Module Overview
4.1 Describing Routing Between VLANs
4.1.1 Inter-VLAN Routing Using an External Router
There are advantages and disadvantages of inter-VLAN routing on an external router.
The advantages are as follows:
Implementation is simple.
Layer 3 services are not required on the switch.
The router provides communications between VLANs.
The disadvantages are as follows:
The router is a single point of failure.
The single traffic path between the switch and the router may become congested.
4.1.2 Describing Inter-VLAN Routing Using External Router Configuration Commands
You can configure inter-VLAN routing using an external router over either ISL or 802.1Q trunks. The commands for configuring the trunk interface on the router are shown in Figure . Figure provides a description of the commands.
4.1.3 Configuring Inter-VLAN Routing Using an External Router
Use the encapsulation dot1q subinterface configuration command to enable 802.1Q encapsulation on a router subinterface. The subinterface number does not have to match the 802.1Q VLAN number, but it is good practice to do so.
Since traffic on the native VLAN is not tagged, all native VLAN frames are received as normal Ethernet frames, so it is not necessary to define a specific encapsulation tag for those networks. Some versions of Cisco IOS allow for the creation of a subinterface for the native VLAN. If the native VLAN is configured as a subinterface, you should use the encapsulation dot1q
The VLAN subnets are directly connected to the router. Routing between these subnets does not require a dynamic routing protocol, because the subnets are directly connected. Routes to the subnets associated with each VLAN appear in the routing table as directly connected interfaces.
Use the encapsulation isl vlan_id subinterface configuration command to enable ISL trunking on a router subinterface.
The native keyword is not used with the encapsulation ISL subinterface command, because ISL does not have the concept of a native VLAN.
Figure describes the actions needed to perform ISL encapsulation on external routers.
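The following router-on-a-stick configuration is an added example, not a figure from the original module. It uses the subinterface names and addresses that appear in the show output later in this section (FastEthernet0/0.10 with 10.10.1.1 and FastEthernet0/0.20 with 10.20.1.1); the native VLAN subinterface address 10.1.1.1 and the switch port FastEthernet0/1 are assumed.

```cisco
! Router side: one physical interface, one subinterface per VLAN.
! The physical interface carries no IP address of its own.
interface FastEthernet0/0
 no ip address
 no shutdown
!
! Native VLAN: frames arrive untagged, so the subinterface must be told so
! (the native keyword exists only for dot1q; ISL has no native VLAN).
interface FastEthernet0/0.1
 description Native VLAN 1
 encapsulation dot1q 1 native
 ip address 10.1.1.1 255.255.255.0
!
interface FastEthernet0/0.10
 description VLAN 10
 encapsulation dot1q 10
 ip address 10.10.1.1 255.255.255.0
!
interface FastEthernet0/0.20
 description VLAN 20
 encapsulation dot1q 20
 ip address 10.20.1.1 255.255.255.0
!
! For an ISL trunk, replace each "encapsulation dot1q <id>" line with
! "encapsulation isl <id>" and omit the native VLAN subinterface.
!
! Switch side (assumed port): the link toward the router is an 802.1Q trunk.
! The native VLAN must be the same on both ends, otherwise untagged frames
! are placed into the wrong subnet.
interface FastEthernet0/1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 1
 switchport mode trunk
```

After this, show ip route on the router lists 10.1.1.0, 10.10.1.0 and 10.20.1.0 as directly connected, and hosts in each VLAN use the matching subinterface address as their default gateway.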
After the router is properly configured and connected to the network, the router or the switch can communicate with other nodes on the network.
To test connectivity to remote hosts, use the ping command from privileged mode:
Switch#ping destination-ip-address
Step 1 From the router, ping a host address on each VLAN to verify router connectivity.
Step 2 From a host on a particular VLAN, ping a host on another VLAN to verify routing across the external router.
The ping command returns one of these responses:
Success rate is 100 percent or ip-address is alive: This response occurs in 1 to 10 ms, depending on network traffic and the number of Internet Control Message Protocol (ICMP) packets sent.
Destination does not respond: No answer message is returned if the host does not respond.
Unknown host: This response occurs if the targeted host cannot be resolved.
Destination unreachable: This response occurs if the default gateway cannot reach the specified network or is being blocked.
Network or host unreachable: This response occurs if the Time to Live (TTL) times out. The default is 2 seconds.
Use show commands to display the current (running) configuration, IP routing information, and IP protocol information to verify whether the routing table represents the subnets of all VLANs.
Router#show vlans
Virtual LAN ID: 10 (Inter Switch Link Encapsulation)
vLAN Trunk Interface: FastEthernet0/0.10
Protocols Configured: Address: Received: Transmitted:
IP 10.10.1.1 0 20
Virtual LAN ID: 20 (Inter Switch Link Encapsulation)
vLAN Trunk Interface: FastEthernet0/0.20
Protocols Configured: Address: Received: Transmitted:
IP 10.20.1.1 0 20
Router#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
* - candidate default, U - per-user static route, o - ODR
P - periodic downloaded static route
Gateway of last resort is not set
10.0.0.0/24 is subnetted, 2 subnets
C 10.10.1.0 is directly connected, FastEthernet0/0.10
C 10.20.1.0 is directly connected, FastEthernet0/0.20
4.1.4 Explaining Multilayer Switching
Traditionally, a switch makes forwarding decisions by looking at the Layer 2 header, whereas a router makes forwarding decisions by looking at the Layer 3 header.
A multilayer switch combines the functionality of a switch and a router into one device, therefore enabling the device to switch traffic when the source and destination are in the same VLAN and to route traffic when the source and destination are in different VLANs (that is, different subnets).
In Figure , traffic between PC A and PC B is switched at Layer 2, whereas traffic between PC B and PC C is switched at Layer 3.
Multilayer switches forward frames and packets at wire speed by using application-specific integrated circuit (ASIC) hardware. Specific Layer 2 and Layer 3 components, such as routing tables or access control lists (ACLs), are cached into hardware. These tables are stored in content-addressable memory (CAM) and ternary content-addressable memory (TCAM).
Layer 2 forwarding in hardware is based on the destination MAC address. The Layer 2 switch learns and records the source MAC addresses from all frames that it receives. The MAC address table lists MAC addresses paired with the associated VLANs and interfaces. When a frame is received on an interface, the switch determines which VLAN the frame originated from, searches all interfaces that belong to that VLAN for the destination MAC, and forwards the frame out the appropriate interface.
Figure describes how a Layer 2 switch forwards packets.
Layer 3 forwarding is based on the destination IP address. Layer 3 forwarding occurs when a packet is routed from a source in one subnet to a destination in another subnet. When a multilayer switch (MLS) sees its own MAC address in the Layer 2 header, it recognizes that the packet is either destined for itself or is to be routed. If the packet is not destined for the MLS, the destination IP address is compared against the Layer 3 forwarding table for the longest match. In addition, router ACL checks are performed. In this case, the frame header needs to be rewritten with new source and destination MAC addresses.
Figures and describe how a Layer 3 switch forwards packets.
4.1.5 Frame Rewrite
Figure shows how the frame and packet header would be altered if CEF is used to forward frames. When frames are received on an interface, the trailer checksum is first calculated to verify accurate delivery of the frame. The frame is discarded if the calculation is not accurate. Next the payload is extracted. The IP header checksum is tested to verify that it is an accurate IP header. Once the packet is processed, IP unicast packets are rewritten on the output interface as follows:
The source MAC address changes from the sender MAC address to the router MAC address.
The destination MAC address changes from the router MAC to the next-hop MAC address.
The TTL is decremented by one and, as a result, the IP header checksum is recalculated.
The frame checksum is recalculated.
Routing, switching, ACL, and QoS tables are stored in a high-speed table memory so that forwarding decisions and restrictions can be made in high-speed hardware. Cisco Catalyst switches create and use two primary table architectures:
CAM table: Primary table used to make Layer 2 forwarding decisions. The table is built by recording the source address and inbound port of all frames. When a frame arrives at the switch with a destination MAC address of an entry in the CAM table, the frame is forwarded out only through the port associated with that specific MAC address.
TCAM table: Stores ACL, QoS, and other information generally associated with upper-layer processing.
Table lookups are done with efficient search algorithms. A “key” is created to compare the frame to the table content. For example, the destination MAC address and VLAN ID (VID) of a frame constitute the key for a Layer 2 table lookup. This key is fed into a hashing algorithm, which produces a pointer into the table. The system uses the pointer to access a smaller specific area of the table without requiring searching the entire table.
In a Layer 2 table, all bits of all information are significant for frame forwarding (for example, VLANs, destination MAC addresses, and destination protocol types). However, in more complicated tables associated with upper-layer forwarding criteria, some bits of information may be too inconsequential to analyze. For example, an ACL may require a match on the first 24 bits of an IP address, but the last 8 bits may be insignificant information.
In specific high-end switch platforms, the TCAM is a portion of memory designed for rapid, hardware-based table lookups of Layer 3 and Layer 4 information. In the TCAM, a single lookup provides all Layer 2 and Layer 3 forwarding information for frames, including CAM and ACL information.
Figure displays the ACL information stored in the TCAM table that would result in a packet being permitted or denied.
TCAM matching is based on three values: 0, 1, or X (a don't-care bit that matches either 0 or 1), hence the term “ternary.” The memory structure is broken into a series of patterns and masks. Masks are shared among a specific number of patterns and are used as wildcards in some content fields.
The following two ACL entries are referenced in Figure , which shows how their values are stored in the TCAM:
access-list 101 permit ip host 10.1.1.1 any
access-list 101 deny ip 10.1.1.0 0.0.0.255 any
The TCAM table entries in Figure consist of the following types of regions:
Longest match region: Each longest match region consists of groups of Layer 3 address entries (“buckets”) organized in decreasing order by mask length. All entries within a bucket share the same mask value and key size. The buckets can change their size dynamically by borrowing address entries from neighboring buckets. Although the size of the whole protocol region is fixed, you can reconfigure it. The reconfigured size of the protocol region takes effect only after the next system reboot.
First-match region: The first-match region consists of ACL entries. Lookup stops after the first match of the entry.
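The following software model of the two TCAM regions is an added example and is not part of the original module or of any Cisco implementation. It turns the two access-list 101 entries above into pattern/mask pairs (mask bit 1 = care, 0 = X) and evaluates them first-match, and it stores the two directly connected subnets from the show ip route output as longest-match buckets ordered by decreasing mask length; the lookup keys are constructed addresses.

```python
import ipaddress

# Constructed input: the two ACL lines from this section and the two connected
# subnets from the show ip route output, modelled as TCAM pattern/mask pairs.
ACL_LINES = [
    "access-list 101 permit ip host 10.1.1.1 any",
    "access-list 101 deny ip 10.1.1.0 0.0.0.255 any",
]
ROUTES = [("10.10.1.0/24", "FastEthernet0/0.10"),
          ("10.20.1.0/24", "FastEthernet0/0.20")]

def ip_int(addr):
    return int(ipaddress.IPv4Address(addr))

def parse_acl(line):
    """'access-list 101 permit ip host 10.1.1.1 any' -> (pattern, mask, action).
    A mask bit of 1 means the key bit must equal the pattern bit; 0 is the
    ternary X and matches either value."""
    tok = line.split()
    action, src = tok[2], tok[4]
    if src == "host":
        return ip_int(tok[5]), 0xFFFFFFFF, action
    if src == "any":
        return 0, 0, action
    # IOS wildcard (0 = care) is the inverse of a TCAM mask (1 = care)
    return ip_int(src), 0xFFFFFFFF ^ ip_int(tok[5]), action

def ternary_match(key, pattern, mask):
    """One TCAM compare: only the bits the mask marks as care must agree."""
    return (key & mask) == (pattern & mask)

def first_match(entries, src_ip):
    """First-match region: the first entry that matches decides the action."""
    key = ip_int(src_ip)
    for pattern, mask, action in entries:
        if ternary_match(key, pattern, mask):
            return action
    return "deny"  # every IOS ACL ends with an implicit deny

def longest_match(routes, dst_ip):
    """Longest-match region: buckets ordered by decreasing mask length, so the
    first hit is the most specific prefix. Returns the outgoing interface."""
    key = ip_int(dst_ip)
    buckets = []
    for prefix, iface in routes:
        net = ipaddress.ip_network(prefix)
        buckets.append((net.prefixlen, int(net.network_address),
                        int(net.netmask), iface))
    for _, pattern, mask, iface in sorted(buckets, reverse=True):
        if ternary_match(key, pattern, mask):
            return iface
    return None  # no gateway of last resort, as in the show ip route output

ACL = [parse_acl(line) for line in ACL_LINES]
```

Swapping the order of the two ACL entries makes the deny line match 10.1.1.1 first, which is why first-match regions are order-sensitive while longest-match regions are not.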