Chapter 12: Multilayer Switching

Cisco Press

1 2 3 4 Page 3
Page 3 of 4
Switch# show cef not-cef-switched
CEF Packets passed on to next switching layer
Slot No_adj No_encap Unsupp'ted Redirect Receive Options  Access   Frag
RP  3579706    0      0    0 41258564    0    0    0
  • The reasons shown are as follows:

  • No_adj—An incomplete adjacency

  • No_encap—An incomplete ARP resolution

  • Unsupp'ted—Unsupported packet features

  • Redirect—ICMP redirect

  • Receive—Layer 3 engine interfaces; includes packets destined for IP addresses that are assigned to interfaces on the Layer 3 engine, IP network addresses, and IP broadcast addresses

  • Options—IP options present

  • Access—Access list evaluation failure

  • Frag—Fragmentation failure

Packet Rewrite

When a multilayer switch finds valid entries in the FIB and adjacency tables, a packet is almost ready to be forwarded. One step remains: The packet header information must be rewritten. Keep in mind that multilayer switching occurs as quick table lookups to find the next-hop address and the outbound switch port. The packet is untouched and still has the original destination MAC address of the switch itself. The IP header also must be adjusted, as if a traditional router had done the forwarding.

The switch has an additional functional block that performs a packet rewrite in real time. The packet rewrite engine (shown in Figure 12-3) makes the following changes to the packet just before forwarding:

  • Layer 2 destination address—Changed to the next-hop device's MAC address

  • Layer 2 source address—Changed to the outbound Layer 3 switch interface's MAC address

  • Layer 3 IP Time To Live (TTL)—Decremented by one because one router hop has just occurred

  • Layer 3 IP checksum—Recalculated to include changes to the IP header

  • Layer 2 frame checksum—Recalculated to include changes to the Layer 2 and Layer 3 headers

A traditional router normally would make the same changes to each packet. The multilayer switch must act as if a traditional router were being used, making identical changes. However, the multilayer switch can do this very efficiently with dedicated packet-rewrite hardware and address information obtained from table lookups.

Configuring CEF

CEF is enabled on all CEF-capable Catalyst switches by default. In fact, the Catalyst 6500 (with a Supervisor 720 and its integrated MSFC3, or a Supervisor 2 and MSFC2 combination) runs CEF inherently, so CEF never can be disabled.

Tip - Switches such as the Catalyst 3750 and 4500 run CEF by default, but you can disable CEF on a per-interface basis. You can use the no ip route-cache cef and no ip cef interface configuration commands to disable CEF on the Catalyst 3750 and 4500, respectively.

You should always keep CEF enabled whenever possible, except when you need to disable it for debugging purposes.

Fallback Bridging

For protocols that CEF can't route or switch, a technique known as fallback bridging is used. Sample protocols are IPX and AppleTalk, which are routable but not supported by CEF, as well as SNA and LAT, which are not routable. To summarize fallback bridging operation, each SVI associated with a VLAN in which nonroutable protocols are being used is assigned to a bridge group. Packets that cannot be routed from one VLAN to another are bridged transparently instead, as long as the two VLANs belong to the same bridge group.

Only the Catalyst 3560 and 3750 offer fallback bridging; these platforms can CEF-switch IP packets, but no others. The Catalyst 4500 and 6500 (all Supervisor models running Cisco IOS Software) also can CEF-switch IP but can handle other routable protocols more slowly with their Layer 3 engines. Those two platforms have no need for fallback bridging.

Bridge groups used in fallback bridging do not interact with normal Layer 2 switching (also using bridging). They do use a special Spanning Tree Protocol to maintain loop-free fallback bridging, but these bridge protocol data units (BPDU) are not exchanged with other 802.1D, Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree (MST) BPDUs on VLANs. Instead, the VLAN-bridge STP is used, with one instance per fallback bridge group.

