Archive
Cisco updates the Catalyst 2960 – Catalyst 2960-X and Catalyst 2960-XR
The Catalyst 2960 is a very common switch in any environment that has
Cisco devices. A couple of years ago the 2960 got stacking via the
2960-S model. It also got the ability to do static routes which
was a nice feature. I used it in some deployments to do routing
locally in 2960 and then add a default route towards WAN provider.
That way I didn’t have to go through a slow CPE to route my local
VLANs.
The 2960-X and -XR are available in 24 or 48 port configurations.
Uplinks are either 2x 10 Gbit SPF+ or 4x 1 Gbit SFP. The PoE models
can support 370W or 740W of power.
The 2960-X provides up to 80 Gbps of stack bandwidth which is 2x more
compared to the 2960-S. It is now also possible to stack up to 8 switches
compared to the earlier maximum of 4. The 2960-S model uses FlexStack while
the newer -X and -XR models uses FlexStack-Plus. FlexStack-Plus supports
detecting stack port operational state in hardware and change the forwarding
according to it. This takes 100 ms or less. The older model does it in CPU
which can take 1 or 2 seconds.
Here are some notable differences between 2960-X and -XR compared to 2960-S.
- Dual core CPU @ 600 MHz. 2960-S has single core
- 2960-XR has support for dual power supplies
- 256 MB of flash for -XR, 128 MB for -X. The S model has 64 MB
- 512 MB of DRAM compared to 256 for 2960-S
- 1k active VLANs compared to 255 for 2960-S
- 48 Etherchannel groups for -XR, 24 for -X and 6 for -S
- 4 MB of egress buffers instead of 2 MB
- 4 SPAN sessions instead of 2
- 32k MACs for -XR, 16k for -X and 8k for -S
- 24k unicast routes for -XR, 16 static routes for -X and -S
The newer models also support Netflow lite, hibernation mode and EEE.
The 2960-XR does support dynamic routing. It has support for RIP, OSPF stub,
OSPFv3 stub, EIGRP stub, HSRP, VRRP and PIM.
Here are some performance numbers:
2960-X Lan Lite has 100 Gbps of switching bandwidth and 64 active VLANS.
2960-X Lan Base has 216 Gbps of switching bandwidth and 1023 active VLANs.
The same holds true for 2960-XR with IP Lite feature set. The 2960-S had
a maximum of 255 VLANs and 176 Gbps switching bandwidth. Depending on
model the 2960-X tops out at 130.9 Mpps compared to 101.2 for 2960-S.
The switches also have added support for IPv6. Notable features are:
- IPv6 MLDv1 and v2 snooping
- IPv6 First Hop Security (RA guard, source guard, and binding integrity guard
- IPv6 ACLs
- IPv6 QoS
- HTTP/HTTPs over IPv6
- SNMP over IPv6
- Syslog over IPv6
I’m expecting more information to come out as it gets presented during Cisco Live
in Orlando.
CCIE link #11
To be a CCIE we need a good grasp of switching and STP. This post by Petr Lapukhov (again) is one of the best I’ve ever seen on STP. This post describes PVST+ in detail. Read it here.
Integrated Routing and Bridging
Sorry for the lack of updates lately but I spent the whole last week skiing and recharging my
batteries and now I’m back fully motivated to continue my path to the lab.
This time we will be talking about Integrated Routing and Bridging (IRB). Before studying for
the lab I had never used this feature. I’m not sure why we would use this feature in a
production network, maybe because we need to bridge two networks instead of routing
them due to some badly written application. If you have used it in real networks please post
in the comments. It is fair game for the lab so we need to know about it.
IRB is a feature used on routers that lets us bridge between a bridged domain and a
routed domain. Remember that in order for a VLAN to span a router the router must
be able to forward frames from one interface to another while maintaining the VLAN
header. If a network protocol is configured on a router interface (IP) it will terminate
the VLAN. This means that the VLAN header will not be maintained. When configuring
IRB we will be using a Bridged Virtual Interface (BVI), this can be compared to a SVI
on a switch. A BVI gives the bridged interfaces a connection to the routed world.
When IRB is configured and traffic comes in on a routed interface (IP address configured)
that is destined for a host in the bridge group the traffic will first be routed to the BVI.
The packet will then be forwarded to the bridging engine which forwards it through a
bridged interface, the forwarding is based on the destination MAC address. If a packet
comes in on a bridged interface destined for a host in a routed network the traffic will
first go to the BVI and then be sent to the routing engine before it sends it out the
routed interface. If bridging between two interfaces with no routed protocols the traffic
will not pass the BVI interface. Think of the bridge-group as an external switch and
the BVI lets us connect this external switch to the router.
The image below describes the scenario. R1 and R3 are in different VLANs but in
the same subnet, we need communication between the two routers. Between the
routers we have a couple of switches.
