Home | Skip to Content | Skip to Search | Skip to Navigation | Skip to Footer |
Worldwide [change] |Register |About Cisco
Guest

Hierarchical Navigation

Support

Configuring IP MLS

Downloads

Table Of Contents

Configuring IP Multilayer Switching

Understanding How IP MLS Works

IP MLS Overview

IP MLS Components

IP MLS Flows

Layer 3 MLS Cache

Flow Masks

Flow Mask Modes

Flow Mask Mode and show mls entry Command Output

Layer 3-Switched Packet Rewrite

IP MLS Operation

Standard and Extended Access Lists

Packet Export Rate

Software and Hardware Requirements

Default IP MLS Configuration

Configuration Guidelines and Restrictions

General Configuration Guidelines

External Routers

Access Lists

IP MLS Interaction with Other Features

Maximum Transmission Unit Size

Restrictions on Using IP Router Commands with IP MLS Enabled

Configuring IP MLS on the Router

Enabling IP MLS on the Router

Adding an IP MLS Interface to a VTP Domain

Assigning a VLAN ID to a Router Interface

Enabling IP MLS on a Router Interface

Specifying a Router Interface as a Management Interface

Removing a Router Interface as a Management Interface

Disabling IP MLS on a Router Interface

Clearing a VLAN ID from a Router Interface

Removing an Interface from a VTP Domain (Including the Null Domain)

Disabling IP MLS on the Router

Monitoring IP MLS on the Router

Using Debug Commands on the IP MLS Router

Configuring IP MLS on the Switch

Enabling IP MLS on the Switch

Specifying Routers to Participate in IP MLS

Specifying IP MLS Aging-Time Value

Specifying IP MLS Fast Aging Time and Packet Threshold Values

Setting the Minimum IP MLS Flow Mask

Removing Routers from Participation in IP MLS

Disabling IP MLS on the Switch

Displaying CAM Entries on the Switch

Displaying IP MLS Information

Displaying IP MLS Cache Entries

Displaying All MLS Entries

Displaying MLS Entries for a Specific Destination Address

Displaying Entries for a Specific Source Address

Displaying Entries for a Specific IP Flow

Displaying Entries for a Specific MLS-RP

Clearing MLS Cache Entries

Displaying IP MLS Statistics

Displaying IP MLS Statistics by Protocol

Displaying Statistics for MLS-RPs

Displaying Statistics for MLS Cache Entries

Clearing IP MLS Statistics

Displaying IP MLS Debug Information

IP MLS Supported Network Topologies

Packets Traversing a Single Router between Two Hosts

Destination Host Connected to a Switch Through a Router

Source Host Connected to a Switch Through a Router

Source and Destination Hosts Connected to a Switch Through Different Routers

Source Host Connected to a Switch Through an FDDI Ring

Source Host Connected to a Switch Through an ATM Cloud

IP MLS Unsupported Network Topologies

IP MLS Examples

Basic IP MLS Implementation

IP MLS With Cisco 7505 Over IEEE 802.1Q

Example Network Topology

Operation before IP MLS

Operation after IP MLS

Router Configuration

Switch A Configuration

Switch B Configuration

Switch C Configuration


Configuring IP Multilayer Switching

This chapter describes how to configure IP Multilayer Switching (MLS) on the Catalyst 5000 family and 2926G series switches.

Note   For complete syntax and usage information for the IOS commands used in this chapter, refer to the software documentation for your router platform. For complete syntax and usage information for the switch commands used in this chapter, refer to the Command Reference for your switch.

This chapter consists of these sections:

Understanding How IP MLS Works

Software and Hardware Requirements

Default IP MLS Configuration

Configuration Guidelines and Restrictions

Configuring IP MLS on the Router

Configuring IP MLS on the Switch

IP MLS Supported Network Topologies

IP MLS Unsupported Network Topologies

IP MLS Examples

Understanding How IP MLS Works

These sections provide an overview of IP MLS and describe how IP MLS works:

IP MLS Overview

IP MLS Components

IP MLS Flows

Layer 3 MLS Cache

Flow Masks

Layer 3-Switched Packet Rewrite

IP MLS Operation

Standard and Extended Access Lists

Packet Export Rate

IP MLS Overview

IP MLS provides high-performance hardware-based Layer 3 switching for Catalyst 5000 family and 2926G series LAN switches. IP MLS switches unicast IP data packet flows between IP subnets using advanced ASIC switching hardware, offloading processor-intensive packet routing from network routers.

The packet forwarding function is moved onto Layer 3 switches whenever a partial or complete switched path exists between two hosts. Packets that do not have a partial or complete switched path to reach their destinations are still forwarded in software by routers. Standard routing protocols, such as Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Routing Information Protocol (RIP), and Intermediate System-to-Intermediate System (IS-IS), are used for route determination.

IP MLS allows you to debug and trace flows in your network. You can identify which switch is handling a particular flow by using MLS explorer packets. The explorer packets aid you in path detection and troubleshooting. For complete information on debugging IP MLS, see the "Using Debug Commands on the IP MLS Router" section.

In addition, IP MLS provides traffic statistics you can use to identify traffic characteristics for administration, planning, and troubleshooting. IP MLS uses NetFlow Data Export (NDE) to export flow statistics.

Note   For more information about NDE, see "."

IP MLS Components

An IP MLS network topology consists of these components:

Multilayer Switching-Switching Engine (MLS-SE)—Catalyst 5000 family switch with Supervisor Engine III or III F with the NetFlow Feature Card (NFFC) or NFFC II, or Supervisor Engine II G or III G, or a Catalyst 2926G series switch. The MLS-SE provides Layer 3 LAN-switching services.

