Table Of Contents
Configuring VLAN Interfaces
VLAN Interface Configuration Quick Start
Allocating VLANs to a User Context
Configuring a Bank of MAC Addresses for Shared VLANs
Configuring VLAN Interfaces on the ACE
Assigning IP Addresses to Interfaces for Routing Traffic
Disabling and Enabling Traffic on Interfaces
Configuring the MTU for an Interface
Configuring a Peer IP Address
Configuring an Alias IP Address
Enabling the Mac-Sticky Feature
Providing an Interface Description
Configuring the UDP Booster Feature
Assigning a Policy Map to an Interface
Applying an Access List to an Interface
Displaying Interface Information
Displaying VLAN and BVI Information
Displaying VLAN and BVI Summary Statistics
Displaying the Internal Interface Manager Tables
Clearing Interface Statistics
Configuring VLAN Interfaces
This chapter describes how to configure the VLAN interfaces on the Cisco 4700 Series Application Control Engine (ACE) appliance. When you configure an IP address on an interface, the ACE automatically makes it a routed mode interface.
Similarly, when you configure a bridge group on an interface VLAN, the ACE automatically makes it a bridged interface. Then, you can associate a bridge-group virtual interface (BVI) with the bridge group. For more information on bridged groups and BVIs, see Chapter 4, "Bridging Traffic."
The ACE also supports shared VLANs, which are multiple interfaces in different contexts on the same VLAN within the same subnet. Only routed interfaces can share VLANs. Note that there is no routing across contexts even when shared VLANs are configured.
The ACE supports a maximum of 4,093 VLANs per appliance and a maximum of 1,024 shared VLANs per appliance.
Note
The ACE supports a maximum of 8,192 interfaces per appliance that include VLANs, shared VLANs, and BVI interfaces.
This chapter contains the following major sections:
• VLAN Interface Configuration Quick Start
• Allocating VLANs to a User Context
• Configuring a Bank of MAC Addresses for Shared VLANs
• Configuring VLAN Interfaces on the ACE
• Displaying Interface Information
• Clearing Interface Statistics
VLAN Interface Configuration Quick Start
Table 2-1 provides a quick overview of the steps required to configure VLAN interfaces on the ACE. Each step includes the CLI command or a reference to the procedure required to complete the task. For a complete description of each feature and all the options associated with the CLI commands, see the sections following Table 2-1.
Table 2-1 VLAN Interface Configuration Quick Start
Task and Command Example
1. If you are operating in multiple contexts, observe the CLI prompt to verify that you are operating in the desired context. If necessary, change to the correct context.
The rest of the examples in this table use the C1 user context for illustration purposes, unless otherwise specified. For details on creating contexts, see the Cisco 4700 Series Application Control Engine Appliance Virtualization Configuration Guide.
2. Enter global configuration mode.
3. If you have not already done so, configure Ethernet ports and specify VLAN trunking on the ACE. See Chapter 1, Configuring Ethernet Interfaces, for details.
4. Configure a VLAN interface and access its mode to configure its attributes. For example, to create VLAN 200, enter the following command:
host1/Admin(config)# interface vlan 200
5. Assign an IP address to a VLAN interface for routing traffic. For example, to set the IP address of 192.168.1.1 255.255.255.0 for VLAN interface 200, enter the following command:
host1/Admin(config-if)# ip address 192.168.1.1 255.255.255.0
6. Enable the VLAN interface.
host1/Admin(config-if)# no shutdown
7. (Optional) Specify the MTU for a VLAN interface.
host1/Admin(config-if)# mtu 1000
8. (Optional) Configure the IP address for an interface on a standby ACE appliance.
host1/Admin(config-if)# peer ip address 192.168.1.20 255.255.255.0
9. (Optional) Enable reverse-path forwarding (RPF) based on a source MAC address for a VLAN interface.
host1/Admin(config-if)# mac-sticky enable
10. (Optional) Add a description about the interface to help you remember its function.
host1/Admin(config-if)# description FOR INBOUND AND OUTBOUND TRAFFIC
11. Assign a policy map to an interface. For example, to assign the SLB_OPTIMIZE_POLICY policy map for inbound traffic to the VLAN 3, enter the following command:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# service-policy input SLB_OPTIMIZE_POLICY
12. Apply an ACL to the inbound or outbound direction of an interface and make the ACL active. For example, enter the following command:
host1/Admin(config-if)# access-group input INBOUND
host1/Admin(config-if)# exit
13. Assign VLAN interfaces to a specific context. For example, to assign VLAN 200 to context C1, enter the following command:
host1/Admin(config)# context C1
host1/C1(config-context)# allocate-interface vlan 200
14. (Optional) Configure a specific bank of MAC addresses for an ACE. For example, to configure bank 2 of MAC addresses, enter the following command:
host1/Admin(config)# shared-vlan-hostid 2
15. (Optional) If necessary, save your configuration changes to flash memory.
host1/Admin# copy running-config startup-config
Allocating VLANs to a User Context
By default, all VLANs assigned to the ACE are available at the Admin context. At the Admin context, you can assign a VLAN to a user context. You can configure one or more VLAN interfaces in any user context before you assign those VLAN interfaces to the associated user contexts through the allocate-interface vlan command in the Admin context. VLANs can be shared across multiple contexts. However, the ACE supports only 1024 shared VLANs per system.
Note
When a VLAN is shared in multiple contexts, the IP addresses across contexts must be unique and the interfaces must be on the same subnet. To classify traffic on multiple contexts, the same VLAN across contexts will have different MAC addresses. If you configure shared VLANs, no routing can occur across the contexts.
To assign VLAN interfaces to the context, access the context mode and use the allocate-interface vlan command in configuration mode. The syntax of this command is as follows:
allocate-interface vlan vlan_number
The vlan_number argument is the number of a VLAN or a range of VLANs assigned to the ACE.
For example, to assign VLAN 10 to context A, enter:
host1/Admin(config)# context A
host1/Admin(config-context)# allocate-interface vlan 10
To allocate an inclusive range of VLANs from VLAN 100 through VLAN 200 to a context, enter:
host1/Admin(config-context)# allocate-interface vlan 100-200
To remove a VLAN from a user context, use the no allocate-interface vlan command in context configuration mode. For example, enter:
host1/Admin(config)# context A
host1/Admin(config-context)# no allocate-interface vlan 10
Note
You cannot deallocate a VLAN from a user context if the VLAN is currently in use on that context.
To remove a range of VLANs from a context, enter:
host1/Admin(config-context)# no allocate-interface vlan 100-200
Configuring a Bank of MAC Addresses for Shared VLANs
When contexts share a VLAN, the ACE assigns a different MAC address to the VLAN on each context. The MAC addresses reserved for shared VLANs are 0x001243dc6b00 to 0x001243dcaaff, inclusive. All ACE appliances derive these addresses from a global pool of 16,000 MAC addresses. This pool is divided into 16 banks, each containing 1024 addresses. Each subnet can have 16 ACEs.
Each ACE supports 1024 shared VLANs, and uses only one bank of MAC addresses out of the pool. A shared MAC address is associated with a shared VLAN interface.
By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However, if you configure two ACE appliances in the same Layer 2 network and they are using shared VLANs, the ACEs may select the same address bank, which results in the use of the same MAC addresses. To avoid this conflict, you must configure the bank that the ACEs will use.
To configure a specific bank of MAC addresses for a local ACE or a peer ACE (in a redundant configuration), use the shared-vlan-hostid or the peer shared-vlan-hostid command, respectively, in configuration mode in the Admin context. The syntaxes of these commands are as follows:
shared-vlan-hostid number
peer shared-vlan-hostid number
The number argument indicates the bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. Be sure to configure different bank numbers for multiple ACEs. For example, to configure bank 2 of MAC addresses for the local ACE and bank 3 for a peer ACE, enter:
host1/Admin(config)# shared-vlan-hostid 2
host1/Admin(config)# peer shared-vlan-hostid 3
To remove the configured bank of MAC addresses and allow the ACE to randomly select a bank, use the no shared-vlan-hostid command. For example, enter:
host1/Admin(config)# no shared-vlan-hostid
To remove the configured bank of MAC addresses from a peer ACE and allow it to randomly select a bank, use the no peer shared-vlan-hostid command. For example, enter:
host1/Admin(config)# no peer shared-vlan-hostid
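The bank conflict described in this section can be checked offline before two appliances are placed on the same Layer 2 network. The following Python script is an added example, not part of the Cisco guide: it reads the Admin-context configuration of each ACE, reports appliances that leave the bank to random selection, use an out-of-range bank, or share a bank, and tests whether a MAC address seen on the network falls inside the reserved shared-VLAN range. The hostnames, sample configurations, and finding names are constructed for the example.

```python
import re

# Reserved shared-VLAN MAC range quoted in the text above (inclusive).
POOL_FIRST = 0x001243DC6B00
POOL_LAST = 0x001243DCAAFF
BANKS = 16          # valid arguments to shared-vlan-hostid are 1..16
BANK_SIZE = 1024    # addresses per bank

# Constructed Admin-context excerpts for four ACEs on one Layer 2 network.
# Hostnames and contents are made up for this example.
SAMPLE_CONFIGS = {
    "ace-a": "shared-vlan-hostid 2\npeer shared-vlan-hostid 3\n",
    "ace-b": "shared-vlan-hostid 2\n",
    "ace-c": "",                           # no bank configured
    "ace-d": "shared-vlan-hostid 17\n",    # outside the 1..16 range
}


def mac_to_int(mac):
    """Parse 00:12:43:dc:6b:00, 0012.43dc.6b00 or 00-12-43-DC-6B-00 to an int."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def in_shared_pool(mac):
    """True if the MAC lies in the range reserved for shared VLANs."""
    return POOL_FIRST <= mac_to_int(mac) <= POOL_LAST


def configured_banks(config):
    """Return (local_bank, peer_bank); None where the command is absent."""
    local = re.search(r"^[ \t]*shared-vlan-hostid[ \t]+(\d+)[ \t]*$", config, re.M)
    peer = re.search(r"^[ \t]*peer[ \t]+shared-vlan-hostid[ \t]+(\d+)[ \t]*$", config, re.M)
    return (int(local.group(1)) if local else None,
            int(peer.group(1)) if peer else None)


def audit_banks(configs):
    """Return sorted (hostname, finding) pairs for ACEs on one Layer 2 network."""
    findings, owners = set(), {}
    for host, config in configs.items():
        local, peer = configured_banks(config)
        for bank in (local, peer):
            if bank is not None and not 1 <= bank <= BANKS:
                findings.add((host, "bank-out-of-range"))
        if local is None:
            # Bank is chosen randomly at boot, so a collision cannot be ruled out.
            findings.add((host, "bank-random"))
            continue
        if peer == local:
            findings.add((host, "peer-bank-same-as-local"))
        owners.setdefault(local, []).append(host)
    for hosts in owners.values():
        if len(hosts) > 1:
            # Two appliances on the same bank would use the same MAC addresses.
            findings.update((h, "bank-collision") for h in hosts)
    return sorted(findings)


if __name__ == "__main__":
    for host, finding in audit_banks(SAMPLE_CONFIGS):
        print(f"{host}: {finding}")
    print("0012.43dc.6b00 in shared pool:", in_shared_pool("0012.43dc.6b00"))
```

The reserved range spans 16,384 addresses, which is exactly 16 banks of 1024.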
Configuring VLAN Interfaces on the ACE
You can configure a VLAN interface and access its mode to configure its attributes by using the interface vlan command in configuration mode for the context. The syntax of this command is as follows:
interface vlan number
The number argument is the VLAN number you want to assign to the interface. VLAN numbers are 2 to 4094. For example, to create VLAN 200, enter:
host1/Admin(config)# interface vlan 200
To remove a VLAN, use the no interface vlan command. For example, enter:
host1/Admin(config)# no interface vlan 200
Note
For security reasons, the ACE does not allow pings from an interface on a VLAN on one side of the ACE through the module to an interface on a different VLAN on the other side of the module. For example, a host can ping the ACE address that is on the IP subnet using the same VLAN as the host, but cannot ping IP addresses configured on other VLANs on the ACE.
This section contains the following topics:
• Assigning IP Addresses to Interfaces for Routing Traffic
• Disabling and Enabling Traffic on Interfaces
• Configuring the MTU for an Interface
• Configuring a Peer IP Address
• Configuring an Alias IP Address
• Enabling the Mac-Sticky Feature
• Providing an Interface Description
• Configuring the UDP Booster Feature
• Assigning a Policy Map to an Interface
• Applying an Access List to an Interface
Note
The ACE requires a route back to the client before it can forward a request to a server. If the route back is not present, the ACE cannot establish a flow and drops the client request. Make sure that you configure the appropriate routing to the client network on the ACE VLAN where the client traffic enters the ACE appliance.
Additional configurations and commands are available on a VLAN interface that are not documented in this chapter. These configurations are as follows:
• Remote network management—See the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
• Allocate individual VLANs to a trunk link—See "Allocating an Ethernet Port or Port-Channel Interface to a VLAN Trunk" in Chapter 1, "Configuring Ethernet Interfaces."
• IEEE 802.1Q Native VLAN for a trunk—See "Specifying the 802.1Q Native VLAN For a Trunk" in Chapter 1, "Configuring Ethernet Interfaces."
• Access port to a specific VLAN—See "Configuring a VLAN Access Port" in Chapter 1, "Configuring Ethernet Interfaces."
• Default and static routes—See Chapter 3, "Configuring Routes on the ACE."
• Bridge parameters including the interface bvi command—See Chapter 4, "Bridging Traffic."
• Address Resolution Protocol (ARP)—See Chapter 5, "Configuring ARP."
• Dynamic Host Configuration Protocol (DHCP)—See Chapter 6, "Configuring the DHCP Relay."
• Policy and class maps, and SNMP management for VLANs, and fault-tolerant VLANs—See the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
• Load balancing traffic including stealth firewall load balancing—See the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
• ACLs, Network Address Translation (NAT), IP fragment reassembly, and IP normalization—See the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
Assigning IP Addresses to Interfaces for Routing Traffic
Observe the following requirements and restrictions when you assign an IP address to an interface:
• Assigning an IP address to a VLAN interface automatically makes it a routed mode interface.
• Secondary IP addresses are not supported on any ACE interfaces.
• In a single context, each interface address must be on a unique subnet and cannot overlap.
• In different contexts on a nonshared VLAN, the IP subnet can overlap an interface. However, on a shared VLAN, the IP address must be unique.
• Routed and bridged mode requires access control lists (ACLs) to allow traffic to pass. To apply an ACL to the inbound or outbound direction of an interface and make the ACL active, use the access-group command in interface configuration mode for the VLAN, as described in the "Applying an Access List to an Interface" section. For more information on configuring ACLs, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
When you configure remote network management access on an interface, the interface does not require an ACL. However, it does require a management class map and management policy map configuration. For information on configuring remote access to the ACE, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
To assign an IP address to a VLAN interface, use the ip address command in interface configuration mode. The syntax of this command is as follows:
ip address ip_address mask
The ip_address mask arguments specify the IP address and mask for the VLAN interface. Enter the IP address and subnet mask in dotted-decimal notation (for example, 192.168.1.1 255.255.255.0).
For example, to assign the IP address and mask 192.168.1.1 255.255.255.0 to VLAN interface 200, enter:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# ip address 192.168.1.1 255.255.255.0
If you make a mistake while entering this command, you can reenter the command with the correct information.
To remove the IP address for the VLAN, use the no ip address command. For example, enter:
host1/Admin(config-if)# no ip address
Disabling and Enabling Traffic on Interfaces
When you configure an interface, the interface is in the shutdown state until you enable it. If you disable or reenable the interface within a context, only that context interface is affected.
To enable the interface, use the no shutdown command in interface configuration mode. For example, enter:
host1/Admin(config-if)# no shutdown
To disable a VLAN, use the shutdown command in interface configuration mode. The syntax of this command is as follows:
shutdown
For example, to disable VLAN 3, enter:
host1/Admin(config)# interface vlan 3
host1/Admin(config-if)# shutdown
Configuring the MTU for an Interface
The default maximum transmission unit (MTU) is a 1500-byte block for Ethernet interfaces. This value is sufficient for most applications, but you can pick a lower number if network conditions require this value (for example, to avoid fragmentation over IPSec tunnels) or a larger value (for example, for jumbo frames). Data that is larger than the MTU value is fragmented before being sent.
Caution
If you configure a Layer 7 policy map and set the maximum transmit unit (MTU) of the ACE server-side VLAN lower than the client maximum segment size (MSS), ensure that the maximum value of the MSS that you set for the ACE using the set tcp mss max command is at least 40 bytes (size of the TCP header plus options) less than the MTU of the ACE server-side VLAN. Otherwise, the ACE may discard incoming packets from the server.
To specify the MTU for an interface, use the mtu command in interface configuration mode. This command allows you to set the data size that is sent on a connection. The syntax of this command is as follows:
mtu bytes
The bytes argument is the number of bytes in the MTU. Enter a number from 64 to 9216 bytes. The default is 1500.
For example, to specify the MTU data size of 1000 for an interface:
host1/Admin(config-if)# mtu 1000
To reset the MTU block size to 1500 bytes, use the no mtu command. For example, enter:
host1/Admin(config-if)# no mtu
Configuring a Peer IP Address
When you configure redundancy, by default, configuration mode on the standby appliance is disabled and changes on an active appliance are automatically synchronized on the standby appliance. However, interface IP addresses on the active and standby appliances must be unique. To ensure that the addresses on the interfaces are unique, the IP address of an interface on the active appliance is synchronized on the standby appliance as the peer IP address.
To configure the IP address for an interface on a standby appliance, use the peer ip address command in interface configuration mode. The peer IP address on the active appliance is synchronized on the standby appliance as the interface IP address. The syntax of this command is as follows:
peer ip address ip_address mask
The ip_address mask arguments specify the IP address and mask for the peer ACE appliance. Enter the IP address and subnet mask in dotted-decimal notation (for example, 192.168.1.20 255.255.255.0).
Note
The peer IP address must be unique across multiple contexts on a shared VLAN.
For example, to configure an IP address and netmask of the peer appliance, enter:
host1/Admin(config-if)# peer ip address 192.168.1.20 255.255.255.0
To delete the IP address for the peer appliance, enter:
host1/Admin(config-if)# no peer ip address
Configuring an Alias IP Address
When you configure redundancy with active and standby appliances, you can configure a VLAN interface that has an alias IP address that is shared between the active and standby appliances. The alias IP address serves as a shared gateway for the two ACE appliances in a redundant configuration.
Note
You must configure redundancy (fault tolerance) on the ACE for the alias IP address to work. For more information on redundancy, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
The ACE also uses an alias IP address assigned to a VLAN to address a network device that you want to hide from the rest of the network. Typically, you assign alias IP addresses to VLANs with stealth firewalls so that the firewall remains invisible. An ACE uses the alias IP address configured on another ACE as the destination of the load-balancing process to direct flows through the firewalls. For details about configuring firewalls and firewall load balancing (FWLB) on the ACE, refer to the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide.
To configure an alias IP address, use the alias command in interface configuration mode. The syntax of this command is as follows:
alias ip_address netmask
The ip_address netmask arguments specify the alias IP address and subnet mask. Enter the IP address and subnet mask in dotted-decimal notation (for example, 192.168.1.30 255.255.255.0).
For example, to configure an alias IP address, enter:
host1/Admin(config-if)# alias 192.168.1.30 255.255.255.0
To remove an alias IP address, enter:
host1/Admin(config-if)# no alias 192.168.1.30 255.255.255.0
Enabling the Mac-Sticky Feature
The mac-sticky feature ensures that the ACE sends return traffic to the same upstream device through which the connection setup from the original client was received. When you enable this feature, the ACE uses the source MAC address from the first packet of a new connection to determine the device to send the return traffic. This guarantees that the ACE sends the return traffic for load-balanced connections to the same device originating the connection. By default, the ACE performs a route lookup to select the next hop to reach the client.
This feature is useful when the ACE receives traffic from Layer 2 and Layer 3 adjacent stateful devices, like firewalls and transparent caches, guaranteeing that it sends return traffic to the correct stateful device that sourced the connection without any requirement for source NAT. For more information on firewall load balancing, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
To enable the mac-sticky feature for a VLAN interface, use the mac-sticky enable command in interface configuration mode. By default, the mac-sticky feature is disabled on the ACE. The syntax of this command is:
mac-sticky enable
Note
You cannot use this command if you configure the ip verify reverse-path command. For information on the ip verify reverse-path command, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
For example, to enable the mac-sticky feature, enter:
host1/Admin(config-if)# mac-sticky enable
To disable the mac-sticky feature, use the no mac-sticky enable command. For example, enter:
host1/Admin(config-if)# no mac-sticky enable
Providing an Interface Description
You can provide a description for the interface by using the description command in interface configuration mode. The syntax of this command is as follows:
description text
The text argument is the description for the interface. Enter an unquoted text string that contains a maximum of 240 alphanumeric characters including spaces.
For example, to provide the description of POLICY MAP 3 FOR INBOUND AND OUTBOUND TRAFFIC, enter:
host1/Admin(config-if)# description POLICY MAP 3 FOR INBOUND AND OUTBOUND TRAFFIC
To remove the description for the interface, use the no description command. For example, enter:
host1/Admin(config-if)# no description
Configuring the UDP Booster Feature
When a network application requires very high UDP connection rates, configure the UDP booster feature. For detailed information concerning this feature and its configuration, see the Cisco 4700 Series Application Control Engine Appliance Server Load-Balancing Configuration Guide. To enable this feature, use the udp command in interface configuration mode. The syntax of this command is as follows:
udp {ip-source-hash | ip-destination-hash}
The keywords are as follows:
• ip-source-hash—Instructs the ACE to hash the source IP address of UDP packets that hit a source-hash VLAN interface prior to performing a connection match. Configure this keyword on a client-side interface.
• ip-destination-hash—Instructs the ACE to hash the destination IP address of UDP packets that hit a destination-hash VLAN interface prior to performing a connection match. Configure this keyword on a server-side interface.
For example, for a client-side interface, to enable the UDP hash forwarding on the source IP address of the UDP packets, enter:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# udp ip-source-hash
To disable this feature, enter:
host1/Admin(config-if)# no udp
Assigning a Policy Map to an Interface
When you assign a policy map to a VLAN interface, the ACE can use the map to evaluate all network traffic on the interface. For more information on configuring policy maps, see the Cisco 4700 Series Application Control Engine Appliance Administration Guide.
You can apply one or more policy maps to a VLAN interface or globally to all VLAN interfaces in the same context. A policy map activated on an interface overwrites any specified global policy maps for overlapping classifications and actions.
You can assign multiple policy maps on an interface. However, the ACE allows only one policy map to be active on an interface at a given time. The order in which you configure the policy maps on the ACE is important.
To assign a policy map to an interface, use the service-policy command in interface configuration mode for an individual interface, or use the service-policy command in configuration mode for all interfaces in the same context.
The syntax of this command is as follows:
service-policy input policy_name
The keyword and argument are as follows:
• input—Specifies that the traffic policy is to be attached to the inbound direction of an interface. The traffic policy evaluates all traffic received by that interface.
• policy_name—Previously configured policy map that you want to apply to the interface.
For example, to specify a VLAN interface and apply multiple service policies to a VLAN, enter:
host1/Admin(config)# interface vlan 50
host1/Admin(config-if)# service-policy input L4_SLB_POLICY
For example, to globally apply multiple service policies to all of the VLANs associated with a context, enter:
host1/Admin(config)# service-policy input L4_SLB_POLICY
To remove a traffic policy from a VLAN interface, enter:
host1/Admin(config-if)# no service-policy input L4_SLB_POLICY
To globally remove a traffic policy from all VLANs associated with a context, enter:
host1/Admin(config)# no service-policy input L4_SLB_POLICY
Applying an Access List to an Interface
To allow the traffic to pass on an interface, you must apply ACLs to a VLAN interface. You can apply one ACL of each type (extended, ICMP, or EtherType) to both directions of the interface. For more information about ACLs and ACL directions, see the Cisco 4700 Series Application Control Engine Appliance Security Configuration Guide.
For connectionless protocols, you must apply the ACL to the source and destination interfaces if you want traffic to pass in both directions. For example, to allow Border Gateway Protocol (BGP) in an ACL in transparent mode, you must apply the ACL to both interfaces.
To apply an ACL to the inbound or outbound direction of an interface and make the ACL active, use the access-group command in interface configuration mode.
The syntax of this command is as follows:
access-group {input | output} acl_name
The options and arguments are as follows:
• input—Specifies the inbound direction of the interface to apply the ACL.
• output—Specifies the outbound direction of the interface to apply the ACL.
• acl_name—Identifier of an existing ACL to apply to an interface.
For example, enter:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input INBOUND
To remove an ACL from an interface, use the no access-group command. For example, enter:
host1/Admin(config-if)# no access-group input INBOUND
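The interface rules stated in the preceding sections (VLAN and MTU ranges, the default shutdown state, unique subnets within a context, the mac-sticky restriction, unique peer addresses, and the ACL requirement) can be verified against a saved configuration. The following Python script is an added example, not part of the Cisco guide: it parses the interface vlan blocks of one context and reports each violation. The sample configuration and the finding names are constructed for the example.

```python
import ipaddress
import re

# Constructed sample of one context's interface configuration (not from a real device).
SAMPLE_CONFIG = """\
interface vlan 200
  ip address 192.168.1.1 255.255.255.0
  peer ip address 192.168.1.20 255.255.255.0
  mtu 1000
  access-group input INBOUND
  service-policy input SLB_OPTIMIZE_POLICY
  no shutdown
interface vlan 300
  ip address 192.168.1.129 255.255.255.128
  mac-sticky enable
  ip verify reverse-path
  mtu 32
  no shutdown
interface vlan 400
  ip address 10.10.10.1 255.255.255.0
  peer ip address 10.10.10.1 255.255.255.0
  access-group input INBOUND
"""

MTU_MIN, MTU_MAX = 64, 9216     # range given for the mtu command
VLAN_MIN, VLAN_MAX = 2, 4094    # range given for the interface vlan command


def parse_interfaces(config):
    """Return {vlan_number: [sub-command, ...]} for each 'interface vlan' block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = re.fullmatch(r"interface vlan\s+(\d+)", line)
        if header and not raw[0].isspace():
            current = interfaces.setdefault(int(header.group(1)), [])
        elif raw[0].isspace() and current is not None:
            current.append(line)      # indented line belongs to the open block
        else:
            current = None            # any other top-level command closes the block
    return interfaces


def _arg(cmds, prefix):
    """Return the argument string of the first sub-command starting with prefix."""
    for cmd in cmds:
        if cmd.startswith(prefix + " "):
            return cmd[len(prefix) + 1:].strip()
    return None


def _iface(text):
    """Turn 'address mask' in dotted-decimal notation into an IPv4Interface."""
    return ipaddress.ip_interface("/".join(text.split()))


def audit(config):
    """Return a sorted list of (vlan, finding, detail) tuples."""
    findings, routed = [], []
    for vlan, cmds in sorted(parse_interfaces(config).items()):
        def flag(code, detail):
            findings.append((vlan, code, detail))

        if not VLAN_MIN <= vlan <= VLAN_MAX:
            flag("vlan-range", f"VLAN numbers are {VLAN_MIN} to {VLAN_MAX}")
        if "no shutdown" not in cmds:
            flag("shutdown", "interface stays in the shutdown state until enabled")
        mtu = _arg(cmds, "mtu")
        if mtu is not None and not (mtu.isdigit() and MTU_MIN <= int(mtu) <= MTU_MAX):
            flag("mtu-range", f"mtu {mtu} is outside {MTU_MIN}-{MTU_MAX}")
        if "mac-sticky enable" in cmds and "ip verify reverse-path" in cmds:
            flag("sticky-vs-rpf", "mac-sticky cannot be used with ip verify reverse-path")
        # Data traffic needs an ACL; only remote management access is exempt.
        if not any(c.startswith("access-group ") for c in cmds):
            flag("no-acl", "no access-group applied, so traffic cannot pass")
        ip, peer = _arg(cmds, "ip address"), _arg(cmds, "peer ip address")
        if ip is None:
            continue                  # not routed; address checks do not apply
        iface = _iface(ip)
        if peer is not None and _iface(peer).ip == iface.ip:
            flag("peer-ip-not-unique", "peer ip address equals the local address")
        for other_vlan, other in routed:
            if iface.network.overlaps(other.network):
                flag("subnet-overlap",
                     f"{iface.network} overlaps VLAN {other_vlan} ({other.network})")
        routed.append((vlan, iface))
    return sorted(findings)


if __name__ == "__main__":
    for vlan, code, detail in audit(SAMPLE_CONFIG):
        print(f"vlan {vlan}: {code}: {detail}")
```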
Displaying Interface Information
You can display information for the interfaces by using the show interface command. This section contains the following topics:
• Displaying VLAN and BVI Information
• Displaying VLAN and BVI Summary Statistics
• Displaying the Internal Interface Manager Tables
You can display information for an Ethernet data port, Ethernet management port, or a port-channel virtual interface by using the show interface command. See Chapter 1, Configuring Ethernet Interfaces, for details.
Displaying VLAN and BVI Information
You can use the show interface command in Exec mode to display the details, statistics, or IP information for all or a specified VLAN or BVI interface. The syntax of this command is as follows:
show interface [bvi number | vlan number]
The bvi | vlan number options display the information for the specified VLAN or bridge-group virtual interface number.
If you enter the show interface command with no options, the ACE displays all VLAN and BVI interfaces. For example, enter:
host1/Admin# show interface
Table 2-2 describes the fields in the show interface command output.
Table 2-2 Field Descriptions for the show interface Command Output
Field | Description
VLAN_name/BVI_number is | Status of the specified VLAN or BVI: either up or down.
Hardware type is | Hardware type of the interface: either VLAN or BVI.
MAC address | MAC address of the system mapped to the IP address. Note that the BVI MAC address is the same address as an associated bridge-group VLAN address.
Mode | Mode associated with the VLAN or BVI. A bridge-group VLAN is displayed as transparent. A routed VLAN or BVI is displayed as routed. Otherwise, this field displays the value "unknown."
FT status | Status of whether the interface is redundant.
Description | Description for the VLAN or BVI.
MTU | Configured MTU in bytes.
Last cleared | Last time that the VLAN or BVI was cleared.
Alias IP address | Configured alias IP address.
Peer IP address | Configured peer IP address.
Virtual MAC address | MAC address used by the alias IP address and VIP address when the interface is in the redundant active state (displayed only if the interface is in this state).
# unicast packets input, # bytes | Total number of incoming unicast packets and number of bytes.
# multicast, # broadcast | Total number of incoming multicast and broadcast packets.
# input errors, # unknown, # ignored, # unicast RFP drops | Total number of errors for incoming packets, including numbers for packets that are unknown, ignored, and RFP drops.
# unicast packets output, # bytes | Total number of outgoing unicast packets and number of bytes.
# multicast, # broadcast | The total number of outgoing multicast and broadcast packets.
# output errors, # unknown | Number of errors for outgoing packets, including unknown packets.
Displaying VLAN and BVI Summary Statistics
You can use the show ip interface brief command in Exec mode to display a brief configuration and status summary of all interfaces or of a specified BVI or VLAN. The syntax of this command is as follows:
show ip interface brief [bvi number | vlan number]
The bvi | vlan number options display the information for the specified VLAN or bridge-group virtual interface number.
If you enter the show ip interface brief command with no options, the ACE displays all VLAN and BVI interfaces. For example, enter:
host1/Admin# show ip interface brief
Table 2-3 describes the fields in the show ip interface brief command output.
Table 2-3 Field Descriptions for the show ip interface brief Command Output
Field | Description
Interface | VLAN or bridge-group virtual interface number.
IP Address | IP address and mask for the VLAN interface.
Status | Status of the specified VLAN or BVI: either up or down.
Protocol | Status of the line protocol: either up or down.
Displaying the Internal Interface Manager Tables
You can display the internal interface manager tables and events by using the show interface internal command in Exec mode. The syntax of this command is as follows:
show interface internal {event-history {dbg | mts} | iftable [interface_name] | vlantable [vlan_number]}
The keywords and arguments are as follows:
• event-history {dbg | mts}—Displays the debug history (dbg) or message history (mts). This keyword is available in the Admin context only.
• iftable [interface_name]—Displays the master interface table. If you specify an interface name, the ACE displays the table information for that interface.
• vlantable [vlan_number]—Displays the VLAN table. If you specify an interface number, the ACE displays the table information for that interface.
Note
The show interface internal command is used for debugging purposes. The output for this command is for use by trained Cisco personnel as an aid in debugging and troubleshooting the ACE. For information on the command syntax, see the Cisco 4700 Series Application Control Engine Appliance Command Reference.
For example, to display the interface internal debug event history starting with the most recent event, enter:
host1/Admin# show interface internal event-history dbg
To display the interface internal message event history starting with the most recent event, enter:
host1/Admin# show interface internal event-history mts
To display the master interface table, enter:
host1/Admin# show interface internal iftable
To display the master VLAN table, enter:
host1/Admin# show interface internal vlantable
Clearing Interface Statistics
You can clear the statistics displayed through the show interface command by using the clear interface command in Exec mode. The syntax of this command is as follows:
clear interface [vlan number | bvi number]
If you do not enter an option and argument, the statistics for all VLANs and BVIs are set to zero. The options and arguments are as follows:
• vlan number—Clears the statistics for the specified VLAN.
• bvi number—Clears the statistics for the specified BVI. Statistics are not collected for BVI interfaces. The packets are counted against the underlying bridged (Layer 2) interfaces.
For example, to clear the statistics for VLAN 10, enter:
host1/Admin# clear interface vlan 10
Note
If you configure redundancy, you must explicitly clear the statistics (hit counts) on both the active and the standby ACEs. If you clear the statistics on the active appliance only, the standby appliance statistics remain at the old values.