This chapter describes Multilayer Switching (MLS) and is divided into these sections:
MLS enables hardware-based Layer 3 switching to offload routers from forwarding unicast IP data packets over shared media networking technologies such as Ethernet. The packet forwarding function is moved onto Layer 3 Catalyst 5000 series switches whenever a partial or complete switched path exists between two hosts. Packets that do not have a partial or complete switched path to reach their destinations still use routers for forwarding packets.
A Catalyst 5000 series switch with the NetFlow Feature Card (NFFC) is referred to as a Multilayer Switching-Switching Engine (MLS-SE). A Cisco router capable of sending MLS configuration information and updates (such as the router's Media Access Control [MAC] address and virtual LAN [VLAN] number, flow mask, and routing and access list changes) is called a Multilayer Switching-Route Processor (MLS-RP). The protocol used to manage Layer 3 switching that runs between the MLS-SE and MLS-RP is called Multilayer Switching Protocol (MLSP).
This terminology is used in the implementation examples in this chapter and in the router and switch configuration procedures in Chapter 3, "Configuring Multilayer Switching."
This section provides a step-by-step description of MLS implementation.
Step 1. The MLSP informs the Catalyst 5000 series switch of the MLS-RP MAC addresses used on different VLANs and the MLS-RP's routing and access-list changes. Through this protocol, the MLS-RP multicasts its MAC and VLAN information to all MLS-SEs. When the MLS-SE hears the MLSP hello message indicating an MLS initialization, the MLS-SE is programmed with the MLS-RP MAC address and its associated VLAN number (see Figure 2-1).
Figure 2-1 Implementation: Step 1
Step 2. In Figure 2-2, host A and host B are located on different VLANs. Host A initiates a data transfer to host B. When host A sends the first packet to the MLS-RP, the MLS-SE recognizes this packet as a candidate packet for Layer 3 switching because the MLS-SE has learned the MLS-RP's destination MAC address and VLAN through MLSP. The MLS-SE learns the Layer 3 flow information (such as the destination address, source address, and protocol port numbers), and forwards the first packet to the MLS-RP. A partial MLS entry for this Layer 3 flow is created in the MLS cache.
The MLS-RP receives the packet, looks at its route table to determine how to forward the packet, and applies services such as access control lists and class of service (COS) policy.
The MLS-RP rewrites the MAC header adding a new destination MAC address (host B's) and its own MAC address as the source.
Figure 2-2 Implementation: Step 2
Step 3. The MLS-RP routes the packet to host B. When the packet appears back on the Catalyst 5000 series switch backplane, the MLS-SE recognizes the source MAC address as that of the MLS-RP, and that the packet's flow information matches the flow for which it set up a candidate entry. The MLS-SE considers this packet an enabler packet and completes the MLS entry (established by the candidate packet) in the MLS cache (see Figure 2-3).
Figure 2-3 Implementation: Step 3
Step 4. After the MLS entry has been completed in Step 3, all Layer 3 packets with the same flow from host A to host B are Layer 3 switched directly inside the switch from host A to host B, bypassing the router (see Figure 2-4). After the Layer 3-switched path is established, the packet from host A is rewritten by the MLS-SE before it is forwarded to host B. The rewritten information includes the MAC addresses, encapsulations (when applicable), and some Layer 3 information.
The resultant packet format and protocol behavior is identical to that of a packet that is routed by the RSM or external Cisco router.
Figure 2-4 Implementation: Step 4
See the "Implementation Examples" section for additional network implementation examples that include network topologies that do not support MLS.
This section describes the packet rewrite sequence that takes place as a packet is Layer 3-switched from host A to host B through the Catalyst 5000 series switch (MLS-SE) with an RSM (MLS-RP). Host A and host B are on different VLANs (same configuration as shown in Figure 2-4).
The following packet is the packet that host A sends to the MLS-RP to be routed to host B. The MLS-SE recognizes that this packet was sent to the MLS-RP's MAC address and finds the entry matching its flow in the MLS cache.
Frame Header             | IP Header                                       |      |
Destination | Source     | Destination | Source    | TTL | Checksum        | Data | Checksum
MLS-RP MAC  | Host A MAC | Host B IP   | Host A IP |     |                 |      |
The MLS-SE rewrites the Layer 2 MAC header, adding host B as the destination and the MLS-RP's MAC address as the source (both are saved in the MLS cache entry). Note that the Layer 3 IP addresses remain the same but the IP header Time to Live (TTL) is decremented and the checksum is recomputed. The MLS-SE forwards this rewritten packet to the destination VLAN (the VLAN that host B resides on) and host B receives the packet. The destination VLAN is also saved in the MLS cache entry.
Frame Header             | IP Header                                               |      |
Destination | Source     | Destination | Source    | TTL (1) | Checksum (2)        | Data | Checksum
Host B MAC  | MLS-RP MAC | Host B IP   | Host A IP |         |                     |      |
(1) TTL decremented by 1. (2) Checksum recalculated.
In summary, the MLS-SE rewrites the switched Layer 3-packets in exactly the same way as the router. The switched packets look as if they were routed by a router.
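The rewrite in the two tables above, carried out on a constructed frame as an added example (not code from the original document or from Cisco): only the two MAC addresses, the TTL and the IP header checksum change, and the checksum is updated incrementally (RFC 1624) and cross-checked against a full recomputation. The host MACs are made up; refusing to switch a packet whose TTL would expire is this example's own guard, not something the page describes.

```python
import struct

# Constructed sample addresses: the MLS-RP MAC and the two IPs are taken from the
# sample 'show mls entry' output on this page; the host MACs are made up.
HOST_A_MAC = bytes.fromhex("000000000001")
HOST_B_MAC = bytes.fromhex("000000000002")
MLS_RP_MAC = bytes.fromhex("00100b169800")
HOST_A_IP = bytes([10, 19, 6, 2])
HOST_B_IP = bytes([10, 19, 26, 9])

def ip_checksum(header: bytes) -> int:
    """One's-complement IPv4 header checksum; a header whose checksum verifies sums to 0."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(ttl: int, payload: bytes) -> bytes:
    """The frame host A sends: L2 destination is the MLS-RP, L3 destination is host B (UDP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      ttl, 17, 0, HOST_A_IP, HOST_B_IP)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return MLS_RP_MAC + HOST_A_MAC + b"\x08\x00" + hdr + payload

def incremental_ttl_checksum(old_csum: int) -> int:
    """RFC 1624 update HC' = ~(~HC + ~m + m') for TTL-1: the TTL is the high byte of
    header word 4, so ~m + m' is always 0xFEFF and the old TTL value is not needed."""
    s = ((~old_csum) & 0xFFFF) + 0xFEFF
    s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def mls_rewrite(frame: bytes) -> bytes:
    """Rewrite as in the second table: L2 dst = host B, L2 src = MLS-RP, TTL-1, checksum
    updated; IP addresses and payload untouched. Refusing TTL <= 1 is this example's own
    guard (the page does not cover expiring packets); such packets are left to the router."""
    ip = bytearray(frame[14:34])
    if ip[8] <= 1:
        raise ValueError("TTL would expire in transit: not Layer 3 switched")
    ip[8] -= 1
    old = struct.unpack("!H", ip[10:12])[0]
    ip[10:12] = struct.pack("!H", incremental_ttl_checksum(old))
    return HOST_B_MAC + MLS_RP_MAC + frame[12:14] + bytes(ip) + frame[34:]

def header_verifies(frame: bytes) -> bool:
    """Cross-check: the stored checksum equals a full recomputation and the header sums to 0."""
    ip = bytearray(frame[14:34])
    stored = struct.unpack("!H", ip[10:12])[0]
    ip[10:12] = b"\x00\x00"
    return ip_checksum(bytes(ip)) == stored and ip_checksum(frame[14:34]) == 0
```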
The MLS-SE maintains a cache for the MLS flows, and also maintains statistics for the flows. An MLS cache entry is created for the initial packet of each flow. Upon receipt of a packet that does not match any flow currently in the MLS cache, a new MLS entry is created. The flow's state and identity are maintained while packet traffic is active; when traffic for a flow ceases, the entry ages out. The aging time for MLS entries kept in the MLS cache is configurable. If an entry is not used for a specified period of time, the entry ages out and the statistics can be exported to a flow collector application. The maximum cache size is 128K entries; however, going beyond 32K entries increases the statistical probability that a flow will not be switched by the MLS-SE and will instead be forwarded to the router.
Export rates for MLS entries depend on the traffic pattern; there is no typical packet rate. The worst-case packet export rate occurs when all existing MLS entries are purged due to an event such as a route change. The MLS entries are exported at a burst rate of 1,213 datagrams of 27 flows each.
An MLS-SE supports only one flow mask (the most specific one) for all MLS-RPs for which it performs Layer 3 switching. If the MLS-SE detects different flow masks from different MLS-RPs for which it is performing Layer 3 switching, it changes its flow mask to the most specific flow mask detected. The least-specific flow mask is destination-ip, then source-destination-ip, and the most-specific flow mask is ip-flow. Descriptions of the flow mask modes follow:
When the MLS-SE flow mask changes, the entire MLS cache is purged. When an MLS-SE exports cached entries, it is in one of the three modes. Depending on which mode, some fields in the flow record might not have values. Unsupported fields are filled with a zero (0).
This section provides examples of the screen header in the three flow mask modes.
In destination-ip mode, the source IP, protocol, and source and destination port fields show the details of the last packet that used the MLS cache entry to be Layer 3 switched (see the Last Used fields in the example). The details of the last packet switched are displayed to aid in troubleshooting.
Console>(enable) show mls entry
Last Used Last Used
Destination IP Source IP Prot DstPrt SrcPrt Destination Mac Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MLS-RP 10.20.6.161:
10.19.6.2 10.19.26.9 UDP 6009 69 00-10-0b-16-98-00 250 1/1-2
10.19.22.8 10.19.2.1 TCP 6001 Telnet 00-00-00-00-00-08 22 4/6
10.19.2.1 10.19.22.8 TCP 6008 Telnet 00-10-0b-16-98-00 250 1/1-2
10.19.27.10 10.19.7.3 TCP 6003 20 00-00-00-00-00-10 27 4/8
10.19.28.11 10.19.8.4 UDP 6004 DNS 00-00-00-00-00-11 28 4/9
10.19.26.9 10.19.6.2 UDP 6002 69 00-00-00-00-00-09 26 4/7
10.19.7.3 10.19.27.10 TCP 6010 FTP 00-10-0b-16-98-00 250 1/1-2
MLS-RP 132.68.9.10:
10.19.86.12 10.19.85.7 TCP 6007 SMTP 00-00-00-00-00-12 86 4/10
10.19.85.7 10.19.86.12 TCP 6012 WWW 00-00-00-00-00-07 85 4/5
MLS-RP 10.20.6.82:
10.19.63.13 10.19.73.14 TCP 6014 Telnet 00-00-00-00-00-13 63 4/11
10.19.73.14 10.19.63.13 TCP 6013 FTP 00-00-00-00-00-14 73 4/12
Console>(enable)
In source-destination-ip mode, the protocol and source and destination port fields show the details of the last packet that used the MLS cache entry to be Layer 3 switched (see Last Used fields in the example). Again, these details are useful when troubleshooting.
Console>(enable) show mls entry
Last Used
Destination IP Source IP Prot DstPrt SrcPrt Destination Mac Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MLS-RP 10.20.6.161:
10.19.26.9 10.19.6.2 UDP 6002 69 00-00-00-00-00-09 26 4/7
10.19.28.11 10.19.8.4 UDP 6004 DNS 00-00-00-00-00-11 28 4/9
10.19.6.2 10.19.26.9 UDP 6009 69 00-10-0b-16-98-00 251 1/1-2
10.19.2.1 10.19.22.8 TCP 6008 Telnet 00-10-0b-16-98-00 251 1/1-2
10.19.27.10 10.19.7.3 TCP 6003 20 00-00-00-00-00-10 27 4/8
10.19.22.8 10.19.2.1 TCP 6001 Telnet 00-00-00-00-00-08 22 4/6
10.19.7.3 10.19.27.10 TCP 6010 FTP 00-10-0b-16-98-00 251 1/1-2
MLS-RP 132.68.9.10:
10.19.85.7 10.19.86.12 TCP 6012 WWW 00-00-00-00-00-07 85 4/5
10.19.86.12 10.19.85.7 TCP 6007 SMTP 00-00-00-00-00-12 86 4/10
MLS-RP 10.20.6.82:
10.19.63.13 10.19.73.14 TCP 6014 Telnet 00-00-00-00-00-13 63 4/11
10.19.73.14 10.19.63.13 TCP 6013 FTP 00-00-00-00-00-14 73 4/12
Console>(enable)
In ip-flow mode, since a separate MLS entry is created for every ip-flow, there are no "Last Used" fields.
Console>(enable) show mls entry
Destination IP Source IP Prot DstPrt SrcPrt Destination Mac Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MLS-RP 10.20.6.161:
10.19.26.9 10.19.6.2 UDP 6002 69 00-00-00-00-00-09 26 4/7
10.19.6.2 10.19.26.9 UDP 6009 69 00-10-0b-16-98-00 251 1/1-2
10.19.22.8 10.19.2.1 TCP 6001 Telnet 00-00-00-00-00-08 22 4/6
10.19.2.1 10.19.22.8 TCP 6008 Telnet 00-10-0b-16-98-00 251 1/1-2
10.19.27.10 10.19.7.3 TCP 6003 20 00-00-00-00-00-10 27 4/8
10.19.28.11 10.19.8.4 UDP 6004 DNS 00-00-00-00-00-11 28 4/9
10.19.7.3 10.19.27.10 TCP 6010 FTP 00-10-0b-16-98-00 251 1/1-2
MLS-RP 132.68.9.10:
10.19.86.12 10.19.85.7 TCP 6007 SMTP 00-00-00-00-00-12 86 4/10
10.19.85.7 10.19.86.12 TCP 6012 WWW 00-00-00-00-00-07 85 4/5
MLS-RP 10.20.6.82:
10.19.63.13 10.19.73.14 TCP 6014 Telnet 00-00-00-00-00-13 63 4/11
10.19.73.14 10.19.63.13 TCP 6013 FTP 00-00-00-00-00-14 73 4/12
Console>(enable)
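A parser for the `show mls entry` output shown in the three examples above, added here as an illustration (it is not part of the original document or a Cisco tool). It groups cache lines under the MLS-RP heading they appear beneath and lets an operator check which flows the switch is currently forwarding in hardware, for instance to confirm that a flow denied by an access list no longer has a cache entry. The sample text is a constructed excerpt whose values are copied from the output above.

```python
import re

# Constructed excerpt in the format of the 'show mls entry' output above (values copied from it).
SAMPLE = """\
Console>(enable) show mls entry
                                                   Last Used      Last Used
Destination IP  Source IP       Prot DstPrt SrcPrt Destination Mac   Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MLS-RP 10.20.6.161:
10.19.6.2       10.19.26.9      UDP  6009   69     00-10-0b-16-98-00 250  1/1-2
10.19.22.8      10.19.2.1       TCP  6001   Telnet 00-00-00-00-00-08 22   4/6
MLS-RP 132.68.9.10:
10.19.86.12     10.19.85.7      TCP  6007   SMTP   00-00-00-00-00-12 86   4/10
Console>(enable)
"""

FIELDS = ("dst_ip", "src_ip", "proto", "dst_port", "src_port", "dst_mac", "vlan", "port")
# One cache line: five free-form fields, then a dashed MAC, a numeric VLAN and a port.
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+"
                      r"([0-9a-f]{2}(?:-[0-9a-f]{2}){5})\s+(\d+)\s+(\S+)$", re.I)
RP_RE = re.compile(r"^MLS-RP (\S+):$")

def parse_mls_entries(text: str) -> list:
    """Return one dict per cache entry, tagged with the MLS-RP heading it appears under.
    Prompt, column header, rule and 'Last Used' lines never match ENTRY_RE and are skipped."""
    entries, rp = [], None
    for line in text.splitlines():
        line = line.strip()
        m = RP_RE.match(line)
        if m:
            rp = m.group(1)
            continue
        m = ENTRY_RE.match(line)
        if m and rp is not None:
            e = dict(zip(FIELDS, m.groups()), mls_rp=rp)
            e["vlan"] = int(e["vlan"])
            entries.append(e)
    return entries

def flows_between(entries: list, src_ip: str, dst_ip: str) -> list:
    """Entries still cached for a source/destination pair, e.g. to confirm a denied flow was purged."""
    return [e for e in entries if e["src_ip"] == src_ip and e["dst_ip"] == dst_ip]

def entries_per_rp(entries: list) -> dict:
    """How many hardware-switched flows are cached for each MLS-RP."""
    counts = {}
    for e in entries:
        counts[e["mls_rp"]] = counts.get(e["mls_rp"], 0) + 1
    return counts
```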
Figure 2-5 illustrates an example MLS scenario. In this example, station A is on the sales VLAN (subnet 171.59.1.0), station B is on the marketing VLAN (subnet 171.59.3.0), and station C is on the engineering VLAN (subnet 171.59.2.0). The example shows an FTP file transfer from station A to station B. An MLS entry for this flow is shown as the first item in the MLS cache in Figure 2-5. The MLS-SE stores the MLS-RP's MAC address and destination B's address in the MLS entry when the MLS-RP forwards the first packet from station A out across the switch backplane to station B. The MLS-SE uses this information to rewrite subsequent packets from station A to station B. Similarly, the HTTP web traffic from station A to station C and from station C to station A constitutes completely separate MLS entries in the MLS cache. The destination VLAN is stored as part of the MLS entry in order to use the right VLAN identifier when encapsulating on a trunk link.
MLS allows you to enforce access lists on every packet of the flow without compromising MLS performance. When you enable MLS, the MLS-SE handles standard and extended access list permit traffic at wire speed.
Route topology changes and the addition or modification of access lists are reflected in the MLS switching path automatically on the MLS-SE. The techniques for handling route and access list changes apply to both the RSM and directly attached external routers.
For example, when Station A wants to communicate with Station B, it sends the first packet to the MLS-RP. If an access list is configured on the MLS-RP to deny access from Station A to Station B, the MLS-RP receives the packet, checks the access list to see if the packet flow is permitted, and discards the packet based on the access list. Because the first packet for this flow does not return from the MLS-RP, an MLS cache entry is not established by the MLS-SE.
If a flow is already being Layer 3 switched by the MLS-SE and the access list is created on the MLS-RP, the MLS-SE learns of the change through MLSP and immediately enforces security for the affected flow by purging it from the MLS cache. New flows are created based on the restrictions imposed by the access list.
Similarly, when the MLS-RP detects a routing topology change, the appropriate MLS cache entries are deleted in the MLS-SE. New flows are created based on the new topology.
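A small model of the MLS-SE cache behaviour described in the flow-mask section and in the access-list discussion above, added here as an illustration (it is not code from the original document or from Cisco). It shows the candidate/enabler sequence that completes an entry, the key each flow mask mode derives from a packet, the purge of the whole cache when a router announces a more specific flow mask, aging of a candidate whose enabler never returned (the access-list deny case), and purging of affected entries on a route or access-list change. Packets are plain dicts, MAC addresses are strings, and the aging time and the "bridged" verdict for non-MLS traffic are this example's own simplifications.

```python
SPECIFICITY = {"destination-ip": 0, "source-destination-ip": 1, "ip-flow": 2}

def flow_key(pkt: dict, mask: str) -> tuple:
    """The cache key each flow mask mode derives from a packet."""
    if mask == "destination-ip":
        return (pkt["dst_ip"],)
    if mask == "source-destination-ip":
        return (pkt["dst_ip"], pkt["src_ip"])
    return (pkt["dst_ip"], pkt["src_ip"], pkt["proto"], pkt["dport"], pkt["sport"])

class MlsSe:
    """Model of the MLS-SE cache: candidate/enabler learning, aging, flow-mask and ACL purges."""
    def __init__(self, aging_seconds: int = 256):
        self.rp_macs = {}              # MLS-RP MAC -> VLAN, learned from MLSP hellos (Step 1)
        self.mask = "destination-ip"   # least specific until a router announces a stricter mask
        self.cache = {}                # flow key -> entry dict
        self.aging = aging_seconds

    def mlsp_hello(self, rp_mac: str, vlan: int, flow_mask: str) -> None:
        self.rp_macs[rp_mac] = vlan
        if SPECIFICITY[flow_mask] > SPECIFICITY[self.mask]:
            self.mask = flow_mask
            self.cache.clear()         # a flow-mask change purges the entire MLS cache

    def receive(self, pkt: dict, now: int) -> str:
        """Classify one frame seen on the backplane: candidate, enabler, switched or bridged."""
        key = flow_key(pkt, self.mask)
        entry = self.cache.get(key)
        if entry and not entry["complete"] and pkt["src_mac"] in self.rp_macs:
            # enabler: the routed copy came back from the MLS-RP, complete the entry (Step 3)
            entry.update(complete=True, last=now, rewrite=(pkt["dst_mac"], pkt["src_mac"], pkt["vlan"]))
            return "enabler"
        if entry and entry["complete"]:
            entry["last"] = now; entry["packets"] += 1      # Step 4: switched, router bypassed
            return "switched"
        if pkt["dst_mac"] in self.rp_macs:                  # Step 2: first packet sent to the MLS-RP
            self.cache.setdefault(key, {"complete": False, "rewrite": None, "last": now, "packets": 0})
            return "candidate"
        return "bridged"                                    # ordinary Layer 2 traffic, not an MLS flow

    def age(self, now: int) -> int:
        """Drop idle entries, including candidates whose enabler never came (e.g. ACL-denied flows)."""
        expired = [k for k, e in self.cache.items() if now - e["last"] > self.aging]
        for k in expired:
            del self.cache[k]
        return len(expired)

    def purge(self, affected) -> int:
        """MLSP reports a route or ACL change: delete matching entries so the next packet re-learns."""
        keys = [k for k in self.cache if affected(k)]
        for k in keys:
            del self.cache[k]
        return len(keys)
```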
This section describes examples that show the interaction between Catalyst 5000 series switches and routers necessary to perform MLS. All examples assume host A and host B are on different VLANs.
In Figure 2-6, the path from host A to host B covers a single router. In the figure, the packet from host A to host B is Layer 3 switched directly inside the switch and bypasses the router.
Figure 2-7 shows the Layer 3-switched packet from host A to R-2.
Figure 2-8 shows the Layer 3-switched packet from R-2 to host B.
Figure 2-9 shows the Layer 3-switched packet from R-2 to R-3.
In Figure 2-10, packets from host A arrive at the Catalyst 5000 series switch through a Fiber Distributed Data Interface (FDDI) ring. The FDDI module translates the FDDI frames received from the ring to Ethernet frames for the Catalyst 5000 series switching bus. The FDDI module also translates the switching bus Ethernet frames to FDDI frames for transmission to the FDDI ring.
In Figure 2-11, packets from host A arrive at the Catalyst 5000 series switch through an ATM cloud. The ATM module translates the ATM cells received from the cloud to Ethernet frames for the Catalyst 5000 series switching bus. The ATM module translates the switching bus Ethernet frames to ATM cells for transmission to the ATM cloud.
In Figure 2-12, the routed path from host A to host B traverses Catalyst 5000 series switch S-1, routers R-1 and R-2, and Catalyst 5000 series switch S-2. Layer 3 switching is not possible as the enabler packet for switch S-1 does not go through it (it goes to R-2). The candidate packet creates an entry in S-1's MLS cache but it times out as no enabler packet flows through it. In this topology, R-1 and R-2 forward the packets between hosts A and B.
In Figure 2-13, Layer 3 switching is not possible as the router does not support MLSP over FDDI, ATM, and Token Ring media.