Table Of Contents
Configuring VLAN Interfaces
Configuring VLANs for the ACE Using Cisco IOS Software
Creating VLAN Groups Using Cisco IOS Software
Assigning VLAN Groups to the ACE through Cisco IOS Software
Adding Switched Virtual Interfaces to the MSFC
Allocating VLANs to a User Context
Configuring a Bank of MAC Addresses for Shared VLANs
Configuring VLAN Interfaces on the ACE
Assigning IP Addresses to Interfaces for Routing Traffic
Disabling and Enabling Traffic on Interfaces
Configuring the MTU for an Interface
Configuring a Peer IP Address
Configuring an Alias IP Address
Enabling the Mac-Sticky Feature
Providing an Interface Description
Assigning a Policy Map to an Interface
Applying an Access List to an Interface
Displaying Interface Information
Displaying VLAN and BVI Information
Displaying the Interface Ethernet Out-of-band channel (eobc) Information
Displaying the Internal Interface Manager Tables
Displaying ACE VLANs Downloaded from the Supervisor
Displaying Private VLAN Information
Clearing Interface Statistics
Configuring VLAN Interfaces
The ACE module does not include any external physical interfaces to receive traffic from clients and servers. Instead, it uses internal VLAN interfaces. You assign VLANs from the supervisor to the ACE. After the VLANs are assigned to the ACE, you can configure the corresponding VLAN interfaces on the ACE as either routed or bridged for use. When you configure an IP address on an interface, the ACE automatically makes it a routed mode interface.
Similarly, when you configure a bridge group on an interface VLAN, the ACE automatically makes it a bridged interface. Then, you associate a bridge-group virtual interface (BVI) with the bridge group. For more information on bridged groups and BVIs, see Chapter 3, Bridging Traffic.
The ACE also supports shared VLANs, which are multiple interfaces in different contexts on the same VLAN within the same subnet. Only routed interfaces can share VLANs. Note that there is no routing across contexts even when shared VLANs are configured.
The ACE supports a maximum of 4,093 VLANs per system and a maximum of 1,024 shared VLANs per system.
Note
The ACE supports a maximum of 8,192 interfaces per system that include VLANs, shared VLANs, and BVI interfaces.
This chapter contains the following major sections:
• Configuring VLANs for the ACE Using Cisco IOS Software
• Allocating VLANs to a User Context
• Configuring a Bank of MAC Addresses for Shared VLANs
• Configuring VLAN Interfaces on the ACE
• Displaying Interface Information
• Clearing Interface Statistics
Configuring VLANs for the ACE Using Cisco IOS Software
For the ACE to receive traffic from the supervisor in the Catalyst 6500 series switch, you must create VLAN groups on the supervisor, and then assign the groups to the ACE. After the VLAN groups are assigned to the ACE on the supervisor, you can configure the VLAN interfaces on the ACE. By default, all VLANs are allocated to the Admin context on the ACE.
This section contains the following topics:
• Creating VLAN Groups Using Cisco IOS Software
• Assigning VLAN Groups to the ACE through Cisco IOS Software
• Adding Switched Virtual Interfaces to the MSFC
Creating VLAN Groups Using Cisco IOS Software
In Cisco IOS software, you can create one or more VLAN groups, and then assign the groups to the ACE. For example, you can assign all the VLANs to one group, or you can create an inside group and an outside group, or you can create a group for each customer.
You cannot assign the same VLAN to multiple groups. However, you can assign multiple groups to an ACE, up to a maximum of 16 groups. VLANs that you want to assign to multiple ACEs, for example, can reside in a separate group from VLANs that are unique to each ACE.
To assign VLANs to a group using Cisco IOS software on the supervisor engine, use the svclc vlan-group command. The syntax for this command is:
svclc vlan-group group_number vlan_range
The arguments are:
• group_number—The number of the VLAN group.
• vlan_range—One or more VLANs (2 to 1000 and 1025 to 4094) identified in one of the following ways:
  – A single number (n)
  – A range (n-x)
Separate numbers or ranges by commas, for example:
For example, to create three VLAN groups, 50 with a VLAN range of 55 to 57, 51 with a VLAN range of 75 to 86, and 52 with VLAN 100, enter the following commands:
Router(config)# svclc vlan-group 50 55-57
Router(config)# svclc vlan-group 51 75-86
Router(config)# svclc vlan-group 52 100
Assigning VLAN Groups to the ACE through Cisco IOS Software
The ACE cannot receive traffic from the supervisor unless VLAN groups are assigned to it. To assign the VLAN groups to the ACE using Cisco IOS software on the supervisor engine, use the svc module command in configuration mode. The syntax for this command is:
svc module slot_number vlan-group group_number_range
The arguments are:
• slot_number—The slot number where the ACE resides. To display slot numbers and the modules in the chassis, use the show module command in Exec mode. The ACE appears as the Application Control Engine Module in the Card Type field.
• group_number_range—One or more group numbers identified in one of the following ways:
  – A single number (n)
  – A range (n-x)
Separate numbers or ranges by commas, for example:
For example, to assign VLAN-groups 50 and 52 to the ACE in slot 5, and VLAN-group 51 and 52 to the ACE in slot 8, enter:
Router(config)# svc module 5 vlan-group 50,52
Router(config)# svc module 8 vlan-group 51,52
To view the group configuration for the ACE and the associated VLANs, use the show svclc vlan-group command. For example, enter:
Router# show svclc vlan-group
To view VLAN group numbers for all modules, use the show svclc module command. For example, enter:
Note
On the ACE, use the show vlans command in Exec mode from the Admin context to display the ACE VLANs downloaded from supervisor.
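The limits stated in the two sections above (VLAN numbers 2 to 1000 and 1025 to 4094, one group per VLAN, at most 16 groups per ACE) can be checked before a change reaches the supervisor. The following Python linter is an added example, not Cisco code; the sample configuration is constructed, and flagging a reference to an undefined group is an assumption of the example.

```python
import re
from collections import defaultdict

MAX_GROUPS_PER_ACE = 16  # the page's limit on groups assigned to one ACE

# Constructed supervisor configuration (not from the page): VLAN 57 sits in two
# groups, group 53 holds a VLAN outside the documented ranges, and slot 8
# references a group that is never defined.
SAMPLE_CONFIG = """\
Router(config)# svclc vlan-group 50 55-57
Router(config)# svclc vlan-group 51 57,75-86
Router(config)# svclc vlan-group 52 100
Router(config)# svclc vlan-group 53 1001,2000
Router(config)# svc module 5 vlan-group 50,52
Router(config)# svc module 8 vlan-group 51,52,60
"""


def expand(spec):
    """Expand '50,52' or '55-57,100' into a set of integers."""
    values = set()
    for part in filter(None, (p.strip() for p in spec.split(","))):
        lo, _, hi = part.partition("-")
        values.update(range(int(lo), int(hi or lo) + 1))
    return values


def vlan_allowed(vlan):
    """VLAN numbers the page documents for svclc vlan-group."""
    return 2 <= vlan <= 1000 or 1025 <= vlan <= 4094


def parse_supervisor(config):
    """Return ({group: VLANs}, {slot: groups}); a CLI prompt prefix is tolerated."""
    groups, modules = defaultdict(set), defaultdict(set)
    for line in config.splitlines():
        m = re.search(r"svclc vlan-group (\d+) ([\d,-]+)\s*$", line)
        if m:
            groups[int(m.group(1))] |= expand(m.group(2))
        m = re.search(r"svc module (\d+) vlan-group ([\d,-]+)\s*$", line)
        if m:
            modules[int(m.group(1))] |= expand(m.group(2))
    return groups, modules


def lint_supervisor(config):
    """Return a list of findings for the VLAN group configuration."""
    groups, modules = parse_supervisor(config)
    findings, owners = [], defaultdict(list)
    for group, vlans in sorted(groups.items()):
        for vlan in sorted(vlans):
            owners[vlan].append(group)
            if not vlan_allowed(vlan):
                findings.append(f"group {group}: VLAN {vlan} is outside 2-1000 and 1025-4094")
    for vlan, in_groups in sorted(owners.items()):
        if len(in_groups) > 1:
            findings.append(f"VLAN {vlan} is assigned to groups {in_groups}")
    for slot, assigned in sorted(modules.items()):
        if len(assigned) > MAX_GROUPS_PER_ACE:
            findings.append(f"slot {slot}: {len(assigned)} groups exceeds {MAX_GROUPS_PER_ACE}")
        for group in sorted(assigned - set(groups)):
            findings.append(f"slot {slot}: group {group} is not defined")
    return findings


def vlans_for_slot(config, slot):
    """VLANs the ACE in the given slot would receive from the supervisor."""
    groups, modules = parse_supervisor(config)
    return set().union(*(groups.get(g, set()) for g in modules.get(slot, ())))


if __name__ == "__main__":
    for finding in lint_supervisor(SAMPLE_CONFIG):
        print(finding)
    print("slot 5 receives", sorted(vlans_for_slot(SAMPLE_CONFIG, 5)))
```

The result of vlans_for_slot can be compared with the output of show vlans on the ACE to confirm that the module received exactly the VLANs that were intended.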
Adding Switched Virtual Interfaces to the MSFC
A VLAN defined on the MSFC is called a switched virtual interface (SVI). If you assign the VLAN used for the SVI to the ACE, then the MSFC routes between the ACE and other Layer 3 VLANs. By default, only one SVI can exist between the MSFC and the ACE. However, for multiple contexts, you may need to configure multiple SVIs for unique VLANs on each context.
To add an SVI to the MSFC and configure it with a VLAN assigned to the ACE, perform the following steps:
1. (Optional) If you need to add more than one SVI to the ACE, enter the following command:
Router(config)# svclc multiple-vlan-interfaces
2. To add a VLAN interface to the MSFC, use the interface vlan command. For example, to add VLAN 55, enter:
Router(config)# interface vlan 55
3. To set the IP address for this interface on the MSFC, use the ip address command. For example, to set the address 10.1.1.1 255.255.255.0, enter:
Router(config-if)# ip address 10.1.1.1 255.255.255.0
4. To enable the interface, use the no shut command. For example, enter:
Router(config-if)# no shut
Note
To monitor any VLAN that is associated with more than two trunk ports, physical ports, or trunk-physical ports on the supervisor, enable the autostate feature using the svclc autostate command. When you associate a VLAN to these ports, this feature declares that the VLAN is in the UP state. When a VLAN state change occurs on the supervisor, this feature sends notification to the ACE to bring the interface up or down.
To view this SVI configuration, use the show interface vlan command. For example, enter:
Allocating VLANs to a User Context
By default, all VLANs assigned to the ACE are available at the Admin context. To view the VLANs assigned from the supervisor to the ACE, use the show vlans command in Exec mode from the Admin context.
If you try to configure a VLAN on a context that has not been allocated to it, the following error message is displayed:
Error: invalid input parameter <<<<<<<<<<<<<
At the Admin context, you can assign a VLAN to a user context. VLANs can be shared across multiple contexts. However, the ACE only supports 1,024 shared VLANs per system.
Note
When a VLAN is shared in multiple contexts, the IP addresses across contexts must be unique. The interfaces must be on the same subnet. To classify traffic on multiple contexts, the same VLAN across contexts will have different MAC addresses. There is no routing across contexts even if you configure shared VLANs.
To assign VLAN interfaces to the context, access the context mode and use the allocate-interface vlan command in configuration mode. The syntax for the command is:
allocate-interface vlan vlan_number
The vlan_number argument is the number of a VLAN or a range of VLANs assigned to the ACE.
Note
The ACE allows you to assign a VLAN number to a context even if the VLAN has not been assigned from the supervisor to the ACE. You can configure the VLAN in the context; however, the VLAN cannot receive traffic until it is assigned from the supervisor to the ACE.
For example, to assign VLAN 10 to context A, enter:
host1/Admin(config)# context A
host1/Admin(config-context)# allocate-interface vlan 10
To allocate an inclusive range of VLANs from VLAN 100 through VLAN 200 to a context, enter:
host1/Admin(config-context)# allocate-interface vlan 100-200
To remove a VLAN from a user context, use the no allocate-interface vlan command in context configuration mode. For example, enter:
host1/Admin(config)# context A
host1/Admin(config-context)# no allocate-interface vlan 10
Note
You cannot deallocate a VLAN from a user context if the VLAN is currently in use on that context.
To remove a range of VLANs from a context, enter:
host1/Admin(config-context)# no allocate-interface vlan 100-200
Configuring a Bank of MAC Addresses for Shared VLANs
When contexts share a VLAN, the ACE assigns a different MAC address to the VLAN on each context. The MAC addresses reserved for shared VLANs are 0x001243dc6b00 to 0x001243dcaaff, inclusive. All ACE modules derive these addresses from a global pool of 16k MAC addresses. This pool is divided into 16 banks, each containing 1,024 addresses. Thus, there can be 16 ACEs per subnet.
Each ACE supports 1,024 shared VLANs, and uses only one bank of MAC addresses out of the pool. Thus, a shared MAC address is associated with a shared VLAN interface.
By default, the bank of MAC addresses that the ACE uses is randomly selected at boot time. However, if you configure two ACE modules in the same Layer 2 network and they are using shared VLANs, the ACEs may select the same address bank, resulting in the use of the same MAC addresses. To avoid this conflict, you need to configure the bank that the ACEs will use.
To configure a specific bank of MAC addresses for an ACE, use the shared-vlan-hostid command in configuration mode in the Admin context. The syntax for this command is:
shared-vlan-hostid number
The number argument indicates the bank of MAC addresses that the ACE uses. Enter a number from 1 to 16. For example, to configure bank 2 of MAC addresses, enter:
host1/Admin(config)# shared-vlan-hostid 2
To remove the configured bank of MAC addresses and allow the ACE to randomly select a bank, use the no shared-vlan-hostid command. For example, enter:
host1/Admin(config)# no shared-vlan-hostid
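The shared-VLAN rules from the previous section (unique IP addresses on the same subnet across contexts) and the bank collision described in this one can both be audited from configuration text. The following Python sketch is an added example, not Cisco code; the module names, context layout and addresses are constructed, and it assumes that every module passed in sits in the same Layer 2 network and that only explicit allocate-interface lines define sharing.

```python
import ipaddress
import re
from collections import defaultdict

MAX_SHARED_VLANS = 1024  # shared VLANs per system, from the page
VALID_BANKS = range(1, 17)  # shared-vlan-hostid accepts 1 to 16

# Constructed Admin-context configurations for two ACE modules that are assumed
# to be in the same Layer 2 network. Module and context names are hypothetical.
ADMIN_CONFIGS = {
    "ace-slot5": """\
shared-vlan-hostid 2
context A
  allocate-interface vlan 10
  allocate-interface vlan 100-102
context B
  allocate-interface vlan 101-102
""",
    "ace-slot8": """\
context C
  allocate-interface vlan 300
context D
  allocate-interface vlan 300
""",
}

# Constructed interface addresses on ace-slot5, keyed by (context, VLAN).
ADDRESSES = {
    ("A", 101): "192.168.1.1 255.255.255.0",
    ("B", 101): "192.168.1.1 255.255.255.0",  # same IP as context A
    ("A", 102): "10.2.0.1 255.255.255.0",
    ("B", 102): "10.3.0.1 255.255.255.0",  # different subnet from context A
}


def parse_admin(config):
    """Return (shared-vlan-hostid or None, {context: allocated VLANs})."""
    hostid, context, allocations = None, None, defaultdict(set)
    for raw in config.splitlines():
        line = raw.strip()
        bank = re.fullmatch(r"shared-vlan-hostid (\d+)", line)
        ctx = re.fullmatch(r"context (\S+)", line)
        alloc = re.fullmatch(r"allocate-interface vlan (\d+)(?:-(\d+))?", line)
        if bank:
            hostid = int(bank.group(1))
        elif ctx:
            context = ctx.group(1)
        elif alloc and context:
            first, last = int(alloc.group(1)), int(alloc.group(2) or alloc.group(1))
            allocations[context].update(range(first, last + 1))
    return hostid, allocations


def shared_vlans(allocations):
    """VLANs allocated to more than one context, as {vlan: [contexts]}."""
    users = defaultdict(list)
    for context, vlans in sorted(allocations.items()):
        for vlan in vlans:
            users[vlan].append(context)
    return {v: c for v, c in sorted(users.items()) if len(c) > 1}


def check_addresses(shared, addresses):
    """Shared-VLAN interfaces need unique IP addresses on the same subnet."""
    findings = []
    for vlan, contexts in shared.items():
        ifaces = [ipaddress.ip_interface(addresses[(c, vlan)].replace(" ", "/"))
                  for c in contexts if (c, vlan) in addresses]
        if len({i.ip for i in ifaces}) < len(ifaces):
            findings.append(f"VLAN {vlan}: IP address reused across contexts")
        if len({i.network for i in ifaces}) > 1:
            findings.append(f"VLAN {vlan}: contexts are on different subnets")
    return findings


def check_banks(admin_configs):
    """Modules using shared VLANs need distinct, explicitly set MAC banks."""
    findings, used = [], {}
    for module, config in sorted(admin_configs.items()):
        hostid, allocations = parse_admin(config)
        shared = shared_vlans(allocations)
        if len(shared) > MAX_SHARED_VLANS:
            findings.append(f"{module}: {len(shared)} shared VLANs exceeds {MAX_SHARED_VLANS}")
        if not shared:
            continue  # no shared VLANs, so no shared MAC addresses in use
        if hostid is None:
            findings.append(f"{module}: no shared-vlan-hostid, bank is picked at random at boot")
        elif hostid not in VALID_BANKS:
            findings.append(f"{module}: bank {hostid} is outside 1-16")
        elif hostid in used:
            findings.append(f"{module}: bank {hostid} is also configured on {used[hostid]}")
        else:
            used[hostid] = module
    return findings


if __name__ == "__main__":
    _, allocations = parse_admin(ADMIN_CONFIGS["ace-slot5"])
    for finding in check_addresses(shared_vlans(allocations), ADDRESSES):
        print(finding)
    for finding in check_banks(ADMIN_CONFIGS):
        print(finding)
```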
Configuring VLAN Interfaces on the ACE
To configure a VLAN interface and access its mode to configure its attributes, use the interface vlan command in configuration mode for the context. The syntax for the command is:
interface vlan number
The number argument is the VLAN number you want to assign to the interface. VLAN numbers are 2 to 4094. For example, to create VLAN 200, enter:
host1/Admin(config)# interface vlan 200
To remove a VLAN, use the no interface vlan command. For example, enter:
host1/Admin(config)# no interface vlan 200
Note
For security reasons, the ACE does not allow pings from an interface on a VLAN on one side of the ACE through the module to an interface on a different VLAN on the other side of the module. For example, a host can ping the ACE address that is on the IP subnet using the same VLAN as the host, but cannot ping IP addresses configured on other VLANs on the ACE.
For information on attributes to configure on a VLAN, see the following sections:
• Assigning IP Addresses to Interfaces for Routing Traffic
• Disabling and Enabling Traffic on Interfaces
• Configuring the MTU for an Interface
• Configuring a Peer IP Address
• Configuring an Alias IP Address
• Enabling the Mac-Sticky Feature
• Providing an Interface Description
• Assigning a Policy Map to an Interface
• Applying an Access List to an Interface
Note
The ACE requires a route back to the client before it can forward a request to a server. If the route back is not present, the ACE cannot establish a flow and drops the client request. Make sure that you configure the appropriate routing to the client network on the ACE VLAN where the client traffic enters the ACE module.
Additional configurations and commands are available on a VLAN interface that are not documented in this chapter. These configurations are:
• Remote network management. See the Cisco Application Control Engine Module Administration Guide.
• Default and static routes. See Chapter 2, Configuring Routes on the ACE.
• Bridge parameters including the interface bvi command. See Chapter 3, Bridging Traffic.
• ARP. See Chapter 4, Configuring ARP.
• DHCP. See Chapter 5, Configuring the DHCP Relay.
• Policy and class maps, and SNMP management for VLANs, and fault-tolerant VLANs. See the Cisco Application Control Engine Module Administration Guide.
• Load-balancing traffic including stealth firewall load balancing. See the Cisco Application Control Engine Module Server Load-Balancing Configuration Guide.
• ACLs, Network Address Translation (NAT), IP fragment reassembly, and IP normalization. See the Cisco Application Control Engine Module Security Configuration Guide.
Assigning IP Addresses to Interfaces for Routing Traffic
When you assign an IP address to a VLAN interface, the ACE automatically makes it a routed mode interface. To assign an IP address to a VLAN interface, use the ip address command in interface configuration mode. The syntax for the command is:
ip address ip_address netmask
The ip_address netmask arguments specify the IP address and netmask for the VLAN interface. Enter the IP address and subnet mask in dotted-decimal notation (for example, 192.168.1.1 255.255.255.0).
Note
Secondary IP addresses are not supported on any ACE interfaces.
In a single context, each interface address must be on a unique subnet and cannot overlap. However, the IP subnet can overlap an interface in different contexts.
Across multiple contexts on a shared VLAN, the IP address must be unique. On a non-shared VLAN, the IP address can be the same.
For example, to set the IP address of 192.168.1.1 255.255.255.0 for VLAN interface 200, enter the following command:
host1/Admin(config)# interface vlan 200
host1/Admin(config-if)# ip address 192.168.1.1 255.255.255.0
If you make a mistake while entering this command, you can reenter the command with the correct information.
Note
Routed and bridged mode requires ACLs to allow the passing of traffic. To apply an ACL to the inbound or outbound direction of an interface and make the ACL active, use the access-group command in interface configuration mode for the VLAN, as described in the "Applying an Access List to an Interface" section. For more information on configuring ACLs, see the Cisco Application Control Engine Module Security Configuration Guide.
To configure remote network management access on an interface, the interface does not require an ACL. However, it does require a class map and policy map configuration. For information on configuring remote access to the ACE, see the Cisco Application Control Engine Module Administration Guide.
To remove the IP address for the VLAN, use the no ip address command. For example, enter:
host1/Admin(config-if)# no ip address
Disabling and Enabling Traffic on Interfaces
When you configure an interface, the interface is in the shutdown state until you enable it. If you disable or reenable the interface within a context, only that context interface is affected.
To enable the interface, use the no shutdown command in interface configuration mode. For example, enter:
host1/Admin(config-if)# no shutdown
To disable a VLAN, use the shutdown command in interface configuration mode. The syntax for the command is:
shutdown
For example, to disable VLAN 3, enter:
host1/Admin(config)# interface vlan 3
host1/Admin(config-if)# shutdown
Configuring the MTU for an Interface
The default MTU is 1500 bytes in a block for Ethernet interfaces. This value is sufficient for most applications, but you can pick a lower number if network conditions require. Data that is larger than the MTU value is fragmented before being sent.
To specify the MTU for an interface, use the mtu command in interface configuration mode. This command allows you to set the data size that is sent on a connection. The syntax for this command is:
mtu bytes
The bytes argument is the number of bytes in the MTU. Enter a number from 64 to 9216 bytes. The default is 1500.
For example, to specify the MTU data size of 1000 for an interface, enter:
host1/Admin(config-if)# mtu 1000
To reset the MTU block size to 1500 bytes, use the no mtu command. For example, enter:
host1/Admin(config-if)# no mtu
Configuring a Peer IP Address
When configuring redundancy, by default, configuration mode on the standby module is disabled and changes on an active module are automatically synchronized on the standby module. However, interface IP addresses on the active and standby modules must be unique. To ensure that the addresses on the interfaces are unique, the IP address of an interface on the active module is synchronized on the standby module as the peer IP address.
To configure the IP address for an interface on a standby module, use the peer ip address command in interface configuration mode. The peer IP address on the active module is synchronized on the standby module as the interface IP address. The syntax for the command is:
peer ip address ip_address netmask
The ip_address netmask arguments are the address and subnet netmask for the peer module. Enter the IP address and subnet mask in dotted-decimal notation (for example, 192.168.1.1 255.255.255.0).
Note
Across multiple contexts on a shared VLAN, the peer IP address must be unique.
For example, to configure an IP address and netmask of the peer module, enter:
host1/Admin(config-if)# peer ip address 11.0.0.81 255.0.0.0
To delete the IP address for the peer module, enter:
host1/Admin(config-if)# no peer ip address
Configuring an Alias IP Address
When configuring a redundant configuration with active and standby modules, you can configure a VLAN interface that has an alias IP address that floats between active and standby modules. The alias IP address serves as a shared gateway for the two ACE modules in a redundant configuration.
Note
You must configure redundancy (fault tolerance) on the ACE for the alias IP address to work. For more information on redundancy, see the Cisco Application Control Engine Module Administration Guide.
To configure an alias IP address, use the alias command in interface configuration mode. The syntax of this command is:
alias ip_address netmask
The ip_address netmask arguments specify the IP address and netmask for the VLAN interface. Enter the IP address and subnet mask in dotted-decimal notation (for example, 192.168.1.1 255.255.255.0).
For example, to configure an alias IP address, enter:
host1/Admin(config-if)# alias 192.168.12.15 255.255.255.0
To remove an alias IP address, enter:
host1/Admin(config-if)# no alias 192.168.12.15 255.255.255.0
Enabling the Mac-Sticky Feature
The mac-sticky feature ensures that the ACE sends return traffic to the same upstream device through which the connection setup from the original client was received. When you enable this feature, the ACE uses the source MAC address from the first packet of a new connection to determine the device to send the return traffic. This guarantees that the ACE sends the return traffic for load-balanced connections to the same device originating the connection. By default, the ACE performs a route lookup to select the next hop to reach the client.
This feature is useful when the ACE receives traffic from Layer-2/Layer-3 adjacent stateful devices, like firewalls and transparent caches, guaranteeing that it sends return traffic to the correct stateful device that sourced the connection without any requirement for source NAT. For more information on firewall load balancing, see the Cisco Application Control Engine Module Security Configuration Guide.
To enable the mac-sticky feature for a VLAN interface, use the mac-sticky enable command in interface configuration mode. By default, the mac-sticky feature is disabled on the ACE. The syntax for this command is:
mac-sticky enable
Note
You cannot use this command if you configure the ip verify reverse-path command. For information on the ip verify reverse-path command, see the Cisco Application Control Engine Module Security Configuration Guide.
For example, to enable the mac-sticky feature, enter:
host1/Admin(config-if)# mac-sticky enable
To disable the mac-sticky feature, use the no mac-sticky enable command. For example, enter:
host1/Admin(config-if)# no mac-sticky enable
Providing an Interface Description
To provide a description for the interface, use the description command in interface configuration mode. The syntax for the command is:
description text
The text argument is the description for the interface. Enter an unquoted text string containing a maximum of 240 characters including spaces.
For example, to provide the description of POLICY MAP 3 FOR INBOUND AND OUTBOUND TRAFFIC, enter:
host1/Admin(config-if)# description POLICY MAP 3 FOR INBOUND AND OUTBOUND TRAFFIC
To remove the description for the interface, use the no description command. For example, enter:
host1/Admin(config-if)# no description
Assigning a Policy Map to an Interface
When you assign a policy map to a VLAN interface, the ACE can use the map to evaluate all network traffic on the interface. For more information on configuring policy maps, see the Cisco Application Control Engine Module Administration Guide.
You can apply one or more policy maps to a VLAN interface or globally to all VLAN interfaces in the same context. A policy map activated on an interface overwrites any specified global policy maps for overlapping classification and actions.
You can assign multiple policy maps on an interface. However, the ACE allows only one policy map to be active on an interface at a given time. The order in which you configure the policy maps on the ACE is important.
To assign a policy map to an interface, use the service-policy command in interface configuration mode for an individual interface, or in configuration mode for all interfaces in the same context. The syntax for the command is:
service-policy input policy_name
The keyword and argument are:
• input—Specifies that the traffic policy is to be attached to the inbound direction of an interface. The traffic policy evaluates all traffic received by that interface.
• policy_name—A previously configured policy map that you want to apply to the interface.
For example, to assign the L4_SLB_POLICY policy map for inbound traffic to the VLAN 3, enter:
host1/Admin(config)# interface vlan 3
host1/Admin(config-if)# service-policy input L4_SLB_POLICY
To remove a policy map from an interface, use the no service-policy command. For example, enter:
host1/Admin(config-if)# no service-policy input L4_SLB_POLICY
Applying an Access List to an Interface
To allow the passing of traffic on an interface, you must apply ACLs to a VLAN interface. You can apply one ACL of each type (extended, ICMP, or EtherType) to both directions of the interface. For more information about ACLs and ACL directions, see the Cisco ACE Security Configuration Guide.
For connectionless protocols, you need to apply the ACL to the source and destination interfaces if you want traffic to pass in both directions. For example, to allow BGP in an ACL in transparent mode, you need to apply the ACL to both interfaces.
To apply an ACL to the inbound or outbound direction of an interface and make the ACL active, use the access-group command in interface configuration mode.
The syntax of this command is:
access-group {input | output} acl_name
The options and arguments are:
• input—Specifies the inbound direction of the interface to apply the ACL
• output—Specifies the outbound direction of the interface to apply the ACL
• acl_name—Identifier of an existing ACL to apply to an interface
For example, enter:
host1/Admin(config)# interface vlan 100
host1/Admin(config-if)# access-group input INBOUND
To remove an ACL from an interface, use the no access-group command. For example, enter:
host1/Admin(config-if)# no access-group input INBOUND
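Several per-interface rules from the sections above can be checked together against a context's configuration: an enabled interface needs an access-group to pass traffic, mac-sticky enable cannot be combined with ip verify reverse-path, the MTU must be 64 to 9216, descriptions are limited to 240 characters, and subnets within one context must not overlap. The following Python linter is an added example, not Cisco code; the configuration fragment is constructed, and the indented stanza layout with an explicit no shutdown line is an assumption about how the configuration is stored.

```python
import ipaddress
import re

MTU_RANGE = range(64, 9217)  # mtu accepts 64 to 9216 bytes
MAX_DESCRIPTION = 240  # characters, including spaces

# Constructed running-config fragment for one context (not from the page).
SAMPLE_CONTEXT = """\
interface vlan 100
  description client side
  ip address 192.168.1.1 255.255.255.0
  access-group input INBOUND
  service-policy input L4_SLB_POLICY
  no shutdown
interface vlan 200
  ip address 192.168.1.129 255.255.255.128
  mac-sticky enable
  ip verify reverse-path
  mtu 9300
  no shutdown
interface vlan 300
  ip address 10.0.0.1 255.0.0.0
  access-group input INBOUND
"""


def parse_interfaces(config):
    """Return {vlan: [stanza lines]} for every 'interface vlan' block."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        header = re.fullmatch(r"interface vlan (\d+)", raw.strip())
        if header:
            current = interfaces.setdefault(int(header.group(1)), [])
        elif raw[:1].isspace() and current is not None:
            current.append(raw.strip())
        else:
            current = None  # left the interface stanza
    return interfaces


def lint_context(config):
    """Return (vlan, message) findings for one context's VLAN interfaces."""
    findings, seen_networks = [], []
    for vlan, lines in sorted(parse_interfaces(config).items()):
        # Interfaces stay in the shutdown state until explicitly enabled.
        enabled = "no shutdown" in lines
        if enabled and not any(ln.startswith("access-group ") for ln in lines):
            findings.append((vlan, "enabled without an access-group (ACLs are required to pass traffic)"))
        if "mac-sticky enable" in lines and "ip verify reverse-path" in lines:
            findings.append((vlan, "mac-sticky enable conflicts with ip verify reverse-path"))
        for line in lines:
            mtu = re.fullmatch(r"mtu (\d+)", line)
            addr = re.fullmatch(r"ip address (\S+) (\S+)", line)
            if mtu and int(mtu.group(1)) not in MTU_RANGE:
                findings.append((vlan, f"mtu {mtu.group(1)} is outside 64-9216"))
            if line.startswith("description ") and len(line) - len("description ") > MAX_DESCRIPTION:
                findings.append((vlan, "description is longer than 240 characters"))
            if addr:
                # Within a single context, interface subnets must not overlap.
                net = ipaddress.ip_interface(f"{addr.group(1)}/{addr.group(2)}").network
                for other_vlan, other in seen_networks:
                    if net.overlaps(other):
                        findings.append((vlan, f"subnet {net} overlaps VLAN {other_vlan} ({other})"))
                seen_networks.append((vlan, net))
    return findings


if __name__ == "__main__":
    for vlan, message in lint_context(SAMPLE_CONTEXT):
        print(f"interface vlan {vlan}: {message}")
```

An interface used only for remote network management does not require an ACL, so the first finding is a prompt to review rather than a definite error.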
Displaying Interface Information
You can display information for the interfaces through the show interface command as described in the following sections:
• Displaying VLAN and BVI Information
• Displaying the Interface Ethernet Out-of-band channel (eobc) Information
• Displaying the Internal Interface Manager Tables
• Displaying ACE VLANs Downloaded from the Supervisor
• Displaying Private VLAN Information
Displaying VLAN and BVI Information
The show interface command in Exec mode displays the details, statistics, or IP information for all or a specified VLAN or BVI interface. The syntax for this command is:
show interface [bvi | vlan {number}]
The bvi | vlan number options display the information for the specified VLAN or bridge-group virtual interface number.
If you enter the show interface command with no options, the ACE displays all VLAN and BVI interfaces. For example, enter:
host1/Admin# show interface
Table 1-1 describes the fields for the show interface command output.
Table 1-1 Field Descriptions for the show interface Command Output

| Field | Description |
|---|---|
| VLAN_name/BVI_number is | Whether the specified VLAN or BVI is up or down. |
| Hardware type is | This field indicates that the interface is a VLAN or BVI. |
| MAC address | The MAC address of the system mapped to the IP address. Note that the BVI MAC address is the same address as an associated bridge-group VLAN address. |
| Mode | The mode associated with the VLAN or BVI. A bridge-group VLAN is displayed as transparent. A routed VLAN or BVI is displayed as routed. Otherwise, this field displays unknown. |
| FT status | Whether the interface is redundant. |
| Description | The description for the VLAN or BVI. |
| MTU | The configured MTU in bytes. |
| Last cleared | The last time that the VLAN or BVI was cleared. |
| Alias IP address | The configured alias IP address. |
| Peer IP address | The configured peer IP address. |
| Virtual MAC address | The MAC address used by the alias IP address and VIP address when the interface is in the redundant active state (displayed only if the interface is in this state). |
| Assigned - Supervisor | Whether the VLAN or BVI is assigned from the supervisor and is up or down on the supervisor. |
| # unicast packets input, # bytes | The total number of incoming unicast packets and number of bytes. |
| # multicast, # broadcast | The total number of incoming multicast and broadcast packets. |
| # input errors, # unknown, # ignored, # unicast RFP drops | The total number of errors for incoming packets, including numbers for packets that are unknown, ignored, and RFP drops. |
| # unicast packets output, # bytes | The total number of outgoing unicast packets and number of bytes. |
| # multicast, # broadcast | The total number of outgoing multicast and broadcast packets. |
| # output errors, # unknown | The number of errors for outgoing packets, including unknown packets. |
Displaying the Interface Ethernet Out-of-band channel (eobc) Information
To display the Ethernet Out-of-band channel (eobc) information, use the show interface eobc command in Exec mode. This command is available in the Admin context only. For example, enter:
host1/Admin# show interface eobc
Table 1-2 describes the fields for the show interface eobc command output.
Table 1-2 Field Descriptions for the show interface eobc Command Output

| Field | Description |
|---|---|
| Hardware type | The hardware type is EOBC |
| MAC address | The MAC address of the system mapped to the IP address |
| Description | The description for the VLAN |
| MTU | The MTU in bytes |
| BW # bits/sec | The bits per second on the bus width |
| IP address | The internal IP address |
| # unicast packets input, # bytes | The total number of incoming unicast packets and number of bytes |
| # input errors, # ignored | The number of errors for incoming packets, including numbers for packets that are ignored |
| # unicast packets output, # bytes | The total number of outgoing unicast packets and number of bytes |
| # output errors, # ignore | The number of errors for outgoing packets, including numbers for packets that are ignored |
Displaying the Internal Interface Manager Tables
To display the internal interface manager tables and events, use the show interface internal command in Exec mode. The syntax for this command is:
show interface internal {event-history {dbg | mts} | iftable [interface_name] | vlantable [vlan_number]}
The keywords and arguments are:
• event-history {dbg | mts}—Displays the debug history (dbg) or message history (mts). This keyword is available in the Admin context only.
• iftable [interface_name]—Displays the master interface table. If you specify an interface name, the ACE displays the table information for that interface.
• vlantable [vlan_number]—Displays the VLAN table. If you specify an interface number, the ACE displays the table information for that interface.
Note
The show interface internal command is used for debugging purposes. The output for this command is for use by trained Cisco personnel as an aid in debugging and troubleshooting the ACE. For information on the command syntax, see the Cisco Application Control Engine Module Command Reference.
For example, to display the interface internal debug event history starting with the most recent event, enter:
host1/Admin# show interface internal event-history dbg
To display the interface internal message event history starting with the most recent event, enter:
host1/Admin# show interface internal event-history mts
To display the master interface table, enter:
host1/Admin# show interface internal iftable
To display the master VLAN table, enter:
host1/Admin# show interface internal vlantable
Displaying ACE VLANs Downloaded from the Supervisor
Use the show vlans command in Exec mode for the Admin context to display the VLANs on the ACE downloaded from the supervisor. For example, enter:
Vlans configured on SUP for this module
Displaying Private VLAN Information
The private VLAN feature on the Catalyst 6500 works with the ACE. The IOS PVLAN configuration populates the PVLAN mapping database on the ACE. See the documentation for the switch for detailed information.
To display the private VLANs on the ACE downloaded from the supervisor, use the show pvlans command in Exec mode. For example, enter:
Table 1-3 describes the fields for the show pvlans command output.
Table 1-3 Field Descriptions for the show pvlans Command Output

| Field | Description |
|---|---|
| Primary | The VLAN number for the primary private VLAN |
| Secondary | The VLAN number for the secondary private VLAN |
| Type | One of the three ways that the private VLAN uses VLANs: primary, isolated, or community |
Clearing Interface Statistics
To clear the statistics displayed through the show interface command, use the clear interface command in Exec mode. The syntax for this command is:
clear interface [vlan number | bvi number]
If you do not enter an option and argument, the statistics for all VLANs and BVIs are set to zero. The options and arguments are:
• vlan number—Specifies the VLAN number for the clearing of its statistics.
• bvi number—Specifies the BVI number for the clearing of its statistics. Statistics are not collected for BVI interfaces. The packets are counted against the underlying bridged (Layer 2) interfaces.
For example, to clear the statistics for VLAN 10, enter:
host1/Admin# clear interface vlan 10
Note
If you have redundancy configured, you need to explicitly clear statistics (hit counts) on both the active and the standby ACEs. If you clear statistics on the active module only, the standby module statistics remain at the old values.