Downloads |
Table Of Contents
Configuring IP Multilayer Switching
Understanding How IP MLS Works
Flow Mask Mode and show mls entry Command Output
Layer 3-Switched Packet Rewrite
Standard and Extended Access Lists
Software and Hardware Requirements
Configuration Guidelines and Restrictions
General Configuration Guidelines
IP MLS Interaction with Other Features
Maximum Transmission Unit Size
Restrictions on Using IP Router Commands with IP MLS Enabled
Configuring IP MLS on the Router
Adding an IP MLS Interface to a VTP Domain
Assigning a VLAN ID to a Router Interface
Enabling IP MLS on a Router Interface
Specifying a Router Interface as a Management Interface
Removing a Router Interface as a Management Interface
Disabling IP MLS on a Router Interface
Clearing a VLAN ID from a Router Interface
Removing an Interface from a VTP Domain (Including the Null Domain)
Disabling IP MLS on the Router
Monitoring IP MLS on the Router
Using Debug Commands on the IP MLS Router
Configuring IP MLS on the Switch
Specifying Routers to Participate in IP MLS
Specifying IP MLS Aging-Time Value
Specifying IP MLS Fast Aging Time and Packet Threshold Values
Setting the Minimum IP MLS Flow Mask
Removing Routers from Participation in IP MLS
Disabling IP MLS on the Switch
Displaying CAM Entries on the Switch
Displaying IP MLS Cache Entries
Displaying MLS Entries for a Specific Destination Address
Displaying Entries for a Specific Source Address
Displaying Entries for a Specific IP Flow
Displaying Entries for a Specific MLS-RP
Displaying IP MLS Statistics by Protocol
Displaying Statistics for MLS-RPs
Displaying Statistics for MLS Cache Entries
Displaying IP MLS Debug Information
IP MLS Supported Network Topologies
Packets Traversing a Single Router between Two Hosts
Destination Host Connected to a Switch Through a Router
Source Host Connected to a Switch Through a Router
Source and Destination Hosts Connected to a Switch Through Different Routers
Source Host Connected to a Switch Through an FDDI Ring
Source Host Connected to a Switch Through an ATM Cloud
IP MLS Unsupported Network Topologies
IP MLS With Cisco 7505 Over IEEE 802.1Q
Configuring IP Multilayer Switching
This chapter describes how to configure IP Multilayer Switching (MLS) on the Catalyst 5000 family and 2926G series switches.
Note
For complete syntax and usage information for the IOS commands used in this chapter, refer to the software documentation for your router platform. For complete syntax and usage information for the switch commands used in this chapter, refer to the Command Reference for your switch.
This chapter consists of these sections:
•
•
•
•
•
•
•
Understanding How IP MLS Works
These sections provide an overview of IP MLS and describe how IP MLS works:
•
•
IP MLS Overview
IP MLS provides high-performance hardware-based Layer 3 switching for Catalyst 5000 family and 2926G series LAN switches. IP MLS switches unicast IP data packet flows between IP subnets using advanced ASIC switching hardware, offloading processor-intensive packet routing from network routers.
The packet forwarding function is moved onto Layer 3 switches whenever a partial or complete switched path exists between two hosts. Packets that do not have a partial or complete switched path to reach their destinations are still forwarded in software by routers. Standard routing protocols, such as Open Shortest Path First (OSPF), Enhanced Interior Gateway Routing Protocol (EIGRP), Routing Information Protocol (RIP), and Intermediate System-to-Intermediate System (IS-IS), are used for route determination.
IP MLS allows you to debug and trace flows in your network. You can identify which switch is handling a particular flow by using MLS explorer packets. The explorer packets aid you in path detection and troubleshooting. For complete information on debugging IP MLS, see the "Using Debug Commands on the IP MLS Router" section.
In addition, IP MLS provides traffic statistics you can use to identify traffic characteristics for administration, planning, and troubleshooting. IP MLS uses NetFlow Data Export (NDE) to export flow statistics.
Note
IP MLS Components
An IP MLS network topology consists of these components:
•
•
IP MLS Flows
Layer 3 protocols, such as IP and Internetwork Packet Exchange (IPX), are connectionless—they deliver every packet independently of every other packet. However, actual network traffic consists of many end-to-end conversations, or flows, between users or applications.
A flow is a unidirectional sequence of packets between a particular source and destination that share the same protocol and transport-layer information. Communication from a client to a server and from the server to the client are separate flows. For example, Telnet traffic transferred from a particular source to a particular destination comprises a separate flow from File Transfer Protocol (FTP) packets between the same source and destination.
Flows are based only on Layer 3 addresses, which allow IP traffic from multiple users or applications to a particular destination to be carried on a single flow if only the destination IP address is used to identify a flow.
Layer 3 MLS Cache
The NFFC (or NFFC II) maintains a Layer 3 switching table (the Layer 3 MLS cache) for Layer 3 switched flows. The cache also includes entries for traffic statistics that are updated in tandem with the switching of packets. After the MLS cache is created, packets identified as belonging to an existing flow can be Layer 3-switched based on the cached information. The MLS cache maintains flow information for all active flows.
An MLS cache entry is created for the initial packet of each flow. Upon receipt of a packet that does not match any flow currently in the MLS cache, a new IP MLS entry is created.
The state and identity of the flow are maintained while packet traffic is active; when traffic for a flow ceases, the entry ages out. You can configure the aging time for MLS entries kept in the MLS cache. If an entry is not used for the specified period of time, the entry ages out and statistics for that flow can be exported to a flow collector application.
The maximum MLS cache size is 128K. However, an MLS cache larger than 32K increases the probability that a flow will not be switched by the MLS-SE and will get forwarded to the router.
Note
Flow Masks
The MLS-SE uses flow masks to determine how MLS entries are created. The flow mask is based on the access lists configured on the MLS-RP (router) interfaces. The MLS-SE learns the flow mask through Multilayer Switching Protocol (MLSP) messages from each MLS-RP for which the MLS-SE is performing Layer 3 switching. MLSP is the protocol running between the MLS-SE and MLS-RP to enable MLS.
These sections describe how the flow mask modes work:
•
Flow Mask Modes
An MLS-SE supports only one flow mask (the most specific one) for all MLS-RPs that are Layer 3 switched by that MLS-SE. If the MLS-SE detects different flow masks from different MLS-RPs for which it is performing Layer 3 switching, it changes its flow mask to the most specific flow mask detected.
When the MLS-SE flow mask changes, the entire MLS cache is purged. When an MLS-SE exports cached entries, flow records are created based on the current flow mask. Depending on the current flow mask, some fields in the flow record might not have values.
Note
The three flow masks are as follows:
•
•
•
Flow Mask Mode and show mls entry Command Output
This section describes how the flow mask impacts the screen output of the show mls entry command.
With the destination-ip flow mask, the source IP, protocol, and source and destination port fields show the details of the last packet that was Layer 3 switched using the MLS cache entry.
