is a single point of failure
The single traffic path between the switch and the router may
become congested
Latency is higher than on a Layer 3 switch
Inter-VLAN Routing with External Router
7
8
Router On a Stick
Router on a stick is very simple to implement because routers are
usually available in every network
Most enterprise networks use multilayer switches to achieve high
packet-processing rates using hardware switching
Multilayer (layer 3) switches usually have packet-switching
throughputs in the millions of packets per second (pps) whereas
traditional general-purpose routers provide packet switching in the
range of 100000 pps to just over 1 million pps 110 speed down
5
9
Connecting VLANs with Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Describing Inter-VLAN Routing Using External
Router Configuration Commands
10
6
Inter-VLAN Routing on External Router
8021Q Trunk Link
switch(config)interface FastEthernet 00switch(config-if)switchport trunk encapsulation dot1qswitch(config-if)switchport mode trunk
11
Inter-VLAN Routing on External Router ISL
Trunk Link switch(config)interface FastEthernet 00switch(config-if)switchport trunk encapsulation islswitch(config-if)switchport mode trunk
12
7
Verifying Inter-VLAN Routing
13
MLS(multilayer switch) = Switch + Router
into one device
A multilayer switch combines the functionality of a
switch and a router into one device therefore
enabling the device to switch traffic when the
source and destination are in the same VLAN and
to route traffic when the source and destination are
in different VLANs (that is different subnets)
The same VLAN switching
Different VLANs routing
ASIC wire speed
Routing table access control list (ACL)
store in CAM TCAM
Explaining Multilayer Switching
14
8
Layer 2 Switch Forwarding process ndash In MLS
15
Logical Flow for a Multilayer Switch
16
9
Frame Rewrite
17
The source MAC address changes from the sender MAC address to the
router MAC address
The destination MAC address changes from the router MAC to the next-hop
MAC address
The TTL is decremented by one and as a result the IP header checksum
is recalculated
The frame checksum is recalculated
Routing switching ACL and QoS tables are stored in a high-speed table memory so that forwarding decisions and restrictions can be made in high-speed hardware
Cisco Catalyst switches create and use two primary table architectures
CAM (content addressable memory)
two results 0 (true) or 1 (false)
MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
three results 0 (donrsquot care) 1 (true) 2 (false)
IP tables routing ACL QoS
Switching Table Architectures - Details
CAM TCAM
18
10
CAM Application
Key
VLAN ID
Key
19
The information a switch uses to perform a lookup in a CAM table is
called a key
For example a Layer 2 lookup would use a destination MAC address
and a VLAN ID as a key
In specific high-end switch platforms the TCAM
is a portion of memory designed for rapid
hardware-based table lookups of Layer 3 and
Layer 4 information In the TCAM a single
lookup provides all Layer 2 and Layer 3
forwarding information for frames including CAM
and ACL information
How the values are stored in the TCAM
access-list 101 permit ip host 10111 any
access-list 101 deny ip 10110 000255 any
Longest match region
Each longest match region consists of groups of
Layer 3 address entries (ldquobucketsrdquo) organized in
decreasing order by mask length All entries
within a bucket share the same mask value and
key size The buckets can change their size
dynamically by borrowing address entries from
neighboring buckets Although the size of the
whole protocol region is fixed you can
reconfigure it The reconfigured size of the
protocol region takes effect only after the next
system reboot
First-Match region
The first-match region consists of ACL entries
Lookup stops after the first match of the entry
TCAM
20
11
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
22
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI) mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI) mdash A Layer 3 virtual bridging interface (Not discussed)
12
23
MLS Layer 3 Interface Routed Port
MLS Layer 3 Interface Routed Port A routed switch port is a physical switch port on a multilayer switch that is
capable of Layer 3 packet processing A routed port is not associated with a
particular VLAN as contrasted with an access port or SVI The switch port
functionality is removed from the interface A routed port behaves like a
regular router interface except that it does not support VLAN subinterfaces
Routed switch ports can be configured using most commands applied to a
physical router interface including the assignment of an IP address and the
configuration of Layer 3 routing protocols
A routed switch port is a standalone port that is not associated with a VLAN
whereas an SVI is a virtual interface that is associated with a VLAN SVIs
generally provide Layer 3 services for devices connected to the ports of the
switch where the SVI is configured Routed switch ports can provide a Layer
3 path into the switch for a number of devices on a specific subnet all of
which are accessible from a single physical switch port
The number of routed ports and SVIs that can be configured on a switch is
not limited by software However the interrelationship between these
interfaces and other features configured on the switch may overload the
CPU because of hardware limitations
24
13
A routed port has the following characteristics and functions
Physical switch port with Layer 3 capability
Not associated with any VLAN
Serves as the default gateway for devices out that switch port
Layer 2 port functionality must be removed before it can be
configured
MLS Layer 3 Interface Routed Port
25
Configuration of Routed Ports on a Multilayer
Switch
26
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
4
The advantages are as follows
Implementation is simple
Layer 3 services are not required on the switch
The router provides communications between VLANs
The disadvantages are as follows
The router is a single point of failure
The single traffic path between the switch and the router may
become congested
Latency is higher than on a Layer 3 switch
Inter-VLAN Routing with External Router
7
8
Router On a Stick
Router on a stick is very simple to implement because routers are
usually available in every network
Most enterprise networks use multilayer switches to achieve high
packet-processing rates using hardware switching
Multilayer (layer 3) switches usually have packet-switching
throughputs in the millions of packets per second (pps) whereas
traditional general-purpose routers provide packet switching in the
range of 100000 pps to just over 1 million pps 110 speed down
5
9
Connecting VLANs with Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Describing Inter-VLAN Routing Using External
Router Configuration Commands
10
6
Inter-VLAN Routing on External Router
8021Q Trunk Link
switch(config)interface FastEthernet 00switch(config-if)switchport trunk encapsulation dot1qswitch(config-if)switchport mode trunk
11
Inter-VLAN Routing on External Router ISL
Trunk Link switch(config)interface FastEthernet 00switch(config-if)switchport trunk encapsulation islswitch(config-if)switchport mode trunk
12
7
Verifying Inter-VLAN Routing
13
MLS(multilayer switch) = Switch + Router
into one device
A multilayer switch combines the functionality of a
switch and a router into one device therefore
enabling the device to switch traffic when the
source and destination are in the same VLAN and
to route traffic when the source and destination are
in different VLANs (that is different subnets)
The same VLAN switching
Different VLANs routing
ASIC wire speed
Routing table access control list (ACL)
store in CAM TCAM
Explaining Multilayer Switching
14
8
Layer 2 Switch Forwarding process ndash In MLS
15
Logical Flow for a Multilayer Switch
16
9
Frame Rewrite
17
The source MAC address changes from the sender MAC address to the
router MAC address
The destination MAC address changes from the router MAC to the next-hop
MAC address
The TTL is decremented by one and as a result the IP header checksum
is recalculated
The frame checksum is recalculated
Routing switching ACL and QoS tables are stored in a high-speed table memory so that forwarding decisions and restrictions can be made in high-speed hardware
Cisco Catalyst switches create and use two primary table architectures
CAM (content addressable memory)
two results 0 (true) or 1 (false)
MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
three results 0 (donrsquot care) 1 (true) 2 (false)
IP tables routing ACL QoS
Switching Table Architectures - Details
CAM TCAM
18
10
CAM Application
Key
VLAN ID
Key
19
The information a switch uses to perform a lookup in a CAM table is
called a key
For example a Layer 2 lookup would use a destination MAC address
and a VLAN ID as a key
In specific high-end switch platforms the TCAM
is a portion of memory designed for rapid
hardware-based table lookups of Layer 3 and
Layer 4 information In the TCAM a single
lookup provides all Layer 2 and Layer 3
forwarding information for frames including CAM
and ACL information
How the values are stored in the TCAM
access-list 101 permit ip host 10111 any
access-list 101 deny ip 10110 000255 any
Longest match region
Each longest match region consists of groups of
Layer 3 address entries (ldquobucketsrdquo) organized in
decreasing order by mask length All entries
within a bucket share the same mask value and
key size The buckets can change their size
dynamically by borrowing address entries from
neighboring buckets Although the size of the
whole protocol region is fixed you can
reconfigure it The reconfigured size of the
protocol region takes effect only after the next
system reboot
First-Match region
The first-match region consists of ACL entries
Lookup stops after the first match of the entry
TCAM
20
11
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
22
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI) mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI) mdash A Layer 3 virtual bridging interface (Not discussed)
12
23
MLS Layer 3 Interface Routed Port
MLS Layer 3 Interface Routed Port A routed switch port is a physical switch port on a multilayer switch that is
capable of Layer 3 packet processing A routed port is not associated with a
particular VLAN as contrasted with an access port or SVI The switch port
functionality is removed from the interface A routed port behaves like a
regular router interface except that it does not support VLAN subinterfaces
Routed switch ports can be configured using most commands applied to a
physical router interface including the assignment of an IP address and the
configuration of Layer 3 routing protocols
A routed switch port is a standalone port that is not associated with a VLAN
whereas an SVI is a virtual interface that is associated with a VLAN SVIs
generally provide Layer 3 services for devices connected to the ports of the
switch where the SVI is configured Routed switch ports can provide a Layer
3 path into the switch for a number of devices on a specific subnet all of
which are accessible from a single physical switch port
The number of routed ports and SVIs that can be configured on a switch is
not limited by software However the interrelationship between these
