Tuesday, 29 March 2011

How To Configure InterVLAN Routing on Layer 3 Switches


Introduction

VLANs divide broadcast domains in a LAN environment. Whenever hosts in one VLAN need to communicate with hosts in another VLAN, the traffic must be routed between them. This is known as inter-VLAN routing. On Catalyst switches it is accomplished by creating Layer 3 interfaces, called switch virtual interfaces (SVIs), one per VLAN that needs to be routed. This document provides the configuration and troubleshooting steps applicable to this capability.
Note: This document uses a Catalyst 3550 as an example. However, the concepts can also be applied to other Layer 3 switches that run Cisco IOS® (for example, Catalyst 3560, 3750, Catalyst 4500/4000 Series with Sup II+ or later, or Catalyst 6500/6000 Series that run Cisco IOS System software).
Catalyst 3560, 3750, Catalyst 4500/4000 Series with Sup II+ or later, and Catalyst 6500/6000 Series switches that run Cisco IOS system software support basic InterVLAN routing in all their supported software versions. Before you attempt this configuration on a 3550 series switch, ensure that you meet this prerequisite:
· InterVLAN routing on the Catalyst 3550 depends on the software image. Use this table to determine whether your switch can support interVLAN routing.
Image Type and Version                                                          InterVLAN Routing Capability
Enhanced Multilayer Image (EMI), all versions                                   Yes
Standard Multilayer Image (SMI), prior to Cisco IOS Software Release 12.1(11)EA1   No
Standard Multilayer Image (SMI), Cisco IOS Software Release 12.1(11)EA1 and later  Yes

The information in this document is based on these software and hardware versions:
· Catalyst 3550-48 that runs Cisco IOS Software Release 12.1(12c)EA1 EMI
The information presented in this document was created from devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If you are working in a live network, ensure that you understand the potential impact of any command before using it.
For more information on document conventions, refer to the Cisco Technical Tips Conventions.
This section presents the information needed to configure the features described in this document.
The scenario (shown as a logical diagram in the source document) is a simple interVLAN routing setup. It can be expanded to a multi-switch environment by first configuring and testing inter-switch connectivity across the network, and only then configuring the routing capability. For such a scenario that uses a Catalyst 3550, refer to Configuring InterVLAN Routing with Catalyst 3550 Series Switches.
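The following is an added example, not configuration from the Cisco document quoted above. It models a small SVI plan in Python, checks it for the mistakes that most often break inter-VLAN routing (overlapping subnets, an SVI address that is the network or broadcast address, duplicate VLAN ids), renders the IOS commands for a 3550, and answers the question the introduction raises: for a given pair of hosts, is the traffic switched inside one VLAN or routed through an SVI? The VLAN ids, names and subnets are constructed; the emitted commands (ip routing, vlan/name, interface VlanN, ip address, no shutdown) are standard IOS.

```python
"""Plan, check and render SVI-based inter-VLAN routing for a Catalyst 3550.

Added example; this is not configuration from the Cisco document quoted above.
The VLAN ids, names and subnets are constructed. 'ip routing' is the global
command that makes the 3550 route between its SVIs; without it the SVIs exist
but no inter-VLAN forwarding takes place.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import List, Optional


@dataclass(frozen=True)
class Vlan:
    vid: int    # VLAN id, 1-4094
    name: str
    svi: str    # SVI address in CIDR form, e.g. "10.1.10.1/24"; its network is the VLAN's subnet

    @property
    def iface(self) -> IPv4Interface:
        return IPv4Interface(self.svi)


def example_plan() -> List[Vlan]:
    """Constructed three-VLAN plan used by the demo and the checks."""
    return [
        Vlan(10, "USERS", "10.1.10.1/24"),
        Vlan(20, "SERVERS", "10.1.20.1/24"),
        Vlan(30, "MGMT", "10.1.30.1/24"),
    ]


def validate(vlans: List[Vlan]) -> List[str]:
    """Return the problems found; an empty list means the plan is consistent."""
    problems: List[str] = []
    ids = [v.vid for v in vlans]
    if len(ids) != len(set(ids)):
        problems.append("duplicate VLAN id")
    for v in vlans:
        if not 1 <= v.vid <= 4094:
            problems.append(f"VLAN {v.vid}: id out of range")
        net = v.iface.network
        if v.iface.ip in (net.network_address, net.broadcast_address):
            problems.append(f"VLAN {v.vid}: SVI {v.iface.ip} is the network or broadcast address")
    for i, a in enumerate(vlans):
        for b in vlans[i + 1:]:
            if a.iface.network.overlaps(b.iface.network):
                problems.append(f"VLAN {a.vid} and VLAN {b.vid}: overlapping subnets")
    return problems


def render_ios(vlans: List[Vlan]) -> str:
    """Emit the global and per-SVI configuration in IOS syntax."""
    lines = ["ip routing"]  # required on the 3550: without it nothing is routed between SVIs
    for v in vlans:
        lines += [f"vlan {v.vid}", f" name {v.name}"]
    for v in vlans:
        lines += [
            f"interface Vlan{v.vid}",
            f" description {v.name} gateway",
            f" ip address {v.iface.ip} {v.iface.netmask}",
            " no shutdown",
        ]
    return "\n".join(lines) + "\n"


def forwarding_decision(vlans: List[Vlan], src: str, dst: str) -> str:
    """Describe how a packet from src to dst is handled: switched inside one VLAN, or routed via an SVI."""
    def vlan_of(ip: IPv4Address) -> Optional[Vlan]:
        return next((v for v in vlans if ip in v.iface.network), None)

    s, d = vlan_of(IPv4Address(src)), vlan_of(IPv4Address(dst))
    if s is None or d is None:
        return "unknown: address is not in any configured VLAN"
    if s.vid == d.vid:
        return f"switched at Layer 2 within VLAN {s.vid}"
    return f"routed: VLAN {s.vid} -> SVI {s.iface.ip} -> VLAN {d.vid}"


if __name__ == "__main__":
    plan = example_plan()
    print(validate(plan) or "plan OK")
    print(render_ios(plan))
    print(forwarding_decision(plan, "10.1.10.50", "10.1.20.5"))
```

One caveat worth keeping in mind: once ip routing is enabled, every VLAN with an SVI can reach every other one by default. If USERS should not reach MGMT, that restriction has to be added explicitly, for example with an access list applied to the SVI (ip access-group on the interface); the routing configuration alone does not segment anything.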

Broadband Troubleshooting Tips

Home networks not designed and/or implemented by Honeywell GTS are outside the scope of the support model for iPass/Remote Access. The following tips are offered as a resource for working with your ISP or network provider to resolve connectivity problems.

The following ports must be open on your local router (wired or wireless) for iPass and Check Point VPN-1 SecureClient:

TCP 80 for iPassConnectEngine.exe (iPass destination server IP 216.239.109.200)

TCP 443 for Visitor Mode

Protocol 50 for ESP

UDP 10000 for UDP Encapsulation

UDP 500 for IKE

TCP 500 for IKE over TCP

TCP 18231 for Policy Server logon when the client is inside the network

UDP 18233 for Keep alive protocol when the client is inside the network

TCP 18232 for Distribution Server when the client is inside the network

TCP 264 for topology downloads

UDP 259 for MEP configuration

UDP 18234 for performing tunnel test when the client is inside the network

TCP 18264 for ICA certificate registration

Ports 500 and 10000 (both TCP and UDP) need to be opened for the VPN tunnel by the ISP; please contact them. Make sure that your personal router has the same ports open and that IPsec pass-through is enabled. This applies to offices, hotels and homes, whether connected by cable or wirelessly.
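As an added example (not part of the Honeywell support text, and not a Check Point or iPass tool), the script below turns the list above into a gap check against a router's allow-list. The required entries mirror the list above, with the assumption that port 80 is TCP and with the ISP note's "both TCP and UDP" for 500 and 10000 included. The router export format and its contents are constructed to show two frequent mistakes: opening TCP or UDP "port 50" instead of IP protocol 50 (ESP), and opening UDP 500 but forgetting TCP 500 (IKE over TCP).

```python
"""Gap-check a router's allow-list against the iPass / SecureClient port requirements listed above.

Added example; not part of the Honeywell support text. REQUIRED mirrors the
list on this page (port 80 assumed TCP; 500 and 10000 on both TCP and UDP per
the ISP note). The export format and SAMPLE_EXPORT are constructed.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class Rule:
    proto: str      # "tcp", "udp", or "ip" for a raw IP protocol (ESP is protocol 50, not a port)
    number: int     # port for tcp/udp, protocol number for ip
    purpose: str


REQUIRED: List[Rule] = [
    Rule("tcp", 80, "iPassConnectEngine.exe"),
    Rule("tcp", 443, "Visitor Mode"),
    Rule("ip", 50, "ESP"),
    Rule("udp", 10000, "UDP encapsulation"),
    Rule("tcp", 10000, "VPN tunnel (ISP note)"),
    Rule("udp", 500, "IKE"),
    Rule("tcp", 500, "IKE over TCP"),
    Rule("tcp", 18231, "Policy Server logon"),
    Rule("udp", 18233, "keep-alive"),
    Rule("tcp", 18232, "Distribution Server"),
    Rule("tcp", 264, "topology download"),
    Rule("udp", 259, "MEP configuration"),
    Rule("udp", 18234, "tunnel test"),
    Rule("tcp", 18264, "ICA certificate registration"),
]

# Constructed router export: one "allow <proto> <number>" per line, '#' starts a comment.
SAMPLE_EXPORT = """\
allow tcp 80
allow tcp 443
allow tcp 50      # mistake: ESP is IP protocol 50, not TCP port 50
allow udp 500     # UDP 500 only; TCP 500 (IKE over TCP) forgotten
allow udp 10000
allow tcp 10000
allow tcp 18231
allow udp 18233
allow tcp 18232
allow tcp 264
allow udp 259
allow udp 18234
allow tcp 18264
"""


def parse_policy(export: str) -> FrozenSet[Tuple[str, int]]:
    """Parse the export into the set of (proto, number) pairs that are allowed."""
    allowed = set()
    for raw in export.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, proto, number = line.split()
        if action.lower() == "allow":
            allowed.add((proto.lower(), int(number)))
    return frozenset(allowed)


def gap_report(required: List[Rule], allowed: FrozenSet[Tuple[str, int]]) -> Tuple[List[Rule], List[str]]:
    """Return the required rules that are missing, plus warnings that explain likely misconfigurations."""
    missing = [r for r in required if (r.proto, r.number) not in allowed]
    warnings: List[str] = []
    for r in missing:
        if r.proto == "ip":
            # A raw IP protocol cannot be satisfied by a TCP/UDP port of the same number.
            confused = [p for p in ("tcp", "udp") if (p, r.number) in allowed]
            if confused:
                warnings.append(
                    f"{r.purpose}: IP protocol {r.number} is not allowed, but "
                    f"{'/'.join(confused)} port {r.number} is (protocol/port confusion)"
                )
        else:
            other = "udp" if r.proto == "tcp" else "tcp"
            if (other, r.number) in allowed:
                warnings.append(
                    f"{r.purpose}: {r.proto.upper()} {r.number} is missing although "
                    f"{other.upper()} {r.number} is open"
                )
    return missing, warnings


if __name__ == "__main__":
    missing, warnings = gap_report(REQUIRED, parse_policy(SAMPLE_EXPORT))
    for r in missing:
        print(f"MISSING {r.proto.upper()} {r.number} ({r.purpose})")
    for w in warnings:
        print("WARNING", w)
```

The protocol/port distinction is the one that most often defeats a checklist like this: consumer router UIs present "port forwarding" and "VPN pass-through" as separate settings, and ESP only passes when the latter (or an explicit IP protocol 50 rule) is enabled.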



Cable Modem

Single direct connection, for stand-alone PCs that do not use a routing device.


 Ensure the ISP supports IPSec and is configured to allow IPSec traffic to pass 
 Connect the PC directly to the cable modem 
 Power up the cable modem, then the PC 
 Test for Internet connectivity before launching iPass. 
 See the hardware documentation for configuration details or contact the hardware vendor or ISP for additional troubleshooting recommendations. 

Sharing connection with a router (Wired or Wireless)

In general, the routing devices used to share a cable modem among several PCs are the primary source of VPN connectivity problems. These devices may act as a firewall and router, and may provide Network Address Translation (NAT), which the IPsec tunnel has to pass through (this is what the UDP encapsulation port listed above is for).

 Ensure the ISP supports IPsec and is configured to allow IPsec traffic to pass 
 Bypass the router by connecting the PC directly to the cable modem 
 Power up the cable modem, then the PC 
 Test for Internet connectivity before launching iPass 
 After successfully connecting to iPass while bypassing the routing device, reconnect the PC and router in the normal way. You may need to reboot everything; start the cable modem first, then the router, then the PC.
 Ensure your router supports IPsec (sometimes referred to as IPsec pass-through or VPN pass-through) and that it is enabled. See your hardware documentation for configuration details or contact your hardware vendor or ISP for more information. 
 You may have to disable the firewall feature on your router; do this only as a diagnostic step, and re-enable it once the tunnel works. 
 Make sure your router firmware is current. Even though the configuration looks like it supports IPsec traffic, a firmware upgrade may be necessary to get connected. Check your hardware vendor's website for the latest firmware updates and instructions to update your hardware. 
 See the hardware documentation for configuration details or contact the hardware vendor or ISP for additional troubleshooting recommendations. 

DSL

DSL devices are usually routing devices as well, and are a frequent source of connectivity problems. As with cable modems, a successful DSL connection requires that the ISP support IPsec and be configured to allow IPsec traffic to pass. See your hardware documentation for configuration details or contact your hardware vendor or ISP for additional troubleshooting recommendations.

Recommended Wireless Routers:

Linksys and Netgear, wired and wireless.

Routers known not to work with iPass/Check Point client:

D-Link routers

EMEA:

 Any router that connects via USB cable and shows up as a dial-up device cannot be used. We found this specifically in some of the BT Voyager modems/routers (British Telecom 105). If it can be configured with manufacturer firmware to show up as a broadband device, it should be configurable in the iPass product.

 Any AOL-provided broadband solution (such as RoadRunner).

USA:

Any router that connects via USB cable and shows up as a dial-up device cannot be used unless it truly has a dial-up option. 

ADSL routers using PPPoA cannot be used because they cannot be configured as a broadband device.

Any AOL-provided broadband solution (such as RoadRunner).

Distance Vector Routing Protocols

Most routing protocols fall into one of two classes: distance vector or link state. The basics of distance vector routing protocols are examined here; the next section covers link state routing protocols. Most distance vector algorithms are based on the work of R. E. Bellman, L. R. Ford, and D. R. Fulkerson, and for this reason are occasionally referred to as Bellman-Ford or Ford-Fulkerson algorithms. A notable exception is EIGRP, which is based on an algorithm developed by J. J. Garcia-Luna-Aceves.
R. E. Bellman. Dynamic Programming. Princeton, New Jersey: Princeton University Press, 1957.
L. R. Ford Jr. and D. R. Fulkerson. Flows in Networks. Princeton, New Jersey: Princeton University Press, 1962.
The name distance vector is derived from the fact that routes are advertised as vectors of (distance, direction), where distance is defined in terms of a metric and direction is defined in terms of the next-hop router. For example, "Destination A is a distance of five hops away, in the direction of next-hop Router X." As that statement implies, each router learns routes from its neighboring routers' perspectives and then advertises the routes from its own perspective. Because each router depends on its neighbors for information, which the neighbors in turn might have learned from their neighbors, and so on, distance vector routing is sometimes facetiously referred to as "routing by rumor."
Distance vector routing protocols include the following:
  • Routing Information Protocol (RIP) for IP
  • Xerox Networking System's XNS RIP
  • Novell's IPX RIP
  • The Cisco Systems Interior Gateway Routing Protocol (IGRP) and Enhanced Interior Gateway Routing Protocol (EIGRP)
  • DEC's DNA Phase IV
  • AppleTalk's Routing Table Maintenance Protocol (RTMP)


Common Characteristics

A typical distance vector routing protocol uses a routing algorithm in which routers periodically send routing updates to all neighbors by broadcasting their entire route tables.
A notable exception to this convention is Cisco's Enhanced IGRP. EIGRP is a distance vector protocol, but its updates are not periodic, are not broadcast, and do not contain the full route table; it is covered separately under "Enhanced Interior Gateway Routing Protocol (EIGRP)."
The preceding statement packs in a lot of information. The following sections consider each part of it in more detail.

Periodic Updates

Periodic updates means that at the end of a certain time period, updates are transmitted. This period typically ranges from 10 seconds for AppleTalk's RTMP to 90 seconds for Cisco's IGRP. The tension here is that if updates are sent too frequently, congestion and router CPU overloading might occur; if they are sent too infrequently, convergence time might be unacceptably high.

Neighbors

In the context of routers, neighbors means routers sharing a common data link or some higher-level logical adjacency.[6] A distance vector routing protocol sends its updates to neighboring routers and depends on them to pass the update information along to their neighbors. For this reason, distance vector routing is said to use hop-by-hop updates.
[6] This statement is not entirely true. Hosts also can listen to routing updates in some implementations; but all that is important for this discussion is how routers work.

Broadcast Updates

When a router first becomes active on a network, how does it find other routers and how does it announce its own presence? Several methods are available. The simplest is to send the updates to the broadcast address (in the case of IP, 255.255.255.255). Neighboring routers speaking the same routing protocol will hear the broadcasts and take appropriate action. Hosts and other devices uninterested in the routing updates will simply drop the packets.

Full Routing Table Updates

Most distance vector routing protocols take the very simple approach of telling their neighbors everything they know by broadcasting their entire route table, with some exceptions that are covered in following sections. Neighbors receiving these updates glean the information they need and discard everything else.
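The following is an added example, not code from the book this section is drawn from, that puts the four characteristics above into one toy simulation: every router periodically hands its entire table to each neighbor as (distance, next hop) vectors, relaxes what it hears Bellman-Ford style, and trusts it unconditionally. The topology (a chain A-B-C-D, each router with one directly connected LAN) and the RIP-style hop-count metric with 16 as "unreachable" are assumptions. The second half shows the security consequence of "routing by rumor": an unauthenticated router that attaches to B and falsely claims D's LAN as directly connected is believed, and B and A start forwarding that LAN's traffic to it.

```python
"""Toy distance-vector simulation: periodic, hop-by-hop, full-table updates.

Added example; not from the text this section quotes. Topology, prefixes and
the RIP-style hop-count metric are assumptions. Loop-prevention features
(split horizon, hold-down) are deliberately omitted; the point is the trust
model, not convergence tuning.
"""
from typing import Dict, List, Optional, Tuple

INFINITY = 16  # "unreachable" in a hop-count metric (assumption, as in RIP)
Route = Tuple[int, Optional[str]]  # (metric, next-hop router name); None = directly connected


class Router:
    def __init__(self, name: str, connected: List[str]) -> None:
        self.name = name
        self.neighbors: Dict[str, "Router"] = {}
        self.table: Dict[str, Route] = {p: (0, None) for p in connected}

    def advertise(self) -> Dict[str, int]:
        """Full-table update, expressed from this router's own perspective (prefix -> metric)."""
        return {prefix: metric for prefix, (metric, _) in self.table.items()}

    def receive(self, sender: str, update: Dict[str, int]) -> bool:
        """Bellman-Ford relaxation: believe whatever a neighbor says, if it is closer."""
        changed = False
        for prefix, metric in update.items():
            candidate = min(metric + 1, INFINITY)
            current = self.table.get(prefix)
            better = current is None or candidate < current[0]
            # If our current next hop reports a different metric, follow it even when worse.
            from_next_hop = current is not None and current[1] == sender and candidate != current[0]
            if better or from_next_hop:
                self.table[prefix] = (candidate, sender)
                changed = True
        return changed


def link(a: Router, b: Router) -> None:
    a.neighbors[b.name] = b
    b.neighbors[a.name] = a


def exchange_round(routers: Dict[str, Router]) -> bool:
    """One periodic update cycle: snapshot every table, then deliver to each neighbor."""
    ads = {name: r.advertise() for name, r in routers.items()}
    changed = False
    for r in routers.values():
        for nbr_name in r.neighbors:
            changed |= r.receive(nbr_name, ads[nbr_name])
    return changed


def converge(routers: Dict[str, Router], max_rounds: int = 50) -> int:
    """Run update cycles until one carries no new information; return how many cycles did."""
    for rnd in range(1, max_rounds + 1):
        if not exchange_round(routers):
            return rnd - 1
    raise RuntimeError("no convergence (count-to-infinity?)")


def build_chain() -> Dict[str, Router]:
    """A - B - C - D, each with one directly connected LAN (constructed topology)."""
    routers = {n: Router(n, [f"10.{i}.0.0/24"]) for i, n in enumerate("ABCD", start=1)}
    link(routers["A"], routers["B"])
    link(routers["B"], routers["C"])
    link(routers["C"], routers["D"])
    return routers


def attach_rogue(routers: Dict[str, Router]) -> Dict[str, Router]:
    """An unauthenticated router R on B's segment falsely claims D's LAN as directly connected."""
    rogue = Router("R", ["10.4.0.0/24"])
    link(routers["B"], rogue)
    routers["R"] = rogue
    return routers


if __name__ == "__main__":
    net = build_chain()
    print("rounds to converge:", converge(net))
    for r in net.values():
        print(r.name, dict(sorted(r.table.items())))
    attach_rogue(net)
    print("rounds to re-converge after rogue:", converge(net))
    print("B's route to D's LAN:", net["B"].table["10.4.0.0/24"])
    print("A's route to D's LAN:", net["A"].table["10.4.0.0/24"])
```

Each cycle only carries information one hop further (A learns D's LAN three rounds after start), which is the hop-by-hop property in action. After the rogue attaches, B prefers R's metric-1 claim over the legitimate metric-2 path through C, and A follows B a round later; C and D, which never hear from R, are unaffected. Nothing in the protocol as described here lets B tell the two advertisements apart, which is why production deployments authenticate neighbors and filter which prefixes each is allowed to advertise.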

Bridge

A device that connects two local-area networks (LANs), or two segments of the same LAN. The two LANs can be alike or dissimilar; for example, a bridge can connect an Ethernet with a Token Ring network. Unlike routers, bridges are protocol-independent: they simply forward frames without analyzing and re-routing messages. Consequently, they are faster than routers, but also less versatile.

Router

A device that connects two or more networks. Routers are similar to bridges, but provide additional functionality, such as the ability to filter packets and forward them to different places based on various criteria. The Internet uses routers extensively to forward packets from one host to another.

Switch

In networks, a device that filters and forwards packets between LAN segments. Switches operate at the data link layer (Layer 2) of the OSI Reference Model and are therefore independent of the Layer 3 protocol carried. LANs that use switches to join segments are called switched LANs or, in the case of Ethernet networks, switched Ethernet LANs.

Concentrator

A type of multiplexor that combines multiple channels onto a single transmission medium in such a way that all the individual channels can be simultaneously active. For example, ISPs use concentrators to combine their dial-up modem connections onto faster T-1 lines that connect to the Internet. Concentrators are also used in local-area networks (LANs) to combine transmissions from a cluster of nodes. In this case, the concentrator is often called a hub or MAU.

Gateway

A device used to connect networks that use different protocols so that information can be passed from one system to the other. Depending on what it translates, a gateway may operate at any layer of the OSI model, up to the application layer. Hardware-wise, a gateway is often simply a PC with two network interface cards (NICs) and software that performs the actual conversion of protocols and data packets.

Multiplexor

A communications device that multiplexes (combines) several signals for transmission over a single medium. A demultiplexor completes the process by separating multiplexed signals from a transmission line. Frequently a multiplexor and demultiplexor are combined into a single device capable of processing both outgoing and incoming signals. A multiplexor is sometimes called a mux.

Multi-Port Repeater or Intelligent Hubs

So-called intelligent hubs include additional features that enable an administrator to monitor the traffic passing through the hub and to configure each port in the hub. Intelligent hubs are also called manageable hubs.

