Switch# show cef not-cef-switched
CEF Packets passed on to next switching layer
Slot  No_adj No_encap Unsupp'ted Redirect  Receive  Options   Access     Frag
RP   3579706        0          0        0 41258564        0        0        0
Switch#
The reasons shown are as follows:
No_adj—An incomplete adjacency
No_encap—An incomplete ARP resolution
Unsupp'ted—Unsupported packet features
Redirect—ICMP redirect
Receive—Layer 3 engine interfaces; includes packets destined for IP addresses that are assigned to interfaces on the Layer 3 engine, IP network addresses, and IP broadcast addresses
Options—IP options present
Access—Access list evaluation failure
Frag—Fragmentation failure
Packet Rewrite
When a multilayer switch finds valid entries in the FIB and adjacency tables, a packet is almost ready to be forwarded. One step remains: The packet header information must be rewritten. Keep in mind that multilayer switching occurs as quick table lookups to find the next-hop address and the outbound switch port. The packet is untouched and still has the original destination MAC address of the switch itself. The IP header also must be adjusted, as if a traditional router had done the forwarding.
The switch has an additional functional block that performs a packet rewrite in real time. The packet rewrite engine (shown in Figure 12-3) makes the following changes to the packet just before forwarding:
Layer 2 destination address—Changed to the next-hop device's MAC address
Layer 2 source address—Changed to the outbound Layer 3 switch interface's MAC address
Layer 3 IP Time To Live (TTL)—Decremented by one because one router hop has just occurred
Layer 3 IP checksum—Recalculated to include changes to the IP header
Layer 2 frame checksum—Recalculated to include changes to the Layer 2 and Layer 3 headers
A traditional router normally would make the same changes to each packet. The multilayer switch must act as if a traditional router were being used, making identical changes. However, the multilayer switch can do this very efficiently with dedicated packet-rewrite hardware and address information obtained from table lookups.
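The five rewrite steps listed above, carried out in software on one Ethernet/IPv4 frame. This is an added example, not code from the book or from Cisco; the function names, the MAC and IP addresses, and the choice to reject a frame whose TTL would reach zero are assumptions of the example.

```python
import struct
import zlib

def ip_checksum(header: bytes) -> int:
    """RFC 1071 checksum; returns 0 when run over a header whose checksum is valid."""
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def fcs(frame: bytes) -> bytes:
    """Ethernet frame check sequence: CRC-32, sent least-significant byte first."""
    return struct.pack("<I", zlib.crc32(frame))

def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, payload):
    """Constructed sample: Ethernet II + 20-byte IPv4 header + payload + FCS."""
    ip = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                               0, 0, ttl, 17, 0, src_ip, dst_ip))
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))
    frame = dst_mac + src_mac + b"\x08\x00" + bytes(ip) + payload
    return frame + fcs(frame)

def rewrite(frame_fcs: bytes, next_hop_mac: bytes, egress_mac: bytes) -> bytes:
    """Apply the five rewrite steps to one IPv4 frame and return the new frame."""
    frame = frame_fcs[:-4]
    if fcs(frame) != frame_fcs[-4:]:
        raise ValueError("ingress FCS mismatch")
    if frame[12:14] != b"\x08\x00":
        raise ValueError("not IPv4")
    ihl = (frame[14] & 0x0F) * 4
    ip = bytearray(frame[14:14 + ihl])
    if ip_checksum(bytes(ip)) != 0:
        raise ValueError("bad IP header checksum")
    if ip[8] <= 1:  # assumption of this example: such frames are not rewritten here
        raise ValueError("TTL would expire")
    ip[8] -= 1                                              # Layer 3 TTL
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", ip_checksum(bytes(ip)))   # Layer 3 checksum
    out = next_hop_mac + egress_mac + frame[12:14] + bytes(ip) + frame[14 + ihl:]
    return out + fcs(out)                                   # Layer 2 FCS

if __name__ == "__main__":
    # Constructed values: locally administered MACs and hosts in 10.1.1.0/24, 10.1.5.0/24.
    sw, host, nh, egress = (bytes.fromhex(f"02000000000{i}") for i in range(1, 5))
    before = build_frame(sw, host, bytes([10, 1, 1, 10]), bytes([10, 1, 5, 20]), 64, b"data")
    after = rewrite(before, nh, egress)
    print(before.hex(), after.hex(), sep="\n")
```

Only the two MAC addresses, the TTL, and the two checksums differ between the input and output frames; the IP addresses and the payload pass through unchanged.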
Configuring CEF
CEF is enabled on all CEF-capable Catalyst switches by default. In fact, the Catalyst 6500 (with a Supervisor 720 and its integrated MSFC3, or a Supervisor 2 and MSFC2 combination) runs CEF inherently, so CEF never can be disabled.
Tip - Switches such as the Catalyst 3750 and 4500 run CEF by default, but you can disable CEF on a per-interface basis. You can use the no ip route-cache cef and no ip cef interface configuration commands to disable CEF on the Catalyst 3750 and 4500, respectively.
You should always keep CEF enabled whenever possible, except when you need to disable it for debugging purposes.
Fallback Bridging
For protocols that CEF can't route or switch, a technique known as fallback bridging is used. Sample protocols are IPX and AppleTalk, which are routable but not supported by CEF, as well as SNA and LAT, which are not routable. To summarize fallback bridging operation, each SVI associated with a VLAN in which nonroutable protocols are being used is assigned to a bridge group. Packets that cannot be routed from one VLAN to another are bridged transparently instead, as long as the two VLANs belong to the same bridge group.
Only the Catalyst 3560 and 3750 offer fallback bridging; these platforms can CEF-switch IP packets but no other protocols. The Catalyst 4500 and 6500 (all Supervisor models running Cisco IOS Software) also can CEF-switch IP but can handle other routable protocols more slowly with their Layer 3 engines. Those two platforms have no need for fallback bridging.
Bridge groups used in fallback bridging do not interact with normal Layer 2 switching (also using bridging). They do use a special Spanning Tree Protocol to maintain loop-free fallback bridging, but these bridge protocol data units (BPDU) are not exchanged with other 802.1D, Rapid Spanning Tree Protocol (RSTP), or Multiple Spanning Tree (MST) BPDUs on VLANs. Instead, the VLAN-bridge STP is used, with one instance per fallback bridge group.
To configure fallback bridging, first decide which VLANs have traffic that CEF cannot route. Begin by enabling a fallback bridge group and its instance of the VLAN-bridge STP:
Switch(config)# bridge bridge-group protocol vlan-bridge
Next, for each VLAN SVI in which nonroutable traffic will be bridged, assign it to the appropriate bridge group:
Switch(config)# interface vlan vlan-id
Switch(config-if)# bridge-group bridge-group
You can configure up to 31 different fallback bridge groups on a switch. Although the VLAN bridge STP instance running on each bridge group does not interact with normal 802.1D STP, it does behave similarly. For example, you can configure the bridge priority, port priority and cost, Hello timer, Forward Delay timer, and Max Age timer. These parameters all should look familiar because they are used in the 802.1D STP. Rather than using the spanning-tree command to adjust the parameter values, you must adjust them according to the bridge group number with the bridge-group bridge-group command keywords.
Verifying Multilayer Switching
The multilayer switching topics presented in this chapter are not difficult to configure; however, you might need to verify how a switch is forwarding packets. In particular, the following sections discuss the commands that you can use to verify the operation of InterVLAN routing, CEF, and fallback bridging.
Verifying InterVLAN Routing
To verify the configuration of a Layer 2 port, you can use the following EXEC command:
Switch# show interface type mod/num switchport
The output from this command displays the access VLAN or the trunking mode and native VLAN. The administrative modes reflect what has been configured for the port, whereas the operational modes show the port's active status.
You can use this same command to verify the configuration of a Layer 3 or routed port. In this case, you should see the switchport (Layer 2) mode disabled, as in Example 12-7.
Example 12-7 Verifying Configuration of a Layer 3 Switch Port
Switch# show interface fastethernet 0/16 switchport
Name: Fa0/16
Switchport: Disabled
Switch#
To see the physical interface's status and counters, use the command without the switchport keyword. To see a summary listing of all interfaces, you can use the show interface status command.
To verify the configuration of an SVI, you can use the following EXEC command:
Switch# show interface vlan vlan-id
The VLAN interface should be up, with the line protocol also up. If this is not true, either the interface is disabled with the shutdown command or the VLAN itself has not been defined on the switch. Use the show vlan command to see a list of configured VLANs.
Example 12-8 shows the output produced from the show vlan command. Notice that each defined VLAN is shown, along with the switch ports that are assigned to it.
Example 12-8 Displaying a List of Configured VLANs
Switch# show vlan
VLAN Name                             Status    Ports
---- -------------------------------- --------- -------------------------------
1    default                          active    Fa0/5, Fa0/6, Fa0/7, Fa0/8
                                                Fa0/9, Fa0/10, Fa0/11, Fa0/12
                                                Fa0/13, Fa0/14, Fa0/15, Fa0/17
                                                Fa0/18, Fa0/19, Fa0/20, Fa0/21
                                                Fa0/22, Fa0/23, Fa0/24, Fa0/25
                                                Fa0/26, Fa0/27, Fa0/28, Fa0/29
                                                Fa0/30, Fa0/32, Fa0/33, Fa0/34
                                                Fa0/36, Fa0/37, Fa0/38, Fa0/39
                                                Fa0/41, Fa0/42, Fa0/43, Fa0/44
                                                Fa0/45, Fa0/46, Fa0/47, Gi0/1
                                                Gi0/2
2    VLAN0002                         active    Fa0/40
5    VLAN0005                         active
10   VLAN0010                         active
11   VLAN0011                         active    Fa0/31
12   VLAN0012                         active
99   VLAN0099                         active    Fa0/35
Switch#
You also can display the IP-related information about a switch interface with the show ip interface command, as demonstrated in Example 12-9.
Example 12-9 Displaying IP-Related Information About a Switch Interface
Switch# show ip interface vlan 101
Vlan101 is up, line protocol is up
  Internet address is 10.1.1.1/24
  Broadcast address is 255.255.255.255
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Feature Fast switching turbo vector
  IP Feature CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, Distributed, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
  Sampled Netflow is disabled
  IP multicast multilayer switching is disabled
Switch#
You can use the show ip interface brief command to see a summary listing of the interfaces involved in routing IP traffic, as demonstrated in Example 12-10.
Example 12-10 Displaying a Summary Listing of Interfaces Routing IP Traffic
Switch# show ip interface brief
Interface              IP-Address      OK? Method Status                Protocol
Vlan1                  unassigned      YES NVRAM  administratively down down
Vlan54                 10.3.1.6        YES manual up                    up
Vlan101                10.1.1.1        YES manual up                    up
GigabitEthernet1/1     10.1.5.1        YES manual up                    up
[output omitted]
Switch#
Verifying CEF
CEF operation depends on the correct routing information being generated and downloaded to the Layer 3 forwarding engine hardware. This information is contained in the FIB and is maintained dynamically. To view the entire FIB, use the following EXEC command:
Switch# show ip cef
Example 12-11 shows sample output from this command.
Example 12-11 Displaying the FIB Contents for a Switch
Switch# show ip cef
Prefix              Next Hop             Interface
0.0.0.0/32          receive
192.168.199.0/24    attached             Vlan1
192.168.199.0/32    receive
192.168.199.1/32    receive
192.168.199.2/32    192.168.199.2        Vlan1
192.168.199.255/32  receive
Switch#
On this switch, only VLAN 1 has been configured with the IP address 192.168.199.1 255.255.255.0. Notice several things about the FIB for such a small configuration:
0.0.0.0/32—An FIB entry has been reserved for the default route. No next hop is defined, so the entry is marked "receive" so that packets will be sent to the Layer 3 engine for further processing.
192.168.199.0/24—The subnet assigned to the VLAN 1 interface is given its own entry. This is marked "attached" because it is connected directly to an SVI, VLAN 1.
192.168.199.0/32—An FIB entry has been reserved for the exact network address. This is used to contain an adjacency for packets sent to the network address, if the network is not directly connected. In this case, there is no adjacency, and the entry is marked "receive."
192.168.199.1/32—An entry has been reserved for the VLAN 1 SVI's IP address. Notice that this is a host route (/32). Packets destined for the VLAN 1 interface must be dealt with internally, so the entry is marked "receive."
192.168.199.2/32—This is an entry for a neighboring multilayer switch, found on the VLAN 1 interface. The next-hop field has been filled in with the same IP address, denoting that an adjacency is available.
192.168.199.255/32—An FIB entry has been reserved for the 192.168.199.0 subnet's broadcast address. The route processor (Layer 3 engine) handles all directed broadcasts, so the entry is marked "receive."
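The walk-through above can be reproduced with a longest-prefix match over the Example 12-11 output, which shows which destinations are handed to the Layer 3 engine and which have a usable adjacency. This is an added example, not part of the original text or any Cisco tool; the function names and the handling labels are assumptions, and the destination addresses queried are constructed.

```python
import ipaddress

# Example 12-11 output as printed in this chapter.
FIB_OUTPUT = """\
Prefix              Next Hop             Interface
0.0.0.0/32          receive
192.168.199.0/24    attached             Vlan1
192.168.199.0/32    receive
192.168.199.1/32    receive
192.168.199.2/32    192.168.199.2        Vlan1
192.168.199.255/32  receive
"""

def parse_fib(text):
    """Return (network, next_hop_field, interface) tuples from 'show ip cef' text."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            network = ipaddress.ip_network(fields[0])
        except ValueError:
            continue  # header, prompt, or anything that is not a prefix
        entries.append((network, fields[1], fields[2] if len(fields) > 2 else None))
    return entries

def lookup(entries, destination):
    """Longest-prefix match; returns (prefix, handling, interface) or None."""
    addr = ipaddress.ip_address(destination)
    matches = [e for e in entries if addr in e[0]]
    if not matches:
        return None  # no covering prefix in the parsed table
    network, next_hop, interface = max(matches, key=lambda e: e[0].prefixlen)
    if next_hop in ("receive", "attached"):
        handling = next_hop
    else:
        handling = "adjacency " + next_hop
    return str(network), handling, interface

def receive_prefixes(entries):
    """Prefixes whose packets are handed to the Layer 3 engine."""
    return [str(net) for net, next_hop, _ in entries if next_hop == "receive"]

if __name__ == "__main__":
    fib = parse_fib(FIB_OUTPUT)
    for dest in ("192.168.199.1", "192.168.199.2", "192.168.199.77"):
        print(dest, lookup(fib, dest))
```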
To see complete FIB table information for a specific interface, use the following EXEC command:
Switch# show ip cef type mod/num [detail]
Verifying Fallback Bridging
To verify the operation of fallback bridging, you can use the following EXEC commands:
Switch# show bridge group
Switch# show bridge bridge-group [verbose]
The first command shows a summary of all active fallback bridge groups, along with their STP states. The second command displays the bridging table contents for a specific fallback bridge group.
Foundation Summary
The Foundation Summary is a collection of information that provides a convenient review of many key concepts in this chapter. If you are already comfortable with the topics in this chapter, this summary can help you recall a few details. If you just read this chapter, this review should help solidify some key facts. If you are doing your final preparation before the exam, this information is a convenient way to review the day before the exam.
Table 12-2 InterVLAN Routing Configuration Commands
Task | Command Syntax |
Put a port into Layer 2 mode | Switch(config-if)# switchport |
Put a port into Layer 3 mode | Switch(config-if)# no switchport |
Define an SVI | Switch(config)# interface vlan vlan-id |
Components of CEF: