CCNP Routing and Switching SWITCH 300-115 Official Cert Guide (2015)

Part IV. Multilayer Switching

Chapter 11. Multilayer Switching

This chapter covers the following topics that you need to master for the CCNP SWITCH exam:

Image Inter-VLAN Routing: This section discusses how you can use a routing function with a switch to forward packets between VLANs.

Image Multilayer Switching with CEF: This section discusses Cisco Express Forwarding (CEF) and how it is implemented on Catalyst switches. CEF forwards or routes packets in hardware at a high throughput.

Image Verifying Multilayer Switching: This section provides a brief summary of the commands that can verify the configuration and operation of inter-VLAN routing, CEF, and fallback bridging.

Chapter 2, “Switch Operation,” presents a functional overview of how multilayer switching (MLS) is performed at Layers 3 and 4. The actual MLS process can take two forms: inter-VLAN routing and Cisco Express Forwarding (CEF). This chapter expands on multilayer switch operation by discussing both of these topics in greater detail.

“Do I Know This Already?” Quiz

The “Do I Know This Already?” quiz allows you to assess whether you should read this entire chapter thoroughly or jump to the “Exam Preparation Tasks” section. If you are in doubt based on your answers to these questions or your own assessment of your knowledge of the topics, read the entire chapter. Table 11-1 outlines the major headings in this chapter and the “Do I Know This Already?” quiz questions that go with them. You can find the answers in Appendix A, “Answers to the ‘Do I Know This Already?’ Quizzes.”


Table 11-1 “Do I Know This Already?” Section-to-Question Mapping

1. Which of the following arrangements can be considered inter-VLAN routing?

a. One switch, two VLANs, one connection to a router.

b. One switch, two VLANs, two connections to a router.

c. Two switches, two VLANs, two connections to a router.

d. All of these answers are correct.

2. How many interfaces are needed in a “router-on-a-stick” implementation for inter-VLAN routing among four VLANs?

a. 1

b. 2

c. 4

d. Cannot be determined

3. Which of the following commands configures a switch port for Layer 2 operation?

a. switchport

b. no switchport

c. ip address

d. no ip address

4. Which of the following commands configures a switch port for Layer 3 operation?

a. switchport

b. no switchport

c. ip address

d. no ip address

5. Which one of the following interfaces is an SVI?

a. interface fastethernet 0/1

b. interface gigabit 0/1

c. interface vlan 1

d. interface svi 1

6. What information must be learned before CEF can forward packets?

a. The source and destination of the first packet in a traffic flow

b. The MAC addresses of both the source and destination

c. The contents of the routing table

d. The outbound port of the first packet in a flow

7. Which of the following best defines an adjacency?

a. Two switches connected by a common link.

b. Two contiguous routes in the FIB.

c. Two multilayer switches connected by a common link.

d. The MAC address of a host is known.

8. Assume that CEF is active on a switch. What happens to a packet that arrives, but an ICMP redirect must be sent in return?

a. The packet is switched by CEF and kept intact.

b. The packet is fragmented by CEF.

c. The packet is dropped.

d. The packet is sent to the Layer 3 engine.

9. Suppose that a host sends a packet to a destination IP address and that the CEF-based switch does not yet have a valid MAC address for the destination. How is the ARP entry (MAC address) of the next-hop destination in the FIB obtained?

a. The sending host must send an ARP request for it.

b. The Layer 3 forwarding engine (CEF hardware) must send an ARP request for it.

c. CEF must wait until the Layer 3 engine sends an ARP request for it.

d. All packets to the destination are dropped.

10. During a packet rewrite, what happens to the source MAC address?

a. There is no change.

b. It is changed to the destination MAC address.

c. It is changed to the MAC address of the outbound Layer 3 switch interface.

d. It is changed to the MAC address of the next-hop destination.

11. What command can you use to view the CEF FIB table contents?

a. show fib

b. show ip cef fib

c. show ip cef

d. show fib-table

Foundation Topics

Inter-VLAN Routing

Recall that a Layer 2 network is defined as a broadcast domain. A Layer 2 network can also exist as a VLAN inside one or more switches. VLANs essentially are isolated from each other so that packets in one VLAN cannot cross into another VLAN.

