White Paper
Switch Virtual Interface for Cisco Integrated Services Routers
Introduction
This document provides an overview of the switch virtual interface (SVI) for Cisco® Integrated Services Routers.
Cisco offers several integrated switching modules for the modular Cisco 3900, 3800, 2900, 2800, 1900 and 1800 Series Integrated Services Routers: the Cisco 4- and 8-Port Gigabit Ethernet Enhanced High-Speed WAN Interface Cards (EHWICs), 16- and 36-port Cisco EtherSwitch® modules, the Cisco EtherSwitch 4- and 9-port high-speed WAN interface cards (HWICs), the Cisco EtherSwitch service modules, and the Enhanced Cisco EtherSwitch service modules. In addition, the Cisco 1800 and 890 Series fixed-configuration Integrated Services Routers are integrated with an 8-port switch. The Cisco 880, 870, 860 and 850 Series Integrated Services Routers are integrated with a 4-port switch.
The integrated switch ports for the fixed-configuration Integrated Services Routers and the switch ports on the HWICs/EHWICs do not natively support Layer 3 addresses or Layer 3 features. They must be assigned to an SVI and use a VLAN interface for Layer 3 features. An SVI represents a logical Layer 3 interface on a switch. In addition to basic routing, an SVI can be used to support additional features for the network that the SVI represents.
Table 1 lists the Cisco IOS® Software features supported by SVI and summarizes the typical use of these features. Please refer to the Feature Navigator Tool to check whether a specific platform supports a specific feature.
Table 1. Cisco IOS Software Features Supported by SVI

Routing Features

| Cisco IOS Software Feature | SVI Use Scenario | SVI Support Status |
|---|---|---|
| Routing protocols | Interconnects Layer 3 networks using protocols such as Routing Information Protocol (RIP), Open Shortest Path First (OSPF) Protocol, and Enhanced Interior Gateway Routing Protocol (EIGRP) configured under SVI | Yes |
| IP Version 6 (IPv6) | Provides IPv6 support | Yes |
| Network Address Translation (NAT) | Translates public IP addresses to private address pools, and private addresses to public IP addresses; SVI is typically used as a NAT inside interface | Yes |
| Dynamic Host Configuration Protocol (DHCP) | DHCP server feature: Dynamically assigns private IP addresses to devices connected to the switch ports. DHCP client feature: Allows the SVI to receive a dynamically assigned IP address | Yes |
| Hot Standby Routing Protocol (HSRP) | Supports redundancy and high availability with a secondary device connected to the LAN with SVI, using HSRP | Yes |
| Virtual Router Redundancy Protocol (VRRP) | Supports redundancy and high availability with a secondary device connected to the LAN with SVI, using VRRP | Yes |
| Gateway Load Balancing Protocol (GLBP) | Supports redundancy and high availability with a secondary device connected to the LAN with SVI, using GLBP | No |
| Policy-Based Routing (PBR) | Creates policy maps for routing decisions and QoS settings | Yes |
| Point-to-Point Protocol (PPP) over Ethernet (PPPoE) | Provides PPPoE client support for a device (such as a DSL modem) connected to the switch port; typically used when the SVI is the only interface available to provide backup using the external device | Yes |
| Multicast | Provides multicast support for clients connected to the switch ports | Yes |
| VPN Routing and Forwarding (VRF) | Associates a VRF instance with an SVI to map VLANs to different logical or physical VPN WAN connections | Yes |
| Layer 2 Tunnel Protocol Version 3 (L2TPv3) | Provides LAN extension between remote sites; SVI is used as the Layer 2 tunnel termination point | Yes (12.4(20)T or later) |
© 2011 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Security Features

| Cisco IOS Software Feature | SVI Use Scenario | SVI Support Status |
|---|---|---|
| IP Security (IPsec) | Supports Easy VPN remote as the inside interface. Provides IPsec tunnel termination on the SVI; typically used when SVI is the only interface available to provide backup WAN connection with an external device (such as a DSL modem) | Yes |
| Generic Routing Encapsulation (GRE) | Provides GRE tunnel termination on the SVI; typically used when SVI is the only interface available to provide backup WAN connection with an external device (such as a DSL modem) | Yes |
| Firewall | Provides Firewall support for VLANs | Yes * |
| Intrusion Prevention System (IPS) | Provides IPS support for VLANs | Yes |
| IP access control lists (ACLs) | Provides packet filtering to control network traffic and restrict the access of users and devices to the network | Yes |
| Network Admission Control (NAC) | Enforces NAC of endpoint devices connected to the VLAN | Yes |
| Auth-proxy | Authenticates inbound and outbound users connected to the VLAN | Yes |

Quality-of-Service (QoS) Features

| Cisco IOS Software Feature | SVI Use Scenario | SVI Support Status |
|---|---|---|
| Classification with standard and extended access list | Provides QoS classification with standard and extended access lists | Yes (CSCsi01713) |
| Classification with IP type of service (ToS): IP precedence, differentiated services code point (DSCP), or destination address | Provides QoS classification with IP ToS bits | Yes |
| Classification with Network-Based Application Recognition (NBAR) with TCP | Provides QoS classification with NBAR TCP traffic | Yes |
| Class-based marking | Provides QoS marking based on user-defined traffic class with DSCP and IP precedence values | Yes |
| Policing | Limits the input or output transmission rate on SVI and specifies traffic handling policies when the traffic either conforms to or exceeds the specified rate limits | Yes (15.1(1)T or later) |
| Committed Access Rate | Limits the input or output transmission rate on SVI | Yes |
| Class-Based Traffic Shaping | Provides Generic Traffic Shaping based on user defined traffic class | No |
| Generic-Traffic Shaping | Limits the transmission rate of data to match the speed of the remote, target interface and helps ensure that the traffic conforms to policies contracted for it | No |
| Weighted Random Early Detection (WRED) | Provides early detection of congestion and differentiated performance characteristics for different classes of service | No |
| Class-Based Weighted Fair Queue (CBWFQ) | Allocates bandwidth based on user-defined traffic class | No |
| Low-Latency Queue (LLQ) | Provides strict priority queuing with CBWFQ to allow delay-sensitive data such as voice to be dequeued and sent first, giving delay-sensitive data preferential treatment over other traffic | No |
| Hierarchical QoS | Using a modular QoS command-line interface (CLI) in a hierarchical structure, provides a high degree of granularity for QoS policies and helps meet complex service-level agreement (SLA) requirements | No |

* Transparent Firewall is only supported between a VLAN and WAN interfaces. It’s not supported between 2 or more VLANs.
Please refer to CSCse92575.
Conclusion
SVI on Cisco Integrated Services Routers is designed to provide basic Layer 3 functions for the Layer 2 switch ports
that belong to a specific VLAN. The SVI does not provide the same feature set and functions as the integrated Layer
3 Ethernet ports of the integrated services routers and should not be used to entirely replace the Layer 3 Ethernet
ports. Customers who need additional Layer 3 Ethernet ports for their Integrated Services Routers may consider the
use of 1- and 2-Port Fast Ethernet High-Speed WIC for modular ISR platforms. The guidelines presented in this
document summarize feature support considerations for an Integrated Services Router deployment that uses SVIs.
For More Information
Please refer to the following links for more information:
Cisco 4- and 8-Port Gigabit Ethernet Enhanced High-Speed WAN Interface Cards:
1- and 2-Port Fast Ethernet High-Speed WIC for Cisco 1841, 2800, and 3800 Integrated Services Routers:
SVI Configuration Examples
Zone-Based Policy Firewall
http://www.cisco.com/en/US/products/ps6350/products_feature_guide09186a008072c6e3.html
DHCP
! SDM Default Configuration
! The default startup configuration file for Cisco Router and Security Device Manager (SDM)
! DO NOT modify this file; it is required by SDM as is for factory defaults
! Version 1.0
!
hostname yourname
!
logging buffered 51200 warnings
!
username cisco privilege 15 secret 0 cisco
!
ip dhcp excluded-address 10.10.10.1
!
ip dhcp pool sdm-pool
 import all
 network 10.10.10.0 255.255.255.248
 default-router 10.10.10.1
 lease 0 2
!
no ip domain lookup
ip domain-name yourdomain.com
!
interface FastEthernet2
 no ip address
 no shutdown
!
interface FastEthernet3
 no ip address
 no shutdown
!
interface FastEthernet4
 no ip address
 no shutdown
!
interface FastEthernet5
 no ip address
 no shutdown
!
interface FastEthernet6
 no ip address
 no shutdown
!
interface FastEthernet7
 no ip address
 no shutdown
!
interface FastEthernet8
 no ip address
 no shutdown
!
interface FastEthernet9
 no ip address
 no shutdown
!
interface Vlan1
 description $ETH-SW-LAUNCH$$INTF-INFO-FE 2$
 ip address 10.10.10.1 255.255.255.248
 ip tcp adjust-mss 1452
!
ip http server
ip http access-class 23
ip http secure-server
ip http authentication local
ip http timeout-policy idle 60 life 86400 requests 10000
!
access-list 23 permit 10.10.10.0 0.0.0.7
!
banner login ^
--------------------------------------------------------------------
Cisco Router and Security Device Manager (SDM) is installed on this device.
This feature requires the one-time use of the username "cisco" with the password
"cisco". The default username and password have a privilege level of 15.
Please change these publicly known initial credentials using SDM or the IOS CLI.
Here are the Cisco IOS commands.
username <myuser> privilege 15 secret 0 <mypassword>
no username cisco
Replace <myuser> and <mypassword> with the username and password you want to use.
For more information about SDM please follow the instructions in the QUICK START
GUIDE for your router or go to http://www.cisco.com/go/sdm
---------------------------------------------------------------------
^
!
no cdp run
!
!
line con 0
 login local
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
 transport input telnet ssh
line vty 5 15
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
 transport input telnet ssh
!
! End of SDM default config file
end
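A small audit over the SDM default configuration above: it flags the publicly known cisco/cisco account that the login banner asks you to change, along with the cleartext management settings (Telnet on the vty lines, plain HTTP server). This is an added example, not part of the Cisco white paper; the function names and finding labels are this example's own.

```python
import re

# Excerpt of the SDM default configuration shown above, indentation restored.
SDM_DEFAULT = """\
username cisco privilege 15 secret 0 cisco
ip http server
ip http secure-server
line vty 0 4
 access-class 23 in
 privilege level 15
 login local
 transport input telnet
 transport input telnet ssh
"""

def parse_blocks(config):
    """Group indented sub-commands under their parent line (IOS layout)."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' comment separators
        if raw[0].isspace() and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = raw.strip()
            blocks.setdefault(current, [])
    return blocks

def audit(config):
    """Return sorted finding names; the names are this example's own labels."""
    findings = set()
    for parent, subs in parse_blocks(config).items():
        user = re.match(r"username (\S+) .*\bsecret 0 (\S+)$", parent)
        if user and user.group(1) == user.group(2) == "cisco":
            findings.add("default-credentials")   # the pair the banner warns about
        if parent == "ip http server":
            findings.add("cleartext-http-management")
        if parent.startswith("line vty"):
            if any(re.match(r"transport input\b.*\btelnet\b", s) for s in subs):
                findings.add("telnet-on-vty")     # Telnet is unencrypted
            if "privilege level 15" in subs:
                findings.add("vty-privilege-15")  # sessions start fully privileged
            if not any(s.startswith("access-class ") for s in subs):
                findings.add("vty-without-access-class")
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SDM_DEFAULT):
        print(finding)
```
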
HSRP
Router A Config
interface Loopback0
 no ip address
!
interface FastEthernet0
 ip address 100.0.0.4 255.255.255.0
 duplex auto
 speed auto
!
interface FastEthernet2
 switchport mode trunk
!
interface Vlan1
 no ip address
!