interfaces and other features configured on the switch may overload the
CPU because of hardware limitations
24
13
A routed port has the following characteristics and functions
Physical switch port with Layer 3 capability
Not associated with any VLAN
Serves as the default gateway for devices out that switch port
Layer 2 port functionality must be removed before it can be
configured
MLS Layer 3 Interface Routed Port
25
Configuration of Routed Ports on a Multilayer
Switch
26
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
5
9
Connecting VLANs with Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Describing Inter-VLAN Routing Using External
Router Configuration Commands
10
6
Inter-VLAN Routing on External Router
8021Q Trunk Link
switch(config)interface FastEthernet 00switch(config-if)switchport trunk encapsulation dot1qswitch(config-if)switchport mode trunk
11
Inter-VLAN Routing on External Router ISL
Trunk Link switch(config)interface FastEthernet 00switch(config-if)switchport trunk encapsulation islswitch(config-if)switchport mode trunk
12
7
Verifying Inter-VLAN Routing
13
MLS(multilayer switch) = Switch + Router
into one device
A multilayer switch combines the functionality of a
switch and a router into one device therefore
enabling the device to switch traffic when the
source and destination are in the same VLAN and
to route traffic when the source and destination are
in different VLANs (that is different subnets)
The same VLAN switching
Different VLANs routing
ASIC wire speed
Routing table access control list (ACL)
store in CAM TCAM
Explaining Multilayer Switching
14
8
Layer 2 Switch Forwarding process ndash In MLS
15
Logical Flow for a Multilayer Switch
16
9
Frame Rewrite
17
The source MAC address changes from the sender MAC address to the
router MAC address
The destination MAC address changes from the router MAC to the next-hop
MAC address
The TTL is decremented by one and as a result the IP header checksum
is recalculated
The frame checksum is recalculated
Routing switching ACL and QoS tables are stored in a high-speed table memory so that forwarding decisions and restrictions can be made in high-speed hardware
Cisco Catalyst switches create and use two primary table architectures
CAM (content addressable memory)
two results 0 (true) or 1 (false)
MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
three results 0 (donrsquot care) 1 (true) 2 (false)
IP tables routing ACL QoS
Switching Table Architectures - Details
CAM TCAM
18
10
CAM Application
Key
VLAN ID
Key
19
The information a switch uses to perform a lookup in a CAM table is
called a key
For example a Layer 2 lookup would use a destination MAC address
and a VLAN ID as a key
In specific high-end switch platforms the TCAM
is a portion of memory designed for rapid
hardware-based table lookups of Layer 3 and
Layer 4 information In the TCAM a single
lookup provides all Layer 2 and Layer 3
forwarding information for frames including CAM
and ACL information
How the values are stored in the TCAM
access-list 101 permit ip host 10111 any
access-list 101 deny ip 10110 000255 any
Longest match region
Each longest match region consists of groups of
Layer 3 address entries (ldquobucketsrdquo) organized in
decreasing order by mask length All entries
within a bucket share the same mask value and
key size The buckets can change their size
dynamically by borrowing address entries from
neighboring buckets Although the size of the
whole protocol region is fixed you can
reconfigure it The reconfigured size of the
protocol region takes effect only after the next
system reboot
First-Match region
The first-match region consists of ACL entries
Lookup stops after the first match of the entry
TCAM
20
11
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
22
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI) mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI) mdash A Layer 3 virtual bridging interface (Not discussed)
12
23
MLS Layer 3 Interface Routed Port
MLS Layer 3 Interface Routed Port A routed switch port is a physical switch port on a multilayer switch that is
capable of Layer 3 packet processing A routed port is not associated with a
particular VLAN as contrasted with an access port or SVI The switch port
functionality is removed from the interface A routed port behaves like a
regular router interface except that it does not support VLAN subinterfaces
Routed switch ports can be configured using most commands applied to a
physical router interface including the assignment of an IP address and the
configuration of Layer 3 routing protocols
A routed switch port is a standalone port that is not associated with a VLAN
whereas an SVI is a virtual interface that is associated with a VLAN SVIs
generally provide Layer 3 services for devices connected to the ports of the
switch where the SVI is configured Routed switch ports can provide a Layer
3 path into the switch for a number of devices on a specific subnet all of
which are accessible from a single physical switch port
The number of routed ports and SVIs that can be configured on a switch is
not limited by software However the interrelationship between these
interfaces and other features configured on the switch may overload the
CPU because of hardware limitations
24
13
A routed port has the following characteristics and functions
Physical switch port with Layer 3 capability
Not associated with any VLAN
Serves as the default gateway for devices out that switch port
Layer 2 port functionality must be removed before it can be
configured
MLS Layer 3 Interface Routed Port
25
Configuration of Routed Ports on a Multilayer
Switch
26
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
6
Inter-VLAN Routing on External Router
8021Q Trunk Link
switch(config)interface FastEthernet 00switch(config-if)switchport trunk encapsulation dot1qswitch(config-if)switchport mode trunk
11
Inter-VLAN Routing on External Router ISL
Trunk Link switch(config)interface FastEthernet 00switch(config-if)switchport trunk encapsulation islswitch(config-if)switchport mode trunk
12
7
Verifying Inter-VLAN Routing
13
MLS(multilayer switch) = Switch + Router
into one device
A multilayer switch combines the functionality of a
switch and a router into one device therefore
enabling the device to switch traffic when the
source and destination are in the same VLAN and
to route traffic when the source and destination are
in different VLANs (that is different subnets)
The same VLAN switching
Different VLANs routing
ASIC wire speed
Routing table access control list (ACL)
store in CAM TCAM
Explaining Multilayer Switching
14
8
Layer 2 Switch Forwarding process ndash In MLS
15
Logical Flow for a Multilayer Switch
16
9
Frame Rewrite
17
The source MAC address changes from the sender MAC address to the
router MAC address
The destination MAC address changes from the router MAC to the next-hop
MAC address
The TTL is decremented by one and as a result the IP header checksum
is recalculated
The frame checksum is recalculated
Routing switching ACL and QoS tables are stored in a high-speed table memory so that forwarding decisions and restrictions can be made in high-speed hardware
Cisco Catalyst switches create and use two primary table architectures
CAM (content addressable memory)
two results 0 (true) or 1 (false)
MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
three results 0 (donrsquot care) 1 (true) 2 (false)
IP tables routing ACL QoS
Switching Table Architectures - Details
CAM TCAM
18
10
CAM Application
Key
VLAN ID
Key
19
The information a switch uses to perform a lookup in a CAM table is
called a key
For example a Layer 2 lookup would use a destination MAC address
and a VLAN ID as a key
In specific high-end switch platforms the TCAM
is a portion of memory designed for rapid
hardware-based table lookups of Layer 3 and
Layer 4 information In the TCAM a single
lookup provides all Layer 2 and Layer 3
forwarding information for frames including CAM
and ACL information
How the values are stored in the TCAM
access-list 101 permit ip host 10111 any
access-list 101 deny ip 10110 000255 any
Longest match region
Each longest match region consists of groups of
Layer 3 address entries (ldquobucketsrdquo) organized in
decreasing order by mask length All entries
within a bucket share the same mask value and
key size The buckets can change their size
dynamically by borrowing address entries from
neighboring buckets Although the size of the
whole protocol region is fixed you can
reconfigure it The reconfigured size of the
protocol region takes effect only after the next
system reboot
First-Match region
The first-match region consists of ACL entries
Lookup stops after the first match of the entry
TCAM
20
11
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
22
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI) mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI) mdash A Layer 3 virtual bridging interface (Not discussed)
12
23
MLS Layer 3 Interface Routed Port
MLS Layer 3 Interface Routed Port A routed switch port is a physical switch port on a multilayer switch that is
capable of Layer 3 packet processing A routed port is not associated with a
particular VLAN as contrasted with an access port or SVI The switch port
functionality is removed from the interface A routed port behaves like a
regular router interface except that it does not support VLAN subinterfaces
Routed switch ports can be configured using most commands applied to a
physical router interface including the assignment of an IP address and the
configuration of Layer 3 routing protocols
A routed switch port is a standalone port that is not associated with a VLAN
whereas an SVI is a virtual interface that is associated with a VLAN SVIs
generally provide Layer 3 services for devices connected to the ports of the
switch where the SVI is configured Routed switch ports can provide a Layer
3 path into the switch for a number of devices on a specific subnet all of
which are accessible from a single physical switch port
The number of routed ports and SVIs that can be configured on a switch is
not limited by software However the interrelationship between these
interfaces and other features configured on the switch may overload the
CPU because of hardware limitations
24
13
A routed port has the following characteristics and functions
Physical switch port with Layer 3 capability
Not associated with any VLAN
Serves as the default gateway for devices out that switch port
Layer 2 port functionality must be removed before it can be
configured
MLS Layer 3 Interface Routed Port
25
Configuration of Routed Ports on a Multilayer
Switch
26
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
7
Verifying Inter-VLAN Routing
13
MLS(multilayer switch) = Switch + Router
into one device
A multilayer switch combines the functionality of a
switch and a router into one device therefore
enabling the device to switch traffic when the
source and destination are in the same VLAN and
to route traffic when the source and destination are
in different VLANs (that is different subnets)
The same VLAN switching
Different VLANs routing
ASIC wire speed
Routing table access control list (ACL)
store in CAM TCAM
Explaining Multilayer Switching
14
8
Layer 2 Switch Forwarding process ndash In MLS
15
Logical Flow for a Multilayer Switch
16
9
Frame Rewrite
17
