Switched Virtual Interfaces for Inter-VLAN routing

Captions
Have you ever asked yourself the question, what is a VLAN versus an interface VLAN? If that question has crossed your mind at least once, this video is for you. We're gonna take the router on a stick that we did in our previous video, and now we're gonna collapse the network down to have the integrated routing functionality be done by the switch itself: no external router, no external interface for the router. We'll do it all with something called a switched virtual interface. Let's jump in.

So let's take a look at the migration towards nothing. Eventually we'll have one box that can do it all, and there are devices that do all that functionality, and the question, I guess, could be: do you really want to put all that functionality in one box? The answer is, if you replicate everything and you have fault tolerance, why not? So here in this example we have migrated to one router with one physical interface trunking, from the previous video, and we're doing routing based on the logical sub-interfaces. Well, if these are just logical sub-interfaces for the purpose of routing, we can totally remove this router if our switches are multi-layer switches. What is a multi-layer switch? I'm glad you asked. A layer 2 switch makes forwarding decisions based on MAC addresses; that's what we know and love switches as. However, what do you call a device that makes forwarding decisions at layer 3? Well, normally we'd call it a router, but if we trained a switch to make forwarding decisions at layer 3, guess what: that switch, if it can forward based on layer 2 MAC addresses and make forwarding decisions based on layer 3 IP addresses, has now graduated to the class called a multi-layer switch.

So if we do get rid of the router, so it's completely gone, we turn off this port on the trunk on the switch and we power off R5. What about our clients? Let's think about this from the PC's perspective. It's got an IP address of 10.0.0.10; it believes its default gateway is 10.0.0.2. And you know what we should do? We should probably provide a default gateway for that client, but instead of having the router do it, we're gonna go ahead and have the switch do it, if it's a multi-layer switch. There's a couple of processes here that have to happen. One is we need to enable IP routing on the switch. By default, on most switches that are capable of doing layer 3 forwarding, the command ip routing is turned off, so we'll need to turn that on. And then secondly, we need to create, out of thin air, a layer 3 address that this guy here can use as his default gateway, the 10.0.0.2 address. So we're gonna do it very much like we did on this router, except we're gonna do it on the switch itself. Instead of saying interface Fa0/0.2 or Fa0/0.3, we're just gonna go into global configuration mode and say interface vlan 2. Let's stop the bus right there for a moment. When we type in interface vlan 2, that is not creating the VLAN. VLAN 2 already exists: we assigned this port to VLAN 2, the trunks are allowing VLAN 2, the VLAN 2 broadcast domain already exists. What this command right here is doing is creating a layer 3 logical interface, like a router interface, that lives in VLAN 2. So we are creating an interface VLAN 2 that can support users that are currently in VLAN 2. The second thing we're gonna need to do is give it an IP address, so we use the command ip address and give it the IP address we want; in this case 10.0.0.2. Now take a look at that IP address. Why that IP address? Because the customers in VLAN 2 are looking to use 10.0.0.2 as a default gateway, so we're gonna assign the IP address that the customers need to the virtual interface. They call it a switched virtual interface: interface VLAN 2, and give it the IP address. We're gonna do the same thing for our good old customers here in VLAN 3: we're gonna create a logical virtual interface called interface VLAN 3 to support our customers in VLAN 3 and give it an IP address that the customers in VLAN 3 are supposed to use as their default gateway.

So these are real layer 3 IP addresses, but if you got out your microscope and said, hmm, let me see exactly where those interfaces are, you will never find them, because they're not physical. Just like you wouldn't find these sub-interfaces from a physical perspective, you won't find these switched virtual interfaces either. And you know what? A switched virtual interface is not that uncommon. Think about it: do we ever have to manage our switches? The answer is yeah, we might need to telnet or SSH to them. We have been using switched virtual interfaces forever, because it's a switched virtual interface we create, interface vlan 1, and assign it an IP address that allows us to remotely telnet or SSH or open up browser access to a switch. So what we're doing with multi-layer switching is we're saying we're not just going to use an IP address for management of the switch; we're gonna use at least two interfaces and enable IP routing, so the switch that we configure these on can literally be the router for our two VLANs.

All right, so it's now time to configure this. It's a lot of fun, it's super easy. The very first thing I want to do is point out that we have turned off router 5. It used to be the router on a stick up here; we've physically turned it off so we're not gonna have a conflict of IP addresses. You can only have the same IP address being used one time in each subnet. So switch 1 is going to use the IP addresses of 10.0.0.2 and 30.0.0.3. For the VLAN 2 interface it's gonna use 10.0.0.2. Why? Because that's what the clients on that subnetwork have been trained, either through static configuration or DHCP, to use as a default gateway. And we'll do the same thing for the VLAN 3 interface: we'll use 30.0.0.3, because the clients are expecting to use that as a default gateway. We also need to make sure we turn on IP routing, which we'll do; otherwise, even though a switch might be capable of layer 3 routing, it doesn't like to do it most of the time by default. So we use the command ip routing. So let's start right there. We'll go into configuration mode, and in configuration mode we'll simply say ip routing. Poof. No beautiful console message or emails, but now it's able to route packets. Next we'll create our logical layer 3 interfaces. We'll create interface VLAN 2 and interface VLAN 3, and as a reminder, VLANs 2 and 3 already exist; we're just creating the interfaces, the logical interfaces that the switch is gonna manage, that we can put IP addresses on. All right, so now that that part's done, let's go ahead and create interface VLAN 2 first. The syntax is really, really simple: you just go from global config and say interface vlan 2, Enter. Now, if the VLAN 2 broadcast domain doesn't exist, this interface is worthless, but assuming it exists, we create interface VLAN 2, assign it the IP address, and we're good to go. Just like any other interface, it's up and active. Now we'll create a second logical interface; we'll create this one right here for the benefit of customers in VLAN 3. So we go into interface configuration mode, excuse me, global config, and then say interface vlan 3, which puts us into interface configuration mode, and then give it an IP address. That is it, that's all we need to do. No routers required, because in this case switch 1, with these two logical interfaces, is acting like a router. Now, could we have done these commands over on switch 2 on the left or switch 3 on the right? Yes, it really doesn't matter. I picked a middle point, but these logical interfaces could be anywhere where that VLAN exists, and because the red VLAN, VLAN 2, is allowed across all the trunks, we literally could have had these commands on any of the three switches.

Now let's go ahead and test this. For our test we're gonna put a protocol analyzer on one of these links, and that brings us to an important question. We have these trunk links going between the switch on the left, the middle switch, and the switch on the right, and these trunk links, if we have two parallel paths between two switches, what happens? Well, if spanning tree isn't running, we have a loop, but spanning tree is running here, and so spanning tree is only using one of these links. So I'm gonna monitor on both of them, and then we'll go ahead and simply take a look at the protocol analysis on the trunk that was active. In the next video I'll show you how we can take these two trunk links, where only one of them's active because of spanning tree, and bundle them together into an EtherChannel so we're not wasting any bandwidth. But for now, we just realize that only one of these interfaces is gonna be active for forwarding traffic because of spanning tree.

So what do we expect to happen? In fact, let me just clear out anything that might be in memory here on the PC. I'm gonna go to configuration mode and interface Fa0/0, and I'm gonna shut it down. This PC is being played today by an IOS router, so by shutting it down, that forces any kind of resolution for layer 3 to layer 2 mappings there to be completely gone, and I'll bring it back up as well, so I'll do a no shut and that will come up. Now we are connected to a switch port here, so if I haven't configured rapid spanning tree or PortFast, we'd want to give it a few seconds to make sure that the PC has the ability to forward traffic on the network. Let's do a show arp real quick and verify that there's nothing in the ARP cache. Now this MAC address right here I've hard-coded on this PC, so it's 1 0 1 0 1 0 1 0; it's really easy to recognize. And here's what we expect to have happen when this PC tries to ping 30.0.0.10. The very first thing it says to itself is (and you know the answer to this now) is this network, 30.0.0.0, local or remote? And it's assuming that 30.0.0.0 is a 24-bit network, because it has a 24-bit mask. That's what PCs do; they assume everybody has the same mask they do. And then they ask the question: is it local or is it remote? Well, in this case 10.0.0.0 is different than 30.0.0.0. It's like being on two different streets, and as a result the PC knows that it needs to go to its default gateway for help. This device is configured with the default gateway of 10.0.0.2, so it looks at its ARP cache and says, oh, I don't know how to get to the layer 2 address of my default gateway, and I need it; that's how we forward frames at layer 2, based on the destination MAC address. So it's gonna do an ARP request. This ARP request is gonna go out, it's gonna go into the switch as a broadcast, it's gonna go over one of these trunk links, this switch is gonna get it, this switch is gonna forward it across its trunk links as well, so that everybody who is possibly inside of VLAN 2 will get this broadcast. Now, the switch on the right doesn't have any access ports in VLAN 2, so it won't forward them to any access ports here, but the broadcast would be received on the trunk link between the middle switch and the right switch. Okay, so the broadcast goes everywhere. This switch in the middle, once it has the IP address which we just gave it of 10.0.0.2, is gonna see that; it's gonna say, oh, you're looking for my MAC address, and it will respond with the MAC address that it has decided to use for this logical interface. That response is gonna go back over the trunk as a unicast back towards the source MAC address of this PC, and the PC will get it, and all of a sudden the PC will have a new ARP entry. It will know that 10.0.0.2 is reachable by whatever MAC address the switch has assigned to that virtual interface. Great, then what happens? Well, then the PC sends a packet. If we do this ping right here, the ping packet, the request, will go from 10.0.0.10, its IP address, to 30.0.0.10, so at layer 3 that's the source and destination, but it's gonna be forwarded to this logical interface on the switch, and the switch is gonna say, oh, I'm a router now, I have IP routing enabled, I need to forward this packet to the 30 network. I'm directly connected; I need to figure out what the layer 2 address of this server is. Does this story sound familiar? This is identical, my friends, to the story we had with router on a stick. It's also very similar to using multiple physical interfaces for routing: we have to figure out what the next layer 2 address is as we forward packets along the way, or in this case frames along the way. So this switch is gonna say to itself, I don't know what the layer 2 address is of 30.0.0.3, and as a result, what is it going to do? It's going to generate a broadcast, specifically an ARP request: please respond with your layer 2 address. Now that broadcast, check this out, because we did it right here, that broadcast where this switch is asking for the IP, the MAC address of 30.0.0.10, that broadcast, because it is associated with VLAN 3, is gonna go down this trunk. It's also gonna go down this trunk, because these trunks are allowing all VLAN traffic. Now the switch on the left gets that broadcast and says, I've got no access ports assigned to VLAN 3. So it received it with a tag that said this is for VLAN 3; this switch says, I don't need it, and it wouldn't actually send it to anybody on this switch, because it came in on the trunk and there's no other access ports. However, we can mitigate that wasted bandwidth of having a broadcast come down here if we use a technique called VTP pruning. But just to be clear on what we expect to happen, that is the expected behavior. So if we track or sniff the wire on these two interfaces, whichever one happens to be active from a spanning tree perspective, we are gonna see the ARP request of this client looking for the layer 2 address of 10.0.0.2, and we're also gonna see the reply come back, and we're also going to see an ARP request for VLAN 3 looking for 30.0.0.10 on this segment, but we won't see a reply. Why is that? The broadcast went out left, the broadcast went out right, and the response came from the server back over to the VLAN 3 logical interface, so the unicast reply won't be seen over here. And then we should see the remainder of the successful echo requests and echo replies going across the network. That's the theory, anyway.

So let's go ahead and do a ping. Give me a moment, let me put the protocol analyzer in go mode so it's listening to both of these two interfaces. And now that that's done, well, let's go ahead and do our ping. We also should lose two of our ICMP echo requests. Why is that? One we lost on the initial ARP looking for 10.0.0.2, and one as the VLAN 3 interface was looking for the MAC address for 30.0.0.10. And there you have it. And if we do a ping again, we should have a hundred percent, because all the ARP resolution is done. And if we do a trace, the traceroute should show that the first... it shows that I need to put in an IP address, 30.0.0.10, because that's where we're going. We'll use our default source address and let it go. All right, so the first hop was our default gateway of 10.0.0.2 and the final destination was 30.0.0.10. And so when a Cisco router does a traceroute, it's actually sending 3 UDP segments with a TTL of 1, which causes the first router to say, hey, I'm killing those packets, here's your responses, and this is how long it took to get those responses. Then we increase the TTL to 2 and we send out the three segments again, and that gets past the first router to the final destination, who doesn't have any services, who also sends an ICMP response saying that the destination is not reachable because I'm not running any services on this port. And those ports are done dynamically behind the scenes; we don't have to manually put them in.

Okay, let's take a look at the protocol analyzer and verify what we thought would happen with the ARP requests and the actual ping packets as they went over this trunk. Spanning tree is a chatty little protocol, isn't it? Most of the stuff we captured is related to spanning tree, where every 2 seconds, for every instance of VLANs we have, by default we have little BPDUs going out. So let's scroll down to our first relevant packet, and that is right here. So the moment we typed in ping 30.0.0.10 from this PC, it said, oh, it's remote, it's not local, I need to forward this to my default gateway, which is 10.0.0.2; I don't have his layer 2 address, I need to find it, and that's what this ARP request is all about. You'll notice, because we captured it, by the way, it was Fa1/11 that was active and Fa1/12 is the one that is currently blocked from the spanning tree perspective. This middle switch happens to be the root switch, so all the action got caught on this top link. So we take a look at the Ethernet frame. It says, okay, this Ethernet frame is sourced from the MAC address of the PC, which I hard-coded; the destination is a broadcast at layer 2, and the next protocol up is 802.1Q, so that's hexadecimal 8100. If we were handing it directly up to IP, it would be hexadecimal 800 as the layer 3 protocol number, so we're handing it up to 802.1Q. We'll minimize that, open this up, and the most important story is this: it says this is a broadcast destined for devices in VLAN 2. Now how did the switch figure it out? Because the guy who put the tag on was this switch, because the switch received the broadcast on an access port that was assigned to VLAN 2, so as he propagates it, he tags it with VLAN 2 before he puts it on the trunk. So this receiving switch, who received this, knew that broadcast was VLAN 2, because he read the tag, and then he forwards it out to any other devices that are interested in VLAN 2 traffic, which would include the logical interface VLAN 2 and these trunk ports that lead over to the switch on the right. So it's a dot1q frame, and inside that frame we have an ARP request, and this is 10.0.0.10 right here asking who has the MAC address, or who can tell me what the MAC address is, for 10.0.0.2. What is the proper response? Well, the proper response is an ARP reply, and here's the ARP reply. So this ARP reply is sourced from the layer 2 address of this logical interface, which is right here. We can see that the destination is a unicast MAC address of this PC. It's also tagged as VLAN 2, because that was the interface that sourced it, so before he put this on the wire he also tagged it as, this belongs to VLAN 2, and sent it across. Switches make unicast forwarding decisions based on where they know that MAC address lives, so this switch knows that this MAC address, 1010 1010, lives off this port, but in addition, instead of just forwarding, it also checks to make sure that that port is open, if you will, for VLAN 2 traffic. So because it's an access port assigned to VLAN 2, that's a yes. The only other option would be a trunk port which was allowing VLAN 2 traffic along it. So the response makes it to the PC. He's all happy; he now knows the layer 3 address and the layer 2 address of his default gateway, and one of our pings gets sent off.

So if we scroll down here, here's our ping request. So now our ping request makes it from this PC. We'll go to the layer 3 information here: from 10.0.0.10, and the destination is 30.0.0.10. That's the layer 3 information, but as far as the layer 2 information goes, it's sourced from the MAC address of the PC, and the destination MAC address is our default gateway, 10.0.0.2, that we just learned. Now, unfortunately, this switch, who has two logical interfaces, gets this packet and says, oh, I need to forward this packet to this layer 3 address, and that right here is 30.0.0.10, and he looks in his routing table, just like any router would, and says, do I know how to get to 30.0.0.anything? And the answer is yes in this case, because he's directly connected to the 30.0.0.0 network. Now let's just do a quick reminder of how a router, whether it's a multi-layer switch or a physical router, learns about network reachability. There's literally only four options. Number one, he can be directly connected; in this case he's directly connected to the destination network of 30.0.0.0. Secondly, we can use dynamic routing protocols, where you'd have a router that was maybe a neighboring router who's sharing information with you, so we can dynamically learn about networks and reachability from neighbors. In this case there's no routing neighbors, because we have one routing device and no routing protocols running. The third option is a static route. We could tell a switch, a multi-layer switch, or a router: hey buddy, to get to some remote network in, you know, Des Moines, Iowa, go ahead and use this IP address as the next hop, and statically configure it. And the fourth option would be to use a default route, a default route that says, dear Mister Router, if you don't know how to get to some network, name it, like network 2.3.4, go ahead and use this IP address as the next hop. So the four options are: directly connected networks; number two, we could use dynamic routing protocols and learn about reachability from neighbors; number three, we can use static routes, where we hard-code and configure it: hey buddy, to get to this remote network, use this next hop, or use this exit interface, as it might be in a serial point-to-point link; and then fourth, we can use default routes, and default routes could be learned either dynamically or they could also be statically configured. Okay, so that's a little refresher on routing.

So R3, the switch rather, says, I know how to get to the 30.0.0.0 network; I don't, however, know what the layer 2 address of the final destination is, so it does an ARP request. So this is the switched virtual interface that's asking. It says, and look at the trunk, it's sending it out on its VLAN 3 interface. So the VLAN 3 interface logically is making a request saying, I'm looking for the person who has the IP address of 30.0.0.10; I would very much love to get your layer 2 information. And if we scroll down a little bit, some spanning tree came in the way, we have no response. And let's talk about that. Oh gosh, I mentioned this earlier, and now I'm looking for the response. Why aren't we seeing an echo reply or the ARP reply? And here's the reason. This switch here made an ARP request, because it's a broadcast right here it went left and it went right. The server listened to that broadcast request and responded unicast. The unicast reply came back to this switch, got forwarded to the switch in the middle based on the layer 2 destination MAC address, and that's why our protocol analyzer over here never saw it. So the ARP reply happened, but it happened over here on this segment. So now this switch knows the layer 2 addresses of everybody it needs to talk to so far on these two subnets, and then we have our actual echo requests going through, and the replies. So if you take a look at this request, we have the request coming from the PC; let me scroll up here a little bit. And that request is being injected into the switch on VLAN 2. You'll notice there that unicast gets forwarded, layer 2 wise, to the logical interface on this middle switch. The middle switch routes it between the VLAN 2 and VLAN 3 interfaces, the logical layer 3 interfaces, and then it forwards the packet on to the final destination using the layer 2 MAC address of the destination on that local subnet, and the reply comes back. And everything we see here is simply gonna be tagged as VLAN 2, because on this segment of our network it's all VLAN 2 traffic. If we put the protocol analyzer over here, it would be all VLAN 3 tagged traffic.

I hope you had a lot of fun. I think everybody deserves, really, to understand how things are really working, not just logically but also how the pieces all fit together. In these three videos we started off with physical routers and physical interfaces; we reduced it down in the second video to using a router on a stick with one physical interface on an external router and multiple logical sub-interfaces; in this third video we've removed the external router altogether by using the built-in functionality of a multi-layer switch and creating logical VLAN interfaces, layer 3 interfaces, for the routing process. The last challenge that I'd like to solve in a fourth video, the next one, is what do we do about these pesky trunk links? I mean, really, we have two physical interfaces, we're using all the ports, however only traffic is being moved on one of them because of spanning tree. We'll solve that with a solution called EtherChannel, as we bundle Fa1/11 and Fa1/12 together to make spanning tree believe that we have one huge pipe that is 200 megabits per second, as opposed to a single physical interface which has a capacity of 100 megabits per second. Come back and see me for that one, and I appreciate you watching. Have a great, great rest of the day.
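The switch-side configuration the video walks through on switch 1 (enable IP routing, then create one SVI per VLAN carrying the address the clients already use as their gateway), written out below as an added example rather than the video's own console session. The video states only the two addresses, 10.0.0.2 and 30.0.0.3, so the /24 masks, the VLAN name RED, and the verification commands listed in the comments are assumptions.

```cisco
! Added example (not from the video): switch 1 as the router for VLANs 2 and 3.
! Masks and the VLAN name are assumptions; the video gives only the addresses.
!
! VLANs 2 and 3 must already exist. "interface vlan" creates the layer 3
! interface, not the broadcast domain.
vlan 2
 name RED
vlan 3
!
! Layer 3 forwarding is off by default on most multilayer switches.
ip routing
!
! SVI for VLAN 2: the address the VLAN 2 clients were given (statically or
! via DHCP) as their default gateway. R5 must already be powered off, since
! the same address may only be used once in a subnet.
interface vlan 2
 ip address 10.0.0.2 255.255.255.0
 no shutdown
!
! SVI for VLAN 3, the gateway the VLAN 3 clients expect.
interface vlan 3
 ip address 30.0.0.3 255.255.255.0
 no shutdown
!
! Verification from privileged EXEC (assumed checks):
!   show vlan brief           - VLANs 2 and 3 exist on this switch
!   show ip interface brief   - Vlan2 and Vlan3 are up/up
!   show ip route             - 10.0.0.0/24 and 30.0.0.0/24 listed as C (connected)
!   show arp                  - entries for 10.0.0.10 and 30.0.0.10 appear after
!                               the first ping resolves them
```

An SVI's line protocol only comes up when the VLAN exists and at least one port (access or trunk carrying that VLAN) is forwarding for it, which is why the video stresses that the VLAN must exist before the interface is any use. The same two SVIs could be placed on the left or right switch instead, as long as the trunks carry both VLANs there.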
Info
Channel: Keith Barker
Views: 81,569
Rating: 4.9475985 out of 5
Keywords: Cisco, CCNA, Video, Training, cbt, inter-vlan, vlan, routing, ICND, CCENT, switching, trunk, switched, virtual, interface, inter-vlan routing, inter-vlan routing with switch virtual interfaces, inter-vlan routing with multilayer switch, inter-vlan routing types, inter-vlan routing configuration, inter-vlan communication, cisco, ccna
Id: Wl_-tdnCUEE
Length: 27min 12sec (1632 seconds)
Published: Tue May 17 2011