To transport packets between VLANs, you must use a Layer 3 device. Traditionally, this has been a router’s function. The router must have a physical or logical connection to each VLAN so that it can forward packets between them. This is known as inter-VLAN routing.


Inter-VLAN routing can be performed by an external router that connects to each of the VLANs on a switch. Separate physical connections can be used, or the router can access each of the VLANs through a single trunk link. Part A of Figure 11-1 illustrates this concept. The external router also can connect to the switch through a single trunk link, carrying all the necessary VLANs, as illustrated in Part B of Figure 11-1. Part B illustrates what commonly is referred to as a “router-on-a-stick” or a “one-armed router” because the router needs only a single interface to do its job.


Figure 11-1 Examples of Inter-VLAN Routing Connections

Finally, Part C of Figure 11-1 shows how the routing and switching functions can be combined into one device: a multilayer switch. No external router is needed.

Types of Interfaces

Multilayer switches can perform both Layer 2 switching and inter-VLAN routing, as appropriate. Layer 2 switching occurs between interfaces that are assigned to Layer 2 VLANs or Layer 2 trunks. Layer 3 switching can occur between any type of interface, as long as the interface can have a Layer 3 address assigned to it.


As with a router, a multilayer switch can assign a Layer 3 address to a physical interface. It also can assign a Layer 3 address to a logical interface that represents an entire VLAN. This is known as a switched virtual interface (SVI), sometimes called a switch virtual interface (SVI). Keep in mind that the Layer 3 address you configure becomes the default gateway for any hosts that are connected to the interface or VLAN. The hosts will use the Layer 3 interface to communicate outside of their local broadcast domains.

Configuring Inter-VLAN Routing

Inter-VLAN routing first requires that routing be enabled for the Layer 3 protocol. In the case of IP, you would enable IP routing. In addition, you must configure static routes or a dynamic routing protocol. These topics are covered fully in the CCNP ROUTE course. By default, every switch port on most Catalyst switch platforms is a Layer 2 interface, whereas every switch port on a Catalyst 6500 is a Layer 3 interface. If an interface needs to operate in a different mode, you must explicitly configure it.

An interface is either in Layer 2 or Layer 3 mode, depending on the use of the switchport interface configuration command. You can display a port’s current mode with the following command:

Switch# show interface type member/module/number switchport

If the switchport: line in the command output is shown as enabled, the port is in Layer 2 mode. If this line is shown as disabled, as in the following example, the port is in Layer 3 mode:

Switch# show interface gigabitethernet 1/0/1 switchport
Name: Gi1/0/1
Switchport: Disabled


Whenever you see the term switch port, think Layer 2. So if the switch port is disabled, it must be Layer 3.

Figure 11-2 shows how the different types of interface modes can be used within a single switch.


Figure 11-2 Catalyst Switch with Various Types of Ports

Layer 2 Port Configuration


If an interface is in Layer 3 mode and you need to reconfigure it for Layer 2 functionality instead, use the following command sequence:

Switch(config)# interface type member/module/number
Switch(config-if)# switchport

The switchport command puts the port in Layer 2 mode. Then you can use other switchport command keywords to configure trunking, access VLANs, and so on. As displayed in Figure 11-2, several Layer 2 ports exist, each assigned to a specific VLAN. A Layer 2 port also can act as a trunk, transporting multiple Layer 2 VLANs.

Layer 3 Port Configuration


Physical switch ports also can operate as Layer 3 interfaces, where a Layer 3 network address is assigned and routing can occur, as shown previously in Figure 11-2. For Layer 3 functionality, you must explicitly configure switch ports with the following command sequence:

Switch(config)# interface type member/module/number
Switch(config-if)# no switchport
Switch(config-if)# ip address ip-address mask [secondary]

The no switchport command takes the port out of Layer 2 operation. You then can assign a network address to the port, as you would to a router interface.


By default, a Catalyst switch sets aside the appropriate amounts of TCAM space to perform Layer 3 operation for IPv4. If you intend to use IPv6 also, be sure to reconfigure the SDM template with the sdm prefer dual-ipv4-and-ipv6 command.


