Software Configuration Guide (4.5)
Configuring Multilayer Switching

Table Of Contents

Configuring Multilayer Switching

Understanding How MLS Works

MLS Overview

MLS Components

MLS Flows

MLS Cache

Layer 3-Switched Packet Rewrite

MLS Operation

Standard and Extended Access Lists

Flow Masks

Flow Mask Modes

Flow Mask Mode and show mls entry Command Output

Packet Export Rate

Software and Hardware Requirements

Default MLS Configuration

Configuration Guidelines and Restrictions

General Configuration Guidelines

External Routers

Access Lists

MLS Interaction with Other Features

Maximum Transmission Unit Size

Restrictions on Using IP Router Commands with MLS Enabled

Configuring MLS on the Router

Enabling MLSP on the Router

Adding an MLS Interface to a VTP Domain

Assigning a VLAN ID to a Router Interface

Enabling MLS on a Router Interface

Specifying a Router Interface as a Management Interface

Removing a Router Interface as a Management Interface

Disabling MLS on a Router Interface

Clearing a VLAN ID from a Router Interface

Removing an MLS Interface from a VTP Domain

Removing an MLS Interface from the Null Domain

Disabling MLSP on the Router

Monitoring MLS on the Router

Using Debug Commands on the MLS Router

Configuring MLS on the Switch

Enabling MLS on the Switch

Specifying Routers to Participate in MLS

Specifying MLS Aging-Time Value

Specifying MLS Fast Aging Time and Packet Threshold Values

Setting the Minimum MLS Flow Mask

Removing Routers from Participation in MLS

Disabling MLS on the Switch

Displaying CAM Entries on the Switch

Displaying MLS Information

Displaying MLS Cache Entries

Displaying All MLS Entries

Displaying MLS Entries for a Specific Destination Address

Displaying Entries for a Specific Source Address

Displaying Entries for a Specific IP Flow

Displaying Entries for a Specific MLS-RP

Clearing MLS Cache Entries

Displaying MLS Statistics

Displaying MLS Statistics by Protocol

Displaying Statistics for MLS-RPs

Displaying Statistics for MLS Cache Entries

Clearing MLS Statistics

Displaying MLS Debug Information

MLS Implementation Examples

Basic MLS Implementation

Packets Traversing a Single Router between Two Hosts

Destination Host Connected to a Switch Through a Router

Source Host Connected to a Switch Through a Router

Source and Destination Hosts Connected to a Switch Through Different Routers

Source Host Connected to a Switch Through an FDDI Ring

Source Host Connected to a Switch Through an ATM Cloud

Unsupported Topologies

MLS Configuration Examples

Router Configuration with No Access Lists

Router Configuration with Standard Access List

Router Configuration with Extended Access List

Switch Configuration


Configuring Multilayer Switching


This chapter describes how to configure Multilayer Switching (MLS) on the Catalyst 5000 and 2926G series switches.


Note   For complete syntax and usage information for the commands used in this chapter, refer to the Command Reference for your switch.


This chapter consists of these sections:

Understanding How MLS Works

Software and Hardware Requirements

Default MLS Configuration

Configuration Guidelines and Restrictions

Configuring MLS on the Router

Configuring MLS on the Switch

MLS Implementation Examples

MLS Configuration Examples

Understanding How MLS Works

These sections provide an overview of MLS and describe how MLS works:

MLS Overview

MLS Components

MLS Flows

MLS Cache

Layer 3-Switched Packet Rewrite

MLS Operation

Standard and Extended Access Lists

Flow Masks

Packet Export Rate

MLS Overview

MLS provides high-performance hardware-based Layer 3 switching for Catalyst 5000 and 2926G series LAN switches. MLS switches unicast IP data packet flows between subnets using advanced application-specific integrated circuit (ASIC) switching hardware, offloading processor-intensive packet routing from network routers.

The packet forwarding function is moved onto Layer 3 switches whenever a partial or complete switched path exists between two hosts. Packets that do not have a partial or complete switched path to reach their destinations are still forwarded by routers. Standard routing protocols, such as Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Routing Information Protocol (RIP), and Intermediate System-to-Intermediate System (IS-IS), are used for route determination.

MLS provides traffic statistics you can use to identify traffic characteristics for administration, planning, and troubleshooting. MLS uses NetFlow Data Export (NDE) to export flow statistics.


Note   For more information about NDE, see "."


In addition, MLS allows you to debug and trace flows in your network. You can identify which switch is handling a particular flow by using MLS explorer packets. The explorer packets aid you in path detection and troubleshooting. For complete information on debugging MLS, see the "Using Debug Commands on the MLS Router" section.

MLS Components

An MLS network topology consists of these components:

Multilayer Switching-Switching Engine (MLS-SE)—Catalyst 2926G series switch, or Catalyst 5000 series switch with the NFFC or NFFC II. The MLS-SE provides Layer 3 LAN-switching services.

Multilayer Switching-Route Processor (MLS-RP)—A Catalyst 5000 series Route Switch Module (RSM) or an externally connected Cisco 7500, 7200, 4500, or 4700 series router with software that supports MLS. The MLS-RP provides Cisco IOS-based multiprotocol routing, network services, and central configuration and control for the switches.

Multilayer Switching Protocol (MLSP)—The protocol running between the MLS-SE and MLS-RP to enable MLS.

MLS Flows

Layer 3 protocols, such as IP and Internetwork Packet Exchange (IPX), are connectionless—they deliver every packet independently of every other packet. However, actual network traffic consists of many end-to-end conversations, or flows, between users or applications.

A flow is a unidirectional sequence of packets between a particular source and destination that share the same protocol and transport-layer information. Communication from a client to a server and from the server to the client are separate flows. For example, Telnet traffic transferred from a particular source to a particular destination comprises a separate flow from File Transfer Protocol (FTP) packets between the same source and destination.

Flows can also be based on Layer 3 addresses only. When only the destination IP address is used to identify a flow, IP traffic from multiple users or applications to a particular destination is carried on a single flow.

The NFFC (or NFFC II) maintains a Layer 3 switching table (MLS cache) for the Layer 3-switched flows. The cache also includes entries for traffic statistics that are updated in tandem with the switching of packets. After the MLS cache is created, packets identified as belonging to an existing flow can be Layer 3-switched based on the cached information. The MLS cache maintains flow information for all active flows. When the Layer 3-switching entry for a flow ages out, the flow statistics can be exported to a flow collector application.

MLS Cache

The MLS-SE maintains a cache for MLS flows and maintains statistics for each flow. An MLS cache entry is created for the initial packet of each flow. Upon receipt of a packet that does not match any flow currently in the MLS cache, a new MLS entry is created.

The state and identity of the flow are maintained while packet traffic is active; when traffic for a flow ceases, the entry ages out. You can configure the aging time for MLS entries kept in the MLS cache. If an entry is not used for the specified period of time, the entry ages out and statistics for that flow can be exported to a flow collector application.

The maximum MLS cache size is 128K. However, an MLS cache larger than 32K increases the probability that a flow will not be switched by the MLS-SE and will get forwarded to the router.


Note   The number of active flows that can be stored in the MLS cache depends on the type of access lists configured on MLS router interfaces (which determines the flow mask). See the "Flow Masks" section for additional information.


Layer 3-Switched Packet Rewrite

When a packet is Layer 3 switched from a source host to a destination host, the switch (MLS-SE) performs a packet rewrite, based on information learned from the router (MLS-RP) and stored in the MLS cache.


Note   The Catalyst 5000 series 24-port 10/100BaseTX and 12-port 100BaseFX Backbone Fast Ethernet switching modules (WS-X5225R and WS-X5201R) have onboard hardware that performs the packet rewrite, optimizing MLS performance. This optimization is also used on the Catalyst 2926G series switch ports.



Note   There are slot restrictions when using MLS with the Gigabit Ethernet (WS-X5403) switching module. You must install the switching module in specific slots in the Catalyst 5000 series switches to maximize MLS operation. Refer to the Catalyst 5000 Series Module Installation Guide for details.


If Host A and Host B are on different virtual LANs (VLANs) and Host A sends a packet to the MLS-RP to be routed to Host B, the MLS-SE recognizes that the packet was sent to the Media Access Control (MAC) address of the MLS-RP. The MLS-SE checks the MLS cache and finds the entry matching the flow in question.

When the MLS-SE receives the packet, it is formatted as follows:

Frame Header               IP Header                                     Payload
Destination   Source       Destination  Source     TTL   Checksum         Data   Checksum
MLS-RP MAC    Host A MAC   Host B IP    Host A IP

The MLS-SE rewrites the Layer 2 frame header, changing the destination MAC address to the MAC address of Host B and the source MAC address to the MAC address of the MLS-RP (these MAC addresses are stored in the MLS cache entry for this flow). The Layer 3 IP addresses remain the same, but the IP header Time to Live (TTL) is decremented and the checksum is recomputed. The MLS-SE rewrites the switched Layer 3 packets so that they appear to have been routed by a router.

The MLS-SE forwards the rewritten packet to Host B's VLAN (the destination VLAN is saved in the MLS cache entry) and Host B receives the packet.

After the MLS-SE performs the packet rewrite, the packet is formatted as follows:

Frame Header               IP Header                                             Payload
Destination   Source       Destination  Source     TTL (1)   Checksum (2)        Data   Checksum
Host B MAC    MLS-RP MAC   Host B IP    Host A IP

(1) The IP header TTL value is decremented by 1.

(2) The IP header checksum is recalculated.
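The rewrite above, worked through on a constructed frame (an added example, not code from the Catalyst software): the MLS-SE swaps in the destination host and MLS-RP MAC addresses held in the cache entry, leaves the IP addresses untouched, decrements the TTL and recomputes the IP header checksum. The MAC and host addresses, the cache entry layout, and the rule that a packet whose TTL would reach 0 is left to the router are assumptions made for the example.

```python
import struct

# Constructed values; MAC notation follows the page's show mls entry output.
HOST_A_MAC = "00-00-00-00-00-0a"
HOST_B_MAC = "00-00-00-00-00-0b"
MLS_RP_MAC = "00-10-0b-16-98-00"
HOST_A_IP = "171.59.1.2"   # Sales VLAN subnet from the page; host part constructed
HOST_B_IP = "171.59.3.5"   # Marketing VLAN subnet from the page; host part constructed
ETHERTYPE_IPV4 = b"\x08\x00"


def mac_bytes(text):
    return bytes(int(octet, 16) for octet in text.split("-"))


def ip_bytes(text):
    return bytes(int(octet) for octet in text.split("."))


def ip_checksum(header):
    """One's-complement sum over 16-bit words (the IPv4 header checksum).
    Over a header that already carries a correct checksum it returns 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(dst_mac, src_mac, src_ip, dst_ip, ttl, payload):
    """Ethernet II frame carrying a 20-byte IPv4 header (protocol 17, UDP)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      0, ttl, 17, 0, ip_bytes(src_ip), ip_bytes(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + ETHERTYPE_IPV4 + hdr + payload


def frame_fields(frame):
    """Decode the fields the rewrite touches, for inspection and testing."""
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = frame[14:14 + ihl]
    return {
        "dst_mac": frame[0:6], "src_mac": frame[6:12],
        "src_ip": ip_hdr[12:16], "dst_ip": ip_hdr[16:20],
        "ttl": ip_hdr[8], "checksum_ok": ip_checksum(ip_hdr) == 0,
        "payload": frame[14 + ihl:],
    }


def mls_rewrite(frame, cache_entry):
    """Rewrite a Layer 3-switched packet as the page describes.

    cache_entry holds what the MLS-SE learned from the MLS-RP for this flow:
    the MLS-RP MAC, the destination host MAC and the destination VLAN.
    Returns (rewritten_frame, dst_vlan), or None when the MLS-SE must leave
    the packet to the router instead of switching it.
    """
    if frame[12:14] != ETHERTYPE_IPV4:
        return None
    # Candidate check: the packet must have been sent to the MLS-RP's MAC.
    if frame[0:6] != mac_bytes(cache_entry["rp_mac"]):
        return None
    ihl = (frame[14] & 0x0F) * 4
    ip_hdr = bytearray(frame[14:14 + ihl])
    if ip_checksum(bytes(ip_hdr)) != 0:
        return None          # corrupt header: do not forward it in hardware
    if ip_hdr[8] <= 1:
        # Assumption of this model (not stated on the page): a packet whose
        # TTL would reach 0 is not Layer 3 switched; the router handles it.
        return None
    # Layer 2: new destination = Host B MAC, new source = MLS-RP MAC.
    new_eth = (mac_bytes(cache_entry["dst_mac"])
               + mac_bytes(cache_entry["rp_mac"]) + ETHERTYPE_IPV4)
    # Layer 3: addresses unchanged, TTL decremented, checksum recomputed
    # over the header with the checksum field zeroed.
    ip_hdr[8] -= 1
    ip_hdr[10:12] = b"\x00\x00"
    ip_hdr[10:12] = struct.pack("!H", ip_checksum(bytes(ip_hdr)))
    return new_eth + bytes(ip_hdr) + frame[14 + ihl:], cache_entry["dst_vlan"]


# The cache entry the MLS-SE would hold for the Host A -> Host B flow.
FLOW_ENTRY = {"rp_mac": MLS_RP_MAC, "dst_mac": HOST_B_MAC, "dst_vlan": 3}


def demo():
    before = build_frame(MLS_RP_MAC, HOST_A_MAC, HOST_A_IP, HOST_B_IP, 64, b"data")
    after, vlan = mls_rewrite(before, FLOW_ENTRY)
    return frame_fields(before), frame_fields(after), vlan


if __name__ == "__main__":
    b, a, vlan = demo()
    print("before:", b["dst_mac"].hex("-"), b["src_mac"].hex("-"), "ttl", b["ttl"])
    print("after: ", a["dst_mac"].hex("-"), a["src_mac"].hex("-"), "ttl", a["ttl"],
          "vlan", vlan, "checksum ok:", a["checksum_ok"])
```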


MLS Operation

Figure 42-1 shows a simple MLS network topology. In this example, Host A is on the Sales VLAN (IP subnet 171.59.1.0), Host B is on the Marketing VLAN (IP subnet 171.59.3.0), and Host C is on the Engineering VLAN (IP subnet 171.59.2.0).

When Host A initiates an FTP file transfer to Host B, an MLS entry for this flow is created (this entry is the first item in the MLS cache shown in Figure 42-1). The MLS-SE stores the MAC addresses of the MLS-RP and Host B in the MLS entry when the MLS-RP forwards the first packet from Host A through the switch to Host B. The MLS-SE uses this information to rewrite subsequent packets from Host A to Host B.

Similarly, a separate MLS entry is created in the MLS cache for the HTTP traffic from Host A to Host C, and for the HTTP traffic from Host C to Host A. The destination VLAN is stored as part of each MLS entry so that the correct VLAN identifier is used when encapsulating traffic on trunk links.

Figure 42-1 MLS Example Topology

Standard and Extended Access Lists


Note   Router interfaces with input access lists cannot participate in MLS. However, you can translate any input access list to an output access list to provide the same effect on the interface.


MLS allows you to enforce access lists on every packet of the flow without compromising MLS performance. When you enable MLS, the MLS-SE handles standard and extended access list permit traffic at wire speed.


Note   Access list deny traffic is always handled by the MLS-RP, not the MLS-SE.


Route topology changes and the addition or modification of access lists are reflected in the MLS switching path automatically on the MLS-SE. The techniques for handling route and access list changes apply to both the RSM and directly attached external routers.

For example, when Station A wants to communicate with Station B, it sends the first packet to the MLS-RP. If an access list is configured on the MLS-RP to deny access from Station A to Station B, the MLS-RP receives the packet, checks the access list to see if the packet flow is permitted, and discards the packet based on the access list. Because the first packet for this flow does not return from the MLS-RP, an MLS cache entry is not established by the MLS-SE.

If a flow is already being Layer 3 switched by the MLS-SE and the access list is created on the MLS-RP, the MLS-SE learns of the change through MLSP and immediately enforces security for the affected flow by purging it from the MLS cache. New flows are created based on the restrictions imposed by the access list.

Similarly, when the MLS-RP detects a routing topology change, the appropriate MLS cache entries are deleted in the MLS-SE. New flows are created based on the new topology.

Flow Masks

The MLS-SE uses flow mask modes to determine how MLS entries are created. The flow mask mode is based on the access lists configured on the MLS router interfaces. The MLS-SE learns the flow mask through MLSP messages from each MLS-RP for which the MLS-SE is performing Layer 3 switching.

These sections describe how the flow mask modes work:

Flow Mask Modes

Flow Mask Mode and show mls entry Command Output

Flow Mask Modes

An MLS-SE supports only one flow mask (the most specific one) for all MLS-RPs that are Layer 3 switched. If the MLS-SE detects different flow masks from different MLS-RPs for which it is performing Layer 3 switching, it changes its flow mask to the most specific flow mask detected.

When the MLS-SE flow mask changes, the entire MLS cache is purged. When an MLS-SE exports cached entries, flow records are created based on the current flow mask mode. Depending on the current mode, some fields in the flow record might not have values. Unsupported fields are filled with a zero (0).

The three flow mask modes are as follows:

destination-ip mode—The least-specific flow mask mode. The MLS-SE maintains one MLS entry for each destination IP address. All flows to a given destination IP address use this MLS entry. This mode is used if there are no access lists configured on any of the MLS router interfaces.

source-destination-ip mode—The MLS-SE maintains one MLS entry for each source and destination IP address pair. All flows between a given source and destination use this MLS entry regardless of the IP protocol ports. This mode is used if there is a standard access list on any of the MLS interfaces.

ip-flow mode—The most-specific flow mask mode. The MLS-SE creates and maintains a separate MLS cache entry for every IP flow. An ip-flow entry includes the source IP address, destination IP address, protocol, and protocol ports. This mode is used if there is an extended access list on any of the MLS interfaces.
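An added model (not Catalyst code) of how the same traffic occupies the cache under each of the three flow masks, how the MLS-SE settles on the most specific mask advertised by its MLS-RPs and purges the cache when that mask changes, and, from the access list discussion above, why a flow the MLS-RP denies never gets a cache entry. The host addresses, the Packet tuple and the rp_permits callback standing in for the router's access list decision are constructed for the example.

```python
from collections import namedtuple

# A packet as the MLS-SE keys it: the fields that can enter a flow mask.
Packet = namedtuple("Packet", "src_ip dst_ip proto src_port dst_port")

# Least specific to most specific, in the order the page gives them.
FLOW_MASKS = ("destination-ip", "source-destination-ip", "ip-flow")


def flow_mask_for_acls(acl_types):
    """Flow mask an MLS-RP advertises, from the access lists on its MLS
    interfaces: none -> destination-ip, standard -> source-destination-ip,
    extended -> ip-flow."""
    if "extended" in acl_types:
        return "ip-flow"
    if "standard" in acl_types:
        return "source-destination-ip"
    return "destination-ip"


def select_flow_mask(advertised):
    """An MLS-SE runs one flow mask: the most specific of those advertised
    by the MLS-RPs it performs Layer 3 switching for."""
    return max(advertised, key=FLOW_MASKS.index)


def flow_key(mask, pkt):
    """Which packet fields identify an MLS cache entry under each mask."""
    if mask == "destination-ip":
        return (pkt.dst_ip,)
    if mask == "source-destination-ip":
        return (pkt.src_ip, pkt.dst_ip)
    if mask == "ip-flow":
        return (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
    raise ValueError("unknown flow mask: %s" % mask)


class MlsCache:
    """Minimal model of the MLS-SE cache: entries keyed by flow_key."""

    def __init__(self, mask):
        self.mask = mask
        self.entries = {}

    def set_mask(self, mask):
        """A flow mask change purges the entire cache."""
        if mask != self.mask:
            self.mask = mask
            self.entries.clear()

    def forward(self, pkt, rp_permits):
        """Handle one packet. The first packet of a flow goes to the MLS-RP
        and an entry is created only when the routed packet comes back from
        it. rp_permits(pkt) models the router's access list decision: a
        denied first packet never returns, so no entry is created."""
        key = flow_key(self.mask, pkt)
        if key in self.entries:
            self.entries[key] += 1
            return "layer3-switched"
        if not rp_permits(pkt):
            return "dropped-by-mls-rp"
        self.entries[key] = 1
        return "routed-and-cached"

    def purge_if(self, predicate):
        """Remove entries affected by an access list or route change the
        MLS-RP announces over MLSP. Returns how many entries were purged."""
        doomed = [k for k in self.entries if predicate(k)]
        for k in doomed:
            del self.entries[k]
        return len(doomed)


# Constructed traffic on the page's Sales (171.59.1.0), Engineering
# (171.59.2.0) and Marketing (171.59.3.0) subnets; host parts are made up.
PACKETS = [
    Packet("171.59.1.2", "171.59.3.5", "TCP", 40001, 21),   # Host A -> Host B, FTP
    Packet("171.59.1.2", "171.59.3.5", "TCP", 40002, 21),   # same hosts, new source port
    Packet("171.59.1.2", "171.59.2.7", "TCP", 40003, 80),   # Host A -> Host C, HTTP
    Packet("171.59.1.9", "171.59.2.7", "TCP", 40004, 80),   # another host -> Host C
    Packet("171.59.2.7", "171.59.1.2", "TCP", 80, 40003),   # Host C -> Host A, reverse flow
]


def entries_needed(mask, packets=PACKETS):
    """How many cache entries the same traffic occupies under a given mask."""
    return len({flow_key(mask, p) for p in packets})


if __name__ == "__main__":
    for mask in FLOW_MASKS:
        print("%-22s %d entries" % (mask, entries_needed(mask)))
    # Two MLS-RPs, one with no access lists and one with an extended list:
    # the switch runs ip-flow for both of them.
    cache = MlsCache(select_flow_mask(["destination-ip", "ip-flow"]))
    permits = lambda p: not (p.src_ip == "171.59.1.9" and p.dst_port == 80)
    for p in PACKETS:
        print(cache.forward(p, permits), p.src_ip, "->", p.dst_ip)
```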

Flow Mask Mode and show mls entry Command Output

This section describes how the flow mask mode impacts the screen output of the show mls entry command.

In destination-ip mode, the source IP, protocol, and source and destination port fields show the details of the last packet that was Layer 3 switched using the MLS cache entry.

This example shows how the show mls entry command output appears in destination-ip mode:

Console> (enable) show mls entry
                Last Used         Last    Used
Destination IP  Source IP       Port DstPrt SrcPrt Destination Mac   Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MLS-RP 10.20.6.161:
10.19.6.2       10.19.26.9      UDP  6009   69     00-10-0b-16-98-00 250  1/1-2
10.19.22.8      10.19.2.1       TCP  6001   Telnet 00-00-00-00-00-08 22   4/6
10.19.2.1       10.19.22.8      TCP  6008   Telnet 00-10-0b-16-98-00 250  1/1-2
10.19.27.10     10.19.7.3       TCP  6003   20     00-00-00-00-00-10 27   4/8
10.19.28.11     10.19.8.4       UDP  6004   DNS    00-00-00-00-00-11 28   4/9
10.19.26.9      10.19.6.2       UDP  6002   69     00-00-00-00-00-09 26   4/7
10.19.7.3       10.19.27.10     TCP  6010   FTP    00-10-0b-16-98-00 250  1/1-2
MLS-RP 132.68.9.10:
10.19.86.12     10.19.85.7      TCP  6007   SMTP   00-00-00-00-00-12 86   4/10
10.19.85.7      10.19.86.12     TCP  6012   WWW    00-00-00-00-00-07 85   4/5
MLS-RP 10.20.6.82:
10.19.63.13     10.19.73.14     TCP  6014   Telnet 00-00-00-00-00-13 63   4/11
10.19.73.14     10.19.63.13     TCP  6013   FTP    00-00-00-00-00-14 73   4/12
Console> (enable)

In source-destination-ip mode, the protocol, source port, and destination port fields show the details of the last packet that was Layer 3 switched using the MLS cache entry.

This example shows how the show mls entry command output appears in source-destination-ip mode:

Console> (enable) show mls entry
                                  Last    Used
Destination IP  Source IP       Port DstPrt SrcPrt Destination Mac   Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MLS-RP 10.20.6.161:
10.19.26.9      10.19.6.2       UDP  6002   69     00-00-00-00-00-09 26   4/7
10.19.28.11     10.19.8.4       UDP  6004   DNS    00-00-00-00-00-11 28   4/9
10.19.6.2       10.19.26.9      UDP  6009   69     00-10-0b-16-98-00 251  1/1-2
10.19.2.1       10.19.22.8      TCP  6008   Telnet 00-10-0b-16-98-00 251  1/1-2
10.19.27.10     10.19.7.3       TCP  6003   20     00-00-00-00-00-10 27   4/8
10.19.22.8      10.19.2.1       TCP  6001   Telnet 00-00-00-00-00-08 22   4/6
10.19.7.3       10.19.27.10     TCP  6010   FTP    00-10-0b-16-98-00 251  1/1-2
MLS-RP 132.68.9.10:
10.19.85.7      10.19.86.12     TCP  6012   WWW    00-00-00-00-00-07 85   4/5
10.19.86.12     10.19.85.7      TCP  6007   SMTP   00-00-00-00-00-12 86   4/10
MLS-RP 10.20.6.82:
10.19.63.13     10.19.73.14     TCP  6014   Telnet 00-00-00-00-00-13 63   4/11
10.19.73.14     10.19.63.13     TCP  6013   FTP    00-00-00-00-00-14 73   4/12
Console> (enable)

In ip-flow mode, because a separate MLS entry is created for every ip-flow, details are shown for every flow.

This example shows how the show mls entry command output appears in ip-flow mode:

Console> (enable) show mls entry
Destination IP  Source IP       Port DstPrt SrcPrt Destination Mac   Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MLS-RP 10.20.6.161:
10.19.26.9      10.19.6.2       UDP  6002   69     00-00-00-00-00-09 26   4/7
10.19.6.2       10.19.26.9      UDP  6009   69     00-10-0b-16-98-00 251  1/1-2
10.19.22.8      10.19.2.1       TCP  6001   Telnet 00-00-00-00-00-08 22   4/6
10.19.2.1       10.19.22.8      TCP  6008   Telnet 00-10-0b-16-98-00 251  1/1-2
10.19.27.10     10.19.7.3       TCP  6003   20     00-00-00-00-00-10 27   4/8
10.19.28.11     10.19.8.4       UDP  6004   DNS    00-00-00-00-00-11 28   4/9
10.19.7.3       10.19.27.10     TCP  6010   FTP    00-10-0b-16-98-00 251  1/1-2
MLS-RP 132.68.9.10:
10.19.86.12     10.19.85.7      TCP  6007   SMTP   00-00-00-00-00-12 86   4/10
10.19.85.7      10.19.86.12     TCP  6012   WWW    00-00-00-00-00-07 85   4/5
MLS-RP 10.20.6.82:
10.19.63.13     10.19.73.14     TCP  6014   Telnet 00-00-00-00-00-13 63   4/11
10.19.73.14     10.19.63.13     TCP  6013   FTP    00-00-00-00-00-14 73   4/12
Console> (enable)
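An added parser (not Catalyst code) for the show mls entry output shown above, fed with the page's own destination-ip mode sample. It groups entries per MLS-RP and checks the destination-ip invariant stated above, that the cache holds one entry per destination IP address, so a destination IP listed twice under the same MLS-RP means the output did not come from destination-ip mode. The field names are chosen for the example.

```python
from collections import Counter

# Sample output copied from the page (destination-ip mode).
SHOW_MLS_ENTRY = """\
Console> (enable) show mls entry
                Last Used         Last    Used
Destination IP  Source IP       Port DstPrt SrcPrt Destination Mac   Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MLS-RP 10.20.6.161:
10.19.6.2       10.19.26.9      UDP  6009   69     00-10-0b-16-98-00 250  1/1-2
10.19.22.8      10.19.2.1       TCP  6001   Telnet 00-00-00-00-00-08 22   4/6
10.19.2.1       10.19.22.8      TCP  6008   Telnet 00-10-0b-16-98-00 250  1/1-2
10.19.27.10     10.19.7.3       TCP  6003   20     00-00-00-00-00-10 27   4/8
10.19.28.11     10.19.8.4       UDP  6004   DNS    00-00-00-00-00-11 28   4/9
10.19.26.9      10.19.6.2       UDP  6002   69     00-00-00-00-00-09 26   4/7
10.19.7.3       10.19.27.10     TCP  6010   FTP    00-10-0b-16-98-00 250  1/1-2
MLS-RP 132.68.9.10:
10.19.86.12     10.19.85.7      TCP  6007   SMTP   00-00-00-00-00-12 86   4/10
10.19.85.7      10.19.86.12     TCP  6012   WWW    00-00-00-00-00-07 85   4/5
MLS-RP 10.20.6.82:
10.19.63.13     10.19.73.14     TCP  6014   Telnet 00-00-00-00-00-13 63   4/11
10.19.73.14     10.19.63.13     TCP  6013   FTP    00-00-00-00-00-14 73   4/12
Console> (enable)
"""

# Column order of a data row; "Port" in the heading carries the IP protocol.
FIELDS = ("dst_ip", "src_ip", "proto", "dst_port", "src_port",
          "dst_mac", "vlan", "port")


def parse_show_mls_entry(text):
    """Return one dict per cache entry, tagged with the MLS-RP it belongs to."""
    entries, mls_rp = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("MLS-RP "):
            mls_rp = line[len("MLS-RP "):].rstrip(":")
            continue
        parts = line.split()
        # Data rows have exactly eight columns and start with an IP address;
        # the prompt, the headings and the dashed rule do not.
        if len(parts) != len(FIELDS) or not parts[0][0].isdigit():
            continue
        entry = dict(zip(FIELDS, parts))
        entry["mls_rp"] = mls_rp
        entry["vlan"] = int(entry["vlan"])
        entries.append(entry)
    return entries


def entries_per_mls_rp(entries):
    """How many cache entries the switch holds for each MLS-RP."""
    return dict(Counter(e["mls_rp"] for e in entries))


def duplicate_destinations(entries):
    """(mls_rp, dst_ip) pairs that occur more than once. Empty for genuine
    destination-ip mode output, where each destination IP has one entry."""
    seen, dups = set(), []
    for e in entries:
        key = (e["mls_rp"], e["dst_ip"])
        if key in seen:
            dups.append(key)
        seen.add(key)
    return dups


if __name__ == "__main__":
    parsed = parse_show_mls_entry(SHOW_MLS_ENTRY)
    print(entries_per_mls_rp(parsed))
    print("duplicate destinations:", duplicate_destinations(parsed))
```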

Packet Export Rate


Note   Packets are exported only when NDE is enabled.


Export rates for MLS entries depend on the traffic pattern—there is no typical packet rate. The worst-case packet export rate occurs when all existing MLS entries are purged due to an event such as a route change. The MLS entries are exported at a burst rate of 1,213 datagrams of 27 flows each.

Software and Hardware Requirements

MLS requires these software and hardware versions:

Supervisor engine software—Software release 4.1(1) or later

Cisco IOS router software—IOS release 11.3(2)WA4(4) or later

Catalyst 2926G series switch or a Catalyst 5000 series switch with Supervisor Engine III, III FSX, or III FLX module with a NetFlow Feature Card (NFFC) or NFFC II

Route Switch Module (RSM) or Cisco 7500, 7200, 4500, or 4700 series router

(Optional) Catalyst 5000 series 24-port 10/100BaseTX and 12-port 100BaseFX Backbone Fast Ethernet switching modules (WS-X5225R and WS-X5201R)—These switching modules have onboard hardware that optimizes MLS performance (this optimization is also used in the Catalyst 2926G series switches)

Default MLS Configuration

Table 42-1 shows the default MLS configuration.

Table 42-1 Default MLS Configuration

Feature                                 Default Value
Multilayer Switching                    Enabled
Participating routers                   None (1)
MLS aging-time                          256 seconds
MLS fast aging-time                     0 seconds (no fast aging)
MLS fast aging-time packet threshold    0 packets
Minimum MLS flow mask                   Varies depending on router access list configuration

(1) If an RSM is installed in the switch, the RSM is automatically included as a participating MLS router.


Configuration Guidelines and Restrictions

These sections describe configuration guidelines that apply when configuring MLS:

General Configuration Guidelines

External Routers

Access Lists

MLS Interaction with Other Features

Maximum Transmission Unit Size

Restrictions on Using IP Router Commands with MLS Enabled

General Configuration Guidelines

Follow these general guidelines when configuring MLS:

When you enable MLS, the RSM or externally attached router continues to handle all non-IP protocols while offloading the switching of IP packets to the MLS-SE.

Do not confuse MLS with the NetFlow switching supported by Cisco routers. MLS uses both the RSM or directly attached external router and the MLS-SE. With MLS, you are not required to use NetFlow switching on the RSM or directly attached external router; any switching path on the RSM or directly attached external router will work (process, fast, optimum, and so on).

External Routers

Follow these guidelines when using an external router:

We recommend one directly attached external router per switch to ensure that the MLS-SE caches the appropriate flow information from both sides of the routed flow.

You can use Cisco high-end routers (Cisco 7500, 7200, 4500, and 4700 series) for MLS when they are externally attached to the switch. You can make the attachment with multiple Ethernet connections (one per subnet) or by using Fast or Gigabit Ethernet with Inter-Switch Link (ISL) encapsulation.

You can connect end hosts through any media (Ethernet, Fast Ethernet, ATM, and Fiber Distributed Data Interface [FDDI]) but the connection between the external router and the switch must be through standard 10/100 Ethernet interfaces or ISL links.

Access Lists

Access lists affect MLS as follows:

Input access lists—Router interfaces with input access lists cannot participate in MLS. If you configure an input access list on an interface, no packets destined for that interface are Layer 3 switched, even if the flow is not filtered by the access list. Existing flows for that interface are purged, and no new flows are cached.


Note   You can translate input access lists to output access lists to provide the same effect on the interface.


Output access lists—When an output access list is applied to an interface, the MLS cache entries for that interface are purged. Entries associated with other interfaces are not affected; they follow their normal aging or purging procedures.

Applying an output access list that uses the log, precedence, tos, or establish options prevents the interface from participating in MLS.

Access list impact on flow masks—Access lists impact the flow mask mode advertised to the MLS-SE by an MLS-RP. When there is no access list on any MLS-RP interface, the flow mask mode is destination-ip (the least specific) by default. When there is a standard access list on any of the MLS-RP interfaces, the mode is source-destination-ip by default. When there is an extended access list on any of the MLS-RP interfaces, the mode is ip-flow (the most specific) by default. You can specify the minimum flow mask using the set mls flow command.

Reflexive access lists—Router interfaces with reflexive access lists cannot participate in Layer 3 switching.

MLS Interaction with Other Features

Other Cisco IOS software features affect MLS as follows:

IP accounting—Enabling IP accounting on an MLS-enabled interface disables the IP accounting functions on that interface.


Note   To collect statistics for the Layer 3-switched traffic, enable NDE. For information on configuring NDE, see "."


Data encryption—MLS is disabled on an interface when the data encryption feature is configured on the interface.

Policy route-map—MLS is disabled on an interface when a policy route-map is configured on the interface.

TCP intercept—With MLS interfaces enabled, the Transmission Control Protocol (TCP) intercept feature (enabled in global configuration mode) might not work properly. When you enable the TCP intercept feature, the following message displays:

Command accepted, interfaces with mls might cause inconsistent behavior.

Network Address Translation (NAT)—MLS is disabled on an interface when NAT is configured on the interface.

Committed access rate—MLS is disabled on an interface when Committed Access Rate (CAR) is configured on the interface.

Maximum Transmission Unit Size

The maximum transmission unit (MTU) for an MLS interface must be the default Ethernet MTU, 1500 bytes.

To change the MTU on an MLS-enabled interface, you must first disable MLS on the interface (enter the no mls rp ip command on the interface). If you attempt to change the MTU with MLS enabled, the following message displays:

Need to turn off the mls router for this interface first. 

If you attempt to enable MLS on an interface that has an MTU value other than the default value, the following message displays:

mls only supports interfaces with default mtu size

Restrictions on Using IP Router Commands with MLS Enabled

Enabling some IP processes on an interface disables MLS on the interface. Table 42-2 lists the affected commands.

Table 42-2 IP Router Command Restrictions 

Command                                   Behavior
clear ip-route                            Clears all MLS cache entries for all switches performing Layer 3 switching for this MLS-RP.
ip routing                                The no form purges all MLS cache entries and disables MLS on this MLS-RP.
ip security (all forms of this command)   Disables MLS on the interface.
ip tcp compression-connections            Disables MLS on the interface.
ip tcp header-compression                 Disables MLS on the interface.


Configuring MLS on the Router

These sections describe how to configure one or more routers for MLS. Depending upon your configuration, you might not have to perform all the steps in the procedure.

Enabling MLSP on the Router

Adding an MLS Interface to a VTP Domain

Assigning a VLAN ID to a Router Interface

Enabling MLS on a Router Interface

Specifying a Router Interface as a Management Interface

Removing a Router Interface as a Management Interface

Disabling MLS on a Router Interface

Clearing a VLAN ID from a Router Interface

Removing an MLS Interface from a VTP Domain

Removing an MLS Interface from the Null Domain

Disabling MLSP on the Router

Monitoring MLS on the Router

Using Debug Commands on the MLS Router


Note   The interface-specific commands in these sections apply only to Ethernet, Fast Ethernet, and VLAN interfaces on the Catalyst RSM/VIP2 or directly-attached external router.



Note   For information on configuring VLAN interfaces on the RSM, see "."


After you perform the steps in this section to configure the router, see the "Configuring MLS on the Switch" section.

Enabling MLSP on the Router

To use MLS in your network, you must globally enable MLSP, the protocol that runs between the MLS-SE and the MLS-RP.

To enable MLSP globally on the MLS-RP, perform this task in global configuration mode:

Task                                   Command
Globally enable MLSP on the router.    Router(config)#mls rp ip


This example shows how to enable MLSP on the router:

Router(config)#mls rp ip
Router(config)#

Adding an MLS Interface to a VTP Domain


Note   Perform this configuration task only if the switch is in a VTP domain.


Determine which router interfaces you will use as MLS interfaces and add those interfaces to the same VTP domain as the switches. A switch can be in only one VTP domain and you must add the MLS interfaces to the same domain.

To view the VTP configuration on the switch, including the VTP domain name, enter the show vtp domain command at the switch Console> prompt.


Caution   Perform this task before you enter any other MLS interface commands on the MLS interface (specifically, the mls rp ip or mls rp management-interface commands). Entering MLS interface commands on an interface prior to putting the interface into a VTP domain places the interface in the null domain. To put the MLS interface into a domain other than the null domain, you must clear the MLS interface configuration before you can add it to another VTP domain (for more information, see the "Removing an MLS Interface from the Null Domain" section).

On ISL interfaces, enter the mls rp vtp-domain command on the primary interface. All subinterfaces on the primary interface inherit the VTP domain assigned to the primary interface.

To add an MLS interface to a VTP domain, perform this task in interface configuration mode:

Task                                     Command
Add an MLS interface to a VTP domain.    Router(config-if)#mls rp vtp-domain [domain_name]


This example shows how to add an MLS interface to a VTP domain:

Router(config-if)#mls rp vtp-domain engineering
Router(config-if)#

Assigning a VLAN ID to a Router Interface


Note   This task is not required for RSM VLAN interfaces (virtual interfaces) or ISL-encapsulated interfaces.


The MLS interface must have a VLAN ID configured before you can enable it for MLS. Removing the VLAN ID from an interface disables MLS for the interface.

The assigned interface must be either an Ethernet or Fast Ethernet interface with no subinterfaces.

To assign a VLAN ID to an MLS interface, perform this task in interface configuration mode:

Task                                     Command
Assign a VLAN ID to an MLS interface.    Router(config-if)#mls rp vlan-id [vlan_id_num]


This example shows how to assign a VLAN ID to an MLS interface:

Router(config-if)#mls rp vlan-id 23
Router(config-if)#

Enabling MLS on a Router Interface

To enable MLS on a specific router interface, perform this task in interface configuration mode:

Task                                     Command
Specify a router interface for MLS.      Router(config-if)#mls rp ip


This example shows how to enable MLS on a router interface:

Router(config-if)#mls rp ip
Router(config-if)#

Specifying a Router Interface as a Management Interface

MLSP packets are sent and received through the management interface. You must specify at least one router interface as a management interface. If you do not specify a management interface, MLSP packets will not be sent or received.

Every switch participating in MLS must have an active port in at least one VLAN that has a corresponding router interface configured as a management interface. If the VLAN to which the management interface belongs does not span the whole MLS network, you must configure multiple management interfaces such that each switch has an active port in a VLAN with a management interface.

To specify a router interface as a management interface, perform this task in interface configuration mode:

Task                                                  Command
Specify an interface as the management interface.     Router(config-if)#mls rp management-interface


This example shows how to specify a router interface as a management interface:

Router(config-if)#mls rp management-interface 
Router(config-if)#

Removing a Router Interface as a Management Interface

To remove a router interface as a management interface, perform this task in interface configuration mode:

Task                                                Command
Remove an interface as the management interface.    Router(config-if)#no mls rp management-interface


This example shows how to remove a router interface as a management interface:

Router(config-if)#no mls rp management-interface 
Router(config-if)#

Disabling MLS on a Router Interface

To disable MLS on a specific router interface, perform this task in interface configuration mode:

Task                                    Command
Remove a router interface from MLS.     Router(config-if)#no mls rp ip


This example shows how to disable MLS on a router interface:

Router(config-if)#no mls rp ip
Router(config-if)#

Clearing a VLAN ID from a Router Interface


Note   This task does not apply for RSM VLAN interfaces (virtual interfaces) or ISL-encapsulated interfaces.


Removing the VLAN ID from an interface disables MLS for the interface.

To clear a VLAN ID from an MLS interface, perform this task in interface configuration mode:

Task                                      Command
Remove a VLAN ID from an MLS interface.   Router(config-if)#no mls rp vlan-id [vlan_id_num]


This example shows how to clear a VLAN ID from an MLS interface:

Router(config-if)#no mls rp vlan-id 23
Router(config-if)#

Removing an MLS Interface from a VTP Domain

To remove an interface from one VTP domain and add it to another, perform this task in interface configuration mode:

Task                                                              Command
Step 1  Remove an interface from a VTP domain if you have not     Router(config-if)#no mls rp vtp-domain [domain_name]
        already entered the mls rp ip or mls rp
        management-interface commands on the interface.
Step 2  Add the interface to a new VTP domain.                    Router(config-if)#mls rp vtp-domain [domain_name]


This example shows how to remove an interface from a VTP domain and add it to another VTP domain if you have not already entered the mls rp ip or mls rp management-interface commands on the interface:

Router(config-if)#no mls rp vtp-domain engineering
Router(config-if)#mls rp vtp-domain wbu

Removing an MLS Interface from the Null Domain

If you entered either the mls rp ip command or the mls rp management-interface command on the interface before you assigned the interface to a VTP domain, the interface will be in the null domain.

To remove an interface from the null domain and add it to another domain, perform this task in interface configuration mode:

Task                                                Command
Step 1  Remove an interface from the null domain.   Router(config-if)#no mls rp ip
                                                    Router(config-if)#no mls rp management-interface
                                                    Router(config-if)#no mls rp vtp-domain [domain_name]
Step 2  Add the interface to a new VTP domain.      Router(config-if)#mls rp vtp-domain [domain_name]


This example shows how to remove an interface from the null domain and add it to another VTP domain:

Router(config-if)#no mls rp ip
Router(config-if)#no mls rp management-interface
Router(config-if)#no mls rp vtp-domain engineering
Router(config-if)#mls rp vtp-domain wbu
Router(config-if)#

Disabling MLSP on the Router

To disable MLSP on the router, perform this task in global configuration mode:

Task                                    Command
Globally disable MLSP on the router.    Router(config)#no mls rp ip


This example shows how to disable MLSP on the router:

Router(config)#no mls rp ip
Router(config)#

Monitoring MLS on the Router

The show mls rp command displays MLS details, including specific information about MLSP. The output of the show mls rp command includes:

MLS status (enabled or disabled) for switch interfaces and subinterfaces

Flow mask used by this device when creating Layer 3-switching entries for the router

Current settings for the keepalive timer, retry timer, and retry count

MLSP-ID used in MLSP messages

List of interfaces in all VTP domains that are enabled for MLS

To display detailed MLS information on the router, perform one of these tasks:

Task                                             Command
Show MLS details for all interfaces.             show mls rp [interface]
Show MLS interfaces for a specific VTP domain.   show mls rp vtp-domain [domain_name]


This example shows how to display details about MLS on the router:

Router# show mls rp
multilayer switching is globally enabled
mls id is 00e0.fefc.6000
mls ip address 10.20.26.64
mls flow mask is ip-flow
vlan domain name: WBU
   current flow mask: ip-flow
   current sequence number: 80709115
   current/maximum retry count: 0/10
   current domain state: no-change
   current/next global purge: false/false
   current/next purge count: 0/0
   domain uptime: 13:03:19
   keepalive timer expires in 9 seconds
   retry timer not running
   change timer not running
   fcp subblock count = 7
   1 management interface(s) currently defined:
      vlan 1 on Vlan1
   7 mac-vlan(s) configured for multi-layer switching:
      mac 00e0.fefc.6000
         vlan id(s)
         1    10   91   92   93   95   100
   router currently aware of following 1 switch(es):
      switch id 0010.1192.b5ff
Router#

This example shows how to display MLS information about a specific interface (in this case, interface vlan 10):

Router# show mls rp interface vlan 10
mls active on Vlan10, domain WBU
Router#

This example shows how to display detailed information about MLS interfaces in a specific VTP domain:

Router# show mls rp vtp-domain WBU
vlan domain name: WBU
   current flow mask: ip-flow
   current sequence number: 80709115
   current/maximum retry count: 0/10
   current domain state: no-change
   current/next global purge: false/false
   current/next purge count: 0/0
   domain uptime: 13:07:36
   keepalive timer expires in 8 seconds
   retry timer not running
   change timer not running
   fcp subblock count = 7
   1 management interface(s) currently defined:
      vlan 1 on Vlan1
   7 mac-vlan(s) configured for multi-layer switching:
      mac 00e0.fefc.6000
         vlan id(s)
         1    10   91   92   93   95   100
   router currently aware of following 1 switch(es):
      switch id 0010.1192.b5ff
Router#

Using Debug Commands on the MLS Router

Table 42-3 describes MLS-related debug commands that you can use to troubleshoot MLS problems on the router.


Note   To turn off any of the debug commands listed in Table 42-3, use the no form of the command.


Table 42-3  MLS Debug Commands

Command                  Description
debug mls rp events      Displays a run-time sequence of events for the MLSP.
debug mls rp packets     Displays packet contents (in verbose and hexadecimal formats) for MLSP messages.
debug mls rp error       Displays error messages related to MLS.
debug mls rp ip          Turns on IP-related events for MLS, including route purging and changes of access lists and flow masks.
debug mls rp locator     Identifies which switch is switching a particular flow by using MLS explorer packets.
debug mls rp all         Turns on all MLS debugging events.

Configuring MLS on the Switch

MLS is enabled by default on Catalyst 5000 and 2926G series switches. If the MLS-RP is an RSM installed in the Catalyst 5000 series switch chassis, you do not need to configure the switch. You only need to configure the switch in these circumstances:

You have an external router as the MLS-RP (this is always the case with the Catalyst 2926G series switches)

You want to change the MLS aging time

You want to enable NDE

These sections describe how to configure MLS on the switch:

Enabling MLS on the Switch

Specifying Routers to Participate in MLS

Specifying MLS Aging-Time Value

Specifying MLS Fast Aging Time and Packet Threshold Values

Setting the Minimum MLS Flow Mask

Removing Routers from Participation in MLS

Disabling MLS on the Switch

Displaying CAM Entries on the Switch

Displaying MLS Information

Displaying MLS Cache Entries

Clearing MLS Cache Entries

Displaying MLS Statistics

Clearing MLS Statistics

Displaying MLS Debug Information


Note   For information on configuring VLANs on the switch, refer to Chapter 10, "."


Enabling MLS on the Switch

When you enable MLS on the switch, the switch (MLS-SE) starts to process MLSP messages from the MLS-RPs and starts Layer 3 switching. MLS is enabled by default on the MLS-SE.

To enable MLS on the switch, perform this task in privileged mode:

Task                                    Command
Step 1  Enable MLS on the switch.       set mls enable
Step 2  Verify that MLS is enabled.     show mls [noalias]


This example shows how to enable MLS on the switch and verify the configuration:

Console> (enable) set mls enable
Multilayer switching is enabled
Console> (enable) 

Specifying Routers to Participate in MLS

If the MLS-RP is an external router, you must specify the IP address of the MLS-RP to participate in MLS. The MLS-SE does not process MLSP messages from external routers that have not been included as MLS-RPs.

If an RSM is installed in the switch, it participates in MLS automatically and is included in the inclusion list (provided the RSM is running the correct Cisco IOS software version). If you physically remove the RSM or disable MLS on the RSM, the RSM is removed from the inclusion list.

On the Catalyst 2926G series switches, you must specify at least one external router to participate in MLS.


Note   Before specifying a router to participate in MLS, enter the show mls rp command on the router to identify the MLS-RP IP address. Use the displayed address when you enter the set mls include ip_addr command on the switch.


To specify a router to participate in MLS, perform this task in privileged mode:

Task                                                            Command
Step 1  On the switch, specify the IP address of the MLS-RP     set mls include [ip_addr]
        to participate in MLS.
Step 2  Verify the configuration.                               show mls include



Note   You can specify the IP addresses of multiple MLS-RPs on the same command line. Up to 16 MLS-RPs can be selected to participate in MLS.


This example shows how to identify the MLS-RP IP address on the router, how to specify the MLS-RP to participate in MLS, and how to verify the configuration:

Console> (enable) set mls include 170.170.2.1
Multilayer switching is enabled for router 170.170.2.1
Console> (enable) show mls include
Included MLS-RP
---------------------------------------
170.67.2.13
170.67.2.12
Console> (enable)
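As an added audit helper (not from the guide or from Cisco), this Python script parses the router's show mls rp output and the switch's show mls include output and flags the conditions this chapter says break MLSP between the two devices: MLSP not globally enabled, no management interface defined, or the router's MLS IP address missing from the switch inclusion list. The sample outputs are constructed, modelled on the examples above; the function and field names are the script's own.

```python
import re

# Constructed sample modelled on the guide's "show mls rp" output (not a real capture).
SHOW_MLS_RP = """\
multilayer switching is globally enabled
mls id is 00e0.fefc.6000
mls ip address 10.20.26.64
vlan domain name: WBU
   1 management interface(s) currently defined:
      vlan 1 on Vlan1
   router currently aware of following 1 switch(es):
      switch id 0010.1192.b5ff
"""
# Constructed sample modelled on the switch's "show mls include" output.
SHOW_MLS_INCLUDE = "Included MLS-RP\n----------------\n10.20.26.64\n170.67.2.12\n"


def parse_show_mls_rp(text):
    """Extract the router-side facts the audit needs from show mls rp output."""
    info = {"enabled": False, "mls_ip": None, "mgmt_ifaces": []}
    in_mgmt = False
    for line in text.splitlines():
        s = line.strip()
        if s == "multilayer switching is globally enabled":
            info["enabled"] = True
        elif s.startswith("mls ip address "):
            info["mls_ip"] = s.split()[-1]
        elif in_mgmt and s.startswith("vlan "):
            info["mgmt_ifaces"].append(s.split()[-1])  # e.g. "Vlan1"
            continue  # stay inside the management-interface block
        # Any other line ends the block; the header line starts it.
        in_mgmt = "management interface(s) currently defined" in s
    return info


def parse_show_mls_include(text):
    """Return the IPv4 addresses listed under 'Included MLS-RP'."""
    return [l.strip() for l in text.splitlines() if re.fullmatch(r"\d+(\.\d+){3}", l.strip())]


def audit_mls_pairing(rp_output, include_output):
    """Flag the conditions the guide says stop MLSP between this router and switch."""
    rp = parse_show_mls_rp(rp_output)
    included = parse_show_mls_include(include_output)
    findings = []
    if not rp["enabled"]:
        findings.append("MLSP is not globally enabled on the router")
    if not rp["mgmt_ifaces"]:
        findings.append("no management interface: MLSP packets will not be sent or received")
    if rp["mls_ip"] not in included:
        findings.append(f"MLS-RP {rp['mls_ip']} is not in the switch inclusion list {included}")
    return findings
```

An empty findings list means the router's MLS IP address is the one the switch was told to include, which is the cross-check the note above asks you to do by hand with show mls rp.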

Specifying MLS Aging-Time Value

The MLS aging time applies to all MLS cache entries. Any MLS entry that has not been used for agingtime seconds is aged out. The default is 256 seconds.

You can configure the aging time in the range of 8 to 2032 seconds in 8-second increments. Any aging-time value that is not a multiple of 8 seconds is adjusted to the closest one. For example, a value of 65 is adjusted to 64 and a value of 127 is adjusted to 128.

Other events might cause MLS entries to be purged, such as routing changes or a change in link state (MLS-SE link down).


Note   We recommend that you keep the number of MLS entries in the MLS cache below 32K. If the number of MLS entries is more than 32K, some flows (less than 1 percent) are sent to the router. To help keep the size of the MLS cache down, enable MLS fast aging, as described in the "Specifying MLS Fast Aging Time and Packet Threshold Values" section.


To specify the MLS aging time, perform this task in privileged mode:

Task                                                   Command
Specify the MLS aging time for an MLS cache entry.     set mls agingtime [agingtime]


This example shows how to set the MLS aging time:

Console> (enable) set mls agingtime 512
Multilayer switching aging time set to 512
Console> (enable)

Specifying MLS Fast Aging Time and Packet Threshold Values

To help keep the MLS cache size below 32K, enable MLS fast aging time. The MLS fast aging time applies to MLS entries that have no more than pkt_threshold packets switc