Cisco Switch

The LEDs on the front panel of a switch are:
System LED: shows whether the system is receiving power and operating normally.
During POST at boot, no light means the test is still running, green means it passed, and amber means POST failed.
RPS (remote power supply) LED: shows whether a remote power supply is in use.
Port LEDs:
At boot, amber means the port is being checked; if it turns green after 30 seconds the port is normal, if it turns amber there is a problem, and no light means no link is detected on that port.
The Mode button selects one of the following display modes:
 port mode
 port status

During auto-negotiation a Cisco switch chooses the port mode according to the following priority table:
Priority: Ethernet Mode
7: 100BASE-T2 (full duplex)
6: 100BASE-TX (full duplex)
5: 100BASE-T2
4: 100BASE-T4
3: 100BASE-TX
2: 10BASE-T (full duplex)
1: 10BASE-T
Note: modes not marked full duplex are half duplex.

……

Operations Within a Layer 2 Catalyst Switch
1. RX switch port
2. Ingress queues
3. The following decisions are made simultaneously by independent portions of the switching hardware:
   (TCAM) Security ACLs, inbound and outbound
   (TCAM) QoS ACLs, classification and policing
   (CAM) L2 forwarding table
4. Egress queues
5. TX switch ports

L2 forwarding table
Equivalent to the MAC address table.
Security ACLs
ACL can be used to identify frames according to their MAC addresses, protocol types (for non-IP frames), IP addresses, protocols, and Layer 4 port numbers.
The TCAM contains ACLs in a compiled form so that a decision can be made on whether to forward a frame in a single table lookup.
QoS ACLs
Other ACLs can classify incoming frames according to QoS parameters, to police or control the rate of traffic flows, and to mark QoS parameters in outbound frames.
The TCAM also is used to make these decisions in a single table lookup.

………………

The MLS techniques used by Cisco Catalyst switches are:
route caching (first-generation MLS)
topology-based (second-generation MLS)
Note:
only topology-based MLS is supported in the Cisco IOS Software-based switch families, such as the Catalyst 3750, 4500, and 6500.
Note:
switching methods from fastest to slowest are
dCEF, CEF, fast switching, process switching

Route caching
requires an RP (route processor) and an SE (switch engine).
 The RP must process a traffic flow's first packet to determine the destination.
 The SE listens to the first packet and to the resulting destination, and sets up a "shortcut" entry in its MLS cache.
 The SE forwards subsequent packets in the same traffic flow based on shortcut entries in its cache.
Note:
Even though this method is not used to forward packets in Cisco IOS-based Catalyst switches, the technique generates traffic flow information and statistics.
Note:
This type of MLS is also known by the names
fast switching, NetFlow LAN switching, flow-based/demand-based switching, and "route once, switch many."

Topology-based/CEF (utilizing specialized hardware)
Layer 3 routing information builds and prepopulates a single database of the entire network topology.
1. This database, an efficient table lookup in hardware, is consulted so that packets can be forwarded at high rates.
2. The longest match found in the database is used as the correct Layer 3 destination.
3. As the routing topology changes over time, the database contained in the hardware can be updated dynamically with no performance penalty

…….

Operations Within a Multilayer Catalyst Switch
1. RX switch port
2. Ingress queues
3. Packets are forwarded using simultaneous decision processes; the following four are performed at the same time:
   (TCAM) Security ACLs, inbound and outbound
   (TCAM) QoS ACLs, classification and policing
   (FIB) L3 forwarding table
   (CAM) L2 forwarding table
4. L3 packet rewrite
5. Egress queues
6. TX switch ports


all these multilayer decisions are performed simultaneously in hardware
L2 forwarding table
Equivalent to the MAC address table.
If the frame contains a Layer 3 packet to be forwarded, the destination MAC address is that of a Layer 3 port on the switch.
In this case, the CAM table results are used only to decide that the frame should be processed at Layer 3.
(FIB)L3 forwarding table
The FIB table is consulted, using the destination IP address as an index.
The longest match in the table is found (both address and mask), and the resulting next-hop Layer 3 address is obtained.
The FIB also contains each next-hop entry’s Layer 2 MAC address and the egress switch port (and VLAN ID) so that further table lookups are not necessary.
Fields:
 IP Address
 Next-Hop IP Addr
 Next-Hop MAC Addr
 Egress Port
Security ACLs
Inbound and outbound access lists are compiled into TCAM entries so that decisions of whether to forward a packet can be determined as a single table lookup.
QoS ACLs
Packet classification, policing, and marking all can be performed as single table lookups in the QoS TCAM.

L3 packet rewrite
Because the contents of the Layer 3 packet (the TTL value) have changed, the Layer 3 header checksum must be recalculated.
And because both the Layer 2 and Layer 3 contents have changed, the Layer 2 checksum must be recalculated.
In other words, the entire Ethernet frame must be rewritten before it goes into the egress queue.
This is also accomplished efficiently in hardware.
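As an added illustration (not from the page, and not Cisco code), here is a small Python model of the FIB lookup and Layer 3 rewrite described above: a constructed FIB keyed by prefix, a longest match on address and mask that returns the next-hop MAC and egress port, then the TTL decrement and IPv4 header checksum recalculation. The FIB entries, MAC addresses and test frame are constructed sample data; the Ethernet FCS is left out.

```python
import ipaddress
import struct

# Constructed FIB: prefix -> (next-hop IP, next-hop MAC, egress port). Sample data only.
FIB = [
    ("0.0.0.0/0",        "10.0.0.1", "0000.0c07.ac01", "Gi1/0/1"),
    ("192.168.5.0/24",   "10.1.1.2", "0013.7297.3d4b", "Gi1/0/29"),
    ("192.168.5.128/25", "10.1.1.3", "0050.8b11.54da", "Fa1/0/1"),
]

def mac_bytes(dotted):
    return bytes.fromhex(dotted.replace(".", ""))

def fib_lookup(dst_ip):
    """Longest match on address and mask; returns (next-hop IP, next-hop MAC, egress port)."""
    best = None
    for prefix, nh_ip, nh_mac, port in FIB:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst_ip) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, nh_ip, nh_mac, port)
    return best[1:] if best else None

def ipv4_checksum(header):
    """RFC 791 header checksum: ones'-complement sum of 16-bit words; 0 when verifying a good header."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, payload=b""):
    """Constructed test frame: Ethernet header + 20-byte IPv4 header (protocol 17) + payload."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                                ttl, 17, 0, ipaddress.ip_address(src_ip).packed,
                                ipaddress.ip_address(dst_ip).packed))
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + b"\x08\x00" + bytes(hdr) + payload

def rewrite(frame, l3_port_mac):
    """L3 rewrite: new destination/source MAC, TTL - 1, fresh IP header checksum.
    Returns (egress port, rewritten frame), or None when the packet must be punted (TTL expiring)."""
    ip = bytearray(frame[14:])
    ihl = (ip[0] & 0x0F) * 4
    if ip[8] <= 1:
        return None                      # TTL would expire: an exception handled by the CPU
    _nh_ip, nh_mac, port = fib_lookup(str(ipaddress.ip_address(bytes(ip[16:20]))))
    ip[8] -= 1                           # decrement TTL
    ip[10:12] = b"\x00\x00"              # zero the old checksum, then recompute over the header
    ip[10:12] = struct.pack("!H", ipv4_checksum(bytes(ip[:ihl])))
    return port, mac_bytes(nh_mac) + mac_bytes(l3_port_mac) + frame[12:14] + bytes(ip)
```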

Multilayer Switching Exceptions
If a packet meets criteria such as the following, it is flagged for further processing and sent or "punted" to the switch CPU for process switching:
■ ARP requests and replies
■ IP packets requiring a response from a router
(TTL has expired, MTU is exceeded, fragmentation is needed, and so on)
■ IP broadcasts that will be relayed as unicast
(DHCP requests, IP helper-address functions)
■ Routing protocol updates
■ Cisco Discovery Protocol packets
■ IPX routing protocol and service advertisements
■ Packets needing encryption
■ Packets triggering Network Address Translation (NAT)
■ Other non-IP and non-IPX protocol packets (AppleTalk, DECnet, and so on)


………………………………………………………………………………….

CAM (Content-Addressable Memory)
1. Equivalent to the MAC address table.
2. All Catalyst switch models use a CAM table for Layer 2 switching.
3. Fields:
 MAC Address
 Egress Port
 VLAN
Note: how it operates
1. The port of arrival and the VLAN are both recorded in the table, along with a timestamp.
2.1 If a MAC address learned on one switch port has moved to a different port, the MAC address and timestamp are recorded for the most recent arrival port. Then the previous entry is deleted.
2.2 If a MAC address is already present in the table for the correct arrival port, only its timestamp is updated.

CAM management
To manage the CAM table space, stale entries (addresses that have not been heard from for a period of time) are aged out.
By default, idle CAM table entries are kept for 300 seconds before they are deleted.

Behavior when a MAC address moves
Case 1
When a host's MAC address is learned on one switch port, and the host then moves so that it appears on a different switch port,
the switch behaves as follows:
To avoid having duplicate CAM table entries, the switch purges (without waiting for the 300-second aging timer) any existing entries for a MAC address that has just been learned on a different switch port.
Case 2
If a switch notices that a MAC address is being learned on alternating switch ports,
the switch behaves as follows:
it generates an error message that flags the MAC address as "flapping" between interfaces.
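The CAM table behaviour described in this section, modelled as an added Python example (not the page's or Cisco's code): learning with a timestamp, timestamp refresh on the same port, immediate purge on a port move, aging after 300 seconds of silence, and a flapping message when a MAC alternates between ports. The flap rule (A, B, A, B over the last four arrivals) and the message text are assumptions, not the IOS implementation or its syslog format.

```python
CAM_AGING_SECONDS = 300          # Catalyst default for idle entries
FLAP_HISTORY = 4                 # assumption: A,B,A,B over the last four arrivals counts as flapping

class CamTable:
    def __init__(self, aging=CAM_AGING_SECONDS):
        self.aging = aging
        self.entries = {}        # mac -> {"port", "vlan", "seen"}; one entry per MAC
        self.history = {}        # mac -> recent arrival ports, used for flap detection
        self.messages = []       # error messages the switch would log (constructed wording)

    def learn(self, mac, vlan, port, now):
        """Process a frame's source MAC seen on 'port' at time 'now' (seconds)."""
        entry = self.entries.get(mac)
        if entry is not None and entry["port"] == port:
            entry["seen"] = now                    # known on this port: refresh timestamp only
        else:
            # New MAC, or a MAC that moved: record the newest port. Replacing the dict
            # entry purges the old port at once, without waiting for the aging timer.
            self.entries[mac] = {"port": port, "vlan": vlan, "seen": now}
        recent = self.history.setdefault(mac, [])
        recent.append(port)
        del recent[:-FLAP_HISTORY]
        if (len(recent) == FLAP_HISTORY and recent[0] != recent[1]
                and recent[0::2] == [recent[0]] * 2 and recent[1::2] == [recent[1]] * 2):
            self.messages.append("flapping: host %s in vlan %d between port %s and port %s"
                                 % (mac, vlan, recent[1], recent[0]))
            return "flapping"
        return "learned"

    def age_out(self, now):
        """Delete entries idle longer than the aging time; returns the purged MACs."""
        stale = [m for m, e in self.entries.items() if now - e["seen"] > self.aging]
        for m in stale:
            del self.entries[m]
        return stale

    def lookup(self, mac):
        """Egress port and VLAN for a destination MAC, or None (the frame would be flooded)."""
        e = self.entries.get(mac)
        return None if e is None else (e["port"], e["vlan"])
```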


………………………………………..

TCAM(Ternary Content-Addressable Memory)
The Catalyst IOS Software has two components that are part of the TCAM operation:
FM(Feature Manager)
After an access list has been created or configured, the FM software compiles, or merges, the ACEs into entries in the TCAM table.
The TCAM then can be consulted at full frame-forwarding speed.
SDM(Switching Database Manager)
You can partition the TCAM on some Catalyst switches into areas for different functions.
The SDM software configures or tunes the TCAM partitions, if needed.
(The TCAM is fixed on Catalyst 4500 and 6500 platforms and cannot be repartitioned.)

Note:
Comparison
1. In traditional routing,
ACLs can match, filter, or control specific traffic.
Access lists are made up of one or more ACEs, or matching statements, that are evaluated in sequential order.
Evaluating an access list takes additional time, adding to the latency of forwarding packets.
2. In multilayer switches, however,
all the matching that ACLs provide is implemented in hardware.
The TCAM allows a packet to be evaluated against an entire access list in a single table lookup.
Most switches have multiple TCAMs so that both inbound and outbound security and QoS ACLs can be evaluated simultaneously, or entirely in parallel with a Layer 2 or Layer 3 forwarding decision.
Note:
ACE = access control entities

Concept
The TCAM is an extension of the CAM table concept.
The TCAM also uses a table-lookup operation but is greatly enhanced to allow a more abstract operation.
ex:
binary values (0s and 1s) make up a key into the table, but a mask value is also used to decide which bits of the key are actually relevant.
This effectively makes a key consisting of three input values: 0, 1, and X (don't care) bit values, a three-fold or ternary combination.

TCAM entries are composed of VMR (Value, Mask, Result) combinations.
Values
are always 134-bit quantities, consisting of source and destination addresses and other relevant protocol information, all patterns to be matched.
Fields: IP Protocol, IP ToS, Source IP, Src port, S Port LOU, Dest IP, Dest port, D Port LOU
The information concatenated to form the value depends on the type of access list.
Values in the TCAM come directly from any address, port, or other protocol information given in an ACE.
 Access List Type: Value and Mask Components, 134 Bits Wide (Number of Bits)
 Ethernet: Source MAC (48), destination MAC (48), Ethertype (16)
 ICMP: Source IP (32), destination IP (32), protocol (16), ICMP code (8), ICMP type (4), IP type of service (ToS) (8)
 Extended IP using TCP/UDP: Source IP (32), destination IP (32), protocol (16), IP ToS (8), source port (16), source operator (4), destination port (16),destination operator (4)
 Other IP: Source IP (32), destination IP (32), protocol (16), IP ToS (8)
 IGMP: Source IP (32), destination IP (32), protocol (16), IP ToS (8),IGMP message type (8)
 IPX: Source IPX network (32), destination IPX network (32), destination node (48), IPX packet type (16)
Masks
are 134-bit quantities, in exactly the same format, or bit order, as the values.
Masks select only the value bits of interest; a mask bit is set to exactly match a value bit, or is not set for value bits that do not matter.
The masks used in the TCAM stem from the address or bit masks in ACEs.
Results
are numeric values that represent what action to take after the TCAM lookup occurs.
Whereas traditional access lists offer only a permit or deny result, TCAM lookups offer a number of possible results or actions.
ex:
the result can be a permit or deny decision, an index value to a QoS policer, a pointer to a next-hop routing table, and so on.

The TCAM always is organized by masks, where each unique mask has eight value patterns associated with it.
ex:
the Catalyst 6500 TCAM (one for security ACLs and one for QoS ACLs) holds up to 4096 masks and 32,768 value patterns.
The trick is that each of the mask-value pairs is evaluated simultaneously, or in parallel, revealing the best or longest match in a single table lookup.
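An added Python example (not from the page or from Cisco) of the VMR idea above: each ACE compiles to a value, a mask (whose clear bits are the X / don't-care positions) and a result that can be more than permit/deny; a lookup compares the key against every entry and returns the most specific match. The field layout is an assumed subset of the Extended IP layout (protocol, source IP, destination IP, destination port), not the full 134 bits, and port operators (LOUs) are not modelled.

```python
import ipaddress

# Assumed field layout for the key: a subset of the Extended IP layout above
# (protocol 16 bits, source IP 32, destination IP 32, destination port 16), not all 134 bits.
FIELDS = [("proto", 16), ("src", 32), ("dst", 32), ("dport", 16)]

def pack_key(**fields):
    """Concatenate the packet's header fields into one lookup key (missing fields are 0)."""
    key = 0
    for name, width in FIELDS:
        key = (key << width) | (fields.get(name, 0) & ((1 << width) - 1))
    return key

def compile_ace(result, proto=None, src=None, dst=None, dport=None):
    """Compile one ACE into a (value, mask, result) triple. A field given as None
    becomes all 'X' (don't-care) bits: its mask bits are clear."""
    spec = {"proto": proto, "src": src, "dst": dst, "dport": dport}
    value = mask = 0
    for name, width in FIELDS:
        v = m = 0
        if spec[name] is not None:
            if name in ("src", "dst"):                   # address plus wildcard, as in an ACE
                net = ipaddress.ip_network(spec[name], strict=False)
                v, m = int(net.network_address), int(net.netmask)
            else:                                        # exact ('eq'-style) match
                v, m = spec[name], (1 << width) - 1
        value = (value << width) | v
        mask = (mask << width) | m
    return value, mask, result

def tcam_lookup(entries, key):
    """Compare the key against every VMR entry (the hardware does this in parallel)
    and return the result of the most specific match; ties go to the earlier entry."""
    best = None
    for value, mask, result in entries:
        if key & mask == value & mask:
            bits = bin(mask).count("1")
            if best is None or bits > best[0]:
                best = (bits, result)
    return None if best is None else best[1]

def ip(addr):
    """Dotted IPv4 address -> integer, for building keys."""
    return int(ipaddress.ip_address(addr))
```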

Port Operations in TCAM
1. If an ACE has a port operator
ex: (such as gt, lt, neq, or range)
access-list 100 deny udp any 192.168.5.0 0.0.0.255 gt 1024
access-list 100 deny udp any 192.168.199.0 0.0.0.255 range 1024 2047
the FM software compiles the TCAM entry to include the use of the operator and the operand in a LOU (logical operation unit) register.
Only a limited number of LOUs are available in the TCAM.
ex:
LOU register pairs
A.1 (gt 1024), A.2 ( )
B.1 (range start 1024), B.2 (range end 2047)
Note:
If there are more ACEs with comparison operators than there are LOUs, the FM must break up the ACEs into multiple ACEs with only regular matching (using the eq operator).
2. The FM checks all ACEs for Layer 4 operations and places these into LOU register pairs.
3. These can be loaded with operations, independent of any other ACE parameters.
4. The LOU contents can be reused if other ACEs need the same comparisons and values.
5. After the LOUs are loaded, they are referenced in the TCAM entries that need them.
Note:
A finite number (actually, a rather small number) of LOUs are available in the TCAM, so the FM software must use them carefully.
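To show why the FM must be careful with LOUs, here is an added Python example (not from the page, and not the FM's actual algorithm) of what breaking a port operator into eq-style entries costs: a range that is an aligned block, such as range 1024 2047, fits one value/mask pair, while gt 1024 needs many. The aligned-block expansion is an assumed way to express a range with plain masks.

```python
PORT_WIDTH = 16

def expand_range(lo, hi, width=PORT_WIDTH):
    """Split the inclusive port range [lo, hi] into aligned blocks, each expressible
    as one (value, mask) pair; returns the list of pairs (one eq-style TCAM entry each)."""
    pairs = []
    while lo <= hi:
        size = 1
        # grow the block while it stays aligned to its size and inside the range
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        mask = ((1 << width) - 1) & ~(size - 1)
        pairs.append((lo, mask))
        lo += size
    return pairs

def port_matches(port, pairs):
    """True if any of the expanded entries matches the port, as a masked TCAM compare would."""
    return any(port & mask == value for value, mask in pairs)

def entries_for(operator, operand, width=PORT_WIDTH):
    """Eq-style entries needed for gt / lt / range / neq when no LOU is available.
    'operand' is a port for gt, lt and neq, and a (start, end) tuple for range."""
    top = (1 << width) - 1
    if operator == "gt":
        return expand_range(operand + 1, top, width)
    if operator == "lt":
        return expand_range(0, operand - 1, width)
    if operator == "range":
        return expand_range(operand[0], operand[1], width)
    if operator == "neq":
        return expand_range(0, operand - 1, width) + expand_range(operand + 1, top, width)
    raise ValueError("unknown operator: %s" % operator)
```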

TCAM resources
TCAMs have a limited number of 1)usable mask, 2)value pattern, and 3)LOU entries.
If access lists grow to be large or many Layer 4 operations are needed, the TCAM tables and registers can overflow.
If that happens while you are configuring an ACL, the switch will generate syslog messages that flag the TCAM overflow situation as it tries to compile the ACL into TCAM entries.

Punting
When the TCAM cannot be used to forward a flow, the system automatically falls back to processing it in the CPU, whose forwarding performance is limited.
Possible cause: the TCAM is full.
Remedy: move to a switch with a larger TCAM, or reduce the number of TCAM entries.
Note: TCAM utilization can be checked with the platform's show commands.
Note: punting also happens for features the hardware does not support, for remote logins to the switch, and so on.

…………………………

Configuring the default gateway on a switch
(config)#ip default-gateway <ip>
Packets whose destination the switch does not know how to reach are sent to the default gateway.
Note: recommended when the switch will be managed remotely, so that replies can reach the remote host.


Enabling routing on a multilayer switch
(config)#ip routing


Using the switchport host macro to configure an interface for a single host
Switch(config-if)# switchport host
This results in the following:
switchport mode will be set to access
spanning-tree portfast will be enabled
channel group will be disabled


Multilayer switch interface modes
Layer 2 mode: a Layer 2 interface, an ordinary switch port.
Layer 3 mode: a Layer 3 interface; it can be assigned an IP address, on switches that support Layer 3.
Note:
every switch port on
 most Catalyst switches: is a Layer 2 interface,
 the Catalyst 6500: is a Layer 3 interface


Setting a multilayer switch interface to Layer 2 mode
Switch(config-if)# switchport

Setting a multilayer switch interface to Layer 3 mode
Switch(config-if)# no switchport
Switch(config-if)# ip address <ip> <mask> [secondary]
Note:
an EtherChannel can also become a Layer 3 port.
Note:
If neither Layer 1 nor Layer 2 is operational, the interface is considered down;
it cannot take part in switching protocols such as STP and DTP.

Configuring an SVI for a given VLAN
Switch(config)# interface vlan <vlan-id>
Switch(config-if)# ip address <ip> <mask> [secondary]
Switch(config-if)# no shutdown
Note: if no interface in the VLAN is up, the SVI is considered down.

Verifying interface mode
# show interface <interface> switchport
The Switchport line of the output shows:
 Disabled: the interface is in Layer 3 mode
 Enabled: the interface is in Layer 2 mode
Note:
router interfaces default to Disabled; switch interfaces and SVIs default to Enabled.
Note:
If an SVI shows Switchport: Disabled, the possible reasons are:
the interface is disabled with the shutdown command
the VLAN itself has not been defined on the switch.
Note:
Sample output of show interface switchport (abridged):
Name: Gi4/2
Switchport: Enabled
Administrative Mode: trunk
Operational Mode: trunk // "down" here means the interface is not operating
[omitted]


………………………


To configure static CAM table entries
(config)# mac address-table static <mac-address> vlan <vlan-id> interface <interface>
Because the switch no longer needs to flood to learn the address dynamically, this saves bandwidth.
ex: on a 2950 switch, make fa0/5 the port for MAC address 1111.1111.1111 in VLAN 1
2950(config)#mac-address-table static 1111.1111.1111 vlan 1 int fa0/5
Note: on older switches, if this MAC address showed up on a different port, that host could not reach the network.
Note: on a 1900: 1900(config)#mac-address-table permanent

To clear CAM table entries
Switch# clear mac address-table dynamic [address <mac> | interface <interface> | vlan <vlan-id>]
If you do not want to wait for dynamic entries to age out, you can remove them manually right away.

To change the CAM table aging time
Switch(config)# mac address-table aging-time <seconds>
Default: 300 seconds

To view the contents of the CAM table
#show mac address-table dynamic [address <mac> | interface <interface> | vlan <vlan-id>]
[address <mac>]: to specify a single MAC address
[interface <interface>]: to see addresses that have been learned on a specific interface
[vlan <vlan-id>]: to see addresses that have been learned on a specific VLAN
Note: some platforms use show mac-address-table instead.
Note:
to find the learned location of the host with MAC address 0050.8b11.54da
#show mac address-table dynamic address 0050.8b11.54da
Mac Address Table
——————————————–
Vlan Mac Address Type Ports
—- ———– —- —–
54 0050.8b11.54da DYNAMIC Fa1/0/1
Total Mac Addresses for this criterion: 1
ex:
To see all the MAC addresses that are currently found on interface GigabitEthernet1/0/29
Switch# show mac address-table dynamic interface gigabitethernet1/0/29
Mac Address Table
———————————————–
Vlan Mac Address Type Ports
—- ———– —- —–
537 0013.7297.3d4b DYNAMIC Gi1/0/29
Total Mac Addresses for this criterion: 1

Note:
If the output shows no result, possible reasons are:
1. Nothing is shown about the interface and VLAN where the MAC address is found.
2. The host has not sent a frame that the switch can use to learn its location, or something odd is going on.
3. The host is using two network interface cards (NICs) to load balance traffic; one NIC only receives traffic while the other only sends, so the switch never hears (and never learns) the receive-only NIC's address.


To see the CAM table’s size
Switch# show mac address-table count
MAC address totals are shown for each active VLAN on the switch.
This can give you a good idea of the size of the CAM table and how many hosts are using the network.
ps:
Switch# show mac address-table count
Mac Entries for Vlan 1:
—————————
Dynamic Address Count : 0
Static Address Count : 0
Total Mac Addresses : 0
Mac Entries for Vlan 2:
—————————-
Dynamic Address Count : 89
Static Address Count : 0
Total Mac Addresses : 89
Mac Entries for Vlan 580:
—————————–
Dynamic Address Count : 600
Static Address Count : 0
Total Mac Addresses : 600
Total Mac Address Space Available: 4810