Cisco weird interfaces
NVI - NAT Virtual Interface
Not everyone knows that, starting with IOS version 12.3(14)T, Cisco introduced a feature called NAT Virtual Interface (NVI). NVI removes the requirement to configure an interface as either NAT inside or NAT outside: an interface is simply configured to use NAT or not to use NAT.
How to use NVI? It’s easy! You use the command ‘ip nat source …’ without the inside/outside keyword and enable NAT on the interfaces with the command ‘ip nat enable’.
For instance, where you would use the legacy statements:
R1(config)#interface range fastEthernet 0/0
R1(config-if-range)#ip nat inside
R1(config)#interface range fastEthernet 0/1
R1(config-if-range)#ip nat outside
!
! Below is an example of static NAT: translate an inside network (Fa0/0 side) local address to a global address (Fa0/1 side)
R1(config)#ip nat inside source static 172.16.0.6 220.127.116.11
                                        ^            ^
                                   inside local   inside global
with the NVI feature the same NAT becomes:
R1(config)#interface range fastEthernet 0/0
R1(config-if-range)#ip nat enable
R1(config)#interface range fastEthernet 0/1
R1(config-if-range)#ip nat enable
! the ACL selects which source addresses are translated
R1(config)#ip access-list standard client-list
R1(config-std-nacl)#permit 172.16.0.0 0.0.0.255
Define the NAT Overload:
R1(config)#ip nat source list client-list interface fastethernet0/1 overload
- To check NVI statistics and translations, use these commands (observe the ‘nvi’ keyword):
show ip nat nvi translations
show ip nat nvi statistics
! shows the active translation count, broken down into static and dynamic NAT, and lists the NAT-enabled interfaces
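To make the NVI overload configuration above concrete, here is an added Python model (not Cisco code and not from the original post) of what ‘ip nat source list client-list interface fastethernet0/1 overload’ does: a standard ACL with a wildcard mask decides which inside hosts are translated, and matching hosts share the Fa0/1 address, distinguished by the translated source port. The Fa0/1 address 220.127.116.11, the host addresses and the port numbers are constructed for the example; the page does not state the Fa0/1 address.

```python
"""Model of NVI NAT overload: standard ACL + port address translation.
Added example; the addresses and ports below are constructed, not from the page."""
import ipaddress
from itertools import count


class StandardAcl:
    """Cisco-style standard ACL: (action, network, wildcard) entries,
    first match wins, implicit deny at the end."""

    def __init__(self, entries):
        # e.g. ("permit", "172.16.0.0", "0.0.0.255")
        self.entries = [
            (action, int(ipaddress.IPv4Address(net)), int(ipaddress.IPv4Address(wc)))
            for action, net, wc in entries
        ]

    def permits(self, addr):
        a = int(ipaddress.IPv4Address(addr))
        for action, net, wc in self.entries:
            # wildcard bits set to 1 are "don't care"; compare only the remaining bits
            if (a & ~wc & 0xFFFFFFFF) == (net & ~wc & 0xFFFFFFFF):
                return action == "permit"
        return False  # implicit deny


class NatOverload:
    """'ip nat source list <acl> interface <if> overload': many inside locals
    share one interface address, told apart by the translated source port."""

    def __init__(self, acl, interface_addr, first_port=1024):
        self.acl = acl
        self.interface_addr = interface_addr
        self.ports = count(first_port)
        self.table = {}    # (proto, local_ip, local_port) -> (global_ip, global_port)
        self.reverse = {}  # (proto, global_ip, global_port) -> (local_ip, local_port)

    def translate(self, proto, src_ip, src_port):
        """Outbound: return the (ip, port) the packet leaves the NAT interface with.
        Sources not permitted by the ACL are forwarded untranslated."""
        if not self.acl.permits(src_ip):
            return src_ip, src_port
        key = (proto, src_ip, src_port)
        if key not in self.table:
            gport = next(self.ports)
            self.table[key] = (self.interface_addr, gport)
            self.reverse[(proto, self.interface_addr, gport)] = (src_ip, src_port)
        return self.table[key]

    def untranslate(self, proto, dst_ip, dst_port):
        """Inbound: map a reply back to the inside host, or None when no
        translation exists (the reply is dropped)."""
        return self.reverse.get((proto, dst_ip, dst_port))

    def statistics(self):
        """Rough analogue of 'show ip nat nvi statistics'."""
        return {"dynamic": len(self.table), "interface": self.interface_addr}


def demo():
    # Constructed scenario: client-list permits 172.16.0.0/24, Fa0/1 is 220.127.116.11 (assumed)
    acl = StandardAcl([("permit", "172.16.0.0", "0.0.0.255")])
    nat = NatOverload(acl, "220.127.116.11")
    a = nat.translate("tcp", "172.16.0.6", 40000)
    b = nat.translate("tcp", "172.16.0.7", 40000)   # same source port, different host
    c = nat.translate("tcp", "172.16.1.9", 40000)   # outside client-list: untouched
    back = nat.untranslate("tcp", "220.127.116.11", 1025)
    return a, b, c, back, nat.statistics()


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The ACL scope is the part worth checking: a wildcard of 0.0.255.255 instead of 0.0.0.255 would silently translate every 172.16.x.x host, which is why ‘show ip nat nvi translations’ is the right place to confirm that only the intended sources appear.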
SVI - Switch Virtual Interface
In short: A virtual VLAN interface for inter-VLAN routing. In other words, SVIs are the virtual-routed VLAN interfaces in a multilayer switch.
- Switch Virtual Interface for Cisco Integrated Services Routers
Cisco offers different flavors of integrated switching modules for the modular Cisco 3900, 3800, 2900, 2800, 1900 and 1800 Series Integrated Services Routers. Cisco 4- and 8-Port Gigabit Ethernet Enhanced High-Speed WAN Interface Cards (EHWICs) are used with Cisco 1900 series ISR G2 routers.
The integrated switch ports of the fixed-configuration Integrated Services Routers and the switch ports on the HWICs/EHWICs do not natively support Layer 3 addresses or Layer 3 features. They must be assigned to an SVI and use a VLAN interface for Layer 3 features. An SVI represents a logical Layer 3 interface on a switch. In addition to basic routing, an SVI can be used to support additional features for the network that the SVI represents.
A switch virtual interface (SVI) is a VLAN of switch ports represented by one interface to a routing or bridging system. There is no physical interface for the VLAN and the SVI provides the Layer 3 processing for packets from all switch ports associated with the VLAN.
There is a one-to-one mapping between a VLAN and an SVI, so only a single SVI can be mapped to a VLAN. By default, an SVI is created for the default VLAN (VLAN 1) to permit remote switch administration. An SVI cannot be activated unless it is associated with a physical port.
SVIs are generally configured for a VLAN for the following reasons:
- Allow traffic to be routed between VLANs by providing a default gateway for the VLAN.
- Provide fallback bridging (if required for non-routable protocols).
- Provide Layer 3 IP connectivity to the switch.
- Support bridging configurations and routing protocol.
- SVI on Cisco Integrated Services Routers is designed to provide basic Layer 3 functions for the Layer 2 switch ports that belong to a specific VLAN. The SVI does not provide the same feature set and functions as the integrated Layer 3 Ethernet ports of the Integrated Services Routers and should not be used to entirely replace the Layer 3 Ethernet ports. Customers who need additional Layer 3 Ethernet ports for their Integrated Services Routers may consider the use of the 1- and 2-Port Fast Ethernet High-Speed WIC for modular ISR platforms. The guidelines presented in this document summarize feature support considerations for an Integrated Services Router deployment that uses SVIs.
- Example configuration on a switch or EtherSwitch card:
! create the SVI for VLAN 10
SW(config)#interface vlan 10
SW(config-if)#ip address 10.1.1.1 255.255.255.0
SW(config-if)#no shutdown
! create the SVI for VLAN 20
SW(config-if)#interface vlan 20
SW(config-if)#ip address 18.104.22.168 255.255.255.0
SW(config-if)#exit
! enable Layer 3 routing on the switch
SW(config)#ip routing
! add physical interfaces to VLAN 10
SW(config)#interface f0/0
SW(config-if)#no shutdown
SW(config-if)#switchport mode access
SW(config-if)#switchport access vlan 10
! and so on: add physical interfaces to VLAN 20 the same way
Switch - Routed Ports
A routed port is a physical port that acts similarly to an interface on a router. Unlike an access port, a routed port is not associated with a particular VLAN. A routed port behaves like a regular router interface. Also, because Layer 2 functionality has been removed, Layer 2 protocols, such as STP, do not function on a routed interface. However, some protocols, such as LACP and EtherChannel, do function at Layer 3. Routed ports on a switch do not support sub-interfaces and are used for point-to-point links.
SW(config-if)#no switchport
! issued in interface configuration mode on a multilayer switch
BVI - Bridged Virtual Interface
With wireless APs you are bridging the wireless traffic between your wireless VLANs and the local LAN subnets. The BVI interface also has to have an IP address on your "native" VLAN subnet, whatever that may be. Since Cisco APs only have Layer 2 interfaces, the BVI is necessary.
If you assign an IP address to a VLAN interface, any traffic between the different subnets is no longer bridged, it is routed. You can also only bridge non-IP traffic (IPX, and IPv6 on older platforms) on Cisco switches.
In a wireless network, bridge groups are configured on the wireless access points and bridges in order for the data traffic of a VLAN to be transmitted from wireless media to the wired side and vice versa.
In general, bridge groups create segmented switching domains. Traffic is confined to hosts within each bridge group, but not between the bridge groups. The switch forwards traffic only among the hosts that make up the bridge group, which restricts broadcast and multicast traffic (flooding) to only those hosts. Bridge groups relieve network congestion and provide additional network security when they segment traffic to certain areas of the network.
Refer to Bridging Overview for detailed information.
- Aironet APs: Bridge Groups and BVI (must see)
VRF - Virtual Routing and Forwarding
Virtual Routing and Forwarding (VRF) is a technology included in IP network routers that allows multiple instances of a routing table to exist in a router and work simultaneously. This increases functionality because it allows network paths to be segmented without the use of multiple devices. Because traffic is automatically segregated, VRF also increases network security and can eliminate the need for encryption and authentication. Internet Service Providers (ISPs) often take advantage of VRF in order to create separate Virtual Private Networks (VPNs) for customers. Therefore the technology is also referred to as VPN routing and forwarding.
VRF acts like a logical router, but while a logical router can include many routing tables, a VRF instance uses only a single routing table. In addition, VRF requires a forwarding table that designates the next hop for each data packet, a list of devices that can be called upon to forward the packet, and a set of rules and routing protocols that govern how the packet is forwarded. These tables prevent traffic from being forwarded outside a specific VRF path and also keep out traffic that must remain outside the VRF path.
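The two paragraphs above describe VRF in terms of tables: one independent routing table per instance, and a binding of interfaces to instances so that a packet is only ever looked up in its own table. The following added Python model (not Cisco code and not from the original post) shows that isolation: two constructed customer VRFs, CUST-A and CUST-B, carry the same overlapping 10.0.0.0/8 space and resolve the same destination to different next hops, and a destination with no route in a VRF is dropped rather than falling through to the global table. The VRF names, interface names, prefixes and next hops are all constructed for the example.

```python
"""Model of per-VRF routing tables with longest-prefix match.
Added example; VRF names, prefixes, interfaces and next hops are constructed."""
import ipaddress


class Vrf:
    """One routing instance: an independent table and its own longest-prefix lookup."""

    def __init__(self, name):
        self.name = name
        self.routes = []  # (IPv4Network, next_hop, egress_interface)

    def add_route(self, prefix, next_hop, interface):
        self.routes.append((ipaddress.ip_network(prefix), next_hop, interface))

    def lookup(self, dst):
        """Longest-prefix match within this VRF only. None means no route:
        the packet is dropped, it never consults another VRF's table."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, nh, ifc in self.routes:
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh, ifc)
        return None if best is None else (best[1], best[2])


class Router:
    """Holds the global table plus named VRFs; each interface is bound to
    exactly one of them (the analogue of 'ip vrf forwarding <name>')."""

    def __init__(self):
        self.vrfs = {"global": Vrf("global")}
        self.iface_vrf = {}

    def vrf(self, name):
        return self.vrfs.setdefault(name, Vrf(name))

    def bind_interface(self, interface, vrf_name):
        self.iface_vrf[interface] = vrf_name

    def forward(self, ingress_interface, dst):
        """The VRF of the ingress interface decides which table is consulted."""
        table = self.vrfs[self.iface_vrf.get(ingress_interface, "global")]
        return table.lookup(dst)


def build_demo_router():
    # Constructed topology: two customers reuse 10.0.0.0/8, the global table
    # holds only a default route towards an upstream.
    r = Router()
    r.bind_interface("Gi0/0", "CUST-A")
    r.bind_interface("Gi0/1", "CUST-B")
    r.vrf("CUST-A").add_route("10.0.0.0/8", "192.0.2.1", "Gi0/0")
    r.vrf("CUST-A").add_route("10.1.0.0/16", "192.0.2.2", "Gi0/0")
    r.vrf("CUST-B").add_route("10.0.0.0/8", "198.51.100.1", "Gi0/1")
    r.vrf("global").add_route("0.0.0.0/0", "203.0.113.1", "Gi0/2")
    return r


if __name__ == "__main__":
    r = build_demo_router()
    for ingress, dst in [("Gi0/0", "10.1.2.3"), ("Gi0/1", "10.1.2.3"),
                         ("Gi0/1", "172.16.5.5"), ("Gi0/2", "172.16.5.5")]:
        print(ingress, dst, "->", r.forward(ingress, dst))
```

The last lookup pair is the point to keep in mind when reviewing a VRF design: a packet arriving on a CUST-B interface for 172.16.5.5 is dropped because CUST-B has no route, while the same destination from a global-table interface takes the default route. Any route leaking between VRFs has to be configured explicitly, which is what makes the segmentation auditable.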