Multilayer Switching-Route Processor (MLS-RP)—A Catalyst 5000 family Route Switch Module (RSM) or Route Switch Feature Card (RSFC), or an externally connected Cisco 7500, 7200, 4700, 4500, or 3600 series router with software that supports IP MLS. The MLS-RP provides Cisco IOS-based multiprotocol routing and network services.

IP MLS Flows

Layer 3 protocols, such as IP and Internetwork Packet Exchange (IPX), are connectionless—they deliver every packet independently of every other packet. However, actual network traffic consists of many end-to-end conversations, or flows, between users or applications.

A flow is a unidirectional sequence of packets between a particular source and destination that share the same protocol and transport-layer information. Communication from a client to a server and from the server to the client are separate flows. For example, Telnet traffic transferred from a particular source to a particular destination comprises a separate flow from File Transfer Protocol (FTP) packets between the same source and destination.

Flows are based only on Layer 3 addresses, which allow IP traffic from multiple users or applications to a particular destination to be carried on a single flow if only the destination IP address is used to identify a flow.

Layer 3 MLS Cache

The NFFC (or NFFC II) maintains a Layer 3 switching table (the Layer 3 MLS cache) for Layer 3 switched flows. The cache also includes entries for traffic statistics that are updated in tandem with the switching of packets. After the MLS cache is created, packets identified as belonging to an existing flow can be Layer 3-switched based on the cached information. The MLS cache maintains flow information for all active flows.

An MLS cache entry is created for the initial packet of each flow. Upon receipt of a packet that does not match any flow currently in the MLS cache, a new IP MLS entry is created.

The state and identity of the flow are maintained while packet traffic is active; when traffic for a flow ceases, the entry ages out. You can configure the aging time for MLS entries kept in the MLS cache. If an entry is not used for the specified period of time, the entry ages out and statistics for that flow can be exported to a flow collector application.

The maximum MLS cache size is 128K. However, an MLS cache larger than 32K increases the probability that a flow will not be switched by the MLS-SE and will get forwarded to the router.

Note   The number of active flows that can be stored in the MLS cache depends on the type of access lists configured on IP MLS router interfaces (which determines the flow mask). See the "Flow Masks" section for additional information.

Flow Masks

The MLS-SE uses flow masks to determine how MLS entries are created. The flow mask is based on the access lists configured on the MLS-RP (router) interfaces. The MLS-SE learns the flow mask through Multilayer Switching Protocol (MLSP) messages from each MLS-RP for which the MLS-SE is performing Layer 3 switching. MLSP is the protocol running between the MLS-SE and MLS-RP to enable MLS.

These sections describe how the flow mask modes work:

Flow Mask Modes

Flow Mask Mode and show mls entry Command Output

Flow Mask Modes

An MLS-SE supports only one flow mask (the most specific one) for all MLS-RPs that are Layer 3 switched by that MLS-SE. If the MLS-SE detects different flow masks from different MLS-RPs for which it is performing Layer 3 switching, it changes its flow mask to the most specific flow mask detected.

When the MLS-SE flow mask changes, the entire MLS cache is purged. When an MLS-SE exports cached entries, flow records are created based on the current flow mask. Depending on the current flow mask, some fields in the flow record might not have values.

Note   On a switch with Supervisor Engine III or III F with the NFFC II, and on the Supervisor Engine II G and III G, no values are displayed for the "Last Used" IP address and port fields in the show mls entry command output. A "0" or "-" is displayed.

The three flow masks are as follows:

destination-ip—The least-specific flow mask. The MLS-SE maintains one MLS entry for each destination IP address. All flows to a given destination IP address use this MLS entry. This mode is used if there are no access lists configured on any of the MLS-RP interfaces.

source-destination-ip—The MLS-SE maintains one MLS entry for each source and destination IP address pair. All flows between a given source and destination use this MLS entry regardless of the IP protocol ports. This mode is used if there is a standard access list on any of the MLS-RP interfaces.

ip-flow—The most-specific flow mask. The MLS-SE creates and maintains a separate MLS cache entry for every IP flow. An ip-flow entry includes the source IP address, destination IP address, protocol, and protocol ports. This mode is used if there is an extended access list on any of the MLS-RP interfaces.

Flow Mask Mode and show mls entry Command Output

This section describes how the flow mask impacts the screen output of the show mls entry command.

With the destination-ip flow mask, the source IP, protocol, and source and destination port fields show the details of the last packet that was Layer 3 switched using the MLS cache entry.

This example shows how the show mls entry command output appears in destination-ip mode: 

Console> (enable) show mls entry

                Last Used         Last    Used

Destination IP  Source IP       Port DstPrt SrcPrt Destination Mac   Vlan Port

--------------- --------------- ---- ------ ------ ----------------- ---- -----

MLS-RP 10.20.6.161:

10.19.6.2       10.19.26.9      UDP  6009   69     00-10-0b-16-98-00 250  1/1-2

10.19.22.8      10.19.2.1       TCP  6001   Telnet 00-00-00-00-00-08 22   4/6

10.19.2.1       10.19.22.8      TCP  6008   Telnet 00-10-0b-16-98-00 250  1/1-2

10.19.27.10     10.19.7.3       TCP  6003   20     00-00-00-00-00-10 27   4/8

10.19.28.11     10.19.8.4       UDP  6004   DNS    00-00-00-00-00-11 28   4/9

10.19.26.9      10.19.6.2       UDP  6002   69     00-00-00-00-00-09 26   4/7

10.19.7.3       10.19.27.10     TCP  6010   FTP    00-10-0b-16-98-00 250  1/1-2

MLS-RP 132.68.9.10:

10.19.86.12     10.19.85.7      TCP  6007   SMTP   00-00-00-00-00-12 86   4/10

10.19.85.7      10.19.86.12     TCP  6012   WWW    00-00-00-00-00-07 85   4/5

MLS-RP 10.20.6.82:

10.19.63.13     10.19.73.14     TCP  6014   Telnet 00-00-00-00-00-13 63   4/11

10.19.73.14     10.19.63.13     TCP  6013   FTP    00-00-00-00-00-14 73   4/12

Console> (enable)

With the source-destination-ip flow mask, the protocol, source port, and destination port fields show the details of the last packet that was Layer 3 switched using the MLS cache entry.

