Module 5. Implementing Multi-Layer Switching _MLS_


        Multilayer Switched Networks - CCNP 3 (Ver.4)
                    Rick Graziani, Fall 2006


                 hjlee@dongseo.ac.kr
                 http://kowon.dongseo.ac.kr/~hjlee
                 http://crypto.dongseo.ac.kr




Review to Ver 3.0

•   Go to the CCNP3 Ver.3.0 Presentation (inter-VLAN Routing)
•   Go to the CCNP3 Ver.3.0 Presentation (MLS switching)






Part I. Inter-VLAN Routing (ver 4.0)

Go to the CCNP3 Ver.3.0 Presentation (inter-VLAN Routing)




Internetwork Communications

(Figure: Direct to host or via Gateway?)

• Even though hosts on different VLANs may be physically connected to the
    same switch, logically they are on separate networks.
• Remember, a host determines if it can communicate directly with another
    host by ANDing its own source IP address and subnet mask to determine
    its network address, and then ANDing the destination IP address of the
    packet with its own subnet mask.



Internetwork Communications

If the destination is on the same network:
•       The Destination MAC Address is that of the same device as the Destination IP
        Address.
•       Check the ARP cache for an entry for the Destination IP Address and its MAC Address.
         – If there is no entry, send an ARP Request for the Destination IP Address asking
           for its MAC Address.

If the destination is on a different network:
•       The Destination MAC Address will be that of the Default Gateway.
•       Check the ARP cache for an entry for the Default Gateway’s IP Address and its MAC
        Address.
         – If there is no entry, send an ARP Request for the Default Gateway’s IP Address
           asking for its MAC Address.




Internetwork Communications

(Figure: Direct to host or via Gateway?)

• If the addresses match, the two hosts are on the same network and the IP
    packet can be encapsulated in an Ethernet frame whose destination MAC
    address is that of the host that owns the destination IP address.
•   If the addresses do not match, the two hosts are on different networks.
      – The packet must be encapsulated in an Ethernet frame whose
         destination MAC address is that of the default gateway.



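The decision described on these slides, as an added Python example (not part of the course material): the host ANDs its own mask with both addresses, chooses either the destination host or the default gateway as the ARP target, and falls back to an ARP Request when its cache has no entry. The host addresses, gateway and ARP cache contents are constructed for the example.

```python
import ipaddress

# Constructed sample ARP cache for the sending host 10.1.1.10/24.
# The router MAC follows the slides' Cisco OUI convention (00-00-0C).
ARP_CACHE = {
    "10.1.1.20": "00-AA-00-11-11-22",   # another host on the same VLAN
    "10.1.1.1": "00-00-0C-11-11-11",    # default gateway (router interface)
}


def same_network(src_ip: str, dst_ip: str, mask: str) -> bool:
    """AND both addresses with the sender's own mask and compare the results.

    The sender only knows its own mask, so it applies that same mask to the
    destination address, exactly as the slides describe.
    """
    src = int(ipaddress.IPv4Address(src_ip))
    dst = int(ipaddress.IPv4Address(dst_ip))
    m = int(ipaddress.IPv4Address(mask))
    return (src & m) == (dst & m)


def next_hop(src_ip: str, mask: str, gateway_ip: str, dst_ip: str) -> str:
    """Return the IP whose MAC address belongs in the frame's destination field."""
    return dst_ip if same_network(src_ip, dst_ip, mask) else gateway_ip


def resolve(ip: str, arp_cache: dict) -> tuple:
    """Consult the ARP cache: (mac, False) on a hit, (None, True) when an
    ARP Request for `ip` must be sent before the frame can be built."""
    mac = arp_cache.get(ip)
    return (mac, False) if mac is not None else (None, True)


def plan_frame(src_ip: str, mask: str, gateway_ip: str, dst_ip: str,
               arp_cache: dict = ARP_CACHE) -> dict:
    """Decide how the host encapsulates an IP packet addressed to dst_ip."""
    hop = next_hop(src_ip, mask, gateway_ip, dst_ip)
    mac, needs_arp = resolve(hop, arp_cache)
    return {
        "dst_ip": dst_ip,                 # Layer 3 destination never changes
        "via_gateway": hop != dst_ip,
        "arp_target": hop,                # whose MAC the frame will carry
        "dst_mac": mac,
        "needs_arp_request": needs_arp,
    }


if __name__ == "__main__":
    for dst in ("10.1.1.20", "10.1.2.20", "10.1.1.30"):
        print(dst, plan_frame("10.1.1.10", "255.255.255.0", "10.1.1.1", dst))
```

Because only the sender's mask is used, a host configured with a mask that is too wide (say 255.255.0.0 here) would treat 10.1.2.20 as local and ARP for it directly instead of using the gateway, which is the usual symptom of a subnet mask typo.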
Inter-VLAN Routing




• A VLAN is a logical group of ports, usually belonging to a single IP
    subnet to control the size of the broadcast domain.
• Even though devices in different VLANs may be “physically”
    connected, as shown in the previous slides, these devices cannot
    communicate without the services of a default gateway, a router.
•   Because VLANs isolate traffic to a defined broadcast domain and
    subnet, network devices in different VLANs cannot communicate
    with each other without the use of a router.
•   This is known as Inter-VLAN Routing.




Inter-VLAN Routing

• The following devices are capable of providing inter-VLAN routing:
     – Any Layer 3 multilayer Catalyst switch
     – Any external router with an interface that supports trunking
       (router on a stick)
     – Any external router or group of routers with a separate interface
       in each VLAN (or a trunk port)



Inter-VLAN Routing with External Router




   • Single trunk link carries traffic for multiple VLANs to and
     from router.





Router On A Stick: 802.1Q Trunk Link

switch(config)#interface FastEthernet 0/0
switch(config-if)#switchport trunk encapsulation dot1q
switch(config-if)#switchport mode trunk




Router(config)#interface FastEthernet0/0
Router(config-if)#no shutdown

Router(config)#interface FastEthernet 0/0.1
Router(config-subif)#description VLAN 1
Router(config-subif)#encapsulation dot1Q 1 native
Router(config-subif)#ip address 10.10.1.1 255.255.255.0

Router(config)#interface FastEthernet 0/0.10
Router(config-subif)#description VLAN 10
Router(config-subif)#encapsulation dot1Q 10
Router(config-subif)#ip address 10.10.10.1 255.255.255.0

Router(config)#interface FastEthernet 0/0.20
Router(config-subif)#description VLAN 20
Router(config-subif)#encapsulation dot1Q 20
Router(config-subif)#ip address 10.10.20.1 255.255.255.0




Router On a Stick

• Router on a stick is very simple to implement because routers are
    usually available in every network.
• Most enterprise networks use multilayer switches to achieve high
    packet-processing rates using hardware switching.
•   Multilayer (layer 3) switches usually have packet-switching
    throughputs in the millions of packets per second (pps), whereas
    traditional general-purpose routers provide packet switching in the
    range of 100,000 pps to just over 1 million pps.
    (Slide annotation: 1/10 speed down!)




Connecting VLANs with Multilayer Switches

Layer 2 Interfaces:
• Access port—
  Carries traffic for a
  single VLAN
• Trunk port—
  Carries traffic for
  multiple VLANs
  using Inter-Switch
  Link (ISL)
  encapsulation or
  802.1Q tagging



Connecting VLANs with Multilayer Switches

Layer 2 Interfaces
DLSwitchA(config)#interface range fa 0/11 - 15
DLSwitchA(config-if-range)#switchport mode access
DLSwitchA(config-if-range)#switchport access vlan 10

DLSwitchA(config)#interface range fastethernet 0/1 - 4, gigabitethernet 0/2
DLSwitchA(config-if-range)#switchport trunk encapsulation dot1q
DLSwitchA(config-if-range)#switchport mode trunk


•   Cisco IOS Switchport command
     – The switchport command configures an interface as a Layer 2 interface.
     – The no switchport command configures an interface as a Layer 3
        interface.

•   Different models of Catalyst switches use different default settings for interfaces.
     – Catalyst 3550 and 4500 switches use Layer 2 interfaces by default
     – Catalyst 6500 family of switches (IOS) use Layer 3 interfaces by default.
     – Recall that default interface configurations do not appear in the configuration.





Layer 3 Interfaces




The Catalyst multilayer switches support three different types of Layer 3
  interfaces:
• Routed port— A pure Layer 3 interface similar to a routed port on a
  Cisco IOS router.
• Switch virtual interface (SVI) — A virtual VLAN interface for inter-
  VLAN routing. In other words, SVIs are the virtual routed VLAN
  interfaces.
• Bridge virtual interface (BVI) — A Layer 3 virtual bridging interface.
  (Not discussed)

MLS Layer 3 Interface: Routed Port




 • A routed port is a physical port that acts similarly to a port on a
     traditional router with Layer 3 addresses configured.
 • Unlike an access port, a routed port is not associated with a
     particular VLAN.
 •   A routed port behaves like a regular router interface, except that it
     does not support subinterfaces as with Cisco IOS routers.





MLS Layer 3 Interface: Routed Port




Core-Left(config)#interface GigabitEthernet 1/1
Core-Left(config-if)#no switchport
Core-Left(config-if)#ip address 10.168.5.254 255.255.255.252

Core-Right(config)#interface GigabitEthernet 1/2
Core-Right(config-if)#ip address 10.168.6.254 255.255.255.252
% IP addresses may not be configured on L2 links.
Core-Right(config-if)#no switchport
Core-Right(config-if)#ip address 10.168.6.254 255.255.255.252


MLS Layer 3 Interface: SVI
                          DLSwitch(config)#interface vlan 1
                          DLSwitch(config-if)#ip address 172.16.1.1 255.255.255.0
                          DLSwitch(config)#interface vlan 10
                          DLSwitch(config-if)#ip address 172.16.10.1 255.255.255.0
                          DLSwitch(config)#interface vlan 20
                          DLSwitch(config-if)#ip address 172.16.20.1 255.255.255.0
                          DLSwitch(config)#interface vlan 30
                          DLSwitch(config-if)#ip address 172.16.30.1 255.255.255.0




• Switch virtual interfaces (SVI) are Layer 3 interfaces that are
    configured on multilayer Layer 3 Catalyst switches that are used for
    inter-VLAN routing.
•   An SVI is a virtual VLAN interface that is associated with the VLAN-
    ID to enable routing capability on that VLAN.
•   Note: These are virtual interfaces!






MLS Layer 3 Interface: SVI





• To configure communication between VLANs, you must configure each
    SVI with an IP address and subnet mask in the chosen address
    range for that subnet.
•   The IP address associated with the VLAN interface is the default
    gateway of the workstation.


MLS Layer 3 Interface: SVI


• In this case, the switch routes frames from a host on VLAN 10 to a host
    on VLAN 20 directly on the switch via hardware switching, without
    requiring an external router.
•   An SVI is mostly implemented to interconnect the VLANs on the
    Building Distribution submodules or the Building Access submodules in
    the multilayer switched network.




MLS Layer 3 Interface: BVI

• http://www.cisco.com/en/US/tech/tk389/tk689/technologies_tech_note09186a0080094663.shtml
• A bridge virtual interface (BVI) is a Layer 3 virtual interface that acts
    like a normal SVI to route packets across bridged or routed domains.
    Bridging Layer 2 packets across Layer 3 interfaces is a legacy method
    of moving frames in a network. To configure a BVI to route, use the
    integrated routing and bridging (IRB) feature, which makes it possible
    to route a given protocol between routed interfaces and bridge groups
    within the same device. Specifically, routable traffic is routed to other
    routed interfaces and bridge groups, while local or unroutable traffic is
    bridged among the bridged interfaces in the same bridge group. As a
    result, bridging creates a single instance of spanning tree in multiple
    VLANs or routed subnets. This type of configuration complicates
    spanning tree and the behavior of other protocols, which in turn makes
    troubleshooting difficult.
•   In today's network, however, bridging across routed domains is highly
    discouraged.

IP Broadcast Forwarding

• IP broadcast forwarding is necessary when using VLANs to centrally
    locate DHCP or other servers where clients rely on broadcasts to
    locate or communicate with the services running on the server.
•   For example, DHCP requests are IP subnet broadcasts to the
    255.255.255.255 address.
•   Routers do not route these packets by default.
•   However, Cisco routers and Layer 3 switches can be configured to
    forward these DHCP and other UDP broadcast packets to a unicast
    or directed broadcast address.
•   The broadcast-forwarding features support more than DHCP and can
    forward any UDP broadcast.
•   The following list summarizes the solutions that Cisco IOS IP
    broadcast forwarding features provide:
     – DHCP relay agent
     – UDP broadcast forwarding





DHCP Relay Agent



MLS(config)#interface vlan 1
MLS(config-if)#description DHCP Server VLAN
MLS(config-if)#ip address 10.1.1.1 255.255.255.0
MLS(config-if)#no ip directed-broadcast

MLS(config)#interface vlan 2
MLS(config-if)#description DHCP clients
MLS(config-if)#ip address 10.2.1.1 255.255.255.0
MLS(config-if)#no shutdown
MLS(config-if)#no ip directed-broadcast
MLS(config-if)#ip helper-address 10.1.1.254

• Because Layer 3 devices do not pass broadcasts by default, each subnet
    requires a DHCP server unless the routers are configured to forward the
    DHCP broadcast using the DHCP relay agent feature.
•   To enable the DHCP relay agent feature, configure the ip helper-
    address command with the DHCP server IP address on the client
    VLAN interfaces. (For multiple DHCP servers, use multiple commands.)
DHCP Relay Agent (FYI)




•   From Cisco.com:
•   http://www.cisco.com/en/US/products/ps6350/products_configuration_guide_chapter09186a00804412bf.html
•   The DHCP client broadcasts a request for an IP address and additional configuration parameters on
    its local LAN. Router B, acting as a DHCP relay agent, picks up the broadcast and generates a new
    DHCP message to send out on another interface. As part of this DHCP message, the relay agent
    inserts the IP address of the interface containing the ip helper-address command into the gateway IP
    address (giaddr) field of the DHCP packet. This IP address enables the DHCP server to determine
    which subnet should receive the offer and identify the appropriate IP address range to offer. The
    DHCP relay agent sends the local broadcast, via IP unicast, to the DHCP server address 172.16.1.2
    specified by the ip helper-address interface configuration command.




DHCP Relay Agent

The ip helper-address command not only forwards DHCP UDP packets but also
forwards TFTP, DNS, Time, NetBIOS name server, and BOOTP packets by
default.
By default, the ip helper-address command forwards eight UDP services.




DHCP Relay Agent



MLS(config)#interface vlan 1
MLS(config-if)#description DHCP Server VLAN
MLS(config-if)#ip address 10.1.1.1 255.255.255.0
MLS(config-if)#no ip directed-broadcast

MLS(config)#interface vlan 2
MLS(config-if)#description DHCP clients
MLS(config-if)#ip address 10.1.2.1 255.255.255.0
MLS(config-if)#no shutdown
MLS(config-if)#no ip directed-broadcast
MLS(config-if)#ip helper-address 10.1.1.254

See Improving Security on Routers: http://www.cisco.com/warp/public/707/21.html

•   When applying the ip helper-address command, make sure that ip
    directed-broadcast is not configured on any outbound interfaces that the
    UDP broadcast packets need to traverse.
•   The no ip directed-broadcast command configures the router or switch to
    prevent the translation of a directed broadcast to a physical broadcast (MAC FF).
•   This has been the default behavior since Cisco IOS Release 12.0, implemented as a
    security measure.




UDP Broadcast Forwarding
Router(config)#interface vlan 1
Router(config-if)#ip address 10.100.1.1 255.255.255.0
Router(config-if)#ip helper-address 10.200.1.254

Router(config)#no ip forward-protocol udp netbios-ns
Router(config)#ip forward-protocol udp mobile-ip




• To specify additional UDP broadcasts for forwarding by the router
    when configuring the ip helper-address interface command, use the
    following global command:
    ip forward-protocol udp port

• This example shows the configuration for not forwarding UDP broadcasts
    for the NetBIOS name service, which is forwarded by default when the ip
    helper-address command is configured.
•   This example also shows the configuration of forwarding UDP packets
    for mobile-ip in addition to the other UDP ports forwarded by default.




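An added Python model (not Cisco's code, nor from the course) of the two behaviours described on this slide and the preceding DHCP relay slides: the relay fills in giaddr and bumps the hop count before unicasting the request to each helper address, and a UDP broadcast is relayed only if its destination port is in the forwarded set. The default set is the IOS list of eight services (time, tacacs, domain, bootps, bootpc, tftp, netbios-ns, netbios-dgm), with the slide's netbios-ns removed and mobile-ip (UDP 434) added; the Datagram class, the DISCOVER builder and the choice of the ingress SVI address as the relayed packet's source are assumptions of this model.

```python
import struct
from dataclasses import dataclass

# UDP ports Cisco IOS forwards by default once ip helper-address is configured
# (the slide's "eight UDP services").
IOS_DEFAULT_UDP_PORTS = {
    "time": 37, "tacacs": 49, "domain": 53, "bootps": 67, "bootpc": 68,
    "tftp": 69, "netbios-ns": 137, "netbios-dgm": 138,
}
MOBILE_IP_PORT = 434   # "ip forward-protocol udp mobile-ip"


def forward_ports(removed=(), added=()) -> set:
    """Apply 'no ip forward-protocol udp <x>' / 'ip forward-protocol udp <y>'
    lines to the default set and return the ports that will be relayed."""
    ports = set(IOS_DEFAULT_UDP_PORTS.values())
    ports -= set(removed)
    ports |= set(added)
    return ports


# The slide's global configuration: drop netbios-ns, add mobile-ip.
PORTS = forward_ports(removed={IOS_DEFAULT_UDP_PORTS["netbios-ns"]},
                      added={MOBILE_IP_PORT})


@dataclass
class Datagram:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    payload: bytes


def set_giaddr(bootp: bytes, relay_ip: str) -> bytes:
    """Relay-agent edit of a BOOTP/DHCP message: increment hops and, only if
    giaddr is still 0.0.0.0, fill it with the address of the interface that
    carries the ip helper-address command (a later relay must not overwrite it)."""
    if len(bootp) < 236:
        raise ValueError("truncated BOOTP header")
    buf = bytearray(bootp)
    buf[3] = (buf[3] + 1) & 0xFF             # hops field, offset 3
    if buf[24:28] == b"\x00\x00\x00\x00":     # giaddr field, offset 24
        buf[24:28] = bytes(int(o) for o in relay_ip.split("."))
    return bytes(buf)


def relay(d: Datagram, ingress_ip: str, helpers: list, ports: set = PORTS) -> list:
    """Return the unicast datagrams the relay emits, or [] when the broadcast is
    not forwarded (not a limited broadcast, or port not in the forwarded set)."""
    if d.dst_ip != "255.255.255.255" or d.dst_port not in ports:
        return []
    payload = d.payload
    if d.dst_port == IOS_DEFAULT_UDP_PORTS["bootps"]:
        payload = set_giaddr(payload, ingress_ip)
    # One unicast copy per helper address (multiple ip helper-address lines).
    return [Datagram(ingress_ip, h, d.src_port, d.dst_port, payload) for h in helpers]


def make_discover(xid: int, chaddr: bytes) -> bytes:
    """Constructed minimal DHCPDISCOVER: 236-byte BOOTP header plus magic cookie."""
    hdr = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                      1, 1, 6, 0, xid, 0, 0x8000,          # op, htype, hlen, hops, xid, secs, flags
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,   # ciaddr yiaddr siaddr giaddr
                      chaddr.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    return hdr + b"\x63\x82\x53\x63"
```

The giaddr the server sees is the client VLAN's SVI address, which is what lets it pick the right scope; if a helper address were itself a directed broadcast, the last-hop interface would still have to translate it, and that is exactly what no ip directed-broadcast blocks.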
Part II. Traditional and CEF Based Multilayer Switching

Go to the CCNP3 Ver.3.0 Presentation (MLS switching)




Multilayer Switching




(Figure: Traditional MLS and CEF-Based MLS)

• Multilayer switching refers to the ability of a Catalyst switch to
    support switching and routing of packets in hardware, with optional
    support for Layers 4 through 7 switching in hardware as well.
•   Hardware switching: A route processor (Layer 3 engine) must
    download software-based routing, switching, access lists, QoS, and
    other information to the hardware for packet processing.

Traditional and CEF-based MLS




• To accomplish multilayer switching (packet processing in hardware),
    Cisco Catalyst switches use either:
     – Traditional multilayer switching (traditional MLS)
     – Cisco Express Forwarding (CEF)-based MLS architecture.
•   Traditional MLS is a legacy feature, whereas all leading-edge
    Catalyst switches support CEF-based multilayer switching (CEF-based
    MLS).




Traditional MLS

• MLS enables specialized
    application-specific integrated
    circuits (ASICs) to perform
    Layer 2 rewrite operations of
    routed packets.
•   Layer 2 rewrites include
    rewriting the source and
    destination MAC addresses
    and writing a recalculated cyclic
    redundancy check (CRC).
•   Because the source and
    destination MAC addresses
    change during Layer 3 rewrites,
    the switch must recalculate the
    CRC for these new MAC
    addresses.

Traditional MLS




• For Catalyst switches that support traditional MLS, the switch learns
    Layer 2 rewrite information from an MLS router via an MLS protocol.
     – Also known as netflow-based switching.
•   With traditional MLS, the Layer 3 engine (route processor) and
    switching ASICs work together to build Layer 3 entries on the switch.
•   Each entry contains a source, a source and destination, or full flow
    information including Layer 4 protocol information.





Traditional MLS




Frame (VLAN 1):
  dot1q Tag (inside Eth. Hdr):  VLAN 1
  Ethernet Header:              D-MAC = 00-00-0C-11-11-11   S-MAC = 00-AA-00-11-11-11
  IP Header:                    S-IP = 10.1.1.10   D-IP = 10.1.2.20
  IP Data




• With traditional MLS, the switch forwards the first packet in any flow to
    the Layer 3 engine for processing using software switching.
• After the routing of the first packet in the flow, the Layer 3 engine
    programs the hardware-switching components for routing for
    subsequent packets.
(Figure: MLS-RP above MLS-SE)

Candidate Packet Info
  Layer 3 Info:  S-IP 10.1.1.10   D-IP 10.1.2.20
  Layer 2 Info:  S-MAC 00-AA-00-11-11-11   D-MAC 00-00-0C-11-11-11

Figure note: “The Destination MAC Address is one of the router’s interfaces.
There is not an existing flow, so I will flag this as a candidate packet.”

Frame (VLAN 1):
  dot1q Tag (inside Eth. Hdr):  VLAN 1
  Ethernet Header:              D-MAC = 00-00-0C-11-11-11   S-MAC = 00-AA-00-11-11-11
  IP Header:                    S-IP = 10.1.1.10   D-IP = 10.1.2.20
  IP Data

    •   When workstation A sends a packet to workstation B, workstation A sends the
        packet to its default gateway.
         – Here, the default gateway is the RSM.
    •   The switch (MLS-SE) recognizes this packet as an MLS candidate packet
        because the destination MAC address matches the MAC address of the MLS
        router (MLS-RP).
    •   As a result, the switch creates a candidate entry for this flow.




(Figure: MLS-RP above MLS-SE)

Frame (VLAN 2):
  dot1q Tag (inside Eth. Hdr):  VLAN 2
  Ethernet Header:              D-MAC = 00-AA-00-22-22-22   S-MAC = 00-00-0C-22-22-22
  IP Header:                    S-IP = 10.1.1.10   D-IP = 10.1.2.20
  IP Data

    • Next, the router accepts the packet from workstation A, rewrites the
        Layer 2 destination MAC address and CRC, and forwards the packet to
        workstation B.
    •   The switch refers to the routed packet from the RSM as the enabler
        packet.




(Figure: MLS-RP above MLS-SE)

Candidate Packet Info
  Layer 3 Info:  S-IP 10.1.1.10   D-IP 10.1.2.20
  Layer 2 Info:  S-MAC 00-AA-00-11-11-11   D-MAC 00-00-0C-11-11-11

Enabler Frame (VLAN 2):
  dot1q Tag (inside Eth. Hdr):  VLAN 2
  Ethernet Header:              D-MAC = 00-AA-00-22-22-22   S-MAC = 00-00-0C-22-22-22
  IP Header:                    S-IP = 10.1.1.10   D-IP = 10.1.2.20
  IP Data

    •   The MLS-SE recognizes the flow through several matches, including the CAM
        table; the details are not included here.
    •   Basically, the MLS-SE recognizes that the packet going out on VLAN 2
        is the same one that came in on VLAN 1.
    •   The switch, upon seeing both the candidate and enabler packets, creates an
        MLS entry in hardware (MLS Cache) such that the switch rewrites and
        forwards all future packets matching this flow.




(Figure: MLS-RP above MLS-SE)

Candidate Packet Info
  Layer 3 Info:  S-IP 10.1.1.10   D-IP 10.1.2.20
  Layer 2 Info:  S-MAC 00-AA-00-11-11-11   D-MAC 00-00-0C-11-11-11

Figure note: “Found match in MLS Cache, rewrite Ethernet Header and send
directly to Host B, forget the router!”

Future Packets

MLS Cache entry:
  Dst IP     10.1.2.20
  Src IP     10.1.1.10
  Port       TCP
  Dst Port   23
  Src Port   1238
  Dst MAC    00-AA-00-22-22-22
  Src MAC    00-00-0C-22-22-22
  VLAN       2
  Interface  3/1

    •   As future packets from the “flow” arrive, the MLS-SE uses the destination IP address
        to look up the entry in the MLS cache.
    •   Finding a match, it uses a rewrite engine to modify the necessary header information
        and then sends the packet directly to the destination (the packet is not forwarded to the
        router).
    •   The rewrite operation modifies all the same fields initially modified by the router for the
        first packet, including the source MAC and destination MAC addresses.




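To make the candidate, enabler and cache sequence of the last four slides concrete, here is a small Python model of the MLS-SE written for this edit (not the course's or Cisco's code): the switch knows the router's interface MACs, holds a constructed CAM table so the cache entry can record the egress interface, keys its MLS cache on the full flow shown in the cache entry above, and models the FCS as a CRC-32 over the rewritten fields. The names MlsSe, Frame and CAM and the port numbers 1238/23 are taken from or constructed around the slides.

```python
import zlib
from dataclasses import dataclass, replace

# MAC addresses of the MLS-RP's VLAN 1 and VLAN 2 interfaces, as on the slides.
MLS_RP_MACS = {"00-00-0C-11-11-11", "00-00-0C-22-22-22"}
# Constructed CAM table (MAC -> port) so a cache entry can record its egress interface.
CAM = {"00-AA-00-11-11-11": "2/1", "00-AA-00-22-22-22": "3/1"}


@dataclass(frozen=True)
class Frame:
    vlan: int
    dst_mac: str
    src_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    payload: bytes = b""


def flow_key(f: Frame) -> tuple:
    """Full-flow key: the Layer 3/4 columns of the slide's MLS cache entry.
    MACs are deliberately excluded so the enabler matches its candidate."""
    return (f.dst_ip, f.src_ip, f.proto, f.dst_port, f.src_port)


def fcs(f: Frame) -> int:
    """Model of the Ethernet FCS: CRC-32 over headers and payload. Any change
    to the MACs or VLAN tag changes it, which is why the ASIC must recompute."""
    hdr = f"{f.dst_mac}|{f.src_mac}|{f.vlan}|{f.src_ip}|{f.dst_ip}".encode()
    return zlib.crc32(hdr + f.payload) & 0xFFFFFFFF


class MlsSe:
    """Switching engine: learns rewrite info from a candidate/enabler pair,
    then rewrites later packets of that flow without involving the MLS-RP."""

    def __init__(self):
        self.candidates = {}   # flow_key -> candidate Frame awaiting its enabler
        self.cache = {}        # flow_key -> rewrite information (the MLS cache)

    def process(self, f: Frame) -> tuple:
        key = flow_key(f)
        if key in self.cache:
            # Hardware path: rewrite MACs and VLAN tag (new FCS), skip the router.
            rw = self.cache[key]
            out = replace(f, vlan=rw["vlan"], dst_mac=rw["dst_mac"], src_mac=rw["src_mac"])
            return "hw-rewrite", out
        if f.src_mac in MLS_RP_MACS and key in self.candidates:
            # Enabler packet: the router's routed copy of a candidate seen earlier.
            self.cache[key] = {"vlan": f.vlan, "dst_mac": f.dst_mac,
                               "src_mac": f.src_mac, "interface": CAM.get(f.dst_mac)}
            del self.candidates[key]
            return "enabler-cache-created", f
        if f.dst_mac in MLS_RP_MACS:
            # Candidate packet: addressed to the router's MAC with no flow entry yet.
            self.candidates[key] = f
            return "candidate-to-router", f
        return "l2-switch", f


def demo() -> tuple:
    """Replay the slides: candidate from A, enabler from the RSM, then a third packet."""
    se = MlsSe()
    first = Frame(1, "00-00-0C-11-11-11", "00-AA-00-11-11-11",
                  "10.1.1.10", "10.1.2.20", "TCP", 1238, 23, b"first")
    actions = [se.process(first)[0]]
    # The RSM rewrites both MACs and sends the packet back out on VLAN 2.
    enabler = replace(first, vlan=2, dst_mac="00-AA-00-22-22-22", src_mac="00-00-0C-22-22-22")
    actions.append(se.process(enabler)[0])
    # Any later packet of the same flow is rewritten by the MLS-SE itself.
    third = replace(first, payload=b"third")
    action, out = se.process(third)
    actions.append((action, out.vlan, out.dst_mac, out.src_mac, fcs(out) != fcs(third)))
    return se, actions
```

Note that the flow key never includes MAC addresses, so a packet is tied to its cache entry purely by Layer 3/4 fields; the enabler is recognised only because it arrives from a router MAC while a candidate for the same flow is pending.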
CEF-based MLS








CEF




• CEF-based MLS forwarding model is used to download the control
    plane information such as the access lists to the data plane on the
    supervisor, port, or line card for hardware switching of packets.
     – Control plane represents the Layer 3 engine (route processor)
     – Data plane represents the hardware components such as ASICs
        used by the switch for hardware switching.
•   CEF is a topology-based forwarding model in which all routing
    information is prepopulated into a forwarding information base
    (FIB).
•   As a result of the prepopulation of routing information, Catalyst
    switches can quickly look up routing information such as IP
    adjacencies and next-hop IP and MAC addresses.
CEF

(Figure: Routing Table)




The two main components of CEF are FIB and Adjacency Table
• Forwarding information base (FIB)
    – Used to make IP destination prefix-based switching decisions.
    – Similar to a routing table or information base.
    – It maintains a mirror image of the forwarding information contained in the
      IP routing table.
    – When routing or topology changes occur in the network, the IP routing
      table is updated, and those changes are reflected in the FIB.
    – The FIB maintains next-hop address information based on the
      information in the IP routing table.
    – In the context of CEF-based MLS, both the Layer 3 engine and the
      hardware-switching components maintain an FIB.




CEF




• Adjacency tables
    – Network nodes in the network are said to be adjacent if they can
      reach each other with a single hop across a link layer. (OSPF,
      EIGRP)
    – A router normally maintains:
        • Routing table containing Layer 3 network and next-hop
          information
        • ARP table containing Layer 3 to Layer 2 address mapping.
        • These tables are kept independently.

CEF

(Figure: Layer 2 MAC Addresses, Next Hop Information)




• Adjacency tables
   – Recall that the FIB keeps the Layer 3 next-hop address for each
     entry.
   – To streamline packet forwarding even more, the FIB has
     corresponding Layer 2 information for every next-hop entry.
   – This portion of the FIB is called the adjacency table, consisting of
     the MAC addresses of nodes that can be reached in a single Layer
     2 hop.






CEF

Figure notes: “No ARP entry, L3 forwarding engine can’t forward packet in
hardware, must send to L3 Engine.” / “I’ll generate the ARP Request and get an
ARP Reply.”




• Adjacency tables (summary, more detail coming)
   – The adjacency table information is built from the ARP table.
   – As a next-hop address receives a valid ARP entry, the adjacency
     table is updated.
   – If an ARP entry does not exist, the FIB entry is marked as “CEF
     glean.”
   – This means that the Layer 3 forwarding engine can't forward the
     packet in hardware, due to the missing Layer 2 next-hop address.
   – The packet is sent to the Layer 3 engine so that it can generate an
     ARP request and receive an ARP reply.
   – This is known as the “CEF glean” state, where the Layer 3 engine
     must glean the next-hop destination's MAC address.




CEF




• Adjacency tables
     – During the time that a FIB entry is in the CEF glean state waiting for
       the ARP resolution, subsequent packets to that host are
       immediately dropped so that the input queues do not fill and the
       Layer 3 engine does not become too busy worrying about the need
       for duplicate ARP requests.
     – This is called ARP throttling or throttling adjacency.
     – If an ARP reply is not received in two seconds, the throttling is
       released so that another ARP request can be triggered.
     – Otherwise, after an ARP reply is received, the throttling is released,
       the FIB entry can be completed, and packets can be forwarded
       completely in hardware.




ARP
Throttling




•   When a router is directly connected to a multiaccess segment
    (Ethernet), the router maintains an additional prefix for the subnet.
•   This subnet prefix points to a glean adjacency.
•   When a router receives a packet that needs to be forwarded to a
    specific host, the adjacency database is gleaned for a specific prefix.
•   If the prefix does not exist, the subnet prefix is consulted.
•   The glean adjacency indicates that any address within this range
    should be forwarded to the Layer 3 engine for ARP processing.




    ARP
    Throttling




    1. Host A sends a packet to Host B.
    • CEF lookup shows glean adjacency (ARP entry does not exist so
       no entry in adjacency table).
    • No rewrite information exists.
    2. Packet passed to Layer 3 Engine for processing.




    ARP
    Throttling
[Figure: the L3 switch drops packets until the ARP Reply is received (throttling adjacency) while its ARP Request for Host B is outstanding.]
The throttling adjacency is removed when no ARP Reply is received in 2
seconds. This allows another packet to initiate a new ARP Request.
The throttling adjacency relieves the Layer 3 engine of excessive ARP
processing or ARP-based DoS attacks.

  3. Obtaining rewrite information.
  • L3 Engine sends an ARP Request for Host B and waits for ARP Reply.
  • Throttling Adjacency: While in glean state, subsequent packets to that
     host are dropped, so that input queues do not fill and so the Layer 3
     engine isn’t busy with duplicate ARP Requests. (Note: Cisco’s routers
     drop the first packet when there is no ARP entry, while sending the ARP
     Request.)




ARP
Throttling
[Figure: Host B's ARP Reply arrives; packets are still dropped until the Reply is received (throttling adjacency).]




4. Host B sends ARP Reply.







ARP
Throttling
[Figure: the adjacency for Host B (10.20.10.2) is installed and the throttling (drop) adjacency is removed.]




5. The Layer 3 Engine installs Adjacency for Host B and removes the
   throttling (drop) adjacency.
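The five steps above, as an added example that is not part of the original slides: a small Python model of the CEF forwarding path with a glean adjacency on the connected subnet, a throttling (drop) adjacency installed while the ARP Request is outstanding, the two-second throttle release, and the completed adjacency after the ARP Reply. The class and function names, the subnet 10.20.10.0/24 and the MAC address are constructed for the example, not a real switch's tables.

```python
"""Added example (not from the CCNP slides): a toy CEF forwarding path that
models the glean adjacency, ARP throttling (drop adjacency) and the 2-second
throttle release described in steps 1-5.  IPs and MACs are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

THROTTLE_SECONDS = 2.0   # slide: throttle released if no ARP Reply in 2 s


@dataclass
class Adjacency:
    kind: str                    # "complete", "glean" or "drop"
    mac: Optional[str] = None    # next-hop MAC for a complete adjacency
    since: float = 0.0           # time the drop (throttling) adjacency was installed


class CefSwitch:
    def __init__(self, subnets):
        # FIB: each connected subnet prefix points to a glean adjacency.
        self.fib = {ipaddress.ip_network(s): Adjacency("glean") for s in subnets}
        self.arp_requests = []   # (time, ip) pairs the L3 engine had to send
        self.stats = {"hardware": 0, "punted": 0, "dropped": 0, "no_route": 0}

    def lookup(self, ip):
        """Longest-prefix match: a /32 host entry wins over its subnet."""
        ip = ipaddress.ip_address(ip)
        best = None
        for prefix, adj in self.fib.items():
            if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, adj)
        return best

    def forward(self, dst_ip, now):
        """Hardware forwarding decision for one packet at time `now`."""
        hit = self.lookup(dst_ip)
        if hit is None:
            self.stats["no_route"] += 1
            return "no_route"
        prefix, adj = hit
        if adj.kind == "complete":                 # rewrite info present
            self.stats["hardware"] += 1
            return f"hw-forward to {adj.mac}"
        if adj.kind == "drop":                     # throttling adjacency
            if now - adj.since < THROTTLE_SECONDS:
                self.stats["dropped"] += 1         # protects the L3 engine
                return "throttled-drop"
            del self.fib[prefix]                   # no Reply in 2 s: release
        return self._punt(dst_ip, now)             # glean: send to L3 engine

    def _punt(self, dst_ip, now):
        """L3 engine sends the ARP Request and installs a drop adjacency."""
        self.fib[ipaddress.ip_network(f"{dst_ip}/32")] = Adjacency("drop", since=now)
        self.arp_requests.append((now, dst_ip))
        self.stats["punted"] += 1
        return "punt-arp"

    def arp_reply(self, ip, mac):
        """ARP Reply received: the complete adjacency replaces the drop one."""
        self.fib[ipaddress.ip_network(f"{ip}/32")] = Adjacency("complete", mac=mac)


def demo():
    sw = CefSwitch(["10.20.10.0/24"])
    out = [sw.forward("10.20.10.2", now=0.0)]                      # glean -> punt
    out += [sw.forward("10.20.10.2", now=0.5) for _ in range(3)]   # throttled
    out.append(sw.forward("10.20.10.2", now=2.5))                  # throttle released
    sw.arp_reply("10.20.10.2", "0000.0c12.3456")                   # constructed MAC
    out.append(sw.forward("10.20.10.2", now=3.0))                  # forwarded in hardware
    return out, sw.stats, len(sw.arp_requests)


if __name__ == "__main__":
    print(demo())
```

The returned list shows one packet punted, three dropped by the throttling adjacency, a second ARP Request once the two seconds elapse, and hardware forwarding as soon as the Reply completes the adjacency; the drop counter is the cost of protecting the Layer 3 engine from duplicate ARP work.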
Next: Packet Rewrite (Coming!)






Packet Rewrite
[Figure: egress packet leaving the L3 switch]








Packet Rewrite
[Figure: packet as received from Host A, destined to 10.20.10.2 (Host B): destination MAC = default gateway, source MAC = Host A; the TTL, L2 checksum and L3 checksum fields are shown before rewrite.]
The switch receives another packet:
• After a multilayer switch finds valid entries in the FIB and adjacency
  tables, a packet is almost ready to be forwarded.
• One step remains—the packet header information must be rewritten.
• Keep in mind that multilayer switching occurs as quick table lookups,
  to find the next-hop address and the outbound switch port.
   – The packet is untouched, still having the original destination MAC
      address of the switch (Router interface) itself.
   – The IP header must also be adjusted, as if a traditional router had
      done the forwarding (TTL).




Packet Rewrite
[Figure: packet after rewrite: destination MAC = Host B's MAC address, source MAC = L3 switch outbound interface, TTL decremented by 1, L2 and L3 checksums recalculated, destination IP 10.20.10.2.]

The packet rewrite engine makes the following changes to the packet just prior
   to forwarding:
• Layer 2 destination address— Changed to the next-hop device's MAC address
• Layer 2 source address— Changed to the outbound Layer 3 switch interface's
   MAC address
• Layer 3 IP Time To Live (TTL)— Decremented by one, as one router hop has
   just occurred
• Layer 3 IP checksum— Recalculated to include changes to the IP header
• Layer 2 frame checksum— Recalculated to include changes to the Layer 2 and
   Layer 3 headers
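The five rewrite changes listed above, carried out on a constructed Ethernet/IPv4 frame as an added example (this is not the slides' or Cisco's code). The MAC addresses, IP addresses and payload are sample values; the IP checksum follows the one's-complement method of RFC 1071 and the frame checksum is computed as CRC-32, which is what the Ethernet FCS is, so the verifier can confirm both checksums still validate after the rewrite. The example also handles the edge case the slides leave to the reader: a packet whose TTL would reach 0 cannot be rewritten in hardware.

```python
"""Added example (not from the slides): the rewrite engine's five changes
applied to a constructed Ethernet/IPv4 frame, with checksum verification."""
import struct
import zlib


def mac_bytes(mac):
    """'0000.0c12.3456' or '00:00:0c:12:34:56' -> 6 raw bytes."""
    return bytes.fromhex(mac.replace(".", "").replace(":", ""))


def ip_bytes(ip):
    return bytes(int(octet) for octet in ip.split("."))


def ip_checksum(header):
    """RFC 1071 one's-complement sum over the IPv4 header.
    Returns 0 when run over a header whose checksum field is already valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, payload=b"hello"):
    """Frame as Host A sends it: destination MAC is the default gateway's."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, 17, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    body = mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + hdr + payload
    return body + struct.pack("<I", zlib.crc32(body))   # Ethernet FCS


def rewrite(frame, next_hop_mac, out_if_mac):
    """The packet rewrite engine's changes just prior to forwarding."""
    body = frame[:-4]
    eth, ip = body[:14], body[14:]
    # 1-2: Layer 2 destination and source addresses
    eth = mac_bytes(next_hop_mac) + mac_bytes(out_if_mac) + eth[12:]
    ihl = (ip[0] & 0x0F) * 4
    hdr, rest = bytearray(ip[:ihl]), ip[ihl:]
    # 3: TTL decremented by one; a TTL that would expire is not a hardware
    #    case (a router sends ICMP Time Exceeded), so punt instead.
    if hdr[8] <= 1:
        raise ValueError("TTL expired: punt to the L3 engine")
    hdr[8] -= 1
    # 4: IP header checksum recalculated over the changed header
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))
    new_body = eth + bytes(hdr) + rest
    # 5: frame checksum recalculated over the changed L2 and L3 headers
    return new_body + struct.pack("<I", zlib.crc32(new_body))


def verify(frame):
    """(dst_mac, src_mac, ttl, ip_checksum_ok, fcs_ok) for inspection."""
    body, fcs = frame[:-4], frame[-4:]
    ihl = (body[14] & 0x0F) * 4
    hdr = body[14:14 + ihl]
    return (body[:6].hex(), body[6:12].hex(), hdr[8],
            ip_checksum(hdr) == 0,
            struct.unpack("<I", fcs)[0] == zlib.crc32(body))


def demo():
    # Constructed addresses: Host A on 10.20.20.0/24 sends to Host B 10.20.10.2.
    frame = build_frame("0000.0c07.ac01", "0000.0c11.1111",
                        "10.20.20.5", "10.20.10.2", ttl=64)
    out = rewrite(frame, next_hop_mac="0000.0c22.2222", out_if_mac="0000.0c07.ac02")
    return verify(frame), verify(out)


if __name__ == "__main__":
    print(demo())
```

Before the rewrite the frame carries the gateway's MAC as destination and Host A's as source; afterwards the destination is Host B's MAC, the source is the outbound interface, the TTL is 63, and both checksums validate again, which is exactly what a traditional router would have produced.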




Packet Rewrite
[Figure: the rewritten packet (destination MAC = Host B's MAC address, source MAC = L3 switch outbound interface, TTL decremented by 1), same figure as the previous slide.]

• A traditional router would normally make the same changes to each
    packet.
• The multilayer switch must act as if a traditional router were being used,
    making identical changes.
•   However, the multilayer switch can do this very efficiently with
    dedicated packet rewrite hardware and address information obtained
    from table lookups.






Packet Rewrite
[Figure: the rewritten packet (destination MAC = Host B's MAC address, source MAC = L3 switch outbound interface, TTL decremented by 1), same figure as the previous slide.]

• The switch performs a Layer 3 lookup and finds a CEF entry for Host B.
• The switch rewrites packets per the adjacency information and forwards
     the packet to Host B on its VLAN.








 CEF




 • Catalyst switches do not support routing of all types of frames in
      hardware.
 •    For example, the following list details common frame types that are not
      supported by hardware switching:
       – Packets with IP header options
       – Packets sourced from or destined to tunnel interfaces
       – Packets using Ethernet encapsulation types other than ARPA
       – Packets that require fragmentation





Switching Table Architectures - Details




• Multilayer switches build routing (CEF FIB and adjacency), bridging,
    QoS, and access control list (ACL) tables for centralized or distributed
    switching in hardware using high-speed memory tables.
•   Switches perform lookups in these tables for result information, such
    as to determine whether a packet with a specific destination IP address
    is supposed to be dropped according to an ACL.
•   These tables support high-performance lookups and search algorithms
    such that multilayer switches maintain line-rate performance.




Layer 2 Switch Forwarding Process








Logical Packet Flow for a Multilayer Switch








Switching Table Architectures - Details




[Figure: CAM and TCAM memory tables]



Multilayer switches deploy memory tables using specialized memory
  architectures:
• CAM (content addressable memory)
    – Provides only two results: 0 (true) or 1 (false).
    – CAM is most useful for building tables that search on exact
       matches such as MAC address tables.
• TCAM (ternary content addressable memory) – Ternary Logic
    – Provides three results: 0 (don’t care), 1 (true), 2 (false); Ternary
       Logic; Ternary number system (Base 3) - trits
    – TCAM is most useful for building tables for searching on longest
       matches such as IP routing tables organized by IP prefixes.




CAM




• Catalyst switches use CAM tables to house Layer 2 switching tables.
• Switches match results in CAM tables in binary (0 or 1 operations).
• With CAM tables, switches must find exact matches or the switches
    use a default behavior.
•   For example, in the case of Layer 2 switching tables, the switch must
    find an exact match to a destination MAC address or the switch
    floods the packet out all ports in the VLAN.




CAM



[Figure: CAM table lookup keyed on VLAN ID and destination MAC address]



•   The information a switch uses to perform a lookup in a
    CAM table is called a key.
•   For example, a Layer 2 lookup would use a destination
    MAC address and a VLAN ID as a key.







TCAM

• TCAM is a specialized CAM designed for
    rapid table lookups. For example, the
    Catalyst 2950, 3550, 4500, and 6500
    families of switches use TCAM to handle
    ACL lookups at line rate.
•   As a result of using TCAM, applying ACLs
    does not affect the performance of the
    switch.








TCAM

•   VMR (value, mask, and result) refers to the
    format of entries in TCAM.
•   The “value” in VMR refers to the pattern that
    is to be matched:
     – Examples include IP addresses and
         protocol ports
•   The “mask” refers to the mask bits
    associated with the pattern and determines
    the prefix.
•   The “result” refers to the result or action that
    occurs in the case where a lookup returns a
    hit for the pattern and mask.
     – This result might be a “permit” or “deny”
         in the case of a TCAM for ACLs.
     – Another example of a result is a pointer to
         an entry in the hardware adjacency table
         that contains the next-hop MAC rewrite
         information in the case of a TCAM used
         for IP routing.





CEF-Based MLS Lookups




     1. Layer 3 packets initiate TCAM lookup.
     2. The longest match returns adjacency with rewrite information.
     3. The packet is rewritten per adjacency information and forwarded.
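An added example (not from the slides) covering the CAM versus TCAM slides, the VMR format and the three lookup steps above: a software model in which a CAM gives only an exact hit or the default flooding behaviour, while a TCAM entry is a value, a mask (1 = must match, 0 = don't care) and a result. The same matching routine serves an ACL TCAM, where the first programmed hit wins, and a routing TCAM, where the entry with the longest mask wins and its result is a pointer into the adjacency table. All table contents, adjacency pointer names and addresses are constructed sample values.

```python
"""Added example (not from the slides): CAM exact-match lookup versus TCAM
value/mask/result (VMR) lookup, for both ACL and routing tables."""
import ipaddress


def ip_int(ip):
    return int(ipaddress.ip_address(ip))


def prefix_vmr(prefix, result):
    """Routing VMR entry: value = network bits, mask = 1 where bits must match."""
    net = ipaddress.ip_network(prefix)
    return (int(net.network_address), int(net.netmask), result)


def acl_entry(dst_prefix, port, action):
    """ACL VMR entry keyed on (destination IP << 16) | destination port.
    port=None means any port: those 16 mask bits become don't-care (0)."""
    net = ipaddress.ip_network(dst_prefix)
    value = (int(net.network_address) << 16) | (port or 0)
    mask = (int(net.netmask) << 16) | (0xFFFF if port is not None else 0)
    return (value, mask, action)


def acl_key(dst_ip, port):
    return (ip_int(dst_ip) << 16) | port


def cam_lookup(table, key):
    """CAM: binary compare only; an exact key or the default behaviour."""
    return table.get(key, "flood-in-vlan")


def tcam_lookup(entries, key, longest=False):
    """TCAM: hardware compares every entry in parallel; here we scan.
    A mask bit of 1 means 'must equal', 0 means 'don't care'.
    ACL TCAMs return the first hit in programmed order; routing TCAMs are
    programmed so the longest mask (most 1 bits) wins."""
    hits = [(v, m, r) for v, m, r in entries if (key & m) == (v & m)]
    if not hits:
        return None
    if longest:
        hits.sort(key=lambda e: bin(e[1]).count("1"), reverse=True)
    return hits[0][2]


def demo():
    # Layer 2 CAM: (VLAN ID, MAC) -> port.  Constructed entries.
    cam = {(10, "0000.0c12.3456"): "Fa0/1", (20, "0000.0c12.3456"): "Fa0/2"}
    # Routing TCAM: prefix -> pointer into the hardware adjacency table.
    fib = [prefix_vmr("0.0.0.0/0", "adj#0 default"),
           prefix_vmr("10.20.0.0/16", "adj#1"),
           prefix_vmr("10.20.10.0/24", "adj#2"),
           prefix_vmr("10.20.10.2/32", "adj#3 host")]
    # ACL TCAM: permit web to the file server, deny the rest of its subnet.
    acl = [acl_entry("172.16.3.127/32", 80, "permit"),
           acl_entry("172.16.3.0/24", None, "deny"),
           acl_entry("0.0.0.0/0", None, "permit")]
    return {
        "cam_hit": cam_lookup(cam, (10, "0000.0c12.3456")),
        "cam_miss": cam_lookup(cam, (10, "0000.0c99.9999")),
        "route_host": tcam_lookup(fib, ip_int("10.20.10.2"), longest=True),
        "route_subnet": tcam_lookup(fib, ip_int("10.20.10.7"), longest=True),
        "route_default": tcam_lookup(fib, ip_int("192.0.2.1"), longest=True),
        "acl_web": tcam_lookup(acl, acl_key("172.16.3.127", 80)),
        "acl_ssh": tcam_lookup(acl, acl_key("172.16.3.127", 22)),
        "acl_other": tcam_lookup(acl, acl_key("10.20.10.2", 22)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:14} {value}")
```

The ordering rule is the security-relevant part: an ACL TCAM is order dependent, so a broad permit programmed before a narrow deny silently disables the deny, whereas a routing TCAM is programmed by mask length and the order of configuration does not matter.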






Inter-VLAN Routing Summary

•   A router on a stick can be used to route between VLANs
    using either ISL or 802.1Q as the trunking protocol.
•   A router on a stick requires subinterfaces, one for
    each VLAN.
•   Verify inter-VLAN routing by generating IP packets
    between two subnets.
•   Multilayer switches can forward traffic both at Layer 2 and
    at Layer 3.
•   Multilayer switches rewrite the Layer 2 and Layer 3 header
    using tables held in hardware.








Configuring Inter-VLAN Routing
Through an SVI

    Step 1 : Configure IP routing.

    Switch(config)#ip routing

    Step 2 : Create an SVI interface.
    Switch(config)#interface vlan vlan-id

    Step 3 : Assign an IP address to the SVI.
    Switch(config-if)#ip address ip-address mask

    Step 4 : Configure the IP routing protocol if needed.

    Switch(config)#router ip_routing_protocol <options>







Configuring Inter-VLAN Routing Summary

•    SVI is a VLAN of switch ports represented by one interface
     to the routing system.
•    Specific commands are used to configure and verify
     routing on multilayer switch interfaces.
•    The interface vlan command creates the SVI.
•    A routed port has Layer 3 attributes.
•    A routed port requires the removal of Layer 2 port
     functionality with the no switchport command.
•    To receive dynamic updates, a routing protocol is
     required.








Configuring a Routed Port


    Step 1 : Configure IP routing.

    Switch(config)#ip routing

    Step 2 : Create a routed port.
    Switch(config-if)#no switchport

    Step 3 : Assign an IP address to the routed port.
    Switch(config-if)#ip address ip-address mask

    Step 4 : Configure the IP routing protocol if needed.

    Switch(config)#router ip_routing_protocol <options>







Configuring and Verifying CEF

•    Configuring CEF
      – ip cef (enabled by default)
      – ip route-cache cef (only on VLAN interface)
•    Verifying CEF
      – show ip cef fa 0/1 detail
      – show adjacency fa 0/1 detail








 Enabling CEF


The commands required to enable CEF are platform
dependent:
   – On the Cisco Catalyst 4000 switch
Switch(config-if)#ip cef


   – On the Cisco Catalyst 3550 switch
Switch(config-if)#ip route-cache cef








 Verifying CEF


 Switch#show ip cef [type mod/port | vlan_interface] [detail]

Switch# show ip cef vlan 11 detail

IP CEF with switching (Table Version 11), flags=0x0
  10 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0
  13 leaves, 12 nodes, 14248 bytes, 14 inserts, 1 invalidations
  0 load sharing elements, 0 bytes, 0 references
  universal per-destination load sharing algorithm, id 4B936A24
  2(0) CEF resets, 0 revisions of existing leaves
  Resolution Timer: Exponential (currently 1s, peak 1s)
  0 in-place/0 aborted modifications
  refcounts: 1061 leaf, 1052 node

  Table epoch: 0 (13 entries at this epoch)

172.16.11.0/24, version 6, epoch 0, attached, connected
0 packets, 0 bytes
  via Vlan11, 0 dependencies
    valid glean adjacency








Common CEF Problems

    – Is ideal switching method (CEF, DCEF) in use?
    – Are CEF tables complete and accurate?








Verify Layer 3 Switching



Switch#show interface {{type mod/port} | {port-channel
number}} | begin L3



Switch#show interface fastethernet 3/3 | begin L3
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 12 pkt, 778 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
     4046399 packets input, 349370039 bytes, 0 no buffer
     Received 3795255 broadcasts, 2 runts, 0 giants, 0 throttles
     .....
Switch#








Displaying Hardware Layer 3 Switching Statistics




Switch#show interfaces {{type mod/port} | {port-channel
number}} | include switched



Switch#show interfaces gigabitethernet 9/5 | include switched
L2 Switched: ucast: 8199 pkt, 1362060 bytes - mcast: 6980 pkt, 371952 bytes
L3 in Switched: ucast: 3045 pkt, 742761 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 2975 pkt, 693411 bytes - mcast: 0 pkt, 0 bytes








Adjacency Information



Switch#show adjacency [{{type mod/port} |
{port-channel number}} | detail | internal | summary]


Switch#show adjacency gigabitethernet 9/5 detail
Protocol Interface                 Address
IP       GigabitEthernet9/5        172.20.53.206(11)
                                   504 packets, 6110 bytes
                                   00605C865B82
                                   000164F83FA50800
                                   ARP        03:49:31
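An added example (not from the slides or from Cisco): parsers for the two verification outputs shown above, so that hardware-switching counters and adjacency rewrite information can be checked by script rather than by eye. The sample text is the output printed on these slides, embedded as constructed input; the function names are the example's own. The rewrite string in `show adjacency ... detail` is the Layer 2 header the hardware prepends, 28 hex digits made of the 6-byte destination MAC, the 6-byte source MAC and the 2-byte EtherType, and on the slide it is split across two lines.

```python
"""Added example (not from the slides): parse 'show interfaces ... | include
switched' counters and the rewrite string from 'show adjacency ... detail'."""
import re

# Sample output copied from the slide text above (treated as constructed input).
SWITCHED_OUTPUT = """\
L2 Switched: ucast: 8199 pkt, 1362060 bytes - mcast: 6980 pkt, 371952 bytes
L3 in Switched: ucast: 3045 pkt, 742761 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 2975 pkt, 693411 bytes - mcast: 0 pkt, 0 bytes
"""

ADJACENCY_OUTPUT = """\
Protocol Interface                 Address
IP       GigabitEthernet9/5        172.20.53.206(11)
                                   504 packets, 6110 bytes
                                   00605C865B82
                                   000164F83FA50800
                                   ARP        03:49:31
"""

COUNTER_RE = re.compile(
    r"^(?P<scope>L2|L3 in|L3 out) Switched: ucast: (?P<upkt>\d+) pkt, "
    r"(?P<ubytes>\d+) bytes - mcast: (?P<mpkt>\d+) pkt, (?P<mbytes>\d+) bytes")


def parse_switched(text):
    """Return {scope: {ucast_pkt, ucast_bytes, mcast_pkt, mcast_bytes}}."""
    out = {}
    for line in text.splitlines():
        m = COUNTER_RE.match(line.strip())
        if m:
            out[m["scope"]] = {
                "ucast_pkt": int(m["upkt"]), "ucast_bytes": int(m["ubytes"]),
                "mcast_pkt": int(m["mpkt"]), "mcast_bytes": int(m["mbytes"]),
            }
    return out


def fmt_mac(hexstr):
    """'00605C865B82' -> '0060.5c86.5b82' (Cisco dotted notation)."""
    h = hexstr.lower()
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def parse_adjacency(text):
    """Parse one 'show adjacency <intf> detail' block into a dict."""
    lines = [ln.strip() for ln in text.strip().splitlines()]
    head = re.match(r"^(?P<proto>\S+)\s+(?P<intf>\S+)\s+(?P<addr>[\d.]+)"
                    r"\((?P<refs>\d+)\)$", lines[1])
    counts = re.match(r"^(\d+) packets, (\d+) bytes$", lines[2])
    tail = re.match(r"^(\S+)\s+(\d\d:\d\d:\d\d)$", lines[-1])
    if not (head and counts and tail):
        raise ValueError("unexpected 'show adjacency detail' layout")
    # The rewrite string may be wrapped over several lines; join the hex runs.
    rewrite = "".join(ln for ln in lines[3:-1] if re.fullmatch(r"[0-9A-Fa-f]+", ln))
    if len(rewrite) != 28:
        raise ValueError(f"rewrite string has {len(rewrite)} hex digits, expected 28")
    return {
        "protocol": head["proto"], "interface": head["intf"],
        "next_hop": head["addr"], "refcount": int(head["refs"]),
        "packets": int(counts[1]), "bytes": int(counts[2]),
        "dst_mac": fmt_mac(rewrite[:12]),      # next-hop MAC written into frames
        "src_mac": fmt_mac(rewrite[12:24]),    # outbound interface MAC
        "ethertype": rewrite[24:].lower(),     # 0800 = IPv4
        "source": tail[1], "age": tail[2],     # how the entry was learned, and when
    }


if __name__ == "__main__":
    print(parse_switched(SWITCHED_OUTPUT))
    print(parse_adjacency(ADJACENCY_OUTPUT))
```

Decoding the rewrite string makes it possible to compare the MAC the hardware will write into forwarded frames against the ARP table, which is the check to run when traffic for a next hop is unexpectedly being punted or black-holed.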








Debugging CEF Operations


Switch#debug ip cef {drops | access-list | receive |
events | prefix-ipc | table}

• Displays debug information for CEF


 Switch#debug ip cef {ipc | interface-ipc}

• Displays debug information related to IPC in CEF


    Switch#ping ip

• Performs an extended ping







CEF Summary

•    Layer 3 switching is high-performance packet
     switching in hardware.
•    MLS functionality can be implemented through CEF.
•    CEF uses tables in hardware to forward packets.
•    Specific commands are used to enable and verify
     CEF operations.
•    Commands to enable CEF are platform dependent.
•    CEF problems can be matched to specific solutions.
•    Specific commands are used to troubleshoot and solve
     CEF problems.
•    Ordered steps assist in troubleshooting CEF-based
     problems.





Return to Ver 4.0




•   Go to the CCNP3 Ver.4.0 Presentation (inter-VLAN
    Routing)








Chapter 4 (Ver 3.0)


        Cisco Networking Academy
                Inter-VLAN Routing

                Revised:


                hjlee@dongseo.ac.kr
                http://kowon.dongseo.ac.kr/~hjlee
                http://crypto.dongseo.ac.kr





         VLAN introduction




     •   VLANs provide segmentation based on broadcast domains.
     •   VLANs logically segment switched networks based on the functions, project teams, or
         applications of the organization regardless of the physical location or connections to
         the network.
     •   All workstations and servers used by a particular workgroup share the same VLAN,
         regardless of the physical connection or location.








    VLAN operation




             Port: 1 2 3 4 5 6
             VLAN: 1 2 1 2 2 1


Important notes on VLANs:
1. VLANs are assigned on the switch port. There is no “VLAN” assignment done on the host (usually).
2. In order for a host to be a part of that VLAN, it must be assigned an IP address that belongs to the proper
     subnet.
     Remember: VLAN = Subnet








VLAN Definition


– Issues to consider:

   • Sharing resources between VLANs

   • Load balancing

   • Redundant links

   • Logical addressing

   • How to segment the network using VLANs







Routing Importance


– Routers prevent broadcast propagation and use more
  intelligent forwarding algorithms than bridges and switches
    • provide much more efficient use of bandwidth.
        – allows easy implementation of load balancing across
          multiple paths
    • can be used to implement designs that utilize route
      summarization
        – reduces routing protocol overhead
        – increases table lookup performance
        – improves network stability
    • can provide important policy controls




      Routing Importance








      Routing Importance


The core is a crucial component of every network. A failure of a core device
or link can isolate large sections of a network from one another. For this
reason both core links and devices should be designed with adequate
redundancy.

In a LAN environment it is possible to implement the core as a switched or
routed layer. Although both methods provide redundancy they differ
significantly in operation.

The Layer 2 or switched core manages its redundant links using the
Spanning-Tree Protocol. This means that some links are not used
because one or more ports will be in a Blocking state. Not only does this
underutilize the available bandwidth, it also often results in inefficient traffic
paths.

The Layer 3, or routed, core manages its redundant links using a routing
protocol. The routing protocol has the ability to select the optimal path for
traffic and can make use of redundant links through load balancing.
Furthermore, implementing the core using Layer 3 allows more flexibility and
control over packet flows, permitting additional benefits such as Quality of
Service (QoS) to be implemented.




Inter-VLAN Routing

•   Configuring VLANs allows a network administrator to
    create smaller broadcast domains and improve security
•   However, VLANs require a Layer 3 device to allow for
    inter-VLAN communication








Components of Inter-VLAN Routing

    •    In order to provide routing between VLANs, three
         key components must be present:
        1. VLAN capable switch
        2. Router (route processor)
        3. Communication between the route processor
             and switch
            • If the route processor is an external router
               then trunking must be configured between the
               router and switch
            • An alternative is a Layer2/3 device








 Router Options


   •   External Router (stand alone)
   •   Internal (integrated within the switch hardware – Layer
       2/3 Switch)
   •   Common names used to describe routers that are
       integrated within the switch itself include:
        – Route Switch Module (RSM)
        – Route Processor (RP)
        – Layer 3 Services Module
        – Layer 3 switch








 External Router Options




One physical interface per VLAN


                               One physical trunking interface
                               with logical subinterfaces




Inter-VLAN Issues/Solutions


– Issues with Inter-VLAN connectivity

       Problem                                  Resolution
       Isolated collision domains               Route Processors
       Need of end-user devices to send         Default routes
       nonlocal packets
       Supporting multiple VLAN traffic         Inter-Switch Link (ISL)
       across VLAN boundaries




[Figure: VLAN10, VLAN20 and VLAN30 on the switch; host 172.16.20.4 is in VLAN20.]




[Figure: host 172.16.10.3 in VLAN10 (network 172.16.10.0): "I need to send this packet to 172.16.20.4. That address is not on my local segment, so I will send the packet to my default router." The router: "I know where network 172.16.20.0 is!" Host 172.16.20.4 is in VLAN20 (network 172.16.20.0).]




[Figure: a host in each of VLAN10, VLAN20 and VLAN30 says "I need information from File Server A." File Server A (172.16.3.127): "I have three distinct streams of traffic destined for the same place!"]




[Figure: VLAN10, VLAN20, VLAN30 and VLAN60 connected to an external router.]




[Figure: VLAN10, VLAN20, VLAN30 and VLAN60; the external router uses subinterfaces Eth 3/0.1, 3/0.2, 3/0.3 and Eth 3/1.1, 3/1.2, 3/1.3.]




Communication between VLANs


 – In switched networks, Route Processors are used to provide
   communications between VLANs.

      • provide VLAN access to shared resources and connect to
        other parts of the network that are either logically
        segmented with the more traditional subnet approach or
        require access to remote sites across wide-area links.

 – Before you can configure routing between VLANs, you must
   have defined the VLANs on the switches in your network.







Routing between VLANs


 – Each end device does not have to manage its own routing
   tables

      • configured with the IP address of a designated Route
        Processor

            – the default router (gateway) to which all nonlocal
              network packets are sent

            – forwards the packets toward the appropriate
              destination
A network device's default router IP address depends on which IP subnet contains that network device.






Routing between VLANs (Cont.)


– A Layer 3 device must be used to route between the VLANs.
     • Either an internal or external Route Processor can be used
     • Additional determinations:


     Have an individual router interface per VLAN
     • as the number of VLANs per switch increases, so does the requirement for the
       number of interfaces on the Route Processor
     • can create a situation where interfaces on the Route Processor are underutilized
     Use VLAN trunking to assign multiple VLANs to a single router interface
     • a mechanism is required to identify the packet of each VLAN


Inter-VLAN Routing Scalability

 • For networks with more than a few VLANs, virtual/logical
   subinterfaces are the best strategy
    – Both an external and an internal router can be used with
      subinterfaces
 • The difference between the internal and external solutions
   involves a tradeoff between cost and performance
    – An entry-level external router (1721) is generally cheaper
      than a switch with Layer 3 functionality (Cat 3550)
    – However, the Layer 3 switch provides higher efficiency and
      performance




    Inter-VLAN Routing Methods




STP and Inter-VLAN Routing
•   If using a Layer 3 switch, then care should be taken to
    ensure that this distribution layer switch is the root of the
    spanning tree
     – The distribution layer switch is responsible for the
       inter-VLAN routing




VLAN Types

•   There are various types of VLANS including:
     – VLAN 1
     – The default VLAN
     – The user VLANs
     – The native VLAN
     – The management VLAN
•   By default, all Ethernet interfaces on Cisco switches are on
    VLAN 1




VLAN Trunk Example




VLAN 1

•   Many Layer 2 protocols such as CDP (Cisco Discovery
    Protocol), PAgP (Port Aggregation Protocol), and VTP
    need to be sent on a specific VLAN on trunk links, and VLAN
    1 was chosen for this purpose
     – Cisco recommends that VLAN 1 be used only for these
       protocols
     – The management VLAN and user VLANs should all be
       configured to use VLANs other than VLAN 1




User VLANs

•   A user VLAN is a VLAN that is created to segment a group
    of users, either geographically or logically, from the rest of
    the network
•   The ‘switchport access vlan [vlan-id]’ interface
    command is used to assign interfaces to these various
    user VLANs




Native VLAN

• Native VLAN is a term used with interfaces that are configured as
   VLAN trunks
• When a switch port is configured as a trunk, it tags frames with the
   appropriate VLAN number
• The ‘native VLAN’ is the VLAN whose frames are not
   tagged (IEEE 802.1Q tagging) as they traverse the trunk link
    – By default, VLAN 1 is the native VLAN
    – The native VLAN can be changed with the interface command:
      ‘switchport trunk native vlan [vlan-id]’




     Native VLAN not on VLAN 1




  It is fine to leave VLAN 1 as the default native VLAN, as long as VLAN 1 is not
  used as a user VLAN or as the management VLAN. Control traffic should be the
  only information carried across VLAN 1. However, it is also common practice to
  change the native VLAN to some dummy VLAN (other than VLAN 1) that is not
  used for any data or management traffic.
IEEE 802.1q Native VLAN

•   The native VLAN allows 802.1Q capable ports to talk to old
    802.3 ports directly by sending and receiving untagged
    traffic
•   It is recommended that the native VLAN not be used to
    send data traffic
     – Control traffic (CDP, VTP, PAgP, and DTP) should be
         the only information carried across VLAN 1




Management VLAN

• Networking devices can be configured and managed remotely by telnet
   or ssh using the devices’ IP address
    – It is recommended that these devices be in their own VLAN
    – This is a VLAN independent of any user VLANs, the native VLAN,
      and VLAN 1
•  This keeps the management VLAN unaffected by broadcast storms or
   STP issues in user VLANs, as well as away from prying eyes




Configuring the ‘native’ VLAN

    • The router's subinterface that receives the native VLAN traffic
       must be configured to expect those frames to be untagged.
        – By default this is VLAN 1 and is usually not a problem
        – However, if a VLAN other than VLAN 1 is the native VLAN
          then it must be configured at the router’s subinterface for that
          VLAN

        encapsulation dot1q vlan-id native

        – The native keyword applies to 802.1Q only; ISL tags every frame,
          so it has no native VLAN




IOS Support for the ‘native’ VLAN

•   Prior to IOS 12.1(3)T the router had to be configured with
    the native VLAN on the physical interface and non-native
    VLANs were configured on the subinterface with the ISL or
    802.1Q tag.
•   Don’t forget that the IOS has to be at least IP Plus




Default Gateway Configuration


– To define a gateway on a Cisco IOS Software-based series
  switch

   Switch(config)#ip default-gateway ip-address
   • ip-address is the IP address of the default Route Processor
– To configure a default route on a set command-based system



   Switch> (enable) set ip route destination gateway metric


Trunking Protocols


– The ISL protocol

    a proprietary frame-tagging protocol that
    contains a standard Ethernet frame and the
    VLAN information associated with that frame


– The IEEE 802.1Q


    a standards-based protocol that is supported
    between multiple vendors

Distribution Layer




[Figure: three-layer campus design; the distribution layer is where inter-VLAN routing often occurs]

External Route Processor

[Figure: external Route Processor topology. Switch A and Switch B serve VLAN41 (Networks 172.16.41.3 and 172.16.41.4), Switch C serves VLAN42 (Network 172.16.42.5); an external router routes between the VLANs]

External Route Processor




External Route Processor


– High-end routers supporting multilayer switching:

   • 7500, 7200, 4500, and 4700 Series Routers.

   • The router must have the following to provide Layer 3 services to the switch:

          » MultiLayer Switch Protocol (MLSP) software

          » Cisco IOS® 11.3.4 software or later




Internal Route Processors (RSM)

[Figure: an RSM inside the switch routing between VLAN41 (Networks 172.16.41.3 and 172.16.41.4) and VLAN42 (Network 172.16.42.5)]

Internal Route Processors (RSM)




Internal Route Processors (RSM)


– The switch internal route switch module (RSM)
   • traffic flow uses the switch backplane (the high-speed
     switching path used inside the switch chassis).
   • allows the router to be much more tightly integrated with
     the switching process
      – provides two key benefits:
          » speed – improved performance
          » integration – eases configuration tasks and provides
            intelligent communication between the Layer 2 and
            Layer 3 portions of the network
  Internal Route Processors (RSM)




Internal Route Processors (RSM)

[Figure: the RSFC daughter card and the RSM module]

    Internal Route Processors (RSM)




Route Switch Processors

 • The highest performing Inter-VLAN routing option utilizes an
   internal route switch processor.
 • A route switch processor is a router card that can be plugged into
   a modular switch (4006, 6509) or is part of the switch's internal
   hardware and architecture (3550)
 • Supervisor III and Sup720 Engines have integrated route
   processors

 See the website ‘Requirements for MLS’:
 http://www.cisco.com/en/US/products/hw/switches/ps700/products_tech_note09186a0080133fc5.shtml




“Router-on-a-Stick”

                                                    •   One-Armed-Router
                                                        (OAR)
                                                    •   Saves switchports
                                                    •   10/100Mb interface
                                                    •   Min. 1721 router
                                                    •   2610XM will do on a 10Mb
                                                        interface
                                                    •   Each subif shows up as a
                                                        directly connected network
                                                    •   Interface must support
                                                        trunking encapsulation




When to Route on-a-stick

                                 •   Router-on-a-stick should be used when an
                                     internal route processor (RSM, MSFC or 3550)
                                     is not available
                                 •   Traffic flows up to and back from the router




Router on a Stick


–   Early VLAN designs relied on external routers connected via
    one or more links to VLAN-capable switches
    •   Inter-VLAN traffic must cross the Layer 2 backbone to
        reach the router where it can move between VLANs.
        – travels back to the desired end station using normal
          Layer 2 forwarding

          "out-to-the-router-and-back" flow is characteristic of all router-on-a-stick designs




When to use Router on a Stick

–   The router-on-a-stick technique functions as if the router
    were sitting on the edge of the network (as far as the Layer 2
    network is concerned)
    •   tends to be less tightly integrated with the rest of the
        campus network
        – most appropriate when other options are not available
           » other options tend to provide higher throughput
             and functionality.
           »    newer approaches, such as MLS, seek to place
               routing in the middle of the network where it can
               have a greater influence on the overall scalability
               and stability of the network
Trunk-Connected Routers

–   The primary advantage of using a trunk link is a reduction
    in router and switch ports.
    •   can save money
    •   can also reduce configuration complexity
    •   can scale to a much larger number of VLANs than a one-
        link-per-VLAN design.
        – Disadvantages:
          » there is a possibility of inadequate bandwidth for
             each VLAN
          » additional overhead on the router can occur
          » older versions of the Cisco IOS Software support
             only a limited set of features on ISL interfaces
Layer 3 Feature Cards

The Multilayer Switch Feature Card (MSFC) provides Layer 3 functionality and
enables the use of Cisco Express Forwarding for increased routing performance.

The Policy Feature Card (PFC) contains all the Application-Specific Integrated
Circuits (ASICs) for Layer 2 and 3 look-ups and performs many Cisco IOS® features
in hardware. It performs IP Unicast and Multicast forwarding, QoS, and Access
Control List (ACL) lookups in hardware. The PFC scales central forwarding to 30 Mbps.
Methods of Inter-VLAN Routing

•   Inter-VLAN routing in a switched network
•   Inter-VLAN routing via the switch virtual interface
•   Inter-VLAN routing via the routed port
•   Routing between an external router and an internal route
    processor




Switch Virtual Interface (SVI)

    •    Most common method of inter-VLAN routing is to
         configure the SVI
    •    Router has a virtual interface in every VLAN created
         on the switch
          – Rather than configuring a physical interface for
            each VLAN, the router uses a virtual or VLAN
            interface

          Switch(config)# interface vlan 55
          Switch(config-if)# ip address 10.1.55.1 255.255.255.0

          The ‘no shutdown’ command is required for int VLAN 1




Using the Routed Port


•       It is also possible to configure a physical
        switchport/interface as a router (Layer 3) interface – all
        switchports are Layer 2 by default
        – Through this process, it is possible to turn a 12 or 24 port
          Ethernet switch into a 12 or 24 interface Ethernet router
        – Turn off the switchport functionality and configure an IP
          address:

            Switch(config)# interface fa 0/1
            Switch(config-if)# no switchport
            Switch(config-if)# ip address 10.0.1.1 255.255.255.0




Routing between an Internal and External Router



 •   It is often necessary to connect an external router to
     an internal route switch processor for WAN access
      – To do this, configure a routed port on the multilayer
        switch and connect it to the external router’s
        Ethernet interface
      – The routed port and the Ethernet interface of the
        router have to be on the same subnet




Internal and External Config




                                        It would also be possible
                                        to run a routing protocol
                                        between the two devices
            RouteSwitch(config)# interface fa 0/1
            RouteSwitch(config-if)# no switchport
            RouteSwitch(config-if)# ip address 10.0.1.1 255.255.255.0

            ExtRouter(config)# interface fa 0/0
            ExtRouter(config-if)# ip address 10.0.1.2 255.255.255.0
Config ‘native’ VLAN on the Router

• With IOS 12.1(3)T and later, the subinterface of the router can be
   configured as part of the native VLAN.
    – The native option tells the router to accept any frames coming in
      untagged on fastethernet 0/0 as belonging to VLAN 1.

        interface FastEthernet0/0.1
         encapsulation dot1q 1 native
         ip address 10.1.1.1 255.255.255.0
        interface FastEthernet0/0.10
         encapsulation dot1q 10
         ip address 10.1.10.1 255.255.255.0
        interface FastEthernet0/0.20
         encapsulation dot1q 20
         ip address 10.1.20.1 255.255.255.0




Router and Switch ‘native’ Config




    Verifying Inter-VLAN Routing

• To verify that Inter-VLAN routing functionality is available use the
    command ‘show ip route’
     – If a routing table is not displayed then IP routing is not available
     – Use the global configuration command ‘ip routing’ to turn
       routing on
•   To verify the functionality of a switchport use:
     – ‘show interface FastEthernet [mod/port]’
     – ‘show ip interface brief’
     – This will tell you if the switchport is a Layer 2 or 3 interface




Verifying Inter-VLAN Routing

[Figure: annotated command output; the callouts read “no routing table”, “Layer 2 only”, “not a switchport” and “Layer 3”]

Multimodule Systems


– Many switches are multimodule systems
   • Entering the show module command without specifying a
     module number displays information on all modules
     installed in the system.

      Switch>(enable) show module

   • Specifying a particular module number displays
     information on that module

      Switch>(enable) show module mod_num


Accessing the RSM


– The RSM is configured almost exactly like any other router.
   • can be accessed in two ways:
      – connect a terminal directly to the RSM console port
      – access the RSM from the switch.


         Switch> session mod_num




Catalyst 5000 Configuration


– Configuring inter-VLAN routing on the RSM consists of two
  main procedures:

    • Creating and configuring VLANs on the switch and
      assigning VLAN membership to switch ports.

    • Creating and configuring VLAN interfaces for inter-VLAN
      routing on the RSM; a VLAN interface must be configured
      for each VLAN with traffic to be routed.



RSM Configuration

–   The RSM can route up to 256 VLANs.
–   Each VLAN that the RSM is routing appears as a separate
    virtual interface
    1. specify a VLAN interface on the RSM
       – The interface number configured on the Route
         Processor corresponds to the VLAN number
         configured on the Catalyst 5000 Series Switch
    2. assign a unique IP address to that interface
       – one global MAC address applies to all interfaces on
         that device
           » can specify a unique MAC address per interface
RSM Configuration (Cont.)


– To specify a VLAN interface on the RSM

    Router(config)#interface vlan vlan-interface-number

– To assign a unique IP address to that interface


    Router(config-if)#ip address ip-address subnet-mask




Catalyst 4000 Configuration

–    The Catalyst 4000 Family Layer 3 engine uses Cisco Express
     Forwarding (CEF)
    • The Layer 3 module looks like a router (referred to as a
       Layer 3 service module rather than a RSM)
       – provides Layer 3 switching based on a topology map of
          the entire network that is distributed to multiple
          application-specific integrated circuits (ASICs)
       – allows autonomous-switching decisions without the
          involvement of a centralized CPU
       – Inter-VLAN traffic is run through the Gigabit
          Ethernet ports (both on the front panel and on
          backplane gigabit ports that you can't see)
           » you configure subinterfaces on IEEE 802.1q gigabit
              ports and the subinterfaces are assigned to a VLAN
    Channel Configuration

•    To configure the interfaces as a channel:
           Step 1 - Use the set port channel mod/ports command to configure a Gigabit EtherChannel
         •     Before you create the channel, ensure that the ports you intend to channel belong to the
               same VLAN:
                    Cat4000> (enable) set port channel 2/1-2 on
           Step 2 - Use the set trunk mod_num/port_num command to enable trunking and specify an
           encapsulation type on the EtherChannel ports
         •     By specifying the encapsulation type on one of the EtherChannel ports, trunking and
               the specified encapsulation are enabled on all ports in the channel
                    Cat4000> (enable) set trunk 2/1 on dot1Q 1-10
           Step 3 - Use the session mod_num command to access the Layer 3 services module console
           prompt
                    Cat4000> (enable) session 2
                    Trying Router...
                    Connected to Router.
                    Escape character is '^]'.
                    router>


    Channel Configuration (Cont.)


           Step 3a. At the EXEC prompt, enter privileged mode
                 router> enable
                 router#
           Step 3b. At the privileged EXEC prompt, enter global configuration mode
                 router#configure terminal
                 router(config)#
       Step 4 - Create an EtherChannel (portchannel) interface
         • channel number can be from 1 to 64
                 router(config)#interface port-channel channel_number

       Step 5 - Assign the g3 and g4 interfaces to the port channel
                 router(config)#interface g3
                 router(config-if)#channel-group channel_number
                 router(config-if)#exit
                 router(config)#

    – Repeat this step on the g4 interface

Channel Configuration (Cont.)


  Step 6 - Configure subinterfaces on the port channel interface
    • one for each allowed VLAN configured on the Layer 3 service module trunk over which
      you want to route (specify the same type of encapsulation as in Step 2)
            router(config)#interface port-channel channel_number.vlan_id
            router(config-subif)#encapsulation dot1Q vlan_id
            router(config-subif)#ip address ip_address subnet_mask
            router(config-subif)#exit
– Repeat this step to create and configure additional subinterfaces on the port channel.
  Step 7 - Configure a subinterface for the native VLAN by specifying the native keyword in the
  encapsulation command:
            router(config)#interface port-channel channel_number.vlan_id
            router(config-subif)#encapsulation dot1Q vlan_id native
            router(config-subif)#ip address ip_address subnet_mask
            router(config-subif)#exit
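
An added consistency check for the trunk and subinterface settings this procedure (Steps 2, 6 and 7) and the earlier ‘Native VLAN’, ‘Management VLAN’ and ‘Config native VLAN on the Router’ slides describe. It is example code written for this page, not Cisco's or the course's own, and every configuration snippet in it is constructed. It assumes IOS-style switch syntax (switchport trunk native vlan, which the slides show, and switchport trunk allowed vlan, which they do not) together with the IOS subinterface syntax from the router slide. It reports three things a practitioner checks before trusting a trunk: a native VLAN mismatch between switch and router (untagged frames land in the wrong subnet), a subinterface VLAN the trunk does not carry (silently dropped), and VLAN 1 or the native VLAN carrying a routed subnet, which the slides advise against.

```python
"""Trunk / subinterface consistency check (added example, not Cisco code).
All configuration text below is constructed for illustration."""
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class Subif:
    name: str
    vlan: Optional[int] = None
    native: bool = False
    ip: Optional[str] = None


def expand_vlans(spec: str) -> Set[int]:
    """Expand a VLAN list such as '1-10,20,30' (set trunk / allowed vlan syntax)."""
    vlans: Set[int] = set()
    for part in spec.split(","):
        part = part.strip()
        if part:
            lo, _, hi = part.partition("-")
            vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_router(config: str) -> List[Subif]:
    """Collect subinterfaces that carry an 'encapsulation dot1Q|isl <vlan> [native]' line."""
    subifs: List[Subif] = []
    cur: Optional[Subif] = None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            cur = Subif(name=line.split()[1])
            subifs.append(cur)
        elif cur is not None:
            m = re.match(r"encapsulation\s+(dot1q|isl)\s+(\d+)(\s+native)?$", line, re.I)
            if m:
                cur.vlan, cur.native = int(m.group(2)), bool(m.group(3))
            elif line.startswith("ip address "):
                cur.ip = line.split()[2]
    return [s for s in subifs if s.vlan is not None]


def parse_switch_trunk(config: str) -> Tuple[int, Optional[Set[int]]]:
    """Return (native VLAN, allowed VLANs); IOS defaults are VLAN 1 and all VLANs (None)."""
    native, allowed = 1, None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"switchport trunk native vlan (\d+)$", line)
        if m:
            native = int(m.group(1))
        m = re.match(r"switchport trunk allowed vlan ([\d,\-]+)$", line)
        if m:
            allowed = expand_vlans(m.group(1))
    return native, allowed


def check_trunk(router_cfg: str, switch_cfg: str) -> List[str]:
    findings: List[str] = []
    subifs = parse_router(router_cfg)
    sw_native, allowed = parse_switch_trunk(switch_cfg)
    natives = [s for s in subifs if s.native]
    if len(natives) > 1:
        findings.append("more than one subinterface is marked native")
    for s in natives:
        if s.vlan != sw_native:   # untagged frames would be placed in the wrong subnet
            findings.append(f"native mismatch: {s.name} expects VLAN {s.vlan} untagged, "
                            f"switch sends VLAN {sw_native} untagged")
    if allowed is not None:
        for s in subifs:
            if s.vlan not in allowed:   # the switch never forwards this VLAN down the trunk
                findings.append(f"{s.name}: VLAN {s.vlan} is not allowed on the trunk")
    for s in subifs:
        if s.ip and (s.native or s.vlan == 1):   # data on VLAN 1 / native VLAN: control traffic only there
            kind = "native VLAN" if s.native else "VLAN"
            findings.append(f"{s.name}: {kind} {s.vlan} carries routed subnet {s.ip}")
    return findings


# Constructed router side: untagged VLAN 1 pattern from the slides, plus a VLAN 30 the trunk lacks
ROUTER_CONFIG = """interface FastEthernet0/0.1
 encapsulation dot1Q 1 native
 ip address 10.1.1.1 255.255.255.0
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
interface FastEthernet0/0.30
 encapsulation dot1Q 30
 ip address 10.1.30.1 255.255.255.0
"""
# Constructed switch side: native moved to a dummy VLAN 99, router not updated to match
SWITCH_CONFIG = """interface FastEthernet0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk native vlan 99
 switchport trunk allowed vlan 1,10,20,99
"""
# Hardened pair: native VLAN 99 agreed on both sides and carrying no IP subnet
HARDENED_ROUTER = """interface FastEthernet0/0.99
 encapsulation dot1Q 99 native
interface FastEthernet0/0.10
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
"""
HARDENED_SWITCH = """interface FastEthernet0/24
 switchport trunk native vlan 99
 switchport trunk allowed vlan 10,99
"""

if __name__ == "__main__":
    for finding in check_trunk(ROUTER_CONFIG, SWITCH_CONFIG):
        print("WARN", finding)
    print("hardened findings:", check_trunk(HARDENED_ROUTER, HARDENED_SWITCH))
```

The first pair produces three warnings (native mismatch, VLAN 30 not on the trunk, VLAN 1 carrying 10.1.1.0/24); the hardened pair produces none, because the native VLAN is a dummy VLAN with no IP subinterface, matching the advice on the ‘Native VLAN not on VLAN 1’ slide.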




Configuring External Routers

– On an external router, an interface can be logically divided
  into multiple, virtual subinterfaces.
    • provides a flexible solution for routing multiple data
      streams through a single physical interface.
        – To define subinterfaces on a physical interface, perform
          the following tasks:
               » Identify the interface.
                Router(config)#interface FastEthernet slot-number/port-number.subinterface-number


               » Define the VLAN encapsulation.
                Router(config-subif)#encapsulation isl vlan-number


               » Assign an IP address to the interface.
                Router(config-subif)#ip address ip-address subnet-mask

Return to Ver 4.0




•   Go to the CCNP3 Ver.4.0 Presentation (Inter-VLAN
    Routing)




Chapter 5 (Ver3.0)


       Cisco Networking Academy
             Multilayer Switching(MLS)

               Revised:


               hjlee@dongseo.ac.kr
               http://kowon.dongseo.ac.kr/~hjlee
               http://crypto.dongseo.ac.kr

MLS and CEF

•    One of the bottlenecks in high-speed networking is the
     decision-making process within the router.
•    Two of the methods used by Cisco devices to speed up
     this process are:
    1. Multilayer Switching (MLS)
    2. Cisco Express Forwarding (CEF)




      Internal route processors
     Route Processors include:
        – Route Switch Module (RSM) – 4000, 5000, 6000, 7000
        – Route Switch Feature Card (RSFC) - 5000
        – Multilayer Switch Module (MSM) - 6000
        – Multilayer Switch Feature Card (MSFC) - 6000
     Other terms used
        – Layer-3 Card, or Layer-3 “Blade”
        – MultiLayer Switch Route Processor (MLS-RP)
            • The router in the network (handles the first
              packet in every flow)




Introduction to MLS

•   MLS is a technology used by a small number of older
    Catalyst switches to provide wire-speed routing.
•   MLS is sometimes known as "Route once, switch many"
     – The first packet of a flow is routed by the router in
       software and the remaining packets are forwarded in
       hardware by the switch




Introduction to CEF
• CEF is the technology used by newer Cisco devices to provide wire-
    speed routing.
•   Unlike MLS, which requires the route processor to route the first packet
    of a flow, CEF enables packet switching to circumvent the route
    processor altogether
     – This is accomplished by the communication process between the
        route processor and the switch processor to create the shortcut info
        before the first packet arrives
     – “Route never, switch always”
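
An added toy model of the two forwarding schemes just described, written for this page and not Cisco code: an MLS switch that punts the first packet of each flow to the route processor and then forwards the rest of that flow from a flow cache (“route once, switch many”), beside a CEF switch whose forwarding table is already programmed when traffic arrives (“route never, switch always”). The routing table, next-hop MAC addresses and packet list are constructed; the flow key is a simplified (source, destination) pair and cache ageing is left out. Counting the packets that reach the route processor shows the operational difference: under MLS every new flow costs the route processor a packet, and a routing change empties the cache so every flow is learned again, while under CEF the data path never leaves hardware.

```python
"""Toy model of MLS ('route once, switch many') versus CEF ('route never, switch always').
Added illustration, not Cisco code; routes, MAC addresses and traffic are constructed."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Tuple

Hop = Tuple[int, str]   # (egress VLAN, next-hop MAC) written into the rewritten frame

# Constructed routing table for two user VLANs
ROUTES: Dict[IPv4Network, Hop] = {
    ip_network("10.1.10.0/24"): (10, "0000.0c10.0001"),
    ip_network("10.1.20.0/24"): (20, "0000.0c20.0001"),
}


def route_lookup(routes: Dict[IPv4Network, Hop], dst: str) -> Optional[Hop]:
    """Longest-prefix match: the decision the route processor makes in software."""
    best = None
    for net, hop in routes.items():
        if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


class MLSSwitch:
    """The first packet of a flow is punted to the MLS-RP; the switch caches the
    resulting rewrite and forwards the remainder of the flow in hardware."""

    def __init__(self, routes: Dict[IPv4Network, Hop]) -> None:
        self.routes = routes
        self.flow_cache: Dict[Tuple[str, str], Hop] = {}
        self.rp_packets = 0     # packets the route processor had to handle
        self.hw_packets = 0     # packets forwarded from the cache

    def forward(self, src: str, dst: str) -> Optional[Hop]:
        key = (src, dst)        # simplified flow key; real MLS uses a configurable flow mask
        if key in self.flow_cache:
            self.hw_packets += 1
            return self.flow_cache[key]
        self.rp_packets += 1    # punted: routed in software by the route processor
        hop = route_lookup(self.routes, dst)
        if hop is not None:
            self.flow_cache[key] = hop   # shortcut entry for the rest of this flow
        return hop

    def routing_change(self, routes: Dict[IPv4Network, Hop]) -> None:
        """A route change invalidates the shortcuts; every flow is re-learned via the RP."""
        self.routes = routes
        self.flow_cache.clear()


class CEFSwitch:
    """The FIB is built from the routing table before traffic arrives, so no data
    packet needs the route processor."""

    def __init__(self, routes: Dict[IPv4Network, Hop]) -> None:
        self.fib = dict(routes)
        self.rp_packets = 0
        self.hw_packets = 0

    def forward(self, src: str, dst: str) -> Optional[Hop]:
        self.hw_packets += 1
        return route_lookup(self.fib, dst)   # same lookup, but done in the forwarding ASIC

    def routing_change(self, routes: Dict[IPv4Network, Hop]) -> None:
        self.fib = dict(routes)   # FIB updated in place; forwarding never leaves hardware


def run(switch, packets: List[Tuple[str, str]]) -> Tuple[int, int]:
    """Forward every (src, dst) packet and return the (rp_packets, hw_packets) totals."""
    for src, dst in packets:
        switch.forward(src, dst)
    return switch.rp_packets, switch.hw_packets


# Constructed traffic: three flows of four packets each
PACKETS = ([("10.1.10.5", "10.1.20.7")] * 4
           + [("10.1.10.6", "10.1.20.7")] * 4
           + [("10.1.20.7", "10.1.10.5")] * 4)

if __name__ == "__main__":
    print("MLS (rp, hw):", run(MLSSwitch(ROUTES), PACKETS))   # (3, 9)
    print("CEF (rp, hw):", run(CEFSwitch(ROUTES), PACKETS))   # (0, 12)
```

With twelve packets in three flows, the MLS model sends three packets to the route processor and nine through the cache, and calling routing_change() on it makes the next three first-packets go to the route processor again; the CEF model forwards all twelve in hardware in both cases.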




Multilayer Switching

•   The term multilayer switching (MLS) is a general
    networking term that refers to hardware-based PDU
    header rewriting and forwarding, based on information
    specific to one or more OSI layers
     – When used in the context of this class, MLS refers to
       Cisco MLS




Multilayer Switching (MLS)

    – MLS is a technique used to increase IP routing performance
      by handling the packet-switching and rewrite functions in
      hardware.

       • moves the packet-forwarding function traditionally
         handled by the router to Layer 3 switches whenever a
         switched path exists.

       • can be implemented by using a Layer 3 switch or an
         external router topology.




Conventional Environment vs. Multilayer Switched Environment

[Figure: in the conventional environment every packet (p1, p2, p3) from Host A to Host B passes through the router; in the multilayer switched environment (1) the first packet is routed and (2) subsequent packets are switched]

         MLS – Multilayer Switching
         • MLS (Multilayer Switching) is Cisco’s Ethernet-based routing
               switch technology (but standards compliant).
         • MLS (hardware-assisted routing) is currently supported on two
               platforms:
                – Catalyst 5000
                    • Uses the NetFlow Feature Card (NFFC)
                      I or II
                – Catalyst 6000
                    • Uses the Multilayer Switch Feature Card
                      (MSFC)



Catalyst 5000 MLS Requirements


•   Supervisor Engine III or II/IIIG with NetFlow Feature Card
    (NFFC) or NFFC II
     – Supervisor Engine IIG and IIIG have integrated
       NFFCs (MLS support)
     – The only NFFCs still available for purchase are the
       NFFC-A and NFFC II-A
•   With Route Switch Module (RSM) or Route Switch
    Feature Card (RSFC).
     – RSFC is a daughter card that sits on the Sup to
       replace the need for the RSM (routing)








Catalyst 5000 IOS Requirements

      •   Cisco IOS Software Release 12.0(3c)W5(8a) or
          later on the RSFC.
      •   Cisco IOS Software Release 11.3(2)WA4(4) or
          later on the RSM.




Catalyst 6000 MLS Requirements

•   Supervisor Engine Ia or IIa
•   With a Policy Feature Card (PFC/PFC2)
•   With a Multilayer Switch Feature Card
    MSFC-1 or MSFC-2
     – Cat6000 Supervisor Engine 2, PFC2, and MSFC2
       provide Layer 3 switching with Cisco Express
       Forwarding(CEF) support.
     – The Sup I does not support CEF.








Requirements for MLS using an External Router


    •   Cisco 3600, 4500, 4700, 7200, or 7500 router or
        Catalyst 8500
    •   The connection between the external router and the
        Catalyst 5000 must be:
         – Fast or Gigabit Ethernet link
         – ISL or IEEE 802.1Q trunk
         – Fast or Gigabit EtherChannel.




Requirements for CEF

•   Catalyst 6000:
     – Supervisor Engine 2, Policy Feature Card 2 (PFC2),
       and Multilayer Switch Feature Card 2 (MSFC2)
•   Catalyst 4000:
     – Layer 3 Services Module or the Supervisor Engine III
•   Catalyst 3550 and newer
     – Support CEF by default (CCNP Lab!!!)








         NFFC – NetFlow Feature Card

     • NFFC is a pattern-matching engine.
     • Allows the switch to recognize a wide variety of different
         patterns, including addresses and port numbers.
     •   We will discuss only the switching aspects of the NFFC, but
         other capabilities include multicast and broadcast services.
     •   It is important to remember that the NFFC does not run any
         routing protocol.
     •   The NFFC is also known as the MLS-SE (MLS Switch Engine)
         component of MLS.




NFFC – Pattern Matching




      •   NFFC is not a router, but a pattern-matching engine.
      •   When the NFFC notices that a particular packet was sent to the router, only
          to have the router send it right back, it says to itself:
               – “Wow, what a waste of time that was!”
      •   The NFFC then starts short-cutting the remaining packets of that flow.







MLS Equipment Requirements


– IP MLS requires the following software/hardware:
   • Catalyst 2926G, 5000 or 6000 series switch
   • Supervisor Engine software release 4.1(1) or later
   • IOS 11.3(2)WA4(4) or later
   • Supervisor Engine III with NFFC II or Supervisor Engine II/III G
   • RSM
   • If using an external router: 8500, 7500, 7200, 4700, or 4500 series router

– IP MLS with an external router and IPX MLS have additional requirements.

MLS Operations

 –    MLS makes use of three components:
     1. MLS Route Processor (MLS-RP)
     2. MLS Switching Engine (MLS-SE)
     3. MultiLayer Switching Protocol (MLSP)
         – uses a four-step process:
            1. The MLS-RP sends MLSP hello packets
            2. The MLS-SE identifies candidate packets
            3. The MLS-SE identifies enable packets
            4. The MLS-SE shortcuts future packets




     MLS Components

     • MLS Route Processor (MLS-RP)
        – The router in the network (handles the first packet
          in every flow)
     • MLS Switching Engine (MLS-SE)
        – AKA Netflow Feature Card (NFFC): builds shortcut
          entries in a Layer 3 content-addressable memory
          (CAM) table.
     • MultiLayer Switching Protocol (MLSP)
        – The MLSP is a lightweight protocol used by the
          MLS-RP to initialize the MLS-SE and notify it of
          changes in the Layer 3 topology or security
          requirements.



             MLS Four-step Process

     Step 1
           The MLS-RP (L3 router) sends MLSP hello packets.
     Step 2
           The MLS-SE (NFFC) identifies candidate packets.
     Step 3
           The MLS-SE (NFFC) identifies enable packets.
     Step 4
           The MLS-SE (NFFC) shortcuts future packets.








             1. The MLS-RP sends MLSP hello packets.

[Figure: topology used in all of the following figures.
 MLS-RP interfaces: Fa 1/0.1 – IP Address 10.1.1.1/24, MAC Address 00-00-0C-11-11-11, VLAN 1 (Red);
                    Fa 1/0.2 – IP Address 10.1.2.1/24, MAC Address 00-00-0C-22-22-22, VLAN 2 (Blue).
 The MLS-RP connects to port 1/1 of the MLS-SE (NFFC).
 Host A on port 2/1: IP Address 10.1.1.10/24, MAC Address 00-AA-00-11-11-11, VLAN 1 (Red).
 Host B on port 3/1: IP Address 10.1.2.20/24, MAC Address 00-AA-00-22-22-22, VLAN 2 (Blue).
 The MLS-RP sends MLSP Hello Packets toward the switch; MLS-SE: “Now I know about the MLS-RP!”]
             1. The MLS-RP sends MLSP hello packets.

[Figure: same topology as the preceding figure. From the MLSP Hello Packets the MLS-SE (NFFC)
 records the router interfaces in its CAM table (“Now I know about the MLS-RP!”):

   CAM Table
   XTAG    MAC                  VLAN
   1       00-00-0C-11-11-11    1
   1       00-00-0C-22-22-22    2 ]




               1. The MLS-RP sends MLSP hello packets.


           •    When the router first boots, it begins sending MLSP hello packets
                every 15 seconds.
                  – These packets contain information on the VLANs and MAC
                    addresses in use on the router.
                  – Uses multicast address 01-00-0C-DD-DD-DD, same as
                    CGMP.
                  – Non-MLS aware switches flood these packets throughout
                    VLAN 1.
           •    By listening for these hello packets, the MLS-SE can learn the
                attributes of any MLS-capable routers in the Layer 2 network.
           •    MLS-SE (NFFC) identifies the MLS-capable router by assigning an
                XTAG value to each MLS-RP.
           •    This information is stored in the Layer 2 CAM (Content Addressable
                Memory) table.
                  – show cam marks these entries with an R




              2. The MLS-SE identifies candidate packets.

[Figure: topology as in the preceding figures. Host A sends a Candidate Packet (Red) toward the MLS-RP.
 Candidate Packet Info – Layer 3 Info: S-IP 10.1.1.10, D-IP 10.1.2.20;
                         Layer 2 Info: S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11.
 MLS-SE (NFFC): “The Destination MAC Address is one of the router’s interfaces. There is not an
 existing flow, so I will flag this as a candidate packet.”
 Frame: ISL Header VLAN = 1 | Ethernet Header D-MAC = 00-00-0C-11-11-11, S-MAC = 00-AA-00-11-11-11 |
        IP Header S-IP = 10.1.1.10, D-IP = 10.1.2.20 | IP Data]




               2. The MLS-SE identifies candidate packets.



          •    The MLS-SE (NFFC) starts using its pattern-matching
               capabilities to look for packets that are destined for
               MLS-RPs (routers).
          •    If a packet is headed to the router and does not have
               an existing shortcut entry, it is classified as a
               candidate packet.
          •    The packet uses the normal Catalyst Layer 2
               Forwarding (L2F) process and gets forwarded out the
               port connected to the router.
          •    Candidate packets must meet the following criteria:
                   – They have a destination MAC address equal to one of the
                     router MAC addresses learned via MLSP.
                   – They do not have an existing short-cut entry.


             3. The MLS-SE identifies enable packets.

[Figure: topology as in the preceding figures. The packet comes back from the MLS-RP as the
 Enable Packet (Blue).
 1. Destination MAC Address is used to switch the packet (frame) out port 3/1.
 Frame: ISL Header VLAN = 2 | Ethernet Header D-MAC = 00-AA-00-22-22-22, S-MAC = 00-00-0C-22-22-22 |
        IP Header S-IP = 10.1.1.10, D-IP = 10.1.2.20 | IP Data]




             3. The MLS-SE identifies enable packets.

[Figure: topology as in the preceding figures. Enable Packet (Blue).
 2. The MLS-SE (NFFC) recognizes the source MAC address as one of the entries created in Step 1
    via the MLSP hello process.
 Frame: ISL Header VLAN = 2 | Ethernet Header D-MAC = 00-AA-00-22-22-22, S-MAC = 00-00-0C-22-22-22 |
        IP Header S-IP = 10.1.1.10, D-IP = 10.1.2.20 | IP Data]
             3. The MLS-SE identifies enable packets.

[Figure: topology as in the preceding figures. Enable Packet (Blue).
 3. The MLS-SE (NFFC) uses the destination IP address to look up the existing partial shortcut
    entry created in Step 2 (Candidate Packet).
 Candidate Packet Info – Layer 3 Info: S-IP 10.1.1.10, D-IP 10.1.2.20;
                         Layer 2 Info: S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11.
 Frame: ISL Header VLAN = 2 | Ethernet Header D-MAC = 00-AA-00-22-22-22, S-MAC = 00-00-0C-22-22-22 |
        IP Header S-IP = 10.1.1.10, D-IP = 10.1.2.20 | IP Data]




             3. The MLS-SE identifies enable packets.

[Figure: topology as in the preceding figures. Enable Packet (Blue).
 4. The MLS-SE (NFFC) compares the values associated with the source MAC address of this packet
    and the partial shortcut entry. Because they match, it knows that this is the enable packet
    coming from the same router targeted by the candidate packet.
 Candidate Packet Info – Layer 3 Info: S-IP 10.1.1.10, D-IP 10.1.2.20;
                         Layer 2 Info: S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11.

   CAM Table
   XTAG    MAC                  VLAN
   1       00-00-0C-11-11-11    1
   1       00-00-0C-22-22-22    2

 Frame: ISL Header VLAN = 2 | Ethernet Header D-MAC = 00-AA-00-22-22-22, S-MAC = 00-00-0C-22-22-22 |
        IP Header S-IP = 10.1.1.10, D-IP = 10.1.2.20 | IP Data]
             3. The MLS-SE identifies enable packets.

[Figure: topology as in the preceding figures. Enable Packet (Blue).
 5. The MLS-SE (NFFC) completes the shortcut entry. This entry will contain all of the information
    necessary to rewrite the header of future packets.
 Future Packets (as sent by Host A):
 Frame: ISL Header VLAN = 1 | Ethernet Header D-MAC = 00-00-0C-11-11-11, S-MAC = 00-AA-00-11-11-11 |
        IP Header S-IP = 10.1.1.10, D-IP = 10.1.2.20 | IP Data]




             3. The MLS-SE identifies enable packets.

[Figure: topology as in the preceding figures. Enable Packet (Blue).
 The switch records this entry in the MLS cache:

   MLS Cache
   Dst IP       Src IP       Port   Dst Port   Src Port   Dst MAC              Src MAC              VLAN   Interface
   10.1.2.20    10.1.1.10    TCP    23         1238       00-AA-00-22-22-22    00-00-0C-22-22-22    2      3/1 ]
3. The MLS-SE identifies enable packets.



      The Router (MLS-RP)
      • In the example, the router receives and routes the packet as
          normal.
      • The router has rewritten the Layer 2 header.
      • Not only has the router changed the VLAN number in the ISL
          header, it has also modified both MAC addresses.
            – Although the IP addresses have not been
              changed, the router must modify the IP header by
              decrementing the Time-To-Live (TTL) field and
              updating the IP checksum.








      3. The MLS-SE identifies enable packets.



    The Switch MLS-SE (NFFC)
    When the packet comes back to the switch:
    1.   Destination MAC Address is used to switch the packet (frame) out port 3/1.
    2.   The MLS-SE (NFFC) recognizes the source MAC address as one of the
         entries created in Step 1 via the MLSP hello process.
    3.   The MLS-SE (NFFC) uses the destination IP address to look up the existing
         partial shortcut entry created in Step 2 (Candidate Packet)
    4.   The MLS-SE (NFFC) compares the XTAG values associated with the source
         MAC address of this packet and the partial shortcut entry. Because they
         match, the MLS-SE knows that this is the enable packet coming from the
         same router targeted by the candidate packet.
    5.   The MLS-SE (NFFC) completes the shortcut entry. This entry will contain all
         of the information necessary to rewrite the header of future packets.




4. The MLS-SE shortcuts future packets.



    • As future packets from the “flow” arrive, the MLS-SE uses the
        destination IP address to look up the completed shortcut entry in
        the MLS cache created in Step 3.
    •   Finding a match, it uses a rewrite engine to modify the
        necessary header information and then sends the packet directly
        to the destination (the packet is not forwarded to the router).
    •   The rewrite operation modifies all the same fields initially modified
        by the router for the first packet.








Rewrite Engine


          The rewrite mechanism can modify the following fields:
            – Source and destination MAC addresses
           – VLAN ID
           – TTL
           – IP Encapsulation (for example, ARPA [DEFINE] to
             Subnetwork Access Protocol [SNAP])
           – Checksums
           – Type of Service/Class of Service (ToS/CoS)
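To make the four-step process and the rewrite engine concrete, here is an added Python simulation (not Cisco code and not part of the course material) of the decisions the MLS-SE makes on the slide topology: learning the MLS-RP from an MLSP hello, flagging the candidate packet, matching the enable packet by XTAG, and then rewriting later packets of the flow without the router. The class and function names (MlsSwitchEngine, Frame, Shortcut, rewrite_ttl, run_flow) are invented; the addresses, VLANs and XTAG are the ones in the figures, and the IPv4 header used for the TTL/checksum rewrite is constructed.

```python
import socket
import struct
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass
class Frame:
    """The header fields the slides show: ISL VLAN, Ethernet MACs, IP addresses, TTL."""
    vlan: int
    d_mac: str
    s_mac: str
    s_ip: str
    d_ip: str
    ttl: int = 64


@dataclass
class Shortcut:
    """MLS cache entry: partial after the candidate packet, complete after the enable packet."""
    xtag: int                        # XTAG of the MLS-RP the candidate packet was sent to
    s_ip: str
    d_ip: str
    rewrite: Optional[dict] = None   # new VLAN/MACs, filled in by the enable packet


def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 header checksum, computed with the checksum field zeroed."""
    hdr = hdr[:10] + b"\x00\x00" + hdr[12:]
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(s_ip: str, d_ip: str, ttl: int) -> bytes:
    """Constructed 20-byte IPv4 header (protocol TCP, 40-byte total length)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0, ttl, 6, 0,
                      socket.inet_aton(s_ip), socket.inet_aton(d_ip))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def rewrite_ttl(hdr: bytes) -> bytes:
    """The IP-header part of the rewrite: decrement TTL, recompute the checksum."""
    hdr = hdr[:8] + bytes([hdr[8] - 1]) + hdr[9:]
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


class MlsSwitchEngine:
    """Models the MLS-SE (NFFC): a pattern matcher that runs no routing protocol."""

    def __init__(self) -> None:
        self.router_cam: Dict[str, Tuple[int, int]] = {}  # router MAC -> (XTAG, VLAN)
        self.mls_cache: Dict[str, Shortcut] = {}           # keyed by destination IP
        self._next_xtag = 1

    def mlsp_hello(self, interfaces) -> int:
        """Step 1: store the MAC/VLAN pairs from an MLSP hello under one XTAG per router."""
        xtag, self._next_xtag = self._next_xtag, self._next_xtag + 1
        for mac, vlan in interfaces:
            self.router_cam[mac] = (xtag, vlan)
        return xtag

    def switch(self, f: Frame) -> Tuple[str, Frame]:
        """Classify one frame and return it as it leaves the switch."""
        entry = self.mls_cache.get(f.d_ip)
        # Step 4: completed entry -> rewrite engine; the router never sees the packet.
        if entry and entry.rewrite and f.d_mac in self.router_cam:
            rw = entry.rewrite
            return "shortcut", replace(f, vlan=rw["vlan"], d_mac=rw["d_mac"],
                                       s_mac=rw["s_mac"], ttl=f.ttl - 1)
        # Step 2: addressed to an MLSP-learned router MAC and no shortcut yet.
        if f.d_mac in self.router_cam and entry is None:
            xtag, _ = self.router_cam[f.d_mac]
            self.mls_cache[f.d_ip] = Shortcut(xtag, f.s_ip, f.d_ip)
            return "candidate", f   # normal L2F toward the router
        # Step 3: coming back from a router MAC; XTAG must match the partial entry.
        if f.s_mac in self.router_cam and entry and entry.rewrite is None:
            if self.router_cam[f.s_mac][0] == entry.xtag:
                entry.rewrite = {"vlan": f.vlan, "d_mac": f.d_mac, "s_mac": f.s_mac}
                return "enable", f
        return "l2", f


def mls_rp_route(f: Frame) -> Frame:
    """What the MLS-RP does to the first packet on the slide topology (VLAN 1 -> VLAN 2)."""
    return replace(f, vlan=2, d_mac="00-AA-00-22-22-22", s_mac="00-00-0C-22-22-22",
                   ttl=f.ttl - 1)


def run_flow():
    """Host A (10.1.1.10, VLAN 1) sends two packets to Host B (10.1.2.20, VLAN 2)."""
    se = MlsSwitchEngine()
    se.mlsp_hello([("00-00-0C-11-11-11", 1), ("00-00-0C-22-22-22", 2)])
    first = Frame(1, "00-00-0C-11-11-11", "00-AA-00-11-11-11", "10.1.1.10", "10.1.2.20")
    step2, _ = se.switch(first)                 # "candidate": goes to the MLS-RP
    step3, _ = se.switch(mls_rp_route(first))   # "enable": completes the shortcut
    step4, out = se.switch(replace(first))      # "shortcut": rewritten, router bypassed
    return step2, step3, step4, out
```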




             The shortcut packet

[Figure: topology as in the preceding figures. The MLS-RP is bypassed (“No soup for you!”).
 On the MLS-SE: Check MLS Cache -> Rewrite Header -> Packet Sent / Switch Packet.

   MLS Cache
   Dst IP       Src IP       Port   Dst Port   Src Port   Dst MAC              Src MAC              VLAN   Interface
   10.1.2.20    10.1.1.10    TCP    23         1238       00-AA-00-22-22-22    00-00-0C-22-22-22    2      3/1

 Future Packets:
 Frame in:  ISL Header VLAN = 1 | Ethernet Header D-MAC = 00-00-0C-11-11-11, S-MAC = 00-AA-00-11-11-11 |
            IP Header S-IP = 10.1.1.10, D-IP = 10.1.2.20 | IP Data
 Frame out: ISL Header VLAN = 2 | Ethernet Header D-MAC = 00-AA-00-22-22-22, S-MAC = 00-00-0C-22-22-22 |
            IP Header S-IP = 10.1.1.10, D-IP = 10.1.2.20 | IP Data]




   When to use MLS?




MLSP (Multilayer Switching Protocol)

(Figure: MLSP runs between the MLS-RP (Route Processor) and the MLS-SE (Switch Engine). MLS-RP can be an RSM or a Cisco 85xx, 75XX, 72XX or 4XXX router.)




Hello Message

(Figure: MLSP hello messages are flooded from the MLS-RP through the switches; a switch that is not a Layer 3 switch says: "I am not a Layer 3 Switch but I will still pass on the message.")




MLS-RP Advertisements


– When the MLS-RP first boots, it begins sending MLSP hello
  packets every 15 seconds.
   • contains information on:
      – MAC addresses in use on the router
      – VLANs
      – Access list information
      – Additions and deletions of routes
   • sent using a multicast address (01-00-0C-DD-DD-DD)



MLSP Hello Messages


– When an MLS-SE receives a hello message, it performs the
  following:

   • extracts all the MAC addresses received in the frame and the
     associated interface or VLAN ID for each address

   • records the addresses of the MLS-RPs in the content
     addressable memory (CAM)








(Figure: three route processors attached to one MLS-SE, each tagged by the switch: MLS-RP A = XTAG34, MLS-RP B = XTAG11, MLS-RP C = XTAG28.)

                  MLS-RP IP      MLS-RP ID     XTAG   MLS-RP MAC          Vlans
                  172.16.68.13   001006795800  28     00-10-06-79-58-00   1,41,42
Assigning XTAGs


– If there are multiple MLS-RPs attached to the switch, the
  MLS-SE distinguishes the MAC addresses of each MLS-RP by
  assigning an XTAG value to these addresses
   • a locally generated one-byte value that the MLS-SE attaches
     to all the MAC addresses learned from the same MLS-RP
     via the MLSP frames
   • useful for deleting a specific set of Layer 3 entries from the
     Layer 3 table when an MLS-RP fails or exits the network








MLS Cache


– Multilayer switching is based on individual flows.
   • The MLS-SE maintains a cache for MLS flows and stores
     statistics for each flow.
       – All packets in a flow are compared to the cache.
          » If the MLS cache contains an entry that matches the
            packet in the flow, the MLS-SE switches the packet
            and bypasses the router.
          » If the MLS cache does not contain an entry that matches
            the packet, a cache entry must be established for
            that flow.
Candidate Packet

(Figure: host A (MAC 0010.f663.d000, IP 172.16.10.123) sends the first packet of a flow to host B (MAC 0090.b133.7000, IP 172.16.22.57) via the MLS-RP (MAC 0010.0679.5800, IP 172.16.68.13); numbered steps 1 to 4 end at the switch asking "Cache Entry?". The step descriptions were not recovered.)

    L3 Information: Source IP = 172.16.10.123, Destination IP = 172.16.22.57
    L2 Information: Source MAC = 0010.f663.d000, Destination MAC = 0010.0679.5800

    MLS-RP IP      MLS-RP ID     XTAG   MLS-RP MAC          Vlans
    172.16.68.13   001006795800  28     00-10-06-79-58-00   1,41,42




Enable Packet

(Figure: the MLS-RP (MAC 0010.0679.5800, IP 172.16.68.13) returns the routed packet toward host B (MAC 0090.b133.7000, IP 172.16.22.57); numbered steps 5 to 8. The step descriptions were not recovered.)

    L3 Information: Source IP = 172.16.10.123, Destination IP = 172.16.22.57
    L2 Information: Source MAC = 0010.0679.5800, Destination MAC = 0090.b133.7000
(Figure: the MLS-SE compares the candidate packet (XTAG = 28) with the enable packet (XTAG = 28) returned by the MLS-RP (MAC 0010.0679.5800, IP 172.16.68.13) and completes the MLS cache entry for the flow from host A (0010.f663.d000, 172.16.10.123) to host B (0090.b133.7000, 172.16.22.57); numbered steps 9 to 12. The step descriptions were not recovered.)

    MLS-RP IP      MLS-RP ID     XTAG   MLS-RP MAC          Vlans
    172.16.68.13   001006795800  28     00-10-06-79-58-00   1,41,42

    MLS Cache Entry
    Destination IP   Source IP       Port   DstPrt   SrcPrt   Destination Mac     Vlan   Port
    172.16.22.57     172.16.10.123   UDP    1238     60224    00-90-b1-33-70-00   45     2/9
(Figure: subsequent frames of the flow from host A (0010.f663.d000, 172.16.10.123) to host B (0090.b133.7000, 172.16.22.57) are matched against the MLS cache entry and rewritten by the switch; numbered steps 13 to 16. The step descriptions were not recovered.)

    Incoming Frame
    L3 Information: Source IP = 172.16.10.123, Destination IP = 172.16.22.57
    L2 Information: Source MAC = 0010.f663.d000, Destination MAC = 0010.0679.5800

    Rewritten Frame
    L3 Information: Source IP = 172.16.10.123, Destination IP = 172.16.22.57
    L2 Information: Source MAC = 0010.0679.5800, Destination MAC = 0090.b133.7000

    MLS Cache Entry
    Destination IP   Source IP       Port   DstPrt   SrcPrt   Destination Mac     Vlan   Port
    172.16.22.57     172.16.10.123   UDP    1238     60224    00-90-b1-33-70-00   45     2/9
Establishing a MLS Cache Entry


– The following steps outline the process of establishing an MLS cache entry:

Step 1    A switch receives an incoming frame and looks at the frame’s destination MAC address.

Step 2    The switch recognizes the frame’s destination address as the address of the MLS-RP, because the switch initially received this
          destination address in a Layer 3 hello message and programmed that MAC address into the CAM table.

Step 3    The MLS-SE checks the MLS cache to determine whether an MLS entry is already established for this flow. If the frame is the first in a flow,
          there will not be an entry in the cache.

Step 4    The switch forwards the frame to the addressed route processor.

          This process of sending the frame to the addressed route processor creates a candidate entry in the MLS cache.

Step 5    The route processor receives the frame and consults the routing table to determine if there is a route to the destination address.

Step 6    If the route processor finds the destination address in the routing table, the MLS-RP constructs a new Layer 2 header containing its
          own MAC address as the source MAC address.

Step 7    The route processor also enters the MAC address of the destination host or next-hop route processor in the destination MAC address
          field of the Layer 2 frame.








Establishing a Cache Entry (Cont.)



Step 8     The route processor forwards the frame back to the MLS-SE.

Step 9     The switch knows which port needs to forward the received frame based on the CAM table. The MLS-SE also recognizes that the MAC
           address in the source field belongs to the route processor.

Step 10    This recognition triggers a check of the MLS cache for a candidate entry for this route processor. The switch
           compares the XTAG of the candidate entry in the MLS cache with the XTAG of the returned frame. If the two XTAGs match, the frame
           came from the same route processor for the same flow.

Step 11    The switch records the information from the returned frame in the MLS cache.

Step 12    The switch forwards the frame out the appropriate port using the destination MAC address.

           This second frame becomes the enable entry in the MLS cache, and the partial entry for that flow is completed.




Switching Subsequent Frames


– The following steps take place when switching subsequent frames in a flow:

Step 1     A switch receives subsequent frames in the flow.

Step 2     The switch checks the MLS cache and finds the entry matching the flow in question.

Step 3     The MLS-SE rewrites the Layer 2 frame header, changing the destination and the source MAC addresses. The Layer 3 IP addresses
           remain the same, but the IP header Time to Live (TTL) is decremented and the checksum is recomputed. The MLS-SE rewrites the
           switched Layer 3 packets so that they appear to have been routed by a route processor.

Step 4     The switch forwards the rewritten frame to the destination MAC address.
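To make the candidate/enable/shortcut sequence of the two procedures above concrete, here is an added Python simulation of an MLS-SE. It is written for this page and is not code from the CCNP course or from any Catalyst software. It assumes an ip-flow mask, a single MLS-RP whose MAC 0010.0679.5800 carries XTAG 28, the host addresses used in the slides, and a stand-in `route_processor` function with a static next hop; the IPv4 checksum is the standard RFC 1071 one's-complement sum over a minimal 20-byte header built from the packet's fields.

```python
import ipaddress
import struct
from dataclasses import dataclass, replace

RP_MAC = "0010.0679.5800"      # MLS-RP MAC learned from an MLSP hello (sample value)
RP_XTAG = 28                   # XTAG the MLS-SE assigned to that MLS-RP (sample value)
HOST_B_MAC = "0090.b133.7000"  # destination host MAC the router resolves (sample value)


@dataclass(frozen=True)
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int
    dst_port: int
    ttl: int


def ipv4_header(pkt, checksum=0):
    """Minimal 20-byte IPv4 header for pkt (no options, no payload)."""
    proto_num = {"TCP": 6, "UDP": 17}[pkt.proto]
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, pkt.ttl, proto_num,
                       checksum, ipaddress.ip_address(pkt.src_ip).packed,
                       ipaddress.ip_address(pkt.dst_ip).packed)


def rfc1071_checksum(data):
    """One's complement of the one's-complement sum of the 16-bit words in data."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_checksum(pkt):
    return rfc1071_checksum(ipv4_header(pkt))


class MlsSwitchEngine:
    """MLS-SE using an ip-flow mask: one cache entry per 5-tuple."""

    def __init__(self, rp_mac, rp_xtag):
        self.cam = {rp_mac: rp_xtag}  # router MACs with their XTAGs, learned via MLSP
        self.candidates = {}          # flow key -> XTAG of the RP the candidate went to
        self.cache = {}               # flow key -> rewrite info taken from the enable packet

    @staticmethod
    def flow_key(pkt):
        return (pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, pkt.src_port)

    def receive(self, pkt):
        """Return (action, frame) for one frame entering the switch."""
        key = self.flow_key(pkt)
        if pkt.src_mac in self.cam:
            # Frame returned from a route processor: it is the enable packet only if
            # its XTAG matches the candidate entry recorded for the same flow.
            if self.candidates.get(key) == self.cam[pkt.src_mac]:
                del self.candidates[key]
                self.cache[key] = {"src_mac": pkt.src_mac, "dst_mac": pkt.dst_mac}
            return "forward", pkt
        if key in self.cache:
            # Shortcut: rewrite MACs and TTL as the router would, bypassing it.
            entry = self.cache[key]
            return "shortcut", replace(pkt, src_mac=entry["src_mac"],
                                       dst_mac=entry["dst_mac"], ttl=pkt.ttl - 1)
        if pkt.dst_mac in self.cam:
            # First frame of a flow addressed to a known MLS-RP: candidate packet.
            self.candidates[key] = self.cam[pkt.dst_mac]
            return "to-rp", pkt
        return "l2-only", pkt


def route_processor(pkt):
    """Stand-in for the MLS-RP: new L2 header with its own source MAC, TTL - 1."""
    return replace(pkt, src_mac=RP_MAC, dst_mac=HOST_B_MAC, ttl=pkt.ttl - 1)


def run_demo():
    """Drive one UDP flow from host A through candidate, enable and shortcut handling."""
    se = MlsSwitchEngine(RP_MAC, RP_XTAG)
    first = Packet("0010.f663.d000", RP_MAC, "172.16.10.123", "172.16.22.57",
                   "UDP", 60224, 1238, 64)
    a1, _ = se.receive(first)                   # candidate packet, handed to the RP
    a2, _ = se.receive(route_processor(first))  # frame coming back = enable packet
    a3, out = se.receive(first)                 # next frame of the flow: shortcut
    return [a1, a2, a3], first, out


if __name__ == "__main__":
    actions, before, after = run_demo()
    print(actions, after.src_mac, after.dst_mac, after.ttl,
          hex(ipv4_checksum(before)), hex(ipv4_checksum(after)))
```

The first frame goes to the router as a candidate; the returned frame is accepted as the enable packet only because its source MAC maps to the same XTAG the candidate was recorded under; the next frame of the flow never reaches the router and leaves the switch with the router's MAC as source, host B's MAC as destination, TTL 63 and a recomputed checksum.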








MLS Rewrite Options


– MLS can use two options to rewrite the packet:
         • central rewrite engines
             – the MLS-SE itself is used to rewrite the packet
                      » requires the packet to traverse the bus twice
         • inline rewrite
             – the rewrite operation can be performed on the output
               module itself

                      » allows the packet to cross the bus a single time.

MLS Rewrite Modifications


– The rewrite mechanism can modify the following fields:
    • Source and Destination MAC Address
    • VLAN ID
    • TTL
    • IP Encapsulation
    • Checksums
    • Type of Service/Class of Service (ToS/CoS)






Cache Aging


– To prevent the MLS cache from overflowing, an aging process
  must be run.
   • MLS supports three separate aging times:

 Quick    Used to age out partial shortcut entries that never get completed by an enable packet.
          The aging period for these entries is fixed at 5 seconds.
 Normal   Used for the typical sort of data transfer flow. This is a user-configurable interval that can
          range from 64 to 1920 seconds, set with the set mls agingtime [agingtime] command. The
          default is 256 seconds.
 Fast     Used to age short-term data flows such as Domain Name System (DNS), ping, and Trivial
          File Transfer Protocol (TFTP). The fast aging time can be adjusted with the set mls
          agingtime fast [fastagingtime] [pkt_threshold] command.
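The three timers can be modelled in a few lines. This is an added example, not Catalyst code: the `MlsCacheAger` class, the sample flows and the reading of `pkt_threshold` as "at most this many packets seen within the fast aging window" are assumptions drawn from the descriptions above.

```python
from dataclasses import dataclass
from typing import Dict, Tuple

QUICK_AGING = 5  # seconds, fixed: partial entries that never got an enable packet


@dataclass
class CacheEntry:
    created: float          # time the candidate packet created the entry
    last_seen: float        # time of the most recent packet matching it
    packets: int = 0        # packets switched on the entry so far
    complete: bool = False  # True once the enable packet completed the entry


class MlsCacheAger:
    """Applies the quick, normal and fast aging rules to a dict of cache entries."""

    def __init__(self, normal=256, fast=None, pkt_threshold=0):
        # set mls agingtime [agingtime]: 64..1920 seconds, default 256
        if not 64 <= normal <= 1920:
            raise ValueError("normal aging time must be between 64 and 1920 seconds")
        self.normal = normal
        # set mls agingtime fast [fastagingtime] [pkt_threshold] (None = fast aging off)
        self.fast = fast
        self.pkt_threshold = pkt_threshold
        self.entries: Dict[Tuple, CacheEntry] = {}

    def candidate(self, key, now):
        """Candidate packet seen: create a partial (incomplete) entry."""
        self.entries[key] = CacheEntry(created=now, last_seen=now)

    def enable(self, key, now):
        """Enable packet seen: the partial entry becomes a usable shortcut."""
        entry = self.entries[key]
        entry.complete = True
        entry.last_seen = now

    def hit(self, key, now):
        """A frame was switched on the entry."""
        entry = self.entries[key]
        entry.packets += 1
        entry.last_seen = now

    def age(self, now):
        """Remove expired entries and report which timer expired each one."""
        expired = {}
        for key, entry in list(self.entries.items()):
            if not entry.complete and now - entry.created >= QUICK_AGING:
                expired[key] = "quick"
            elif (self.fast is not None and now - entry.created >= self.fast
                  and entry.packets <= self.pkt_threshold):
                # Short-lived flow (DNS, ping, TFTP): few packets inside the fast window.
                expired[key] = "fast"
            elif now - entry.last_seen >= self.normal:
                expired[key] = "normal"
            else:
                continue
            del self.entries[key]
        return expired


def run_demo():
    """Constructed flows: a never-completed candidate, a one-packet DNS lookup, a long transfer."""
    ager = MlsCacheAger(normal=256, fast=32, pkt_threshold=3)
    ager.candidate("partial", now=0)
    ager.candidate("dns", now=0)
    ager.enable("dns", now=0)
    ager.hit("dns", now=1)
    ager.candidate("xfer", now=0)
    ager.enable("xfer", now=0)
    for t in range(1, 11):
        ager.hit("xfer", now=t)
    return ager.age(now=5), ager.age(now=32), ager.age(now=10 + 256)


if __name__ == "__main__":
    print(run_demo())
```

Run with the default settings the partial entry is dropped after 5 seconds, the one-packet DNS flow after the 32-second fast window, and the long transfer only once it has been idle for the full normal interval.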




MLS and CEF

    •    MLS relies on the first packet to create a forwarding cache for the
         MLS-SE
    •    With CEF, all packets including the first packet are handled in
         hardware
    •    CEF uses three additional tables
        1. Forwarding Information Base (FIB)
            • Layer 3 information
        2. Adjacency Table
            • Layer 2 next hops
        3. NetFlow Table
            • Accounting data








CEF Support

• CEF is supported on:
     – Catalyst 8500 switch routers
     – Catalyst 3550 switches and newer
     – Catalyst 2948G-L3 switches
     – Catalyst 4000/4500 switches
     – Catalyst 6000/6500 switches
•   Cisco routers running Cisco IOS Software Release 12.2 or later
     – 7500 series supported CEF beginning IOS 12.0




CEF Switch Hardware Requirements

•   The Catalyst 4000 switch supports CEF in the following
    combinations:
     – With the Layer 3 Services Module
     – With the Access Gateway Module
     – With Supervisor Engine III or the recently released
       Supervisor Engine IV and V
•   For Catalyst 6000 switches:
     – Supervisor Engine 2, MSFC2, and PFC2








CEF Operation and the 6000 Sup


•    Supervisor Engine 2 consists of three primary
     components:
    1. Supervisor base board, which provides connectors for
        attaching the PFC2 and MSFC2
    2. Policy Feature Card 2 (PFC2), a factory-installed
        daughter card that provides all hardware-based
        forwarding (ASICs) and QoS
    3. Multilayer Switching Feature Card 2 (MSFC2), an
        optional daughter card that provides a CPU for all
        route calculations and routing protocol support
       • Populates the FIB and adjacency table



CEF Forwarding Info Base (FIB)


• The forwarding information base (FIB) table consists of a four-level
    hierarchical tree made up of roots and leaves
     – Derived from the 32-bit IPv4 address; each level of the hierarchy is
        one octet
•   The FIB tree is represented hierarchically, with the least-specific
    address at the top (root) and the most-specific address at the bottom (leaves)
     – The leaves become more-specific addresses as you approach the
        bottom of the tree








CEF 256-way Radix Tree

(Figure: 256-way radix tree, one level per address octet; the diagram was not recovered.)

    If the FIB table becomes full, subsequent entries are compared to the existing entries,
    and the more-specific entries are maintained at the expense of less-specific entries.
CEF Adjacency Table


• The adjacency table contents are fundamentally similar to the ARP
    process
     – When the router issues an ARP request, the reply received is
       used to add an entry to the adjacency table
•   The router can also glean next hop routers from routing updates
    and make entries in the adjacency table
     – This lets the router build the next hop rewrite information
       necessary for Layer 3 packet forwarding
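The FIB tree and the adjacency table described above can be modelled together. This is an added Python example, not Cisco CEF code: a four-level, octet-per-level trie for the FIB with longest-prefix match, plus an adjacency table keyed by next-hop IP that supplies the Layer 2 rewrite. The class names, the handling of prefixes that end mid-octet (expanded into the child slots they cover at that level, as a 256-way mtrie does), the "connected" marker meaning "the destination itself is the adjacency", and the sample routes, MACs and interfaces are all assumptions.

```python
import ipaddress


class _Node:
    __slots__ = ("children", "leaf")

    def __init__(self):
        self.children = {}  # octet value (0..255) -> _Node; up to 256 per level
        self.leaf = None    # (prefix_len, next_hop) of the most specific prefix ending here


class Fib:
    """Four-level FIB: level k of the tree is selected by octet k of the address."""

    def __init__(self):
        self.root = _Node()

    def add(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix, strict=False)
        octets = net.network_address.packed
        plen = net.prefixlen
        node = self.root
        full, rem = divmod(plen, 8)
        for i in range(full):
            node = node.children.setdefault(octets[i], _Node())
        if rem == 0:
            targets = [node]
        else:
            # A prefix that ends mid-octet fills the 2^(8-rem) slots it covers at this level.
            base = octets[full] & ((0xFF << (8 - rem)) & 0xFF)
            targets = [node.children.setdefault(base + k, _Node())
                       for k in range(1 << (8 - rem))]
        for t in targets:
            if t.leaf is None or t.leaf[0] <= plen:  # the more specific entry wins
                t.leaf = (plen, next_hop)

    def lookup(self, dst):
        """Longest-prefix match: walk one octet per level, keep the deepest leaf seen."""
        node = self.root
        best = node.leaf  # a 0.0.0.0/0 default route lives on the root
        for octet in ipaddress.ip_address(dst).packed:
            node = node.children.get(octet)
            if node is None:
                break
            if node.leaf is not None and (best is None or node.leaf[0] >= best[0]):
                best = node.leaf
        return best


class AdjacencyTable:
    def __init__(self):
        self.entries = {}  # next-hop IP -> (MAC, outgoing interface)

    def learn(self, ip, mac, interface):
        """Populate from an ARP reply (or a next hop gleaned from a routing update)."""
        self.entries[ip] = (mac, interface)

    def resolve(self, ip):
        return self.entries.get(ip)


def forward(fib, adj, dst):
    """Return (adjacency IP, MAC, interface) or None when no route exists."""
    hit = fib.lookup(dst)
    if hit is None:
        return None
    _, next_hop = hit
    target = dst if next_hop == "connected" else next_hop
    rewrite = adj.resolve(target)
    if rewrite is None:
        return (target, None, None)  # no adjacency yet: the CPU would ARP (glean)
    return (target, rewrite[0], rewrite[1])


def build_sample():
    """Constructed routing state reusing the host B addresses from the slides."""
    fib, adj = Fib(), AdjacencyTable()
    fib.add("0.0.0.0/0", "10.0.0.1")
    fib.add("172.16.0.0/16", "10.0.0.2")
    fib.add("172.16.32.0/20", "10.0.0.3")
    fib.add("172.16.22.0/24", "connected")
    adj.learn("10.0.0.1", "0000.0c00.0001", "Vlan10")
    adj.learn("10.0.0.2", "0000.0c00.0002", "Vlan10")
    adj.learn("10.0.0.3", "0000.0c00.0003", "Vlan10")
    adj.learn("172.16.22.57", "0090.b133.7000", "Vlan45")
    return fib, adj


if __name__ == "__main__":
    fib, adj = build_sample()
    for dst in ("172.16.22.57", "172.16.40.5", "172.16.10.123", "8.8.8.8"):
        print(dst, fib.lookup(dst), forward(fib, adj, dst))
```

Because each level of the tree holds prefixes of a fixed octet range of lengths, a deeper leaf is always more specific than a shallower one, which is why the walk can simply keep the last leaf it passes; the adjacency lookup that follows is what turns the FIB hit into the MAC/interface rewrite the hardware applies.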








CEF Traffic Flow Example

(Figure: CEF traffic flow example; the diagram was not recovered.)
MLS-RP Configuration


– The configuration of the MLS-RP can be completed in the
  following steps :

 Step 1   Globally enable MLS on the Route Processor for IP
          Router(config)#mls rp ip
 Step 2   Assign an MLS Virtual Trunking Protocol (VTP) domain to the interface
          Router(config-if)#mls rp vtp-domain domain-name
 Step 3   Enable MLS on the Route Processor for a specific interface
          Router(config-if)#mls rp ip
 Step 4   Specify an MLS management interface
          Router(config-if)#mls rp management-interface
 Step 5   Assign a VLAN ID to an interface
          Router(config-if)#mls rp vlan-id vlan-id-num








Null Domains

  – There are several ways in which a Route Processor and
    switch can end up in different VTP domains:
     • You can purposely place both devices in separate
       domains.
     • You can misname or mistype the VTP domain when
       configuring either the switch or the Route Processor.
     • You can enter the MLS interface command prior to
       putting the interface in a VTP domain.
         – enabling MLS on an interface before assigning the
           interface to a VTP domain places the interface in the
           null domain
             » cannot participate in MLS with the switch
             » to remove the MLS interface from a null VTP
               domain, disable MLS on the interface




Verifying MLS Configuration


– The following information is displayed by the show mls rp vtp-domain command.


 The name of the VTP domain(s) in which the MLS-RP interfaces reside

 Statistical information for each VTP domain

 The number of management interfaces defined for the MLS-RP

 The number of VLANs in this domain configured for MLS

 The ID of each VLAN configured for MLS in this domain

 The number of MLS-SEs in this domain known to the router or RSM

 The MAC address of each switch in this domain








Verifying MLS Configuration

   – The following information is displayed by the show mls rp command.

        Whether multilayer switching is globally enabled or disabled

        The MLS ID for this MLS-RP

        The MLS IP address for this MLS-RP

        The MLS flow mask

        The name of the VTP domain(s) in which the MLS-RP interfaces reside

        Statistical information for each VTP domain

        The number of management interfaces defined for the MLS-RP

        The number of VLANs configured for MLS

        The ID of each VLAN configured for this MAC address

        The number of MLS-SEs to which the router or RSM is connected

        The MAC address of each switch


MLS and Access Lists

 – MLS supports access lists
    • Relies on three mechanisms:
       – The assumption is made that if a candidate packet
         fails an access list, the router never sends an enable
         packet to complete the shortcut
       – The MLSP protocol notifies the MLS-SE to flush all
         shortcut entries if the access list is modified
       – A flow mask








Applying Flow Masks

 – The MLS-SE uses flow mask modes to determine how
   packets are compared to MLS entries in the MLS cache
    • learns the flow mask through MLSP messages from
      each MLS-RP for which the MLS-SE is performing
      Layer 3 switching
        – based on the access lists configured on the MLS
          router interfaces
    • supports only one flow mask for all MLS-RPs that are
      serviced
    • supports three flow mask modes
        – Destination-IP, Source-Destination-IP, and IP-Flow


            MLS-RP A

              interface Vlan41
               ip address 172.16.41.168 255.255.255.0
               mls rp vtp-domain bcmsn
               mls rp management-interface
               mls rp ip

            No Access List

 Router#show mls rp
 multilayer switching is globally enabled
 mls id is 0010.f6b3.d000
 mls ip address 172.16.41.168
 mls flow mask is destination-ip
 number of domains configured for mls 1
 vlan domain name: bcmsn
   current flow mask: destination-ip

 (Figure callout "Flow Mask" points at the two flow mask lines of the output.)




Destination-IP Mode


– destination-ip mode
    • the default flow mask
    • also referred to as a destination flow mask
    • represents the least-specific flow mask
    • used if there are no access lists configured on any of the
      MLS router interfaces
– The MLS-SE maintains one MLS entry for each destination IP
  address. All flows to a given destination IP address use this
  MLS entry.

            MLS-RP B

              interface Vlan11
               ip address 172.16.11.113 255.255.255.0
               ip access-group 2 out
               mls rp vtp-domain bcmsn
               mls rp management-interface
               mls rp ip

            Standard Access List

 Router#show mls rp
 multilayer switching is globally enabled
 mls id is 0010.f6b3.d000
 mls ip address 172.16.31.113
 mls flow mask is source-destination-ip
 number of domains configured for mls 1
 vlan domain name: Engineering
   current flow mask: source-destination-ip

 (Figure callout "Flow Mask" points at the two flow mask lines of the output.)




Source-Destination-IP Mode


– source-destination-ip mode
    • also referred to as a destination-source flow mask
    • used if there is a standard access list on any of the MLS
      interfaces
– The MLS-SE maintains one MLS entry for each source and
  destination IP address pair. All flows between a given source
  and destination use this MLS entry regardless of the IP
  protocol ports.



            MLS-RP C

              interface Vlan11
               ip address 172.16.11.113 255.255.255.0
               ip access-group 101 out
               mls rp vtp-domain bcmsn
               mls rp management-interface
               mls rp ip

            Extended Access List

 multilayer switching is globally enabled
 mls id is 0010.f6b3.d000
 mls ip address 172.16.31.113
 mls flow mask is ip-flow
 number of domains configured for mls 1
 vlan domain name: Engineering
   current flow mask: ip-flow

 (Figure callout "Flow Mask" points at the two flow mask lines of the output.)




IP-Flow Mode


– ip-flow mode
   • also referred to as a full flow mask
   • represents the most specific flow mask
   • used if there is an extended access list on any MLS interface
– The MLS-SE creates and maintains a separate MLS cache
  entry for every IP flow. An ip-flow entry includes the source IP
  address, destination IP address, protocol, and protocol ports.




(Figure: an extended access list (ip access-group 101 out) is applied on the MLS-RP (MAC 0010.0679.5800, IP 172.16.10.13) between host A (0010.f663.d000, 172.16.10.123) and host B (0090.b133.7000, 172.16.22.57). MLS Cache Entries for Flow AB Are Purged.)




(Figure: after the purge, the flow from host A (0010.f663.d000, 172.16.10.123) to host B (0090.b133.7000, 172.16.22.57) is relearned through the MLS-RP (MAC 0010.0679.5800, IP 172.16.10.13, ip access-group 101 out) with a new candidate/enable exchange.)

    Candidate Packet
    L3 Information: Source IP = 172.16.10.123, Destination IP = 172.16.22.57
    L2 Information: Source MAC = 0010.f663.d000, Destination MAC = 0010.0679.5800

    Enable Packet
    L3 Information: Source IP = 172.16.10.123, Destination IP = 172.16.22.57
    L2 Information: Source MAC = 0010.0679.5800, Destination MAC = 0090.b133.7000

    New MLS Cache Entry for Flow AB
    Destination IP   Source IP       Port   DstPrt   SrcPrt   Destination Mac     Vlan   Port
    172.16.22.57     172.16.10.123   TCP    7001     7004     00-90-b1-33-70-00   68     2/9
Output ACLs and Flow Masks


– If an extended access list is applied to the router interface, the
  MLS-SE learns of the change from the MLS-RP through MLSP and
  immediately enforces the new access list for the affected flows.
    • The MLS-SE enforces the output access list by purging every
      entry for flows on that interface from the MLS cache.
    • Subsequent entries are relearned: the first packet of each flow
      is sent to the Route Processor as a candidate packet, and the
      flow is cached in the MLS cache when the packet returns from
      the Route Processor as an enable packet.
    • If the packet is denied by the access list, it never makes it
      back to the switch as an enable packet and is never cached, so
      every packet of a denied flow keeps going to the Route
      Processor, which drops it.
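The flow-mask and output-ACL behaviour described above, as an added Python model that is not Cisco code and not from the original slides: the cache key is derived from the active flow mask (destination-ip, source-destination-ip, or ip-flow, the last of which keys on source IP, destination IP, protocol and ports as stated earlier), a cache miss sends a candidate packet to the MLS-RP and caches the entry only when an enable packet comes back, and an MLSP notification of an extended output ACL switches the mask to ip-flow and purges the cache. The RouteProcessor and SwitchingEngine classes, the mlsp_output_acl_applied call, and the contents of ACL 101 (the slides apply it but never list it) are assumptions constructed for this example; the addresses, MACs, VLANs and port 2/4 are the ones on the slides.

```python
"""Model of an MLS-SE flow cache and the output-ACL purge/relearn behaviour.

Added example, not Cisco code. The MLS-RP, the MLSP notification and the
contents of ACL 101 are stand-ins constructed for this illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str        # "TCP", "UDP", ...
    src_port: int
    dst_port: int


@dataclass
class CacheEntry:
    dst_mac: str      # rewritten destination MAC (next hop)
    vlan: int         # egress VLAN
    port: str         # egress switch port


# The three MLS flow masks: each selects the header fields that form the cache key.
# destination-ip is the default; a standard ACL forces source-destination-ip and an
# extended ACL forces ip-flow, so the cache can only match what the ACL matched on.
FLOW_MASKS: Dict[str, Callable[[Packet], Tuple]] = {
    "destination-ip": lambda p: (p.dst_ip,),
    "source-destination-ip": lambda p: (p.dst_ip, p.src_ip),
    "ip-flow": lambda p: (p.dst_ip, p.src_ip, p.proto, p.dst_port, p.src_port),
}


class RouteProcessor:
    """MLS-RP stand-in: connected-VLAN routes, a host table (ARP/CAM) and output ACLs."""

    def __init__(self, connected: Dict[str, int], hosts: Dict[str, Tuple[str, str]]):
        self.connected = {ipaddress.ip_network(n): v for n, v in connected.items()}
        self.hosts = hosts                                          # ip -> (mac, port)
        self.output_acl: Dict[int, Callable[[Packet], bool]] = {}   # egress VLAN -> permit?

    def egress_vlan(self, dst_ip: str) -> int:
        addr = ipaddress.ip_address(dst_ip)
        return next(v for n, v in self.connected.items() if addr in n)

    def route(self, pkt: Packet) -> Optional[CacheEntry]:
        """Route a candidate packet. Returns the enable-packet information the
        MLS-SE will cache, or None when the interface's output ACL denies it."""
        vlan = self.egress_vlan(pkt.dst_ip)
        acl = self.output_acl.get(vlan)
        if acl is not None and not acl(pkt):
            return None                          # dropped at the RP: no enable packet
        mac, port = self.hosts[pkt.dst_ip]
        return CacheEntry(mac, vlan, port)


class SwitchingEngine:
    """MLS-SE stand-in: flow cache plus counters for candidate vs. shortcut packets."""

    def __init__(self, rp: RouteProcessor):
        self.rp = rp
        self.flow_mask = "destination-ip"
        self.cache: Dict[Tuple, CacheEntry] = {}
        self.sent_to_rp = 0
        self.hw_switched = 0

    def forward(self, pkt: Packet) -> Optional[CacheEntry]:
        key = FLOW_MASKS[self.flow_mask](pkt)
        hit = self.cache.get(key)
        if hit is not None:
            self.hw_switched += 1                # shortcut: the RP never sees it
            return hit
        self.sent_to_rp += 1                     # candidate packet goes to the RP
        entry = self.rp.route(pkt)
        if entry is not None:                    # enable packet returned: cache it
            self.cache[key] = entry
        return entry

    def mlsp_output_acl_applied(self, vlan: int, acl: Callable[[Packet], bool],
                                extended: bool) -> None:
        """What the MLS-SE does when MLSP reports an output ACL on interface VLAN <vlan>."""
        self.rp.output_acl[vlan] = acl
        new_mask = "ip-flow" if extended else "source-destination-ip"
        if new_mask != self.flow_mask:
            self.flow_mask = new_mask
            self.cache.clear()                   # key shape changed: nothing is reusable
        else:
            self.cache = {k: e for k, e in self.cache.items() if e.vlan != vlan}


def acl101(p: Packet) -> bool:
    """Constructed ACL 101 (the slides never list it): permit TCP from 172.16.10.0/24
    to 172.16.22.57 port 7001; implicit deny for everything else."""
    return (p.proto == "TCP" and p.dst_port == 7001 and p.dst_ip == "172.16.22.57"
            and ipaddress.ip_address(p.src_ip) in ipaddress.ip_network("172.16.10.0/24"))


def demo() -> Dict[str, object]:
    rp = RouteProcessor(connected={"172.16.10.0/24": 41, "172.16.22.0/24": 42},
                        hosts={"172.16.22.57": ("00-90-b1-33-70-00", "2/4")})
    se = SwitchingEngine(rp)
    app = Packet("172.16.10.123", "172.16.22.57", "TCP", 7003, 7001)
    telnet = Packet("172.16.10.123", "172.16.22.57", "TCP", 7004, 23)
    se.forward(telnet)            # candidate packet; creates a destination-ip entry
    se.forward(app)               # same destination, so it rides the Telnet entry
    hits_before = se.hw_switched
    se.mlsp_output_acl_applied(vlan=42, acl=acl101, extended=True)
    purged = len(se.cache)
    relearned = se.forward(app) is not None
    denied = se.forward(telnet) is None
    se.forward(telnet)            # still a candidate: denied flows are never cached
    return {"hits_before_acl": hits_before, "entries_after_purge": purged,
            "flow_mask": se.flow_mask, "app_relearned": relearned,
            "telnet_denied": denied, "cache_size": len(se.cache),
            "sent_to_rp": se.sent_to_rp}
```

Running demo() shows the three consequences worth checking on a real box: before the ACL, a second flow to the same host is shortcut-switched on the first flow's destination-ip entry, nothing survives the purge once the mask becomes ip-flow, and the denied Telnet flow is handed to the MLS-RP on every packet because no entry is ever created for it, so a denied flow costs router CPU per packet rather than none.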





Input ACL MLS Configuration


– Routers running Cisco IOS Release 11.3 or later do not
  automatically support input access lists on an interface
  configured for MLS; without the command below, traffic through
  an interface that has an input access list is routed rather than
  multilayer switched.

   • To allow multilayer switching to cooperate with input
     access lists, enter the following global configuration
     command on the MLS-RP:

         Router(config)#mls rp ip input-acl




Enabling/Disabling MLS

– MLS is enabled by default on the Catalyst series switches that
  support Layer 3 switching.
   • If the MLS-RP is an RSM, RSFC, MSFC, or MSFC II, no
     configuration is needed on the switch in which the MLS-RP
     resides.
   • Configuring the switch is necessary when either of the
     following is true:
       – The MLS-RP is an external router.
       – The aging time for MLS cache entries is other than the
         default.
   • If Layer 3 switching has been disabled on a switch, re-enable
     it with the following command in privileged EXEC mode on the
     switch:
         Switch> (enable) set mls enable




Adding an External Router


– The switch must be manually configured to recognize an
  externally attached MLS-RP.
   • To manually include an external MLS-RP, enter the
     following command:
         Switch> (enable) set mls include ip-addr
Note: Perform this command only for external routers




Verifying MLS Configuration


– The show mls command on an MLS-SE displays the following:

   • Whether multilayer switching is enabled on the switch
   • The aging time, in seconds, for an MLS cache entry
   • The fast aging time, in seconds, and the packet threshold for a flow
   • The flow mask
   • Total packets switched
   • The number of active MLS entries in the cache
   • Whether NetFlow data export is enabled and, if so, for which port and host
   • The MLS-RP IP address, MAC address, XTAG, and supported VLANs





Displaying MLS Cache Entries


                 Command                                                    Displays

Switch> (enable) show mls rp                                   information about a specific MLS-RP
Switch> (enable) show mls entry                                MLS cache entries
Switch> (enable) show mls entry destination ip-address         MLS cache entries for a specific destination IP address
Switch> (enable) show mls entry source ip-address              MLS cache entries for a specific source IP address
Switch> (enable) show mls entry rp ip-address                  MLS cache entries for a specific MLS-RP
Switch> (enable) show mls entry flow protocol source-port destination-port
                                                               MLS cache entries for a specific IP flow





Removing MLS Cache Entries


                 Command                                                    Removes

Switch> (enable) clear mls entry                               all MLS cache entries
Switch> (enable) clear mls entry destination ip-address        MLS cache entries for a specific destination IP address
Switch> (enable) clear mls entry source ip-address             MLS cache entries for a specific source IP address
Switch> (enable) clear mls entry rp ip-address                 MLS cache entries for a specific MLS-RP
Switch> (enable) clear mls entry flow protocol source-port destination-port
                                                               MLS cache entries for a specific IP flow

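A parser for the cache table that show mls entry prints, with the same selectors the show and clear variants above take (destination ip-address, source ip-address, and flow protocol source-port destination-port); added example, not Cisco code. The sample output is constructed in the column layout the slides show (the Port column before DstPrt is the IP protocol) and was not captured from a switch; the entries_touching_host helper is an assumption that collects what clear mls entry destination and clear mls entry source together remove when a host changes port or address.

```python
"""Parse 'show mls entry' output and apply the show/clear mls entry selectors.

Added example, not Cisco code. SAMPLE_OUTPUT is constructed in the slide's column
layout, not captured from a switch.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample, laid out like the cache table on the slides (Port = protocol).
SAMPLE_OUTPUT = """\
Destination IP  Source IP       Port   DstPrt SrcPrt Destination Mac    Vlan Port
--------------- --------------- ------ ------ ------ ------------------ ---- -----
172.16.22.57    172.16.10.123   TCP    7001   7003   00-90-b1-33-70-00  42   2/4
172.16.22.57    172.16.10.99    TCP    23     40010  00-90-b1-33-70-00  42   2/4
172.16.10.123   172.16.22.57    TCP    7003   7001   00-10-f6-63-d0-00  41   2/9
172.16.22.200   172.16.10.123   UDP    53     51000  00-e0-1e-12-34-56  42   2/11
"""

# One data row: dst ip, src ip, protocol, dst port, src port, MAC, VLAN, port.
ROW = re.compile(
    r"^(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+(\d+)\s+(\d+)\s+"
    r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\d+)\s+(\S+)$", re.IGNORECASE)

Entry = Dict[str, object]


def parse_show_mls_entry(text: str) -> List[Entry]:
    entries: List[Entry] = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue                    # header, separator, prompt or blank line
        dst, src, proto, dport, sport, mac, vlan, port = m.groups()
        entries.append({"dst_ip": dst, "src_ip": src, "proto": proto.upper(),
                        "dst_port": int(dport), "src_port": int(sport),
                        "dst_mac": mac.lower(), "vlan": int(vlan), "port": port})
    return entries


def select(entries: List[Entry], destination: Optional[str] = None,
           source: Optional[str] = None,
           flow: Optional[Tuple[str, int, int]] = None) -> List[Entry]:
    """Filter like 'show|clear mls entry destination <ip>', '... source <ip>' and
    '... flow <protocol> <source-port> <destination-port>'; selectors AND together."""
    out: List[Entry] = []
    for e in entries:
        if destination is not None and e["dst_ip"] != destination:
            continue
        if source is not None and e["src_ip"] != source:
            continue
        if flow is not None:
            proto, sport, dport = flow
            if (e["proto"], e["src_port"], e["dst_port"]) != (proto.upper(), sport, dport):
                continue
        out.append(e)
    return out


def entries_touching_host(entries: List[Entry], ip: str) -> List[Entry]:
    """Entries that must go when a host moves or is re-addressed: those where it is
    the destination (clear mls entry destination) plus those where it is the source
    (clear mls entry source). Clearing only one direction leaves stale shortcuts."""
    return select(entries, destination=ip) + select(entries, source=ip)
```

The regular expression is deliberately anchored on two dotted-quad addresses and a dashed MAC so that the header and separator lines fall through without special-casing; a row in a different flow-mask mode (where the port columns would not be numeric) simply does not parse and can be added to ROW when that output is in hand.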




[Figure: packet flow between hosts A and B through routers R1 and R2, with R2 acting as the MLS-RP and the MLS-SE in the path; steps 1 to 6 are numbered on the diagram.]

[Figure: hosts A and B connected through three cascaded switches (MLS-SE1, MLS-SE2, MLS-SE3) below a single MLS-RP; steps 1 to 10 are numbered on the diagram.]





[Figure, two panels: spanning-tree topology with the MLS-RP attached to S1, switches S2 to S7 below it, and hosts A and B at the bottom; one port (marked X) is in the blocking state. The arrows in each panel mark the forwarding path between A and B.]





[Figure, two panels: hosts A and B in VLAN 41 and VLAN 42, each VLAN served by its own MLS-RP and MLS-SE pair (MLS-RP 1 with MLS-SE 1, MLS-RP 2 with MLS-SE 2). In the first panel the two switches are joined by an ISL link; in the second by two links (Link 1 and Link 2). The slide titles and a note on the second panel did not survive extraction; only the words "ISL", "Interface", "Link", "MLS" and "Enable" remain of the note.]





[Figure: MLS port designation. The MLS-RP routing table shows

  C  172.16.10.0 is directly connected, VLAN41
  C  172.16.22.0 is directly connected, VLAN 42

Host A (172.16.10.123) is on interface VLAN41; host B (172.16.22.57) is on interface VLAN42 behind port 2/4. The MLS-SE cache holds:]

  Destination IP   Source IP       Port   DstPrt   SrcPrt   Destination Mac      Vlan   Port
  ---------------  --------------  -----  -------  -------  -------------------  -----  -----
  172.16.22.57     172.16.10.123   TCP    7001     7003     00-90-b1-33-70-00    42     2/4

[Figure: host B (172.16.22.57) has moved to port 2/7. The routing table is unchanged (172.16.10.0 on VLAN41, 172.16.22.0 on VLAN 42). The next packet from A is sent to the MLS-RP as a candidate packet, the old entry for the flow is flushed from the MLS cache, and the enabled packet is forwarded to B. The cache table on the slide is empty at this point:]

  Destination IP   Source IP       Port   DstPrt   SrcPrt   Destination Mac      Vlan   Port
  ---------------  --------------  -----  -------  -------  -------------------  -----  -----





[Figure: new MLS cache entry after the move. The slide's routing table reads

  C  172.16.68.0 is directly connected, VLAN41
  C  172.16.22.0 is directly connected, VLAN 42

and host B (172.16.22.57) is now behind port 2/7. The cache entry as printed on the slide:]

  Destination IP   Source IP       Port   DstPrt   SrcPrt   Destination Mac      Vlan   Port
  ---------------  --------------  -----  -------  -------  -------------------  -----  -----
  172.16.22.57     172.16.10.123   TCP    7001     7003     00-90-b1-33-70-00    41     2/7

Return to Ver 4.0




•   Go to the CCNP3 Ver.4.0 Presentation (MLS switching)








The End




      Cisco Networking Academy





				
Posted 12/1/2011; 122 pages.