This example shows how the show mls entry command output appears in destination-ip mode:
Console> (enable) show mls entryLast Used Last UsedDestination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port--------------- --------------- ---- ------ ------ ----------------- ---- -----MLS-RP 10.20.6.161:10.19.6.2 10.19.26.9 UDP 6009 69 00-10-0b-16-98-00 250 1/1-210.19.22.8 10.19.2.1 TCP 6001 Telnet 00-00-00-00-00-08 22 4/610.19.2.1 10.19.22.8 TCP 6008 Telnet 00-10-0b-16-98-00 250 1/1-210.19.27.10 10.19.7.3 TCP 6003 20 00-00-00-00-00-10 27 4/810.19.28.11 10.19.8.4 UDP 6004 DNS 00-00-00-00-00-11 28 4/910.19.26.9 10.19.6.2 UDP 6002 69 00-00-00-00-00-09 26 4/710.19.7.3 10.19.27.10 TCP 6010 FTP 00-10-0b-16-98-00 250 1/1-2MLS-RP 132.68.9.10:10.19.86.12 10.19.85.7 TCP 6007 SMTP 00-00-00-00-00-12 86 4/1010.19.85.7 10.19.86.12 TCP 6012 WWW 00-00-00-00-00-07 85 4/5MLS-RP 10.20.6.82:10.19.63.13 10.19.73.14 TCP 6014 Telnet 00-00-00-00-00-13 63 4/1110.19.73.14 10.19.63.13 TCP 6013 FTP 00-00-00-00-00-14 73 4/12Console> (enable)With the source-destination-ip flow mask, the protocol, source port, and destination port fields show the details of the last packet that was Layer 3 switched using the MLS cache entry.
This example shows how the show mls entry command output appears in source-destination-ip mode:
Console> (enable) show mls entryLast UsedDestination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port--------------- --------------- ---- ------ ------ ----------------- ---- -----MLS-RP 10.20.6.161:10.19.26.9 10.19.6.2 UDP 6002 69 00-00-00-00-00-09 26 4/710.19.28.11 10.19.8.4 UDP 6004 DNS 00-00-00-00-00-11 28 4/910.19.6.2 10.19.26.9 UDP 6009 69 00-10-0b-16-98-00 251 1/1-210.19.2.1 10.19.22.8 TCP 6008 Telnet 00-10-0b-16-98-00 251 1/1-210.19.27.10 10.19.7.3 TCP 6003 20 00-00-00-00-00-10 27 4/810.19.22.8 10.19.2.1 TCP 6001 Telnet 00-00-00-00-00-08 22 4/610.19.7.3 10.19.27.10 TCP 6010 FTP 00-10-0b-16-98-00 251 1/1-2MLS-RP 132.68.9.10:10.19.85.7 10.19.86.12 TCP 6012 WWW 00-00-00-00-00-07 85 4/510.19.86.12 10.19.85.7 TCP 6007 SMTP 00-00-00-00-00-12 86 4/10MLS-RP 10.20.6.82:10.19.63.13 10.19.73.14 TCP 6014 Telnet 00-00-00-00-00-13 63 4/1110.19.73.14 10.19.63.13 TCP 6013 FTP 00-00-00-00-00-14 73 4/12Console> (enable)With the ip-flow flow mask, details are shown for every flow because a separate MLS entry is created for every flow.
This example shows how the show mls entry command output appears in ip-flow mode:
Console> (enable) show mls entryDestination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port--------------- --------------- ---- ------ ------ ----------------- ---- -----MLS-RP 10.20.6.161:10.19.26.9 10.19.6.2 UDP 6002 69 00-00-00-00-00-09 26 4/710.19.6.2 10.19.26.9 UDP 6009 69 00-10-0b-16-98-00 251 1/1-210.19.22.8 10.19.2.1 TCP 6001 Telnet 00-00-00-00-00-08 22 4/610.19.2.1 10.19.22.8 TCP 6008 Telnet 00-10-0b-16-98-00 251 1/1-210.19.27.10 10.19.7.3 TCP 6003 20 00-00-00-00-00-10 27 4/810.19.28.11 10.19.8.4 UDP 6004 DNS 00-00-00-00-00-11 28 4/910.19.7.3 10.19.27.10 TCP 6010 FTP 00-10-0b-16-98-00 251 1/1-2MLS-RP 132.68.9.10:10.19.86.12 10.19.85.7 TCP 6007 SMTP 00-00-00-00-00-12 86 4/1010.19.85.7 10.19.86.12 TCP 6012 WWW 00-00-00-00-00-07 85 4/5MLS-RP 10.20.6.82:10.19.63.13 10.19.73.14 TCP 6014 Telnet 00-00-00-00-00-13 63 4/1110.19.73.14 10.19.63.13 TCP 6013 FTP 00-00-00-00-00-14 73 4/12Console> (enable)Layer 3-Switched Packet Rewrite
When a packet is Layer 3 switched from a source host to a destination host, the switch (MLS-SE) performs a packet rewrite based on information learned from the router (MLS-RP) and stored in the MLS cache.
If Host A and Host B are on different virtual LANs (VLANs) and Host A sends a packet to the MLS-RP to be routed to Host B, the MLS-SE recognizes that the packet was sent to the Media Access Control (MAC) address of the MLS-RP. The MLS-SE checks the MLS cache and finds the entry matching the flow in question.
When the MLS-SE receives the packet, it is formatted as follows:
Destination
Source
Destination
Source
TTL
Checksum
Data
Checksum
MLS-RP MAC
Host A MAC
Host B IP
Host A IP
n
calculation1
The MLS-SE rewrites the Layer 2 frame header, changing the destination MAC address to the MAC address of Host B and the source MAC address to the MAC address of the MLS-RP (these MAC addresses are stored in the MLS cache entry for this flow). The Layer 3 IP addresses remain the same, but the IP header Time to Live (TTL) is decremented and the checksum is recomputed. The MLS-SE rewrites the switched Layer 3 packets so that they appear to have been routed by a router.
The MLS-SE forwards the rewritten packet to Host B's VLAN (the destination VLAN is stored in the MLS cache entry) and Host B receives the packet.
After the MLS-SE performs the packet rewrite, the packet is formatted as follows:
Destination
Source
Destination
Source
TTL
Checksum
Data
Checksum
Host B MAC
MLS-RP MAC
Host B IP
Host A IP
n+1
calculation2
Note
IP MLS Operation
shows a simple IP MLS network topology. In this example, Host A is on the Sales VLAN (IP subnet 171.59.1.0), Host B is on the Marketing VLAN (IP subnet 171.59.3.0), and Host C is on the Engineering VLAN (IP subnet 171.59.2.0).
When Host A initiates an FTP file transfer to Host B, an MLS entry for this flow is created (this entry is the first item in the MLS cache shown in ). The MLS-SE stores the MAC addresses of the MLS-RP and Host B in the MLS entry when the MLS-RP forwards the first packet from Host A through the switch to Host B. The MLS-SE uses this information to rewrite subsequent packets from Station A to Station B.