This example shows how the show mls entry command output appears in source-destination-ip mode: 

Console> (enable) show mls entry

                                  Last    Used

Destination IP  Source IP       Port DstPrt SrcPrt Destination Mac   Vlan Port

--------------- --------------- ---- ------ ------ ----------------- ---- -----

MLS-RP 10.20.6.161:

10.19.26.9      10.19.6.2       UDP  6002   69     00-00-00-00-00-09 26   4/7

10.19.28.11     10.19.8.4       UDP  6004   DNS    00-00-00-00-00-11 28   4/9

10.19.6.2       10.19.26.9      UDP  6009   69     00-10-0b-16-98-00 251  1/1-2

10.19.2.1       10.19.22.8      TCP  6008   Telnet 00-10-0b-16-98-00 251  1/1-2

10.19.27.10     10.19.7.3       TCP  6003   20     00-00-00-00-00-10 27   4/8

10.19.22.8      10.19.2.1       TCP  6001   Telnet 00-00-00-00-00-08 22   4/6

10.19.7.3       10.19.27.10     TCP  6010   FTP    00-10-0b-16-98-00 251  1/1-2

MLS-RP 132.68.9.10:

10.19.85.7      10.19.86.12     TCP  6012   WWW    00-00-00-00-00-07 85   4/5

10.19.86.12     10.19.85.7      TCP  6007   SMTP   00-00-00-00-00-12 86   4/10

MLS-RP 10.20.6.82:

10.19.63.13     10.19.73.14     TCP  6014   Telnet 00-00-00-00-00-13 63   4/11

10.19.73.14     10.19.63.13     TCP  6013   FTP    00-00-00-00-00-14 73   4/12

Console> (enable)

With the ip-flow flow mask, details are shown for every flow because a separate MLS entry is created for every flow.

This example shows how the show mls entry command output appears in ip-flow mode: 

Console> (enable) show mls entry

Destination IP  Source IP       Port DstPrt SrcPrt Destination Mac   Vlan Port

--------------- --------------- ---- ------ ------ ----------------- ---- -----

MLS-RP 10.20.6.161:

10.19.26.9      10.19.6.2       UDP  6002   69     00-00-00-00-00-09 26   4/7

10.19.6.2       10.19.26.9      UDP  6009   69     00-10-0b-16-98-00 251  1/1-2

10.19.22.8      10.19.2.1       TCP  6001   Telnet 00-00-00-00-00-08 22   4/6

10.19.2.1       10.19.22.8      TCP  6008   Telnet 00-10-0b-16-98-00 251  1/1-2

10.19.27.10     10.19.7.3       TCP  6003   20     00-00-00-00-00-10 27   4/8

10.19.28.11     10.19.8.4       UDP  6004   DNS    00-00-00-00-00-11 28   4/9

10.19.7.3       10.19.27.10     TCP  6010   FTP    00-10-0b-16-98-00 251  1/1-2

MLS-RP 132.68.9.10:

10.19.86.12     10.19.85.7      TCP  6007   SMTP   00-00-00-00-00-12 86   4/10

10.19.85.7      10.19.86.12     TCP  6012   WWW    00-00-00-00-00-07 85   4/5

MLS-RP 10.20.6.82:

10.19.63.13     10.19.73.14     TCP  6014   Telnet 00-00-00-00-00-13 63   4/11

10.19.73.14     10.19.63.13     TCP  6013   FTP    00-00-00-00-00-14 73   4/12

Console> (enable)

Layer 3-Switched Packet Rewrite

When a packet is Layer 3 switched from a source host to a destination host, the switch (MLS-SE) performs a packet rewrite based on information learned from the router (MLS-RP) and stored in the MLS cache.

If Host A and Host B are on different virtual LANs (VLANs) and Host A sends a packet to the MLS-RP to be routed to Host B, the MLS-SE recognizes that the packet was sent to the Media Access Control (MAC) address of the MLS-RP. The MLS-SE checks the MLS cache and finds the entry matching the flow in question.

When the MLS-SE receives the packet, it is formatted as follows:

Frame Header
IP Header
Payload

Destination

Source

Destination

Source

TTL

Checksum

Data

Checksum

MLS-RP MAC

Host A MAC

Host B IP

Host A IP

n

calculation1


The MLS-SE rewrites the Layer 2 frame header, changing the destination MAC address to the MAC address of Host B and the source MAC address to the MAC address of the MLS-RP (these MAC addresses are stored in the MLS cache entry for this flow). The Layer 3 IP addresses remain the same, but the IP header Time to Live (TTL) is decremented and the checksum is recomputed. The MLS-SE rewrites the switched Layer 3 packets so that they appear to have been routed by a router.

The MLS-SE forwards the rewritten packet to Host B's VLAN (the destination VLAN is stored in the MLS cache entry) and Host B receives the packet.

After the MLS-SE performs the packet rewrite, the packet is formatted as follows:

Frame Header
IP Header
Payload

Destination

Source

Destination

Source

TTL

Checksum

Data

Checksum

Host B MAC

MLS-RP MAC

Host B IP

Host A IP

n+1

calculation2


Note   Some Catalyst 5000 family switching modules have onboard hardware that performs the packet rewrite, maximizing IP MLS performance. This performance enhancement is also used on the Catalyst 2926G series switch ports. To determine whether a port supports packet rewrite, use the show port capabilities command. If the port does not support inline rewrite, the packet rewrite is done in the supervisor engine.

