Thursday, January 7, 2021

VLANs vs Routed Interfaces

This topic is much more than just "VLANs vs Routed Interfaces", and if you want to become a CCIE, all the concepts listed here should be very clear in your mind.
Below you can find a summary of the concepts; for more details there is a very good explanation of the difference between VLANs and Routed Interfaces and more.


VLAN

A Virtual LAN (VLAN) allows you to define a broadcast domain. This means that traffic between devices in the same VLAN will not be sent to devices in other VLANs unless there is a routing device that performs inter-VLAN routing. You can think of a VLAN as a virtualized switch. If you had to provide connectivity to three different office departments and make sure they cannot communicate with each other, you would require three physical switches. With VLANs you can use a single switch and assign a different VLAN to each port of the switch according to the department.

There are two ways to configure VLANs on a switch: the vlan global command and the vlan database.
The vlan database method has been deprecated, so if you want to add a VLAN to a switch you should use vlan x, where x is the VLAN number. You can create multiple VLANs at once using the range form vlan x-y, where x is the starting VLAN number and y is the end (e.g. vlan 200-299 will create 100 VLANs). Once in VLAN config mode you can assign a VLAN name, MTU size, state and so on.
To list which VLANs are active on a switch and which ports they are assigned to, use the command show vlan brief.

To add a VLAN, the switch must be in either VTP mode transparent or VTP mode server. In the first case the vlan commands are visible in the configuration, while in the second case they are saved to the vlan.dat file in the switch NVRAM and are not visible in the configuration.
To add an extended VLAN (1006-4094) the switch must be in VTP mode transparent, or in VTP mode server using VTP version 3.

Switch-Port

Depending on the kind of network device, a physical port can be configured to be a switch port or a routed port. A typical example of a device whose ports can be configured either as switch ports or as routed ports is a Layer 3 switch such as the Catalyst 3560 or 3750.
A switch port is exclusively Layer 2 and can be assigned to one or more VLANs. There are two kinds of switch ports:

  • Access Port: an access port can be assigned only to a single VLAN (two in the case of a voice VLAN). Traffic is sent and received without VLAN tags.
  • Trunk Port: a trunk port can carry traffic of multiple VLANs and by default is assigned to all the VLANs in the switch VLAN database. It is possible to define which VLANs are allowed on a trunk port.

Routed-Port

A routed port is exclusively Layer 3 and is not assigned to any VLAN. Layer 2 protocols such as Dynamic Trunking Protocol (DTP) and Spanning Tree Protocol (STP) do not run on a routed port. A routed port is like a port on a router and can be configured to run routing protocols.
To configure a port as a routed port on a Layer 3 switch, use the command no switchport, then assign an IP address to the port with ip address x.x.x.x y.y.y.y, where x.x.x.x is the IP address and y.y.y.y the subnet mask. Note that the port will flap when you configure it as a routed port.

Switch Virtual Interface

A switch virtual interface, or SVI, is used to provide Layer 3 connectivity to a specific VLAN. It is also used to bridge non-routable protocols between VLANs and to provide IP host connectivity to a switch. By default a switch has an SVI configured for VLAN 1 to allow remote switch administration.
As with a routed port, it is possible to configure routing protocols on an SVI.
To configure an SVI use the command interface vlan x, where x is the VLAN number; to perform inter-VLAN routing on a Layer 3 switch you also have to enable routing with the command ip routing.
Check the SVI status with the command show ip interface brief. If the SVI status is down/down, you forgot to add the VLAN to the database. If it is up/down, there are no access or trunk ports in an up state assigned to this VLAN.
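The VLAN, switch-port, routed-port and SVI commands above, put together on one Layer 3 switch, as an added example that is not from the original post. The VLAN numbers, interface names and addresses are hypothetical, and the trunk is pruned and DTP disabled as a hardening step the text only hints at.

```cisco
! Added example (not from the original post): Catalyst 3560/3750-style Layer 3 switch.
! VLAN numbers, interface names and addresses below are hypothetical.
!
! Transparent mode keeps the vlan commands in the running configuration
! (server mode would store them only in vlan.dat).
vtp mode transparent
!
vlan 10
 name USERS
vlan 20
 name SERVERS
! Extended range (1006-4094) needs VTP transparent or VTP version 3 server.
vlan 2000-2009
!
! Access port: one untagged VLAN; nonegotiate stops the port offering DTP.
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport nonegotiate
!
! Trunk port: limit it to the VLANs it needs instead of the default "all".
interface GigabitEthernet1/0/24
 switchport trunk encapsulation dot1q
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
!
! Routed port: Layer 3 only, no VLAN, no DTP or STP; expect a flap when applied.
interface GigabitEthernet1/0/48
 no switchport
 ip address 192.0.2.1 255.255.255.252
!
! SVIs give Layer 3 reachability to VLANs; ip routing enables inter-VLAN routing.
ip routing
interface Vlan10
 ip address 10.10.10.1 255.255.255.0
interface Vlan20
 ip address 10.10.20.1 255.255.255.0
!
! Checks: "show vlan brief" lists VLANs and their member ports;
! "show ip interface brief" shows Vlan10 up/up only once a port in VLAN 10 is up.
```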

Bridging

This is exactly what a switch does: it forwards frames based on their MAC addresses and VLAN tags. An access point performs bridging between the radio and the Ethernet interface.
Bridging can be configured by grouping interfaces together with the interface command bridge-group x, where x is a number between 1 and 255. This number must be the same on all the interfaces in the same group, and it is common sense to use the same number as the VLAN ID that is bridged, although this is not a requirement. It is also possible to enable a spanning tree protocol for the bridged domain with the command bridge x protocol ieee, where x is the number of the bridge group. By default no spanning tree protocol is active.

Integrated Routing and Bridging

This is a somewhat complex topic if you have not first read the explanation of Integrated Routing and Bridging.
By definition, routing terminates the VLAN and MAC layers on the Layer 3 interface where the frame arrives and recreates these headers when sending the frame out after the routing process. This means that all incoming frames lose their original VLAN tag as well as their source and destination MAC addresses.

In some situations it might be required to forward the frame without touching it. This means bridging, or in simpler words, having a router behave like a switch. A typical example is a router that is supposed to route IP but cannot do anything with other protocols such as IPX or AppleTalk. If there are other routers able to route these protocols, the current router should just forward (bridge) those frames so that the other routers can process them correctly, while continuing to route IP frames.

Now, if you want to combine the routing and bridging functionalities, you have to configure the router for integrated routing and bridging, or IRB. To enable it, use the global command bridge irb, configure the interfaces in bridge groups and enable routing for the bridge group with the command bridge x route ip, where x is the bridge group number. To complete the configuration you also have to configure a BVI (see the topic below).
This feature is also used by autonomous access points, but keep in mind that an AP is only a Layer 2 bridging device and cannot route. Since the AP cannot route, there is some confusion regarding the use of the commands bridge irb and bridge x route ip. The reason is that when Cisco acquired Aironet, the decision was taken to use IRB instead of SVIs when porting to IOS code. Those commands are hard-coded and cannot be removed from the configuration, and it is not possible to define additional bridge x route ip commands for bridge groups other than 1. The AP does not use the routing part of IRB, but it performs bridging between the wireless and wired interfaces.

Bridge Virtual Interface

This virtual interface is used in IRB to provide a Layer 3 interface to the bridge group and in this way allow the routing part of IRB. It is a sort of SVI that can also perform bridging.
Since it is a Layer 3 interface, you have to configure an IP address on it, which will be used to route the packets that are not bridged.

In the figure below you can see how router R1, thanks to IRB, can perform bridging between PC_A and PC_B and routing between either of them and PC_C. Since PC_A and PC_B are on the same subnet and their interfaces have been configured in the same bridge group, the router bridges the frames between them. Since PC_A and PC_B are on a different subnet than PC_C and we have configured bridge irb, R1 understands that the target is on another subnet and routes the frames using the BVI.

You should configure a BVI interface for every bridge group you want to route, with an exception for access points, where you must configure only one single BVI regardless of the number of bridge groups you have configured. This is because on an access point the BVI is not really used for routing but rather to provide IP connectivity for device management (similar to an SVI). This is also the only access point interface to which you should assign an IP address.
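The R1 setup from the figure above (bridging between PC_A and PC_B, routing to PC_C through the BVI), written out as an added example that is not from the original post. Interface names and addresses are hypothetical.

```cisco
! Added example (not from the original post): router R1 from the figure.
! Interface names and addresses are hypothetical.
!
! Global IRB switch, plus bridge group 1 with IEEE spanning tree enabled.
bridge irb
bridge 1 protocol ieee
! Route IP for bridge group 1 via its BVI; other protocols in the group stay bridged.
bridge 1 route ip
!
! PC_A and PC_B: same subnet, same bridge group -> frames between them are bridged.
interface FastEthernet0/0
 description PC_A
 no ip address
 bridge-group 1
!
interface FastEthernet0/1
 description PC_B
 no ip address
 bridge-group 1
!
! BVI1 is the Layer 3 interface of bridge group 1 (the BVI number must match
! the bridge group). It is the default gateway for PC_A and PC_B.
interface BVI1
 ip address 10.1.1.1 255.255.255.0
!
! PC_C sits on a different subnet behind an ordinary routed interface.
interface FastEthernet1/0
 description PC_C
 ip address 10.2.2.1 255.255.255.0
!
! On an autonomous AP the bridge irb and bridge 1 route ip lines are fixed, and
! BVI1 is the only interface that gets an IP address (management only).
```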

Hints

It is possible to change the way a Cisco switch allocates content in its TCAM. This feature is called Switch Database Management, or SDM. It consists of different predefined templates that vary according to the specific switch platform. Use the command sdm prefer to change the SDM template.

On a Catalyst 2960 switch there are two SDM templates: the default one, which allows more MAC security access control entries but fewer MAC QoS access control entries, and the QoS template, which does exactly the opposite.

On a Catalyst 3750 switch there are three SDM templates for each of the two main supported roles (desktop or aggregator). In this case, if you want to use the switch primarily for routing you get more memory for routing entries but less for the MAC address table, and if you want the opposite you can use the VLAN SDM template.