The source MAC address changes from the sender MAC address to the
router MAC address
The destination MAC address changes from the router MAC to the next-hop
MAC address
The TTL is decremented by one and as a result the IP header checksum
is recalculated
The frame checksum is recalculated
Routing switching ACL and QoS tables are stored in a high-speed table memory so that forwarding decisions and restrictions can be made in high-speed hardware
Cisco Catalyst switches create and use two primary table architectures
CAM (content addressable memory)
two results 0 (true) or 1 (false)
MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
three results 0 (donrsquot care) 1 (true) 2 (false)
IP tables routing ACL QoS
Switching Table Architectures - Details
CAM TCAM
18
10
CAM Application
Key
VLAN ID
Key
19
The information a switch uses to perform a lookup in a CAM table is
called a key
For example a Layer 2 lookup would use a destination MAC address
and a VLAN ID as a key
In specific high-end switch platforms the TCAM
is a portion of memory designed for rapid
hardware-based table lookups of Layer 3 and
Layer 4 information In the TCAM a single
lookup provides all Layer 2 and Layer 3
forwarding information for frames including CAM
and ACL information
How the values are stored in the TCAM
access-list 101 permit ip host 10111 any
access-list 101 deny ip 10110 000255 any
Longest match region
Each longest match region consists of groups of
Layer 3 address entries (ldquobucketsrdquo) organized in
decreasing order by mask length All entries
within a bucket share the same mask value and
key size The buckets can change their size
dynamically by borrowing address entries from
neighboring buckets Although the size of the
whole protocol region is fixed you can
reconfigure it The reconfigured size of the
protocol region takes effect only after the next
system reboot
First-Match region
The first-match region consists of ACL entries
Lookup stops after the first match of the entry
TCAM
20
11
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
22
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI) mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI) mdash A Layer 3 virtual bridging interface (Not discussed)
12
23
MLS Layer 3 Interface Routed Port
MLS Layer 3 Interface Routed Port A routed switch port is a physical switch port on a multilayer switch that is
capable of Layer 3 packet processing A routed port is not associated with a
particular VLAN as contrasted with an access port or SVI The switch port
functionality is removed from the interface A routed port behaves like a
regular router interface except that it does not support VLAN subinterfaces
Routed switch ports can be configured using most commands applied to a
physical router interface including the assignment of an IP address and the
configuration of Layer 3 routing protocols
A routed switch port is a standalone port that is not associated with a VLAN
whereas an SVI is a virtual interface that is associated with a VLAN SVIs
generally provide Layer 3 services for devices connected to the ports of the
switch where the SVI is configured Routed switch ports can provide a Layer
3 path into the switch for a number of devices on a specific subnet all of
which are accessible from a single physical switch port
The number of routed ports and SVIs that can be configured on a switch is
not limited by software However the interrelationship between these
interfaces and other features configured on the switch may overload the
CPU because of hardware limitations
24
13
A routed port has the following characteristics and functions
Physical switch port with Layer 3 capability
Not associated with any VLAN
Serves as the default gateway for devices out that switch port
Layer 2 port functionality must be removed before it can be
configured
MLS Layer 3 Interface Routed Port
25
Configuration of Routed Ports on a Multilayer
Switch
26
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
8
Layer 2 Switch Forwarding process ndash In MLS
15
Logical Flow for a Multilayer Switch
16
9
Frame Rewrite
17
The source MAC address changes from the sender MAC address to the
router MAC address
The destination MAC address changes from the router MAC to the next-hop
MAC address
The TTL is decremented by one and as a result the IP header checksum
is recalculated
The frame checksum is recalculated
Routing switching ACL and QoS tables are stored in a high-speed table memory so that forwarding decisions and restrictions can be made in high-speed hardware
Cisco Catalyst switches create and use two primary table architectures
CAM (content addressable memory)
two results 0 (true) or 1 (false)
MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
three results 0 (donrsquot care) 1 (true) 2 (false)
IP tables routing ACL QoS
Switching Table Architectures - Details
CAM TCAM
18
10
CAM Application
Key
VLAN ID
Key
19
The information a switch uses to perform a lookup in a CAM table is
called a key
For example a Layer 2 lookup would use a destination MAC address
and a VLAN ID as a key
In specific high-end switch platforms the TCAM
is a portion of memory designed for rapid
hardware-based table lookups of Layer 3 and
Layer 4 information In the TCAM a single
lookup provides all Layer 2 and Layer 3
forwarding information for frames including CAM
and ACL information
How the values are stored in the TCAM
access-list 101 permit ip host 10111 any
access-list 101 deny ip 10110 000255 any
Longest match region
Each longest match region consists of groups of
Layer 3 address entries (ldquobucketsrdquo) organized in
decreasing order by mask length All entries
within a bucket share the same mask value and
key size The buckets can change their size
dynamically by borrowing address entries from
neighboring buckets Although the size of the
whole protocol region is fixed you can
reconfigure it The reconfigured size of the
protocol region takes effect only after the next
system reboot
First-Match region
The first-match region consists of ACL entries
Lookup stops after the first match of the entry
TCAM
20
11
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
22
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI) mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI) mdash A Layer 3 virtual bridging interface (Not discussed)
12
23
MLS Layer 3 Interface Routed Port
MLS Layer 3 Interface Routed Port A routed switch port is a physical switch port on a multilayer switch that is
capable of Layer 3 packet processing A routed port is not associated with a
particular VLAN as contrasted with an access port or SVI The switch port
functionality is removed from the interface A routed port behaves like a
regular router interface except that it does not support VLAN subinterfaces
Routed switch ports can be configured using most commands applied to a
physical router interface including the assignment of an IP address and the
configuration of Layer 3 routing protocols
A routed switch port is a standalone port that is not associated with a VLAN
whereas an SVI is a virtual interface that is associated with a VLAN SVIs
generally provide Layer 3 services for devices connected to the ports of the
switch where the SVI is configured Routed switch ports can provide a Layer
3 path into the switch for a number of devices on a specific subnet all of
which are accessible from a single physical switch port
The number of routed ports and SVIs that can be configured on a switch is
not limited by software However the interrelationship between these
interfaces and other features configured on the switch may overload the
CPU because of hardware limitations
24
13
A routed port has the following characteristics and functions
Physical switch port with Layer 3 capability
Not associated with any VLAN
Serves as the default gateway for devices out that switch port
Layer 2 port functionality must be removed before it can be
configured
MLS Layer 3 Interface Routed Port
25
Configuration of Routed Ports on a Multilayer
Switch
26
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
9
Frame Rewrite
17
The source MAC address changes from the sender MAC address to the
router MAC address
The destination MAC address changes from the router MAC to the next-hop
MAC address
The TTL is decremented by one and as a result the IP header checksum
is recalculated
The frame checksum is recalculated
Routing switching ACL and QoS tables are stored in a high-speed table memory so that forwarding decisions and restrictions can be made in high-speed hardware
Cisco Catalyst switches create and use two primary table architectures
CAM (content addressable memory)
two results 0 (true) or 1 (false)
MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
three results 0 (donrsquot care) 1 (true) 2 (false)
IP tables routing ACL QoS
Switching Table Architectures - Details
CAM TCAM
18
10
CAM Application
Key
VLAN ID
Key
19
The information a switch uses to perform a lookup in a CAM table is
called a key
For example a Layer 2 lookup would use a destination MAC address
and a VLAN ID as a key
In specific high-end switch platforms the TCAM
is a portion of memory designed for rapid
hardware-based table lookups of Layer 3 and
Layer 4 information In the TCAM a single
lookup provides all Layer 2 and Layer 3
forwarding information for frames including CAM
and ACL information
How the values are stored in the TCAM
access-list 101 permit ip host 10111 any
access-list 101 deny ip 10110 000255 any
Longest match region
Each longest match region consists of groups of
Layer 3 address entries (ldquobucketsrdquo) organized in
decreasing order by mask length All entries
within a bucket share the same mask value and
key size The buckets can change their size
dynamically by borrowing address entries from
neighboring buckets Although the size of the
whole protocol region is fixed you can
reconfigure it The reconfigured size of the
protocol region takes effect only after the next
system reboot
First-Match region
The first-match region consists of ACL entries
Lookup stops after the first match of the entry
TCAM
20
11
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
22
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI) mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI) mdash A Layer 3 virtual bridging interface (Not discussed)
12
23
MLS Layer 3 Interface Routed Port
MLS Layer 3 Interface Routed Port A routed switch port is a physical switch port on a multilayer switch that is
capable of Layer 3 packet processing A routed port is not associated with a
particular VLAN as contrasted with an access port or SVI The switch port
functionality is removed from the interface A routed port behaves like a
regular router interface except that it does not support VLAN subinterfaces
Routed switch ports can be configured using most commands applied to a
physical router interface including the assignment of an IP address and the
configuration of Layer 3 routing protocols
A routed switch port is a standalone port that is not associated with a VLAN
whereas an SVI is a virtual interface that is associated with a VLAN SVIs
generally provide Layer 3 services for devices connected to the ports of the
switch where the SVI is configured Routed switch ports can provide a Layer
3 path into the switch for a number of devices on a specific subnet all of
which are accessible from a single physical switch port
