Cisco Catalyst 6000 Series Switches

IP MultiLayer Switching Sample Configuration

Document ID: 12022

Updated: Nov 17, 2007



MultiLayer Switching (MLS) is an Ethernet-based routing switch technology from Cisco that provides Layer 3 (L3) switching in conjunction with existing routers. This document covers only IP MLS. Internetwork Packet Exchange (IPX) MLS and Multicast MLS are beyond the scope of this document.



There are no specific requirements for this document.

Components Used

The information in this document is based on these software and hardware versions:

  • Switch Engines

    • Catalyst 5000

      • Supervisor Engine 4.1(1) or later

      • Catalyst 5000 family switch with Supervisor Engine II G or III G, or Supervisor Engine III or III F with a NetFlow Feature Card (NFFC) or NFFC II

      • If running MLS over ATM media, Catalyst 5000 family ATM module software release 11.3(8)WA4(11) or later, or release 12.0(3c)W5(10) or later

    • Catalyst 6000

      • MLS is supported on all Catalyst 6500 and 6000 switches with Supervisor Engine 1 or 1A using the MultiLayer Switch Feature Card (MSFC) or MSFC2. MLS is enabled by default internally between the Supervisor module and MSFC. No MLS configuration is required on the Supervisor Command Language Interpreter (CLI) or the routing module. The Catalyst 6500 and 6000 do not support external MLS (MLS-RP).

        Note: The Catalyst 6500 and 6000 MSFC2 with PFC2 (Supervisor Engine 2) and Supervisor Engine 720 with MSFC3 perform L3 switching using Cisco Express Forwarding (CEF) and do not require MLS internally. They do not support external MLS (MLS-RP).

  • Routing Engines

    • Route Switch Module (RSM), Route Switch Feature Card (RSFC), or external Cisco 7500, 7200, 4700, 4500, or 3600 series router

    • Cisco IOS® Software Release 11.3(2)WA4(4) or later on the RSM, or on Cisco 7500, 7200, 4700, and 4500 series routers

    • Cisco IOS Software Release 12.0(3c)W5(8a) or later on the RSFC

    • Cisco IOS Software Release 12.0(2) or later on Cisco 3600 series routers

    • Cisco IOS Software Release 12.0(3c)W5(8) or later on the MLS-RP, if running MLS over ATM media

The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, make sure that you understand the potential impact of any command.


For more information on document conventions, refer to the Cisco Technical Tips Conventions.

Background Information

Traditional routers typically perform two main functions: route processing calculation and packet switching based on a routing table (Media Access Control [MAC] Address rewrite, redo checksum, Time To Live [TTL] decrement, and so forth). The major difference between a router and an L3 switch is that packet switching in a router is done in software by microprocessor-based engines, whereas packet switching in an L3 switch is done in hardware by specific Application Specific Integrated Circuits (ASICs).

MLS requires these components:

  • MultiLayer Switching Engine (MLS-SE)—Responsible for packet switching and rewrite functions in custom ASICs, and capable of identifying L3 flows.

  • MultiLayer Switching Route Processor (MLS-RP)—Informs the MLS-SE of MLS configuration, and runs Routing Protocols (RPs) for route calculation.

  • MultiLayer Switching Protocol (MLSP)—Multicast Protocol messages sent by the MLS-RP to inform the MLS-SE of the MAC address used by MLS-RP, routing and access list changes, and so forth. The MLS-SE uses that information to program the custom ASICs.


In this section, you are presented with the information to configure the features described in this document.

Note: Use the Command Lookup Tool (registered customers only) to obtain more information on the commands used in this section.

Network Diagram

This document shows an IP MLS sample configuration using an RSM, as shown in this network diagram:


MLS Operation

In the diagram above, PC-A (A) wants to communicate with PC-B (B). They are in different VLANs, so the traffic is routed via the RSM (the default gateway for the PCs). The first packet is sent by PC-A and is routed by the RSM towards PC-B. A shortcut (A → B) is created, and all subsequent packets will be L3 switched by the MLS-SE, using the Supervisor Engine running on the NFFC.

Note: The entry for a shortcut is unidirectional, so another entry will be created when PC-B communicates with PC-A.

The examples below show the PC communication, the MLS shortcut, and other MLS information.

PC-A# ping

!--- Pinging PC-B.

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echoes to, timeout is 2 seconds:
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/3/4 ms

This output is generated by issuing the indicated commands on the switch.

switch-MLS-SE (enable) show mls entry

Destination IP  Source IP       Prot DstPrt SrcPrt Destination Mac   Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MLS-RP     ICMP -      -      00-d0-58-43-9f-60 11   6/11

!--- As in the note above, there are two shortcuts: A → B and B → A.

     ICMP -      -      00-00-0c-07-ac-01 12   6/12

switch-MLS-SE (enable) show mls

Multilayer switching enabled

!--- By default, MLS is enabled on the switch.

Multilayer switching aging time = 256 seconds
Multilayer switching fast aging time = 0 seconds, packet threshold = 0
Current flow mask is Destination flow
Configured flow mask is Destination flow
Total packets switched = 8

!--- Five echoes and five replies were sent; the first echo and reply went
!--- through the RSM, and subsequent echoes and replies were L3 switched,
!--- which gives us a total of eight L3 switched packets and two shortcuts.

Active shortcuts = 2
Netflow Data Export disabled
Total packets exported = 0

MLS-RP IP        MLS-RP ID    XTAG MLS-RP             MAC-Vlans
---------------- ------------ ---- ------------------ --------------
                 00100b108800    2 00-10-0b-10-88-00  11-12

switch-MLS-SE (enable) show mls statistics rp

Total packets switched = 8
Active shortcuts = 2
Total packets exported= 0

                             Total switched 
MLS-RP IP       MLS-RP ID    packets    bytes 
--------------- ------------ ---------- ------------
                00100b108800          8 944

RSM-MLS-RP# show mls rp

multilayer switching is globally enabled
mls id is 0010.0b10.8800
mls ip address

!--- IP address of MLS-RP.

mls flow mask is destination-ip
number of domains configured for mls 1

vlan domain name: sales
   current flow mask: destination-ip
   current sequence number: 3150688457
   current/maximum retry count: 0/10
   current domain state: no-change
   current/next global purge: false/false
   current/next purge count: 0/0
   domain uptime: 1d00h
   keepalive timer expires in 8 seconds
   retry timer not running
   change timer not running

   1 management interface(s) currently defined:
      vlan 11 on Vlan11

   2 mac-vlan(s) configured for multi-layer switching:
      mac 0010.0b10.8800
         vlan id(s)
         11   12

!--- VLANs and interfaces participating in MLS.

   router currently aware of following 1 switch(es):
      switch id 0050.d133.2bff

!--- MAC address of the MLS-SE.


In this example, the RSM is used as the MLS-RP, with this software version:

IOS (tm) C5RSM Software (C5RSM-JSV-M), Version 11.3(9)WA4(12) RELEASE SOFTWARE
Copyright (c) 1986-1999 by Cisco Systems, Inc.

The software version on the switch is as follows:

WS-C5509 Software, Version McpSW: 4.5(2) NmpSW: 4.5(2)
Copyright (c) 1995-1999 by Cisco Systems, Inc.

On the switch, MLS is enabled by default. There is no need to specify the MLS-RP IP address if it is the RSM. Conversely, for an external router acting as the MLS-RP, you need to configure the switch with this IP address by issuing this command, where IPaddress is the IP address of the external MLS-RP:

set mls include IPaddress

Use this procedure to configure the router:

  1. Enable MLS in global configuration mode by issuing the mls rp ip command.

    Router(config)# mls rp ip

  2. Assign a Virtual Terminal Protocol (VTP) domain on one MLS interface.

    Router(config-if)# mls rp vtp-domain VTP_domain_name

    Note: You can determine the VTP domain name (VTP_domain_name in the example above) by issuing the show vtp domain command on the switch.

  3. Enable MLS on the interface so that it can participate in the shortcut process.

    Router(config-if)# mls rp ip

  4. Specify a router interface as a management interface, which allows the MLS-SE and MLS-RP to communicate using a multicast protocol (MLSP).

    Router(config-if)# mls rp management-interface

  5. Repeat Steps 2 and 3 for all interfaces participating in MLS.

    Note: Step 4 is needed only once on one interface for MLSP to allow communication (MLS-RP ↔ MLS-SE).

The MLS-RP current configuration is as follows:

Current configuration:
version 11.3
hostname RSM-MLS-RP
mls rp ip
interface Vlan11
 ip address
 mls rp vtp-domain sales
 mls rp management-interface
 mls rp ip
interface Vlan12
 ip address
 mls rp vtp-domain sales
 mls rp ip
ip classless
line con 0
line aux 0
line vty 0 4
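
The five-step procedure can be checked mechanically against a saved MLS-RP configuration. The following is an added example, not part of the original Cisco document: the function names are hypothetical, and the sample input is the configuration shown above, with the `ip address` lines left without values because the page does not give them.

```python
import re

# Constructed sample: the MLS-RP configuration from this page (the interface
# addresses are absent on the page, so the 'ip address' lines carry none).
SAMPLE_CONFIG = """\
hostname RSM-MLS-RP
mls rp ip
interface Vlan11
 ip address
 mls rp vtp-domain sales
 mls rp management-interface
 mls rp ip
interface Vlan12
 ip address
 mls rp vtp-domain sales
 mls rp ip
ip classless
"""

def parse_mls_config(text):
    """Return (global_enabled, {interface: set of 'mls rp' subcommands})."""
    global_enabled, interfaces, current = False, {}, None
    for line in text.splitlines():
        cmd = line.strip()
        if not cmd:
            continue
        if not line.startswith(" "):      # a top-level line closes interface scope
            m = re.match(r"interface\s+(\S+)", cmd)
            current = m.group(1) if m else None
            if current:
                interfaces[current] = set()
            elif cmd == "mls rp ip":
                global_enabled = True
        elif current and cmd.startswith("mls rp "):
            interfaces[current].add(cmd[len("mls rp "):])
    return global_enabled, interfaces

def audit_mls(text):
    """List deviations from the five-step procedure; an empty list means none."""
    global_enabled, interfaces = parse_mls_config(text)
    mls_ifs = {name: cmds for name, cmds in interfaces.items() if cmds}
    findings = []
    if not global_enabled:
        findings.append("step 1: global 'mls rp ip' is missing")
    for name, cmds in mls_ifs.items():
        if not any(c.startswith("vtp-domain ") for c in cmds):
            findings.append(f"step 2: {name} has no 'mls rp vtp-domain'")
        if "ip" not in cmds:
            findings.append(f"step 3: {name} has no 'mls rp ip'")
    if not any("management-interface" in cmds for cmds in mls_ifs.values()):
        findings.append("step 4: no 'mls rp management-interface' on any interface")
    return findings
```

Only interfaces that carry at least one `mls rp` subcommand are treated as MLS interfaces, so routed interfaces that do not participate in MLS produce no findings.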

MLS Important Notes

  • For MLS to work, the MLS-SE must see the packet go to the MLS-RP and come back out from the same MLS-RP to the same MLS-SE.

  • The MLS-SE never gets involved in any routing protocols or route calculation. All routing protocols are run by the MLS-RP; for example, Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Interior Gateway Routing Protocol (IGRP), Routing Information Protocol (RIP), and so forth.

  • The MLS-RP is not aware that the MLS-SE is forwarding some packets on its behalf.

  • If the MLS-SE cannot establish an L3 entry for any reason, it sends the packet to the MLS-RP for normal routing; it does not drop the packet.

  • Hot Standby Router Protocol (HSRP) and MLS can interoperate without any problems.

  • The mls and ip cef on exact-route commands for the same DA give different results. This is normal behavior. The ip cef command information is software-based; it is calculated from the routing table and MAC address table. The mls cef command information, however, is hardware forwarding information, which is based on software CEF and can be changed by a load balancing algorithm.

  • The mls ip cef load-sharing simple command gives a better load balance and avoids a new adjacency in the forwarding engine. Also, the mls ip cef load-sharing full command is a load balancing algorithm recommended for a single-stage CEF that includes a load balancing algorithm for L4 ports. In order to achieve the best CEF load balancing, alternate L3 and L4 hashing on access, distribution and core routers, and use this type of configuration:

    • On access and core routers - mls ip cef load-sharing simple

    • On distribution routers - mls ip cef load-sharing full

    The mls ip cef load-sharing full command can improve load balancing if there is a good mix of L4 ports in the network. With the SRB2 image it can be used in all adjacencies, such as the ip2ip, ip2tag, tag2tag and tag2ip cases. However, with SRA it works only with ip2ip and ip2tag adjacencies.

Verification Tips

Once you have configured MLS, you will see entries in the MLS cache (shortcuts).

The MLS mechanism is relatively simple: PC-A sends the initial packet, and the router rewrites the Layer 2 (L2) address and completes the L3 fields.


The enabler packet is returned and now the shortcut is complete; subsequent packets for this flow will be L3 switched.


In summary, this is the process for all L3 switched packets:

  1. The candidate packet is sent to the router.

  2. The enabler packet is sent by the router.

  3. Everything is configured to get the shortcut and start the L3 switching for this flow (A ↔ B).
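
The candidate/enabler sequence can be modelled in a few lines to show why the ping earlier in this document produced eight switched packets and two shortcuts, and why no shortcut forms when the enabler packet does not come back through the same MLS-SE. This is an added example, not Cisco code: it is a toy model of the destination-ip flow mask only, the class and function names are hypothetical, and the PC addresses are constructed because the page does not show them.

```python
RP_MAC = "00-10-0b-10-88-00"                 # MLS-RP MAC from the 'show mls' output
PC_A, PC_B = "192.0.2.10", "198.51.100.10"   # constructed addresses, not from the page

class MlsSe:
    """Toy model of the MLS-SE shortcut cache with the destination-ip flow mask."""

    def __init__(self):
        self.candidates = set()   # flows seen going to the MLS-RP, awaiting the enabler
        self.shortcuts = set()    # unidirectional entries, keyed on destination IP
        self.switched = 0         # counterpart of 'Total packets switched'

    def from_host(self, dst_ip, dst_mac):
        """Frame from a host. Returns 'switched', 'candidate' or 'bridged'."""
        if dst_mac != RP_MAC:
            return "bridged"              # not addressed to the router: plain L2
        if dst_ip in self.shortcuts:
            self.switched += 1            # rewritten in hardware, RP not involved
            return "switched"
        self.candidates.add(dst_ip)       # candidate packet: forwarded to the MLS-RP
        return "candidate"

    def from_rp(self, dst_ip):
        """Routed frame coming back from the MLS-RP (the enabler packet)."""
        if dst_ip in self.candidates:
            self.candidates.discard(dst_ip)
            self.shortcuts.add(dst_ip)    # shortcut complete for this direction

def ping(se, count=5, enabler_returns_to_se=True):
    """Send `count` echoes A->B and replies B->A; return (switched, shortcuts)."""
    for _ in range(count):
        for dst in (PC_B, PC_A):          # echo, then reply
            result = se.from_host(dst, RP_MAC)
            if result == "candidate" and enabler_returns_to_se:
                se.from_rp(dst)           # RP routed it back through this switch
    return se.switched, len(se.shortcuts)
```

With `enabler_returns_to_se=False` every packet stays a candidate and is routed by the MLS-RP, which matches the note that the MLS-SE falls back to normal routing rather than dropping the packet.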


Supported Features and Topologies

Access Lists

Input access lists are supported with IP MLS beginning with Cisco IOS Software Release 12.0(2) and later. Before release 12.0(2), input access lists were not compatible with MLS.

Output access lists have always been supported.

IP Accounting

Enabling IP accounting on an IP-MLS-enabled interface disables the IP accounting functions on that interface.

Data Encryption

IP MLS is disabled on an interface when the data encryption feature is configured on the interface.
