Category: LAN

Ken McCoy sent me a short question:

At one point someone posted an article about a command you could run on the Catalyst switch that would give you back the distance of the cable between the switch and end device, but now I can't find it.

I remembered reading the same article and after I've figured out the underlying technology is called TDR (Time Domain Reflectometer), uncle Google immediately provided a reader tip from Csaba Farkas.

Harold Arley Morales has asked an interesting question:

What's the difference between Cisco Express Forwarding and Cisco MLS? Is Cisco's implementation of MLS standardized?

CEF is a routing table lookup mechanism. Instead of doing a lookup in the main IP routing table (displayed with the show ip route), the router does a lookup in a fully computed non-recursive version of the IP routing table (Forwarding Information Base - FIB) with layer-2 next-hop information attached to it (adjacency table).

MLS is a caching mechanism (similar to Netflow) that offloads layer-3 processing from the routing component into layer-2 ASICs that cannot perform full-blown layer-3 switching. When the layer-2 engine detects a single IP packet traversing multiple VLANs, the MLS populates the cache with the flow details and the subsequent packets belonging to the same flow (same source/destination IP addresses and port numbers ...) are switched without going through all the layer-3 mechanisms (for example, access lists). The Multilayer Switching Overview document gives you additional details.

The MLS uses a proprietary protocol (MLSP) through which the layer-2 switches identify routers.

This article is part of You've asked for it series.

CCIE Pursuit writes about the usage of MAC addresses on SVI (VLAN) interfaces on various Catalyst switches. Some switches might reuse the same MAC address on multiple VLANs, leading to interesting problems if another box bridges those VLANs (for example, a transparent firewall).

Rob van Ooijen has sent me a really interesting question:

I've configured a switch port to be unconditionally a trunk with the switchport mode trunk configuration command. However, when the interface was enabled, I've got a dynamic trap indicating the trunking was still dynamic (and the show commands also showed negotiation of trunking is enabled).

In fact, adjacent layer-2 devices can negotiate a number of things these days, among them:

Mohammad Faraz Rehan has encountered an interesting problem when using IP access-list based class/policy maps on Catalyst 3750:

When I try to apply the same service-policy to more than 15 interfaces, the configuration command fails and the switch generates the following syslog message:

%QOSMGR-4-POLICER_PLATFORM_NOT_SUPPORTED: Policer configuration has exceeded hardware limitation for policymap …

I've tried to help him with various TCAM-related information and in the end he found an interesting solution to the problem:

It looks like there is a limit related to using the same access-list/class-map/policy-map on multiple interfaces.

The first time I was applying the same policy-map (19 classes/19 ACLs/46 ACL lines) on all interfaces, but the switch would not accept it on more than 15 interfaces. Another test scenario had 18 classes/18 ACLs/52 ACL entries and the same policy-map would only work on 13 interfaces.

Now we implemented 24 different policy-maps, class-maps and ACLs remained the same, and the switch is happy.

Catalyst switches have an interesting internal architecture that uses a Ternary Content Addressable Memory (TCAM) to perform a variety of lookups. For example:

• If a CAM entry matches on destination MAC address, it performs L2 switching (aka bridging)
• If it matches on destination IP address, it performs L3 switching (aka routing)
• If it matches on a combination of source/destination IP addresses and ports, it can be used to implement access lists, QoS mechanisms or policy routing

To make things even more interesting, multiple TCAM entries use the same mask (don't care bits) as explained in the Understanding ACL on Catalyst 6500 Series Switches white paper. Most of that information also applies to the Catalyst 3750 platform, more details are available in the Understanding and Configuring Switching Database Manager on Catalyst 3750 Series Switches document (here is the corresponding document for Catalyst 3550). As the TCAM size on Catalyst 3750 might not be large enough, you can split it in various ways with the SDM templates.

Occasionally someone would try to persuade me that the layer-2 VPN services are like aspirin (you know, totally harmless plus it could get rid of all your headaches). OK, that might be true if you take the layer-2 VPN offering as a pure transport solution and plug in an extra router (sometimes also called a layer-3 switch by marketing people) between the Service Provider’s Ethernet (or whatever they give you) and your LAN. But there are people who don’t know the details and plug the SP Ethernet straight into their L2 switch … and things might even work for a while … until the whole network collapses.

The Static routing with Catalyst 3750 post has generated a lot of good, creative ideas. Some of the proposed solutions were better than the others and some were simply not implementable (but nonetheless, had great creative potential :). Here is my list of the favorites:

A routing protocol: as a few of you have rightly pointed out, this is the best choice.

Aggressive Unidirectional Link Detection (UDLD): this is my second favorite, as it's a reliable link-level mechanism that will detect a break in the fiber cable … exactly the right tool for the job.

I've recently replaced my old home router (well, actually a combination of two low-end models, one could handle ISDN and the other one 3DES) with a 1812. After I've struggled past the “interesting” interface names (it has 8 switched ports, named FastEthernet2 to FastEthernet9) and brushed up my BVI/VLAN skills, configuring it was a breeze … only the DHCP server was causing me problems; every time my laptop would wake from the standby mode, it would take almost half a minute before it got the LAN IP address. The obvious suspect (as I've installed the 12.4(15)T on it) was the software, the next one DHCP ping timers.

After replacing the software (didn't help) and tweaking DHCP timers (no change), it finally dawned on me: the ethernet ports are switched, so the spanning tree was playing tricks with me. Disabling spanning tree with the spanning-tree portfast interface configuration command solved the problem.