Keep in mind that a Layer 3 port assigns a network address to one specific physical interface. If several interfaces are bundled as an EtherChannel, the EtherChannel can also become a Layer 3 port. In that case, the network address is assigned to the port-channel interface—not to the individual physical links within the channel.

SVI Port Configuration

On a multilayer switch, you also can enable Layer 3 functionality for an entire VLAN on the switch. This allows a network address to be assigned to a logical interface—that of the VLAN itself. This is useful when the switch has many ports assigned to a common VLAN, and routing is needed in and out of that VLAN.

In Figure 11-2, you can see how an IP address is applied to the SVI called VLAN 10. Notice that the SVI itself has no physical connection to the outside world; to reach the outside, VLAN 10 must extend through a Layer 2 port or trunk to the outside.


The logical Layer 3 interface is known as an SVI. However, when it is configured, it uses the much more intuitive interface name vlan vlan-id, as if the VLAN itself is a physical interface. First, define or identify the VLAN interface; then assign any Layer 3 functionality to it with the following configuration commands:

Switch(config)# interface vlan vlan-id
Switch(config-if)# ip address ip-address mask [secondary]

The VLAN must be defined and active on the switch before the SVI can be used. Make sure that the new VLAN interface also is enabled with the no shutdown interface configuration command.


The VLAN and the SVI are configured separately, even though they interoperate. Creating or configuring the SVI does not create or configure the VLAN; you still must define each one independently.

As an example, the following commands show how VLAN 100 is created and then defined as a Layer 3 SVI:

Switch(config)# vlan 100
Switch(config-vlan)# name Example_VLAN
Switch(config-vlan)# exit
Switch(config)# interface vlan 100
Switch(config-if)# ip address
Switch(config-if)# no shutdown

Be aware that an SVI cannot become active until at least one Layer 2 port assigned to the VLAN has also become active and STP has converged. By automatically keeping the SVI down until the VLAN is ready, no other switching or routing functions can attempt to use the SVI prematurely. This function is called SVI autostate.

You might sometimes want the SVI to stay up even when no Layer 2 ports are active on the VLAN. For example, you might have a Layer 2 port configured for port mirroring to capture traffic. In that case, the port would not be up and functioning normally, so it should be excluded from affecting the state of the SVI. You can exclude a switch port with the following interface configuration command:

Switch(config-if)# switchport autostate exclude

Multilayer Switching with CEF

Catalyst switches can use several methods to forward packets based on Layer 3 and Layer 4 information. The current generation of Catalyst multilayer switches uses the efficient Cisco Express Forwarding (CEF) method. This section describes the evolution of multilayer switching and discusses CEF in detail. Although CEF is easy to configure and use, the underlying switching mechanisms are more involved and should be understood.

Traditional MLS Overview

Multilayer switching began as a dual effort between a route processor (RP) and a switching engine (SE). The basic idea is to “route once and switch many.” The RP receives the first packet of a new traffic flow between two hosts, as usual. A routing decision is made, and the packet is forwarded toward the destination.

To participate in multilayer switching, the SE must know the identity of each RP. The SE then can listen in to the first packet going to the router and also going away from the router. If the SE can switch the packet in both directions, it can learn a “shortcut path” so that subsequent packets of the same flow can be switched directly to the destination port without passing through the RP.

This technique also is known as NetFlow switching or route cache switching. Traditionally, NetFlow switching was performed on legacy Cisco hardware, such as the Catalyst 6000 Supervisor 1/1a and Multilayer Switch Feature Card (MSFC), Catalyst 5500 with a Route Switch Module (RSM), Route Switch Feature Card (RSFC), or external router. Basically, the hardware consisted of an independent RP component and a NetFlow-capable SE component.

CEF Overview

NetFlow switching has given way to a more efficient form of multilayer switching: Cisco Express Forwarding. Cisco developed CEF for its line of routers, offering high- performance packet forwarding through the use of dynamic lookup tables. CEF also has been carried over to the Catalyst switching platforms. CEF runs by default, taking advantage of the specialized hardware.

