Inter VLAN Routing

The document discusses different methods for routing between VLANs on a Cisco network, including using an external router, switch virtual interfaces (SVIs) on a multilayer switch, and routed ports on a multilayer switch. It provides configuration examples and compares the advantages and disadvantages of each approach.

CCNP SWITCH 642-813 :: Inter-VLAN Routing
By Aaron on November 10, 2010. Posted in SWITCH.


http://www.ccnpguide.com/ccnp-switch-642-813-switching/

VLANs require a layer 3 device between them to communicate. Cisco recommends using layer 3 routing at the distribution layer of the multilayer switched network to terminate local VLANs, isolate network problems, and keep access layer issues from affecting the core.

There are 3 inter-VLAN routing device options:

• layer 3 multilayer Catalyst switch
• external router that allows trunking (router-on-a-stick)
• external router with enough interfaces for every VLAN (this doesn't scale and is very expensive)

All Catalyst multilayer switches support the following types of layer 3 interfaces:

Routed port – a pure layer 3 port similar to that on a router

Switch virtual interface (SVI) – virtual routed VLAN interface for inter-VLAN routing

Bridge virtual interface (BVI) – a layer 3 bridging interface

Inter-VLAN Routing Types

External Router (router-on-a-stick)

A layer 2 switch can be connected to a single router to allow inter-VLAN communication, either using a single physical link as a trunk with multiple subinterfaces (a.k.a. router-on-a-stick) or using separate physical links between the switch and router for each individual VLAN.

An example configuration on the router would be:

interface FastEthernet 0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet 0/1.10
 description data vlan
 encapsulation dot1q 10
 ip address 10.1.10.1 255.255.255.0
!
interface FastEthernet 0/1.20
 description mgmt vlan
 encapsulation dot1q 20
 ip address 10.1.20.1 255.255.255.0
!
interface FastEthernet 0/1.55
 description native vlan
 encapsulation dot1q 55 native
 ip address 10.1.55.1 255.255.255.0

  

Advantages

• Works with almost all switches because the switches do not have to support layer 3, just VLANs and trunking
• Simple configuration (one switch port, one router interface)

Disadvantages

• Router is a single point of failure
• If the trunk becomes congested, it can affect every VLAN
• Slightly higher latency because (1) traffic must leave and re-enter the switch and (2) the router makes the forwarding decisions in software (which is slower than hardware)

Configuring Inter-VLAN Routing with an External Router

Implementation Planning

• Need to know how many VLANs require routing, the VLAN IDs, and what ports connect to the router
• Every router subinterface must be configured with the same type of frame encapsulation (usually 802.1Q) as the switch side of the link
• Make sure the native VLAN is the same on both ends. A subinterface on the router can be created for the native VLAN.
• It is best practice to match the subinterface ID to the VLAN ID


Configuring Router-on-a-stick

1. Enable trunking on the switch port
2. Enable the router interface with the no shutdown command
3. Create the subinterfaces on the router for each VLAN
4. Configure IPs and encapsulation on each subinterface as they relate to their VLANs

Router(config-subif)# encapsulation [dot1q | isl] vlan-id [native]
Router(config-subif)# ip address x.x.x.x x.x.x.x

Example router interface configuration

Router(config)# interface FastEthernet 0/0
Router(config-if)# no shutdown
Router(config-if)# interface FastEthernet 0/0.1
Router(config-subif)# description VLAN 1
Router(config-subif)# encapsulation dot1Q 1 native
Router(config-subif)# ip address 10.1.1.1 255.255.255.0
Router(config-subif)# exit
Router(config)# interface FastEthernet 0/0.2
Router(config-subif)# description VLAN 2
Router(config-subif)# encapsulation dot1Q 2
Router(config-subif)# ip address 10.2.2.1 255.255.255.0
Router(config-subif)# exit
Router(config)# end

Example switch trunk interface configuration (connected to the router's Fa 0/0)

switch(config)# interface FastEthernet 4/2
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport mode trunk

Switch Virtual Interfaces

Remember that Cisco recommends using layer 2 connectivity between access and distribution layers and layer 3 routing between distribution and core layers.

SVIs are virtual VLAN interfaces on multilayer switches; one SVI is created for each VLAN to be routed, and it performs the routing process for all the packets associated with that VLAN.

The only SVI created by default is the SVI for VLAN 1. The rest must be created manually using the command:

Switch(config)# interface vlan vlan_id

SVIs are commonly used for:

• Default gateways for users within the VLAN
• A virtual route between VLANs
• Providing an IP address for connectivity to the switch itself
• An interface for routing protocols

An SVI is considered "up" when at least one interface in its associated VLAN is active and forwarding traffic. If all interfaces within that VLAN are down, the SVI goes down to prevent creating a routing loop.

Advantages

• Fast because all routing is performed in hardware
• No need for external links for routing
• Low latency (traffic doesn't need to leave the switch)

Disadvantages

• May require a more expensive switch

Configuring Inter-VLAN Routing with SVIs

Implementation Planning

• Identify which VLANs require layer 3 gateways, as you may not want all VLANs to be routable within the organization
• Make sure VLANs are first created on the switch, then make the SVIs
• Find out what IPs need to be configured on each SVI interface, then use the no shutdown command to enable them
• Configure any routing protocols that are required
• Determine if any switchports should be excluded from contributing to the SVI line-state up-and-down calculation

Configuring SVIs

1. Enable IP routing
2. Create the VLANs
3. Create the SVI
4. Assign an IP address to each SVI
5. Enable the interface
6. Optional – Enable an IP routing protocol

Note: Routing protocols are only required to allow different devices to communicate across different VLANs or networks. They are not required to route between SVIs on the same switch because the switch sees the SVIs as connected interfaces.

Example Configuration

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# ip routing
Switch(config)# vlan 10
Switch(config-vlan)# exit
Switch(config)# interface vlan 10
Switch(config-if)# ip address 10.10.1.1 255.0.0.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# router rip
Switch(config-router)# network 10.0.0.0

SVI Autostate

An SVI comes up automatically when the following conditions are met:

• The VLAN is active and exists in the VLAN database
• The VLAN interface exists and is not administratively shut down
• At least one port on the switch is in the VLAN, is in the up state, and is in the spanning-tree forwarding state

This automatic line-state tracking is called SVI Autostate. If there are multiple ports on the switch in the same VLAN, the default action is to take down the SVI interface if all of the ports in that VLAN are shut down.

The switchport autostate exclude command, when applied to a port, removes that port from the calculation, so the SVI can still go down when all of the other ports in the VLAN go down. This is often desirable when a traffic analyzer is attached: its port stays up, but the analyzer is only a passive monitor, so if every other device in the VLAN goes down this one port would keep the SVI up. Applying autostate exclude to it lets the SVI go down as intended.
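As an added illustration (not from the original post), a Python model of the autostate decision just described, including the effect of switchport autostate exclude on a port feeding a passive traffic analyzer. The port names, VLAN numbers and link states are constructed.

```python
from dataclasses import dataclass
from typing import List

@dataclass
class Port:
    name: str
    vlan: int
    link_up: bool
    stp_forwarding: bool
    autostate_exclude: bool = False  # 'switchport autostate exclude' applied

def svi_line_state(vlan_id: int, vlan_active: bool, svi_admin_up: bool,
                   ports: List[Port]) -> str:
    """Return the SVI line state under the autostate rules: the VLAN must be
    active, the SVI must not be shut down, and at least one port in the VLAN
    that is NOT autostate-excluded must be link-up and STP forwarding."""
    if not vlan_active:
        return "down"          # VLAN missing from the VLAN database or inactive
    if not svi_admin_up:
        return "administratively down"
    contributing = [p for p in ports
                    if p.vlan == vlan_id and not p.autostate_exclude]
    if any(p.link_up and p.stp_forwarding for p in contributing):
        return "up"
    return "down"              # no contributing port is forwarding

def analyzer_scenario(exclude_monitor: bool) -> str:
    """Constructed VLAN 10: two host ports that have gone down plus a port
    feeding a passive traffic analyzer that stays link-up. Without the
    exclude, the analyzer port alone keeps the SVI up."""
    ports = [
        Port("Fa0/1", 10, link_up=False, stp_forwarding=False),
        Port("Fa0/2", 10, link_up=False, stp_forwarding=False),
        Port("Fa0/24", 10, link_up=True, stp_forwarding=True,
             autostate_exclude=exclude_monitor),
        Port("Fa0/3", 20, link_up=True, stp_forwarding=True),  # other VLAN, ignored
    ]
    return svi_line_state(10, vlan_active=True, svi_admin_up=True, ports=ports)
```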

Routed Ports

Routed ports are physical ports on the switch that act much like a router interface would with an IP address configured. Routed ports are not associated with a particular VLAN and do not run layer 2 protocols like STP or VTP.

Note: Routed interfaces also do not support subinterfaces. Routed ports are point-to-point links that usually connect core switches to other core switches or distribution layer switches (if the distribution layer is running layer 3). They can also be used when a switch has only a single switch port per VLAN or subnet.

When configuring a routed port, use the no switchport command to make sure the interface is configured to operate at layer 3. Also make sure to assign an IP address and any other layer 3 information required. Lastly, check that the appropriate routing protocols are configured.

Advantages

• A multilayer switch can have both SVIs and routed ports configured
• Multilayer switches forward all layer 2 and 3 traffic in hardware, so it is very fast

Configuring Inter-VLAN Routing with Routed Ports

1. Select the interface
2. Convert to a layer 3 port (no switchport command)
3. Add an IP address
4. Enable the interface (no shutdown command)

Example Configuration

Core(config)# interface GigabitEthernet 1/1
Core(config-if)# no switchport
Core(config-if)# ip address 10.10.1.1 255.255.255.252
Core(config-if)# no shutdown
Core(config-if)# exit

Verification Commands

• show ip interface interface_type_port | vlan svi_number
• show interface interface_type_port | vlan svi_number
• show running-config interface interface_type_port | vlan svi_number
• ping
• show vlan
• show interface trunk

Troubleshooting Inter-VLAN Problems

Here is a list to run through when identifying an issue related to inter-VLAN routing:

• Correct VLANs on switches and trunks
• Correct routes
• Correct primary and secondary root bridges
• Correct IP addresses and masks

The table below outlines common issues that may come up and some potential causes.

Routing Protocol Configuration

Unlike routers, multilayer switches do not automatically route until a layer 3 interface is defined or an SVI is created. Routing can be configured just like on an actual router, using static routes and dynamic routing protocols. If routing is required, make sure the global ip routing command has first been applied. You may be required to do some dynamic routing protocol configuration on a multilayer switch within the SWITCH exam, so make sure you brush up on your routing protocol basics.

A simple example is below:

Switch(config)# ip routing
Switch(config)# router eigrp 20
Switch(config-router)# no auto-summary
Switch(config-router)# network 10.0.0.0
Switch(config-router)# exit

To verify a routing protocol is behaving as expected, use the show ip route command to display the active routing table routes. show ip route also lets you see the routing protocols currently running on the device.

Multilayer Switching

A multilayer switch can perform both layer 2 switching as well as inter-VLAN routing. While I spend a considerable amount of time walking through the low-level details here, Cisco thinks it is really important. It's also easy for Cisco to ask SWITCH exam questions on (like the order of operations), so take your time and make sure you understand the process. Knowing the order of events within the switch will help you understand how the many forwarding and filtering options interact.

Switch Forwarding Architectures

There are three different ways packets are switched on a layer 3 switch or router:

Process Switching

Each packet is examined by the internal processor and is handled in software. This is the slowest option (only used in routers).

Route Caching (old method, also known as "fast switching")

The route processor handles a flow's first packet in software, setting up a "shortcut" so the remaining packets avoid software-based routing and are immediately forwarded in hardware. This method is faster than process switching and is done in both routers and layer 3 switches.

Cisco Express Forwarding (a.k.a. CEF or topology-based switching)

The layer 3 routing table dynamically populates a single database of the entire network topology in hardware (the FIB) for fast and efficient lookup. This is the fastest method and is the default option within Cisco routers and multilayer switches.

Cisco Express Forwarding

Multilayer Switching, or MLS, is a fairly general term used to describe features that enable very efficient routing of traffic between VLANs and routed ports. Cisco Express Forwarding, or CEF, is the specific implementation of MLS that Cisco uses on their multilayer switches.

(Figures: Layer 2 Forwarding Process; Layer 3 Forwarding Process)

CAM

The CAM table stores information about frames that pass through the switch for more intelligent forwarding. The CAM table stores two pieces of information about traffic:

• MAC address
• Inbound port

Frames passing through the switch first enter the ingress queue, then proceed simultaneously to the Security TCAM (ACLs), QoS TCAM, and L2 Forwarding Table (CAM). Afterwards, they all enter the egress queue before exiting an interface.

CAM Command Summary

Switch# show mac address-table dynamic
Allows you to view the contents of the switch's CAM table (entries learned through passing frames)

Switch# show mac address-table count
Shows the CAM table entries according to VLAN assignments. So if you want to see how many hosts the switch knows about in a particular VLAN, this lays it out in a nice table format.

TCAM

The TCAM stores layer 3 and up information including QoS, ACLs, and routing info. The TCAM is always organized by masks; each mask has 8 value patterns associated with it. Note that every mask-value pair is evaluated simultaneously (in parallel), looking for the longest match in a single lookup.

Troubleshooting tip: If you need to find out where a particular device is attached to the network, you can run the show mac address-table dynamic address xxxx.xxxx.xxxx command at the core of the network to determine which port the address was learned on (and thus the downstream switch). Continue the process until you reach the final access switch that the device is attached to.

CEF Packet Flow:

Ingress queue
    |
    v
Security TCAM, QoS TCAM, L3 Forwarding (FIB), L2 Forwarding (CAM)
    |
    v
L3 packet rewrite
    |
    v
Egress queue

FIB + Adjacency Tables

The FIB, or Forwarding Information Base, is what allows CEF to switch layer 3 traffic so quickly. It is built in hardware from the existing routing table as a single route cache, allowing packets to be forwarded directly the very first time they are seen on the switch.

The FIB uses the destination IP address as the table index. It also contains the next-hop IP and MAC, so no other lookup is necessary. CEF uses another table, the adjacency table, along with the FIB to quickly forward packets. While the FIB stores the routing information, the adjacency table is derived from the ARP table and stores the layer 2 next-hop address and frame header rewrite information for all FIB entries. The control plane controls and coordinates all of this information and is physically separate from the data plane (the actual layer 2 forwarding), which allows further performance improvements.

To recap, the FIB is responsible for maintaining the next-hop IP address for all known routes and the adjacency table maintains the layer 2 information. The adjacency table links to the FIB entries, so combined they provide all the layer 2 and 3 next-hop information necessary to dramatically increase packet switching speed. When the adjacency table is full, a TCAM entry points to the L3 engine to redirect the adjacency.

There are five adjacency categories that you should be aware of:

• Null
• Punt
• Glean
• Discard
• Drop

For the CCNP SWITCH exam, it's not important that you understand the function of each adjacency. Just know that they provide L2 information for CEF, derived from the ARP table, and be able to recognize the names.
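As an added example (not from the original post), a Python model of the FIB plus adjacency lookup described above: longest-prefix match on the destination IP, then the adjacency supplies the MAC rewrite, with the glean (no ARP entry yet) and punt (TTL expired) cases handled as the text describes. The prefixes, next hops, MACs and interface names are all constructed.

```python
import ipaddress
from typing import Dict, Optional

# Constructed FIB: prefix -> next-hop IP, or "connected" for directly attached subnets.
FIB: Dict[ipaddress.IPv4Network, str] = {
    ipaddress.ip_network("10.1.10.0/24"): "connected",
    ipaddress.ip_network("10.1.20.0/24"): "connected",
    ipaddress.ip_network("10.0.0.0/8"): "10.1.55.2",
    ipaddress.ip_network("0.0.0.0/0"): "10.1.55.2",
}
# Constructed adjacency table (derived from ARP): next-hop IP -> rewrite info.
ADJACENCY: Dict[str, Dict[str, str]] = {
    "10.1.10.25": {"mac": "0011.2233.4455", "egress": "Vlan10"},
    "10.1.55.2": {"mac": "00aa.bbcc.dd01", "egress": "Vlan55"},
}
# Constructed MAC of each egress SVI, written into the frame as the new source MAC.
EGRESS_MAC = {"Vlan10": "0000.0c11.1010", "Vlan55": "0000.0c11.5555"}

def fib_lookup(dst: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Network]:
    """Longest-prefix match over the FIB (the TCAM does this in one parallel lookup)."""
    matches = [n for n in FIB if dst in n]
    return max(matches, key=lambda n: n.prefixlen) if matches else None

def cef_forward(dst_ip: str, ttl: int) -> Dict[str, object]:
    """Decide what the hardware does with a packet addressed to dst_ip."""
    dst = ipaddress.ip_address(dst_ip)
    if ttl <= 1:
        # Punt adjacency: the CPU has to generate the ICMP time-exceeded reply.
        return {"action": "punt", "reason": "TTL expired"}
    prefix = fib_lookup(dst)
    if prefix is None:
        return {"action": "drop", "reason": "no route"}
    next_hop = FIB[prefix]
    if next_hop == "connected":
        next_hop = dst_ip           # deliver directly on the attached subnet
    adj = ADJACENCY.get(next_hop)
    if adj is None:
        # Glean adjacency: no ARP entry yet, so the CPU resolves it first.
        return {"action": "glean", "reason": f"ARP needed for {next_hop}"}
    # Complete adjacency: rewrite the L2 header and decrement TTL in hardware.
    return {"action": "forward", "route": str(prefix), "egress": adj["egress"],
            "dst_mac": adj["mac"], "src_mac": EGRESS_MAC[adj["egress"]],
            "ttl": ttl - 1}
```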

Distributed CEF (dCEF)

Distributed CEF, commonly denoted dCEF, speeds up CEF switching even more by running a FIB table on each of a switch's line cards. Because the FIB lookup occurs directly on the line card itself, it no longer has to query the switch's processor or route table for next-hop information.

This is currently the fastest method of implementing CEF on Cisco switches. Switching methods in order from fastest to slowest: dCEF, CEF, fast switching, process switching.

CEF Configuration and Verification

All modern Catalyst switches use CEF by default, so no manual configuration is necessary.

Some verification commands to know:

Switch# show ip cef
Shows entries currently in the FIB

Switch# show adjacency
Displays current adjacency information

CEF Exceptions

Some types of traffic are not able to bypass the processor using CEF. Some examples include:

• ARP packets
• Router responses (TTL expired, MTU exceeded, etc.)
• IP broadcasts (DHCP requests)
• Routing protocol updates
• CDP packets
• Anything encrypted
• Packets triggering NAT
• Most non-IP packets

Implementing DHCP in a Multilayer Switch Environment

By default, Catalyst multilayer switches include DHCP relay agent software.

Distribution multilayer switches often act as layer 3 gateways for clients connecting to the access switches. Because of this, DHCP can be provided within the same switches to serve the hosts with IP addresses and other necessary network parameters.

The other option is to consolidate the DHCP services on one or more dedicated servers. In that case, the distribution layer must redirect incoming client DHCP requests to the external DHCP server.

Configuring DHCP service on the multilayer switch

1. By default the switch assumes the whole network range for the DHCP scope. To exclude certain addresses or ranges, in global config mode, use the ip dhcp excluded-address command. Follow it with a range of addresses to exclude from your scope. For discontinuous ranges, use more than one ip dhcp excluded-address command.
2. Configure the network value, which indicates the subnet to offer addresses from.
3. Configure any other network parameters you would like the switch to serve in its DHCP offers (e.g. default gateway, lease duration, subnet mask, DNS server address).

Note: Remember that a switch cannot offer DHCP addresses for a subnet it is not a member of.

Configuration Example

Switch(config)# ip dhcp excluded-address 10.1.10.1 10.1.10.20 (range beginning to end)
Switch(config)# ip dhcp pool example10
Switch(config-dhcp)# network 10.1.10.0 255.255.255.0
Switch(config-dhcp)# default-router 10.1.10.1
Switch(config-dhcp)# option 150 10.1.1.50 (option 150 specifies a TFTP server IP, often for IP phones to reach Call Managers)
Switch(config-dhcp)# lease 0 8 0 (0 days 8 hours 0 minutes)
Switch(config-dhcp)# exit
Switch(config)# interface vlan10
Switch(config-if)# ip address 10.1.10.1 255.255.255.0

Configuring DHCP Relay

If an enterprise is using external DHCP servers, then the ip helper-address command must be entered on the layer 3 interface. Hosts use broadcast messages to find the DHCP server, so if the server is in a different subnet the request would be dropped at the default gateway, because broadcasts are not forwarded across VLAN boundaries.

The DHCP relay agent allows the DHCP request to be forwarded on as a unicast message to a single IP address. It not only forwards DHCP, but also TFTP, DNS, Time, NetBIOS name server, and BOOTP packets by default. The ip helper-address command must be applied to the layer 3 interface itself.

Configuration Example

switch(config)# interface vlan10
switch(config-if)# ip address 10.1.10.1 255.255.255.0
switch(config-if)# ip helper-address 10.1.100.1

Note: You can apply it to an SVI or a routed interface.
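As an added example (not from the original post), a Python model of the two DHCP roles covered above: a local pool that honours ip dhcp excluded-address, and the relay behaviour of ip helper-address, which turns the client broadcast into a unicast to the helper and records the SVI address in giaddr so the server can pick the matching pool. The pool values mirror the configuration example; the client MACs, helper address and packet fields are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPv4 = ipaddress.IPv4Address

@dataclass
class Pool:
    name: str
    network: ipaddress.IPv4Network          # 'network' under 'ip dhcp pool'
    default_router: str                      # 'default-router'
    excluded: List[Tuple[IPv4, IPv4]]        # 'ip dhcp excluded-address' ranges
    bindings: Dict[str, IPv4] = field(default_factory=dict)  # client MAC -> leased IP

def excluded_range(start: str, end: str) -> Tuple[IPv4, IPv4]:
    return ipaddress.ip_address(start), ipaddress.ip_address(end)

def relay(discover: Dict[str, str], svi_ip: str, helper: str) -> Dict[str, str]:
    """What 'ip helper-address' does: the broadcast DISCOVER leaves the SVI as a
    unicast to the helper, with giaddr set to the SVI address."""
    forwarded = dict(discover)
    forwarded["dst"] = helper
    forwarded["giaddr"] = svi_ip
    return forwarded

def select_pool(pools: List[Pool], giaddr: str) -> Optional[Pool]:
    """The server offers from the pool whose subnet contains giaddr (or the
    receiving interface address when the switch itself is the server); a
    subnet the server has no pool for yields no offer."""
    addr = ipaddress.ip_address(giaddr)
    return next((p for p in pools if addr in p.network), None)

def offer(pool: Pool, client_mac: str) -> Optional[IPv4]:
    """Lowest free host address not in an excluded range; existing bindings are reused."""
    if client_mac in pool.bindings:
        return pool.bindings[client_mac]
    for host in pool.network.hosts():
        if any(lo <= host <= hi for lo, hi in pool.excluded):
            continue
        if host in pool.bindings.values():
            continue
        pool.bindings[client_mac] = host
        return host
    return None  # pool exhausted

def build_pools() -> List[Pool]:
    """Constructed pool using the values from the configuration example above."""
    return [Pool("example10", ipaddress.ip_network("10.1.10.0/24"), "10.1.10.1",
                 [excluded_range("10.1.10.1", "10.1.10.20")])]
```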


Verifying DHCP Settings

Use these two commands to check its operation:

Switch# show ip dhcp binding - displays client DHCP bindings including IP address and MAC
Switch# debug ip dhcp server packet - shows in real time the DHCP discover, offer, reply, and ack packets
