Monday, August 10, 2009

Module 4: Implementing Inter-VLAN Routing

Module Overview

A switch with multiple VLANs requires a means of passing Layer 3 traffic between those VLANs. This module describes the process and methods of routing traffic from VLAN to VLAN. A router that is external to the Layer 2 switch hosting the VLANs can provide the inter-VLAN routing. When routing occurs within a Catalyst multilayer switch, Cisco Express Forwarding (CEF) is deployed to facilitate Layer 3 switching through hardware-based tables, providing an optimal packet forwarding process. On a multilayer switch, routing is enabled between VLANs through the configuration of switch virtual interfaces (SVIs) associated with the various VLANs on the multilayer switch.

4.1 Describing Routing Between VLANs

4.1.1 Inter-VLAN Routing Using an External Router

If a switch supports multiple VLANs but has no Layer 3 capability to route packets between those VLANs, the switch must be connected to a router external to the switch. This setup is accomplished most efficiently by providing a single trunk link between the switch and the router that can carry the traffic of multiple VLANs and which, in turn, can be routed by the router. This single physical link must be Fast Ethernet or greater to support Inter-Switch Link (ISL) encapsulation, but 802.1Q is supported on 10-Mbps Ethernet router interfaces.

In Figure , the clients on VLAN10 need to establish sessions with a server that is in VLAN20, which requires that traffic be routed between the VLANs. Figure describes the actions necessary for traffic to be routed between VLANs using an external router.

With inter-VLAN routing, the router receives frames from the switch with the source VLAN tagged (for example VLAN10). It associates the frames with the proper subinterface and then decodes the frame payload (the IP packet). The router then performs Layer 3 processing based on the destination network address contained in the IP packet to determine which subinterface should forward the IP packet. The IP packet is now encapsulated in a dot-1Q (or ISL) frame that is tagged with the VLAN identification (for example VLAN20) of the forwarding subinterface and transmitted across the trunk toward the switch.

In the figure, the router can receive packets on one VLAN and forward them to another. To perform inter-VLAN routing, the router must know how to reach all VLANs that are being interconnected. The router must have a separate logical connection (subinterface) for each VLAN, and ISL or 802.1Q trunking must be enabled on the single physical interface between the router and the switch. The routing table lists all the subnets associated with the VLANs that are configured on the router subinterfaces as directly connected. The router must learn routes to networks that are not configured on directly connected interfaces through dynamic routing protocols or static routes.

There are advantages and disadvantages of inter-VLAN routing on an external router.

The advantages are as follows:

  • Implementation is simple.

  • Layer 3 services are not required on the switch.

  • The router provides communications between VLANs.

The disadvantages are as follows:

  • The router is a single point of failure.

  • The single traffic path between the switch and the router may become congested.


4.1.2 Describing Inter-VLAN Routing Using External Router Configuration Commands


You can configure inter-VLAN routing using an external router over either ISL or 802.1Q trunks. The commands for configuring the trunk interface on the router are shown in Figure . Figure provides a description of the commands.


4.1.3 Configuring Inter-VLAN Routing Using an External Router


A router interface providing inter-VLAN routing on a trunk link must be configured with a subinterface for each VLAN that will be serviced across the link. Each subinterface on the physical link must then be configured with the same trunk encapsulation protocol. That protocol, either 802.1Q or ISL, is typically determined by what was configured on the switch side of the link.

Use the encapsulation dot1q vlan-id subinterface configuration command to enable 802.1Q encapsulation on a router subinterface and bind it to the given VLAN. The subinterface number does not have to match the 802.1Q VLAN number, but it is good practice to make them the same so that a misbinding is obvious when reading the configuration.

Since traffic on the native VLAN is not tagged, all native VLAN frames are received as normal Ethernet frames, so no encapsulation tag needs to be defined for that network; its IP address can be placed on the physical interface. Some versions of Cisco IOS also allow a subinterface for the native VLAN; in that case use the encapsulation dot1q vlan-id native subinterface command. All other, non-native VLANs have an 802.1Q tag inserted into their frames. These VLANs must always be configured as subinterfaces on the router, each one declared as carrying 802.1Q tagged frames and bound to its VLAN ID; the encapsulation dot1q vlan-id subinterface command accomplishes this. The native VLAN ID must be the same on the switch trunk and on the router, because each side places untagged frames into whatever VLAN it considers native, and a mismatch silently merges two VLANs.

The VLAN subnets are directly connected to the router. Routing between these subnets does not require a dynamic routing protocol, because the subnets are directly connected. Routes to the subnets associated with each VLAN appear in the routing table as directly connected interfaces.

Use the encapsulation isl vlan_id subinterface configuration command to enable ISL trunking on a router subinterface.

The native keyword is not used with the encapsulation isl subinterface command, because ISL tags every frame and has no concept of a native VLAN.

Figure describes the actions needed to perform ISL encapsulation on external routers.

After the router is properly configured and connected to the network, the router or the switch can communicate with other nodes on the network.

To test connectivity to remote hosts, use the ping command from privileged EXEC mode:

Router#ping destination-ip-address

Step 1 From the router, ping a host address on each VLAN to verify router connectivity.

Step 2 From a host on a particular VLAN, ping a host on another VLAN to verify routing across the external router.

The ping command returns one of these responses:

  • Success rate is 100 percent or ip-address is alive: This response occurs in 1 to 10 ms, depending on network traffic and the number of Internet Control Message Protocol (ICMP) packets sent.

  • Destination does not respond: No answer message is returned if the host does not respond.

  • Unknown host: This response occurs if the targeted host cannot be resolved.

  • Destination unreachable: This response occurs if the default gateway cannot reach the specified network or is being blocked.

  • Network or host unreachable: This response occurs if no reply arrives before the per-packet ping timeout expires (the IOS default is 2 seconds) or a router on the path returns an ICMP unreachable. The timeout is the time the router waits for each echo reply, not the packet's TTL.

Use show commands to display the current (running) configuration, IP routing information, and IP protocol information to verify whether the routing table represents the subnets of all VLANs.

Router#show vlans
Virtual LAN ID: 10 (Inter Switch Link Encapsulation)
vLAN Trunk Interface: FastEthernet0/0.10
Protocols Configured: Address: Received: Transmitted:
IP 10.10.1.1 0 20

Virtual LAN ID: 20 (Inter Switch Link Encapsulation)
vLAN Trunk Interface: FastEthernet0/0.20
Protocols Configured: Address: Received: Transmitted:
IP 10.20.1.1 0 20


Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
C 10.10.1.0 is directly connected, FastEthernet0/0.10
C 10.20.1.0 is directly connected, FastEthernet0/0.20


4.1.4 Explaining Multilayer Switching


Traditionally, a switch makes forwarding decisions by looking at the Layer 2 header, whereas a router makes forwarding decisions by looking at the Layer 3 header.

A multilayer switch combines the functionality of a switch and a router into one device, therefore enabling the device to switch traffic when the source and destination are in the same VLAN and to route traffic when the source and destination are in different VLANs (that is, different subnets).

In the figure, traffic between PC A and PC B is switched at Layer 2, whereas traffic between PC B and PC C is switched at Layer 3 (routed between subnets).

Multilayer switches forward frames and packets at wire speed by using application-specific integrated circuit (ASIC) hardware. Specific Layer 2 and Layer 3 components, such as routing tables or access control lists (ACLs), are cached into hardware. These tables are stored in content-addressable memory (CAM) and ternary content-addressable memory (TCAM).

Layer 2 forwarding in hardware is based on the destination MAC address. The Layer 2 switch learns and records the source MAC addresses from all frames that it receives. The MAC address table lists MAC addresses paired with the associated VLANs and interfaces. When a frame is received on an interface, the switch determines which VLAN the frame belongs to, looks up the destination MAC address within that VLAN in the MAC address table, and forwards the frame out the associated interface; if there is no entry, the frame is flooded to all other ports in that VLAN.

Figure describes how a Layer 2 switch forwards packets.

Layer 3 forwarding is based on the destination IP address. Layer 3 forwarding occurs when a packet is routed from a source in one subnet to a destination in another subnet. When a multilayer switch (MLS) sees its own MAC address as the destination in the Layer 2 header, it recognizes that the packet is either destined for itself or is to be routed. If the packet is not destined for the MLS, the destination IP address is compared against the Layer 3 forwarding table for the longest match, and any router ACLs applied to the interfaces are checked in hardware. In this case, the frame header must be rewritten with new source and destination MAC addresses before the frame leaves on the egress VLAN.

Figures and describe how a Layer 3 switch forwards packets.


4.1.5 Frame Rewrite


The figure shows how the frame and packet headers are altered when CEF forwards a packet. When a frame is received on an interface, the frame check sequence (FCS) in the trailer is verified first to confirm that the frame arrived intact; the frame is discarded if the check fails. Next the payload is extracted. The IP header checksum is then verified to confirm that the IP header is intact. Once the packet is processed, IP unicast packets are rewritten on the output interface as follows:

  • The source MAC address changes from the sender MAC address to the router MAC address.

  • The destination MAC address changes from the router MAC to the next-hop MAC address.

  • The TTL is decremented by one and, as a result, the IP header checksum is recalculated.

  • The frame checksum is recalculated.
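The Layer 2 lookup, the Layer 3 longest match and the rewrite steps listed above, as an added example that is not Cisco's code: a small Python model of a multilayer switch with two VLANs. The CAM table, FIB, ARP cache, MAC addresses and IP addresses are constructed for the example, and the frame check sequence is left out because the model works on the IP header only. It verifies the IP header checksum on ingress, switches same-VLAN frames by (VLAN, destination MAC), routes frames addressed to the switch's own MAC by longest prefix, drops packets whose TTL would expire, and rewrites the MAC addresses, TTL and header checksum of routed packets.

```python
import ipaddress
import struct

ROUTER_MAC = "00:00:0c:aa:bb:cc"  # constructed MAC of the routed interfaces (SVIs)

# Constructed tables (example data, not from the page).
# CAM table: (vlan, mac) -> port, built from learned source addresses.
CAM = {
    (10, "00:11:22:33:44:0a"): "Fa0/1",   # PC A, VLAN 10
    (10, "00:11:22:33:44:0b"): "Fa0/2",   # PC B, VLAN 10
    (20, "00:11:22:33:44:0c"): "Fa0/3",   # PC C, VLAN 20
}
# Layer 3 forwarding table: connected network -> egress VLAN.
FIB = {
    ipaddress.ip_network("10.10.1.0/24"): 10,
    ipaddress.ip_network("10.20.1.0/24"): 20,
}
# ARP cache of the routed interfaces: (vlan, ip) -> mac.
ARP = {(20, "10.20.1.3"): "00:11:22:33:44:0c"}


def ip_checksum(header):
    """RFC 1071 one's-complement checksum over an IPv4 header; 0 when a stored checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src, dst, ttl=64, proto=1, total_length=28):
    """Build a 20-byte IPv4 header with a correct checksum (proto 1 = ICMP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_length, 0x1234, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def forward(in_vlan, dst_mac, ip_header):
    """Return the forwarding decision and rewritten fields for one frame, or None if it is dropped."""
    if ip_checksum(ip_header) != 0:
        return None  # corrupted IP header: discarded
    if dst_mac != ROUTER_MAC:
        # Same-VLAN traffic: CAM lookup on (VLAN, destination MAC); headers are untouched.
        port = CAM.get((in_vlan, dst_mac))
        if port is None:
            return {"action": "flood", "vlan": in_vlan}
        return {"action": "l2", "port": port, "dst_mac": dst_mac, "header": ip_header}
    # Frame addressed to the switch's own MAC: route it.
    ttl = ip_header[8]
    if ttl <= 1:
        return None  # TTL would reach 0: dropped (router sends ICMP time exceeded)
    dst_ip = ipaddress.ip_address(ip_header[16:20])
    matches = [net for net in FIB if dst_ip in net]
    if not matches:
        return None  # no route: dropped (router sends ICMP unreachable)
    out_vlan = FIB[max(matches, key=lambda net: net.prefixlen)]  # longest match
    next_hop_mac = ARP.get((out_vlan, str(dst_ip)))
    if next_hop_mac is None:
        return None  # ARP miss: punted to software to resolve, not forwarded in hardware
    # Rewrite: decrement TTL, recompute the header checksum, swap MAC addresses.
    new_hdr = bytearray(ip_header)
    new_hdr[8] = ttl - 1
    new_hdr[10:12] = b"\x00\x00"
    new_hdr[10:12] = struct.pack("!H", ip_checksum(bytes(new_hdr)))
    return {"action": "l3", "vlan": out_vlan, "port": CAM.get((out_vlan, next_hop_mac)),
            "src_mac": ROUTER_MAC, "dst_mac": next_hop_mac, "header": bytes(new_hdr)}


if __name__ == "__main__":
    pkt = build_ipv4_header("10.10.1.2", "10.20.1.3")
    print(forward(10, ROUTER_MAC, pkt))
```

The TTL check sits before the route lookup so that a looping packet is dropped even when a route exists; the checksum is recomputed from scratch rather than incrementally updated, which is simpler and equally valid for a model.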

Routing, switching, ACL, and QoS tables are stored in a high-speed table memory so that forwarding decisions and restrictions can be made in high-speed hardware. Cisco Catalyst switches create and use two primary table architectures:

  • CAM table: Primary table used to make Layer 2 forwarding decisions. The table is built by recording the source address and inbound port of all frames. When a frame arrives at the switch with a destination MAC address of an entry in the CAM table, the frame is forwarded out only through the port associated with that specific MAC address.

  • TCAM table: Stores ACL, QoS, and other information generally associated with upper-layer processing.

Table lookups are done with efficient search algorithms. A “key” is created to compare the frame to the table content. For example, the destination MAC address and VLAN ID (VID) of a frame constitute the key for a Layer 2 table lookup. This key is fed into a hashing algorithm, which produces a pointer into the table. The system uses the pointer to access a smaller specific area of the table without requiring searching the entire table.

In a Layer 2 table, all bits of all information are significant for frame forwarding (for example, VLANs, destination MAC addresses, and destination protocol types). However, in more complicated tables associated with upper-layer forwarding criteria, some bits of information may be too inconsequential to analyze. For example, an ACL may require a match on the first 24 bits of an IP address, but the last 8 bits may be insignificant information.

In specific high-end switch platforms, the TCAM is a portion of memory designed for rapid, hardware-based table lookups of Layer 3 and Layer 4 information. In the TCAM, a single lookup provides all Layer 2 and Layer 3 forwarding information for frames, including CAM and ACL information.

Figure displays the ACL information stored in the TCAM table that would result in a packet being permitted or denied.

TCAM matching is based on three values per bit: 0, 1, or X, where X is a don't-care bit that matches either 0 or 1; hence the term "ternary." The memory structure is broken into a series of patterns and masks. Masks are shared among a specific number of patterns and act as wildcards over the bits of a pattern that should not be compared.

The following two ACL entries are referenced in Figure , which shows how their values are stored in the TCAM:

access-list 101 permit ip host 10.1.1.1 any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any

The TCAM table entries in Figure consist of the following types of regions:

  • Longest match region: Each longest match region consists of groups of Layer 3 address entries (“buckets”) organized in decreasing order by mask length. All entries within a bucket share the same mask value and key size. The buckets can change their size dynamically by borrowing address entries from neighboring buckets. Although the size of the whole protocol region is fixed, you can reconfigure it. The reconfigured size of the protocol region takes effect only after the next system reboot.

  • First-match region: The first-match region consists of ACL entries. Lookup stops after the first match of the entry.
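As an added example that is not Cisco's implementation, the following Python model shows how the two ACL 101 entries above and a set of routing prefixes would behave once expressed as TCAM value/mask pairs: the ACL lines go into a first-match region (an IOS wildcard mask of 0.0.0.255 becomes a TCAM mask that ignores the last 8 bits), the prefixes go into a longest-match region ordered by decreasing mask length, and the implicit deny at the end of an IOS ACL is the region's default result. ACL 101 is taken from the text; the prefixes, VLAN names and the forward_decision helper are constructed for the example.

```python
import ipaddress


class TcamEntry:
    """One TCAM row: a bit must equal value where mask is 1 and is X (don't care) where mask is 0."""

    def __init__(self, value, mask, result):
        self.value, self.mask, self.result = value, mask, result

    def matches(self, key):
        return (key & self.mask) == (self.value & self.mask)


def ip_int(addr):
    """IPv4 dotted-quad string to integer, the key fed to the TCAM."""
    return int(ipaddress.ip_address(addr))


def acl_entry(action, src, wildcard):
    """IOS wildcard bits set to 1 are don't-care, so the TCAM mask is the wildcard's complement."""
    return TcamEntry(ip_int(src), (~ip_int(wildcard)) & 0xFFFFFFFF, action)


def prefix_entry(cidr, result):
    net = ipaddress.ip_network(cidr)
    return TcamEntry(int(net.network_address), int(net.netmask), result)


# First-match region: ACL 101 from the text. "host 10.1.1.1" is wildcard 0.0.0.0 (all bits compared).
ACL_101 = [
    acl_entry("permit", "10.1.1.1", "0.0.0.0"),
    acl_entry("deny", "10.1.1.0", "0.0.0.255"),
]

# Longest-match region: constructed prefixes, ordered by decreasing mask length so that the
# first hit is the most specific route (the buckets described above).
FIB_REGION = sorted(
    [prefix_entry("10.1.1.0/24", "Vlan10"),
     prefix_entry("10.1.0.0/16", "Vlan20"),
     prefix_entry("0.0.0.0/0", "Vlan99")],
    key=lambda e: bin(e.mask).count("1"), reverse=True)


def first_match(region, key, default="deny"):
    """Lookup stops at the first matching entry; default models the implicit deny of an IOS ACL."""
    for entry in region:
        if entry.matches(key):
            return entry.result
    return default


def longest_match(region, key):
    """With the region sorted longest-mask-first, first match is the longest prefix match."""
    return first_match(region, key, default=None)


def forward_decision(src_ip, dst_ip):
    """Apply ACL 101 to the source, then route the destination; constructed helper."""
    if first_match(ACL_101, ip_int(src_ip)) == "deny":
        return "dropped by ACL 101"
    return longest_match(FIB_REGION, ip_int(dst_ip))


if __name__ == "__main__":
    for src, dst in [("10.1.1.1", "10.1.1.5"), ("10.1.1.9", "10.1.1.5"), ("10.1.1.1", "192.0.2.1")]:
        print(src, "->", dst, ":", forward_decision(src, dst))
```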