A CEF-based multilayer switch consists of two basic functional blocks, as shown in Figure 11-3: The Layer 3 engine is involved in building routing information that the Layer 3 forwarding engine can use to switch packets in hardware.


Figure 11-3 Packet Flow Through a CEF-Based Multilayer Switch

Forwarding Information Base


The Layer 3 engine (essentially a router) maintains routing information, whether from static routes or dynamic routing protocols. Basically, the routing table is reformatted into an ordered list with the most specific route first, for each IP destination subnet in the table. The new format is called a Forwarding Information Base (FIB) and contains routing or forwarding information that the network prefix can reference.

In other words, a route to might be contained in the FIB along with routes to and, if those exist. Notice that these examples are increasingly more specific subnets, as designated by the longer subnet masks. In the FIB, these would be ordered with the most specific, or longest match, first, followed by less specific subnets. When the switch receives a packet, it easily can examine the destination address and find the longest-match destination route entry in the FIB.

The FIB also contains the next-hop address for each entry. When a longest-match entry is found in the FIB, the Layer 3 next-hop address is found, too.

You might be surprised to know that the FIB also contains host route (subnet mask entries. These normally are not found in the routing table unless they are advertised or manually configured. Host routes are maintained in the FIB for the most efficient routing lookup to directly connected or adjacent hosts.

As with a routing table, the FIB is dynamic in nature. When the Layer 3 engine sees a change in the routing topology, it sends an update to the FIB. Anytime the routing table receives a change to a route prefix or the next-hop address, the FIB receives the same change. Also, if a next-hop address is changed or aged out of the Address Resolution Protocol (ARP) table, the FIB must reflect the same change.

You can display FIB table entries related to a specific interface or VLAN with the following form of the show ip cef command:

Switch# show ip cef [type member/module/number | vlan vlan-id] [detail]

The FIB entries corresponding to the VLAN 101 switched virtual interface might be shown as demonstrated in Example 11-1.

Example 11-1 Displaying FIB Table Entries for a Specified VLAN

Switch# show ip cef vlan 101
Prefix              Next Hop             Interface         attached             Vlan101             Vlan101             Vlan101

You also can view FIB entries by specifying an IP prefix address and mask, using the following form of the show ip cef command:

Switch# show ip cef [prefix-ip prefix-mask] [longer-prefixes] [detail]

The output in Example 11-2 displays any subnet within that is known by the switch, regardless of the prefix or mask length. Normally, only an exact match of the IP prefix and mask will be displayed if it exists in the CEF table. To see other longer match entries, you can add thelonger-prefixes keyword.

Example 11-2 Displaying FIB Table Entries for a Specified IP Prefix Address/Mask

Switch# show ip cef longer-prefixes
Prefix             Next Hop            Interface        attached            Vlan101            Vlan101            Vlan101        attached            Vlan102         Vlan99
                  Vlan99         Vlan99
                  Vlan99         Vlan99
[output omitted]

Notice that the first three entries are the same ones listed in Example 11-1. Other subnets also are displayed, along with their next-hop router addresses and switch interfaces.

You can add the detail keyword to see more information about each FIB table entry for CEF, as demonstrated in Example 11-3.

Example 11-3 Displaying Detailed CEF Entry Information

Switch# show ip cef detail, version 270, epoch 0, per-destination sharing
0 packets, 0 bytes
  via, Vlan99, 0 dependencies
    traffic share 1
    next hop, Vlan99
    valid adjacency
  via, Vlan99, 0 dependencies
    traffic share 1
    next hop, Vlan99
    valid adjacency
  0 packets, 0 bytes switched through the prefix
  tmstats: external 0 packets, 0 bytes
           internal 0 packets, 0 bytes

The version number describes the number of times the CEF entry has been updated since the table was generated. The epoch number denotes the number of times the CEF table has been flushed and regenerated as a whole. The subnet has two next-hop router addresses, so the local switch is using per-destination load sharing between the two routers.

After the FIB is built, packets can be forwarded along the bottom dashed path in Figure 11-3. This follows the hardware switching process, in which no “expensive” or time-consuming operations are needed. At times, however, a packet cannot be switched in hardware, according to the FIB. Packets then are marked as “CEF punt” and immediately are sent to the Layer 3 engine for further processing, as shown in the top dashed path in Figure 11-3. Some of the conditions that can cause this are as follows:

Image An entry cannot be located in the FIB.

