3.8 Virtual Layer 3 Switches
The virtual layer 3 switch function adds a virtual router which can
perform IP routing between multiple Virtual HUBs on the VPN Server, and
enables the realization of a layer 3 connection between Virtual HUB
segments by carrying out IP routing in accordance with routing rules
defined by the Administrator.
3.8.1 What is a Virtual Layer 3 Switch?
Virtual Layer 3 Switch Overview
As described in "3.4 Virtual HUB Functions", the Virtual HUB is an object virtually
realizing a physical layer 2 switch (switching hub) using software, and
a plurality of Virtual HUBs can be created in the VPN Server. The
Virtual HUB only supports the exchange of Ethernet frames on layer 2,
and does not support layer 3 routing.
The virtual layer 3 switch was developed and implemented in response
to requests to carry out IP routing between layer 2 segments in multiple
Virtual HUBs. The virtual layer 3 switch implements as software the
functions of communication devices commonly found in the office such as
routers and layer 3 switches. The exchange of IP packets between each
network is supported by creating multiple Virtual HUBs, separating the
layer 2 segments and IP routing between those layer 2 segments.

Fig. 3-8-1 IP Routing between IP Networks with Virtual Layer 3 Switching
The virtual layer 3 switch is a function intended for Network
Administrators and others with an intricate knowledge of networks and
IP routing. Virtual layer 3 switching is not required when using the
normal VPN functions. When using the virtual layer 3 switch, sufficient
consideration should be given to the impact upon the network, based
upon a sound knowledge of IP routing. The explanations contained within
this manual assume that the reader possesses such knowledge.
Virtual Layer 3 Switch Authority
Just as only Administrators of the entire VPN Server can create
Virtual HUBs, the authority for creating, deleting and configuring
virtual layer 3 switches lies solely with said Administrators. Although
Virtual HUB Administrators can find out how their own Virtual HUB is
connected to the virtual layer 3 switch, they cannot operate or edit the
connection of an existing layer 3 switch nor manipulate the routing
table. VPN Server Administrators are therefore required to perform
settings when using the virtual layer 3 switch function.
3.8.2 Difference between Bridging & IP Routing
Layer 2 network-connecting bridges and cascade connections between
Virtual HUBs are mechanisms which connect two separate network segments
onto a single network segment. When using TCP/IP protocol within one of
the segments, the computers within that segment must, in principle,
belong to the same IP network (while it is possible to multiplex a
plurality of IP networks on the same segment and make them communicate,
computers connected to that network can only communicate directly with
those belonging to the same IP network).
In comparison, IP routing is a mechanism which carries out packet
exchange on an IP layer between two separate network segments. Please
refer to documents on router operation and IP routing for details.
The physical router and layer 3 switch have one IP address for each
network segment subject to routing, and forward the IP packet attempting
to communicate via that IP address to other suitable interfaces using
the routing table held internally by the router.
The VPN Server-definable virtual layer 3 switch operates by the same
mechanism. Placing the virtual layer 3 switch between Virtual HUBs on
the VPN Server enables IP routing between the Virtual HUBs to which it
is connected. In this case, the virtual layer 3 switch has one interface
each for segments on both sides. For example, if two IP networks
192.168.1.0/24 and 192.168.2.0/24 exist and routing is carried out
between them using the virtual layer 3 switch, then an interface is
connected to each network and two IP addresses, 192.168.1.254 and
192.168.2.254 for instance, are assigned. When the computer belonging
to 192.168.1.0/24 wants to transmit an IP packet to network
192.168.2.0/24, it is possible to send said packet using 192.168.1.254
as a gateway. The router with two interfaces for 192.168.1.254 and
192.168.2.254 then sends this packet to network 192.168.2.0/24. IP
routing works by such a mechanism. The theoretical interface on the VPN
Server by which the virtual layer 3 switch connects to the Virtual HUB
is called the "virtual interface". The connection between the virtual
layer 3 switch and the Virtual HUB is actually carried out in the
software's internal memory and is not one which can be seen by users.
However, a special virtual session known as a virtual layer 3 session is
registered on the Virtual HUB to which the virtual layer 3 switch's
virtual layer interface is connected.
3.8.3 Defining Virtual Layer 3 Switches
The VPN Server does not have any virtual layer 3 switches by default.
The VPN Server Administrator can create virtual layer 3 switches at any
time they are required, and in any number.
All virtual layer 3 switches can be named and identified by said
name. Alphanumeric characters and some symbols can be used in the name.
To define a new virtual layer 3 switch, first select a name. Note that
once a virtual layer 3 switch is created, its name cannot be changed.
To carry out settings relating to the virtual layer 3 switch, click
the [Layer 3 Switch Setting] button in the VPN Server Manager and
display the [Virtual Layer 3 Switch Setting] dialog box. When a virtual
layer 3 switch is already registered here, double clicking on it opens
up its settings window (all explanations on how to use the virtual layer
3 switch contained herein commence from this window). In the vpncmd
utility, use the commands whose names start with "Router".

Fig. 3-8-2 Virtual layer 3 switch setting window
To create a new virtual layer 3 switch, click the [Create] button and
designate its name. A virtual interface must also be defined and the
[Start] button clicked before the newly-created virtual layer 3 switch
begins running.

Fig. 3-8-3 Create virtual layer 3 switch window
3.8.4 Adding Virtual Interfaces to connect to Virtual HUBs
Simply creating a virtual layer 3 switch serves no purpose, and is
comparable to buying a physical router and layer 3 switch and simply
leaving them on the shelf. In the same manner as physically connecting a
router to the networks of each connection destination with a network
cable, it is necessary to register virtual interfaces on the virtual
layer 3 switch for the Virtual HUBs of destinations to be connected.
To register a new virtual interface, click the [Add Virtual
Interface] button. Once the [Add Virtual Interface] dialog box appears,
select the destination Virtual HUB. Also designate the subnet space
belonging to the IP address held by that interface within the Virtual
HUB.

Fig. 3-8-4 Add virtual interface window
Multiple virtual interfaces can be created on a virtual layer 3
switch. Normally two or more virtual interfaces are added (only one
serves almost no purpose). Register all of the Virtual HUBs to be
subject to routing by the virtual layer 3 switch.
The only Virtual HUBs which can be directly connected to the virtual
layer 3 switch are those running on the same VPN Server. When wishing
to use layer 3 switching to IP route between a VPN Server on a separate
computer or a Virtual HUB running on a VPN Bridge, first create a
suitably-named Virtual HUB on the local side and connect it with
virtual layer 3 switching, then cascade that Virtual HUB with said VPN
Server on a separate computer or said Virtual HUB running on a VPN
Bridge. This method enables the connection of remote site Virtual HUBs
or physical LANs by virtual layer 3 switching as well as the creation
of site-to-site VPN skillfully incorporating an IP routing mechanism.
Previously, performing a similar connection required not only a VPN but
also involved the purchase of hardware for IP routing. The PacketiX VPN
facilitates simple implementation even for networks of sophisticated
design by bringing together as software the functions required to
connect remote locations to the VPN with IP routing.
3.8.5 Editing the Routing Table
The virtual layer 3 switch has a routing table similar to that of
common physical routers and layer 3 switches. Even without designating
anything, if a virtual layer 3 switch has a virtual interface connected
to a Virtual HUB, then it has the route information to the IP network
determined by the IP address and subnet mask set for that virtual
interface. Accordingly, it is not necessary to define a routing table
for the layer 2 segment directly connected to the virtual layer 3
switch.
When it is necessary to carry out IP routing via the
directly-connected layer 2 segment to an IP network in a segment further
ahead, then it is necessary to edit the values of the virtual layer 3
switch's routing table and add suitable routing entries.
The current routing table can be displayed using the [Edit Virtual
Layer 3 Switch] dialog box. This table is empty immediately after the
creation of a new virtual layer 3 switch. To make new entries in the
routing table, click the [Routing Table Entry] button.

Fig. 3-8-5 Add routing table entry window
The [Add Routing Table Entry] window has boxes to enter the details
of new routing table entries for registration. The information which
needs to be registered here is similar to that designated when adding an
entry to the static routing table of a typical router or layer 3 switch.
Specific examples of entries are shown below.
- Network Address
Designates the network address
including the destination IP address subject to routing using this
routing table.
- Subnet Mask
Designates the network mask together with
the network address.
- Gateway Address
Designates the IP address of the IP
packet forwarding destination (i.e. the IP address of the next
router). The IP addresses which can be designated here must be
included in either those IP addresses defined by each virtual
interface of this virtual layer 3 switch or among the IP network
defined by the subnet mask (note that even those not included are
still registered without an error or notification appearing). If
another virtual layer 3 switch is connected to an adjacent Virtual
HUB, then it may also be the IP address of that virtual layer 3
switch's virtual network interface.
- Metric Value
Designates the metric value of the
routing table entry.
When designating the default route, set the network address as 0.0.0.0
and the subnet mask as 0.0.0.0.
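Because a gateway address outside every virtual interface subnet is registered without any error, it is worth checking a planned routing table before entering it. The following is an added example, not part of the original manual or the product: the hub names HUB1/HUB2 and the sample routes are constructed, and the lookup order (directly connected segment, then longest prefix, then lowest metric, skipping unreachable gateways) is the conventional static-router behaviour assumed here rather than documented VPN Server behaviour.

```python
import ipaddress

# Constructed sample: the two interfaces from section 3.8.2 plus static routes.
INTERFACES = {  # Virtual HUB name (hypothetical) -> virtual interface address
    "HUB1": ipaddress.ip_interface("192.168.1.254/24"),
    "HUB2": ipaddress.ip_interface("192.168.2.254/24"),
}
ROUTES = [  # (network address, subnet mask, gateway address, metric)
    ("10.0.0.0", "255.0.0.0", "192.168.2.1", 1),
    ("10.1.0.0", "255.255.0.0", "192.168.1.1", 1),
    ("0.0.0.0", "0.0.0.0", "192.168.2.1", 10),        # default route
    ("172.16.0.0", "255.240.0.0", "192.168.3.1", 1),  # gateway on no attached segment
]

def hub_for(addr, interfaces):
    """Return the Virtual HUB whose interface subnet contains addr, else None."""
    addr = ipaddress.ip_address(addr)
    for hub, iface in interfaces.items():
        if addr in iface.network:
            return hub
    return None

def check_routes(interfaces, routes):
    """List routes whose gateway lies outside every virtual interface subnet."""
    return [r for r in routes if hub_for(r[2], interfaces) is None]

def next_hop(dst, interfaces, routes):
    """Resolve dst under the assumed order: connected, longest prefix, lowest metric."""
    hub = hub_for(dst, interfaces)
    if hub:
        return ("direct", hub)
    dst = ipaddress.ip_address(dst)
    best = None
    for net, mask, gw, metric in routes:
        network = ipaddress.ip_network(f"{net}/{mask}")
        out_hub = hub_for(gw, interfaces)
        if dst not in network or out_hub is None:
            continue  # route does not match, or its gateway is unreachable
        key = (-network.prefixlen, metric)
        if best is None or key < best[0]:
            best = (key, (gw, out_hub))
    return best[1] if best else None

if __name__ == "__main__":
    for route in check_routes(INTERFACES, ROUTES):
        print("gateway not on any attached segment:", route)
    for dst in ("192.168.2.50", "10.1.2.3", "10.2.0.1", "172.16.5.5"):
        print(dst, "->", next_hop(dst, INTERFACES, ROUTES))
```
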
3.8.6 Starting and Stopping Virtual Layer 3 Switches
Start and Stop
Operation can be started for virtual layer 3 switches with one or
more registered virtual network interfaces by clicking on the [Start]
button. It is also possible to terminate a virtual layer 3 switch during
operation at any time by clicking on the [Stop] button.
Note that it is not possible to edit the virtual layer 3 switch's
virtual interface list or Routing Table in any mode other than
[Terminated]. Therefore, terminate the virtual layer 3 switch to edit
these parameters.
Virtual Layer 3 Switch Status
The virtual layer 3 switch has the following three modes and each is
displayed in real time in the [Virtual Layer 3 Switch Setting] window.
| Status | Description |
| Stop | Virtual layer 3 switch is stopped. This is the only state in which the virtual layer 3 parameters can be set. |
| Started (operating) | Indicates that the virtual layer 3 switch is running, and that it is functioning because all Virtual HUBs connected to all defined virtual interfaces exist on the VPN Server and are online. This is the only state in which the virtual layer 3 switch can perform IP routing. Also, if even one of the Virtual HUBs connected to the defined virtual interfaces in this mode is deleted from the VPN Server or goes [Offline], then a transition to [Start (error)] mode occurs automatically. |
| Started (error) | Although the virtual layer 3 switch may be set to Started status, when one or more of the Virtual HUBs connected to the defined virtual interfaces does not exist on the VPN Server or is offline then the virtual layer 3 switch cannot commence IP routing. Also, if all of the Virtual HUBs connected to the defined virtual interfaces exist on the VPN Server or come online in this mode, then a transition to [Start (operating)] mode occurs automatically. |
3.8.7 Limitations
The virtual layer 3 switch function has the following limitations.
- It does not support dynamic routing protocols.
- It does not support IGMP.
- Sending an ICMP Echo request to the virtual layer 3 switch's
virtual interface exceeding 1,472 bytes returns a 1,472 byte ICMP
Echo response.