IP MLS Operation

shows a simple IP MLS network topology. In this example, Host A is on the Sales VLAN (IP subnet 171.59.1.0), Host B is on the Marketing VLAN (IP subnet 171.59.3.0), and Host C is on the Engineering VLAN (IP subnet 171.59.2.0).

When Host A initiates an FTP file transfer to Host B, an MLS entry for this flow is created (this entry is the first item in the MLS cache shown in ). The MLS-SE stores the MAC addresses of the MLS-RP and Host B in the MLS entry when the MLS-RP forwards the first packet from Host A through the switch to Host B. The MLS-SE uses this information to rewrite subsequent packets from Station A to Station B.

Similarly, a separate MLS entry is created in the MLS cache for the HTTP traffic from Host A to Host C, and for the HTTP traffic from Host C to Host A. The destination VLAN is stored as part of each MLS entry so that the correct VLAN identifier is used when encapsulating traffic on trunk links.

Figure 5-1 IP MLS Example Topology

Standard and Extended Access Lists

Note   Router interfaces with input access lists cannot participate in IP MLS. However, you can translate any input access list to an output access list to provide the same effect on the interface.

IP MLS allows you to enforce access lists on every packet of the flow without compromising IP MLS performance. When you enable IP MLS, the MLS-SE handles standard and extended access list permit traffic at wire speed.

Note   Access list deny traffic is always handled by the MLS-RP, not the MLS-SE.

Route topology changes and the addition or modification of access lists are reflected in the IP MLS switching path automatically on the MLS-SE. The techniques for handling route and access list changes apply to the RSM and to directly attached external routers.

For example, when Station A wants to communicate with Station B, it sends the first packet to the MLS-RP. If an access list is configured on the MLS-RP to deny access from Station A to Station B, the MLS-RP receives the packet, checks the access list to see if the packet flow is permitted, and discards the packet based on the access list. Because the first packet for this flow does not return from the MLS-RP, an MLS cache entry is not established by the MLS-SE.

If a flow is already being Layer 3 switched by the MLS-SE and the access list is created on the MLS-RP, the MLS-SE learns of the change through MLSP and immediately enforces security for the affected flow by purging it from the MLS cache. New flows are created based on the restrictions imposed by the access list.

Similarly, when the MLS-RP detects a routing topology change, the appropriate MLS cache entries are deleted in the MLS-SE. New flows are created based on the new topology.

Packet Export Rate

Note   Packets are exported only when NDE is enabled.

Export rates for MLS entries depend on the traffic pattern; there is no typical packet rate. The worst-case packet export rate occurs when all existing MLS entries are purged due to an event such as a route change. The MLS entries are exported at a burst rate of 1,213 datagrams of 27 flows each.

Software and Hardware Requirements

IP MLS requires these software and hardware versions:

Supervisor engine software release 4.1(1) or later

Cisco IOS router software:

IOS release 12.0(3c)W5(8a) or later on the Route Switch Feature Card (RSFC)

IOS release 12.0(3c)W5(8) or later on the MLS-RP if running MLS over ATM media

IOS release 12.0(2) or later on Cisco 3600 series routers

IOS release 11.3(2)WA4(4) or later and IOS release 12.0(1) or later on the Route Switch Module (RSM), or Cisco 7500, 7200, 4700, and 4500 series routers

If running MLS over ATM media, Catalyst 5000 family ATM module software release 11.3(8)WA4(11) or later, or release 12.0(3c)W5(10) or later

Hardware:

Catalyst 2926G series switch, or a Catalyst 5000 family switch with Supervisor Engine II G or III G, or Supervisor Engine III or III F with a NetFlow Feature Card (NFFC) or NFFC II

RSM, RSFC, or external Cisco 7500, 7200, 4700, 4500, or 3600 series router

Catalyst 5000 family ATM module and a router with an ATM interface if running MLS over ATM media

(Optional) Inline-rewrite capable switching modules—These switching modules have onboard hardware that maximizes IP MLS performance (this performance enhancement is also used in the Catalyst 2926G series switches). Use the show port capabilities command to determine if your hardware supports inline rewrite.

Note   When using IP MLS with the Gigabit Ethernet (WS-X5403) switching module, you must install the module in specific slots in the Catalyst 5000 family switches to maximize IP MLS operation. Refer to the Catalyst 5000 Family Module Installation Guide for details.

Default IP MLS Configuration

shows the default IP MLS configuration.

Table 5-1 Default IP MLS Configuration

Feature
Default Value

IP MLS enable state

Enabled

Participating routers

None1

IP MLS aging-time

256 seconds

IP MLS fast aging-time

0 seconds (no fast aging)

IP MLS fast aging-time packet threshold

0 packets

Minimum IP MLS flow mask

Varies depending on router access list configuration

1 If an RSM is installed in the switch, the device is automatically included as a participating IP MLS router.


Configuration Guidelines and Restrictions

These sections describe configuration guidelines that apply when configuring IP MLS:

General Configuration Guidelines

External Routers

Access Lists

IP MLS Interaction with Other Features

Maximum Transmission Unit Size

Restrictions on Using IP Router Commands with IP MLS Enabled

General Configuration Guidelines

Follow these general guidelines when configuring IP MLS:

When you enable IP MLS, the RSM or externally attached router continues to handle all non-IP-unicast traffic while offloading the routing of IP packets to the MLS-SE.

Do not confuse IP MLS with the NetFlow switching supported by Cisco routers. MLS uses both the RSM or directly attached external router and the MLS-SE. With IP MLS, you are not required to use NetFlow switching on the RSM or directly attached external router; any switching path on the RSM or directly attached external router will work (process, fast, optimum, and so on).

