Layer 3 Switching

Table of Contents

Layer 3 Switching Operation and Configuration Introduction to Layer 3 Switching ...................... 2

Layer 3 Switching Operation and Configuration Inter-VLAN Routing with Switch Virtual Interfaces ........................................................................................................................................ 3

Layer 3 Switching Operation and Configuration Inter-VLAN Routing with SVIs (Cont.) ................. 4

Layer 3 Switching Operation and Configuration Inter-VLAN Routing with SVIs (Cont.) ................. 5

Layer 3 Switching Operation and Configuration Inter-VLAN Routing with Routed Ports .............. 6

Layer 3 Switching Operation and Configuration Configuring Static Routes on a Catalyst 2960 .... 8

Troubleshooting Layer 3 Switching Layer 3 Switch Configuration Issues ...................................... 9

Troubleshooting Layer 3 Switching Layer 3 Switching Configuration Issues (Cont.) .................... 12

Page 1 of 16

Layer 3 Switching Operation and Configuration Introduction to Layer 3 Switching

Presentation_ID 19© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Layer 3 Switching Operation and Configuration

Introduction to Layer 3 Switching

Layer 3 switches usually have packet-switching throughputs in the millions of packets per second (pps).

All Catalyst multilayer switches support the following types of Layer 3 interfaces:

• Routed port• Switch virtual interface (SVI)

High-performance switches, such as the Catalyst 6500 and Catalyst 4500, are able to perform most of the router’s functions.

Several models of Catalyst switches require enhanced software for specific routing protocol features.

**019 In the catalyst switches, in multilayer switches, there are two ways to do layer three. You can have an SVI, the switch virtual interface like I just drew up. Or you can do it to an actual physical routed port. And usually that works if you're trying to go outside to another location. You don't have to do it that way, you can do an SVI and map it to that interface. And it works the same most of the time. We'll talk about differences.

Page 2 of 16

Layer 3 Switching Operation and Configuration Inter-VLAN Routing with Switch Virtual Interfaces

Presentation_ID 20© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Layer 3 Switching Operation and ConfigurationInter-VLAN Routing with Switch Virtual Interfaces Today’s routing has become faster and cheaper and can be

performed at hardware speed.

Routing can be transferred to core and distribution devices with little to no impact on network performance.

Many users are in separate VLANs, and each VLAN is usually a separate subnet. This implies that each distribution switch must have IP addresses matching each access switch VLAN.

Layer 3 (routed) ports are normally implemented between the distribution and the core layer. This model is less dependent on spanning tree, because there are no loops in the Layer 2 portion of the topology.

**020 Let's see routing can be transferred. Users are in separate VLANs. And these switches also support layer three access controls lists, layer three ACLs. So, if the reasons you divided the network up into multiple VLANs was to be able to manage traffic and to say only the HR staff can talk to the HR servers, so here's the VLAN for HR servers, here's the VLAN for the HR staff. These two are going to talk, and everything else is going to be access denied. You can do that right in the switch. You don't need a router for that. Layer three router ports are normally implemented between distribution and core.

Page 3 of 16

Layer 3 Switching Operation and Configuration Inter-VLAN Routing with SVIs (Cont.)

Presentation_ID 21© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Layer 3 Switching Operation and Configuration

Inter-VLAN Routing with SVIs (Cont.)

By default, an SVI is created for the default VLAN (VLAN 1). This allows for remote switch administration.

Any additional SVIs must be created by the administrator.

SVIs are created the first time the VLAN interface configuration mode is entered for a particular VLAN SVI.

Enter the interface vlan 10 command to create an SVI named VLAN 10.

The VLAN number used corresponds to the VLAN tag associated with data frames on an 802.1Q encapsulated trunk.

When the SVI is created, ensure that the specific VLAN is present in the VLAN database.

**021 By default, and SVI is created for the default VLAN, VLAN1. We already knew that. And you can't delete it. You can't rename it. You can't even label it. Any other additional interfaces can be created by the administrator by entering interface VLAN blank, whatever the number is. It should associated to the VLAN tag associated to that 802.1q network. And when the SVI is created, make sure that the VLAN is present in the database because it's not created automatically. The only time it's created automatically is when you create it on a port.

Page 4 of 16

Layer 3 Switching Operation and Configuration Inter-VLAN Routing with SVIs (Cont.)

Presentation_ID 22© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Layer 3 Switching Operation and Configuration

Inter-VLAN Routing with SVIs (Cont.)

SVIs advantages include:• Much faster than router-on-a-stick, because everything is

hardware-switched and routed.• No need for external links from the switch to the router for

routing.• Not limited to one link. Layer 2 EtherChannels can be used

between the switches to get more bandwidth.• Latency is much lower, because it does not need to leave the

switch.

**022 So, it's faster, no external links, not limited to single links, latency is much lower.

Page 5 of 16

Layer 3 Switching Operation and Configuration Inter-VLAN Routing with Routed Ports

Presentation_ID 23© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Layer 3 Switching Operation and Configuration

Inter-VLAN Routing with Routed Ports A routed port is a physical port that acts similarly to an interface on

a router.