Similarly, a separate MLS entry is created in the MLS cache for the HTTP traffic from Host A to Host C, and for the HTTP traffic from Host C to Host A. The destination VLAN is stored as part of each MLS entry so that the correct VLAN identifier is used when encapsulating traffic on trunk links.
Figure 5-1 IP MLS Example Topology
Standard and Extended Access Lists
Note
IP MLS allows you to enforce access lists on every packet of the flow without compromising IP MLS performance. When you enable IP MLS, the MLS-SE handles standard and extended access list permit traffic at wire speed.
Note
Route topology changes and the addition or modification of access lists are reflected in the IP MLS switching path automatically on the MLS-SE. The techniques for handling route and access list changes apply to the RSM and to directly attached external routers.
For example, when Station A wants to communicate with Station B, it sends the first packet to the MLS-RP. If an access list is configured on the MLS-RP to deny access from Station A to Station B, the MLS-RP receives the packet, checks the access list to see if the packet flow is permitted, and discards the packet based on the access list. Because the first packet for this flow does not return from the MLS-RP, an MLS cache entry is not established by the MLS-SE.
If a flow is already being Layer 3 switched by the MLS-SE and the access list is created on the MLS-RP, the MLS-SE learns of the change through MLSP and immediately enforces security for the affected flow by purging it from the MLS cache. New flows are created based on the restrictions imposed by the access list.
Similarly, when the MLS-RP detects a routing topology change, the appropriate MLS cache entries are deleted in the MLS-SE. New flows are created based on the new topology.
Packet Export Rate
Note
Export rates for MLS entries depend on the traffic pattern; there is no typical packet rate. The worst-case packet export rate occurs when all existing MLS entries are purged due to an event such as a route change. The MLS entries are exported at a burst rate of 1,213 datagrams of 27 flows each.
Software and Hardware Requirements
IP MLS requires these software and hardware versions:
•
•
•
•
•
•
•
•
•
•
•
•
Note
Default IP MLS Configuration
shows the default IP MLS configuration.
Table 5-1 Default IP MLS Configuration
IP MLS enable state
Enabled
Participating routers
None1
IP MLS aging-time
256 seconds
IP MLS fast aging-time
0 seconds (no fast aging)
IP MLS fast aging-time packet threshold
0 packets
Minimum IP MLS flow mask
Varies depending on router access list configuration
1 If an RSM is installed in the switch, the device is automatically included as a participating IP MLS router.
Configuration Guidelines and Restrictions
These sections describe configuration guidelines that apply when configuring IP MLS:
•
•
•
•
General Configuration Guidelines
Follow these general guidelines when configuring IP MLS:
•
•
External Routers
Follow these guidelines when using an external router:
•
•
•
•
•
•
Access Lists
Access lists affect IP MLS as follows:
•
Prior to IOS release 12.0(2), input access lists are not supported with IP MLS and router interfaces with input access lists cannot participate in IP MLS. No packets destined for that interface are Layer 3 switched, even if the flow is not filtered by the access list. Existing flows for that interface are purged, and no new flows are cached.
Note
•
Applying an output access list that uses the log, precedence, tos, or establish options prevents the interface from participating in IP MLS.
•
•
IP MLS Interaction with Other Features
Other Cisco IOS software features affect IP MLS as follows:
•
Note
•
•
In Cisco IOS releases prior to release 12.0(3), IP MLS is disabled on an interface when a policy route-map is configured on the interface.
•
Command accepted, interfaces with mls might cause inconsistent behavior.•
•
Maximum Transmission Unit Size
The maximum transmission unit (MTU) for an IP MLS interface must be the default Ethernet MTU, 1500 bytes.
To change the MTU on an IP MLS-enabled interface, you must first disable IP MLS on the interface (enter the no mls rp ip command on the interface). If you attempt to change the MTU with IP MLS enabled, the following message displays:
Need to turn off the mls router for this interface first.If you attempt to enable IP MLS on an interface that has an MTU value other than the default value, the following message displays:
mls only supports interfaces with default mtu sizeRestrictions on Using IP Router Commands with IP MLS Enabled
When you enable some IP processes on an interface, you will disable IP MLS on the interface. shows the affected commands.
Configuring IP MLS on the Router
These sections describe how to configure one or more routers for IP MLS. Depending upon your configuration, you might not have to perform all the steps in the procedure.
•
•
•
•
•
•
•
•
•
•
•
•
Note
For information on configuring IP MLS on the switch, see the "Configuring IP MLS on the Switch" section.
Enabling IP MLS on the Router
To use IP MLS, you must globally enable IP MLS on the router.
To enable IP MLS globally on the MLS-RP, perform this task in global configuration mode:
This example shows how to enable IP MLS globally on the router:
Router(config)#mls rp ipRouter(config)#Adding an IP MLS Interface to a VTP Domain
Note
Determine which router interfaces you will use as IP MLS interfaces and add those interfaces to the same VTP domain as the MLS-SE.
To view the VTP configuration on the switch, including the VTP domain name, enter the show vtp domain command on the switch.
CautionPerform this task before you enter any other IP MLS interface commands on the IP MLS interface (specifically, the mls rp ip interface command or mls rp management-interface interface command). Entering IP MLS interface commands on an interface prior to putting the interface into a VTP domain places the interface in the null domain. To put the IP MLS interface into a domain other than the null domain, you must clear the IP MLS interface configuration before you can add it to another VTP domain (for more information, see the "Removing an Interface from a VTP Domain (Including the Null Domain)" section).
On ISL or 802.1Q trunk links, enter the mls rp vtp-domain command on the primary interface (not on the individual subinterfaces). All subinterfaces on the primary interface inherit the VTP domain assigned to the primary interface.
To add an IP MLS interface to a VTP domain, perform this task in interface configuration mode:
This example shows how to add an IP MLS interface to a VTP domain:
Router(config-if)#mls rp vtp-domain engineeringRouter(config-if)#Assigning a VLAN ID to a Router Interface
Note
Note
In these configurations, the IP MLS interface must have a VLAN ID configured before you can enable it for IP MLS:
•
•
To assign a VLAN ID to an IP MLS interface, perform this task in interface configuration mode:
This example shows how to assign a VLAN ID to an IP MLS interface:
Router(config-if)#mls rp vlan-id 23Router(config-if)#Enabling IP MLS on a Router Interface
Note
To enable IP MLS on a specific router interface, perform this task in interface configuration mode:
This example shows how to enable IP MLS on a router interface:
Router(config-if)#mls rp ipRouter(config-if)#Specifying a Router Interface as a Management Interface
MLSP packets are sent and received through the management interface. You must specify at least one router interface as a management interface. If you do not specify a management interface, IP MLS will not function.