The number of routed ports and SVIs that can be configured on a switch is
not limited by software However the interrelationship between these
interfaces and other features configured on the switch may overload the
CPU because of hardware limitations
24
13
A routed port has the following characteristics and functions
Physical switch port with Layer 3 capability
Not associated with any VLAN
Serves as the default gateway for devices out that switch port
Layer 2 port functionality must be removed before it can be
configured
MLS Layer 3 Interface Routed Port
25
Configuration of Routed Ports on a Multilayer
Switch
26
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
10
CAM Application
Key
VLAN ID
Key
19
The information a switch uses to perform a lookup in a CAM table is
called a key
For example a Layer 2 lookup would use a destination MAC address
and a VLAN ID as a key
In specific high-end switch platforms the TCAM
is a portion of memory designed for rapid
hardware-based table lookups of Layer 3 and
Layer 4 information In the TCAM a single
lookup provides all Layer 2 and Layer 3
forwarding information for frames including CAM
and ACL information
How the values are stored in the TCAM
access-list 101 permit ip host 10111 any
access-list 101 deny ip 10110 000255 any
Longest match region
Each longest match region consists of groups of
Layer 3 address entries (ldquobucketsrdquo) organized in
decreasing order by mask length All entries
within a bucket share the same mask value and
key size The buckets can change their size
dynamically by borrowing address entries from
neighboring buckets Although the size of the
whole protocol region is fixed you can
reconfigure it The reconfigured size of the
protocol region takes effect only after the next
system reboot
First-Match region
The first-match region consists of ACL entries
Lookup stops after the first match of the entry
TCAM
20
11
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
22
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI) mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI) mdash A Layer 3 virtual bridging interface (Not discussed)
12
23
MLS Layer 3 Interface Routed Port
MLS Layer 3 Interface Routed Port A routed switch port is a physical switch port on a multilayer switch that is
capable of Layer 3 packet processing A routed port is not associated with a
particular VLAN as contrasted with an access port or SVI The switch port
functionality is removed from the interface A routed port behaves like a
regular router interface except that it does not support VLAN subinterfaces
Routed switch ports can be configured using most commands applied to a
physical router interface including the assignment of an IP address and the
configuration of Layer 3 routing protocols
A routed switch port is a standalone port that is not associated with a VLAN
whereas an SVI is a virtual interface that is associated with a VLAN SVIs
generally provide Layer 3 services for devices connected to the ports of the
switch where the SVI is configured Routed switch ports can provide a Layer
3 path into the switch for a number of devices on a specific subnet all of
which are accessible from a single physical switch port
The number of routed ports and SVIs that can be configured on a switch is
not limited by software However the interrelationship between these
interfaces and other features configured on the switch may overload the
CPU because of hardware limitations
24
13
A routed port has the following characteristics and functions
Physical switch port with Layer 3 capability
Not associated with any VLAN
Serves as the default gateway for devices out that switch port
Layer 2 port functionality must be removed before it can be
configured
MLS Layer 3 Interface Routed Port
25
Configuration of Routed Ports on a Multilayer
Switch
26
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
11
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
22
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI) mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI) mdash A Layer 3 virtual bridging interface (Not discussed)
12
23
MLS Layer 3 Interface Routed Port
MLS Layer 3 Interface Routed Port A routed switch port is a physical switch port on a multilayer switch that is
capable of Layer 3 packet processing A routed port is not associated with a
particular VLAN as contrasted with an access port or SVI The switch port
functionality is removed from the interface A routed port behaves like a
regular router interface except that it does not support VLAN subinterfaces
Routed switch ports can be configured using most commands applied to a
physical router interface including the assignment of an IP address and the
configuration of Layer 3 routing protocols
A routed switch port is a standalone port that is not associated with a VLAN
whereas an SVI is a virtual interface that is associated with a VLAN SVIs
generally provide Layer 3 services for devices connected to the ports of the
switch where the SVI is configured Routed switch ports can provide a Layer
3 path into the switch for a number of devices on a specific subnet all of
which are accessible from a single physical switch port
The number of routed ports and SVIs that can be configured on a switch is
not limited by software However the interrelationship between these
interfaces and other features configured on the switch may overload the
CPU because of hardware limitations
24
13
A routed port has the following characteristics and functions
Physical switch port with Layer 3 capability
Not associated with any VLAN
Serves as the default gateway for devices out that switch port
Layer 2 port functionality must be removed before it can be
configured
MLS Layer 3 Interface Routed Port
25
Configuration of Routed Ports on a Multilayer
Switch
26
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
12
23
MLS Layer 3 Interface Routed Port
MLS Layer 3 Interface Routed Port A routed switch port is a physical switch port on a multilayer switch that is
capable of Layer 3 packet processing A routed port is not associated with a
particular VLAN as contrasted with an access port or SVI The switch port
functionality is removed from the interface A routed port behaves like a
regular router interface except that it does not support VLAN subinterfaces
Routed switch ports can be configured using most commands applied to a
physical router interface including the assignment of an IP address and the
configuration of Layer 3 routing protocols
A routed switch port is a standalone port that is not associated with a VLAN
whereas an SVI is a virtual interface that is associated with a VLAN SVIs
generally provide Layer 3 services for devices connected to the ports of the
switch where the SVI is configured Routed switch ports can provide a Layer
3 path into the switch for a number of devices on a specific subnet all of
which are accessible from a single physical switch port
The number of routed ports and SVIs that can be configured on a switch is
not limited by software However the interrelationship between these
interfaces and other features configured on the switch may overload the
CPU because of hardware limitations
24
13
A routed port has the following characteristics and functions
Physical switch port with Layer 3 capability
Not associated with any VLAN
Serves as the default gateway for devices out that switch port
Layer 2 port functionality must be removed before it can be
configured
MLS Layer 3 Interface Routed Port
25
Configuration of Routed Ports on a Multilayer
Switch
26
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
13
A routed port has the following characteristics and functions
Physical switch port with Layer 3 capability
Not associated with any VLAN
Serves as the default gateway for devices out that switch port
Layer 2 port functionality must be removed before it can be
configured
MLS Layer 3 Interface Routed Port
25
Configuration of Routed Ports on a Multilayer
Switch
26
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
14
27
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI) are Layer 3 interfaces that are configured on multilayer Layer 3 Catalyst switches that are used for inter-VLAN routing
An SVI is a virtual VLAN interface that is associated with the VLAN-ID to enable routing capability on that VLAN
Note These are virtual interfaces
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
28
MLS Layer 3 Interface SVI
To configure communication between VLANs you must configure each
SVI with an IP address and subnet mask in the chosen address
range for that subnet
The IP address associated with the VLAN interface is the default
gateway of the workstation
DLSwitch(config)interface vlan 1DLSwitch(config-if)ip address 1721611 2552552550DLSwitch(config)interface vlan 10DLSwitch(config-if)ip address 17216101 2552552550DLSwitch(config)interface vlan 20DLSwitch(config-if)ip address 17216201 2552552550DLSwitch(config)interface vlan 30DLSwitch(config-if)ip address 17216301 2552552550
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
15
Layer 3 SVI
To provide a default
gateway for a VLAN so
that traffic can be routed
between VLANs
To provide fallback
bridging if it is required for
non-routable protocols
To provide Layer 3 IP
connectivity to the switch
To support routing protocol
and bridging configurations
29
Configuring Inter-VLAN Routing on a Multilayer Switch
30
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
16
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
32
MLS and CEF
One of the bottlenecks in high-speed networking is the
decision-making process within the router
Two of the methods used by Cisco devices to speed
up this process are
1 Multilayer Switching (MLS)
2 Cisco Express Forwarding (CEF)
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
17
33
Internal route processors
Route Processors include
Route Switch Module (RSM) ndash 4000 5000 6000 7000
Route Switch Feature Card (RSFC) - 5000
Multilayer Switch Module (MSM) - 6000
Multilayer Switch Feature Card (MSFC) - 6000
Other terms used
Layer-3 Card or Layer-3 ldquoBladerdquo
MultiLayer Switch Route Processor (MLS-RP)
The router in the network (handles the first packet in every
flow)
34
Introduction to MLS
MLS is a technology used by a small number of older
Catalyst switches to provide wire-speed routing
MLS is sometimes known as Route once switch
many
The first packet of a flow is routed by the router in
software and the remaining packets are forwarded in
hardware by the switch
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
18
35
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing
Unlike MLS which requires the route processor to route the first packet of a flow CEF enables packet switching to circumvent the route processor altogether
This is accomplished by the communication process between the route processor and the switch processor to create the shortcut info before the first packet arrives
ldquoRoute never switch alwaysrdquo
36
Multilayer Switching
Multilayer switching refers to the ability of a Catalyst switch to
support switching and routing of packets in hardware with optional
support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must
download software-based routing switching access lists QoS and
other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
19
37
Traditional and CEF-based MLS