The configuration on R1 and R3 is straightforward. They have physical interfaces
with an IP address.
R1:
interface FastEthernet0/0
ip address 136.1.136.1 255.255.255.0
R3:
interface FastEthernet0/1
ip address 136.1.136.3 255.255.255.0
R1 is connected to SW1 and R3 to SW3. The switch configuration is just a basic access port.
SW1:
interface FastEthernet0/1
switchport access vlan 16
SW3:
interface FastEthernet0/3
switchport access vlan 36
Router R6 is connected to SW2 and it needs a trunk port.
SW2:
interface FastEthernet0/6
switchport trunk encapsulation dot1q
switchport trunk allowed vlan 16,36
switchport mode trunk
Now we need to configure R6 to bridge between the two different VLANs. We start by activating IRB.
bridge irb
Then we need to tie the interfaces to the bridge-group.
interface FastEthernet0/0.16
bridge-group 1
!
interface FastEthernet0/0.36
bridge-group 1
Now we create a BVI interface in the subnet.
interface BVI1
ip address 136.1.136.6 255.255.255.0
Lastly we need to activate spanning-tree and activate routing for the bridged interfaces.
bridge 1 protocol ieee
bridge 1 route ip
So using IRB we can both bridge and route between interfaces on a
router, something that is not possible otherwise.
Finally, these are some useful commands to show what is going on when using IRB.
show interfaces irb
show bridge
show spanning-tree
Private VLANs
Private VLANs is a method to segment devices at layer 2 that are in the same IP network. Different VLANs are used but they share a common IP network.
The most common scenario for a private VLAN is a residential network where customers
connect to a switch provisioned by the ISP and the ISP wants to provision only one
subnet but the customers should not be able to reach each other at layer 2.
The reason to disallow layer two intercommunication is for security, to prevent someone
from interfearing or eavesdropping on another customers traffic. Another scenario could
be a hosting environment where servers are connected to a switch and a common VLAN
is used instead of provisioning one VLAN for every new customer.
Take a look at this picture.
PC’s in the grey VLAN can only communicate with each other and the router. The same goes for the PC’s in the green VLAN. PC’s in the blue VLAN can ONLY communicate with the router not with each other. The picture shows only one PC but if there was another PC it would not be able to communicate with the other PC in the same VLAN.
Lets look at some of the building blocks of private VLANs.
Types of VLAN:
Primary VLAN – The VLAN that is used for receiving traffic from the device connected to the promiscous port.
Community VLAN – Everybody that is located in a community VLAN may communicate with others in the same
community VLAN and with the primary VLAN but not with other VLANs.
Isolated VLAN – Can only reach the device on the promiscous port, can not reach any other devices.
Types of ports:
Promiscous port – A port that is connected to the primary VLAN where a promiscous device is connected. This device will route traffic between the different VLANs. Requires mapping between primary VLAN and all secondary VLANs.
Host port – Hosts are connected to host ports, requires a association between the secondary VLAN in use on the port and the primary VLAN.
This picture shows the traffic flow.
When communicating in the same community VLAN the traffic forwarding is direct (layer 2) but it traffic is sent between different secondary VLANs the traffic must pass through the router which allows us to do packet filtering at layer 3 and it also means that ARP can not be sent directly between hosts even though they are in the same IP subnet. The arrows from the PC in the blue VLAN to the PC in the black VLAN shows the traffic flow with numbering. First the PC in the blue VLAN sends a packet, this packet is always source with the VID from the secondary VLAN. The router receives the traffic and if no filtering is done it sends the packet out sourcing with the primary VLAN. The PC in the black VLAN receives the packet from the primary VLAN and sends it response with its secondary VLAN. Finally the router sends the packet back to the blue VLAN with the VID of the primary VLAN.
Lets have a look at what needs to be configured, lets start with the VLAN configuration. The scenario is that there are two switches connected by a trunk and routers are connected to the switchports (INE topology).
vlan 100
name PRIMARY
private-vlan primary
private-vlan association 1000,2000,3000
!
vlan 1000
name COMMUNITY_1
private-vlan community
!
vlan 2000
name COMMUNITY_2
private-vlan community
!
vlan 3000
name ISOLATED
private-vlan isolated
We create the VLANs and configure them to be primary, community or isolated. The primary VLAN needs to know the secondary VLANs it should be be associated to. Next is the interface configuration.
interface FastEthernet0/1
switchport private-vlan mapping 100 1000,2000,3000
switchport mode private-vlan promiscuous
!
interface FastEthernet0/3
switchport private-vlan host-association 100 1000
switchport mode private-vlan host
!
interface FastEthernet0/5
switchport private-vlan host-association 100 2000
switchport mode private-vlan host
One port is configured as promiscous and the others as hosts. The host ports with secondary VLANs need to know what primary VLAN is used and the promiscous port needs to know what the secondary VLANs are.
Show vlan private-vlan will show what has been configured.