Every switch participating in IP MLS must have an active port in at least one VLAN that has a corresponding router interface configured as a management interface. If the VLAN to which the management interface belongs does not span the whole IP MLS network, you must configure multiple management interfaces such that each switch has an active port in a VLAN with a management interface.
To specify a router interface as a management interface, perform this task in interface configuration mode:
This example shows how to specify a router interface as a management interface:
Router(config-if)#mls rp management-interfaceRouter(config-if)#Removing a Router Interface as a Management Interface
To remove a router interface as a management interface, perform this task in interface configuration mode:
This example shows how to remove a router interface as a management interface:
Router(config-if)#no mls rp management-interfaceRouter(config-if)#Disabling IP MLS on a Router Interface
To disable IP MLS on a specific router interface, perform this task in interface configuration mode:
This example shows how to disable IP MLS on a router interface:
Router(config-if)#no mls rp ipRouter(config-if)#Clearing a VLAN ID from a Router Interface
Note
Removing the VLAN ID from an interface disables IP MLS for the interface.
To clear a VLAN ID from an IP MLS interface, perform this task in interface configuration mode:
This example shows how to clear a VLAN ID from an IP MLS interface:
Router(config-if)#no mls rp vlan-id 23Router(config-if)#Removing an Interface from a VTP Domain (Including the Null Domain)
To remove an interface from a VTP domain (including the null domain) and add it to another domain, perform this task in interface configuration mode:
This example shows how to remove an interface from one VTP domain (including the null domain) and add it to another VTP domain:
Router(config-if)#no mls rp ipRouter(config-if)#no mls rp management-interfaceRouter(config-if)#no mls rp vtp-domain engineeringRouter(config-if)#mls rp vtp-domain wbuRouter(config-if)#Disabling IP MLS on the Router
To disable IP MLS on the router, perform this task in global configuration mode:
This example shows how to disable IP MLS on the router:
Router(config)#no mls rp ipRouter(config)#Monitoring IP MLS on the Router
The show mls rp command displays IP MLS details, including specific information about MLSP. The output of the show mls rp command includes:
•
•
•
•
•
To display detailed IP MLS information on the router, perform one of these tasks in privileged mode:
•
show mls rp [interface]
•
show mls rp vtp-domain [domain_name]
This example shows how to display details about IP MLS on the router:
Router# show mls rpmultilayer switching is globally enabledmls id is 00e0.fefc.6000mls ip address 10.20.26.64mls flow mask is ip-flowvlan domain name: WBUcurrent flow mask: ip-flowcurrent sequence number: 80709115current/maximum retry count: 0/10current domain state: no-changecurrent/next global purge: false/falsecurrent/next purge count: 0/0domain uptime: 13:03:19keepalive timer expires in 9 secondsretry timer not runningchange timer not runningfcp subblock count = 71 management interface(s) currently defined:vlan 1 on Vlan17 mac-vlan(s) configured for multi-layer switching:mac 00e0.fefc.6000vlan id(s)1 10 91 92 93 95 100router currently aware of following 1 switch(es):switch id 0010.1192.b5ffRouter#This example shows how to display IP MLS information about a specific interface (in this case, interface vlan 10):
Router# show mls rp interface vlan 10mls active on Vlan10, domain WBURouter#This example shows how to show detailed information about IP MLS interfaces in a specific VTP domain:
Router# show mls rp vtp-domain WBUvlan domain name: WBUcurrent flow mask: ip-flowcurrent sequence number: 80709115current/maximum retry count: 0/10current domain state: no-changecurrent/next global purge: false/falsecurrent/next purge count: 0/0domain uptime: 13:07:36keepalive timer expires in 8 secondsretry timer not runningchange timer not runningfcp subblock count = 71 management interface(s) currently defined:vlan 1 on Vlan17 mac-vlan(s) configured for multi-layer switching:mac 00e0.fefc.6000vlan id(s)1 10 91 92 93 95 100router currently aware of following 1 switch(es):switch id 0010.1192.b5ffRouter#Using Debug Commands on the IP MLS Router
describes IP MLS-related debug commands that you can use to troubleshoot IP MLS problems on the router.
Table 5-3
IP MLS Debug Commands
Configuring IP MLS on the Switch
IP MLS is enabled by default on Catalyst 5000 family and 2926G series switches. If the MLS-RP is an RSM installed in the Catalyst 5000 family switch chassis, you do not need to configure the switch. You only need to configure the switch in these circumstances:
•
•
•
These sections describe how to configure IP MLS on the switch:
•
•
•
•
•
•
•
•
•
•
•
Note
For information on configuring IP MLS on the router, see the "Configuring IP MLS on the Router" section.
Enabling IP MLS on the Switch
When you enable IP MLS on the switch, the switch (MLS-SE) starts to process MLSP messages from the MLS-RPs and starts Layer 3 switching. IP MLS is enabled by default on the MLS-SE.
To enable IP MLS on the switch, perform this task in privileged mode:
Step 1
set mls enable
Step 2
show mls [noalias]
This example shows how to enable IP MLS on the switch and verify the configuration:
Console> (enable) set mls enableMultilayer switching is enabledConsole> (enable)Specifying Routers to Participate in IP MLS
If the MLS-RP is an external router, you must specify the IP address of an interface on the MLS-RP to participate in IP MLS. The MLS-SE does not process MLSP messages from external routers that have not been included as MLS-RPs.
If an RSM is installed in the switch, it participates in IP MLS automatically and is included in the inclusion list (provided the device is running the correct Cisco IOS software version). If you physically remove the RSM or if you disable IP MLS on the RSM, the device is removed from the inclusion list.
On the Catalyst 2926G series switches, you must specify at least one external router to participate in IP MLS.
Note
To specify a router to participate in IP MLS, perform this task in privileged mode:
Step 1
set mls include [ip_addr]
Step 2
show mls include
Note
This example shows how to identify the MLS-RP IP address on the router, how to specify the MLS-RP to participate in IP MLS, and how to verify the configuration:
Console> (enable) set mls include 170.170.2.1Multilayer switching is enabled for router 170.170.2.1Console> (enable) show mls includeIncluded MLS-RP---------------------------------------170.67.2.13170.67.2.12Console> (enable)Specifying IP MLS Aging-Time Value
The IP MLS aging time applies to all MLS cache entries. Any MLS entry that has not been used for agingtime seconds is aged out. The default is 256 seconds.
You can configure the aging time in the range of 8 to 2032 seconds in 8-second increments. Any aging-time value that is not a multiple of 8 seconds is adjusted to the closest one. For example, a value of 65 is adjusted to 64 and a value of 127 is adjusted to 128.
Other events might cause MLS entries to be purged, such as routing changes or a change in link state (MLS-SE link down).