External Routers

Follow these guidelines when using an external router:

We recommend one directly attached external router per switch to ensure that the MLS-SE caches the appropriate flow information from both sides of the routed flow.

You can use Cisco high-end routers (Cisco 7500, 7200, 4700, and 4500 series) for IP MLS when they are externally attached to the switch. You can make the attachment in any of these configurations:

Fast or Gigabit Ethernet interface with Inter-Switch Link (ISL) or IEEE 802.1Q encapsulation on multiple subinterfaces (one per subnet)

ATM interface with LANE encapsulation on multiple subinterfaces (one per subnet)

Multiple Ethernet interfaces (one per subnet)

You can connect end hosts through any media (Ethernet, Fast Ethernet, ATM, Fiber Distributed Data Interface [FDDI], or Token Ring) but the connection between the external router and the switch must be through standard Ethernet, Fast Ethernet, or Gigabit Ethernet interfaces, ISL trunk links, IEEE 802.1Q trunk links, or ATM LANE trunk links.

Access Lists

Access lists affect IP MLS as follows:

Input access lists—Input access lists are supported with IP MLS in Cisco IOS release 12.0(2) and later.

Prior to IOS release 12.0(2), input access lists are not supported with IP MLS and router interfaces with input access lists cannot participate in IP MLS. No packets destined for that interface are Layer 3 switched, even if the flow is not filtered by the access list. Existing flows for that interface are purged, and no new flows are cached.

Note   You can translate input access lists to output access lists to provide the same effect on the interface.

Output access lists—When an output access list is first applied to an interface, the MLS cache entries for that interface are purged. Entries associated with other interfaces are not affected; they follow their normal aging or purging procedures.

Applying an output access list that uses the log, precedence, tos, or establish options prevents the interface from participating in IP MLS.

Access list impact on flow masks—Access lists impact the flow mask advertised to the MLS-SE by an MLS-RP. You can specify the minimum flow mask using the set mls flow command. For more information, see the "Flow Masks" section.

Reflexive access lists—Router interfaces with reflexive access lists cannot participate in Layer 3 switching.

IP MLS Interaction with Other Features

Other Cisco IOS software features affect IP MLS as follows:

IP accounting—Enabling IP accounting on an IP MLS-enabled interface disables the IP accounting functions on that interface.

Note   To collect statistics for the Layer 3-switched traffic, enable NDE. For information on configuring NDE, see "."

Data encryption—IP MLS is disabled on an interface when the data encryption feature is configured on the interface.

Policy route-map—Policy routing is supported with IP MLS in Cisco IOS release 12.0(3) and later. Enter the [no] mls rp ip route-map global configuration command to allow policy routing in conjunction with IP MLS. IP MLS cannot function on interfaces that are configured to policy route based on packet length.

In Cisco IOS releases prior to release 12.0(3), IP MLS is disabled on an interface when a policy route-map is configured on the interface.

TCP intercept—With IP MLS interfaces enabled, the TCP intercept feature (enabled in global configuration mode) might not work properly. When you enable TCP intercept, the following message displays: 

Command accepted, interfaces with mls might cause inconsistent behavior.

Network Address Translation (NAT)—IP MLS is disabled on an interface when NAT is configured on the interface.

Committed access rate (CAR)—IP MLS is disabled on an interface when CAR is configured on the interface.

Maximum Transmission Unit Size

The maximum transmission unit (MTU) for an IP MLS interface must be the default Ethernet MTU, 1500 bytes.

To change the MTU on an IP MLS-enabled interface, you must first disable IP MLS on the interface (enter the no mls rp ip command on the interface). If you attempt to change the MTU with IP MLS enabled, the following message displays: 

Need to turn off the mls router for this interface first.

If you attempt to enable IP MLS on an interface that has an MTU value other than the default value, the following message displays: 

mls only supports interfaces with default mtu size

Restrictions on Using IP Router Commands with IP MLS Enabled

When you enable some IP processes on an interface, you will disable IP MLS on the interface. shows the affected commands.

Table 5-2 IP Router Command Restrictions 

Command
Behavior

clear ip route

Clears all MLS cache entries for all switches performing Layer 3 switching for this MLS-RP.

ip routing

The no form purges all MLS cache entries and disables IP MLS on this MLS-RP.

ip security (all forms of this command)

Disables IP MLS on the interface.

ip tcp compression-connections

Disables IP MLS on the interface.

ip tcp header-compression

Disables IP MLS on the interface.


Configuring IP MLS on the Router

These sections describe how to configure one or more routers for IP MLS. Depending upon your configuration, you might not have to perform all the steps in the procedure.

Enabling IP MLS on the Router

Adding an IP MLS Interface to a VTP Domain

Assigning a VLAN ID to a Router Interface

Enabling IP MLS on a Router Interface

Specifying a Router Interface as a Management Interface

Removing a Router Interface as a Management Interface

Disabling IP MLS on a Router Interface

Clearing a VLAN ID from a Router Interface

Removing an Interface from a VTP Domain (Including the Null Domain)

Disabling IP MLS on the Router

Monitoring IP MLS on the Router

Using Debug Commands on the IP MLS Router

Note   For information on configuring interVLAN routing on the RSM and external routers, see "."

For information on configuring IP MLS on the switch, see the "Configuring IP MLS on the Switch" section.

Enabling IP MLS on the Router

To use IP MLS, you must globally enable IP MLS on the router.

To enable IP MLS globally on the MLS-RP, perform this task in global configuration mode:

Task
Command

Globally enable IP MLS on the router.

mls rp ip


This example shows how to enable IP MLS globally on the router: 

Router(config)#mls rp ip

Router(config)#

Adding an IP MLS Interface to a VTP Domain

Note   Perform this configuration task only if the switch is a VTP server or client.