Routed ports are not associated with any VLANs.

Layer 2 protocols, such as STP, do not function on a routed interface.

Routed ports on a Cisco IOS switch do not support subinterfaces.

To configure routed ports, use the no switchport interface configuration mode command.

Routed ports are requires in some instancesExample: QoS settings can only be applied to physical

interfaces

Note: Routed ports are not supported on Catalyst 2960 Series switches.

**023 Routing port, the difference between what we're talking about now and SVI, what is an SVI? What's the V stand for? Student: Virtual. Instructor: Virtual. So, is it a physical port? Student: No. Instructor: Or is it just kind of floating in space inside the router, inside the switch? Okay, why would you put something on a routed port?

Page 6 of 16

Student: Because if you wanted to link up multiple switches to multiple-- like different VLANs that are on different hardware. Instructor: You could do that. In most cases, there's no real reason to. In most cases, they work just as well on one as they do on the other. Once case in point, routed ports are required in some instances. For example, QoS settings can only applied to physical interfaces. What is a QoS? Student: Quality of service. Instructor: Why can it only be applied to physical interfaces? Because QoS relies on manipulating the buffers of the physical interface. It's manipulating buffers to provide the QoS service, who gets in the buffer first, the person who gets in it later. A virtual interface has no buffers. Therefore, you can't manipulate the buffers. Therefore, you can't apply QoS to a virtual interface. So, if you have to apply QoS to that interface, then it has to be a physical interface. There are some other things where you're trying to force something to go outside the router and back in again trying to put it through an IPS where you may want to actually apply it right to the external interface itself to force the traffic to go out, over, and down, rather than letting it come through directly where it might short circuit and go straight to the two virtual interfaces.

Page 7 of 16

Layer 3 Switching Operation and Configuration Configuring Static Routes on a Catalyst 2960

Presentation_ID 24© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Layer 3 Switching Operation and ConfigurationConfiguring Static Routes on a Catalyst 2960

The Cisco Switch Database Manager (SDM) provides multiple templates for the Cisco Catalyst 2960 switch.

The SDM lanbase-routing template can be enabled to allow the switch to route between VLANs and to support static routing.

Use the show sdm prefer command to verify which template is in use.

The SDM template can be changed in global configuration mode with the sdm prefer command.

**024 There's a Cisco database manager that provides multiple templates for the catalyst. So, we'll see this one.

Page 8 of 16

Troubleshooting Layer 3 Switching Layer 3 Switch Configuration Issues

Presentation_ID 25© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Troubleshooting Layer 3 Switching

Layer 3 Switch Configuration Issues

To troubleshoot Layer 3 issues, verify the following for accuracy:

VLANs• VLANs must be defined across all the switches.• VLANs must be enabled on the trunk ports.• Ports must be in the right VLANs.

SVIs• SVIs must have the correct IP address or subnet mask.• SVIs must be up (must be affiliated with a connection).• SVIs must match with the VLAN number.

**025 Cisco database manager is actually a web based interface that you can use to manage routers and switches. So, troubleshooting, VLANs must be defined across all switches. I had a guy pull his hair out eight months ago, closer to fourteen months ago now. I mean for like two days. He had a situation where-- We had a VOIP phone here. The VOIP phone when into a switch. That switch went into another switch, which went into his big core switch here. And we had the VLAN set. We had the VLAN set. And that VOIP

Page 9 of 16

switch just would not work. We could not get it to work. It was trying to go out an interface here and go out across back to the home office where the voice server was. And we finally found it. And what had happened is it was-- let's say it was VLAN220. VLAN220 was missing on this switch. So what would happen is we'd ping the VLAN the management interface. And we could talk to all these switches on the management interface. Everything looked fine. We could not figure out what the problem was until we found out that VLAN220 was missing. As soon as we added VLAN220 in, then everything worked. And what had happened was he had kept looking at the trunks. And the trunk interfaces were all configured correctly. The trunk interfaces all had VLAN220 in the permit statement. But with VLAN220 not in the VLAN database, the traffic would get to it and the just get thrown away because there was no way it could cross the switch because there was no VLAN220 in that middle switch. Drove him nuts. We finally found it, and everything worked. By that time, it was like almost too late because they'd been struggling with it so long that they kind of gave up on VOIP switching for phones. But finding it was important to know what the problem was. So, again-- VLANs have to be defined across all switches. Enable them on some ports. And the ports must be in

Page 10 of 16

the right VLANs. If you only check two of those three, it may work. And it may not. To make sure it's going to work, you have to check all three, three of three. The right VLANs on each port, the right VLANs on each trunk, and the right VLANs on each switch. And nothing helps you find it. You're going to find it on your own. This is eyes on the screen helps you find this. SVIs must have the correct address or subnet mask. They must be up. If an SVI won't come up, what's the problem with it? SVI is in the down down stage, it won't come up. It's a virtual interface in down down stage. What's the matter with it? Student: It was never configured. Instructor: It's not assigned to anything else that's up. So, there's nothing to bring it up. It's not assigned to a trunk port. It's not assigned to an interface that's up. And the SVI is down because it's got nothing to connect to. So, if you want to bring an SVI up for some reason, you're trying to get it to show, one of the things you have to do is make sure that it's connected to something that is up.