SW1#show vlan private-vlan
Primary Secondary Type Ports
——- ——— —————– ——————————————
100 1000 community Fa0/1, Fa0/3
100 2000 community Fa0/1, Fa0/5
100 3000 isolated Fa0/1
We also need configuration for SW2.
vlan 100
name PRIMARY
private-vlan primary
private-vlan association 1000,2000,3000
!
vlan 1000
name COMMUNITY_1
private-vlan community
!
vlan 2000
name COMMUNITY_2
private-vlan community
!
vlan 3000
name ISOLATED
private-vlan isolated
!
interface FastEthernet0/2
switchport private-vlan host-association 100 1000
switchport mode private-vlan host
!
interface FastEthernet0/4
switchport private-vlan host-association 100 2000
switchport mode private-vlan host
!
interface FastEthernet0/6
switchport private-vlan host-association 100 3000
switchport mode private-vlan host
Show interface switchport will show how the port is configured.
SW1#show interfaces f0/1 switchport
Name: Fa0/1
Switchport: Enabled
Administrative Mode: private-vlan promiscuous
Operational Mode: private-vlan promiscuous
Administrative Trunking Encapsulation: negotiate
Operational Trunking Encapsulation: native
Negotiation of Trunking: Off
Access Mode VLAN: 1 (default)
Trunking Native Mode VLAN: 1 (default)
Administrative Native VLAN tagging: enabled
Voice VLAN: none
Administrative private-vlan host-association: none
Administrative private-vlan mapping: 100 (PRIMARY) 1000 (COMMUNITY_1) 2000 (COMMUNITY_2) 3000 (ISOLATED)
Administrative private-vlan trunk native VLAN: none
Administrative private-vlan trunk Native VLAN tagging: enabled
Administrative private-vlan trunk encapsulation: dot1q
Administrative private-vlan trunk normal VLANs: none
Administrative private-vlan trunk associations: none
Administrative private-vlan trunk mappings: none
Operational private-vlan:
100 (PRIMARY) 1000 (COMMUNITY_1) 2000 (COMMUNITY_2) 3000 (ISOLATED)
Trunking VLANs Enabled: ALL
Pruning VLANs Enabled: 2-1001
Capture Mode Disabled
Capture VLANs Allowed: ALL
Protected: false
Unknown unicast blocked: disabled
Unknown multicast blocked: disabled
Appliance trust: none
Lets try the configuration, we will start at R1 which is on the promiscous port and see if it can ping R2-R6.
R1#ping 255.255.255.255 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 100.0.0.5, 4 ms
Reply to request 0 from 100.0.0.2, 4 ms
Reply to request 0 from 100.0.0.3, 4 ms
Reply to request 0 from 100.0.0.4, 4 ms
Reply to request 0 from 100.0.0.6, 4 ms
As expected we can ping all the devices. R2 should only be able to ping R3 and R1.
R2#ping 255.255.255.255 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 100.0.0.3, 4 ms
Reply to request 0 from 100.0.0.1, 4 ms
Working as expected. R6 should only be able to ping R1 since it is in an isolated VLAN.
R6#ping 255.255.255.255 re 1
Type escape sequence to abort.
Sending 1, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:
Reply to request 0 from 100.0.0.1, 4 ms
The configuration is working. What if we want to create a SVI in one of the switches? This is the configuration.
SW1(config)#int vlan 100
SW1(config-if)#ip add 100.0.0.7 255.255.255.0
SW1(config-if)#no sh
Lets try to ping.
SW1#ping 100.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
SW1#ping 100.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
Why can’t we ping R2? We have no mapping to the secondary VLAN!
SW1(config)#int vlan 100
SW1(config-if)#private-vlan mapping 1000
SW1(config-if)#^Z
SW1#
*Mar 1 01:08:47.983: %PV-6-PV_MSG: Created a private vlan mapping, Primary 100, Secondary 1000
SW1#
*Mar 1 01:08:49.267: %SYS-5-CONFIG_I: Configured from console by console
SW1#ping 100.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
…..
Success rate is 0 percent (0/5)
SW1#sh run int vlan 100
Building configuration…
Current configuration : 88 bytes
!
interface Vlan100
ip address 100.0.0.7 255.255.255.0
private-vlan mapping 1000
end
Still no success, why?
SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#ip routing
SW1(config)#^Z
SW1#
*Mar 1 01:14:26.858: %SYS-5-CONFIG_I: Configured from console by console
SW1#ping 100.0.0.2
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 100.0.0.2, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/8 ms
IP routing was needed! If you need to find documentation @ Cisco here is how you find it:
Support -> Configure -> Products -> Switches -> LAN Switches -> Access -> Cisco Catalyst 3560 Series Switches -> Configuration Guides -> Catalyst 3560 Software Configuration Guide, Release 12.2(52)SE -> Configuring Private VLANs