Image The FIB table is full.

Image The IP Time-To-Live (TTL) has expired.

Image The maximum transmission unit (MTU) is exceeded, and the packet must be fragmented.

Image An Internet Control Message Protocol (ICMP) redirect is involved.

Image The encapsulation type is not supported.

Image Packets are tunneled, requiring a compression or encryption operation.

Image An access list with the log option is triggered.

Image A Network Address Translation (NAT) operation must be performed.

CEF operations can be handled on a single, fixed hardware platform. The FIB is generated and contained centrally in the switch. CEF also can be optimized through the use of specialized forwarding hardware, using the following techniques:

Image Accelerated CEF (aCEF): CEF is distributed across multiple Layer 3 forwarding engines, typically located on individual line cards in chassis-based Catalyst switches. These engines do not have the capability to store and use the entire FIB, so only a portion of the FIB is downloaded to them at any time. This functions as an FIB “cache,” containing entries that are likely to be used again. If FIB entries are not found in the cache, requests are sent to the Layer 3 engine for more FIB information. The net result is that CEF is accelerated on the line cards, but not necessarily at a sustained wire-speed rate.

Image Distributed CEF (dCEF): CEF can be distributed completely among multiple Layer 3 forwarding engines for even greater performance. Because the FIB is self- contained for complete Layer 3 forwarding, it can be replicated across any number of independent Layer 3 forwarding engines. For example, the Catalyst 6500 has line cards that support dCEF, each with its own FIB table and forwarding engine. A central Layer 3 engine maintains the routing table and generates the FIB, which is then dynamically downloaded in full to each of the line cards.

Adjacency Table

A router normally maintains a routing table containing Layer 3 network and next-hop information, and an ARP table containing Layer 3 to Layer 2 address mapping. These tables are kept independently.


Recall that the FIB keeps the Layer 3 next-hop address for each entry. To streamline packet forwarding even more, the FIB has corresponding Layer 2 information for every next-hop entry. This portion of the FIB is called the adjacency table, consisting of the MAC addresses of nodes that can be reached in a single Layer 2 hop.

You can display the adjacency table’s contents with the following command:

Switch# show adjacency [type member/module/number | vlan vlan-id] [summary |

As an example, the total number of adjacencies known on each physical or VLAN interface can be displayed with the show adjacency summary command, as demonstrated in Example 11-4.

Example 11-4 Displaying the Total Number of Known Adjacencies

Switch# show adjacency summary
Adjacency Table has 106 adjacencies
  Table epoch: 0 (106 entries at this epoch)
  Interface                 Adjacency Count
  Vlan99                    21
  Vlan101                   3
  Vlan102                   1
  Vlan103                   47
  Vlan104                   7
  Vlan105                   27

Adjacencies are kept for each next-hop router and each host that is connected directly to the local switch. You can see more detailed information about the adjacencies by using the detail keyword, as demonstrated in Example 11-5.

Example 11-5 Displaying Detailed Information About Adjacencies

Switch# show adjacency vlan 99 detail
Protocol Interface                 Address
IP       Vlan99          
                                   0 packets, 0 bytes
                                   epoch 0
                                   sourced in sev-epoch 0
                                   Encap length 14
                                   L2 destination address byte offset 0
                                   L2 destination address byte length 6
                                   Link-type after encap: ip
IP       Vlan99          
                                   1 packets, 104 bytes
                                   L2 destination address byte offset 0
                                   L2 destination address byte length 6
                                   Link-type after encap: ip
                                   L2 destination address byte offset 0
                                   L2 destination address byte length 6
                                   Link-type after encap: ip

Notice that the adjacency entries include both the IP address (Layer 3) and the MAC address (Layer 2) of the directly attached host. The MAC address could be shown as the first six octets of the long string of hex digits (as shaded in the previous output) or on a line by itself. The remainder of the string of hex digits contains the MAC address of the Layer 3 engine’s interface (six octets, corresponding to the Vlan99 interface in the example) and the EtherType value (two octets, where 0800 denotes IP).