To configure fallback bridging, first decide which VLANs have traffic that CEF cannot route. Begin by enabling a fallback bridge group and its instance of the VLAN-bridge STP:

Switch(config)# bridge-group bridge-group protocol vlan-bridge

Next, for each VLAN SVI in which nonroutable traffic will be bridged, assign it to the appropriate bridge group:

Switch(config)# interface vlan vlan-id
Switch(config-if)# bridge-group bridge-group

You can configure up to 31 different fallback bridge groups on a switch. Although the VLAN bridge STP instance running on each bridge group does not interact with normal 802.1D STP, it does behave similarly. For example, you can configure the bridge priority, port priority and cost, Hello timer, Forward Delay timer, and Max Age timer. These parameters all should look familiar because they are used in the 802.1D STP. Rather than using the spanning-tree command to adjust the parameter values, you must adjust them according to the bridge group number with the bridge-group bridge-group command keywords.

Verifying Multilayer Switching

The multilayer switching topics presented in this chapter are not difficult to configure; however, you might need to verify how a switch is forwarding packets. In particular, the following sections discuss the commands that you can use to verify the operation of InterVLAN routing, CEF, and fallback bridging.

Verifying InterVLAN Routing

To verify the configuration of a Layer 2 port, you can use the following EXEC command:

Switch# show interface type mod/num switchport

The output from this command displays the access VLAN or the trunking mode and native VLAN. The administrative modes reflect what has been configured for the port, whereas the operational modes show the port's active status.

You can use this same command to verify the configuration of a Layer 3 or routed port. In this case, you should see the switchport (Layer 2) mode disabled, as in Example 12-7.

Example 12-7 Verifying Configuration of a Layer 3 Switch Port

Switch# show interface fastethernet 0/16 switchport
Name: Fa0/16
Switchport: Disabled

To see the physical interface's status and counters, use the command without the switchport keyword. To see a summary listing of all interfaces, you can use the show interface status command.

To verify the configuration of an SVI, you can use the following EXEC command:

Switch# show interface vlan vlan-id

The VLAN interface should be up, with the line protocol also up. If this is not true, either the interface is disabled with the shutdown command or the VLAN itself has not been defined on the switch. Use the show vlan command to see a list of configured VLANs.

Example 12-8 shows the output produced from the show vlan command. Notice that each defined VLAN is shown, along with the switch ports that are assigned to it.

Example 12-8 Displaying a List of Configured VLANs

Switch# show vlan

VLAN Name               Status  Ports
---- -------------------------------- --------- -------------------------------
1  default             active  Fa0/5, Fa0/6, Fa0/7, Fa0/8
                        Fa0/9, Fa0/10, Fa0/11, Fa0/12
                        Fa0/13, Fa0/14, Fa0/15, Fa0/17
                        Fa0/18, Fa0/19, Fa0/20, Fa0/21
                        Fa0/22, Fa0/23, Fa0/24, Fa0/25
                        Fa0/26, Fa0/27, Fa0/28, Fa0/29
                        Fa0/30, Fa0/32, Fa0/33, Fa0/34
                        Fa0/36, Fa0/37, Fa0/38, Fa0/39
                        Fa0/41, Fa0/42, Fa0/43, Fa0/44
                        Fa0/45, Fa0/46, Fa0/47, Gi0/1
2  VLAN0002             active  Fa0/40
5  VLAN0005             active
10  VLAN0010             active
11  VLAN0011             active  Fa0/31
12  VLAN0012             active
99  VLAN0099             active  Fa0/35

You also can display the IP-related information about a switch interface with the show ip interface command, as demonstrated in Example 12-9.

