Mälardalens högskola
Stefan Löfgren
Advanced Switching and Troubleshooting in Computer Networks (CCNP 3 – 4)
Lecture 3
Catalyst 3550
• The Catalyst 3550 switch with the Enhanced Multilayer Image (EMI) installed can accelerate packet routing between VLANs by using Layer 3 switching.
• The switch bridges the packet, the packet is then routed internally without going to an external router, and then the packet is bridged again to send it to its destination. During this process, the switch can enforce ACLs on all packets it switches, including packets bridged within a VLAN.
Catalyst 3550
• ACLs on switches function very much like those on a router.
• The Catalyst 3550 switch supports two types of ACLs:
  – IP ACLs filter IP traffic, including TCP, UDP, Internet Group Management Protocol (IGMP), and Internet Control Message Protocol (ICMP).
  – Ethernet ACLs filter non-IP traffic.
• The 2950 switch supports only IP ACLs.
• The 3550 switch supports two applications of ACLs to filter traffic:
  – Router ACLs
  – VLAN ACLs
Catalyst 3550
• When a VLAN map (VLAN ACL) is applied to a VLAN, all packets (routed or bridged) entering the VLAN are checked against the VLAN map. Packets can enter the VLAN either through a switch port or through a routed port after being routed.
• VLAN maps can filter all traffic received by the switch. VLAN maps are applied to all packets that are routed into or out of a VLAN or are bridged within a VLAN. VLAN maps are used strictly for security packet filtering. Unlike router ACLs, VLAN maps are not defined by direction (input or output).
Catalyst 3550
• VLAN maps can be configured to match Layer 3 addresses for IP traffic. All non-IP protocols are filtered through MAC addresses and Ethertype using MAC VLAN maps. IP traffic is not access controlled by MAC VLAN maps.
• With VLAN maps, packets are forwarded or dropped based on the action specified in the map.
Catalyst 3550
Not all IOS router ACL-related features are supported on the switch. The switch does not support:
• Non-IP protocol ACLs
• Bridge-group ACLs
• IP accounting
• Rate limiting (except with QoS ACLs)
• IP packets with a header length (IHL) of less than five 32-bit words
• Reflexive ACLs
• Dynamic ACLs (except for the specialized dynamic ACLs used by the clustering feature)
Catalyst 3550
• Create a VLAN map
Remember that VLAN maps have an implicit forward at the end of the list; a packet is forwarded if it does not match any ACL within the VLAN map.
Catalyst 3550
• Apply a VLAN map
Catalyst 3550
• Use the no vlan access-map name command to delete a map.
• Use the no vlan access-map name number command to delete a single sequence entry from within the map.
• Use the no action command to enforce the default action, which is to forward.
Catalyst 3550
To deny a packet by using VLAN maps, create an ACL that would match the packet, and set the action to drop. A permit in the ACL counts as a match. A deny in the ACL means no match.
Ex:
Switch(config)# ip access-list extended ip1
Switch(config-ext-nacl)# permit tcp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map_1 10
Switch(config-access-map)# match ip address ip1
Switch(config-access-map)# action drop
Catalyst 3550
Cont.
Switch(config)# ip access-list extended ip2
Switch(config-ext-nacl)# permit udp any any
Switch(config-ext-nacl)# exit
Switch(config)# vlan access-map map_1 20
Switch(config-access-map)# match ip address ip2
Switch(config-access-map)# action forward
Switch(config-access-map)# exit
Switch(config)# vlan access-map map_1 30
Switch(config-access-map)# action drop
Switch(config-access-map)# exit
Catalyst 3550
Apply the VLAN map map_1 to VLANs 20 through 22:
Switch(config)# vlan filter map_1 vlan-list 20-22
Remember, VLAN maps have a default action of forward, so a packet is forwarded if it does not match any VLAN map entry. Note that sequence 30 in map_1 has no match clause, so it matches every packet that reached it: the implicit forward is never consulted, and all IP traffic that is neither TCP nor UDP (ICMP, for example) is dropped in VLANs 20 through 22.
Catalyst 3550
• Packets switched within the VLAN without being routed are only subject to the VLAN map of the input VLAN.
• For routed packets, the ACLs are applied in this order:
  1. VLAN map for the input VLAN
  2. Input router ACL
  3. Output router ACL
  4. VLAN map for the output VLAN
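The following is an added example, not code from the lecture slides: a small Python simulator of the VLAN-map and router-ACL rules stated on the slides above (a permit ACE in a referenced ACL counts as a match, a deny ACE means no match, an entry without a match clause matches everything, the map ends with an implicit forward, and routed packets pass the four filters in the order listed). It reproduces the slides' map_1 (sequences 10, 20 and 30 applied to VLANs 20-22) and adds a constructed VLAN 30 with a deny-only map and a router ACL on its SVI; all addresses, VLAN numbers and ACLs beyond map_1 are assumptions for illustration.

```python
"""Added example, not from the lecture slides: a simulator of how a
Catalyst 3550 applies VLAN maps and router ACLs, using the rules on the
slides.  A permit ACE in the referenced ACL counts as a match, a deny ACE
means "no match" (the map entry is skipped), an entry with no match clause
matches everything, the map ends with an implicit forward, and a routed
packet passes input VLAN map -> input router ACL -> output router ACL ->
output VLAN map.  Addresses, VLAN numbers and ACLs are constructed."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp", "icmp", ...


@dataclass(frozen=True)
class Ace:
    """One access-control entry; CIDR prefixes stand in for wildcard masks."""
    permit: bool
    proto: str                      # "ip" matches any IP protocol
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("ip", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst))


def acl_permits(acl: list[Ace], p: Packet) -> bool:
    """First matching ACE decides; no match at all gives False.  For a router
    ACL, False is the implicit deny.  For a VLAN map the same value answers
    "does this entry match?": a deny ACE counts as no match."""
    for ace in acl:
        if ace.matches(p):
            return ace.permit
    return False


@dataclass
class VlanMapEntry:
    seq: int
    action: str                             # "forward" or "drop"
    match: Optional[list[Ace]] = None       # None: no match clause, matches all


def vlan_map_action(entries: list[VlanMapEntry], p: Packet) -> str:
    for e in sorted(entries, key=lambda e: e.seq):
        if e.match is None or acl_permits(e.match, p):
            return e.action
    return "forward"                        # implicit forward at end of map


@dataclass
class Switch:
    vlan_maps: dict[int, list[VlanMapEntry]] = field(default_factory=dict)
    racl_in: dict[int, list[Ace]] = field(default_factory=dict)    # per SVI
    racl_out: dict[int, list[Ace]] = field(default_factory=dict)

    def bridge(self, p: Packet, vlan: int) -> str:
        """Intra-VLAN traffic is only subject to the input VLAN's map."""
        return vlan_map_action(self.vlan_maps.get(vlan, []), p)

    def route(self, p: Packet, in_vlan: int, out_vlan: int) -> str:
        """Inter-VLAN traffic: the four filters in the slide's order; the
        first one that drops wins and the rest are never consulted."""
        if vlan_map_action(self.vlan_maps.get(in_vlan, []), p) == "drop":
            return "drop: input VLAN map"
        if in_vlan in self.racl_in and not acl_permits(self.racl_in[in_vlan], p):
            return "drop: input router ACL"
        if out_vlan in self.racl_out and not acl_permits(self.racl_out[out_vlan], p):
            return "drop: output router ACL"
        if vlan_map_action(self.vlan_maps.get(out_vlan, []), p) == "drop":
            return "drop: output VLAN map"
        return "forward"


def build_map_1() -> list[VlanMapEntry]:
    """The slides' map_1: 10 drop tcp, 20 forward udp, 30 drop the rest."""
    return [VlanMapEntry(10, "drop", [Ace(True, "tcp")]),
            VlanMapEntry(20, "forward", [Ace(True, "udp")]),
            VlanMapEntry(30, "drop")]


def demo() -> dict[str, str]:
    sw = Switch()
    for v in (20, 21, 22):                  # vlan filter map_1 vlan-list 20-22
        sw.vlan_maps[v] = build_map_1()
    # A map whose only ACL is a deny never matches, so VLAN 30 forwards all.
    sw.vlan_maps[30] = [VlanMapEntry(10, "drop", [Ace(False, "ip")])]
    # Router ACL on the VLAN 30 SVI: only 10.0.30.0/24 sources may leave it.
    sw.racl_in[30] = [Ace(True, "ip", src="10.0.30.0/24"), Ace(False, "ip")]
    return {
        "tcp_in_20": sw.bridge(Packet("10.0.20.5", "10.0.20.9", "tcp"), 20),
        "udp_in_20": sw.bridge(Packet("10.0.20.5", "10.0.20.9", "udp"), 20),
        "icmp_in_20": sw.bridge(Packet("10.0.20.5", "10.0.20.9", "icmp"), 20),
        "icmp_in_30": sw.bridge(Packet("10.0.30.5", "10.0.30.9", "icmp"), 30),
        "spoofed_30_to_40": sw.route(Packet("192.0.2.1", "10.0.40.1", "tcp"), 30, 40),
        "udp_30_to_21": sw.route(Packet("10.0.30.5", "10.0.21.1", "udp"), 30, 21),
        "tcp_30_to_21": sw.route(Packet("10.0.30.5", "10.0.21.1", "tcp"), 30, 21),
    }
```

The two points worth noticing in the output are that the deny-only map on VLAN 30 filters nothing at all (a deny in the ACL is "no match", so the map falls through to its implicit forward), and that the spoofed packet from VLAN 30 is caught by the input router ACL on the SVI, the second filter in the order on the slide, before any output-side filter is consulted.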
Catalyst 3550
• If a router ACL and a VLAN map must be configured on the same VLAN, use these guidelines for both router ACL and VLAN map configuration.
• Whenever possible, try to write the ACL with all entries having a single action except for the final, default action of the other type. That is, write the ACL using one of these two forms:
  permit...permit...permit...deny ip any any
  or
  deny...deny...deny...permit ip any any
Catalyst 3550
• To define multiple permit and deny actions in an ACL, group each action type together to reduce the number of entries.
• Avoid including Layer 4 information in an ACL.
• Use wildcard masks in the IP address whenever possible.
Catalyst 3550
• The best merge results are obtained if the ACLs filter on source or destination IP addresses and not on the full flow (source IP address, destination IP address, protocol, and protocol ports).
• If the full flow must be specified, and the ACL contains both IP ACEs and TCP/UDP/ICMP ACEs with Layer 4 information, put the Layer 4 ACEs at the end of the list.
Catalyst 3550
• To implement inter-VLAN routing on a 3550 or 3750 switch, the first task should always be to turn on the switch's IP routing functionality with the command:
Switch(config)# ip routing
Catalyst 3550
• Rather than configuring a physical interface for each VLAN, the router uses a virtual interface (SVI):
Switch(config)# interface vlan 1
Switch(config-if)# ip address 10.0.0.1 255.255.255.0
Switch(config-if)# no shutdown
Catalyst 3550
• It is also possible to configure a physical switch port/interface as a router interface:
Switch(config)# interface fa 0/1
Switch(config-if)# no switchport
Switch(config-if)# ip address 10.0.1.1 255.255.255.0
• In this way it is possible to turn a 12- or 24-port Ethernet switch into a 12- or 24-interface Ethernet router.
Catalyst 3550
• A common reason for connecting an external router to an internal route switch processor is to provide access to a WAN interface, as these are often not provided on a switch.
ExtRouter(config)# interface fa 0/0
ExtRouter(config-if)# ip address 10.0.1.2 255.255.255.0
RouteSwitch(config)# interface fa 0/1
RouteSwitch(config-if)# no switchport
RouteSwitch(config-if)# ip address 10.0.1.1 255.255.255.0
• A routing protocol (or static routes) is needed on both devices so that each learns the networks behind the other.
Catalyst 3550
• Inter-VLAN routing would most likely be achieved through the use of virtual interfaces:
RouteSwitch(config)# interface vlan 10
RouteSwitch(config-if)# ip address 10.0.10.1 255.255.255.0
RouteSwitch(config)# interface vlan 20
RouteSwitch(config-if)# ip address 10.0.20.1 255.255.255.0
VLAN
• VLAN 1 is normally configured as the default and native VLAN, and it also carries CDP, VTP, PAgP and DTP.
• Let VLAN 1 carry only the switch and trunk protocols. Leave it completely empty otherwise; it does not even need to be terminated (no SVI or IP address on it).
• The native VLAN is the untagged VLAN; move it to an otherwise empty VLAN.
• The management VLAN should also be moved to something other than VLAN 1.
Multilayer Switching
Multilayer Switching (MLS)
– MLS is a technique used to increase IP routing performance by handling the packet-switching and rewrite functions in hardware.
  • It moves the packet-forwarding function traditionally handled by the router to Layer 3 switches whenever a switched path exists.
  • It can be implemented by using a Layer 3 switch or an external router topology.
MLS Equipment Requirements
– IP MLS requires the following software/hardware:
  • Catalyst 2926G, 5000 or 6000 series switch
  • Supervisor Engine software release 4.1(1) or later
  • IOS 11.3(2)WA4(4) or later
  • Supervisor Engine III with NFFC II or Supervisor Engine II/III G
  • RSM
  • If using an external router: 8500, 7500, 7200, 4700, or 4500 series router
– IP MLS with an external router and IPX MLS have additional requirements.
MLS Operations
– MLS makes use of three components:
  • MLS Route Processor (MLS-RP)
  • MLS Switching Engine (MLS-SE)
  • Multilayer Switching Protocol (MLSP)
– It uses a four-step process:
  1. The MLS-RP sends MLSP hello packets
  2. The MLS-SE identifies candidate packets
  3. The MLS-SE identifies enable packets
  4. The MLS-SE shortcuts future packets
MLS-RP Advertisements
– When the MLS-RP first boots, it begins sending MLSP hello packets every 15 seconds.
  • A hello contains information on:
    – MAC addresses in use on the router
    – VLANs
    – Access list information
    – Additions and deletions of routes
  • Hellos are sent using a multicast address (01-00-0C-DD-DD-DD).
MLSP Hello Messages
– When an MLS-SE receives a hello message, it will perform the following:
  • Extract all the MAC addresses received in the frame and the associated interface or VLAN ID for each address
  • Record the addresses of the MLS-RPs in the content addressable memory (CAM)
MLS Cache
– Multilayer switching is based on individual flows.
  • The MLS-SE maintains a cache for MLS flows and stores statistics for each flow.
– All packets in a flow are compared to the cache.
  • If the MLS cache contains an entry that matches the packet in the flow, the MLS-SE switches the packet and bypasses the router.
  • If the MLS cache does not contain an entry that matches the packet, a cache entry must be established for that flow.
Establishing an MLS Cache Entry
– The following steps outline the process of establishing an MLS cache entry:
  1. A switch receives a frame and looks at the destination MAC address.
  2. The switch recognizes the frame's destination address as the address of the MLS-RP, because the switch initially received this destination address in a Layer 3 hello message and programmed that MAC address into the CAM table.
  3. The MLS-SE checks the MLS cache to determine if an MLS flow is already established for this flow. If the frame is the first in a flow, there will not be an entry in the cache.
  4. The switch forwards the frame to the addressed route processor. Sending the frame to the addressed route processor creates a candidate entry in the MLS cache.
Establishing an MLS Cache Entry (cont.)
  5. The route processor receives the frame and consults the routing table to determine if there is a route to the destination address.
  6. If the route processor finds the destination address in the routing table, the MLS-RP constructs a new Layer 2 header containing its own MAC address as the source MAC address.
  7. The route processor also enters the MAC address of the destination host or next-hop route processor in the destination MAC address field of the Layer 2 frame.
Establishing an MLS Cache Entry (cont.)
  8. The route processor forwards the frame back to the MLS-SE.
  9. The switch knows which port needs to forward the received frame based on the CAM table. The MLS-SE also recognizes that the MAC address in the source field belongs to the route processor.
  10. This recognition triggers the process of checking the MLS cache to see if there is an entry for this route processor. The switch compares the XTAGs for both the candidate entry in the MLS cache and the returned frame. If the two XTAGs match, the frame came from the same route processor for the same flow.
  11. The switch records the information from the returned frame in the MLS cache.
  12. The switch forwards the frame out the appropriate port using the destination MAC address.
This second frame becomes the enable entry in the MLS cache, and the partial entry for that flow is completed.
Switching Subsequent Frames
The following steps take place when switching subsequent frames in a flow:
  1. A switch receives subsequent frames in the flow.
  2. The switch checks the MLS cache and finds the entry matching the flow in question.
  3. The MLS-SE rewrites the Layer 2 frame header, changing the destination and the source MAC addresses. The Layer 3 IP addresses remain the same, but the IP header Time to Live (TTL) is decremented and the checksum is recomputed. The MLS-SE rewrites the switched Layer 3 packets so that they appear to have been routed by a route processor.
  4. The switch forwards the rewritten frame to the destination MAC address.
MLS Rewrite Options
– MLS can use two options to rewrite the packet:
  • Central rewrite engines
    – The MLS-SE itself is used to rewrite the packet, which requires the packet to traverse the bus twice.
  • Inline rewrite
    – The rewrite operation is performed on the output module itself, which allows the packet to cross the bus a single time.
MLS Rewrite Modifications
– The rewrite mechanism can modify the following fields:
  • Source and destination MAC address
  • VLAN ID
  • TTL
  • IP encapsulation
  • Checksums
  • Type of Service/Class of Service (ToS/CoS)
Cache Aging
– To prevent the MLS cache from overflowing, an aging process must be run. MLS supports three separate aging times:
  • Quick: used to age out partial shortcut entries that never get completed by an enable packet. The aging period for these entries is fixed at 5 seconds.
  • Normal: used for the typical sort of data transfer flow. This is a user-configurable interval that can range from 64 to 1920 seconds with the set mls agingtime [agingtime] command. The default is 256 seconds.
  • Fast: used to age short-term data flows such as Domain Name System (DNS), ping, and Trivial File Transfer Protocol (TFTP). The fast aging time can be adjusted with the set mls agingtime fast [fastagingtime] [pkt_threshold] command: an entry that has switched no more than pkt_threshold packets within fastagingtime seconds of its creation is removed, so short flows do not occupy the cache for the full normal aging time.
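The following is an added example, not code from the lecture slides or from Cisco: a Python simulation of the MLS-SE flow cache as described on the cache-entry, subsequent-frame and cache-aging slides above. The route processor's MAC and XTAG are learned from a hello, the first frame of a flow sent to that MAC creates a candidate entry, the frame the RP sends back enables it when the XTAG matches, later frames are shortcut with a MAC rewrite and TTL decrement, and the quick, normal and fast timers remove entries. The MAC addresses, IP addresses, XTAG value, timings and the simplified (source IP, destination IP, protocol) flow key are all assumptions for illustration.

```python
"""Added example, not from the lecture slides: a simulation of the MLS-SE
flow cache (candidate entry -> enable entry -> shortcut) together with the
quick, normal and fast aging timers.  MACs, addresses, XTAG values and
timings are constructed; the flow key here is (src IP, dst IP, protocol)."""
from dataclasses import dataclass, replace
from typing import Optional

RP_MAC, RP_XTAG = "00:00:0c:aa:aa:aa", 1       # constructed MLSP hello contents


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    ttl: int

    @property
    def flow(self) -> tuple:
        return (self.src_ip, self.dst_ip, self.proto)


@dataclass
class CacheEntry:
    xtag: int
    created: float
    last_seen: float
    packets: int = 0                    # frames shortcut by the MLS-SE
    enabled: bool = False               # False while still a candidate entry
    rewrite_src: Optional[str] = None   # MLS-RP MAC
    rewrite_dst: Optional[str] = None   # destination host or next-hop MAC


class MlsSwitchingEngine:
    QUICK_AGING = 5.0                   # fixed, for uncompleted candidates

    def __init__(self, normal_aging=256.0, fast_aging=None, pkt_threshold=0):
        self.rp: dict[str, int] = {}    # MAC -> XTAG, learned from hellos (CAM)
        self.cache: dict[tuple, CacheEntry] = {}
        self.normal_aging, self.fast_aging = normal_aging, fast_aging
        self.pkt_threshold = pkt_threshold

    def hello(self, rp_mac: str, xtag: int) -> None:
        self.rp[rp_mac] = xtag

    def receive(self, f: Frame, now: float) -> tuple[str, Frame]:
        """Returns (what the MLS-SE did, the frame as it is forwarded)."""
        e = self.cache.get(f.flow)
        if e is not None and e.enabled:          # shortcut: bypass the RP
            e.packets += 1
            e.last_seen = now
            out = replace(f, src_mac=e.rewrite_src, dst_mac=e.rewrite_dst, ttl=f.ttl - 1)
            return "shortcut", out
        if f.src_mac in self.rp:                 # frame returning from the RP
            if e is not None and e.xtag == self.rp[f.src_mac]:   # XTAGs match
                e.enabled, e.last_seen = True, now
                e.rewrite_src, e.rewrite_dst = f.src_mac, f.dst_mac
                return "enable", f
            return "forward", f
        if f.dst_mac in self.rp and e is None:   # candidate packet
            self.cache[f.flow] = CacheEntry(self.rp[f.dst_mac], now, now)
            return "candidate", f
        return "forward", f                      # ordinary Layer 2 switching

    def age(self, now: float) -> list[tuple]:
        """Apply the three aging timers; returns the flows removed."""
        removed = []
        for flow, e in self.cache.items():
            if not e.enabled and now - e.created >= self.QUICK_AGING:
                removed.append(flow)             # never got its enable packet
            elif e.enabled and now - e.last_seen >= self.normal_aging:
                removed.append(flow)
            elif (e.enabled and self.fast_aging is not None
                  and now - e.created >= self.fast_aging
                  and e.packets <= self.pkt_threshold):
                removed.append(flow)             # short-lived flow (DNS, ping, TFTP)
        for flow in removed:
            del self.cache[flow]
        return removed


def demo() -> dict:
    se = MlsSwitchingEngine(normal_aging=256.0, fast_aging=32.0, pkt_threshold=3)
    se.hello(RP_MAC, RP_XTAG)
    host_a, host_b = "00:11:22:33:44:01", "00:11:22:33:44:02"
    first = Frame(host_a, RP_MAC, "10.0.10.5", "10.0.20.7", "tcp", 64)
    r1, _ = se.receive(first, now=0.0)
    routed = replace(first, src_mac=RP_MAC, dst_mac=host_b, ttl=63)  # RP's reply
    r2, _ = se.receive(routed, now=0.1)
    r3, out = se.receive(first, now=1.0)
    orphan = Frame(host_a, RP_MAC, "10.0.10.5", "203.0.113.9", "udp", 64)
    se.receive(orphan, now=2.0)             # the RP never sends this one back
    return {"steps": (r1, r2, r3),
            "rewritten": (out.src_mac, out.dst_mac, out.ttl),
            "aged_quick": se.age(now=7.5),
            "aged_fast": se.age(now=40.0),
            "cache_size": len(se.cache)}
```

The XTAG comparison is what keeps an enable packet from one route processor from completing a candidate created for another; without it any frame sourced from a known RP MAC would finish the entry.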
MLS-RP Configuration
– The configuration of the MLS-RP can be completed in the following steps:
  1. Globally enable MLS on the route processor for IP:
     Router(config)# mls rp ip
  2. Assign an MLS VLAN Trunking Protocol (VTP) domain to the interface:
     Router(config-if)# mls rp vtp-domain domain-name
  3. Enable MLS on the route processor for a specific interface:
     Router(config-if)# mls rp ip
  4. Specify an MLS management interface:
     Router(config-if)# mls rp management-interface
  5. Assign a VLAN ID to an interface:
     Router(config-if)# mls rp vlan-id vlan-id-num
Null Domains
– There are several ways in which a route processor and switch can end up in different VTP domains:
  • You can purposely place both devices in separate domains.
  • You can misname or mistype the VTP domain when configuring either the switch or the route processor.
  • You can enter the MLS interface command prior to putting the interface in a VTP domain.
    – Enabling MLS on an interface before assigning the interface to a VTP domain places the interface in the null domain, where it cannot participate in MLS with the switch. To remove the MLS interface from the null VTP domain, disable MLS on the interface, assign the VTP domain, and then enable MLS on the interface again.
CEF (Cisco Express Forwarding)
• All packets, including the first packet in a given flow, are handled in hardware. A routing table is still maintained by the router CPU, but two additional tables are created in the CEF-based model, the Forwarding Information Base and the adjacency table, with a NetFlow table maintained alongside them for accounting:
  – Forwarding Information Base (FIB)
  – Adjacency table
  – NetFlow table
CEF
• The Forwarding Information Base (FIB) is a copy of the forwarding information from the routing table. The FIB table contains the minimum information from the routing table necessary to forward packets. The FIB table does not contain any routing protocol information.
• The adjacency table maintains a database of node adjacencies (two nodes are adjacent if they can reach each other through a single Layer 2 hop) and their associated Layer 2 MAC rewrite or next-hop information. Layer 2 addresses are mapped to corresponding Layer 3 addresses.
• The NetFlow table provides network accounting data. The NetFlow table is updated in parallel with the CEF-based forwarding mechanism provided by the FIB and adjacency tables.
CEF
• CEF relies on a longest-match forwarding algorithm, meaning that the tree is searched in descending order until the "longest match", or greatest number of bits, is matched.
• The appropriate IP routing protocols first resolve the IP routing table, at which point the CEF process is invoked and the corresponding FIB and adjacency tables are constructed.
43
CEF – same but different
• CEF uses a 256-way data structure to store forwarding and MAC header rewrite information, but it does not use a tree. CEF instead uses a data structure called an mtrie (versus mtree), where the actual information being searched for is stored in a separate data structure and the mtrie simply points to it.
• CEF stores the outbound interface information and MAC header information in a separate data structure called the adjacency table.
44
CEF (Cisco Express Forwarding)
• CEF was invented to help overcome the following major deficiencies of MLS:
– MLS does not support overlapping cache entries.
– Any change in the routing table or ARP cache results in the invalidation of large sections of the route cache.
– The first packet to any given destination must be routed (process switched) to build a route cache entry.
– Load balancing is not handled very intelligently.
– All of the above matter for the Internet backbone, where the number of prefixes is large and the routing table changes constantly.
45
CEF (Cisco Express Forwarding)
• The separation of the reachability information (in the CEF table) and the forwarding information (in the adjacency table) provides numerous benefits:
– The adjacency table can be built separately from the CEF table, allowing both to be built without process switching any packets.
– The MAC header rewrite used to forward a packet is not stored in cache entries, so changes in a MAC header rewrite string do not require invalidation of cache entries.
– Recursive routes can be resolved by pointing to the recursed next hop, rather than directly to the forwarding information. A recursive route is one that specifies an intermediate address to which traffic should be sent. The intermediate address might be several hops away; the next hop for the recursive route is the next hop for the route's intermediate address.
46
CEF (Cisco Express Forwarding)
• Essentially, all cache aging is eliminated, and the cache is built based on the information contained in the routing table and ARP cache. There is no need to process switch any packet to build a cache entry.
• The CEF table is a "stripped-down" version of the routing table, implemented as a 256-way mtrie data structure for optimum retrieval performance. Note that, unlike with fast switching, there is a one-to-one correspondence between the routing table entries and the CEF table. You can display the size of the CEF table as well as other information by using the command show ip cef summary.
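The longest-match lookup, the 256-way mtrie, the separate adjacency table and recursive next-hop resolution described on slides 42 to 46 fit together as shown in the following model. It is an added example written for this page, not Cisco code and not part of the original lecture; it uses one mtrie level per octet of the IPv4 destination, expands prefixes that do not end on an octet boundary over the slots they cover (the way CEF fills a 256-way node), and keeps only a next-hop address in the leaf so that the MAC rewrite lives in the adjacency table alone. The routes, next hops and MAC addresses are constructed sample data using RFC 5737 documentation prefixes.

```python
"""256-way mtrie FIB with a separate adjacency table (added example, not lecture code)."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Adjacency:
    """Adjacency-table entry: egress interface and the MAC rewrite for one next hop."""
    interface: str
    rewrite_dst_mac: str


class Slot:
    __slots__ = ("leaf", "plen", "child")

    def __init__(self):
        self.leaf = None    # next-hop IP string, or None if no prefix covers this slot
        self.plen = -1      # prefix length that populated the leaf (most specific wins)
        self.child = None   # next mtrie level, if a longer prefix continues below


class Node:
    """One 256-way mtrie level (a dict keyed by octet stands in for the 256-entry array)."""
    def __init__(self):
        self.slots = {}

    def slot(self, octet):
        s = self.slots.get(octet)
        if s is None:
            s = self.slots[octet] = Slot()
        return s


class Fib:
    def __init__(self):
        self.root = Node()
        self.adjacency = {}   # next-hop IP -> Adjacency (built independently of the mtrie)

    def add_adjacency(self, next_hop, interface, dst_mac):
        self.adjacency[next_hop] = Adjacency(interface, dst_mac)

    def set_rewrite(self, next_hop, dst_mac):
        """Change a MAC rewrite string: only the adjacency table is touched, no FIB entry is invalidated."""
        self.adjacency[next_hop].rewrite_dst_mac = dst_mac

    def add_route(self, prefix, next_hop):
        net = ipaddress.ip_network(prefix, strict=False)
        octets = net.network_address.packed
        plen = net.prefixlen
        if plen == 0:
            level, first, count = 0, 0, 256          # default route: every root slot
        else:
            level = (plen - 1) // 8                  # octet whose slots hold the leaf
            bits = plen - level * 8                  # significant bits in that octet (1..8)
            first = octets[level] & ((0xFF << (8 - bits)) & 0xFF)
            count = 1 << (8 - bits)                  # prefix expansion: number of slots covered
        node = self.root
        for i in range(level):
            s = node.slot(octets[i])
            if s.child is None:
                s.child = Node()
            node = s.child
        for o in range(first, first + count):
            s = node.slot(o)
            if plen >= s.plen:    # never let a wider prefix overwrite a more specific one
                s.leaf, s.plen = next_hop, plen

    def lookup(self, dst):
        """Longest-prefix match: one octet per level, remembering the last leaf seen."""
        node, best, matched = self.root, None, -1
        for o in ipaddress.ip_address(dst).packed:
            s = node.slots.get(o)
            if s is None:
                break
            if s.leaf is not None:
                best, matched = s.leaf, s.plen
            if s.child is None:
                break
            node = s.child
        return best, matched

    def resolve(self, dst):
        """Return (matched prefix length, Adjacency), recursing until the next hop has an adjacency."""
        next_hop, plen = self.lookup(dst)
        seen = set()
        while next_hop is not None and next_hop not in self.adjacency:
            if next_hop in seen:
                raise ValueError("recursive next-hop loop at %s" % next_hop)
            seen.add(next_hop)
            next_hop, _ = self.lookup(next_hop)    # the next hop of the intermediate address
        if next_hop is None:
            return None
        return plen, self.adjacency[next_hop]


def build_sample_fib():
    """Constructed sample (RFC 5737 prefixes); routes are inserted in deliberately mixed order."""
    fib = Fib()
    fib.add_adjacency("192.0.2.1", "GigabitEthernet0/1", "00:11:22:33:44:01")
    fib.add_adjacency("198.51.100.1", "GigabitEthernet0/2", "00:11:22:33:44:02")
    fib.add_route("10.1.1.0/24", "203.0.113.9")      # recursive: next hop is several hops away
    fib.add_route("10.1.0.0/20", "198.51.100.1")     # expanded over 16 slots at the third level
    fib.add_route("10.0.0.0/8", "192.0.2.1")
    fib.add_route("0.0.0.0/0", "192.0.2.1")
    fib.add_route("203.0.113.0/24", "198.51.100.1")  # resolves the recursive next hop above
    return fib


if __name__ == "__main__":
    fib = build_sample_fib()
    for dst in ("10.1.1.77", "10.1.9.3", "10.1.20.1", "172.16.0.1"):
        print(dst, fib.lookup(dst), fib.resolve(dst))
```

Looking up 10.1.1.77 walks root slot 10 (the /8), then slot 1, then slot 1 again where the /24 leaf sits above the /20 expansion; its next hop 203.0.113.9 has no adjacency, so the lookup is repeated for that address and ends at the adjacency for 198.51.100.1. Changing that adjacency's MAC rewrite afterwards leaves every mtrie entry in place, which is the property slide 45 describes.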
47
Redundancy
• HSRP: by sharing an IP address and a MAC address, a set of two or more routers can operate as a single router called a virtual router.
• The individual routers may participate in multiple groups. In this case, the router maintains separate states and timers for each group. Each standby group has a single virtual MAC and IP address.
• Security caveat: HSRP hellos are multicast on the VLAN in clear text and, by default, carry only the fixed authentication string "cisco". Any host on the segment that sends a hello or coup with a higher priority is accepted as the new active router and receives all traffic for the virtual IP. Configure standby <group> authentication md5 key-string <key> on every member and confirm the active and standby members with show standby.
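The HSRP exchange on this slide can be inspected on the wire. The following is an added example written for this page, not lecture or Cisco code: it encodes and decodes HSRP version 1 packets using the RFC 2281 layout (which the slides do not spell out), reports the well-known virtual MAC for a group, and runs a simple audit over a captured set of hellos against the groups an operator expects to exist. The source addresses, packets and expected configuration are constructed sample data; the audit's configuration dictionary and its field names are assumptions of this example.

```python
"""HSRPv1 packet encoding and a rogue-hello check (added example, not lecture code).

RFC 2281 layout: version, opcode, state, hellotime, holdtime, priority, group and
reserved (one byte each), 8 bytes of clear-text authentication data, 4-byte virtual IP.
Carried in UDP port 1985 to 224.0.0.2; the virtual MAC is 0000.0c07.acXX (XX = group).
"""
import socket
import struct
from dataclasses import dataclass

HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")      # 20 bytes on the wire
OPCODE = {0: "hello", 1: "coup", 2: "resign"}
STATE = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}
DEFAULT_AUTH = b"cisco"                         # RFC 2281 default, NUL-padded to 8 bytes


@dataclass
class HsrpPacket:
    opcode: int
    state: int
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def build(group, priority, virtual_ip, opcode=0, state=16,
          hellotime=3, holdtime=10, auth=DEFAULT_AUTH):
    """Encode one HSRPv1 packet (defaults: hello from an active router, timers 3 s / 10 s)."""
    return HSRP_V1.pack(0, opcode, state, hellotime, holdtime, priority, group, 0,
                        auth.ljust(8, b"\0"), socket.inet_aton(virtual_ip))


def parse(payload):
    if len(payload) < HSRP_V1.size:
        raise ValueError("short HSRP packet (%d bytes)" % len(payload))
    version, op, st, ht, hd, prio, grp, _res, auth, vip = HSRP_V1.unpack(payload[:HSRP_V1.size])
    if version != 0:
        raise ValueError("not an HSRP version 1 packet")
    return HsrpPacket(op, st, ht, hd, prio, grp, auth.rstrip(b"\0"), socket.inet_ntoa(vip))


def virtual_mac(group):
    """Well-known HSRPv1 virtual MAC for a group."""
    return "00:00:0c:07:ac:%02x" % group


def audit(packets, expected):
    """Check captured (src_ip, payload) pairs against the groups an operator expects.

    expected (assumed layout): group -> {"routers": set of member IPs, "vip": str,
        "auth": bytes, "max_priority": highest priority configured on any member}
    Returns a list of (src_ip, finding) tuples.
    """
    findings = []
    for src, payload in packets:
        try:
            p = parse(payload)
        except ValueError as err:
            findings.append((src, "malformed: %s" % err))
            continue
        cfg = expected.get(p.group)
        if cfg is None:
            findings.append((src, "group %d: traffic for an unconfigured group" % p.group))
            continue
        kind = OPCODE.get(p.opcode, "opcode %d" % p.opcode)
        if src not in cfg["routers"]:
            findings.append((src, "group %d: %s from a non-member source" % (p.group, kind)))
        if p.auth != cfg["auth"]:
            findings.append((src, "group %d: authentication data mismatch" % p.group))
        if p.priority > cfg["max_priority"]:
            findings.append((src, "group %d: priority %d exceeds configured maximum %d"
                             % (p.group, p.priority, cfg["max_priority"])))
        if p.virtual_ip != cfg["vip"]:
            findings.append((src, "group %d: virtual IP %s is not %s"
                             % (p.group, p.virtual_ip, cfg["vip"])))
    return findings


def groups_with_default_auth(expected):
    """Groups still on the default string: anyone on the VLAN can forge acceptable hellos."""
    return sorted(g for g, cfg in expected.items() if cfg["auth"] == DEFAULT_AUTH)


def sample_capture():
    """Constructed: two legitimate members of group 1 plus one host sending a coup with priority 255."""
    return [
        ("192.0.2.2", build(1, 110, "192.0.2.1")),                # active, priority 110
        ("192.0.2.3", build(1, 100, "192.0.2.1", state=8)),       # standby, priority 100
        ("192.0.2.77", build(1, 255, "192.0.2.1", opcode=1)),     # rogue coup, default auth
    ]


SAMPLE_CONFIG = {1: {"routers": {"192.0.2.2", "192.0.2.3"}, "vip": "192.0.2.1",
                     "auth": DEFAULT_AUTH, "max_priority": 110}}

if __name__ == "__main__":
    for src, finding in audit(sample_capture(), SAMPLE_CONFIG):
        print(src, finding)
    print("groups on default auth:", groups_with_default_auth(SAMPLE_CONFIG))
```

The rogue packet passes the authentication check because the group still uses the default string, which is exactly why the audit also reports groups that rely on it; it is caught only because its source is not a known member and its priority exceeds anything configured. A capture of UDP port 1985 from a SPAN session or a host on the VLAN is enough input for this check.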
48
Redundancy
• Virtual Router Redundancy Protocol (VRRP)
• VRRP is an IETF proposed standard (RFC 2338, since superseded by RFC 3768 and RFC 5798) nearly identical to the Cisco proprietary HSRP.
• The same caveat as for HSRP applies: VRRP advertisements carry the priority in clear text, so a host on the segment that advertises a higher priority can take over the virtual address unless authentication is configured on every member.
49
Redundancy
• Gateway Load Balancing Protocol (GLBP)
• GLBP supplies a method of providing nonstop path redundancy for IP by sharing protocol and MAC addresses between redundant gateways. GLBP also allows a group of routers to share the load of the default gateway on a LAN.