To accomplish multilayer switching (packet processing in hardware)
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
Cisco Express Forwarding (CEF)-based MLS architecture
Traditional MLS is a legacy feature whereas all leading-edge
Catalyst switches support CEF-based multilayer switching (CEF-based
MLS)
38
Multilayer Switching
The term multilayer switching (MLS) is a general networking term
that refers to hardware-based PDU header rewriting and forwarding
based on information specific to one or more OSI layers
When used in the context of this class MLS refers to Cisco MLS
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
20
39
Traditional MLS
MLS enables specialized
application-specific integrated
circuits (ASICs) to perform
Layer 2 rewrite operations of
routed packets
Layer 2 rewrites include
rewriting the source and
destination MAC addresses
and writing a recalculated cyclic
redundancy check (CRC)
Because the source and
destination MAC addresses
change during Layer 3 rewrites
the switch must recalculate the
CRC for these new MAC
addresses
40
Traditional MLS
For Catalyst switches that support traditional MLS the switch learns
Layer 2 rewrite information from an MLS router via an MLS protocol
Also known as netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry contains a source a source and destination or full flow
information including Layer 4 protocol information
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
21
41
Traditional MLS
With traditional MLS the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
MLS-SE
MLS-RPMLS-RP The Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as
a candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-
00-11-11-11
S-IP =
101110
D-IP =
101220
Traditional MLS
42
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
22
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-
0C-22-22-22
S-IP =
101110
D-IP =
101220
Traditional MLS
43
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-
22-22
00-00-
0C-22-
22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
Traditional MLS
44
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
23
45
CEF-based MLS
46
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
As a result of the prepopulation of routing information Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
24
47
CEF
The two main components of CEF are FIB and Adjacency Tablebull Forwarding information base (FIB)
Used make IP destination prefix-based switching decisions
Similar to a routing table or information base
It maintains a mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
The FIB maintains next-hop address information based on the information in the IP routing table
In the context of CEF-based MLS both the Layer 3 engine and the hardware-switching components maintain an FIB
Routing Table
48
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
25
49
CEF
Adjacency tables
Recall that the FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
50
CEF
Adjacency tables (summary more detail coming)
The adjacency table information is built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF glean(이삭 줍기)rdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
26
51
CEF
Adjacency tables
During the time that a FIB entry is in the CEF glean state waiting for the ARP resolution subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling(목 조르기) or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
Otherwise after an ARP reply is received the throttling is released the FIB entry can be completed and packets can be forwarded completely in hardware
Explaining Layer 3 Switch Processing
52
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
27
Explaining Layer 3 Switch Processing
Layer 3 switching refers to a class of high performance routers
optimized for the campus LAN or intranet providing both wire-speed
Ethernet routing and switching services
A Layer 3 switch router performs the following three major functions
Packet switching
Route processing
Intelligent network services
Compared to other routers Layer 3 switch routers process more
packets faster by using ASIC hardware instead of microprocessor-
based engines Layer 3 switch routers also improve network
performance with two software functions route processing and
intelligent network services
Layer 3 switching software employs a distributed architecture in
which the control path and data path are relatively independent The
control path code such as routing protocols runs on the route
processor whereas most of the data packets are forwarded by the
Ethernet interface module and the switching fabric 53
Explaining Layer 3 Switch Processing
Each interface module includes a microcoded processor that
handles all packet forwarding The control layer functions between
the routing protocol and the with the firmware datapath microcode
following primary duties
Manages the internal data and control circuits for the packet-
forwarding and control functions
Extracts the other routing and packet forwarding-related control
information from the Layer 2 and Layer 3 bridging and routing
protocols and the configuration data and then conveys the
information to the interface module to control the datapath
Collects the datapath information such as traffic statistics from
the interface module to the route processor
Handles certain data packets sent from the Ethernet interface
modules to the route processor
54
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
28
Explaining Layer 3 Switch Processing
55
Explaining Layer 3 Switch Processing
Layer 3 switching can occur at two different locations on the switch
Centralized Switching decisions are made on the route
processor by a central forwarding table typically controlled by an
ASIC
Distributed Switching decisions are made on a port or line-card
level Cached tables are distributed and synchronized to various
hardware components so that processing can be distributed
throughout the switch chassis
Layer 3 switching uses one of these two methods depending on the
platform
Route caching Also known as flow-based or demand-based
switching a Layer 3 route cache is built in hardware since the
switch sees traffic flow into the switch
Topology-based Information from the routing table is used to
populate the route cache regardless of traffic flow The
populated route cache is called the forwarding information base
(FIB) CEF builds the FIB 56
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
29
Explaining CEF-based Multilayer Switches
bull CEF Operation modes
bull Central CEF
bull Distributed CEF
bull CEF-based Cisco MultiLayer SwitchesCatalyst 2970 Catalyst 3550Catalyst 3560
Catalyst 3750 Catalyst 4500Catalyst 4948
Catalyst 6500 two card modules of CP and DP
57
Explaining CEF-based Multilayer Switches
Cisco Layer 3 devices can use a variety of methods to switch packets from
one port to another The most basic method of switching packets between
interfaces is called process switching Process switching moves packets
between interfaces on a scheduled basis based on information in the
routing table and the Address Resolution Protocol (ARP) cache As packets
arrive they are put in a queue to wait for further processing When the
scheduler runs the outbound interface is determined and the packet is
switched Waiting for the scheduler introduces latency
To speed the switching process strategies exist to switch packets on
demand as they arrive and to cache the information necessary to make
packet-forwarding decisions
CEF uses these strategies to expediently switch data packets to their
destination It caches information generated by the Layer 3 routing engine
CEF caches routing information in one table (the FIB) and caches Layer 2
next-hop addresses for all FIB entries in an adjacency table Because CEF
maintains multiple tables for forwarding information parallel paths can exist
and enable CEF to load balance per packet
58
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
30
Explaining CEF-based Multilayer Switches
CEF operates in one of two modes
Central CEF The FIB and adjacency tables reside on the route
processor and the route processor performs the express forwarding
Use this mode when line cards are not available for CEF switching or
when features are not compatible with distributed CEF
Distributed CEF (dCEF) Supported only on Cisco Catalyst 6500
switches Line cards maintain identical copies of the FIB and adjacency
tables The line cards can perform the express forwarding by
themselves relieving the main processor of being involved in the
switching operation Distributed CEF uses an interprocess
communications (IPC) mechanism to ensure that the FIBs and
adjacency tables are synchronized on the route processor and line
cards
59
Identifying the Multilayer Switch Packet Forwarding Process
60
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
31
Identifying the Multilayer Switch Packet Forwarding Process
61
CEF separates the control plane hardware from the data plane hardware
and switching ASICs separate the control plane and data plane thereby
achieving higher data throughput
The control plane is responsible for building the FIB and adjacency
tables in software
The data plane is responsible for forwarding IP unicast traffic using
hardware
When traffic cannot be processed in hardware the traffic must receive
processing in software by the Layer 3 engine thereby not receiving the
benefit of expedited hardware-based forwarding A number of different
packet types may force the Layer 3 engine to process them Some
examples of IP exception packets are the following
IP packets that use IP header options (Packets that use TCP header options are
switched in hardware because they do not affect the forwarding decision)
Packets that have an expiring IP Time to Live (TTL) counter
Packets that are forwarded to a tunnel interface
Packets that arrive with non-supported encapsulation types
Packets that are routed to an interface with non-supported encapsulation types
Packets that exceed the maximum transmission unit (MTU) of an output interface
and must be fragmented
62
Identifying the Multilayer Switch Packet Forwarding Process
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
32
Identifying the Multilayer Switch Packet Forwarding Process
CEF-based tables are initially populated and used as follows
The FIB is derived from the IP routing table and is arranged for maximum lookup throughput
The adjacency table is derived from the ARP table and it contains Layer 2 rewrite (MAC) information for the
next hop
CEF IP destination prefixes are stored in the TCAM table from the most specific to the least specific entry
When the CEF TCAM table is full a wildcard entry redirects frames to the Layer 3 engine
When the adjacency table is full a CEF TCAM table entry points to the Layer 3 engine to redirect the
adjacency
The FIB lookup is based on the Layer 3 destination address prefix (longest match)
The FIB table is updated when the following occurs
An ARP entry for the destination next hop changes ages out or is removed
The routing table entry for a prefix changes
The routing table entry for the next hop changes
These are the basic steps for initially populating the adjacency table
Step 1 The Layer 3 engine queries the switch for a physical MAC address
Step 2 The switch selects a MAC address from the chassis MAC range and assigns it to the Layer 3 engine