Note
To specify the IP MLS aging time, perform this task in privileged mode:
This example shows how to set the IP MLS aging time:
Console> (enable) set mls agingtime 512Multilayer switching aging time set to 512Console> (enable)Specifying IP MLS Fast Aging Time and Packet Threshold Values
To help keep the MLS cache size below 32K, enable IP MLS fast aging time. The IP MLS fast aging time applies to MLS entries that have no more than pkt_threshold packets switched within fastagingtime seconds after it is created. A typical cache entry that is removed is the entry for flows to and from a Domain Name Server (DNS) or TFTP server; the entry might never be used again after it is created. Detecting and aging out these entries saves space in the MLS cache for other data traffic.
The default fastagingtime value is 0 (no fast aging). You can configure the fastagingtime value to 32, 64, 96, or 128 seconds. Any fastagingtime value that is not configured exactly as the indicated values is adjusted to the closest one. You can configure the pkt_threshold value to 0, 1, 3, 7, 15, 31, or 63 packets.
If you need to enable IP MLS fast aging time, initially set the value to 128 seconds. If the size of the MLS cache continues to grow over 32K, decrease the setting until the cache size stays below 32K. If the cache continues to grow over 32K, decrease the normal IP MLS aging time.
Typical values for fastagingtime and pkt_threshold are 32 seconds and 0 packets (no packets switched within 32 seconds after the entry is created).
To specify the IP MLS fast aging time and packet threshold, perform this task in privileged mode:
Specify the IP MLS fast aging time and packet threshold for an MLS cache entry.
set mls agingtime fast [fastagingtime] [pkt_threshold]
This example shows how to set the IP MLS fast aging time to 32 seconds with a packet threshold of 0 packets:
Console> (enable) set mls agingtime fast 32 0Multilayer switching fast aging time set to 32 seconds for entries with no more than 0 packets switched.Console> (enable)Setting the Minimum IP MLS Flow Mask
You can set the minimum granularity of the flow mask for the MLS cache on the MLS-SE. The actual flow mask used will be at least of the granularity specified by this command. For information on how the different flow masks work, see the "Flow Masks" section.
For example, if you do not configure access lists on any MLS-RP, then the IP MLS flow mask on the MLS-SE is destination-ip by default. However, you can force the MLS-SE to use the source-destination-ip flow mask by setting the minimum IP MLS flow mask using the set mls flow destination-source command. If an extended access list is configured on MLS-RP, then the flow mask is changed to ip-flow, which is a more granular flow mask than the configured source-destination-ip flow mask.
CautionBe careful when using this command. This command purges all existing shortcuts in the MLS cache and affects the number of active shortcuts on the MLS-SE.
To specify the minimum IP MLS flow mask, perform this task in privileged mode:
Specify the minimum IP MLS flow mask.
set mls flow {destination | destination-source | full}
This example shows how to set the minimum IP MLS flow mask to destination-source-ip:
Console> (enable) set mls flow destination-sourceConfigured flow mask is set to destination-source flow.Console> (enable)Removing Routers from Participation in IP MLS
To remove a router from the list of routers participating in IP MLS, perform this task in privileged mode:
Note
This example shows how to remove a router from the IP MLS inclusion list on the switch:
Console> (enable) clear mls include stargateMultilayer switching is disabled for router 170.20.15.1 (Stargate)Console> (enable)Disabling IP MLS on the Switch
When you disable IP MLS on the switch, the MLS-SE does not process any MLSP messages from any MLS-RPs, and all existing MLS cache entries are purged.
Note
To disable IP MLS on the switch, perform this task in privileged mode:
Step 1
set mls disable
Step 2
show mls
This example shows how to disable IP MLS on the switch:
Console> (enable) set mls disableMultilayer switching is disabledConsole> (enable)Displaying CAM Entries on the Switch
The show cam command displays the content-addressable memory (CAM) entries associated with a specific MAC address. If the MAC address belongs to an MLS-RP, an "R" is appended to the MAC address.
If you specify a VLAN number, only those CAM entries corresponding to that VLAN number are displayed. If a VLAN is not specified, entries for all VLANs are displayed.
The show cam mlsrp command displays entries in the forwarding table for the specified MLS-RP.
To display CAM entries on the switch, perform one of these tasks:
•
show cam [mac_addr] [vlan]
•
show cam mlsrp [ip_addr] [vlan]
This example shows how to display the CAM entries on the switch:
Console> (enable) show cam 00-10-29-8a-4c-00* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.VLAN Dest MAC/Route Des Destination Ports or VCs / [Protocol Type]---- ------------------ ----------------------------------------------------10 00-10-29-8a-4c-00R 9/1 IP51 00-10-29-8a-4c-00R 9/1 IP52 00-10-29-8a-4c-00R 9/1 IP53 00-10-29-8a-4c-00# 9/1 IP54 00-10-29-8a-4c-00# 9/1 IPTotal Matching CAM Entries Displayed = 5Console> (enable)This example shows how to display CAM entries for the specified MLS-RP:
Console> (enable) show cam mlsrp 10.1.1.3VLAN Destination MAC Destination Ports or VCs Xtag Status---- ------------------ -------------------------------------52 00-10-29-8a-4c-00R 9/1 5 H51 00-10-29-8a-4c-00R 9/1 5 H10 00-10-29-8a-4c-00R 9/1 5 HTotal Matching CAM Entries Displayed = 3Console> (enable)Displaying IP MLS Information
The show mls command displays IP MLS information and MLS-RP-specific information. The show mls rp command displays MLS-RP-specific information for the specified MLS-RP.
To display IP MLS information on the switch, perform one of these tasks:
This example shows how to display IP MLS information on the switch:
Console> (enable) show mlsMultilayer switching enabledMultilayer switching aging time = 256 secondsMultilayer switching fast aging time = 0 seconds, packet threshold = 1Destination-ip flowTotal packets switched = 101892Active entries = 2153Netflow data export enabledNetflow data export configured for port 8010 on host 10.0.2.15Total packets exported = 20MLS-RP IP MLS-RP ID Xtag MLS-RP MAC-Vlans----------- ------------ ---- ----------------------172.20.25.2 0000808cece0 2 00-00-80-8c-ec-e0 1-2000-00-80-8c-ec-e1 21-3000-00-80-8c-ec-e2 31-4000-00-80-8c-ec-e3 41-5000-00-80-8c-ec-e4 51-60172.20.27.1 0000808c1214 3 00-00-80-8c-12-14 1-20,31-4000-00-80-8c-12-15 21-3000-00-80-8c-12-16 41-50Console> (enable)This example shows how to display IP MLS information for a specific MLS-RP:
Console> (enable) show mls rp 172.20.25.2MLS-RP IP MLS-RP ID Xtag MLS-RP MAC-Vlans----------- ------------ ---- ----------------------172.20.25.2 0000808cece0 2 00-00-80-8c-ec-e0 1-2000-00-80-8c-ec-e1 21-3000-00-80-8c-ec-e2 31-4000-00-80-8c-ec-e3 41-5000-00-80-8c-ec-e4 51-60Console> (enable)Displaying IP MLS Cache Entries
Note
These sections describe how to display MLS cache entries on the switch:
•
•
•
•
Displaying All MLS Entries
To display all MLS entries on the switch, perform this task in privileged mode:
This example shows how to display all MLS entries on the switch:
Console> (enable) show mls entryLast Used Last UsedDestination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port--------------- --------------- ---- ------ ------ ----------------- ---- -----MLS-RP 10.20.6.161:10.19.6.2 10.19.26.9 UDP 6009 69 00-10-0b-16-98-00 250 1/1-210.19.26.9 10.19.6.2 UDP 6002 69 00-00-00-00-00-09 26 4/7MLS-RP 132.68.9.10:10.19.86.12 10.19.85.7 TCP 6007 SMTP 00-00-00-00-00-12 86 4/1010.19.85.7 10.19.86.12 TCP 6012 WWW 00-00-00-00-00-07 85 4/5MLS-RP 10.20.6.82:10.19.63.13 10.19.73.14 TCP 6014 Telnet 00-00-00-00-00-13 63 4/1110.19.73.14 10.19.63.13 TCP 6013 FTP 00-00-00-00-00-14 73 4/12Console> (enable)Displaying MLS Entries for a Specific Destination Address
To display MLS entries for a specific destination IP address, perform this task in privileged mode:
Show MLS entries for the specified destination IP address.
