Layer 4 device on a Layer 3 switch

Discussion in 'Cisco' started by Warrick FitzGerald, Feb 24, 2004.

  1. I have an Alteon Ace Director 3, which is a Layer 4-7 device responsible
    for load balancing a set of web servers.

    Traffic entering the network is NAT'd from the public address to the
    virtual IP address of the Layer 4 device, and the Layer 4 device is then
    responsible for substituting the destination IP address with that of one of
    the real servers it load balances.

    Public
    |
    NAT
    |
    Virtual IP
    |
    Group Of real servers

    What I don't understand is when Layer 3 switching enters the equation. The
    real servers have their default gateway set to the interface on the Layer 4
    device, and by all logic a packet with a source IP of a real server
    should never reach the firewall, especially if the TCP session was
    initiated from a public IP outside of my network and then connected
    through the Layer 4 device.

    Is it possible that the 6509 that this Layer 4 device is plugged into is
    forwarding packets from one VLAN to another and bypassing the expected
    flow of traffic through the Layer 4 device, so that packets are not
    getting rewritten with the correct source IP?

    How does one know when the switch will use L3 switching?

    How can I safely disable L3 switching to test that this is not my problem?

    Thanks
    Warrick
    Warrick FitzGerald, Feb 24, 2004
    #1

  2. Is the Alteon on the same subnet as your real servers? If so, the real
    servers will never use the default gateway, since they can just send back to
    the web director. The 6509 isn't really doing anything here, since all of
    the communication is at layer 2. No routing or layer 3 switching takes
    place except from the Alteon to the 6509.

    Craig Johnson, CCIE #6965
    "Warrick FitzGerald" <> wrote in message
    news:p...
    > I have an Alteon Ace Director 3, which is a Layer 4-7 device responsible
    > for load balancing a set of web servers.
    >
    > Traffic entering the network is NAT'd from the public address to the
    > virtual IP address of the Layer 4 device, and the Layer 4 device is then
    > responsible for substituting the destination IP address with that of one of
    > the real servers it load balances.
    >
    > Public
    > |
    > NAT
    > |
    > Virtual IP
    > |
    > Group Of real servers
    >
    > What I don't understand is when Layer 3 switching enters the equation. The
    > real servers have their default gateway set to the interface on the Layer 4
    > device, and by all logic a packet with a source IP of a real server
    > should never reach the firewall, especially if the TCP session was
    > initiated from a public IP outside of my network and then connected
    > through the Layer 4 device.
    >
    > Is it possible that the 6509 that this Layer 4 device is plugged into is
    > forwarding packets from one VLAN to another and bypassing the expected
    > flow of traffic through the Layer 4 device, so that packets are not
    > getting rewritten with the correct source IP?
    >
    > How does one know when the switch will use L3 switching?
    >
    > How can I safely disable L3 switching to test that this is not my problem?
    >
    > Thanks
    > Warrick
    >
    Craig Johnson, Feb 24, 2004
    #2

  3. On Tue, 24 Feb 2004 06:25:43 -0600, Craig Johnson wrote:

    > Is the Alteon on the same subnet as your real servers? If so, the real
    > servers will never use the default gateway, since they can just send back
    > to the web director. The 6509 isn't really doing anything here, since
    > all of the communication is at layer 2. No routing or layer 3 switching
    > takes place except from the Alteon to the 6509.
    >

    The Alteon has multiple interfaces on it. It has one interface connected
    to VLAN 3, which is where the inbound internet traffic gets NAT'd to, and
    another interface on VLAN 10, which is where my real servers are.

    When the packet arrives at the real server it still has the source address
    of the internet client (public IP). The real server, when responding to the
    public IP, must then use its default gateway to get out (which is of
    course the Alteon interface on that VLAN).

    In essence the Alteon bridges the VLANs in much the same way that the
    MSFC modules / routers do.

    Thanks
    Warrick
    Warrick FitzGerald, Feb 24, 2004
    #3
  4. I see. You are correct; the real NAT IPs of the servers should never be
    seen on the outside. The Alteon pretty much acts like a normal router in
    this way. Your 6509 is completely oblivious to what happens after traffic
    hits the Alteon.

    I think you may be confusing layer 3 switching. Layer 3 switching is just
    routing. You can't really disable it without disabling routing. Some
    marketing guys made the term up a few years ago because switching sounds
    fast and routing sounds slow. Just think of the 6509 as a router with a
    whole lot of ports on it. Let me know if that clears anything up.

    Craig Johnson, CCIE #6965

    "Warrick FitzGerald" <> wrote in message
    news:p...
    > On Tue, 24 Feb 2004 06:25:43 -0600, Craig Johnson wrote:
    >
    > > Is the Alteon on the same subnet as your real servers? If so, the real
    > > servers will never use the default gateway, since they can just send back
    > > to the web director. The 6509 isn't really doing anything here, since
    > > all of the communication is at layer 2. No routing or layer 3 switching
    > > takes place except from the Alteon to the 6509.
    > >
    >
    > The Alteon has multiple interfaces on it. It has one interface connected
    > to VLAN 3, which is where the inbound internet traffic gets NAT'd to, and
    > another interface on VLAN 10, which is where my real servers are.
    >
    > When the packet arrives at the real server it still has the source address
    > of the internet client (public IP). The real server, when responding to the
    > public IP, must then use its default gateway to get out (which is of
    > course the Alteon interface on that VLAN).
    >
    > In essence the Alteon bridges the VLANs in much the same way that the
    > MSFC modules / routers do.
    >
    > Thanks
    > Warrick
    >
    Craig Johnson, Feb 24, 2004
    #4
  5. On Tue, 24 Feb 2004 08:34:57 -0600, Craig Johnson wrote:

    > I see. You are correct; the real NAT IPs of the servers should never be
    > seen on the outside. The Alteon pretty much acts like a normal router in
    > this way. Your 6509 is completely oblivious to what happens after traffic
    > hits the Alteon.
    >
    > I think you may be confusing layer 3 switching. Layer 3 switching is just
    > routing. You can't really disable it without disabling routing. Some
    > marketing guys made the term up a few years ago because switching sounds
    > fast and routing sounds slow. Just think of the 6509 as a router with a
    > whole lot of ports on it. Let me know if that clears anything up.

    I guess the piece I don't understand is how it makes these L3 decisions.
    In a normal L2 environment the CAM table is built up using regular MAC
    addresses. When this concept is applied to L3 switching / routing, does the
    switch maintain some kind of table for doing the same thing?

    If this were the case, then I would expect that L3 switching would only
    come into play when the destination IP address in the packet is on one of
    the MSFC router's locally connected VLANs?

    If I'm understanding you correctly, the only difference between L3
    switching and routing is that the internal routers have a hook into the
    backplane, so that instead of having to read the packet into the router
    and then route it to another VLAN, they simply send an instruction to the
    backplane to copy the packet from point A to point B without having to
    fully traverse the router?

    Thanks for all your help
    Warrick
    Warrick FitzGerald, Feb 24, 2004
    #5
  6. A layer 3 switch makes forwarding decisions just like any other router, with
    its routing table. If you just have VLANs, it forwards between these directly
    connected interfaces. You are mostly correct about when layer 3 decisions
    are made, but the destination doesn't have to be local. If it has routes,
    whether connected, static or dynamic, the switch will rewrite the
    destination MAC and next hop IP to forward. The biggest difference is that
    you don't explicitly have to copy the frame to the router, which is where
    the performance benefit is. Logically, however, layer 3 switching and
    routing are exactly the same.

    Craig Johnson, CCIE #6965
    "Warrick FitzGerald" <> wrote in message
    news:p...
    > On Tue, 24 Feb 2004 08:34:57 -0600, Craig Johnson wrote:
    >
    > > I see. You are correct; the real NAT IPs of the servers should never be
    > > seen on the outside. The Alteon pretty much acts like a normal router in
    > > this way. Your 6509 is completely oblivious to what happens after traffic
    > > hits the Alteon.
    > >
    > > I think you may be confusing layer 3 switching. Layer 3 switching is just
    > > routing. You can't really disable it without disabling routing. Some
    > > marketing guys made the term up a few years ago because switching sounds
    > > fast and routing sounds slow. Just think of the 6509 as a router with a
    > > whole lot of ports on it. Let me know if that clears anything up.
    >
    > I guess the piece I don't understand is how it makes these L3 decisions.
    > In a normal L2 environment the CAM table is built up using regular MAC
    > addresses. When this concept is applied to L3 switching / routing, does the
    > switch maintain some kind of table for doing the same thing?
    >
    > If this were the case, then I would expect that L3 switching would only
    > come into play when the destination IP address in the packet is on one of
    > the MSFC router's locally connected VLANs?
    >
    > If I'm understanding you correctly, the only difference between L3
    > switching and routing is that the internal routers have a hook into the
    > backplane, so that instead of having to read the packet into the router
    > and then route it to another VLAN, they simply send an instruction to the
    > backplane to copy the packet from point A to point B without having to
    > fully traverse the router?
    >
    > Thanks for all your help
    > Warrick
    >
    Craig Johnson, Feb 24, 2004
    #6
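The two points Craig makes in replies #2 and #6 (a host only uses its default gateway for destinations outside its own subnet, and a "layer 3 switch" is a router that rewrites the Ethernet header while leaving the IP addresses alone) can be made concrete with a small model. The following is an added example written for this page, not code from the thread or from any Cisco or Alteon product; the VLAN numbers follow Warrick's description, while every IP address, MAC address and port name is constructed.

```python
"""Toy model of a Layer 3 switch: a per-VLAN CAM table for Layer 2 forwarding and a
routing table for Layer 3 forwarding. Added example; all addresses are constructed."""
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional, Tuple


@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    ttl: int = 64


def host_next_hop(host_iface: str, dst_ip: str, gateway: str) -> str:
    """A host's own forwarding decision: a destination inside the directly connected
    subnet is reached at Layer 2; anything else is handed to the default gateway."""
    iface = ipaddress.ip_interface(host_iface)
    return dst_ip if ipaddress.ip_address(dst_ip) in iface.network else gateway


class L3Switch:
    def __init__(self, svi_mac: str):
        self.svi_mac = svi_mac   # MAC that hosts address when they use the switch as gateway
        self.cam = {}            # (vlan, mac) -> port, learned from source MACs
        self.arp = {}            # ip -> mac, assumed already resolved
        self.routes = []         # (IPv4Network, next_hop_ip or None, egress vlan)

    def add_route(self, prefix: str, vlan: int, next_hop: Optional[str] = None):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, vlan))

    def lookup_route(self, dst_ip: str):
        """Longest-prefix match over connected and static routes, as any router does."""
        dst = ipaddress.ip_address(dst_ip)
        matches = [r for r in self.routes if dst in r[0]]
        return max(matches, key=lambda r: r[0].prefixlen) if matches else None

    def l2_out_port(self, vlan: int, mac: str) -> str:
        # Known MAC -> one port; unknown MAC -> flood, but only within that VLAN
        return self.cam.get((vlan, mac), "flood")

    def forward(self, frame: Frame, in_vlan: int, in_port: str) -> Tuple[str, Optional[int], str, Frame]:
        self.cam[(in_vlan, frame.src_mac)] = in_port   # Layer 2 learning happens regardless
        if frame.dst_mac != self.svi_mac:
            # Not addressed to the router: plain Layer 2 switching, frame untouched,
            # and it never leaves the ingress VLAN.
            return ("l2-forward", in_vlan, self.l2_out_port(in_vlan, frame.dst_mac), frame)
        # Addressed to the SVI MAC: a routing decision driven by the destination IP.
        route = self.lookup_route(frame.dst_ip)
        if route is None:
            return ("drop-no-route", None, "", frame)
        if frame.ttl <= 1:
            return ("drop-ttl", None, "", frame)
        _, next_hop, out_vlan = route
        nh_ip = next_hop or frame.dst_ip   # connected route: the next hop is the destination itself
        nh_mac = self.arp.get(nh_ip)
        if nh_mac is None:
            return ("drop-no-arp", None, "", frame)
        # Routing rewrites only the Ethernet header and decrements TTL. The IP source and
        # destination are untouched; address translation is the load balancer's job, not
        # something the switch does as a side effect of routing between VLANs.
        routed = replace(frame, src_mac=self.svi_mac, dst_mac=nh_mac, ttl=frame.ttl - 1)
        return ("routed", out_vlan, self.l2_out_port(out_vlan, nh_mac), routed)


def build_demo_switch() -> L3Switch:
    """Constructed topology: VLAN 3 = 203.0.113.0/24 (front of the load balancer),
    VLAN 10 = 10.10.0.0/24 (real servers). SVI MAC, ARP and CAM entries are made up."""
    sw = L3Switch(svi_mac="00:00:0c:07:ac:01")
    sw.add_route("203.0.113.0/24", vlan=3)
    sw.add_route("10.10.0.0/24", vlan=10)
    sw.add_route("0.0.0.0/0", vlan=3, next_hop="203.0.113.1")   # constructed upstream router
    sw.arp["203.0.113.1"] = "00:11:22:33:44:01"
    sw.arp["203.0.113.20"] = "00:11:22:33:44:20"
    sw.arp["10.10.0.5"] = "00:aa:bb:cc:dd:05"
    sw.cam[(3, "00:11:22:33:44:01")] = "Gi1/1"
    sw.cam[(3, "00:11:22:33:44:20")] = "Gi1/2"
    sw.cam[(10, "00:aa:bb:cc:dd:05")] = "Gi2/5"
    return sw


if __name__ == "__main__":
    sw = build_demo_switch()
    # Server to server on VLAN 10: destination MAC is the peer, so Layer 2 only.
    f1 = Frame("00:aa:bb:cc:dd:06", "00:aa:bb:cc:dd:05", "10.10.0.6", "10.10.0.5")
    print(sw.forward(f1, in_vlan=10, in_port="Gi2/6"))
    # Server replying to an internet client via the switch SVI: MACs rewritten, IPs kept.
    f2 = Frame("00:aa:bb:cc:dd:05", sw.svi_mac, "10.10.0.5", "198.51.100.7")
    print(sw.forward(f2, in_vlan=10, in_port="Gi2/5"))
```

The second trace is the case Warrick is worried about: if a real server's default gateway pointed at the 6509's SVI instead of the Alteon, the switch would happily route the reply out of VLAN 3 with the server's private source IP intact, because routing never touches the IP header. Checking the servers' gateway setting and the SVI addresses on the two VLANs is therefore the direct test, rather than trying to "disable" Layer 3 switching.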