This MAC address is assigned by the Layer 3 engine as a burned-in address for all VLANs and is used by
the switch to initiate Layer 3 packet lookups
Step 3 The switch installs wildcard CEF entries which point to drop adjacencies (for handling CEF table
lookup misses)
Step 4 The Layer 3 engine informs the switch of its interfaces participating in MLS (MAC address and
associated VLAN) The switch creates the (MAC VLAN) Layer 2 CAM entry for the Layer 3 engine
Step 5 The Layer 3 engine informs the switch about features for interfaces participating in MLS
Step 6 The Layer 3 engine informs the switch about all CEF entries related to its interfaces and connected
networks The switch populates the CEF entries and points them to Layer 3 engine redirect adjacencies
63
Identifying the Multilayer Switch Packet Forwarding Process
64
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
33
Identifying the Multilayer Switch Packet Forwarding Process
These are the steps that would occur when you use CEF to forward frames between
host A and host B on different VLANs
Step 1 Host A sends a packet to host B The switch recognizes the frame as a
Layer 3 packet because the destination MAC (MAC-M) matches the Layer 3
engine MAC
Step 2 The switch performs a CEF lookup based on the destination IP address
(IP-B) The packet hits the CEF entry for the connected (VLAN20) network and is
redirected to the Layer 3 engine using a glean adjacency
Step 3 The Layer 3 engine installs an ARP throttling adjacency in the switch for
the host B IP address
Step 4 The Layer 3 engine sends ARP requests for host B on VLAN20
Step 5 Host B sends an ARP response to the Layer 3 engine
Step 6 The Layer 3 engine installs the resolved adjacency in the switch
(removing the ARP throttling adjacency)
Step 7 The switch forwards the packet to host B
Step 8 The switch receives a subsequent packet for host B (IP-B)
Step 9 The switch performs a Layer 3 lookup and finds a CEF entry for host B
The entry points to the adjacency with rewrite information for host B
Step 10 The switch rewrites packets per the adjacency information and forwards
the packet to host B on VLAN20
65
Populating FIB and Adjacency Table
66
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
34
Identifying the Multilayer Switch Packet Forwarding Process
67
Identifying the Multilayer Switch Packet Forwarding Process
68
An example of ARP throttling which consists of these steps
Step 1 Host A sends a packet to host B
Step 2 The switch forwards the packet to the Layer 3 engine
based on the ldquogleanrdquo entry in the FIB A glean adjacency entry
indicates that a particular next hop should be directly connected
but there is no MAC header rewrite information available
Step 3 The Layer 3 engine sends an ARP request for host B and
installs the drop adjacency for host B At this point subsequent
frames destined for host B from host A are dropped (ARP
throttling)
Step 4 Host B responds to the ARP request The Layer 3 engine
installs an adjacency for host B and removes the drop
adjacency
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
35
69
ARP
Throttling
When a router is directly connected to a multiaccess segment(Ethernet) the router maintains an additional prefix for the subnet
This subnet prefix points to a glean adjacency
When a router receives a packets that needs to be forwarded to a specific host the adjacency database is gleaned for a specific prefix
If the prefix does not exist the subnet prefix is consulted
The glean adjacency indicates that any address with this range should be forwarded to the Layer 3 engine ARP processing
70
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
36
71
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
72
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
37
73
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Describing CEF Configuration Commands
74
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
38
Verifying CEF
75
Does the Ideal switching (CEF DCEF) used
CEF table is perfected or accuracy
Common CEF Problems
76
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
39
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
77
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
78
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
40
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
79
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
80
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
41
Things to check(1) Check Layer 3 operations
(2) Verify the FIB and adjacency table
Step 1 Verify CEF
show ip cef summary
show ip cef vlan 10
Step 2 Verify the running configuration
Step 3 Verify the routing
Switchshow ip route | include 1921681500
Step 4 Verify an ARP entry on the route processor
At Switch check ARP atable for 1921681993
Step5 Verify the CEF FIB table entry for the route
Switch show ip cef 1921681500
Step 6 Verify an adjacency table entry for the destination
Switchshow adjacency detail | begin 1921681993
Step 7 Verify CEF from the supervisor engine for
modular switch platforms
Troubleshooting Layer 3 CEF-Based MLS
81
Module 4 Implementing Inter-VLAN
routing (flash v50)
41 Describing Routing Between VLANs
42 Enabling Routing Between VLANS
43 Deploying CEF-Based Multilayer Switching
44 Inter-VLAN Routing Lab Exercises
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
42
Module 5 Implementing Inter-VLAN
routing
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
84
Internetwork Communications
Can two hosts on different subnets communicate without a router
What would happen if a host tried to ping another host
No they cannot communicate
Would it send an ARP Request Why or why not
The host would not send an ARP Request because there is no default-gateway
Cgtping 1721630100
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
43
85
Trunking with Default Gateway
What difference would it make if these hosts were on different VLANs
The Broadcasts would not be forwarded out all ports by the switch
Why does the host send the ARP Request to the router and not the
destination host After all theyrsquore on the same switch
The host doesnrsquot know where the destination host is just that itrsquos
not on itsrsquo network
Cgtping 1721630100
86
Internetwork Communications
Then Destination MAC Address is that of the same device as the Destination IP Address
Check ARP cache for entry of Destination IP Address and its MAC Address
If no entry ARP Request Destination IP Address asking for MAC Address
bull Then Destination MAC Address will be that of the Default Gateway
bull Check ARP cache for entry of Default Gatewayrsquos IP Address and its MAC Address
ndash If no entry ARP Request Default Gatewayrsquos IP Address asking for MAC Address
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
44
87
Inter-VLAN Routing
VLAN is a logical group of ports usually belonging to a single IP
subnet to control the size of the broadcast domain
Even though devices in different VLANs may be ldquophysicallyrdquo
connected these devices cannot communicate without the services of
a default gateway a router
This is known as Inter-VLAN Routing
88
Inter-VLAN Routing
The following devices are
capable of providing inter-
VLAN routing
Any external router or
group of routers with a
separate interface in
each VLAN
Any external router with
an interface that
supports trunking
(router on a stick)
Any Layer 3 multilayer
Catalyst switch
Or trunk port
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
45
89
External Router separate interface in each VLAN
Download PT-Topology-MLS-1
Configure the router to route between VLANs
Is a routing protocol necessary Why or why not
No because all of our networks are directly connected
90
Router-on-a-Stick
bull Download PT-Topology-MLS-2pkt
bull Single trunk link carries traffic for multiple VLANs to and from router
172161010024 172162010024
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
46
91
Configure Router On A Stick 8021Q Trunk Link
interface GigabitEthernet11switchport mode trunk
interface GigabitEthernet50no shutdown Does not show in configinterface GigabitEthernet501description VLAN 1encapsulation dot1Q 1 nativeip address 1721611 2552552550interface GigabitEthernet5010description VLAN 10encapsulation dot1Q 10ip address 17216101 2552552550interface GigabitEthernet5020description VLAN 20encapsulation dot1Q 20ip address 17216201 2552552550interface GigabitEthernet5030description VLAN 30encapsulation dot1Q 30ip address 17216301 2552552550interface GigabitEthernet5040description VLAN 40encapsulation dot1Q 40ip address 17216401 2552552550
1721610100
24
1721620100
24
bull Router on a stick is very
simple to implement
because routers are usually
available in every network
92
Multilayer Switches
Layer 2 Interfaces
Access portmdash Carries
traffic for a single VLAN
Which are the access
ports
Trunk portmdash Carries
traffic for multiple
VLANs using Inter-
Switch Link (ISL)
encapsulation or
8021Q tagging
Which are the trunk
ports
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
47
93
Connecting VLANs with Multilayer Switches
Cisco IOS Switchport command
The switchport command configures an interface as a Layer 2 interface
Note The no switchport command configures an interface as a Layer 3 interface
SwitchA(config)interface fa 01
SwitchA(config-if-range)switchport mode access
SwitchA(config-if-range)switchport access vlan 10
SwitchA(config)interface gigabitethernet 12
SwitchA(config-if-range)switchport trunk encapsulation dot1q
SwitchA(config-if-range)switchport mode trunk
Layer 2 Interfaces
94
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces
Routed portmdash A pure Layer 3 interface similar to a routed port on a Cisco IOS router
Switch virtual interface (SVI)mdash A virtual VLAN interface for inter-VLAN routing In other words SVIs are the virtual routed VLAN interfaces
Bridge virtual interface (BVI)mdash A Layer 3 virtual bridging interface (Not discussed)
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
48
95
MLS Layer 3 Interface Routed Port
Download PT-Topology-MLS-3pkt
A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured
Not associated with a particular VLAN
Like a regular router interface except that it does not support subinterfaces
96
Core1(config) interface GigabitEthernet01
Core1(config-if) no switchport
Core1(config-if) ip address 19216815 255255255252
Core1(config) interface GigabitEthernet02
Core1(config-if) no switchport
Core1(config-if) ip address 19216811 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
bull Configure the other
Core and
Distribution switches
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
49
97
Core2(config) interface GigabitEthernet01
Core2(config-if) no switchport
Core2(config-if) ip address 19216816 255255255252
Core2(config) interface GigabitEthernet02
Core2(config-if) no switchport
Core2(config-if) ip address 19216819 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
98
DLS1(config) interface GigabitEthernet02
DLS1(config-if) no switchport
DLS1(config-if) ip address 19216812 255255255252
MLS Layer 3 Interface
Routed Port
1921681430
1921681030 1921681830
DLS2(config) interface GigabitEthernet02
DLS2(config-if) no switchport
DLS2(config-if) ip address 192168110 255255255252
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
50
99
MLS Layer 3 Interface SVI