The adjacency table information is built from the ARP table. Example 11-5 shows adjacency with the age of its ARP entry. As a next-hop address receives a valid ARP entry, the adjacency table is updated. If an ARP entry does not exist, the FIB entry is marked as “CEF glean.” This means that the Layer 3 forwarding engine cannot forward the packet in hardware because of the missing Layer 2 next-hop address. The packet is sent to the Layer 3 engine so that it can generate an ARP request and receive an ARP reply. This is known as the CEF glean state, in which the Layer 3 engine must glean the next-hop destination’s MAC address.

The glean state can be demonstrated in several ways, as demonstrated in Example 11-6.

Example 11-6 Displaying Adjacencies in the CEF Glean State

Switch# show ip cef adjacency glean
Prefix              Next Hop             Interface         attached             Vlan101         attached             EOBC0/0
[output omitted]
Switch# show ip arp
Switch# show ip cef detail, version 688, epoch 0, attached, connected
0 packets, 0 bytes
  via Vlan101, 0 dependencies
    valid glean adjacency

Notice that the FIB entry for directly connected host is present but listed in the glean state. The show ip arp command shows that there is no valid ARP entry for the IP address.

During the time that an FIB entry is in the CEF glean state waiting for the ARP resolution, subsequent packets to that host are immediately dropped so that the input queues do not fill and the Layer 3 engine does not become too busy worrying about the need for duplicate ARP requests. This is called ARP throttling or throttling adjacency. If an ARP reply is not received in 2 seconds, the throttling is released so that another ARP request can be triggered. Otherwise, after an ARP reply is received, the throttling is released, the FIB entry can be completed, and packets can be forwarded completely in hardware.

The adjacency table also can contain other types of entries so that packets can be handled efficiently. For example, you might see the following adjacency types listed:

Image Null adjacency: Used to switch packets destined for the null interface. The null interface always is defined on a router or switch; it represents a logical interface that silently absorbs packets without actually forwarding them.

Image Drop adjacency: Used to switch packets that cannot be forwarded normally. In effect, these packets are dropped without being forwarded. Packets can be dropped because of an encapsulation failure, an unresolved address, an unsupported protocol, no valid route present, no valid adjacency, or a checksum error. You can gauge drop adjacency activity with the following command:

Switch# show cef drop
CEF Drop Statistics
Slot  Encap_fail  Unresolved Unsupported    No_route     No_adj  ChkSum_Err
RP      8799327           1      45827     5089667        32          0

Image Discard adjacency: Used when packets must be discarded because of an access list or other policy action.

Image Punt adjacency: Used when packets must be sent to the Layer 3 engine for further processing. You can gauge the CEF punt activity by looking at the various punt adjacency reasons listed by the show cef not-cef-switched command:

Switch# show cef not-cef-switched
CEF Packets passed on to next switching layer
Slot  No_adj  No_encap  Unsupp'ted  Redirect  Receive  Options  Access  Frag
RP   3579706        0          0        0  41258564       0       0    0

The reasons shown are as follows:

Image No_adj: An incomplete adjacency

Image No_encap: An incomplete ARP resolution

Image Unsupp’ted: Unsupported packet features

Image Redirect: ICMP redirect

Image Receive: Layer 3 engine interfaces; includes packets destined for IP addresses that are assigned to interfaces on the Layer 3 engine, IP network addresses, and IP broadcast addresses

Image Options: IP options present

Image Access: Access list evaluation failure

Image Frag: Fragmentation failure

Packet Rewrite

When a multilayer switch finds valid entries in the FIB and adjacency tables, a packet is almost ready to be forwarded. One step remains: The packet header information must be rewritten. Keep in mind that multilayer switching occurs as quick table lookups to find the next-hop address and the outbound switch port. The packet is untouched and still has the original destination MAC address of the switch itself. The IP header also must be adjusted, as if a traditional router had done the forwarding.

