I would like to apply simple, local optimization for inter-VLAN routing on the switch via ACL filter rule ...
I may be wrong, but IMO you can't do it. Normal hosts work like this:
- if destination IP address is in the same IP subnet (same subnet address with same network mask), then they expect to communicate directly. They look for destination's MAC address (using ARP who-has protocol) and then send ethernet frame with IP packet with DST-MAC set to destination's MAC. Destination then only picks up ethernet frames with their own MAC address in DST-MAC address (and broadcast MAC addresses, but this is pretty irrelevant in this case); the rest of ethernet frames are silently ignored.
- if destination IP address is in different IP subnet, then they will use gateways. So sender determines which gateway to use (IP routing table) and searches for router's MAC address. Then they send out ethernet frame with IP packet (dst-address set to final destination) and with DST-MAC address set to router's MAC address. Router then picks up such frame, decapsulates IP packet, does the routing decision and does a similar procedure for egress interface (e.g. uses destination's MAC address as DST-MAC and sets own MAC address as SRC-MAC).
And L3HW routing does all of this in ASIC, but:
- clients still have to be aware that L3HW-offloaded device is their gateway
- ASIC has to be aware that it's routing so that it can perform appropriate DST-MAC and SRC-MAC replacements
If you want to do it transparently by a switch, then ACLs won't do necessary MAC address replacements. So what happens: packet, sent out by source device in certain subnet and sent with router's MAC address set as DST-MAC, will be "pushed over" into another L2 network (which may even be correct for destination IP address), but it will be otherwise identical ethernet frame. However DST-MAC address doesn't exist in that L2 network (if router does one subnet per interface) and nobody will pick up the frame. If router with same MAC address exists in destination L2 network (because router uses same MAC address for all VLANs on same physical interface), then frame will be picked up by router (so it's still pegging router), but router may decide to drop it because ingress interface will be wrong.
So if you want to use your CRS as wirespeed router between some of your VLANs, you'll have to set it as gateway on those VLANs (and provide route towards main router for routing towards other destinations) ... and follow normal L3HW setup.
Statistics: Posted by mkx — Wed Feb 28, 2024 3:32 pm
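The behaviour described in the reply above (a host only accepts frames carrying its own DST-MAC, so an ACL that retags a frame into another VLAN without rewriting MACs never reaches the destination, while a router or L3HW path rewrites SRC-MAC/DST-MAC and does) can be checked with a small simulation. This is an added illustration, not code from the post or from MikroTik; hosts, MAC and IP addresses, VLAN numbers and the ARP/route tables are constructed for the example, and the router is assumed to use one MAC on all VLAN sub-interfaces, as the reply mentions.

```python
"""Toy model of L2/L3 forwarding: ACL-style VLAN push vs. real routing."""
from dataclasses import dataclass
import ipaddress


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    vlan: int


@dataclass
class Host:
    name: str
    mac: str
    ip: str
    prefixlen: int
    gateway_ip: str
    vlan: int

    def network(self):
        return ipaddress.ip_network(f"{self.ip}/{self.prefixlen}", strict=False)

    def build_frame(self, dst_ip, arp_table):
        # Same subnet: ARP for the destination itself; otherwise ARP for the gateway.
        in_subnet = ipaddress.ip_address(dst_ip) in self.network()
        next_hop = dst_ip if in_subnet else self.gateway_ip
        return Frame(self.mac, arp_table[(self.vlan, next_hop)], self.ip, dst_ip, self.vlan)

    def accepts(self, frame):
        # A host silently ignores frames whose DST-MAC is not its own
        # (broadcast is left out, as in the reply).
        return frame.vlan == self.vlan and frame.dst_mac == self.mac


# Constructed: the router answers on every VLAN with the same MAC.
ROUTER_MAC = "aa:bb:cc:00:00:01"


def acl_push(frame, egress_vlan):
    """ACL-style forwarding: retag into another VLAN, MACs left untouched."""
    return Frame(frame.src_mac, frame.dst_mac, frame.src_ip, frame.dst_ip, egress_vlan)


def route(frame, routes, arp_table):
    """Router / L3HW behaviour: accept only frames addressed to the router,
    pick the egress VLAN from the routing table, rewrite both MAC addresses."""
    if frame.dst_mac != ROUTER_MAC:
        return None  # not addressed to the router: ignored
    dst = ipaddress.ip_address(frame.dst_ip)
    for net, vlan in routes:
        if dst in net:
            return Frame(ROUTER_MAC, arp_table[(vlan, frame.dst_ip)],
                         frame.src_ip, frame.dst_ip, vlan)
    return None  # no route


# Constructed topology: host A in VLAN 10, host B in VLAN 20.
A = Host("A", "02:00:00:00:00:0a", "10.0.10.5", 24, "10.0.10.1", 10)
B = Host("B", "02:00:00:00:00:0b", "10.0.20.5", 24, "10.0.20.1", 20)
ARP = {
    (10, "10.0.10.1"): ROUTER_MAC, (20, "10.0.20.1"): ROUTER_MAC,
    (10, A.ip): A.mac, (20, B.ip): B.mac,
}
ROUTES = [
    (ipaddress.ip_network("10.0.10.0/24"), 10),
    (ipaddress.ip_network("10.0.20.0/24"), 20),
]


def acl_frame_dst_mac():
    """DST-MAC of A's frame after an ACL pushes it into B's VLAN."""
    return acl_push(A.build_frame(B.ip, ARP), B.vlan).dst_mac


def delivered_via_acl():
    """Does B pick up the frame when only an ACL moved it between VLANs?"""
    return B.accepts(acl_push(A.build_frame(B.ip, ARP), B.vlan))


def delivered_via_router():
    """Does B pick up the frame when the router/L3HW path forwards it?"""
    out = route(A.build_frame(B.ip, ARP), ROUTES, ARP)
    return out is not None and B.accepts(out)


if __name__ == "__main__":
    print("ACL push keeps DST-MAC =", acl_frame_dst_mac())
    print("delivered via ACL:", delivered_via_acl())
    print("delivered via router:", delivered_via_router())
```

Running it shows the ACL-pushed frame still carries the router's MAC in VLAN 20, where no host owns it, so B drops it; only the routed copy, with DST-MAC rewritten to B's MAC and SRC-MAC set to the router's, is accepted. This is the same reason the reply gives for configuring the CRS as the gateway on those VLANs and using the normal L3HW setup instead of an ACL shortcut.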