Page 11 of 16

Troubleshooting Layer 3 Switching Layer 3 Switching Configuration Issues (Cont.)

Presentation_ID 26© 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential

Troubleshooting Layer 3 Switching

Layer 3 Switching Configuration Issues (Cont.)

To troubleshoot Layer 3 issues, verify the following for accuracy:

Routing• Routing must be enabled.• Each interface or network should be added to the routing

protocol.

Hosts• Hosts must have the correct IP address or subnet mask.• Hosts must have a default gateway associated with an SVI or

routed port.

**026 So, next, routing, for routing to work, it has be enabled. That's kind of like step one, right? Each interface or network should be added to the routing protocol. That's a big one. If you do-- and I'm kind of jumping ahead-- But because they brought it up, if you do router RIP, and you say network 10.0.0. network like that, if one of your interfaces, interface serial 02, is 192.168.2.0, if that's not in this, what fails to happen? Student: The advertisement of the correct network.

Page 12 of 16

Instructor: Right. RIP will never advertise that route because you didn't make that route eligible to be advertised by RIP. You didn't put in the list of RIP's networks. It acts the same way if it's OSPF, same way if it's EIGRP. The routing protocols will only advertise the networks you tell them to advertise, not by default all the ones that are directly connected. So, it's really funny because people go nuts because they type show IP route, and they say well it shows up on my router. How come it's not on the other guy's router? And they never go back to look to see I didn't tell the routing protocol to tell the other routers about that network. And how would I fix that? Student: Know network 192.168. Instructor: No, you just say up here, network 192.168.2.0 under router RIP. It's already here. It's already on the interface, it just wasn't put in the advertisement list. As soon as you put it in the advertisement list, it works. Student: If you ran know auto summary on RIP, couldn't you do 192.168.0.0? Instructor: Nope because that's a class C network. It's 255.255.255.0. Student: I thought you could summarize?

Page 13 of 16

Instructor: Right, but then you'd have to manually summarize it because it doesn't know to automatically summarize because it doesn't know it's eligible. Student: Okay. Instructor: Yeah, this is a very common mistake is to miss getting that in the list. Because you see it in your own route table, you keep wondering how come it's not showing up in the other guy's route table. And you don't look back to see I didn't tell it to advertise. How can you find it? You can actually turn on debugging on the other guy's router and look at the packets coming in. When you look at the packets coming in, you'll see 192.168.2.0 is not in the inbound packets. Well, no wonder it doesn't know. I'm not telling it. Student: Just for housekeeping's sake, wouldn't you want to get rid of the 168.0.0 network, though, as an advertised network? Instructor: Not if it's a real one. Student: Oh, okay. So, you're saying there were three of those networks, not just one was entered incorrectly. Okay, never mind. Instructor: Yeah 118.168.0.0 is a legal class C network because zero is a legal address in the third octet. So, yeah.

Page 14 of 16

And hosts, if the hosts are working, are the hosts connected correctly? Do they hosts have the right default gateway and the right SVI and routed port? How does that get screwed up most commonly, by the way? How do host addresses get incorrectly assigned? Student: People are entering them statically. Instructor: Yeah, they're entering them statically. Or if it affects everybody--? Student: DHCP is wrong. Instructor: Yeah, DHCP is wrong. And what happens is somebody will type the wrong address in for the gateway. By the way, do the hosts ever learn about RIP routing or OSPF routing or anything like that? Student: They could. Instructor: Nope, not unless you're actually a Windows server that supports routing protocols. The hosts are just using a default gateway. That's why one of the ways to screw a host up is if I have a host, like right now if I took one of these laptops and I hooked it to a wired network and the wireless network, it would have how many default gateways? Student: Two. Instructor: At least two, correct? Can a host have two default gateways and not get confused? Not

Page 15 of 16

very easily. Hosts are much better off if they only have one default gateway. Microsoft advises against it. Everywhere you-- anyplace you want to put on Microsoft about dual default gateways, they'll come back and say uh-uh, don't do that. So, if you have two networks, one of the ways to do it is manually assign one network an IP address and a mask without a gateway. And then if you have multiple networks on that, you can manually assign the network by saying route add, the same way I did route print. You can do a route add. And you can do a route add statement for networks off of that interface. What will happen is it will be just like a router then, it will have some defined static networks that it knows are this way. And it'll say everything else is in my default network going that way. And then it works just find. But Cisco bought devices won't let you in most cases. Microsoft devices might let you but throw up a warning message. And they scream. And they don't react well to having multiple default gateways.

Page 16 of 16