The switch has an additional functional block that performs a packet rewrite in real time. The packet rewrite engine (shown in Figure 11-3) makes the following changes to the packet just before forwarding:


Image Layer 2 destination address: Changed to the next-hop device’s MAC address

Image Layer 2 source address: Changed to the outbound Layer 3 switch interface’s MAC address

Image Layer 3 IP TTL: Decremented by one because one router hop has just occurred

Image Layer 3 IP checksum: Recalculated to include changes to the IP header

Image Layer 2 frame checksum: Recalculated to include changes to the Layer 2 and Layer 3 headers

A traditional router normally would make the same changes to each packet. The multilayer switch must act as if a traditional router were being used, making identical changes. However, the multilayer switch can do this very efficiently with dedicated packet-rewrite hardware and address information obtained from table lookups.

Configuring CEF

CEF is enabled on all CEF-capable Catalyst switches by default. In fact, many switches run CEF inherently, so CEF never can be disabled.


Switches such as the Catalyst 3750 and 4500 run CEF by default, but you can disable CEF on a per-interface basis. You can use the no ip route-cache cef and no ip cef interface configuration commands to disable CEF on the Catalyst 3750 and 4500, respectively.

You should always keep CEF enabled whenever possible, except when you need to disable it for debugging purposes.

Verifying Multilayer Switching

The multilayer switching topics presented in this chapter are not difficult to configure; however, you might need to verify how a switch is forwarding packets. In particular, the following sections discuss the commands that you can use to verify the operation of inter-VLAN routing and CEF.

Verifying Inter-VLAN Routing

To verify the configuration of a Layer 2 port, you can use the following EXEC command:

Switch# show interface type member/module/number switchport

The output from this command displays the access VLAN or the trunking mode and native VLAN. The administrative modes reflect what has been configured for the port, whereas the operational modes show the port’s active status.

You can use this same command to verify the configuration of a Layer 3 or routed port. In this case, you should see the switchport (Layer 2) mode disabled, as in Example 11-7.

Example 11-7 Verifying Configuration of a Layer 3 Switch Port

Switch# show interface gigabitethernet 1/0/1 switchport
Name: Gi1/0/1
Switchport: Disabled

To verify the configuration of an SVI, you can use the following EXEC command:

Switch# show interface vlan vlan-id

The VLAN interface should be up, with the line protocol also up. If this is not true, either the interface is disabled with the shutdown command, the VLAN itself has not been defined on the switch, or there are no active Layer 2 switch interfaces configured to use the VLAN. Use the show vlan command to see a list of configured VLANs.

Example 11-8 shows the output produced from the show vlan command. Notice that each defined VLAN is shown, along with the switch ports that are assigned to it.

Example 11-8 Displaying a List of Configured VLANs

Switch# show vlan

VLAN Name                             Status     Ports
---- ---------------------------------- ----------- ------------------------------
1    default                          active    Gi1/0/1, Gi1/0/2, Gi1/0/3
                                                Gi1/0/4, Gi1/0/5, Gi1/0/6
                                                Gi1/0/7, Gi1/0/8, Gi1/0/9
                                                Gi1/0/10, Gi1/0/11, Gi1/0/12
                                                Gi1/0/13, Gi1/0/14, Gi1/0/15
                                                Gi1/0/16, Gi1/0/17, Gi1/0/18
                                                Gi1/0/19, Gi1/0/20, Gi1/0/21
                                                Gi1/0/25, Gi1/0/26, Te1/0/1
2    VLAN0002                         active     Gi1/0/22
5    VLAN0005                         active
10   VLAN0010                         active
11   VLAN0011                         active     Gi1/0/23
12   VLAN0012                         active
99   VLAN0099                         active     Gi1/0/24

You also can display the IP-related information about a switch interface with the show ip interface command, as demonstrated in Example 11-9.