Determine which router interfaces you will use as IP MLS interfaces and add those interfaces to the same VTP domain as the MLS-SE.

To view the VTP configuration on the switch, including the VTP domain name, enter the show vtp domain command on the switch.

Caution   
Perform this task before you enter any other IP MLS interface commands on the IP MLS interface (specifically, the mls rp ip interface command or mls rp management-interface interface command). Entering IP MLS interface commands on an interface prior to putting the interface into a VTP domain places the interface in the null domain. To put the IP MLS interface into a domain other than the null domain, you must clear the IP MLS interface configuration before you can add it to another VTP domain (for more information, see the "Removing an Interface from a VTP Domain (Including the Null Domain)" section).

On ISL or 802.1Q trunk links, enter the mls rp vtp-domain command on the primary interface (not on the individual subinterfaces). All subinterfaces on the primary interface inherit the VTP domain assigned to the primary interface.

To add an IP MLS interface to a VTP domain, perform this task in interface configuration mode:

Task
Command

Add an IP MLS interface to a VTP domain.

mls rp vtp-domain [domain_name]


This example shows how to add an IP MLS interface to a VTP domain: 

Router(config-if)#mls rp vtp-domain engineering

Router(config-if)#

Assigning a VLAN ID to a Router Interface

Note   This task is not required for RSM VLAN interfaces (virtual interfaces), ISL-encapsulated interfaces, and 802.1Q-encapsulated interfaces.

Note   Make sure you add the interface to a VTP domain before performing this task. For more information, see the "Adding an IP MLS Interface to a VTP Domain" section.

In these configurations, the IP MLS interface must have a VLAN ID configured before you can enable it for IP MLS:

ATM interface with LANE encapsulation and multiple subinterfaces (one per subnet/VLAN)

Ethernet, Fast Ethernet, or Gigabit Ethernet interface with no subinterfaces. (one physical interface per subnet/VLAN)

To assign a VLAN ID to an IP MLS interface, perform this task in interface configuration mode:

Task
Command

Assign a VLAN ID to an IP MLS interface.

mls rp vlan-id [vlan_id_num]


This example shows how to assign a VLAN ID to an IP MLS interface: 

Router(config-if)#mls rp vlan-id 23

Router(config-if)#

Enabling IP MLS on a Router Interface

Note   Make sure you add the interface to a VTP domain before performing this task. For more information, see the "Adding an IP MLS Interface to a VTP Domain" section.

To enable IP MLS on a specific router interface, perform this task in interface configuration mode:

Task
Command

Specify a router interface for IP MLS.

mls rp ip


This example shows how to enable IP MLS on a router interface: 

Router(config-if)#mls rp ip

Router(config-if)#

Specifying a Router Interface as a Management Interface

MLSP packets are sent and received through the management interface. You must specify at least one router interface as a management interface. If you do not specify a management interface, IP MLS will not function.

Every switch participating in IP MLS must have an active port in at least one VLAN that has a corresponding router interface configured as a management interface. If the VLAN to which the management interface belongs does not span the whole IP MLS network, you must configure multiple management interfaces such that each switch has an active port in a VLAN with a management interface.

To specify a router interface as a management interface, perform this task in interface configuration mode:

Task
Command

Specify an interface as the management interface.

mls rp management-interface


This example shows how to specify a router interface as a management interface: 

Router(config-if)#mls rp management-interface 

Router(config-if)#

Removing a Router Interface as a Management Interface

To remove a router interface as a management interface, perform this task in interface configuration mode:

Task
Command

Remove an interface as the management interface.

no mls rp management-interface


This example shows how to remove a router interface as a management interface: 

Router(config-if)#no mls rp management-interface 

Router(config-if)#

Disabling IP MLS on a Router Interface

To disable IP MLS on a specific router interface, perform this task in interface configuration mode:

Task
Command

Remove a router interface from IP MLS.

no mls rp ip


This example shows how to disable IP MLS on a router interface: 

Router(config-if)#no mls rp ip

Router(config-if)#

Clearing a VLAN ID from a Router Interface

Note   This task does not apply for RSM VLAN interfaces (virtual interfaces), ISL-encapsulated interfaces, and 802.1Q-encapsulated interfaces.

Removing the VLAN ID from an interface disables IP MLS for the interface.

To clear a VLAN ID from an IP MLS interface, perform this task in interface configuration mode:

Task
Command

Remove a VLAN ID from an IP MLS interface.

no mls rp vlan-id [vlan_id_num]


This example shows how to clear a VLAN ID from an IP MLS interface: 

Router(config-if)#no mls rp vlan-id 23

Router(config-if)#

Removing an Interface from a VTP Domain (Including the Null Domain)

To remove an interface from a VTP domain (including the null domain) and add it to another domain, perform this task in interface configuration mode:

Task
Command

Step 1 Clear the IP MLS configuration on the interface, if necessary.

no mls rp ip

no mls rp management-interface

Step 2 Remove the interface from the VTP domain.

no mls rp vtp-domain [domain_name]

Step 3 Add the interface to a new VTP domain.

mls rp vtp-domain [domain_name]


This example shows how to remove an interface from one VTP domain (including the null domain) and add it to another VTP domain: 

Router(config-if)#no mls rp ip

Router(config-if)#no mls rp management-interface

Router(config-if)#no mls rp vtp-domain engineering

Router(config-if)#mls rp vtp-domain wbu

Router(config-if)#

Disabling IP MLS on the Router

To disable IP MLS on the router, perform this task in global configuration mode:

Task
Command

Globally disable IP MLS on the router.

no mls rp ip


This example shows how to disable IP MLS on the router: 

Router(config)#no mls rp ip

Router(config)#

Monitoring IP MLS on the Router

The show mls rp command displays IP MLS details, including specific information about MLSP. The output of the show mls rp command includes:

IP MLS status (enabled or disabled) for switch interfaces and subinterfaces

Flow mask used by this device when creating Layer 3-switching entries for the router

Current settings for the keepalive timer, retry timer, and retry count

MLSP-ID used in MLSP messages

List of interfaces in all VTP domains that are enabled for IP MLS

To display detailed IP MLS information on the router, perform one of these tasks in privileged mode:

Task
Command

Show IP MLS details for all interfaces.

show mls rp [interface]

Show IP MLS interfaces for a specific VTP domain.

show mls rp vtp-domain [domain_name]


This example shows how to display details about IP MLS on the router: 

Router# show mls rp

multilayer switching is globally enabled

mls id is 00e0.fefc.6000

mls ip address 10.20.26.64

mls flow mask is ip-flow

vlan domain name: WBU

   current flow mask: ip-flow

   current sequence number: 80709115

   current/maximum retry count: 0/10

   current domain state: no-change

   current/next global purge: false/false

   current/next purge count: 0/0

   domain uptime: 13:03:19

   keepalive timer expires in 9 seconds

   retry timer not running

   change timer not running

   fcp subblock count = 7

   1 management interface(s) currently defined:

      vlan 1 on Vlan1

   7 mac-vlan(s) configured for multi-layer switching:

      mac 00e0.fefc.6000

         vlan id(s)

         1    10   91   92   93   95   100

   router currently aware of following 1 switch(es):

      switch id 0010.1192.b5ff

Router#

This example shows how to display IP MLS information about a specific interface (in this case, interface vlan 10): 

Router# show mls rp interface vlan 10

mls active on Vlan10, domain WBU

Router#

This example shows how to show detailed information about IP MLS interfaces in a specific VTP domain: 

Router# show mls rp vtp-domain WBU

vlan domain name: WBU

   current flow mask: ip-flow

   current sequence number: 80709115

   current/maximum retry count: 0/10

   current domain state: no-change

   current/next global purge: false/false

   current/next purge count: 0/0

   domain uptime: 13:07:36

   keepalive timer expires in 8 seconds

   retry timer not running

   change timer not running

   fcp subblock count = 7

   1 management interface(s) currently defined:

      vlan 1 on Vlan1

   7 mac-vlan(s) configured for multi-layer switching:

      mac 00e0.fefc.6000

         vlan id(s)

         1    10   91   92   93   95   100

   router currently aware of following 1 switch(es):

      switch id 0010.1192.b5ff

Router#

Using Debug Commands on the IP MLS Router

describes IP MLS-related debug commands that you can use to troubleshoot IP MLS problems on the router.

Table 5-3

Command
Description

[no] debug mls rp events

Displays a run-time sequence of events for MLSP.

[no] debug mls rp packets

Displays packet contents (in verbose and hexadecimal formats) for MLSP messages.

[no] debug mls rp error

Displays error messages related to MLS.

[no] debug mls rp ip

Turns on IP-related events for MLS, including route purging and changes of access lists and flow masks.

[no] debug mls rp locator

Identifies which switch is switching a particular flow by using MLS explorer packets.

[no] debug mls rp all

Turns on all MLS debugging events.


IP MLS Debug Commands

Configuring IP MLS on the Switch

IP MLS is enabled by default on Catalyst 5000 family and 2926G series switches. If the MLS-RP is an RSM installed in the Catalyst 5000 family switch chassis, you do not need to configure the switch. You only need to configure the switch in these circumstances:

You have an external router as the MLS-RP (this is always the case with the Catalyst 2926G series switches)

You want to change the IP MLS aging time

You want to enable NDE

These sections describe how to configure IP MLS on the switch:

Enabling IP MLS on the Switch

Specifying Routers to Participate in IP MLS

Specifying IP MLS Aging-Time Value

Specifying IP MLS Fast Aging Time and Packet Threshold Values

Setting the Minimum IP MLS Flow Mask

Removing Routers from Participation in IP MLS

Disabling IP MLS on the Switch

Displaying CAM Entries on the Switch

Displaying IP MLS Information

Displaying IP MLS Cache Entries

Clearing MLS Cache Entries

Displaying IP MLS Statistics

Clearing IP MLS Statistics

Displaying IP MLS Debug Information

Note   For information on configuring VLANs on the switch, refer to the "Configuring VTP and VLANs on the Switch" section.

For information on configuring IP MLS on the router, see the "Configuring IP MLS on the Router" section.

Enabling IP MLS on the Switch

When you enable IP MLS on the switch, the switch (MLS-SE) starts to process MLSP messages from the MLS-RPs and starts Layer 3 switching. IP MLS is enabled by default on the MLS-SE.

To enable IP MLS on the switch, perform this task in privileged mode:

Task
Command

Step 1 Enable IP MLS on the switch.

set mls enable

Step 2 Verify that IP MLS is enabled.

show mls [noalias]


This example shows how to enable IP MLS on the switch and verify the configuration: 

Console> (enable) set mls enable

Multilayer switching is enabled

Console> (enable)

Specifying Routers to Participate in IP MLS

If the MLS-RP is an external router, you must specify the IP address of an interface on the MLS-RP to participate in IP MLS. The MLS-SE does not process MLSP messages from external routers that have not been included as MLS-RPs.

If an RSM is installed in the switch, it participates in IP MLS automatically and is included in the inclusion list (provided the device is running the correct Cisco IOS software version). If you physically remove the RSM or if you disable IP MLS on the RSM, the device is removed from the inclusion list.

On the Catalyst 2926G series switches, you must specify at least one external router to participate in IP MLS.

Note   Before specifying a router to participate in IP MLS, enter the show mls rp command on the router to identify the MLS-RP IP address. Use the displayed address when you enter the set mls include ip_addr command on the switch.