Example 12-9 Displaying IP-Related Information About a Switch Interface

Switch# show ip interface vlan 101
Vlan101 is up, line protocol is up
 Internet address is
 Broadcast address is
 Address determined by setup command
 MTU is 1500 bytes
 Helper address is not set
 Directed broadcast forwarding is disabled
 Outgoing access list is not set
 Inbound access list is not set
 Proxy ARP is enabled
 Local Proxy ARP is disabled
 Security level is default
 Split horizon is enabled
 ICMP redirects are always sent
 ICMP unreachables are always sent
 ICMP mask replies are never sent
 IP fast switching is enabled
 IP fast switching on the same interface is disabled
 IP Flow switching is disabled
 IP CEF switching is enabled
 IP Feature Fast switching turbo vector
 IP Feature CEF switching turbo vector
 IP multicast fast switching is enabled
 IP multicast distributed fast switching is disabled
 IP route-cache flags are Fast, Distributed, CEF
 Router Discovery is disabled
 IP output packet accounting is disabled
 IP access violation accounting is disabled
 TCP/IP header compression is disabled
 RTP/IP header compression is disabled
 Probe proxy name replies are disabled
 Policy routing is disabled
 Network address translation is disabled
 WCCP Redirect outbound is disabled
 WCCP Redirect inbound is disabled
 WCCP Redirect exclude is disabled
 BGP Policy Mapping is disabled
 Sampled Netflow is disabled
 IP multicast multilayer switching is disabled

You can use the show ip interface brief command to see a summary listing of the interfaces involved in routing IP traffic, as demonstrated in Example 12-10.

Example 12-10 Displaying a Summary Listing of Interfaces Routing IP Traffic

Switch# show ip interface brief
Interface         IP-Address   OK? Method Status        Protocol
Vlan1           unassigned   YES NVRAM administratively down down
Vlan54     YES manual up          up 
Vlan101    YES manual up          up 
GigabitEthernet1/1    YES manual up          up 
[output omitted] 

Verifying CEF

CEF operation depends on the correct routing information being generated and downloaded to the Layer 3 forwarding engine hardware. This information is contained in the FIB and is maintained dynamically. To view the entire FIB, use the following EXEC command:

Switch# show ip cef

Example 12-11 shows sample output from this command.

Example 12-11 Displaying the FIB Contents for a Switch

Switch# show ip cef
Prefix       Next Hop       Interface     receive  attached       Vlan1  receive  receive    Vlan1 receive

On this switch, only VLAN 1 has been configured with the IP address Notice several things about the FIB for such a small configuration:

  •—An FIB entry has been reserved for the default route. No next hop is defined, so the entry is marked "receive" so that packets will be sent to the Layer 3 engine for further processing.

  •—The subnet assigned to the VLAN 1 interface is given its own entry. This is marked "attached" because it is connected directly to an SVI, VLAN 1.

  •—An FIB entry has been reserved for the exact network address. This is used to contain an adjacency for packets sent to the network address, if the network is not directly connected. In this case, there is no adjacency, and the entry is marked "receive."

  •—An entry has been reserved for the VLAN 1 SVI's IP address. Notice that this is a host route (/32). Packets destined for the VLAN 1 interface must be dealt with internally, so the entry is marked "receive."

  •—This is an entry for a neighboring multilayer switch, found on the VLAN 1 interface. The next-hop field has been filled in with the same IP address, denoting that an adjacency is available.

  •—An FIB entry has been reserved for the subnet's broadcast address. The route processor (Layer 3 engine) handles all directed broadcasts, so the entry is marked "receive."

To see complete FIB table information for a specific interface, use the following EXEC command:

Switch# show ip cef type mod/num [detail]

Verifying Fallback Bridging

To verify the operation of fallback bridging, you can use the following EXEC commands:

Switch# show bridge group
Switch# show bridge bridge-group [verbose]

The first command shows a summary of all active fallback bridge groups, along with their STP states. The second command displays the bridging table contents for a specific fallback bridge group.

Foundation Summary

The Foundation Summary is a collection of information that provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this information is a convenient way to review the day before the exam.

Table 12-2 InterVLAN Routing Configuration Commands


Command Syntax

Put a port into Layer 2 mode

Switch(config-if)# switchport

Put a port into Layer 3 mode

Switch(config-if)# no switchport

Define an SVI

Switch(config)# interface vlan vlan-id

Components of CEF:

1 2 3 4 Page 3
Page 3 of 4
SD-WAN buyers guide: Key questions to ask vendors (and yourself)