show mls entry destination [ip_addr]
This example shows how to display MLS entries for a specific destination IP address:
Console> (enable) show mls entry destination 172.20.22.14/24Destination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port-------------- ------------ ---- ------- ------ ---------------------- ---- ----MLS-RP 172.20.25.1:172.20.22.14 172.20.25.10 TCP 6001 Telnet 00-60-70-6c-fc-22 4 2/1MLS-RP 172.20.27.1:172.20.22.16 172.20.27.139 TCP 6008 Telnet 00-60-70-6c-fc-24 4 2/3....Console> (enable)Displaying Entries for a Specific Source Address
To display MLS entries for a specific source IP address, perform this task in privileged mode:
This example shows how to display MLS entries for a specific source IP address:
Console> (enable) show mls entry source 10.0.2.15Destination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port--------------- --------------- ---- ------ ------ ----------------- ---- ----MLS-RP 51.0.0.3:51.0.0.2 10.0.2.15 TCP Telnet 37819 00-e0-4f-15-49-ff 51 1/951.0.0.2 10.0.2.15 ICMP 00-e0-4f-15-49-ff 51 1/9Console> (enable)Displaying Entries for a Specific IP Flow
The show mls entry flow command displays MLS entries for a specific IP flow. The protocol argument can be tcp, udp, icmp, or a decimal number for other protocol families. The src_port and dst_port arguments specify the protocol ports if the protocol is TCP or User Datagram Protocol (UDP). A value of zero (0) for src_port and dst_port or protocol is treated as a wildcard and all entries are displayed (unspecified options are treated as wildcards). If the protocol selected is not TCP or UDP, set the src_port and dst_prt to 0 or no flows will be displayed.
To display MLS entries for a specific IP flow (when the switch flow mask mode is ip-flow), perform this task in privileged mode:
Show entries for a specific IP flow (when the switch flow mask mode is ip-flow).
show mls entry flow [protocol src_port dst_port]
This example shows how to display MLS entries for a specific IP flow:
Console> (enable) show mls entry flow tcp 23 37819Destination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port--------------- --------------- ---- ------ ------ ----------------- ---- -----MLS-RP 51.0.0.3:10.0.2.15 51.0.0.2 TCP 37819 Telnet 08-00-20-7a-07-75 10 3/1Console> (enable)Displaying Entries for a Specific MLS-RP
To display MLS entries for a specific MLS-RP, perform this task in privileged mode:
This example shows how to display MLS entries for a specific MLS-RP:
Console> (enable) show mls entry rp 172.20.27.1Destination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port--------------- --------------- ---- ------ ------ ----------------- ---- -----MLS-RP 172.20.27.1:172.20.22.16 172.20.27.139 TCP DNS DNS 00-60-70-6c-fc-24 4 2/3172.20.21.17 172.20.27.138 TCP 7001 7003 00-60-70-6c-fc-25 3 2/4Console> (enable)Clearing MLS Cache Entries
The clear mls entry command removes specific MLS cache entries on the switch. The all keyword clears all MLS entries. The destination and source keywords specify the source and destination IP addresses. The destination and source ip_addr_spec can be a full IP address or a subnet address in the format ip_subnet_addr, ip_addr/subnet_mask, or ip_addr/subnet_mask_bits.
The flow keyword specifies the following additional flow information:
•
•
To clear an MLS entry, perform this task in privileged mode:
Clear an MLS entry on the switch.
clear mls entry destination [ip_addr_spec] source [ip_addr_spec] flow [protocol src_port dst_port] [all]
This example shows how to clear MLS entries with destination IP address 172.20.26.22:
Console> (enable) clear mls entry destination 172.20.26.22Console> (enable)This example shows how to clear MLS entries with destination IP address 172.20.22.113, TCP source port 1652, and TCP destination port 23:
Console> (enable) clear mls entry destination 172.20.26.22 source 172.20.22.113 flow tcp 1652 23Console> (enable)Displaying IP MLS Statistics
These sections describe how to display a variety of IP MLS statistics:
•
•
•
Displaying IP MLS Statistics by Protocol
The show mls statistics protocol command displays IP MLS statistics by protocol (such as Telnet, FTP, and WWW). The protocol keyword functions only if the flow mask mode is ip-flow. Use the show mls command to see the current flow mask.
To display IP MLS statistics by protocol, perform this task in privileged mode:
Show IP MLS statistics by protocol (only if IP MLS is in ip-flow mode).
show mls statistics protocol
This example shows how to display IP MLS statistics by protocol:
Console> (enable) show mls statistics protocolProtocol TotalFlows TotalPackets Total Bytes------- ---------- -------------- ------------Telnet 900 630 4298FTP 688 2190 3105WWW 389 42679 623686SMTP 802 4966 92873X 142 2487 36870DNS 1580 52 1046Others 82 1 73Total 6583 53005 801951Console> (enable)Displaying Statistics for MLS-RPs
The show mls statistics rp command displays IP MLS statistics for MLS-RPs. If you do not specify a particular MLS-RP, statistics for all MLS-RPs are displayed.
To display IP MLS statistics for MLS-RPs, perform this task in privileged mode:
Show IP MLS statistics for MLS-RPs. If a particular MLS-RP is not specified, statistics for all MLS-RPs are shown.
show mls statistics rp [ip_addr] [noalias]
This example shows how to display IP MLS statistics for all MLS-RPs:
Console> (enable) show mls statistics rpTotal packets switched = 212540292Active shortcuts = 2000Total packets exported= 1889Total switchedMLS-RP IP MLS-RP ID packets bytes--------------- ------------ ---------- ------------10.20.26.64 00e0fefc6000 7877192 803473584Console> (enable)Displaying Statistics for MLS Cache Entries
The show mls statistics entry command displays IP MLS statistics for MLS cache entries. Specify the destination IP address, source IP address, protocol, and source and destination ports to see specific MLS cache entries.
