Module 5: Implementing Inter-VLAN Routing
Origin: Cisco Academic Press. Update: (2y) HoonJae Lee, e-mail: hjlee@dongseo.ac.kr, Homepage: http://kowon.dongseo.ac.kr/~hjlee, http://crypto.dongseo.ac.kr
Module 4. Implementing Inter-VLAN Routing (Cisco flash v5.0, MCMSN v5.0 module 4), Dongseo University, HoonJae Lee
4.1 Describing Routing Between VLANs
4.2 Enabling Routing Between VLANs
4.3 Deploying CEF-Based Multilayer Switching
4.4 Inter-VLAN Routing Lab Exercises
Inter-VLAN Routing
A VLAN is a logical group of ports, usually belonging to a single IP subnet, used to control the size of the broadcast domain. Even though devices in different VLANs may be physically connected to the same switch, as shown in the previous slides, they cannot communicate without the services of a default gateway, a router. Because VLANs isolate traffic to a defined broadcast domain and subnet, network devices in different VLANs cannot communicate with each other without a router. This is known as inter-VLAN routing.
Inter-VLAN Routing
The following devices are capable of providing inter-VLAN routing:
1. Any Layer 3 multilayer Catalyst switch
2. Any external router with an interface that supports trunking (router-on-a-stick)
3. Any external router or group of routers with a separate interface in each VLAN, or with a trunk port: a single trunk link between the switch and the router that carries the traffic of multiple VLANs, which the router in turn routes between.
Router On a Stick
Router on a stick is very simple to implement because routers are usually available in every network. Most enterprise networks, however, use multilayer switches to achieve high packet-processing rates through hardware switching. Multilayer (Layer 3) switches usually have packet-switching throughputs in the millions of packets per second (pps), whereas traditional general-purpose routers provide packet switching in the range of 100,000 pps to just over 1 million pps (note: roughly 1/10 the speed).
ASICs provide wire-speed forwarding; the routing table and access control lists (ACLs) are stored in CAM and TCAM.
Frame Rewrite

When a routed frame is forwarded:
- The source MAC address changes from the sender's MAC address to the router's MAC address.
- The destination MAC address changes from the router's MAC address to the next-hop MAC address.
- The TTL is decremented by one and, as a result, the IP header checksum is recalculated.
- The frame checksum (FCS) is recalculated.
CAM and TCAM

Routing, switching, ACL, and QoS tables are stored in high-speed table memory so that forwarding decisions and restrictions can be made in high-speed hardware. Cisco Catalyst switches create and use two primary table architectures:
- CAM (content addressable memory): two results, 0 (true) or 1 (false). Used for MAC address tables.
- TCAM (ternary content addressable memory): ternary logic, three results, 0 (don't care), 1 (true), 2 (false). Used for IP tables: routing, ACL, QoS.
CAM Application

(Figure: a Layer 2 lookup keyed on VLAN ID and destination MAC address.)

The information a switch uses to perform a lookup in a CAM table is called a key. For example, a Layer 2 lookup would use a destination MAC address and a VLAN ID as a key.
TCAM

In specific high-end switch platforms, the TCAM is a portion of memory designed for rapid, hardware-based table lookups of Layer 3 and Layer 4 information. In the TCAM, a single lookup provides all Layer 2 and Layer 3 forwarding information for frames, including CAM and ACL information.

How the values are stored in the TCAM, for example for this ACL:
    access-list 101 permit ip host 10.1.1.1 any
    access-list 101 deny ip 10.1.1.0 0.0.0.255 any

Longest-match region: Each longest-match region consists of groups of Layer 3 address entries (buckets) organized in decreasing order by mask length. All entries within a bucket share the same mask value and key size. The buckets can change their size dynamically by borrowing address entries from neighboring buckets. Although the size of the whole protocol region is fixed, you can reconfigure it; the reconfigured size of the protocol region takes effect only after the next system reboot.

First-match region: The first-match region consists of ACL entries. Lookup stops after the first match of the entry.
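To make the two TCAM regions concrete, here is an added software model (not Cisco code and not from the original slides) of ternary matching. Each entry carries a value and a care-mask; the first-match region holds access-list 101 from the slide (matching on the source address only), and the longest-match region holds constructed prefixes sorted by decreasing mask length, so that the first hit in region order is the longest prefix. The next hops 192.168.1.1 and 192.168.1.5 are assumed values.

```python
"""Software model of the two TCAM regions described above: a first-match region
for ACL entries and a longest-match region for prefixes. Added example, not
Cisco code; the ACL entries mirror access-list 101 from the slide, the route
prefixes and next hops are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class TcamEntry:
    value: int   # bit pattern to compare against
    mask: int    # 1 = care, 0 = don't care (the ternary "X")
    result: str  # ACL action or next hop

    def matches(self, key: int) -> bool:
        # Hardware compares every entry in parallel; in software we mask both sides.
        return (key & self.mask) == (self.value & self.mask)


def ip_to_int(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def acl_entry(address: str, wildcard: str, action: str) -> TcamEntry:
    """Build a ternary entry from an IOS address/wildcard pair. In a wildcard
    mask a 1 bit means 'don't care', so the TCAM care-mask is its inverse."""
    care = (~ip_to_int(wildcard)) & 0xFFFFFFFF
    return TcamEntry(ip_to_int(address), care, action)


# First-match region: order matters, lookup stops at the first hit.
ACL_101: List[TcamEntry] = [
    acl_entry("10.1.1.1", "0.0.0.0", "permit"),       # access-list 101 permit ip host 10.1.1.1 any
    acl_entry("10.1.1.0", "0.0.0.255", "deny"),       # access-list 101 deny ip 10.1.1.0 0.0.0.255 any
    acl_entry("0.0.0.0", "255.255.255.255", "deny"),  # implicit deny any at the end of every ACL
]


def first_match(region: List[TcamEntry], ip: str, default: str = "deny") -> str:
    key = ip_to_int(ip)
    for entry in region:
        if entry.matches(key):
            return entry.result
    return default


def prefix_entry(cidr: str, next_hop: str) -> TcamEntry:
    net = ipaddress.IPv4Network(cidr)
    return TcamEntry(int(net.network_address), int(net.netmask), next_hop)


# Longest-match region: buckets ordered by decreasing mask length, so the
# first hit in region order is the longest prefix. Next hops are constructed.
ROUTES: List[TcamEntry] = sorted(
    [
        prefix_entry("0.0.0.0/0", "192.168.1.1"),
        prefix_entry("10.1.0.0/16", "192.168.1.5"),
        prefix_entry("10.1.2.0/24", "connected-vlan2"),
    ],
    key=lambda e: bin(e.mask).count("1"),
    reverse=True,
)


def longest_match(region: List[TcamEntry], dst_ip: str) -> str:
    return first_match(region, dst_ip, default="no-route")


if __name__ == "__main__":
    print(first_match(ACL_101, "10.1.1.1"), first_match(ACL_101, "10.1.1.77"))
    print(longest_match(ROUTES, "10.1.2.20"), longest_match(ROUTES, "8.8.8.8"))
```

The same `matches` test serves both regions; what differs is only how the entries are ordered, which is exactly why the slide describes ACL entries as first-match and prefix buckets as sorted by mask length.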
4.2 Enabling Routing Between VLANs
Layer 3 Interfaces
The Catalyst multilayer switches support three different types of Layer 3 interfaces:
- Routed port: a pure Layer 3 interface similar to a routed port on a Cisco IOS router.
- Switch virtual interface (SVI): a virtual VLAN interface for inter-VLAN routing. In other words, SVIs are the virtual routed VLAN interfaces.
- Bridge virtual interface (BVI): a Layer 3 virtual bridging interface. (Not discussed.)
A routed port has the following characteristics and functions:
- Physical switch port with Layer 3 capability
- Not associated with any VLAN
- Serves as the default gateway for devices out that switch port
- Layer 2 port functionality must be removed before it can be configured
Switch virtual interfaces (SVIs) are Layer 3 interfaces configured on multilayer (Layer 3) Catalyst switches and used for inter-VLAN routing. An SVI is a virtual VLAN interface associated with a VLAN ID, enabling routing capability on that VLAN. Note: these are virtual interfaces!
To configure communication between VLANs, you must configure each SVI with an IP address and subnet mask in the chosen address range for that subnet. The IP address associated with the VLAN interface is the default gateway of the workstation.
Layer 3 SVI

An SVI is configured for the following reasons:
- To provide a default gateway for a VLAN so that traffic can be routed between VLANs
- To provide fallback bridging if it is required for non-routable protocols
- To provide Layer 3 IP connectivity to the switch
- To support routing protocol and bridging configurations
4.3 Deploying CEF-Based Multilayer Switching
Route processors include:
- Route Switch Module (RSM): 4000, 5000, 6000, 7000
- Route Switch Feature Card (RSFC): 5000
- Multilayer Switch Module (MSM): 6000
- Multilayer Switch Feature Card (MSFC): 6000
Other terms used: Layer-3 Card or Layer-3 Blade; MultiLayer Switch Route Processor (MLS-RP), the router in the network (handles the first packet in every flow).
Introduction to MLS
MLS is a technology used by a small number of older Catalyst switches to provide wire-speed routing. MLS is sometimes described as "route once, switch many": the first packet of a flow is routed by the router in software, and the remaining packets are forwarded in hardware by the switch.
Introduction to CEF
CEF is the technology used by newer Cisco devices to provide wire-speed routing. Unlike MLS, which requires the route processor to route the first packet of a flow, CEF enables packet switching to circumvent the route processor altogether. This is accomplished by a communication process between the route processor and the switch processor that creates the shortcut information before the first packet arrives: "route never, switch always".
Multilayer Switching

(Figure: Traditional MLS and CEF-Based MLS.)

Multilayer switching refers to the ability of a Catalyst switch to support switching and routing of packets in hardware, with optional support for Layers 4 through 7 switching in hardware as well. Hardware switching: a route processor (Layer 3 engine) must download software-based routing, switching, access list, QoS, and other information to the hardware for packet processing.
To accomplish multilayer switching (packet processing in hardware), Cisco Catalyst switches use either:
- Traditional multilayer switching (traditional MLS), or
- the Cisco Express Forwarding (CEF)-based MLS architecture.
Traditional MLS is a legacy feature, whereas all leading-edge Catalyst switches support CEF-based multilayer switching (CEF-based MLS).
Multilayer Switching
The term multilayer switching (MLS) is a general networking term that refers to hardware-based PDU header rewriting and forwarding, based on information specific to one or more OSI layers. When used in the context of this class, MLS refers to Cisco MLS.
Traditional MLS
MLS enables specialized application-specific integrated circuits (ASICs) to perform Layer 2 rewrite operations of routed packets. Layer 2 rewrites include rewriting the source and destination MAC addresses and writing a recalculated cyclic redundancy check (CRC). Because the source and destination MAC addresses change during Layer 3 rewrites, the switch must recalculate the CRC for these new MAC addresses.
Traditional MLS
For Catalyst switches that support traditional MLS, the switch learns Layer 2 rewrite information from an MLS router via an MLS protocol. Also known as netflow-based switching. With traditional MLS, the Layer 3 engine (route processor) and switching ASICs work together to build Layer 3 entries on the switch. Each entry contains a source, a source and destination, or full flow information including Layer 4 protocol information.
Traditional MLS

(Figure: first packet of the flow. Ethernet header: D-MAC 00-00-0C-11-11-11, S-MAC 00-AA-00-11-11-11. IP header: S-IP 10.1.1.10, D-IP 10.1.2.20. IP data.)

With traditional MLS, the switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching. After the routing of the first packet in the flow, the Layer 3 engine programs the hardware-switching components for routing of subsequent packets.
Traditional MLS

(Figure: candidate packet from Host A arrives at the MLS-SE on its way to the MLS-RP. Ethernet header: D-MAC 00-00-0C-11-11-11, S-MAC 00-AA-00-11-11-11. IP header: S-IP 10.1.1.10, D-IP 10.1.2.20. IP data.)

Candidate Packet Info recorded by the MLS-SE: Layer 3 Info S-IP 10.1.1.10, D-IP 10.1.2.20; Layer 2 Info S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11.

MLS-SE: "The destination MAC address is one of the router's interfaces. There is not an existing flow, so I will flag this as a candidate packet."
Traditional MLS

(Figure: enabler packet returned by the MLS-RP to the MLS-SE. Ethernet header: D-MAC 00-AA-00-22-22-22, S-MAC 00-00-0C-22-22-22. IP header: S-IP 10.1.1.10, D-IP 10.1.2.20. IP data.)
Traditional MLS

Candidate Packet Info: Layer 3 Info S-IP 10.1.1.10, D-IP 10.1.2.20; Layer 2 Info S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11.

MLS-SE, on future packets of the flow: "Found match in MLS Cache, rewrite Ethernet header and send directly to Host B, forget the router!"

MLS Cache entry for this flow:
Dst IP 10.1.2.20 | Src IP 10.1.1.10 | Port TCP | Dst Port 23 | Dst MAC 00-AA-00-22-22-22 | Src MAC 00-00-0C-22-22-22 | VLAN 2 | Interface 3/1
CEF-based MLS
CEF

The CEF-based MLS forwarding model is used to download control plane information, such as access lists, to the data plane on the supervisor, port, or line card for hardware switching of packets. The control plane represents the Layer 3 engine (route processor); the data plane represents the hardware components, such as ASICs, used by the switch for hardware switching. CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB). As a result of this prepopulation, Catalyst switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses.
CEF

(Figure: the IP routing table feeding the FIB.)

The two main components of CEF are the FIB and the adjacency table.

Forwarding information base (FIB): used to make IP destination prefix-based switching decisions. It is similar to a routing table or information base and maintains a mirror image of the forwarding information contained in the IP routing table. When routing or topology changes occur in the network, the IP routing table is updated, and those changes are reflected in the FIB. The FIB maintains next-hop address information based on the information in the IP routing table. In the context of CEF-based MLS, both the Layer 3 engine and the hardware-switching components maintain a FIB.
CEF

Adjacency tables: network nodes are said to be adjacent if they can reach each other with a single hop across a link layer (OSPF, EIGRP). A router normally maintains:
- a routing table containing Layer 3 network and next-hop information, and
- an ARP table containing Layer 3 to Layer 2 address mapping.
These tables are kept independently.
CEF

Adjacency tables: recall that the FIB keeps the Layer 3 next-hop address for each entry. To streamline packet forwarding even more, the FIB has corresponding Layer 2 information for every next-hop entry. This portion of the FIB is called the adjacency table, consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop.
CEF

(Figure callout: no ARP entry, so the L3 forwarding engine can't forward the packet in hardware and must send it to the L3 engine.)

Adjacency tables (summary, more detail coming): the adjacency table information is built from the ARP table. As a next-hop address receives a valid ARP entry, the adjacency table is updated. If an ARP entry does not exist, the FIB entry is marked as CEF glean. This means that the Layer 3 forwarding engine can't forward the packet in hardware, due to the missing Layer 2 next-hop address. The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply. This is known as the CEF glean state, where the Layer 3 engine must glean the next-hop destination's MAC address.
CEF

Adjacency tables: during the time that a FIB entry is in the CEF glean state waiting for ARP resolution, subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy with duplicate ARP requests. This is called ARP throttling or throttling adjacency. If an ARP reply is not received in two seconds, the throttling is released so that another ARP request can be triggered. Otherwise, after an ARP reply is received, the throttling is released, the FIB entry can be completed, and packets can be forwarded completely in hardware.
Identifying the Multilayer Switch Packet Forwarding Process

An example of ARP throttling, which consists of these steps:
Step 1: Host A sends a packet to host B.
Step 2: The switch forwards the packet to the Layer 3 engine based on the glean entry in the FIB. A glean adjacency entry indicates that a particular next hop should be directly connected, but there is no MAC header rewrite information available.
Step 3: The Layer 3 engine sends an ARP request for host B and installs the drop adjacency for host B. At this point, subsequent frames destined for host B from host A are dropped (ARP throttling).
Step 4: Host B responds to the ARP request. The Layer 3 engine installs an adjacency for host B and removes the drop adjacency.
ARP Throttling

When a router is directly connected to a multiaccess segment (Ethernet), the router maintains an additional prefix for the subnet. This subnet prefix points to a glean adjacency. When a router receives a packet that needs to be forwarded to a specific host, the adjacency database is searched for the specific prefix. If the prefix does not exist, the subnet prefix is consulted. The glean adjacency indicates that any address in this range should be forwarded to the Layer 3 engine for ARP processing.
ARP Throttling

1. Host A sends a packet to Host B. The CEF lookup shows a glean adjacency (no ARP entry exists, so there is no entry in the adjacency table). No rewrite information exists.
2. The packet is passed to the Layer 3 engine for processing.
ARP Throttling

(Figure: the L3 engine sends an ARP Request for Host B.)

3. Obtaining rewrite information: the L3 engine sends an ARP Request for Host B and waits for the ARP Reply. Throttling adjacency: while in the glean state, subsequent packets to that host are dropped, so that input queues do not fill and the Layer 3 engine isn't busy with duplicate ARP Requests. (Note: Cisco routers drop the first packet when there is no ARP entry, while sending the ARP Request.)

The throttling adjacency is removed when no ARP Reply is received in 2 seconds. This allows another packet to initiate a new ARP Request. The throttling adjacency relieves the Layer 3 engine of excessive ARP processing or ARP-based DoS attacks.
ARP Throttling

4. Host B responds with an ARP Reply.
ARP Throttling

(Figure: Host B, 10.20.10.2.)

5. The Layer 3 engine installs the adjacency for Host B and removes the throttling (drop) adjacency. Next: packet rewrite (coming!).
Verifying CEF
Switch#show interface fastethernet 3/3 | begin L3
L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 12 pkt, 778 bytes mcast
L3 out Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
4046399 packets input, 349370039 bytes, 0 no buffer
Received 3795255 broadcasts, 2 runts, 0 giants, 0 throttles
.....
Switch#
Switch#show interfaces gigabitethernet 9/5 | include switched
L2 Switched: ucast: 8199 pkt, 1362060 bytes - mcast: 6980 pkt, 371952 bytes
L3 in Switched: ucast: 3045 pkt, 742761 bytes - mcast: 0 pkt, 0 bytes mcast
L3 out Switched: ucast: 2975 pkt, 693411 bytes - mcast: 0 pkt, 0 bytes
Adjacency Information
Switch#show adjacency gigabitethernet 9/5 detail
Protocol Interface Address
IP GigabitEthernet9/5 172.20.53.206(11)
504 packets, 6110 bytes
00605C865B82
000164F83FA50800
ARP 03:49:31
Step 5: Verify the CEF FIB table entry for the route.
Switch# show ip cef 192.168.150.0
Step 6: Verify an adjacency table entry for the destination.
Switch#show adjacency detail | begin 192.168.199.3
Step 7: Verify CEF from the supervisor engine for modular switch platforms.
4.4 Inter-VLAN Routing Lab Exercises
Internetwork Communications
C:>ping 172.16.30.100
Can two hosts on different subnets communicate without a router? What would happen if a host tried to ping another host? No, they cannot communicate. Would it send an ARP Request? Why or why not? The host would not send an ARP Request because there is no default gateway.
C:>ping 172.16.30.100
What difference would it make if these hosts were on different VLANs? The broadcasts would not be forwarded out all ports by the switch. Why does the host send the ARP Request to the router and not to the destination host? After all, they're on the same switch. The host doesn't know where the destination host is, just that it's not on its network.
Internetwork Communications

If the destination IP address is on the host's own network: the destination MAC address is that of the same device as the destination IP address. Check the ARP cache for an entry of the destination IP address and its MAC address. If there is no entry, send an ARP Request for the destination IP address asking for its MAC address.

If the destination IP address is on another network: the destination MAC address will be that of the default gateway. Check the ARP cache for an entry of the default gateway's IP address and its MAC address. If there is no entry, send an ARP Request for the default gateway's IP address asking for its MAC address.
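The host-side decision just described, written out as an added example (not part of the original slides): same subnet means the host resolves the destination itself, a different subnet means it resolves the default gateway, and with no default gateway configured it sends no ARP at all, which answers the question on the previous slide. The host addresses and the cached gateway MAC are constructed; 172.16.30.100 is the ping target from the slide.

```python
"""Host forwarding decision: direct delivery, via default gateway, or unreachable.
Added example, not from the slides; host settings and MAC addresses are constructed."""
import ipaddress
from typing import Dict, Optional


def next_hop_decision(host_ip: str, netmask: str, gateway: Optional[str],
                      arp_cache: Dict[str, str], dst_ip: str) -> dict:
    """Return what the host does with a packet for dst_ip.

    arp_cache maps IP -> MAC. gateway is None when no default gateway is configured.
    """
    iface = ipaddress.IPv4Interface(f"{host_ip}/{netmask}")
    dst = ipaddress.IPv4Address(dst_ip)
    if dst in iface.network:
        target = dst_ip          # same subnet: the L2 destination is the host itself
    elif gateway is not None:
        target = gateway         # other subnet: the L2 destination is the default gateway
    else:
        # No gateway and not local: nothing to ARP for, so no frame is sent.
        return {"action": "unreachable", "arp_for": None, "dst_mac": None}
    mac = arp_cache.get(target)
    if mac is None:
        return {"action": "arp_request", "arp_for": target, "dst_mac": None}
    return {"action": "send", "arp_for": None, "dst_mac": mac}


# Constructed sample hosts: one with a default gateway, one without.
HOST_A = dict(host_ip="172.16.10.100", netmask="255.255.255.0", gateway="172.16.10.1")
HOST_NO_GW = dict(host_ip="172.16.10.100", netmask="255.255.255.0", gateway=None)
CACHE = {"172.16.10.1": "00-00-0c-12-34-56"}   # constructed gateway MAC

if __name__ == "__main__":
    print(next_hop_decision(**HOST_A, arp_cache={}, dst_ip="172.16.30.100"))
    print(next_hop_decision(**HOST_NO_GW, arp_cache={}, dst_ip="172.16.30.100"))
    print(next_hop_decision(**HOST_A, arp_cache=CACHE, dst_ip="172.16.30.100"))
```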
Inter-VLAN Routing
A VLAN is a logical group of ports, usually belonging to a single IP subnet, used to control the size of the broadcast domain. Even though devices in different VLANs may be physically connected to the same switch, they cannot communicate without the services of a default gateway, a router. This is known as inter-VLAN routing.
Inter-VLAN Routing

The following devices are capable of providing inter-VLAN routing:
- Any external router or group of routers with a separate interface in each VLAN, or with a trunk port
- Any external router with an interface that supports trunking (router on a stick)
- Any Layer 3 multilayer Catalyst switch
Download: PT-Topology-MLS-1. Configure the router to route between VLANs. Is a routing protocol necessary? Why or why not? No, because all of our networks are directly connected.
Router-on-a-Stick

(Figure: hosts 172.16.10.100/24 and 172.16.20.100/24.)

Download: PT-Topology-MLS-2.pkt. A single trunk link carries traffic for multiple VLANs to and from the router.
(Figure: hosts 172.16.10.100/24 and 172.16.20.100/24.)

Router on a stick is very simple to implement because routers are usually available in every network.
Multilayer Switches

Layer 2 interfaces:
- Access port: carries traffic for a single VLAN. Which are the access ports?
- Trunk port: carries traffic for multiple VLANs using Inter-Switch Link (ISL) encapsulation or 802.1Q tagging. Which are the trunk ports?
Cisco IOS switchport command: the switchport command configures an interface as a Layer 2 interface. Note: the no switchport command configures an interface as a Layer 3 interface.
Layer 3 Interfaces
Download: PT-Topology-MLS-3.pkt. A routed port is a physical port that acts similarly to a port on a traditional router with Layer 3 addresses configured. It is not associated with a particular VLAN and is like a regular router interface, except that it does not support subinterfaces.
(Figure: link subnets 192.168.1.4/30 and 192.168.1.8/30.)

Core1(config)# interface GigabitEthernet0/1
Core1(config-if)# no switchport
Core1(config-if)# ip address 192.168.1.5 255.255.255.252
Core1(config)# interface GigabitEthernet0/2
Core1(config-if)# no switchport
Core1(config-if)# ip address 192.168.1.1 255.255.255.252
(Figure: link subnets 192.168.1.4/30 and 192.168.1.8/30.)

Core2(config)# interface GigabitEthernet0/1
Core2(config-if)# no switchport
Core2(config-if)# ip address 192.168.1.6 255.255.255.252
Core2(config)# interface GigabitEthernet0/2
Core2(config-if)# no switchport
Core2(config-if)# ip address 192.168.1.9 255.255.255.252
(Figure: link subnets 192.168.1.4/30 and 192.168.1.8/30.)

DLS1(config)# interface GigabitEthernet0/2
DLS1(config-if)# no switchport
DLS1(config-if)# ip address 192.168.1.2 255.255.255.252
DLS2(config)# interface GigabitEthernet0/2
DLS2(config-if)# no switchport
DLS2(config-if)# ip address 192.168.1.10 255.255.255.252
SVI

Switch virtual interfaces (SVIs):
- Layer 3 interfaces configured on multilayer (Layer 3) switches
- Used for inter-VLAN routing
- A virtual VLAN interface, associated with the VLAN ID
- Enable routing capability on that VLAN
Note: these are virtual interfaces!
DLS1(config)# interface vlan 1
DLS1(config-if)# ip address 172.16.1.1 255.255.255.0
DLS1(config-if)# no shutdown
DLS1(config)# interface vlan 10
DLS1(config-if)# ip address 172.16.10.1 255.255.255.0
DLS1(config-if)# no shutdown
DLS1(config)# interface vlan 20
DLS1(config-if)# ip address 172.16.20.1 255.255.255.0
DLS1(config-if)# no shutdown

The switch routes frames between VLANs directly on the switch via hardware switching, without requiring an external router. An SVI is mostly implemented to interconnect the VLANs on the Building Distribution submodules or the Building Access submodules in the multilayer switched network.
IP Broadcast Forwarding

DHCP uses IP subnet broadcasts to the 255.255.255.255 address. Routers do not route these packets by default. Routers and Layer 3 switches can be configured to forward these DHCP and other UDP broadcast packets to a:
- unicast address, or
- directed broadcast address.
MLS(config)#interface vlan 1
MLS(config-if)#description DHCP Server VLAN
MLS(config-if)#ip address 10.1.1.1 255.255.255.0
MLS(config-if)#no ip directed-broadcast
MLS(config)#interface vlan 2
MLS(config-if)#description DHCP clients
MLS(config-if)#ip address 10.2.1.1 255.255.255.0
MLS(config-if)#no shutdown
MLS(config-if)#no ip directed-broadcast
MLS(config-if)#ip helper-address 10.1.1.254

Layer 3 devices do not pass broadcasts. What issue does this cause for DHCP servers? Each subnet would require its own DHCP server. To enable the DHCP relay agent feature instead, configure the ip helper-address command with the DHCP server IP address(es) on the client VLAN interfaces.
MLS(config)#interface vlan 1
MLS(config-if)#description DHCP Server VLAN
MLS(config-if)#ip address 10.1.1.1 255.255.255.0
MLS(config-if)#no ip directed-broadcast
MLS(config)#interface vlan 2
MLS(config-if)#description DHCP clients
MLS(config-if)#ip address 10.1.2.1 255.255.255.0
MLS(config-if)#no shutdown
MLS(config-if)#no ip directed-broadcast
MLS(config-if)#ip helper-address 10.1.1.254

ip helper-address: make sure that ip directed-broadcast is not configured on any outbound interface that the relayed UDP broadcast packets need to traverse. The no ip directed-broadcast command configures the router or switch to prevent the translation of a directed broadcast into a physical (all-ones MAC) broadcast. This has been the default behavior since Cisco IOS Release 12.0, implemented as a security measure.
To specify additional UDP broadcasts for forwarding by the router when the ip helper-address interface command is configured, use the following global command:
    ip forward-protocol udp [port]
Use the no form of the command to remove default or configured applications.
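A configuration check for the two points made above, as an added example (not Cisco tooling and not from the slides): every interface stanza that carries ip helper-address should also carry an explicit no ip directed-broadcast, and ip directed-broadcast must not be enabled on any interface the relayed broadcasts cross. The sample configuration is constructed from the commands on the slides, with a deliberately misconfigured third VLAN added so the check has something to find.

```python
"""Audit an IOS-style running-config for DHCP relay / directed-broadcast hygiene.
Added example, not Cisco tooling; SAMPLE_CONFIG is constructed from the slide
commands plus a made-up misconfigured 'interface vlan 3'."""
from typing import Dict, List

SAMPLE_CONFIG = """\
interface vlan 1
 description DHCP Server VLAN
 ip address 10.1.1.1 255.255.255.0
 no ip directed-broadcast
interface vlan 2
 description DHCP clients
 ip address 10.1.2.1 255.255.255.0
 no shutdown
 no ip directed-broadcast
 ip helper-address 10.1.1.254
interface vlan 3
 description constructed misconfigured client VLAN
 ip address 10.1.3.1 255.255.255.0
 ip directed-broadcast
 ip helper-address 10.1.1.254
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Split a flat config into {interface name: [commands]}.
    Lines outside an interface stanza are ignored."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("interface "):
            current = line[len("interface "):]
            stanzas.setdefault(current, [])
        elif current is not None:
            stanzas[current].append(line)
    return stanzas


def audit_dhcp_relay(config: str) -> List[str]:
    """Return one finding per problem; an empty list means the config passes."""
    findings: List[str] = []
    for name, cmds in parse_interfaces(config).items():
        has_helper = any(c.startswith("ip helper-address") for c in cmds)
        # Exact matches: 'no ip directed-broadcast' also contains the shorter string.
        directed_on = "ip directed-broadcast" in cmds
        directed_off = "no ip directed-broadcast" in cmds
        if directed_on:
            findings.append(f"{name}: ip directed-broadcast enabled; directed broadcasts "
                            f"would be translated to physical broadcasts on this segment")
        if has_helper and not directed_off:
            findings.append(f"{name}: ip helper-address configured without explicit "
                            f"no ip directed-broadcast (relies on the platform default)")
    return findings


if __name__ == "__main__":
    for f in audit_dhcp_relay(SAMPLE_CONFIG):
        print(f)
```

Because no ip directed-broadcast is the IOS default since 12.0, the second finding is a hardening nit rather than an exposure; the first one is the real problem, since an enabled directed broadcast turns the relay path into a broadcast amplifier.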
Multilayer Switching

(Figure: Traditional MLS and CEF-Based MLS.)

Multilayer switching: the ability of a Catalyst switch to support switching and routing of packets in hardware, with optional support for Layers 4 through 7 switching in hardware as well. Hardware switching: a route processor (Layer 3 engine) must download software-based routing, switching, access list, QoS, and other information to the hardware for packet processing.
Traditional MLS and CEF-Based MLS

Cisco Catalyst switches use either:
- Traditional multilayer switching (traditional MLS), a legacy feature, or
- the Cisco Express Forwarding (CEF)-based MLS architecture. All leading-edge Catalyst switches support CEF-based multilayer switching.
Traditional MLS

Specialized application-specific integrated circuits (ASICs) perform Layer 2 rewrite operations on routed packets:
- Source MAC address
- Destination MAC address
- Cyclic redundancy check (CRC)
Because the source and destination MAC addresses change during Layer 3 rewrites, the switch must recalculate the CRC for these new MAC addresses.
Traditional MLS

The switch learns Layer 2 rewrite information from an MLS router via an MLS protocol (netflow-based switching). With traditional MLS, the Layer 3 engine (route processor) and switching ASICs work together to build Layer 3 entries on the switch. Each entry can be populated in one of three ways:
- Source IP address only
- Source and destination IP addresses
- Full flow information with Layer 4 protocol information
Traditional MLS

(Figure: first packet of the flow. IP header: S-IP 10.1.1.10, D-IP 10.1.2.20. IP data.)

The switch forwards the first packet in any flow to the Layer 3 engine for processing using software switching. After the routing of the first packet in the flow, the Layer 3 engine programs the hardware-switching components for routing of subsequent packets.
(Figure: candidate packet from workstation A arrives at the MLS-SE on its way to the MLS-RP. Ethernet header: D-MAC 00-00-0C-11-11-11, S-MAC 00-AA-00-11-11-11. IP header: S-IP 10.1.1.10, D-IP 10.1.2.20. IP data.)

Candidate Packet Info recorded by the MLS-SE: Layer 3 Info S-IP 10.1.1.10, D-IP 10.1.2.20; Layer 2 Info S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11.

MLS-SE: "The destination MAC address is one of the router's interfaces. There is not an existing flow, so I will flag this as a candidate packet."

When workstation A sends a packet to workstation B, workstation A sends the packet to its default gateway. The default gateway is the RSM. The switch (MLS-SE) recognizes this packet as an MLS candidate packet because the destination MAC address matches the MAC address of the MLS router (MLS-RP). As a result, the switch creates a candidate entry for this flow.
(Figure: enabler packet returned by the MLS-RP to the MLS-SE. Ethernet header: D-MAC 00-AA-00-22-22-22, S-MAC 00-00-0C-22-22-22. IP header: S-IP 10.1.1.10, D-IP 10.1.2.20. IP data.)

Next, the router accepts the packet from workstation A, rewrites the Layer 2 MAC addresses and CRC, and forwards the packet to workstation B. The switch refers to the routed packet from the RSM as the enabler packet.
Candidate Packet Info: Layer 3 Info S-IP 10.1.1.10, D-IP 10.1.2.20; Layer 2 Info S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11.

(Figure: enabler packet seen by the MLS-SE. Ethernet header: D-MAC 00-AA-00-22-22-22, S-MAC 00-00-0C-22-22-22. IP header: S-IP 10.1.1.10, D-IP 10.1.2.20. IP data.)

The MLS-SE recognizes various matches, including CAM; details are not included here. Basically, the MLS-SE recognizes that the packet going out on VLAN 2 is the same one that came in on VLAN 1. Upon seeing both the candidate and enabler packets, the switch creates an MLS entry in hardware (the MLS cache) such that it rewrites and forwards all future packets matching this flow.
Candidate Packet Info: Layer 3 Info S-IP 10.1.1.10, D-IP 10.1.2.20; Layer 2 Info S-MAC 00-AA-00-11-11-11, D-MAC 00-00-0C-11-11-11.

MLS-SE, on future packets of the flow: "Found match in MLS Cache, rewrite Ethernet header and send directly to Host B, forget the router!"

MLS Cache entry for this flow:
Dst IP 10.1.2.20 | Src IP 10.1.1.10 | Port TCP | Dst Port 23 | Dst MAC 00-AA-00-22-22-22 | Src MAC 00-00-0C-22-22-22 | VLAN 2 | Interface 3/1

As future packets from the flow arrive, the MLS-SE uses the destination IP address to look up the entry in the MLS cache. Finding a match, the rewrite engine modifies the necessary header information and forwards the frame (the packet is not forwarded to the router). The rewrite operation modifies all the same fields initially modified by the router for the first packet, including the source MAC and destination MAC addresses.
CEF-based MLS
CEF

The CEF-based MLS forwarding model is used to download control plane information, such as access lists, to the data plane on the supervisor, port, or line card for hardware switching of packets. The control plane represents the Layer 3 engine (route processor); the data plane represents the hardware components, such as ASICs, used by the switch for hardware switching. CEF is a topology-based forwarding model in which all routing information is prepopulated into a forwarding information base (FIB). The result is that switches can quickly look up routing information such as IP adjacencies and next-hop IP and MAC addresses.
CEF

(Figure: the IP routing table feeding the FIB.)

The two main components of CEF are the FIB and the adjacency table.

Forwarding information base (FIB):
- Makes IP destination prefix-based switching decisions
- Similar to a routing table; a mirror image of the forwarding information contained in the IP routing table
- When routing or topology changes occur in the network, the IP routing table is updated, and those changes are reflected in the FIB
- Maintains next-hop address information based on the information in the IP routing table
- Both the Layer 3 engine and the hardware-switching components maintain a FIB
CEF

(Figure: "Next hop?")

Adjacency tables: the FIB keeps the Layer 3 next-hop address for each entry. To streamline packet forwarding even more, the FIB has corresponding Layer 2 information for every next-hop entry. This portion of the FIB is called the adjacency table, consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop.
CEF

(Figure callout: no ARP entry, so the L3 forwarding engine can't forward the packet in hardware and must send it to the L3 engine.)

Adjacency tables (summary, more detail coming): built from the ARP table. As a next-hop address receives a valid ARP entry, the adjacency table is updated. If an ARP entry does not exist, the FIB entry is marked as CEF glean. This means that the Layer 3 forwarding engine can't forward the packet in hardware, due to the missing Layer 2 next-hop address. The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply. This is known as the CEF glean state, where the Layer 3 engine must glean the next-hop destination's MAC address.
CEF
Adjacency tables What happens to subsequent packets while FIB entry is in glean state? (L3 engine is sending ARP Request.) These packets are dropped. So input queues do not fill. So Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests. This is called ARP throttling or throttling adjacency. If an ARP reply is not received in two seconds, the throttling is released so that another ARP request can be triggered. After ARP reply is received: Throttling is released FIB entry can be completed Subsequent packets can be forwarded in hardware 124
ARP Throttling
1. Host A sends a packet to Host B. The CEF lookup shows a glean adjacency (no ARP entry exists for Host B, so there is no entry in the adjacency table). No rewrite information exists.
2. The packet is passed to the Layer 3 Engine for processing.
ARP Throttling
The throttling adjacency is removed when no ARP Reply is received within 2 seconds. This allows another packet to initiate a new ARP Request. The throttling adjacency relieves the Layer 3 Engine of excessive ARP processing, including ARP-based DoS attacks (a flood of packets to unresolved addresses that would otherwise each trigger an ARP request).
[Figure: the L3 Engine sends an ARP Request for Host B; subsequent packets to Host B are dropped while the throttling adjacency is in place]
3. Obtaining rewrite information. The L3 Engine sends an ARP Request for Host B and waits for the ARP Reply. Throttling adjacency: while in the glean state, subsequent packets to that host are dropped, so that input queues do not fill and the Layer 3 Engine is not busy with duplicate ARP Requests. (Note: Cisco routers also drop the first packet when there is no ARP entry, while the ARP Request is being sent.)
ARP Throttling
[Figure: the ARP Reply returns to the L3 Engine]
ARP Throttling
5. The Layer 3 Engine installs the adjacency for Host B and removes the throttling (drop) adjacency. Next: packet rewrite.
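The glean and throttling sequence in steps 1 to 5 above, modelled in Python as an added example (not code from the course or from Cisco): a FIB with longest-prefix match, an adjacency table, a glean state that punts the first packet and sends one ARP request, a 2-second throttling adjacency that drops later packets to the same next hop without sending duplicate requests, and the ARP reply that completes the entry. The class name, the injectable clock and the string outcomes are assumptions made for illustration.

```python
import ipaddress
import time

THROTTLE_SECONDS = 2.0   # slide value: throttling adjacency released if no ARP reply in 2 s


class CefSwitch:
    """Toy model of a CEF FIB plus adjacency table with glean and ARP-throttle handling."""

    def __init__(self, now=time.monotonic):
        self.now = now                 # injectable clock so the 2 s timer can be stepped in tests
        self.fib = {}                  # prefix -> next-hop IP (None = directly attached)
        self.adjacency = {}            # next-hop IP -> next-hop MAC (the rewrite information)
        self.throttled = {}            # next-hop IP -> time the ARP request was sent
        self.arp_requests = []         # ARP requests the L3 engine had to send
        self.log = []                  # (destination, outcome) for every packet seen

    def add_route(self, prefix, next_hop=None):
        """A routing-table change mirrored into the FIB."""
        self.fib[ipaddress.ip_network(prefix)] = next_hop

    def lookup(self, dst):
        """Longest-prefix match; returns the next-hop IP, or None when there is no route."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh in self.fib.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            return None
        net, nh = best
        return nh if nh is not None else str(addr)   # attached subnet: next hop is the host

    def forward(self, dst):
        """Forward one packet to dst; returns the outcome as a string."""
        nh = self.lookup(dst)
        if nh is None:
            return self._record(dst, "drop: no route")
        if nh in self.adjacency:
            # FIB entry complete: rewrite info present, forwarded in hardware
            return self._record(dst, "hardware")
        # Glean state: the next hop has no ARP entry, so no L2 rewrite information exists.
        sent = self.throttled.get(nh)
        if sent is not None and self.now() - sent < THROTTLE_SECONDS:
            # Throttling adjacency: drop, and do not generate a duplicate ARP request.
            return self._record(dst, "drop: throttled")
        # First packet (or the 2 s throttle expired): punt to the L3 engine, which
        # sends an ARP request; the packet itself is dropped.
        self.throttled[nh] = self.now()
        self.arp_requests.append(nh)
        return self._record(dst, "drop: glean (ARP request sent)")

    def arp_reply(self, ip, mac):
        """L3 engine receives the ARP reply: install the adjacency and release the throttle."""
        self.adjacency[ip] = mac
        self.throttled.pop(ip, None)

    def _record(self, dst, outcome):
        self.log.append((dst, outcome))
        return outcome


if __name__ == "__main__":
    clock = [0.0]                                       # constructed clock, stepped by hand
    sw = CefSwitch(now=lambda: clock[0])
    sw.add_route("10.20.10.0/24")                       # attached VLAN subnet
    sw.add_route("0.0.0.0/0", next_hop="10.20.10.1")    # default route via a gateway
    for t in (0.0, 0.5, 1.9, 2.5):                      # four packets from Host A to Host B
        clock[0] = t
        print(f"t={t:.1f}s  {sw.forward('10.20.10.2')}")
    sw.arp_reply("10.20.10.2", "00:60:5c:86:5b:82")     # Host B answers the ARP request
    print("after reply:", sw.forward("10.20.10.2"))
```

Run stand-alone it prints the first packet punted with an ARP request, the next two dropped by the throttle, a fresh ARP request once 2 seconds have passed, and hardware forwarding after the reply. The DoS angle from the slide is visible in arp_requests: however many packets arrive for an unresolved host, at most one ARP request is generated per 2-second window.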
Packet Rewrite
[Figure: egress packet from Host A toward its default gateway; marked fields: L2 checksum, L3 checksum, TTL]
The switch receives another packet. After a multilayer switch finds valid entries in the FIB and adjacency tables, the packet is almost ready to be forwarded. One step remains: the packet header information must be rewritten. Multilayer switching occurs as quick table lookups that find:
- the next-hop address;
- the outbound switch port.
The IP header must also be adjusted (TTL), as if a traditional router had done the forwarding.
Packet Rewrite
[Figure: rewritten packet; L2 and L3 checksums recalculated, TTL decremented by 1]
The packet rewrite engine makes the following changes to the packet just prior to forwarding:
- Layer 2 destination address: changed to the next-hop device's MAC address
- Layer 2 source address: changed to the outbound Layer 3 switch interface's MAC address
- Layer 3 IP Time To Live (TTL): decremented by one, as one router hop has just occurred
- Layer 2 frame checksum: recalculated to include changes to the Layer 2 and Layer 3 headers
- Layer 3 IP checksum: recalculated to include changes to the IP header
A traditional router would normally make the same changes to each packet. The multilayer switch must act as if a traditional router were being used, making identical changes. It can do this very efficiently with dedicated packet rewrite hardware and with address information obtained from the table lookups.
The switch performs a Layer 3 lookup and finds a CEF entry for Host B. The switch rewrites packets per the adjacency information and forwards the packet to Host B on its VLAN.
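The five rewrite steps carried out on a constructed Ethernet/IPv4 frame, as an added example that is not the course's own code. It builds a frame (the MAC addresses are the ones visible in the show adjacency output later on this page, the IP addresses and payload are constructed), then rewrites both MAC addresses, decrements the TTL and recomputes the IP header checksum and the Ethernet FCS. The cases that return None (bad FCS, non-IPv4, IP header options, TTL of 1 or less) model packets a hardware rewrite cannot handle and that go to the Layer 3 engine instead; treating an expiring TTL that way is ordinary router behaviour but is an assumption not stated on the slide.

```python
import struct
import zlib


def mac(text):
    """'00:60:5c:86:5b:82' or '0060.5c86.5b82' -> 6 bytes."""
    return bytes.fromhex(text.replace(":", "").replace(".", ""))


def ip_checksum(header):
    """RFC 1071 one's-complement sum; returns 0 when run over a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def fcs(body):
    """Ethernet FCS: CRC-32 of the frame, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(body))


def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, payload=b""):
    """Constructed sample: Ethernet II (ARPA) frame carrying an IPv4 packet without options."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, ttl, 17, 0,
                      bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]   # fill in the IP checksum
    body = mac(dst_mac) + mac(src_mac) + b"\x08\x00" + hdr + payload
    return body + fcs(body)


def frame_fields(frame):
    """Decode the fields the rewrite engine touches, plus whether both checksums verify."""
    body, trailer = frame[:-4], frame[-4:]
    is_ip = body[12:14] == b"\x08\x00" and len(body) >= 34
    ihl = (body[14] & 0x0F) * 4 if is_ip else 0
    hdr = body[14:14 + ihl]
    return {"dst_mac": body[0:6], "src_mac": body[6:12], "ethertype": body[12:14],
            "ihl": ihl, "ttl": hdr[8] if is_ip else None,
            "ip_checksum_ok": is_ip and ip_checksum(hdr) == 0,
            "fcs_ok": trailer == fcs(body), "payload": body[14 + ihl:]}


def rewrite(frame, next_hop_mac, out_if_mac):
    """The five rewrite steps from the slide. Returns the new frame, or None when the
    packet is not a hardware-rewrite case and must go to the Layer 3 engine instead."""
    f = frame_fields(frame)
    if not f["fcs_ok"] or f["ethertype"] != b"\x08\x00" or not f["ip_checksum_ok"]:
        return None                         # corrupt frame or not IPv4
    if f["ihl"] != 20:
        return None                         # IP header options: not switched in hardware
    if f["ttl"] <= 1:
        return None                         # would expire here; assumption: L3 engine handles it
    body = frame[:-4]
    hdr = bytearray(body[14:34])
    hdr[8] -= 1                             # TTL decremented by one: one router hop
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ip_checksum(bytes(hdr)))   # L3 checksum recalculated
    new_body = (mac(next_hop_mac)           # L2 destination = next-hop MAC from the adjacency
                + mac(out_if_mac)           # L2 source = outbound L3 interface MAC
                + body[12:14] + bytes(hdr) + body[34:])
    return new_body + fcs(new_body)         # L2 FCS recalculated over both rewritten headers


if __name__ == "__main__":
    # MACs from the show adjacency output on this page; IPs, next hop and payload constructed.
    frame = build_frame("0001.64F8.3FA5", "0060.5C86.5B82", "10.20.10.2", "172.16.11.5", 64, b"hi")
    out = rewrite(frame, "0000.0c9f.f00b", "0001.64F8.3FA6")
    for name, fr in (("in ", frame), ("out", out)):
        f = frame_fields(fr)
        print(name, f["dst_mac"].hex(), f["src_mac"].hex(), "ttl", f["ttl"],
              "ipcsum", f["ip_checksum_ok"], "fcs", f["fcs_ok"])
```

The rewritten frame is the same length as the input: only the two MAC addresses, the TTL byte, the IP checksum and the trailing FCS differ, which is exactly the list of changes on the slide.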
CEF
Catalyst switches do not support routing of all types of frames in hardware. For example, the following common frame types are not supported by hardware switching:
- packets with IP header options;
- packets sourced from or destined to tunnel interfaces;
- packets using Ethernet encapsulation types other than ARPA;
- packets that require fragmentation (exceed the MTU of the outbound interface).
Such packets are sent to the Layer 3 engine and switched in software.
Two types of CEF:
- Central CEF: forwarding decisions are made by an ASIC that is central to all interfaces.
- Distributed CEF (dCEF): forwarding decisions are made independently on the interfaces or line modules (faster).
Multilayer switches build the following tables for centralized or distributed switching in hardware, using high-speed memory tables:
- routing (CEF FIB and adjacency);
- bridging;
- QoS;
- access control list (ACL) tables.
CAM and TCAM
Multilayer switches deploy memory tables using specialized memory architectures:
CAM (content addressable memory)
- Binary: each bit of the key is compared as 0 or 1, so a lookup either matches an entry exactly or misses.
- Used for exact matches such as MAC address tables.
TCAM (ternary content addressable memory)
- Ternary: each bit of a stored entry can be 0, 1, or X (don't care), so one entry can match many keys.
- Ternary logic uses the base-3 number system (trits).
- Used for longest matches such as IP routing tables organized by IP prefixes.
CAM
For Layer 2 switching tables. With CAM tables, switches must find exact matches or the switches use a default behavior. Switch must find an exact match to a destination MAC address or the switch floods the packet out all ports in the VLAN.
CAM
The information a switch uses to perform a lookup in a CAM table is called a key. For Layer 2 switching the key is:
- destination MAC address;
- VLAN ID.
TCAM
TCAM is a specialized CAM designed for rapid table lookups. For example, the Catalyst 2950, 3550, 4500, and 6500 families of switches use TCAM to handle ACL lookups at line rate, so applying ACLs does not affect the forwarding performance of the switch. A single lookup provides the following information:
- Layer 2
- Layer 3
- ACL
TCAM
VMR (value, mask, and result) refers to the format of entries in TCAM.
- The value is the pattern to be matched; examples include IP addresses and protocol ports.
- The mask is the set of mask bits associated with the pattern; for an IP prefix it determines the prefix length.
- The result is the action that occurs when a lookup returns a hit for the pattern and mask. In a TCAM used for ACLs this is a permit or deny. In a TCAM used for IP routing it is a pointer to an entry in the hardware adjacency table that contains the next-hop MAC rewrite information.
If the TCAM becomes full, a wildcard entry is installed so that packets which would have matched the entries that could not be programmed are instead sent to the Layer 3 engine and routed in software using the routing table, at a corresponding cost in performance.
1. Layer 3 packets initiate a TCAM lookup.
2. The longest match returns an adjacency with rewrite information.
3. The packet is rewritten per the adjacency information and forwarded.
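The CAM and TCAM lookups described above, as an added example in Python that is not part of the course material: an exact-match CAM keyed on VLAN and MAC that floods on a miss, a TCAM of VMR entries with first-match semantics for ACLs and longest-match semantics for routing, and the fall-back to software switching when the TCAM is full. The 88-bit ACE key layout, the fixed capacity and the string results are assumptions made for illustration.

```python
import ipaddress


class Cam:
    """Binary CAM: exact match on (VLAN ID, destination MAC); a miss floods in the VLAN."""

    def __init__(self):
        self.table = {}

    def learn(self, vlan, mac, port):
        self.table[(vlan, mac.lower())] = port

    def lookup(self, vlan, mac):
        return self.table.get((vlan, mac.lower()), "flood")


class Tcam:
    """Ternary CAM of VMR entries: a key hits an entry when (key & mask) == (value & mask)."""

    def __init__(self, capacity):
        self.capacity = capacity            # assumption: fixed number of entries
        self.entries = []                   # (value, mask, result) in install order
        self.overflowed = False             # set once an install failed for lack of space

    def install(self, value, mask, result):
        """Returns False when the TCAM is full; affected packets must then be switched in software."""
        if len(self.entries) >= self.capacity:
            self.overflowed = True
            return False
        self.entries.append((value & mask, mask, result))
        return True

    def first_match(self, key):
        """ACL semantics: entries are ordered, the first hit wins; None means no entry matched."""
        for value, mask, result in self.entries:
            if key & mask == value:
                return result
        return None

    def longest_match(self, key):
        """Routing semantics: among all hits, the entry with the most mask bits set wins."""
        best, best_bits = None, -1
        for value, mask, result in self.entries:
            bits = bin(mask).count("1")
            if key & mask == value and bits > best_bits:
                best, best_bits = result, bits
        return best


def prefix_vm(prefix):
    """'10.20.10.0/24' -> (value, mask) as 32-bit integers."""
    net = ipaddress.ip_network(prefix)
    return int(net.network_address), int(net.netmask)


def route_key(ip):
    return int(ipaddress.ip_address(ip))


def route_entry(prefix, adjacency):
    """Routing VMR: the result is the adjacency (rewrite information) for the prefix."""
    value, mask = prefix_vm(prefix)
    return value, mask, adjacency


def acl_key(src_ip, dst_ip, proto, dport):
    """Pack the fields an ACE inspects into one 88-bit key: src(32) dst(32) proto(8) port(16)."""
    return route_key(src_ip) << 56 | route_key(dst_ip) << 24 | proto << 16 | dport


def ace(src_prefix, dst_prefix, proto, dport, action):
    """ACL VMR entry; None for proto or dport means don't care (those mask bits stay 0)."""
    sv, sm = prefix_vm(src_prefix)
    dv, dm = prefix_vm(dst_prefix)
    value = sv << 56 | dv << 24 | (proto or 0) << 16 | (dport or 0)
    mask = (sm << 56 | dm << 24
            | (0xFF << 16 if proto is not None else 0)
            | (0xFFFF if dport is not None else 0))
    return value, mask, action


def forward(routing_tcam, acl_tcam, src_ip, dst_ip, proto, dport):
    """Hardware decision for one packet: ACL verdict first, then adjacency by longest match.
    Returns the adjacency name, 'deny', or 'software' when the ACL TCAM overflowed."""
    if acl_tcam.overflowed:
        return "software"                   # wildcard fallback: punt to the L3 engine
    verdict = acl_tcam.first_match(acl_key(src_ip, dst_ip, proto, dport))
    if verdict != "permit":
        return "deny"                       # explicit deny, or the implicit deny on a miss
    adjacency = routing_tcam.longest_match(route_key(dst_ip))
    return adjacency if adjacency is not None else "drop: no route"


if __name__ == "__main__":
    rt, acl = Tcam(capacity=16), Tcam(capacity=16)
    for prefix, adj in (("10.20.10.0/24", "adj-vlan10"), ("10.0.0.0/8", "adj-core"),
                        ("0.0.0.0/0", "adj-default")):
        rt.install(*route_entry(prefix, adj))
    acl.install(*ace("0.0.0.0/0", "172.16.11.0/24", 6, 23, "deny"))   # no telnet into VLAN 11
    acl.install(*ace("0.0.0.0/0", "0.0.0.0/0", None, None, "permit"))
    for dport in (23, 22):
        print(f"tcp/{dport} to 172.16.11.5:", forward(rt, acl, "10.20.10.2", "172.16.11.5", 6, dport))
```

The ordering matters in two different ways: an ACL TCAM is searched in install order, so the deny must precede the permit-any, whereas the routing TCAM ignores order and picks the entry with the most mask bits. A practitioner checking TCAM sizing should note the overflow path: once an ACL no longer fits, the affected traffic is switched in software, which is a performance problem rather than a silent permit.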
- A router on a stick can be used to route between VLANs using either ISL or 802.1Q as the trunking protocol.
- A router on a stick requires subinterfaces, one for each VLAN.
- Verify inter-VLAN routing by generating IP packets between two subnets.
- Multilayer switches can forward traffic both at Layer 2 and at Layer 3.
- Multilayer switches rewrite the Layer 2 and Layer 3 header using
Enabling CEF
The commands required to enable CEF are platform dependent. On the Cisco Catalyst 4000 switch, CEF is enabled in global configuration mode:
Switch(config)#ip cef
Verifying CEF
Switch#show ip cef [type mod/port | vlan_interface] [detail]

Switch# show ip cef vlan 11 detail
IP CEF with switching (Table Version 11), flags=0x0
  10 routes, 0 reresolve, 0 unresolved (0 old, 0 new), peak 0
  13 leaves, 12 nodes, 14248 bytes, 14 inserts, 1 invalidations
  0 load sharing elements, 0 bytes, 0 references
  universal per-destination load sharing algorithm, id 4B936A24
  2(0) CEF resets, 0 revisions of existing leaves
  Resolution Timer: Exponential (currently 1s, peak 1s)
  0 in-place/0 aborted modifications
  refcounts: 1061 leaf, 1052 node
  Table epoch: 0 (13 entries at this epoch)
172.16.11.0/24, version 6, epoch 0, attached, connected
0 packets, 0 bytes
  via Vlan11, 0 dependencies
    valid glean adjacency
Switch#show interface fastethernet 3/3 | begin L3
  L3 in Switched: ucast: 0 pkt, 0 bytes - mcast: 12 pkt, 778 bytes mcast
  L3 out Switched: ucast: 0 pkt, 0 bytes - mcast: 0 pkt, 0 bytes
     4046399 packets input, 349370039 bytes, 0 no buffer
     Received 3795255 broadcasts, 2 runts, 0 giants, 0 throttles
     .....
Switch#
Switch#show interfaces gigabitethernet 9/5 | include switched
  L2 Switched: ucast: 8199 pkt, 1362060 bytes - mcast: 6980 pkt, 371952 bytes
  L3 in Switched: ucast: 3045 pkt, 742761 bytes - mcast: 0 pkt, 0 bytes mcast
  L3 out Switched: ucast: 2975 pkt, 693411 bytes - mcast: 0 pkt, 0 bytes
Adjacency Information
Switch#show adjacency [{{type mod/port} | {port-channel number}} | detail | internal | summary]

Switch#show adjacency gigabitethernet 9/5 detail
Protocol Interface                 Address
IP       GigabitEthernet9/5        172.20.53.206(11)
                                   504 packets, 6110 bytes
                                   00605C865B82
                                   000164F83FA50800
                                   ARP        03:49:31

The two hexadecimal lines are the Layer 2 rewrite string for this adjacency: destination MAC 0060.5C86.5B82 (the next hop, learned through ARP), source MAC 0001.64F8.3FA5 (the switch's own interface) and EtherType 0800 (IPv4). "ARP 03:49:31" shows how the entry was learned and how long it has been present.
Switch#debug ip cef {ipc | interface-ipc}
Displays debug information related to IPC (interprocess communication) in CEF.
CEF Summary
- Layer 3 switching is high-performance packet switching in hardware.
- MLS functionality can be implemented through CEF.
- CEF uses tables in hardware to forward packets.
- Specific commands are used to enable and verify CEF operations.
- Commands to enable CEF are platform dependent.
- CEF problems can be matched to specific solutions.
- Specific commands are used to troubleshoot and solve CEF problems.
- Ordered steps assist in troubleshooting CEF-based problems.