Nov 10, 2010 | Post by: aaron 2 Comments

CCNP SWITCH 642-813 :: Inter-VLAN Routing

 

VLANs require a layer 3 device between them to communicate.  Cisco recommends performing layer 3 routing at the distribution layer of the multilayer switched network to terminate local VLANs, isolate network problems, and keep access-layer problems from affecting the core.

 

There are 3 inter-VLAN routing device options:

  • layer 3 multilayer Catalyst switch
  • external router that allows trunking (router-on-a-stick)
  • external router with enough interfaces for every VLAN (this doesn’t scale and is very expensive)


All Catalyst multilayer switches support the following types of layer 3 interfaces:

Routed port – a pure layer 3 port similar to that on a router
Switch virtual interface (SVI) – virtual routed VLAN interface for inter-VLAN routing
Bridge virtual interface (BVI) – a layer 3 bridging interface


Inter-VLAN Routing Types

External Router (router-on-a-stick)

A layer 2 switch can be connected to a single router to provide inter-VLAN communication either over a single physical link configured as a trunk, with one router subinterface per VLAN (a.k.a. router-on-a-stick), or over separate physical links between the switch and the router for each individual VLAN.

An example configuration on the router would be (each subinterface address is the default gateway for its VLAN, so it must be a host address in the subnet, not the network address, and the native subinterface still needs its VLAN ID):

interface FastEthernet 0/1
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet 0/1.10
 description data vlan
 encapsulation dot1Q 10
 ip address 10.1.10.1 255.255.255.0
!
interface FastEthernet 0/1.20
 description mgmt vlan
 encapsulation dot1Q 20
 ip address 10.1.20.1 255.255.255.0
!
interface FastEthernet 0/1.55
 description native vlan
 encapsulation dot1Q 55 native
 ip address 10.1.55.1 255.255.255.0
  

Advantages

  • Works with almost all switches because the switches do not have to support layer 3, just VLANs and trunking
  • Simple configuration (one switch port, one router interface)


Disadvantages

  • Router is a single point of failure
  • If the trunk becomes congested, it can affect every VLAN
  • Slightly higher latency because (1) traffic must leave and re-enter the switch and (2) the router makes forwarding decisions in software, which is slower than hardware


Configuring Inter-VLAN Routing with an External Router

Implementation Planning

  • Need to know how many VLANS require routing, the VLAN IDs, and what ports connect to the router
  • Every router subinterface must use the same frame encapsulation (usually 802.1Q) as the switch side of the link
  • Make sure the native VLAN is the same on both ends.  An untagged frame is placed in whatever native VLAN the receiving end is configured with, so a mismatch silently merges two VLANs.  A subinterface can be created on the router for the native VLAN.
  • It is best practice to match the subinterface ID to the VLAN ID


Configuring Router-on-a-stick

1. Enable trunking on the switch port
2. Enable the router interface with the no shut command
3. Create the subinterfaces on the router for each VLAN
4. Configure IPs and encapsulation on each subinterface as they relate to their VLANs

Router(config-subif)# encapsulation {dot1q | isl} vlan-id [native]
Router(config-subif)# ip address ip-address subnet-mask


Example router interface configuration

Router(config)# interface FastEthernet 0/0
Router(config-if)# no shutdown
Router(config-if)# interface FastEthernet 0/0.1
Router(config-subif)# description VLAN 1
Router(config-subif)# encapsulation dot1Q 1 native
Router(config-subif)# ip address 10.1.1.1 255.255.255.0
Router(config-subif)# exit
Router(config)# interface FastEthernet 0/0.2
Router(config-subif)# description VLAN 2
Router(config-subif)# encapsulation dot1Q 2
Router(config-subif)# ip address 10.2.2.1 255.255.255.0
Router(config-subif)# exit
Router(config)# end


Example switch trunk interface configuration (connected to router’s Fa 0/0)

switch(config)# interface FastEthernet 4/2
switch(config-if)# switchport trunk encapsulation dot1q
switch(config-if)# switchport mode trunk
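To make the trunk-side mechanics concrete, here is an added Python model (not code from the original notes) of what happens on the link between the switch and the router: it builds and parses 802.1Q-tagged frames, assigns an untagged frame to the receiving port's native VLAN, and shows how a native-VLAN mismatch sends the switch's VLAN 55 traffic into no router subinterface at all. The MAC addresses, the payload and the VLAN-to-subinterface map are constructed for the demo and are assumptions, not values from the page.

```python
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100
ETH_IPV4 = 0x0800


def mac_bytes(mac: str) -> bytes:
    """'00:11:22:33:44:55' -> 6 raw bytes."""
    return bytes(int(b, 16) for b in mac.split(":"))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(dst: str, src: str, payload: bytes, vlan: Optional[int] = None,
                pcp: int = 0, ethertype: int = ETH_IPV4) -> bytes:
    """Ethernet II frame; an 802.1Q tag is inserted when vlan is given.

    The 4-byte tag sits between the source MAC and the EtherType:
        TPID 0x8100 | TCI = PCP (3 bits) + DEI (1 bit) + VID (12 bits)
    A trunk sends its native VLAN untagged, i.e. vlan=None.
    """
    if vlan is not None and not 1 <= vlan <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0xFFF)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Return dst, src, vlan (None when untagged), ethertype and payload."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    dst, src = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    vlan, off = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vlan, off = tci & 0xFFF, 18
    return {"dst": mac_str(dst), "src": mac_str(src), "vlan": vlan,
            "ethertype": ethertype, "payload": frame[off:]}


def ingress_vlan(frame: bytes, native_vlan: int) -> int:
    """VLAN a trunk port assigns to a received frame: the tag's VID, or the
    port's own native VLAN when the frame arrives untagged.  The receiver
    cannot know which VLAN the sender meant an untagged frame to be in."""
    vid = parse_frame(frame)["vlan"]
    return native_vlan if vid is None else vid


def egress_frame(vlan: int, dst: str, src: str, payload: bytes, native_vlan: int) -> bytes:
    """A trunk strips the tag for its native VLAN and tags every other VLAN."""
    return build_frame(dst, src, payload, vlan=None if vlan == native_vlan else vlan)


# Constructed router-on-a-stick map (mirrors the Fa0/1.x example above): VLAN -> subinterface.
ROUTER_SUBIFS: Dict[int, str] = {10: "Fa0/1.10", 20: "Fa0/1.20", 55: "Fa0/1.55"}


def subinterface_for(frame: bytes, router_native_vlan: int) -> Optional[str]:
    """Which router subinterface processes the frame; None means the router
    has no interface in that VLAN and the packet is dropped."""
    return ROUTER_SUBIFS.get(ingress_vlan(frame, router_native_vlan))


def demo() -> dict:
    """Matching vs. mismatched native VLAN on the switch-to-router trunk."""
    host, gw = "00:11:22:33:44:55", "00:aa:bb:cc:dd:ee"      # constructed MACs
    payload = b"\x45" + b"\x00" * 19                          # stand-in IPv4 header
    # The switch's native VLAN is 55, so VLAN 55 frames leave the trunk untagged...
    untagged = egress_frame(55, gw, host, payload, native_vlan=55)
    # ...while VLAN 10 frames are always tagged.
    tagged = egress_frame(10, gw, host, payload, native_vlan=55)
    return {
        "tagged_vid": parse_frame(tagged)["vlan"],
        "router_native_55": subinterface_for(untagged, router_native_vlan=55),
        "router_native_1": subinterface_for(untagged, router_native_vlan=1),
    }


if __name__ == "__main__":
    print(demo())
```

With both ends agreeing on native VLAN 55 the untagged frame lands on Fa0/1.55; if the router is left at the default native VLAN 1 the same frame is classified as VLAN 1, which has no subinterface here, and hosts in VLAN 55 lose their gateway without any error on either side.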


Switch Virtual Interfaces

Remember that Cisco recommends using layer 2 connectivity between access and distribution layers and layer 3 routing between distribution and core layers.

SVIs are virtual VLAN interfaces on multilayer switches; one SVI is created for each VLAN to be routed and it performs the process for all the packets associated with that VLAN.

The only SVI created by default is the SVI for VLAN 1.  The rest must be created manually using the command:

Switch(config)# interface vlan vlan_id


SVIs are commonly used for:

  • Default gateway for hosts within the VLAN
  • Virtual routed interface between VLANs
  • IP address for management connectivity to the switch itself
  • Interface for routing protocols

An SVI is considered “up” when at least one interface in its associated VLAN is active and forwarding traffic.  If all interfaces within that VLAN are down, the SVI goes down so that the switch stops advertising a route to a subnet it can no longer reach (otherwise traffic for that subnet would be black-holed).


Advantages

  • Fast because routing is performed in hardware
  • No need for external links for routing
  • Low latency (doesn’t need to leave the switch)


Disadvantages

  • May require a more expensive switch


Configuring Inter-VLAN Routing with SVIs

Implementation Planning

  • Identify which VLANs require layer 3 gateways as you may not want all VLANs to be routable within the organization
  • Make sure VLANs are first created on the switch, then make the SVIs
  • Find out what IPs need to be configured on each SVI interface, then use the no shutdown command to enable them
  • Configure any routing protocols that are required
  • Determine if any switchports should be excluded from contributing to the SVI line-state up-and-down calculation

Configuring SVIs

1. Enable IP routing
2. Create the VLANs
3. Create the SVI
4. Assign an IP address to each SVI
5. Enable the interface
6. Optional – Enable an IP routing protocol

Note: Routing protocols are only required to allow different devices to communicate across different VLANs or networks.  They are not required to route between SVIs on the same switch because the switch sees the SVIs as connected interfaces.


Example Configuration

Switch# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# ip routing
Switch(config)# vlan 10
Switch(config-vlan)# exit
Switch(config)# interface vlan 10
Switch(config-if)# ip address 10.10.1.1 255.255.255.0
Switch(config-if)# no shutdown
Switch(config-if)# exit
Switch(config)# router rip
Switch(config-router)# network 10.0.0.0


SVI Autostate

An SVI comes up (line protocol up) only when all of the following conditions are met:

  • The VLAN is active and exists in the VLAN database
  • The VLAN interface exists and is not administratively shut down
  • At least one port on the switch is assigned to the VLAN (an access port or a trunk carrying it), is in the up state, and is in the spanning-tree forwarding state

This automatic up/down tracking is called SVI autostate.  If there are multiple ports on the switch in the same VLAN, the default action is to take the SVI down only when every port in that VLAN is down.

The command switchport autostate exclude, applied to a port, removes that port from the autostate calculation: if every other port in the VLAN goes down, the SVI goes down even though the excluded port is still up.  This is desirable for ports connected to passive devices such as traffic analyzers.  Their link stays up but they are only monitors, so without the exclusion a single analyzer port would keep the SVI (and the route it advertises) up after every real host in the VLAN had gone away.
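To make the autostate rule concrete, here is an added Python model of the decision (not code from the original notes): a trunk that carries the VLAN but is blocked by spanning tree, a powered-off server port, and an always-up port feeding a passive traffic analyzer. Port names and the scenario are constructed.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class Port:
    name: str
    vlans: set                        # VLANs the port carries (one for access, many for a trunk)
    link_up: bool
    stp_forwarding: bool              # False while blocking / listening / learning
    autostate_exclude: bool = False   # 'switchport autostate exclude' applied


def svi_state(vlan: int, vlan_active: bool, svi_admin_down: bool,
              ports: List[Port]) -> Tuple[str, List[str]]:
    """Autostate decision for 'interface vlan <vlan>'.

    Returns ("up" | "down", [ports that count towards 'up']).  A port counts
    only when it carries the VLAN, its link is up, STP is forwarding on it,
    and it has not been excluded from the calculation.
    """
    if not vlan_active or svi_admin_down:
        return "down", []
    counting = [p.name for p in ports
                if vlan in p.vlans and p.link_up and p.stp_forwarding
                and not p.autostate_exclude]
    return ("up" if counting else "down"), counting


def demo() -> dict:
    """VLAN 10: one server, one trunk uplink and a passive traffic analyzer."""
    server = Port("Gi1/0/1", {10}, link_up=False, stp_forwarding=False)      # server powered off
    uplink = Port("Gi1/0/48", {10, 20}, link_up=True, stp_forwarding=False)  # trunk blocked by STP
    analyzer = Port("Gi1/0/2", {10}, link_up=True, stp_forwarding=True)      # always up, never talks
    without = svi_state(10, True, False, [server, uplink, analyzer])
    analyzer.autostate_exclude = True
    with_exclude = svi_state(10, True, False, [server, uplink, analyzer])
    return {"without_exclude": without, "with_exclude": with_exclude}


if __name__ == "__main__":
    print(demo())
```

Without the exclusion the analyzer port alone keeps the SVI up; with it, the SVI correctly goes down once the only real host is gone.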


Routed Ports

Routed ports are physical ports on the switch that act much like a router interface with an IP address configured.  Routed ports are not associated with a particular VLAN and do not run layer 2 protocols like STP or VTP.

Note:  Routed interfaces also do not support subinterfaces. Routed ports are point-to-point links that usually connect core switches to other core switches or distribution layer switches (if the distribution layer is running layer 3).  They can also be used when a switch has only a single switch port per VLAN or subnet.

Make sure when configuring a routed port that you use the no switchport command so the interface operates at layer 3.  Also assign an IP address and any other layer 3 information required.  Lastly, check that the appropriate routing protocols are configured.


Advantages

  • A multilayer switch can have both SVIs and routed ports configured
  • Multilayer switches forward all layer 2 and 3 traffic in hardware, so it is very fast


Configuring Inter-VLAN Routing with Routed Ports

1. Select the interface
2. Convert to a layer 3 port (no switchport command)
3. Add an IP address
4. Enable the interface (no shut command)


Example Configuration

Core(config)# interface GigabitEthernet 1/1
Core(config-if)# no switchport
Core(config-if)# ip address 10.10.1.1 255.255.255.252
Core(config-if)# no shutdown
Core(config-if)# exit


Verification Commands

  • show ip interface {interface_type port | vlan svi_number}
  • show interface {interface_type port | vlan svi_number}
  • show running-config interface {interface_type port | vlan svi_number}
  • ping
  • show vlan
  • show interface trunk


Troubleshooting Inter-VLAN Problems

Here is a list to run through when identifying an issue related to inter-VLAN routing:

  • Correct VLANs on switches and trunks
  • Correct routes
  • Correct primary and secondary root bridges
  • Correct IP addresses and masks

The table below outlines common issues that may come up and some potential causes.

 

Routing Protocol Configuration

Unlike routers, multilayer switches do not route IP by default: routing must be enabled with the global ip routing command, and a layer 3 interface (a routed port or an SVI) must exist before any packets are routed.  Once enabled, routing is configured just as on a router, using static routes and dynamic routing protocols.  You may be required to do some dynamic routing protocol configuration on a multilayer switch within the SWITCH exam, so make sure you brush up on your routing protocol basics.

A simple example is below:

Switch(config)# ip routing
Switch(config)# router eigrp 20
Switch(config-router)# no auto-summary
Switch(config-router)# network 10.0.0.0
Switch(config-router)# exit  

To verify a routing protocol is behaving as expected, use the show ip route command to display the active routes in the routing table; the source code in the first column of each entry tells you which protocol installed it.  show ip protocols lists the routing protocols currently running on the device, the networks they cover and their neighbours.


Multilayer Switching

A Multilayer switch can perform both layer two switching as well as inter-VLAN routing.  While I spend a considerable amount of time walking through the low-level details here, Cisco thinks it is really important.  It’s also easy for Cisco to ask SWITCH exam questions on (like the order of operations), so take your time and make sure you understand the process.  Knowing the order of events within the switch will help you understand how the many forwarding and filtering options interact.


Switch Forwarding Architectures

There are three different ways packets are switched on a layer 3 switch or router:

Process Switching
Each packet is examined by the route processor and handled in software.  This is the slowest option; it is mainly seen on routers, and on a multilayer switch it is what happens to traffic that has to be punted to the CPU.

Route Caching (old method also known as “fast switching”)
The route processor handles a flow’s first packet in software and then installs a “shortcut” (cache entry) so the remaining packets of that flow are forwarded immediately in hardware without software-based routing.  This method is faster than process switching and exists in both routers and layer 3 switches.

Cisco Express Forwarding (a.k.a. CEF or topology-based switching)
The layer 3 routing table is used to build, in hardware, a single database of the entire network topology (the FIB) for fast and efficient lookup, so even the first packet of a flow is forwarded in hardware.  This is the fastest method and is the default on Cisco routers and multilayer switches.


Cisco Express Forwarding

Multilayer Switching, or MLS, is a fairly general term used to describe features that enable very efficient routing of traffic between VLANs and routed ports.  Cisco Express Forwarding, or CEF, is the specific implementation of MLS Cisco uses on their multilayer switches.


Layer 2 Forwarding Process

Layer 3 Forwarding Process


CAM

The CAM table stores information about frames that pass through the switch for more intelligent forwarding.

The CAM table stores two pieces of information about traffic:

  • MAC address
  • Inbound port

Frames passing through the switch first enter the ingress queue, then proceed simultaneously to the Security TCAM (ACLs), QoS TCAM, and L2 Forwarding Table (CAM). Afterwards, they all then enter the egress queue before exiting an interface.


CAM Command Summary

Switch# show mac address-table dynamic

Displays the dynamically learned entries in the switch’s CAM table (addresses learned from the source MAC of frames passing through)

Switch# show mac address-table count

Shows the number of CAM table entries (dynamic, static and total) per VLAN.  If you want to see how many hosts the switch knows about in a particular VLAN, this lays it out in a nice table format.


TCAM

The TCAM stores layer 3 and up information including QoS, ACLs, and routing info.  The TCAM always is organized by masks – each mask has 8 value patterns associated with it.  Note that each mask-value pair is evaluated simultaneously (in parallel) looking for the longest match in a single look up.

Troubleshooting tip:  If you need to find out where a particular device is attached to the network, run show mac address-table dynamic address xxxx.xxxx.xxxx at the core of the network to see which port the address was learned on (and thus which downstream switch it sits behind).  Repeat the command on that switch and continue until you reach the access switch and port the device is actually attached to.
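As an added example that is not part of the original notes, the following Python script models CAM learning and forwarding across three switches (core, distribution, access) and then performs the trace described above: follow the MAC’s CAM entry from the core switch down to the access port it was learned on. Switch names, port names, VLANs and MAC addresses are constructed, and the topology is assumed loop-free, as spanning tree would make it.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Switch:
    name: str
    ports: Dict[str, Set[int]]                                   # port -> VLANs it carries
    cam: Dict[Tuple[int, str], str] = field(default_factory=dict)  # (vlan, mac) -> ingress port
    links: Dict[str, Tuple["Switch", str]] = field(default_factory=dict)  # port -> (neighbour, its port)

    def forward(self, vlan: int, src: str, dst: str, in_port: str) -> List[str]:
        """Learn the source MAC, then choose egress ports.

        Known unicast -> the one port in the CAM entry (filtered if it is the
        ingress port); unknown unicast or broadcast -> flood every other port
        that carries the VLAN.
        """
        if vlan not in self.ports.get(in_port, set()):
            return []                                            # VLAN not allowed on this port
        self.cam[(vlan, src)] = in_port                          # CAM = MAC + inbound port
        out = self.cam.get((vlan, dst))
        if out is not None and dst != BROADCAST:
            return [] if out == in_port else [out]
        return sorted(p for p, vlans in self.ports.items() if vlan in vlans and p != in_port)

    def mac_count(self, vlan: int) -> int:
        """What 'show mac address-table count' reports for the VLAN (dynamic entries)."""
        return sum(1 for (v, _mac) in self.cam if v == vlan)


def connect(a: Switch, a_port: str, b: Switch, b_port: str) -> None:
    """Cable two switch ports together (both ends must carry the VLANs in use)."""
    a.links[a_port] = (b, b_port)
    b.links[b_port] = (a, a_port)


def inject(sw: Switch, in_port: str, vlan: int, src: str, dst: str) -> List[str]:
    """Push one frame into a switch and follow it across inter-switch links.

    Assumes a loop-free topology, which is what spanning tree guarantees.
    Returns every 'switch:port' the frame was sent out of, in order.
    """
    sent: List[str] = []

    def walk(s: Switch, p: str) -> None:
        for out in s.forward(vlan, src, dst, p):
            sent.append(f"{s.name}:{out}")
            if out in s.links:
                nbr, nbr_port = s.links[out]
                walk(nbr, nbr_port)

    walk(sw, in_port)
    return sent


def trace_host(start: Switch, vlan: int, mac: str) -> Optional[Tuple[str, str]]:
    """The troubleshooting tip as code: follow the MAC's CAM entry from switch
    to switch until it points at a port with no switch behind it."""
    sw, seen = start, set()
    while sw.name not in seen:
        seen.add(sw.name)
        port = sw.cam.get((vlan, mac))
        if port is None:
            return None                                          # not learned here
        if port not in sw.links:
            return sw.name, port                                 # the edge port
        sw, _ = sw.links[port]
    return None


def build() -> Tuple[Switch, Switch, Switch]:
    """Constructed three-tier topology: Core - Dist1 - Access1."""
    core = Switch("Core", {"Gi1/1": {10, 20}, "Gi1/2": {10, 20}})
    dist = Switch("Dist1", {"Gi1/1": {10, 20}, "Gi1/2": {10, 20}})
    acc = Switch("Access1", {"Fa0/24": {10, 20}, "Fa0/5": {10}, "Fa0/6": {20}})
    connect(core, "Gi1/1", dist, "Gi1/1")
    connect(dist, "Gi1/2", acc, "Fa0/24")
    return core, dist, acc


def demo() -> dict:
    core, _dist, acc = build()
    host, gateway = "00:11:22:33:44:55", "00:00:0c:9f:f0:0a"    # constructed MACs
    first = inject(acc, "Fa0/5", 10, host, gateway)              # gateway unknown: flooded upstream
    reply = inject(core, "Gi1/2", 10, gateway, host)             # reply follows learned CAM entries
    return {"first": first, "reply": reply,
            "located": trace_host(core, 10, host), "core_vlan10_count": core.mac_count(10)}


if __name__ == "__main__":
    print(demo())
```

The first frame from the host is flooded all the way to the core because nobody has learned the gateway’s MAC yet; the reply is switched along the CAM entries that the first frame created, and trace_host walks those same entries from the core to Access1 Fa0/5.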

CEF Packet Flow:

Ingress queue
        V
Security TCAM, QoS TCAM, L3 Forwarding (FIB), L2 Forwarding (CAM)
        V
L3 packet rewrite
        V
Egress queue


FIB + Adjacency Tables

The FIB, or Forwarding Information Base, is what allows CEF to switch layer 3 traffic so quickly.  It is created in hardware using the existing routing table to create a single route cache, allowing the packets to be forwarded directly the very first time they are seen on the switch.

The FIB uses the destination IP address as the table index.  CEF uses a second table, the adjacency table, together with the FIB to forward packets quickly.  While the FIB stores the routing information (prefix and next-hop IP), the adjacency table is derived from the ARP table and stores the layer 2 next-hop address and frame header rewrite information for every FIB entry, so no further lookup is necessary.  The control plane (route processor, routing protocols, ARP) builds and maintains these tables and is separate from the data plane (the hardware that actually forwards the packets), which further improves performance.

To recap, the FIB is responsible for maintaining the next-hop IP address for all known routes and the adjacency tables maintain the layer 2 information.  The adjacency table links to the FIB entries, so combined they provide all the layer 2 and 3 next hop information necessary to dramatically increase packet switching speed. When the adjacency table is full, a TCAM entry points to the L3 engine to redirect the adjacency.


There are five adjacency categories that you should be aware of:

  • Null
  • Punt
  • Glean
  • Discard
  • Drop

For the CCNP SWITCH exam, it’s not important that you understand the function of each adjacency.  Just know that they provide L2 information for CEF , derived from ARP table, and be able to recognize the names.
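The following Python model is an added example, not code from the original notes: it implements a FIB with longest-prefix match, an adjacency table fed from ARP, and the packet rewrite (TTL decrement, new source and destination MACs), and it produces the glean, punt, null and drop outcomes described above when the adjacency is not complete. The SVI addresses, MACs, routes and ARP entries are constructed, and the null route stands in for a discard adjacency.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Adjacency:
    kind: str                       # "complete", "glean", "punt", "drop", "null"
    egress: Optional[str] = None    # outgoing interface
    dst_mac: Optional[str] = None   # next-hop MAC written into the frame
    src_mac: Optional[str] = None   # egress interface MAC written into the frame


@dataclass
class FibEntry:
    prefix: ipaddress.IPv4Network
    next_hop: Optional[ipaddress.IPv4Address]   # None = directly connected (or null route)
    adj: Adjacency


class CefForwarder:
    """FIB (prefix -> next hop) plus adjacency table (next hop -> L2 rewrite)."""

    def __init__(self) -> None:
        self.fib: List[FibEntry] = []
        self.arp: Dict[str, str] = {}                      # IP -> MAC; source of adjacencies
        self.ifaces: Dict[str, Tuple[ipaddress.IPv4Interface, str]] = {}

    def add_interface(self, name: str, cidr: str, mac: str) -> None:
        iface = ipaddress.ip_interface(cidr)
        self.ifaces[name] = (iface, mac)
        # Connected prefix: next hop is the destination host itself, resolved per host.
        self.fib.append(FibEntry(iface.network, None, Adjacency("glean", name, src_mac=mac)))
        # Receive entry for the interface's own address: always punted to the CPU.
        self.fib.append(FibEntry(ipaddress.ip_network(f"{iface.ip}/32"), None, Adjacency("punt")))

    def add_route(self, prefix: str, next_hop: Optional[str] = None) -> None:
        net = ipaddress.ip_network(prefix)
        if next_hop is None:                               # e.g. 'ip route ... Null0'
            self.fib.append(FibEntry(net, None, Adjacency("null")))
            return
        nh = ipaddress.ip_address(next_hop)
        self.fib.append(FibEntry(net, nh, self._adjacency_for(nh)))

    def learn_arp(self, ip: str, mac: str) -> None:
        """ARP reply arrives: complete any glean adjacency waiting on this next hop."""
        self.arp[ip] = mac
        for e in self.fib:
            if e.next_hop is not None and e.adj.kind == "glean":
                e.adj = self._adjacency_for(e.next_hop)

    def _adjacency_for(self, nh: ipaddress.IPv4Address) -> Adjacency:
        for name, (iface, mac) in self.ifaces.items():
            if nh in iface.network:
                if str(nh) in self.arp:
                    return Adjacency("complete", name, self.arp[str(nh)], mac)
                return Adjacency("glean", name, src_mac=mac)   # ARP still needed
        return Adjacency("drop")                               # next hop not on any subnet

    def lookup(self, dst: str) -> Optional[FibEntry]:
        """Longest-prefix match over the whole FIB in one pass."""
        d = ipaddress.ip_address(dst)
        best = None
        for e in self.fib:
            if d in e.prefix and (best is None or e.prefix.prefixlen > best.prefix.prefixlen):
                best = e
        return best

    def forward(self, dst: str, ttl: int) -> dict:
        """Hardware path: FIB lookup, adjacency, then the L3/L2 rewrite."""
        e = self.lookup(dst)
        if e is None:
            return {"action": "drop", "reason": "no route"}
        adj = e.adj
        if adj.kind == "glean" and e.next_hop is None:         # connected subnet: per-host ARP
            adj = self._adjacency_for(ipaddress.ip_address(dst))
        if adj.kind != "complete":
            return {"action": adj.kind, "prefix": str(e.prefix)}
        if ttl <= 1:                                           # CEF exception: router must reply
            return {"action": "punt", "reason": "ttl expired"}
        return {"action": "forward", "prefix": str(e.prefix), "egress": adj.egress,
                "dst_mac": adj.dst_mac, "src_mac": adj.src_mac, "ttl": ttl - 1}


def build() -> CefForwarder:
    """Constructed tables: two SVIs, a default route, a summary and a null route."""
    fw = CefForwarder()
    fw.add_interface("Vlan10", "10.1.10.1/24", "00:00:0c:00:10:01")
    fw.add_interface("Vlan20", "10.1.20.1/24", "00:00:0c:00:20:01")
    fw.add_route("0.0.0.0/0", "10.1.20.254")             # adjacency starts as glean...
    fw.add_route("10.9.0.0/16", "10.1.20.254")
    fw.add_route("10.0.0.0/8")                            # discard route for the aggregate
    fw.learn_arp("10.1.20.254", "00:00:5e:00:01:fe")      # ...and completes here
    fw.learn_arp("10.1.10.50", "00:11:22:33:44:55")
    return fw
```

Note how the longest match decides the adjacency: 10.9.1.1 matches the /16 and is forwarded, while 10.7.1.1 falls to the 10.0.0.0/8 null entry rather than the default route, and a packet whose TTL is exhausted is punted even though a complete adjacency exists.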


Distributed CEF (dCEF)

Distributed CEF, commonly denoted dCEF, speeds up CEF switching even more by running a FIB table on each of a switch’s line cards.  Because the FIB look up occurs directly on the line card itself, it no longer has to query the switch’s processor or route table for next hop information.

This is currently the fastest method of implementing CEF on Cisco switches. Switching methods in order from fastest to slowest:  dCEF, CEF, fast switching, process switching.


CEF Configuration and Verification

All modern Catalyst switches use CEF by default, so no manual configuration is necessary.

Some verification commands to know:

Switch# show ip cef
Shows entries currently in the FIB 
Switch# show adjacency  
Displays current adjacency information 


CEF Exceptions

Some types of traffic are not able to bypass the processor using CEF.  Some examples include:

  • ARP packets
  • Router response (TTL expired, MTU exceeded, etc.)
  • IP broadcasts (DHCP request)
  • Routing Protocol Updates
  • CDP packets
  • Anything encrypted
  • Packets triggering NAT
  • Most non-IP packets


Implementing DHCP in a Multilayer Switch Environment

By default, Catalyst multilayer switches include DHCP relay agent software.

Distribution multilayer switches often act as layer 3 gateways for clients connecting to the access switches.  Because of this, DHCP can be provided within the same switches to serve the hosts with IP addresses and other necessary network parameters.

The other option is to consolidate the DHCP services to one or more dedicated servers.  In that case, the distribution layer must redirect incoming client DHCP requests to the external DHCP server.


Configuring DHCP service on the multilayer switch

1.  By default every address in the pool’s network is available for assignment.  To reserve addresses (the SVI address, servers, printers), exclude them in global config mode with the ip dhcp excluded-address command followed by the first and last address of the range to exclude.  For discontinuous ranges, use more than one ip dhcp excluded-address command.

2.  Configure the network value, which indicates the subnet to offer addresses from.

3.  Configure any other network parameters you would like the switch to serve in its DHCP offers (ex. default-gateway, lease duration, subnetmask, DNS server address).

Note:  The server selects the pool by the address of the interface the request arrived on, or by the relay agent address (giaddr) of a relayed request.  So the switch needs an interface in that subnet (or a relay pointing at it) before it can offer addresses from a pool; it cannot simply hand out addresses for a subnet it knows nothing about.


Configuration Example

Switch(config)# ip dhcp excluded-address 10.1.10.1 10.1.10.20
Switch(config)# ip dhcp pool example10
Switch(dhcp-config)# network 10.1.10.0 255.255.255.0
Switch(dhcp-config)# default-router 10.1.10.1
Switch(dhcp-config)# option 150 ip 10.1.1.50
Switch(dhcp-config)# lease 0 8 0
Switch(dhcp-config)# exit
Switch(config)# interface vlan 10
Switch(config-if)# ip address 10.1.10.1 255.255.255.0

The excluded-address range runs from the first address to the last (here .1 to .20, which keeps the SVI address out of the pool).  Option 150 specifies a TFTP server address, typically so IP phones can fetch their configuration and reach the call manager; the IOS syntax is option 150 ip address.  The lease is given as days hours minutes (0 8 0 = 8 hours).


Configuring DHCP Relay

If an enterprise is using external DHCP servers, then the ip helper-address command must be entered on the layer 3 interface.  Because hosts use broadcast messages to try to find the DHCP server, if it is in a different subnet, it will be dropped at the default gateway because broadcasts are not forwarded across VLAN boundaries.

The DHCP relay agent converts the client’s broadcast into a unicast sent to the helper address, inserting the receiving interface’s address as the relay agent address (giaddr) so the server knows which subnet to offer from.  The helper does not only forward DHCP: by default it also forwards broadcasts for TFTP, DNS, Time, the NetBIOS name and datagram services, the IEN-116 name server, TACACS and BOOTP.  Use no ip forward-protocol udp port to stop forwarding the services you do not need, so that a helper pointed at a DHCP server does not also relay unrelated broadcasts to it.  The ip helper-address command must be applied to the layer 3 interface that receives the client broadcasts.


Configuration Example

switch(config)# interface vlan 10
switch(config-if)# ip address 10.1.10.1 255.255.255.0
switch(config-if)# ip helper-address 10.1.100.1

Note:  The helper address can be applied to an SVI or to a routed interface.
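As an added example (not code from the original notes), the following Python script models the relay exchange end to end: a client in VLAN 10 broadcasts a DHCPDISCOVER, the SVI with a helper address stamps giaddr and unicasts it to the server, the server picks the pool by giaddr and replies to the relay, and the relay puts the OFFER back onto the client’s VLAN. It also shows that without a helper the broadcast dies at the VLAN boundary, and that the helper forwards other broadcast services (TFTP here) unless trimmed. The addresses, pool range, and the list of default-forwarded UDP ports are constructed or assumed from IOS defaults; DHCP messages are kept as dicts rather than the binary wire format.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# UDP ports an IOS helper address forwards by default (trim with
# 'no ip forward-protocol udp <port>'); list assumed from IOS defaults.
DEFAULT_FORWARD_UDP: Set[int] = {37, 42, 49, 53, 67, 68, 69, 137, 138}


@dataclass
class Datagram:
    src_ip: str
    dst_ip: str
    dport: int
    payload: dict           # DHCP fields kept as a dict instead of the binary format


@dataclass
class Relay:
    """Layer 3 gateway (one SVI per VLAN) running the DHCP relay agent."""
    svis: Dict[str, str]                  # SVI name -> gateway address
    helpers: Dict[str, List[str]]         # SVI name -> configured ip helper-address list
    forward_udp: Set[int] = field(default_factory=lambda: set(DEFAULT_FORWARD_UDP))

    def ingress(self, svi: str, dg: Datagram) -> List[Datagram]:
        """A broadcast arrives on an SVI; return what the gateway relays, if anything."""
        if dg.dst_ip != "255.255.255.255" or dg.dport not in self.forward_udp:
            return []
        if not self.helpers.get(svi):
            return []                                  # no helper: broadcast dies at the VLAN edge
        gw, out = self.svis[svi], []
        for helper in self.helpers[svi]:
            msg = dict(dg.payload)
            if dg.dport == 67:                         # BOOTP/DHCP server port: act as relay agent
                if msg["giaddr"] == "0.0.0.0":
                    msg["giaddr"] = gw                 # first relay stamps the client subnet's gateway
                msg["hops"] = msg.get("hops", 0) + 1
            out.append(Datagram(gw, helper, dg.dport, msg))   # unicast to the server
        return out

    def reply_to_client(self, dg: Datagram) -> Optional[Datagram]:
        """The server replies unicast to giaddr; put the reply back onto that VLAN."""
        msg = dg.payload
        for gw in self.svis.values():
            if gw == msg["giaddr"]:
                dst = "255.255.255.255" if msg.get("broadcast") else msg["yiaddr"]
                return Datagram(gw, dst, 68, msg)
        return None


class DhcpServer:
    """Pools keyed by network; addresses below 'first' are the excluded range."""

    def __init__(self, pools: Dict[str, Tuple[str, str, str]]) -> None:
        self.pools = {ipaddress.ip_network(n): v for n, v in pools.items()}
        self.next_free = {n: ipaddress.ip_address(v[0]) for n, v in self.pools.items()}

    def select_pool(self, msg: dict, rx_iface_ip: str) -> Optional[ipaddress.IPv4Network]:
        # Relayed request: choose by giaddr.  Local request: by the receiving interface.
        key = ipaddress.ip_address(msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else rx_iface_ip)
        return next((n for n in self.pools if key in n), None)

    def handle(self, dg: Datagram, rx_iface_ip: str) -> Optional[Datagram]:
        msg = dg.payload
        net = self.select_pool(msg, rx_iface_ip)
        if net is None or msg["type"] != "DISCOVER":
            return None
        first, last, router = self.pools[net]
        ip = self.next_free[net]
        if ip > ipaddress.ip_address(last):
            return None                                # pool exhausted
        self.next_free[net] = ip + 1
        offer = dict(msg, type="OFFER", yiaddr=str(ip), router=router, mask=str(net.netmask))
        dst = msg["giaddr"] if msg["giaddr"] != "0.0.0.0" else "255.255.255.255"
        return Datagram(rx_iface_ip, dst, 67, offer)


def demo() -> dict:
    """Client in VLAN 10 discovers a DHCP server at 10.1.100.1 via the relay."""
    relay = Relay(svis={"Vlan10": "10.1.10.1"}, helpers={"Vlan10": ["10.1.100.1"]})
    server = DhcpServer({"10.1.10.0/24": ("10.1.10.21", "10.1.10.254", "10.1.10.1")})
    discover = Datagram("0.0.0.0", "255.255.255.255", 67, {
        "type": "DISCOVER", "chaddr": "00:11:22:33:44:55",
        "giaddr": "0.0.0.0", "hops": 0, "broadcast": True})
    relayed = relay.ingress("Vlan10", discover)
    offer = server.handle(relayed[0], "10.1.100.1")
    to_client = relay.reply_to_client(offer)
    tftp = Datagram("10.1.10.99", "255.255.255.255", 69, {"file": "cfg"})
    mdns = Datagram("10.1.10.99", "255.255.255.255", 5353, {})
    no_helper = Relay(svis={"Vlan10": "10.1.10.1"}, helpers={})
    return {
        "relayed_to": relayed[0].dst_ip, "giaddr": relayed[0].payload["giaddr"],
        "offer_dst": offer.dst_ip, "yiaddr": offer.payload["yiaddr"],
        "client_dst": to_client.dst_ip, "without_helper": len(no_helper.ingress("Vlan10", discover)),
        "tftp_forwarded": len(relay.ingress("Vlan10", tftp)),
        "mdns_forwarded": len(relay.ingress("Vlan10", mdns)),
    }


if __name__ == "__main__":
    print(demo())
```

The pool starts at .21 to mirror the excluded range in the server example above, so the first offer is 10.1.10.21; setting relay.forward_udp to {67} is the equivalent of removing the other forward-protocol ports so the helper relays DHCP only.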


Verifying DHCP Settings

Use these two commands to check its operation:

Switch# show ip dhcp binding
Displays the current client bindings (IP address, MAC/client ID and lease expiry)

Switch# debug ip dhcp server packet
Shows in real time the DHCP discover, offer, request and ack packets

2 Comments to CCNP SWITCH 642-813 :: Inter-VLAN Routing

  1. Milan
    May 17, 2011 12:58 am

    Sweet notes dude :)

  2. RD
    July 22, 2011 8:15 pm

    Thanks, awesome summary of CEF and adjacency tables. Just what I needed before the exam on Monday!