Switch virtual interfaces (SVI)
Layer 3 interfaces that are configured on multilayer Layer 3 switches
Used for inter-VLAN routing
A virtual VLAN interface
Associated with the VLAN-ID
Enable routing capability on that VLAN
Note These are virtual interfaces
SVI
100
MLS Layer 3 Interface
SVI
To configure communication
between VLANs you must
configure each SVI with an IP
address and subnet mask in
the chosen address range for
that subnet
The IP address associated with
the VLAN interface is the default
gateway of the workstation
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
51
101
MLS Layer 3 Interface
SVI
bull The switch routes frames between VLANs directly on the switch via
hardware switching without requiring an external router
ndash An SVI is mostly implemented to interconnect the VLANs on the
Building Distribution submodules or the Building Access submodules in the
multilayer switched network
DLS1(config) interface vlan 1DLS1(config-if) ip address 1721611 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 10DLS1(config-if) ip address 17216101 2552552550DLS1(config-if) no shutdownDLS1(config) interface vlan 20DLS1(config-if) ip address 17216201 2552552550DLS1(config-if) no shutdown
102
MLS Layer 3 Interface BVI
httpwwwciscocomenUStechtk389tk689technologies_tech_note09186a0080094663shtml
BVIPDF
A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts like a normal SVI to route packets across bridged or routed domains Bridging Layer 2 packets across Layer 3 interfaces is a legacy method of moving frames in a network To configure a BVI to route use the integrated routing and bridging (IRB) feature which makes it possible to route a given protocol between routed interfaces and bridge groups within the same device Specifically routable traffic is routed to other routed interfaces and bridge groups while local or unroutable traffic is bridged among the bridged interfaces in the same bridge group As a result bridging creates a single instance of spanning tree in multiple VLANs or routed subnets This type of configuration complicates spanning tree and the behavior of other protocols which in turn makes troubleshooting difficult
In todays network however bridging across routed domains is highly discouraged
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
52
103
IP Broadcast
Forwarding
DHCP use IP subnet broadcasts to the 255255255255 address
Routers do not route these packets by default
Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a
unicast
directed broadcast address
104
DHCP Relay Agent
Layer 3 devices do not pass broadcasts
What issue does this cause for DHCP Servers
Each subnet requires a DHCP server
To enable the DHCP relay agent feature configure the ip helper-addresscommand with the DHCP server IP address(es) on the client VLAN interfaces
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10211 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
53
105
DHCP Relay Agent
The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP DNS Time NetBIOS name server and BOOTP packets by
default
By default the ip helper-address command forwards the eight UDPs services
106
DHCP Relay Agent
ip helper-address - make sure the ip directed-broadcast is notconfigured on any outbound interfaces that the UDP broadcast packets need to traverse
The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast to a physical broadcast (MAC FF)
This is a default behavior since Cisco IOS Release 120 implemented as a security measure
MLS(config)interface vlan 1
MLS(configif)description DHCP Server VLAN
MLS(config-if)ip address 10111 2552552550
MLS(config-if)no ip directed-broadcast
MLS(config)interface vlan 2
MLS(config-ig)description DHCP clients
MLS(config-if)ip address 10121 2552552550
MLS(config-if)no shutdown
MLS(config-if)no ip directed-broadcast
MLS(config-if)ip helper-address 1011254
See Improving Security on
Routers
httpwwwciscocomwarppublic
70721html
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
54
107
UDP Broadcast Forwarding
To specify additional UDP broadcasts for forwarding by the router
when configuring the ip helper-address interface command use the
following global command
ip forward protocol udp udp_ports
Use the no option to remove default or configured applications
Router(config)interface vlan 1
Router(config-if)ip address 1010011 2552552550
Router(config-if)ip helper-address 102001254
Router(config)ip forward-protocol udp mobile-ip
Router(config)no ip forward-protocol udp netbios-ns
Traditional and CEF Based
Multilayer Switching
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
55
109
Multilayer Switching
Multilayer switching - ability of a Catalyst switch to support switching and routing of packets in hardware
Optional support for Layers 4 through 7 switching in hardware as well
Hardware switching A route processor (Layer 3 engine) must download software-based routing switching access lists QoS and other information to the hardware for packet processing
Traditional MLS CEF-Based MLS
110
Traditional and CEF-based MLS
Cisco Catalyst switches use either
Traditional multilayer switching (traditional MLS)
A legacy feature
Cisco Express Forwarding (CEF)-based MLS architecture
All leading-edge Catalyst switches support CEF-based
multilayer switching
Traditional MLS CEF-Based MLS
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
56
111
Traditional MLS
Specialized application-specific integrated circuits (ASICs) perform
Layer 2 rewrite operations of routed packets
Source MAC address
Destination MAC address
Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change
during Layer 3 rewrites the switch must recalculate the CRC
for these new MAC addresses
112
Traditional MLS
Switch learns Layer 2 rewrite information from an MLS router via
an MLS protocol
netflow-based switching
With traditional MLS the Layer 3 engine (route processor) and
switching ASICs work together to build Layer 3 entries on the switch
Each entry can be populated in one of three ways
Source IP address only
Source and destination IP addresses
Full Flow Information with Layer 4 protocol information
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
57
113
Traditional MLS
The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching
After the routing of the first packet in the flow the Layer 3 engine programs the hardware-switching components for routing for subsequent packets
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN
1
D-MAC= 00-00-
0C-11-11-11
S-MAC= 00-AA-00-11-
11-11S-IP = 101110
D-IP = 101220
S-MAC= 00-
AA-00-11-11-11
114
When workstation A sends a packet to workstation B workstation A sends the packet to its default gateway
The default gateway is the RSM
The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP)
As a result the switch creates a candidate entry for this flow
MLS-SE
MLS-RPMLS-RPThe Destination MAC
Address is one of the
routerrsquos interfaces
There is not an existing
flow so I will flag this as a
candidate packet
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 1
D-MAC= 00-00-0C-11-11-11
S-MAC= 00-AA-00-11-11-11
S-IP = 101110
D-IP = 101220
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
58
115
Next the router accepts the packets from workstation A rewrites the
Layer 2 MAC addresses and CRC and forwards the packet to
workstation B
The switch refers to the routed packet from the RSM as the enabler
packet
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2 D-MAC= 00-AA-00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
116
MLS-SE recognizes various matches including CAM details not included
Basically the MLS-SE recognizes that the packet going out of VLAN 2 was the same one that came in on VLAN 1
The switch upon seeing both the candidate and enabler packets creates an MLS entry in hardware (MLS Cache) such that the switch rewrites and forwards all future packets matching this flow
MLS-SE
MLS-RP
dot1q Tag
(inside Eth Hdr)
Ethernet Header IP Header IP
Data
VLAN 2
D-MAC= 00-AA-
00-22-22-22
S-MAC= 00-00-0C-22-22-22
S-IP = 101110
D-IP = 101220
Candidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
59
117
As future packets from the ldquoflowrdquo arrive the MLS-SE uses the destination IP address to look up the entry in the MLS cache
Finding a match rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router)
The rewrite operation modifies all the same fields initially modified by the router for the first packet including the source MAC and destination MAC addresses
MLS-SE
MLS-RPCandidate Packet Info
Layer 3 Info
S-IP 101110
D-IP 101220
Layer 2 Info
S-MAC 00-AA-00-11-11-11
D-MAC 00-00-0C-11-11-11
Dst IP Src IP Port Dst
Port
Src
Port
Dst
MAC
Src
MAC
VLAN Interface
101220 101110 TCP 23 1238 00-AA-
00-22-22-22
00-00-
0C-22-22-22
2 31
Future Packets
MLS
Cache
Found match in MLS
Cache rewrite Ethernet
Header and send directly
to Host B forget the
router
118
CEF-based MLS
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
60
119
CEF
CEF-based MLS forwarding model is used to download the control plane information such as the access lists to the data plane on the supervisor port or line card for hardware switching of packets
Control plane represents the Layer 3 engine (route processor)
Data plane represents the hardware components such as ASICs used by the switch for hardware switching
CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB)
Result is switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses
120
CEF
The two main components of CEF are FIB Adjacency Table
bull Forwarding information base
Make IP destination switching decisions
Similar to a routing table
Mirror image of the forwarding information contained in the IP routing table
When routing or topology changes occur in the network the IP routing table is updated and those changes are reflected in the FIB
Maintains next-hop address information based on the information in the IP routing table
Both the Layer 3 engine and the hardware-switching components maintain a FIB
Routing Table
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
61
121
CEF
Adjacency tables
Network nodes in the network are said to be adjacent if they can
reach each other with a single hop across a link layer (OSPF
EIGRP)
A router normally maintains
Routing table containing Layer 3 network and next-hop
information
ARP table containing Layer 3 to Layer 2 address mapping
These tables are kept independently
122
CEF
Adjacency tables
The FIB keeps the Layer 3 next-hop address for each entry
To streamline packet forwarding even more the FIB has corresponding Layer 2 information for every next-hop entry
This portion of the FIB is called the adjacency table consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop
Layer 2 MAC Addresses
Next Hop Information
Next hop
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
62
123
CEF
Adjacency tables (summary more detail coming)
Built from the ARP table
As a next-hop address receives a valid ARP entry the adjacency table is updated
If an ARP entry does not exist the FIB entry is marked as ldquoCEF gleanrdquo
This means that the Layer 3 forwarding engine cant forward the packet in hardware due to the missing Layer 2 next-hop address
The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply
This is known as the ldquoCEF gleanrdquo state where the Layer 3 engine must glean the next-hop destinations MAC address
No ARP entry
L3 forwarding
engine canrsquot