A value of zero (0) for src_port or dst_port is treated as a wildcard, and all statistics are displayed (unspecified options are treated as wildcards). If the protocol specified is not TCP or UDP, set the src_port and dst_prt to 0 or no statistics will be displayed.
To display statistics for MLS cache entries, perform this task in privileged mode:
This example shows how to display statistics for a particular MLS cache entry:
Console> (enable) show mls statistics entry destination 92.1.0.219Destination IP Source IP Port DstPrt SrcPrt Stat-Pkts Stat-Bytes--------------- --------------- ---- ------ ------ ---------- ----------MLS-RP 10.20.26.64:92.1.0.219 10.1.0.219 ICMP - - 511 52122Console> (enable)Clearing IP MLS Statistics
The clear mls statistics command clears the following statistics on the switch:
•
•
To clear IP MLS statistics on the switch, perform this task in privileged mode:
This example shows how to clear IP MLS statistics on the switch:
Console> (enable) clear mls statisticsConsole> (enable)Displaying IP MLS Debug Information
The show mls debug command displays IP MLS debug information that you can send to your technical support representative for analysis if necessary.
To display IP MLS debug information on the switch, perform this task:
Display IP MLS debug information that you can send to your technical support representative.
show mls debug
IP MLS Supported Network Topologies
IP MLS requires specific network topologies to function correctly. These sections describe the supported topologies:
•
•
•
•
•
•
Note
Packets Traversing a Single Router between Two Hosts
In , the path from Host A to Host B is through a single router. After the MLS cache entry is created for this flow, packets from Host A to Host B are multilayer switched directly by the switch, bypassing the router.
Figure 5-2 Packets Traversing a Single Router Between Two Hosts
Destination Host Connected to a Switch Through a Router
In , the path from Host A to Host B is through two routers. Router R-2 is located between the switch and the destination host (Host B). After the MLS cache entry is created for this flow, packets from Host A to Host B are multilayer switched directly by the switch. However, Router R-2 still routes the packets.
Figure 5-3 Destination Host Connected to a Switch Through a Router
Source Host Connected to a Switch Through a Router
In , the path from Host A to Host B is through two routers. Router R-2 is located between the source host (Host A) and the switch. After the MLS cache entry is created for this flow, packets from Host A to Host B are routed by Router R-2 and then multilayer switched directly by the switch to the destination host.
Figure 5-4 Source Host Connected to a Switch Through a Router
Source and Destination Hosts Connected to a Switch Through Different Routers
In , the path from Host A to Host B is through three routers. Router R-2 is located between the source host (Host A) and the switch. Router R-3 is located between the switch and the destination host (Host B). After the MLS cache entry is created for this flow, packets from Host A to Host B are routed by Router R-2, multilayer switched directly by the switch to Router R-3, and then routed by Router R-3 to the destination host.
Figure 5-5 Source and Destination Hosts Connected to a Switch Through Different Routers
Source Host Connected to a Switch Through an FDDI Ring
In , the path from Host A to Host B is through an FDDI ring and one router. After the MLS cache entry is created for this flow, packets from Host A to Host B are received on an FDDI VLAN by the switch, translated to an Ethernet VLAN, and then multilayer switched directly by the switch to the destination host.
Figure 5-6 Source Host Connected to Switch Through FDDI Ring
Source Host Connected to a Switch Through an ATM Cloud
In , the path from Host A to Host B is through an ATM cloud and one router. After the MLS cache entry is created for this flow, packets from Host A to Host B are received as cells on the ATM LAN Emulation (LANE) module, translated to Ethernet frames, and then multilayer switched directly by the switch to the destination host.
Figure 5-7 Source Host Connected to Switch Through ATM Cloud
IP MLS Unsupported Network Topologies
IP MLS does not support some network topologies. In , the routed path from Host A to Host B traverses Switch S-1, Routers R-1 and R-2, and Switch S-2. Layer 3 switching is not possible because the candidate packet creates an entry in the MLS cache on Switch S-1, but the enabler packet is forwarded to Router R-2 rather than to Switch S-1. The entry created in the MLS cache for the candidate packet times out because no enabler packet returns to the switch. In this topology, Routers R-1 and R-2 forward all packets between Hosts A and Host B.
Figure 5-8 Unsupported Topologies—Incomplete MLS Cache Entry
In , Layer 3 switching is not possible because MLSP is not supported over FDDI and Token Ring media.
In addition, MLSP is supported over ATM media only with Cisco IOS software release 12.0(3)W5(8) or later on the MLS-RP.
Figure 5-9 Unsupported Topologies—MLSP Over FDDI or Token Ring
IP MLS Examples
These sections contain example IP MLS implementations:
•
Basic IP MLS Implementation
This section provides a step-by-step description of IP MLS implementation.
Step 1
Figure 5-10 IP MLS Implementation: Step 1
Step 2
The MLS-RP receives the packet, looks at its route table to determine how to forward the packet, and applies services such as access control lists and class of service (COS) policy.
The MLS-RP rewrites the MAC header adding a new destination MAC address (Host B's) and its own MAC address as the source.
Figure 5-11 IP MLS Implementation: Step 2
Step 3
Figure 5-12 IP MLS Implementation: Step 3
Step 4
Note
After the Layer 3-switched path is established, the MLS-SE rewrites the packet from the source host before it is forwarded to the destination host. The rewritten information includes the MAC addresses, encapsulations (when applicable), and some Layer 3 information.
The resultant packet format and protocol behavior is identical to that of a packet routed by the RSM or external Cisco router.
Note
Figure 5-13 IP MLS Implementation: Step 4
IP MLS With Cisco 7505 Over IEEE 802.1Q
This example consists of these sections:
Example Network Topology
shows an IP MLS example network topology using three Catalyst 5000 family switches and a Cisco 7505 router, all interconnected using IEEE 802.1Q trunk links. The network is configured as follows:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Figure 5-14 IP MLS With Cisco 7505 Over IEEE 802.1Q Example Network
Operation before IP MLS
Before IP MLS is implemented, when the source host S1 (on VLAN 10) transmits traffic destined for destination server D1 (on VLAN 30), Switch B forwards the traffic (based on the Layer 2 forwarding table) to Switch A over the 802.1Q trunk link. Switch A forwards the packet to the router over the 802.1Q trunk.
The router receives the packet on the VLAN 10 subinterface, checks the destination IP address, and routes the packet to the VLAN 30 subinterface. Switch A receives the routed packet and forwards it to Switch C. Switch C receives the packet and forwards it to destination server D1. This process is repeated for each packet in the flow between source host S1 and destination server D1.
