The best solution to inter-VLAN routing might be to provide a Gigabit Ethernet router interface for each VLAN. Obviously this can be cost prohibitive, as well as stretching the physical limitations of router options. What if you have 200 VLANs? Can you really afford a router with 200 Gigabit Ethernet ports? That would be an interesting configuration.
Well, there are some other options open to you, because you can use just one interface for all your VLANs. Using either the Cisco proprietary Inter-Switch Link (ISL) or the standards-based 802.1Q protocol, you can configure routing between VLANs with only one FastEthernet or one Gigabit Ethernet interface. To run either ISL or 802.1Q, you need to have two VLAN-capable FastEthernet or Gigabit Ethernet devices, such as a Cisco 4000 or 6500 switch and a 7000 (or larger) series router. (We will be using a 2600 router in the hands-on lab, but that is a little low-powered for larger networks.)
Remember from Chapter 3 that both ISL and 802.1Q are trunking protocols, ways of explicitly tagging VLAN information onto an Ethernet frame? This tagging information enables VLANs to be multiplexed over a trunk link through an external encapsulation method. By running a trunking protocol on the switch and router interfaces, you can interconnect both devices and maintain VLAN information end to end.
You can configure inter-VLAN routing with either an external router or an internal route processor that can be placed in a slot of a modular Catalyst switch, such as the 4000 and 6500 series (as well as the old 5000 series). In this section, we take a look at both options.
An external layer 3 device can be used to provide routing between VLANs. You can use almost any router to perform external routing between VLANs, but if trunking is being used, the selected router must support the VLAN tagging method in use, whether it’s ISL or 802.1Q, and it needs a FastEthernet or Gigabit Ethernet interface to carry the trunk.
If you have a few small VLANs that perform 80 percent or more of their network function on the local VLAN, then you can probably get away with a 10Mbps Ethernet connection into each VLAN. Just remember that 10Mb interfaces do not support trunking, so the configuration would be one VLAN per interface. You should get FastEthernet if you can.
The external router interface needs to be configured with a trunking protocol encapsulation, such as ISL or 802.1Q, thus allowing different VLANs to be assigned to different subinterfaces. These subinterfaces give you an extremely flexible solution for providing routing between VLANs. To perform ISL routing on a single interface, the interface must be at least a FastEthernet interface that supports ISL routing. The Cisco 1750 is the least expensive router that can perform this function.
To configure ISL/802.1Q routing on a single interface, you must first configure the subinterfaces. These are configured by using the int.subinterface_number global command. Here is an example on a 2600 router with a FastEthernet interface:
Terry_2620#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Terry_2620(config)#interface fa0/0.?
<0-4294967295> FastEthernet interface number
Terry_2620(config)#interface fa0/0.1
Terry_2620(config-subif)#
Notice the number of subinterfaces available (4.2 billion). You can choose any number that feels good because the subinterfaces are only locally significant to the router. However, we usually like to choose the VLAN number for ease of administration. Notice that the prompt on the router is now telling you that you are configuring a subinterface (config-subif).
After you configure the subinterface number you want, you then need to define the type of encapsulation you are going to use. Here is an example of the different types of trunking protocols you can use:
Terry_2620(config-subif)#encapsulation ?
  dot1Q   IEEE 802.1Q Virtual LAN
  isl     Inter Switch Link - Virtual LAN encapsulation
  sde     IEEE 802.10 Virtual LAN - Secure Data Exchange
  tr-isl  Token Ring Inter Switch Link - Virtual LAN encapsulation
You’re not done yet. You need to tell the subinterface which VLAN it is a member of, and you provide this information on the same line as the encapsulation command. Here is an example:
Terry_2620(config-subif)#encapsulation isl ?
<1-1000> Virtual LAN Identifier.
Notice that you can configure the subinterface to be a part of any VLAN up to 1000. The dot1Q encapsulation is for the IEEE standard 802.1Q trunking, and isl is for ISL encapsulation.
After you choose the interface and encapsulation type and VLAN number, configure the IP address that this subinterface is a member of. The complete configuration looks like this:
Terry_2620#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Terry_2620(config)#interface fa0/0.1
Terry_2620(config-subif)#encapsulation isl 1
Terry_2620(config-subif)#ip address 172.16.10.1 255.255.255.0
The preceding configuration is for subinterface fa0/0.1 to VLAN 1. You would create a subinterface for each VLAN. You can verify your configuration with the show running-config command:
!
interface FastEthernet0/0.1
 encapsulation isl 1
 ip address 172.16.10.1 255.255.255.0
If you had elected the 802.1Q encapsulation, the complete router configuration would look like this:
Terry_2620#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Terry_2620(config)#interface fa0/0.1
Terry_2620(config-subif)#encapsulation dot1Q 1
Terry_2620(config-subif)#ip address 172.16.10.1 255.255.255.0
Once again, you can verify your configuration with the show running-config command:
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1
 ip address 172.16.10.1 255.255.255.0
!
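How a trunk-facing router can use the 802.1Q tag to pick a subinterface, as an added Python example that is not from the original text. The FastEthernet0/0.2 subinterface, its address, and the test frames are constructed for illustration; untagged frames are simply left unmatched here.

```python
import struct

# Constructed router config in the style of the 802.1Q example above;
# the .2 subinterface and its address are assumptions added for illustration.
ROUTER_CONFIG = """\
interface FastEthernet0/0.1
 encapsulation dot1Q 1
 ip address 172.16.10.1 255.255.255.0
!
interface FastEthernet0/0.2
 encapsulation dot1Q 2
 ip address 172.16.20.1 255.255.255.0
"""
TPID_DOT1Q = 0x8100  # EtherType value that marks an 802.1Q tag


def subinterfaces_by_vlan(config):
    """Map VLAN ID -> subinterface name from 'encapsulation dot1Q <vid>' lines."""
    table, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["interface"]:
            current = words[1]
        elif words[:2] == ["encapsulation", "dot1Q"] and current:
            table[int(words[2])] = current
    return table


def parse_dot1q(frame):
    """Return (vlan_id, priority, inner_ethertype), or None if untagged/truncated."""
    if len(frame) < 18:  # 12 bytes of MACs + 4-byte tag + 2-byte EtherType
        return None
    tpid, tci, ethertype = struct.unpack("!HHH", frame[12:18])
    if tpid != TPID_DOT1Q:
        return None
    return tci & 0x0FFF, tci >> 13, ethertype  # low 12 bits = VLAN ID, top 3 = priority


def demux(frame, table):
    """Pick the subinterface for a tagged frame; None means no subinterface matches."""
    tag = parse_dot1q(frame)
    return table.get(tag[0]) if tag else None


def build_frame(vlan_id, priority=0):
    """Constructed test frame: zeroed MACs, 802.1Q tag, IPv4 EtherType, padding."""
    tci = (priority << 13) | vlan_id
    return bytes(12) + struct.pack("!HHH", TPID_DOT1Q, tci, 0x0800) + bytes(46)
```

A frame tagged with a VLAN ID that has no `encapsulation dot1Q` line comes back as `None`, which is why every VLAN that should be routed needs its own subinterface.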
Until recently, if you did not have an external router or if you had many VLANs, you would use an L3SM to provide the layer 3 routing for your 4000/6500 series switch.
The introduction of the Supervisor III and IV engines for the Catalyst 4000 and above changes all this. These new Supervisor engines run IOS, and this means that they can route natively without the need for additional hardware. Obviously, Cisco might recommend an upgrade if you are planning much inter-VLAN routing, which is probably a good idea. The faster switching available with these native IOS devices will certainly improve packet forwarding.
First, however, we will look at the configuration of the older design switches, which have a native switching fabric supplemented by some sort of routing module. We will look at a 4000 series switch that has a Layer 3 Services Module in slot 3. Let’s first confirm the hardware configuration of the switch:
Terry_4000> (enable) show module
Mod Slot Ports Module-Type               Model               Sub Status
--- ---- ----- ------------------------- ------------------- --- --------
1   1    0     Switching Supervisor      WS-X4012            no  ok
2   2    34    10/100/1000 Ethernet      WS-X4232            no  ok
3   3          Router Switch Card        WS-X4232-L3         no  ok

Mod Module-Name         Serial-Num
--- ------------------- --------------------
1                       JAE044001T8
2                       JAE04271V1N
3                       JAE0427155N

Mod MAC-Address(es)                        Hw     Fw         Sw
--- -------------------------------------- ------ ---------- -----------------
1   00-03-e3-7a-6b-00 to 00-03-e3-7a-6e-ff 2.1    5.4(1)     4.5(2)
2   00-02-b9-61-89-e0 to 00-02-b9-61-8a-0f 2.3
3   00-03-4a-a0-d3-ab to 00-02-4b-a0-d0-cf 1.0    12.0(7)W5( 12.0(7)
Now that we have confirmed that the switch sees the router module in slot 3, we need to access the L3SM using the session command:
Terry_4000> (enable) session 3
Trying Router…
Connected to Router.
Escape character is '^]'.
Router>
You are now connected to the internal route processor and you should continue to configure the device as you would any other router. Notice in the following router output that we set the hostname and routing protocol as well:
Router>
Router>enable
Router#
Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#hostname Terry_L3SM
Terry_L3SM(config)#router eigrp 10
Terry_L3SM(config-router)#network 172.16.0.0
As we mentioned, the route processor looks like any Cisco router, because it is running IOS. Remember that it’s just as important to configure the routing protocols on this device as it is to configure them on any other router. The route processor is able to handle most of the routing protocols that a traditional router can. Be careful of large routing tables, though.
First, it would be common practice to set up the internal gigabit interfaces to act as Gigabit EtherChannel trunks. This needs to be done at both the L3SM and switch parts of the internal link. On the L3SM, the configuration looks like this:
Terry_L3SM#configure terminal
Terry_L3SM(config)#interface GigabitEthernet3
Terry_L3SM(config-if)#channel-group 1
Terry_L3SM(config-if)#interface GigabitEthernet4
Terry_L3SM(config-if)#channel-group 1
And on the Catalyst it looks like this:
Terry_4000> (enable) set port channel 3/1-2 mode on
Terry_4000> (enable) set trunk 3/1 nonegotiate dot1q 1-1005
Terry_4000> (enable) set trunk 3/2 nonegotiate dot1q 1-1005
Next, instead of creating subinterfaces as you would with an external router, you need to configure each VLAN with the interface vlan # command. This establishes a direct virtual connection between the switch backplane and the routing module, and what you are actually doing is associating each VLAN with a virtual interface. Here is an example of how to configure the processor to route between three VLANs:
Terry_L3SM#configure terminal
Terry_L3SM(config)#interface vlan 1
Terry_L3SM(config-if)#ip address 172.16.1.1 255.255.255.0
Terry_L3SM(config-if)#interface vlan 2
Terry_L3SM(config-if)#ip address 172.16.2.1 255.255.255.0
Terry_L3SM(config-if)#interface vlan 3
Terry_L3SM(config-if)#ip address 172.16.3.1 255.255.255.0
Terry_L3SM(config-if)#no shutdown
The interesting part of the configuration is the necessary no shutdown command for each VLAN interface. Notice in the preceding configuration that we performed a no shutdown only on interface VLAN 3. Take a look at the output of interface VLAN 2:
Terry_L3SM#show interface vlan 2
Vlan2 is administratively down, line protocol is down
It is important to think of each VLAN interface as a separate interface that needs an IP address and a no shutdown performed, just as with any other router interface.
You can then verify your configuration with the show running-config command:
Terry_L3SM#show running-config
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
!
hostname Terry_L3SM
!
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 ip address 172.16.2.1 255.255.255.0
!
interface Vlan3
 ip address 172.16.3.1 255.255.255.0
!
router eigrp 10
 network 172.16.0.0
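A check for the missing no shutdown pitfall described above, as an added Python example that is not from the original text. It reads a saved running-config and reports which VLANs lack a usable gateway interface; the sample config, including its shutdown lines, and the expected VLAN list are constructed for illustration.

```python
import ipaddress

# Constructed running-config in the style of the L3SM output above; the
# 'shutdown' lines are an assumption matching the scenario in the text.
RUNNING_CONFIG = """\
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
 shutdown
!
interface Vlan2
 ip address 172.16.2.1 255.255.255.0
 shutdown
!
interface Vlan3
 ip address 172.16.3.1 255.255.255.0
"""


def parse_vlan_interfaces(config):
    """Return {vlan_id: {'net': IPv4Interface or None, 'shutdown': bool}}."""
    svis, current = {}, None
    for line in config.splitlines():
        words = line.split()
        if not line.startswith(" "):  # top-level line: a new stanza begins
            current = None
            if words[:1] == ["interface"] and len(words) > 1 and words[1].startswith("Vlan"):
                vlan = int(words[1][4:])
                current = svis.setdefault(vlan, {"net": None, "shutdown": False})
        elif current is not None and words[:2] == ["ip", "address"]:
            current["net"] = ipaddress.ip_interface(f"{words[2]}/{words[3]}")
        elif current is not None and words == ["shutdown"]:
            current["shutdown"] = True
    return svis


def audit(config, expected_vlans):
    """List the expected VLANs that have no working routed interface."""
    svis = parse_vlan_interfaces(config)
    findings = []
    for vlan in expected_vlans:
        svi = svis.get(vlan)
        if svi is None:
            findings.append(f"Vlan{vlan}: no interface configured")
        elif svi["net"] is None:
            findings.append(f"Vlan{vlan}: no ip address")
        elif svi["shutdown"]:
            findings.append(f"Vlan{vlan}: administratively down, gateway {svi['net'].ip} unreachable")
    return findings
```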
To view the routing table on the internal processor, use the show ip route command:
Terry_L3SM#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M—[output cut]
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 3 subnets
C       172.16.3.0 is directly connected, Vlan3
C       172.16.2.0 is directly connected, Vlan2
C       172.16.1.0 is directly connected, Vlan1
Terry_L3SM#
The RSM uses only one global MAC address for all VLAN interfaces on the device. If you want to assign a specific MAC address to a VLAN interface, use the mac-address command. You might want to configure this option to enhance the operation of the RSM interface. Here is an example:
Terry_L3SM#configure terminal
Terry_L3SM(config)#interface vlan 2
Terry_L3SM(config-if)#mac-address 4004.0144.0011
Terry_L3SM(config-if)#exit
Terry_L3SM(config)#exit
Terry_L3SM#show running-config
[output cut]
interface Vlan2
 mac-address 4004.0144.0011
 ip address 172.16.2.1 255.255.255.0
One thing to keep in mind before configuring ISL on your switches is that the switches must be configured correctly with an IP address, subnet mask, and default gateway. Understand that this has nothing to do with routing, because the switches work only at layer 2. However, the switches need to communicate with IP through the network. Remember that this will not affect data that is passing through the switch. You can think of layer 2 switches as being just like any host on the network. To be able to send packets off the local network, you need to have a default gateway configured.
To configure a default gateway on a 4000 series switch, use the set ip route command:
Terry_4000> (enable) set ip route 0.0.0.0 172.16.1.1
Route added.
You can also use the command set ip route default 172.16.1.1, which configures the route the same as the set ip route 0.0.0.0 172.16.1.1 command does.
The IOS switch default-gateway command was covered in Chapter 2, “Connecting the Switch Block.”
At this stage of learning, it is a simple matter to configure internal routing. The configuration on the modular L3SM is just about identical to that on the modern IOS-based layer 3 switches. This example shows a 3550 configured as a VTP server, and with two VLANs configured. In addition, two interfaces are placed into the created VLANs. No routing protocols are needed unless the requirement exists to route outside the connected VLAN table.
Terry_3550#configure terminal
Terry_3550(config)#vtp domain globalnet
Terry_3550(config)#vtp mode server
Terry_3550(config)#vlan 2
Terry_3550(config-vlan)#name PRODUCTION
Terry_3550(config-vlan)#exit
Terry_3550(config)#vlan 3
Terry_3550(config-vlan)#name SALES
Terry_3550(config-vlan)#exit
Terry_3550(config)#interface vlan 1
Terry_3550(config-if)#ip address 172.16.1.1 255.255.255.0
Terry_3550(config-if)#no shutdown
Terry_3550(config-if)#interface vlan 2
Terry_3550(config-if)#ip address 172.16.2.1 255.255.255.0
Terry_3550(config-if)#no shutdown
Terry_3550(config-if)#interface vlan 3
Terry_3550(config-if)#ip address 172.16.3.1 255.255.255.0
Terry_3550(config-if)#no shutdown
Terry_3550(config-if)#interface FastEthernet0/1
Terry_3550(config-if)#description PRODUCTION MANAGER
Terry_3550(config-if)#switchport access vlan 2
Terry_3550(config-if)#switchport mode access
Terry_3550(config-if)#interface FastEthernet0/2
Terry_3550(config-if)#description SALES MANAGER
Terry_3550(config-if)#switchport access vlan 3
Terry_3550(config-if)#switchport mode access
This gives rise to the following running configuration, viewed with the standard IOS show running-config command:
Terry_3550#show run
!
[output cut]
!
interface FastEthernet0/1
 description PRODUCTION MANAGER
 switchport access vlan 2
 switchport mode access
 no ip address
!
interface FastEthernet0/2
 description SALES MANAGER
 switchport access vlan 3
 switchport mode access
 no ip address
!
[output cut]
!
interface Vlan1
 ip address 172.16.1.1 255.255.255.0
!
interface Vlan2
 ip address 172.16.2.1 255.255.255.0
!
interface Vlan3
 ip address 172.16.3.1 255.255.255.0
!
[output truncated]
!
Terry_3550#
The only other thing we need to do is make sure that the routing table is properly populated. By default, IP routing is not enabled on a layer 3 switch, so we need to configure that with the global command ip routing. After this is done, you can view the routing table in the normal way.
Terry_3550#
Terry_3550#conf t
Terry_3550(config)#ip routing
Terry_3550(config)#exit
Terry_3550#
Terry_3550#show ip route
Codes: C - connected, S - static, I - IGRP, R - RIP, M - mobile, B - BGP
       D - EIGRP, EX - EIGRP external, O - OSPF, IA - OSPF inter area
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2, E - EGP
       i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area
       * - candidate default, U - per-user static route, o - ODR
       P - periodic downloaded static route
Gateway of last resort is not set
     172.16.0.0/24 is subnetted, 2 subnets
C       172.16.1.0 is directly connected, Vlan1
C       172.16.2.0 is directly connected, Vlan2
C       172.16.3.0 is directly connected, Vlan3
Terry_3550#
Notice that the complete range of routing protocols is available for use. This immensely powerful piece of equipment can be used for full multi-layer switching and routing as needed. So far we have not needed to configure a routing protocol, as all of our subnets are directly attached, but as the internetwork grows we shall undoubtedly need to configure dynamic routing.