To specify a router to participate in IP MLS, perform this task in privileged mode:

Task
Command

Step 1 On the switch, specify the IP address of the MLS-RP to participate in IP MLS.

set mls include [ip_addr]

Step 2 Verify the configuration.

show mls include


Note   You can specify the IP addresses of multiple MLS-RPs on the same command line. Up to 16 MLS-RPs can be selected to participate in IP MLS.

This example shows how to identify the MLS-RP IP address on the router, how to specify the MLS-RP to participate in IP MLS, and how to verify the configuration: 

Console> (enable) set mls include 170.170.2.1

Multilayer switching is enabled for router 170.170.2.1

Console> (enable) show mls include

Included MLS-RP

---------------------------------------

170.67.2.13

170.67.2.12

Console> (enable)

Specifying IP MLS Aging-Time Value

The IP MLS aging time applies to all MLS cache entries. Any MLS entry that has not been used for agingtime seconds is aged out. The default is 256 seconds.

You can configure the aging time in the range of 8 to 2032 seconds in 8-second increments. Any aging-time value that is not a multiple of 8 seconds is adjusted to the closest one. For example, a value of 65 is adjusted to 64 and a value of 127 is adjusted to 128.

Other events might cause MLS entries to be purged, such as routing changes or a change in link state (MLS-SE link down).

Note   We recommend that you keep the number of MLS entries in the MLS cache below 32K. If the number of MLS entries is more than 32K, some flows are sent to the router. To help keep the size of the MLS cache down, enable IP MLS fast aging, as described in the "Specifying IP MLS Fast Aging Time and Packet Threshold Values" section.

To specify the IP MLS aging time, perform this task in privileged mode:

Task
Command

Specify the IP MLS aging time for an MLS cache entry.

set mls agingtime [agingtime]


This example shows how to set the IP MLS aging time: 

Console> (enable) set mls agingtime 512

Multilayer switching aging time set to 512

Console> (enable)

Specifying IP MLS Fast Aging Time and Packet Threshold Values

To help keep the MLS cache size below 32K, enable IP MLS fast aging time. The IP MLS fast aging time applies to MLS entries that have no more than pkt_threshold packets switched within fastagingtime seconds after it is created. A typical cache entry that is removed is the entry for flows to and from a Domain Name Server (DNS) or TFTP server; the entry might never be used again after it is created. Detecting and aging out these entries saves space in the MLS cache for other data traffic.

The default fastagingtime value is 0 (no fast aging). You can configure the fastagingtime value to 32, 64, 96, or 128 seconds. Any fastagingtime value that is not configured exactly as the indicated values is adjusted to the closest one. You can configure the pkt_threshold value to 0, 1, 3, 7, 15, 31, or 63 packets.

If you need to enable IP MLS fast aging time, initially set the value to 128 seconds. If the size of the MLS cache continues to grow over 32K, decrease the setting until the cache size stays below 32K. If the cache continues to grow over 32K, decrease the normal IP MLS aging time.

Typical values for fastagingtime and pkt_threshold are 32 seconds and 0 packets (no packets switched within 32 seconds after the entry is created).

To specify the IP MLS fast aging time and packet threshold, perform this task in privileged mode:

Task
Command

Specify the IP MLS fast aging time and packet threshold for an MLS cache entry.

set mls agingtime fast [fastagingtime] [pkt_threshold]


This example shows how to set the IP MLS fast aging time to 32 seconds with a packet threshold of 0 packets: 

Console> (enable) set mls agingtime fast 32 0

Multilayer switching fast aging time set to 32 seconds for entries with no more than 0 
packets switched.

Console> (enable)

Setting the Minimum IP MLS Flow Mask

You can set the minimum granularity of the flow mask for the MLS cache on the MLS-SE. The actual flow mask used will be at least of the granularity specified by this command. For information on how the different flow masks work, see the "Flow Masks" section.

For example, if you do not configure access lists on any MLS-RP, then the IP MLS flow mask on the MLS-SE is destination-ip by default. However, you can force the MLS-SE to use the source-destination-ip flow mask by setting the minimum IP MLS flow mask using the set mls flow destination-source command. If an extended access list is configured on MLS-RP, then the flow mask is changed to ip-flow, which is a more granular flow mask than the configured source-destination-ip flow mask.

Caution   
Be careful when using this command. This command purges all existing shortcuts in the MLS cache and affects the number of active shortcuts on the MLS-SE.

To specify the minimum IP MLS flow mask, perform this task in privileged mode:

Task
Command

Specify the minimum IP MLS flow mask.

set mls flow {destination | destination-source | full}


This example shows how to set the minimum IP MLS flow mask to destination-source-ip: 

Console> (enable) set mls flow destination-source

Configured flow mask is set to destination-source flow.

Console> (enable)

Removing Routers from Participation in IP MLS

To remove a router from the list of routers participating in IP MLS, perform this task in privileged mode:

Task
Command

Remove an MLS-RP from participation in IP MLS.

clear mls include [ip_addr] [all]


Note   You cannot remove an RSM or RSFC installed in the switch from the inclusion list using the clear mls include command. To remove an RSM or RSFC from the inclusion list, you must disable IP MLS on the RSM or RSFC or physically remove the RSM or RSFC from the switch.

This example shows how to remove a router from the IP MLS inclusion list on the switch: 

Console> (enable) clear mls include stargate

Multilayer switching is disabled for router 170.20.15.1 (Stargate)

Console> (enable)

Disabling IP MLS on the Switch

When you disable IP MLS on the switch, the MLS-SE does not process any MLSP messages from any MLS-RPs, and all existing MLS cache entries are purged.

Note   If NDE is enabled and you disable IP MLS, you lose the statistics for existing cache entries. The flow statistics are not exported.

To disable IP MLS on the switch, perform this task in privileged mode:

Task
Command