When source host S2 sends traffic to destination server D2, Switch C forwards the packets over the 802.1Q trunk to Switch A. Switch A forwards the packet to the MLS-RP, which receives it on the VLAN 30 subinterface. Because the standard access list configured on the outgoing VLAN 20 subinterface denies all traffic from VLAN 30, the router drops the traffic to Destination D2 from Source S2. Any subsequent traffic from Source S2 for Destination D2 also reaches the router and is dropped.
Operation after IP MLS
After IP MLS is implemented, when the source host S1 (on VLAN 10) transmits traffic destined for destination server D1 (on VLAN 30), Switch B forwards the traffic (based on the Layer 2 forwarding table) to Switch A (the MLS-SE) over the 802.1Q trunk link. When the first packet enters Switch A, a candidate flow entry is established in the MLS cache. Switch A forwards the packet to the MLS-RP over the 802.1Q trunk.
The MLS-RP receives the packet on the VLAN 10 subinterface, checks the destination IP address, and routes the packet to the VLAN 30 subinterface. Switch A receives the routed packet (the enabler packet) and completes the flow entry in the MLS cache for destination IP address 10.1.30.100. Switch A forwards the packet to Switch C, where it is forwarded to destination server D1.
Subsequent packets destined for IP address 10.1.30.100 are multilayer switched by the MLS-SE based on the flow entry in the MLS cache. For example, subsequent packets in the flow from source host S1 are forwarded by Switch B to Switch A (the MLS-SE). The MLS-SE determines that the packets are part of the established flow, rewrites the packet headers, and switches the packets directly to Switch C, bypassing the router.
When source host S2 sends traffic to destination server D2, Switch C forwards the packets over the 802.1Q trunk to Switch A. Switch A forwards the candidate packet to the MLS-RP, which receives it on the VLAN 30 subinterface. Because the standard access list configured on the outgoing VLAN 20 subinterface denies all, traffic from VLAN 30, the router drops the traffic to Destination D2 from Source S2.
Switch A never receives the enabler packet for the flow on VLAN 20 and no MLS cache entry is completed for the flow. Any subsequent traffic from Source S2 for Destination D2 also reaches the router and is dropped.
Note
Router Configuration
This example shows how to configure the router (MLS-RP):
Cisco7505#configure terminalEnter configuration commands, one per line. End with CNTL/Z.Cisco7505(config)#mls rp ipCisco7505(config)#access-list 1 deny 10.1.30.0 0.0.0.255Cisco7505(config)1#access-list 1 permit anyCisco7505(config)#interface fastethernet 2/0Cisco7505(config-if)#full-duplexCisco7505(config-if)#mls rp vtp-domain CorporateCisco7505(config-if)#interface fastethernet2/0.1Cisco7505(config-subif)#encapsulation dot1q 1Cisco7505(config-subif)#ip address 10.1.1.1 255.255.255.0Cisco7505(config-subif)#mls rp ipCisco7505(config-subif)#mls rp management-interfaceCisco7505(config-subif)#interface fastethernet2/0.10Cisco7505(config-subif)#encapsulation dot1q 10Cisco7505(config-subif)#ip address 10.1.10.1 255.255.255.0Cisco7505(config-subif)#mls rp ipCisco7505(config-subif)#interface fastethernet2/0.20Cisco7505(config-subif)#encapsulation dot1q 20Cisco7505(config-subif)#ip address 10.1.20.1 255.255.255.0Cisco7505(config-subif)#ip access-group 1 outCisco7505(config-subif)#mls rp ipCisco7505(config-subif)#interface fastethernet2/0.30Cisco7505(config-subif)#encapsulation dot1q 30Cisco7505(config-subif)#ip address 10.1.30.1 255.255.255.0Cisco7505(config-subif)#mls rp ipCisco7505(config-subif)#^ZCisco7505#Switch A Configuration
Note
This example shows how to configure Switch A (MLS-SE):
SwitchA> (enable) set vtp domain Corporate mode serverVTP domain Corporate modifiedSwitchA> (enable) set vlan 5Vlan 5 configuration successfulSwitchA> (enable) set vlan 10Vlan 10 configuration successfulSwitchA> (enable) set vlan 20Vlan 20 configuration successfulSwitchA> (enable) set vlan 30Vlan 30 configuration successfulSwitchA> (enable) set port name 1/1 Router LinkPort 1/1 name set.SwitchA> (enable) set trunk 1/1 on dot1qPort(s) 1/1 trunk mode set to on.Port(s) 1/1 trunk type set to dot1q.SwitchA> (enable) set port name 1/2 SwitchB LinkPort 1/2 name set.SwitchA> (enable) set trunk 1/2 desirable dot1qPort(s) 1/2 trunk mode set to desirable.Port(s) 1/2 trunk type set to dot1q.SwitchA> (enable) set port name 1/3 SwitchC LinkPort 1/3 name set.SwitchA> (enable) set trunk 1/3 desirable dot1qPort(s) 1/3 trunk mode set to desirable.Port(s) 1/3 trunk type set to dot1q.SwitchA> (enable) set vlan 5 1/1-3VLAN 5 modified.VLAN 1 modified.VLAN Mod/Ports---- -----------------------5 1/1-3SwitchA> (enable) set mls enableIP Multilayer switching is enabled.SwitchA> (enable) set mls include 10.1.1.1IP Multilayer switching enabled for router 10.1.1.1.SwitchA> (enable) set port name 3/1 Destination D2Port 3/1 name set.SwitchA> (enable) set vlan 20 3/1VLAN 20 modified.VLAN 1 modified.VLAN Mod/Ports---- -----------------------20 3/1SwitchA> (enable)Switch B Configuration
This example shows how to configure Switch B:
SwitchB> (enable) set port name 1/1 SwitchA LinkPort 1/1 name set.SwitchB> (enable) set vlan 5 1/1VLAN 5 modified.VLAN 1 modified.VLAN Mod/Ports---- -----------------------5 1/1SwitchB> (enable) set port name 3/1 Source S1Port 3/1 name set.SwitchB> (enable) set vlan 10 3/1VLAN 10 modified.VLAN 1 modified.VLAN Mod/Ports---- -----------------------10 3/1SwitchB> (enable)Switch C Configuration
This example shows how to configure Switch C:
SwitchC> (enable) set port name 1/1 SwitchA LinkPort 1/1 name set.SwitchC> (enable) set vlan 5 1/1VLAN 5 modified.VLAN 1 modified.VLAN Mod/Ports---- -----------------------5 1/1SwitchC> (enable) set port name 3/1 Destination D1Port 3/1 name set.SwitchC> (enable) set vlan 30 3/1VLAN 30 modified.VLAN 1 modified.VLAN Mod/Ports---- -----------------------30 3/1SwitchC> (enable) set port name 4/1 Source S2Port 4/1 name set.SwitchC> (enable) set vlan 30 4/1VLAN 30 modified.VLAN 1 modified.VLAN Mod/Ports---- -----------------------30 3/14/1SwitchC> (enable)