forward packet
in hardware
must send to L3
Engine Irsquoll generate the ARP
Request and get an
ARP Reply
124
CEF
Adjacency tables
What happens to subsequent packets while FIB entry is in glean state (L3 engine is sending ARP Request)
These packets are dropped
So input queues do not fill
So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests
This is called ARP throttling or throttling adjacency
If an ARP reply is not received in two seconds the throttling is released so that another ARP request can be triggered
After ARP reply is received
Throttling is released
FIB entry can be completed
Subsequent packets can be forwarded in hardware
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
63
125
ARP
Throttling
1 Host A sends a packet to Host B
CEF lookup shows glean adjacency (ARP entry does not exist so no entry in adjacency table)
No rewrite information exists
2 Packet passed to Layer 3 Engine for processing
126
ARP
Throttling
3 Obtaining rewrite information
L3 Engine sends an ARP Request for Host B and waits for ARP Reply
Throttling Adjacency While in glean state subsequent packets to that host are dropped so that input queues do not fill and so the Layer 3 engine isnrsquot busy with duplicate ARP Requests (Note Ciscorsquos routers drop the first packet when there is no ARP entry while sending the ARP Request)
ARP
RequestDrop packets until ARP
Reply received
(Throttling Adjacency)
Throttling Adjacency is
removed when no ARP
Reply is received in 2
seconds This allows
for another packet to to
initiate a new ARP
Request
Throttling Adjacency
relieves the Layer 3
Engine of excessive
ARP processing or
ARP-based DoS
attacks
XX
X
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
64
127
ARP
Throttling
4 Host B sends ARP Reply
ARP
Reply
Drop packets until ARP
Reply received
(Throttling Adjacency)
XX
X
128
ARP
Throttling
5 The Layer 3 Engine installs Adjacency for Host B and removes the
throttling (drop) adjacency
Next Packet Rewrite (Coming)
Drop packets until ARP
Reply received
(Throttling Adjacency)
1020102
Host Brsquos
MAC
Address
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
65
129
Packet Rewrite
Egress
Packet
130
Packet Rewrite
The switch receives another packet
After a multilayer switch finds valid entries in the FIB and adjacency tables a packet is almost ready to be forwarded
One step remainsmdashthe packet header information must be rewritten
Multilayer switching occurs as quick table lookups
Find the next-hop address
Outbound switch port
The IP header must also be adjusted as if a traditional router had done the forwarding (TTL)
Default
Gateway
Host ATTL
L3 ChecksumL2 Checksum
1020102Host Brsquos
MAC
Address
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
66
131
Packet Rewrite
The packet rewrite engine makes the following changes to the packet just prior to forwarding
Layer 2 destination addressmdash Changed to the next-hop devices MAC address
Layer 2 source addressmdash Changed to the outbound Layer 3 switch interfaces MAC address
Layer 3 IP Time To Live (TTL)mdash Decremented by one as one router hop has just occurred
Layer 2 frame checksummdash Recalculated to include changes to the Layer 2 and Layer 3 headers
Layer 3 IP checksummdash Recalculated to include changes to the IP header
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
132
Packet Rewrite
A traditional router would normally make the same changes to each
packet
The multilayer switch must act as if a traditional router were being used
making identical changes
The multilayer switch
Can do this very efficiently with dedicated packet rewrite
hardware and with address information obtained from table
lookups
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
67
133
Packet Rewrite
The switch performs a Layer 3
lookup and finds a CEF entry for
Host B
The switch rewrites packets per
the adjacency information and
forwards the packet to Host B on
its VLAN
Default
Gateway
TTL
L3 ChecksumL2 Checksum
Host B
MAC Add
TTL
- 1
L2 Checksum L3 Checksum
Host AL3 switch
outbound
interface
1020102Host Brsquos
MAC
Address
134
CEF
Catalyst switches do not support routing of all types of frames in hardware
For example the following list details common frame types that are not supported by hardware switching
Packets with IP header options
Packets sourced from or destined to tunnel interfaces
Packets using Ethernet encapsulation types other than ARPA
Packets that require fragmentation (exceed MTU of the interface)
Two types of CEF
Central CEF ndash Forwarding decisions done by ASIC that is central to all interfaces
Distributed CEF (dCEF) ndash Forwarding decisions done on independently on interfaces or line modules (faster)
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
68
135
Switching Table Architectures
Multilayer switches build the following tables for centralized or distributed switching in hardware using high-speed memory tables
Routing (CEF FIB and adjacency)
Bridging
QoS
Access Control ist (ACL) tables
136
Switching Table Architectures - Details
Multilayer switches deploy memory tables using specialized memory architectures
CAM (content addressable memory)
Provides only two results 0 (true) or 1 (false)
For exact matches such as MAC address tables
TCAM (ternary content addressable memory ) ndash Ternary Logic
Provides three results 0 (donrsquot care) 1 (true) 2 (false) Ternary Logic Ternary number system (Base 3) - trits
For longest matches such as IP routing tables organized by IP prefixes
CAM TCAM
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
69
137
CAM
For Layer 2 switching tables
With CAM tables switches must find exact matches or the switches
use a default behavior
Switch must find an exact match to a destination MAC address or
the switch floods the packet out all ports in the VLAN
138
CAM
The information a switch uses to perform a lookup in a CAM table is
called a key
Destination MAC address
VLAN ID
Key
VLAN ID
Key
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
70
139
TCAM
TCAM is a specialized CAM designed for
rapid table lookups
For example the Catalyst 2950 3550
4500 and 6500 families of switches use
TCAM to handle ACL lookups at line
rate
Thus applying ACLs does not affect the
performance of the switch
Single lookup provides the following
information
Layer 2
Layer 3
ACL
140
TCAM
VMR (value mask and result) refers to the format of entries in TCAM
The ldquovaluerdquo in VMR refers to the pattern that is to be matched
Examples include IP addresses and protocol ports
The ldquomaskrdquo refers to the mask bitsassociated with the pattern and determines the prefix
The ldquoresultrdquo refers to the result or action that occurs in the case where a lookup returns a hit for the pattern and mask
This result might be a ldquopermitrdquo or ldquodenyrdquo in the case of a TCAM for ACLs
Another example of a result is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information in the case of a TCAM used for IP routing
If TCAM becomes full the wildcard entry will force the packet to route via the routing table
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
71
141
CEF-Based MLS Lookups
1 Layer 3 packets initiate TCAM lookup
2 The longest match returns adjacency with rewrite information
3 The packet is rewritten per adjacency information and forwarded
142
Inter-VLAN Routing Summary
A router on a stick can be used to route between VLANs using either
ISL or 8021Q as the trunking protocol
A router on a stick requires subinterfaces one for
each VLAN
Verify inter-VLAN routing by generating IP packets between two
subnets
Multilayer switches can forward traffic both at Layer 2 and at Layer
3
Multilayer switches rewrite the Layer 2 and Layer 3 header using
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
72
143
Configuring Inter-VLAN Routing
Through an SVI
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config)interface vlan vlan-id
Step 2 Create an SVI interface
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the SVI
144
Configuring a Routed Port
Switch(config)ip routing
Step 1 Configure IP routing
Switch(config)router ip_routing_protocol ltoptionsgt
Step 4 Configure the IP routing protocol if needed
Switch(config-if)no switchport
Step 2 Create a routed port
Switch(config-if)ip address ip-address mask
Step 3 Assign an IP address to the routed port
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
73
145
Enabling CEF
Switch(config-if)ip cef
Switch(config-if)ip route-cache cef
The commands required to enable CEF are platform dependent
ndash On the Cisco Catalyst 4000 switch
ndash On the Cisco Catalyst 3550 switch
146
Verifying CEF
Switchshow ip cef [type modport | vlan_interface] [detail]
Switch show ip cef vlan 11 detail
IP CEF with switching (Table Version 11) flags=0x010 routes 0 reresolve 0 unresolved (0 old 0 new) peak 013 leaves 12 nodes 14248 bytes 14 inserts 1 invalidations0 load sharing elements 0 bytes 0 referencesuniversal per-destination load sharing algorithm id 4B936A242(0) CEF resets 0 revisions of existing leavesResolution Timer Exponential (currently 1s peak 1s)0 in-place0 aborted modificationsrefcounts 1061 leaf 1052 node
Table epoch 0 (13 entries at this epoch)
1721611024 version 6 epoch 0 attached connected0 packets 0 bytesvia Vlan11 0 dependencies
valid glean adjacency
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
74
147
Verify Layer 3 Switching
Switchshow interface type modport | port-channel number | begin L3
Switchshow interface fastethernet 33 | begin L3L3 in Switched ucast 0 pkt 0 bytes - mcast 12 pkt 778 bytes mcastL3 out Switched ucast 0 pkt 0 bytes - mcast 0 pkt 0 bytes
4046399 packets input 349370039 bytes 0 no bufferReceived 3795255 broadcasts 2 runts 0 giants 0 throttles
Switch
148
Displaying Hardware Layer 3 Switching
Statistics
Switchshow interfaces type modport | port-channel number include switched
Switchshow interfaces gigabitethernet 95 | include switchedL2 Switched ucast 8199 pkt 1362060 bytes - mcast 6980 pkt 371952 bytesL3 in Switched ucast 3045 pkt 742761 bytes - mcast 0 pkt 0 bytes mcastL3 out Switched ucast 2975 pkt 693411 bytes - mcast 0 pkt 0 bytes
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
75
149
Adjacency Information
Switchshow adjacency [type modport | port-channel number | detail | internal | summary]
Switchshow adjacency gigabitethernet 95 detailProtocol Interface AddressIP GigabitEthernet95 1722053206(11)
504 packets 6110 bytes00605C865B82000164F83FA50800ARP 034931
150
Debugging CEF Operations
Switchdebug ip cef drops | access-list | receive | events | prefix-ipc | table
bull Displays debug information for CEF
Switchdebug ip cef ipc | interface-ipc
bull Displays debug information related to IPC in CEF
Switchping ip
bull Performs an extended ping
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing
76
151
CEF Summary
Layer 3 switching is high-performance packet switching in
hardware
MLS functionality can be implemented through CEF
CEF uses tables in hardware to forward packets
Specific commands are used to enable and verify
CEF operations
Commands to enable CEF are platform dependent
CEF problems can be matched to specific solutions
Specific commands are used to troubleshoot and solve CEF
problems
Ordered steps assist in troubleshooting CEF-based problems
Multilayer Switched Networks
CCNP 3 version 5
Rick Graziani
Module 4 Implementing Inter-VLAN
routing