Example 11-9 Displaying IP-Related Information About a Switch Interface

Switch# show ip interface vlan 101
Vlan101 is up, line protocol is up
  Internet address is
  Broadcast address is
  Address determined by setup command
  MTU is 1500 bytes
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  Local Proxy ARP is disabled
  Security level is default
  Split horizon is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
  ICMP mask replies are never sent
  IP fast switching is enabled
  IP fast switching on the same interface is disabled
  IP Flow switching is disabled
  IP CEF switching is enabled
  IP Feature Fast switching turbo vector
  IP Feature CEF switching turbo vector
  IP multicast fast switching is enabled
  IP multicast distributed fast switching is disabled
  IP route-cache flags are Fast, Distributed, CEF
  Router Discovery is disabled
  IP output packet accounting is disabled
  IP access violation accounting is disabled
  TCP/IP header compression is disabled
  RTP/IP header compression is disabled
  Probe proxy name replies are disabled
  Policy routing is disabled
  Network address translation is disabled
  WCCP Redirect outbound is disabled
  WCCP Redirect inbound is disabled
  WCCP Redirect exclude is disabled
  BGP Policy Mapping is disabled
  Sampled Netflow is disabled
  IP multicast multilayer switching is disabled

You can use the show ip interface brief command to see a summary listing of the Layer 3 interfaces involved in routing IP traffic, as demonstrated in Example 11-10.

Example 11-10 Displaying a Summary Listing of Interfaces Routing IP Traffic

Switch# show ip interface brief
Interface                  IP-Address      OK? Method Status                Protocol
Vlan1                      unassigned      YES NVRAM  administratively down down
Vlan54                   YES manual up                    up
Vlan101                  YES manual up                    up
GigabitEthernet1/0/10        YES manual up                    up
[output omitted]

Verifying CEF

CEF operation depends on the correct routing information being generated and downloaded to the Layer 3 forwarding engine hardware. This information is contained in the FIB and is maintained dynamically. To view the entire FIB, use the following EXEC command:

Switch# show ip cef

Example 11-11 shows sample output from this command.

Example 11-11 Displaying the FIB Contents for a Switch

Switch# show ip cef
Prefix              Next Hop             Interface          receive    attached             Vlan1    receive    receive        Vlan1  receive

On this switch, only VLAN 1 has been configured with the IP address Notice several things about the FIB for such a small configuration:

Image An FIB entry has been reserved for the default route. No next hop is defined, so the entry is marked “receive” so that packets will be sent to the Layer 3 engine for further processing.

Image The subnet assigned to the VLAN 1 interface is given its own entry. This is marked “attached” because it is connected directly to an SVI, VLAN 1.

Image An FIB entry has been reserved for the exact network address. This is used to contain an adjacency for packets sent to the network address, if the network is not directly connected. In this case, there is no adjacency, and the entry is marked “receive.”

Image An entry has been reserved for the VLAN 1 SVI’s IP address. Notice that this is a host route (/32). Packets destined for the VLAN 1 interface must be dealt with internally, so the entry is marked “receive.”

Image This is an entry for a neighboring multilayer switch, found on the VLAN 1 interface. The Next Hop field has been filled in with the same IP address, denoting that an adjacency is available.

Image An FIB entry has been reserved for the subnet’s broadcast address. The route processor (Layer 3 engine) handles all directed broadcasts, so the entry is marked “receive.”

To see complete FIB table information for a specific interface, use the following EXEC command:

Switch# show ip cef type member/module/number [detail]

Exam Preparation Tasks

Review All Key Topics

Review the most important topics in the chapter, noted with the Key Topic icon in the outer margin of the page. Table 11-2 lists a reference of these key topics and the page numbers on which each is found.



Table 11-2 Key Topics for Chapter 11

Complete Tables and Lists from Memory

There are no memory tables in this chapter.

Define Key Terms

Define the following key terms from this chapter, and check your answers in the glossary:

inter-VLAN routing



adjacency table

packet rewrite

Use Command Reference to Check Your Memory

This section includes the most important configuration and EXEC commands covered in this chapter. It might not be necessary to memorize the complete syntax of every command, but you should be able to remember the basic keywords that are needed.

To test your memory of the inter-VLAN routing and CEF configuration and verification commands, use a piece of paper to cover the right side of Tables 11-3 and 11-4, respectively. Read the description on the left side, and then see how much of the command you can remember. Remember that the CCNP exam focuses on practical or hands-on skills that are used by a networking professional.


Table 11-3 Inter-VLAN Routing Configuration Commands


Table 11-4 Multilayer Switching Verification Commands