Configuring Multilayer Switching

This chapter describes how to configure your network to perform Multilayer Switching (MLS). Carefully read and follow the procedures in these sections:

• Software and Hardware Requirements

• Configuration Notes, Guidelines, and Restrictions

• Configuration Examples

• Router Configuration

• Catalyst 5000 Series Switch Configuration

• NetFlow Data Export Configuration

• Router show Commands

• Catalyst Switch clear Commands

• Catalyst Switch show Commands

• Router Debug Commands

Software and Hardware Requirements

MLS requires these software and hardware versions:

• Catalyst 5000 series supervisor engine software

  • Release 4.1(1) or later

• Cisco IOS router software

  • 11.3(2)WA4(4) or later

• Supervisor Engine III with NetFlow Feature Card (NFFC)

• Route Switch Module (RSM) or Cisco 7500, 7200, 4500, or 4700 series router

Configuration Notes, Guidelines, and Restrictions

Read the configuration information in the following sections before starting the configuration procedures.

Terminology

The following terminology is used in the configuration procedures:

External Routers

When using an external router, follow these guidelines:

• We recommend one directly attached external router per Catalyst 5000 series switch to ensure that the MLS-SE caches the appropriate flow information from both sides of the routed flow.

• You can use Cisco high-end routers (Cisco 7500, 7200, 4500, and 4700 series) for MLS when they are externally attached to the Catalyst 5000 series switch. You can make the attachment with multiple Ethernets (one per subnet) or by using Fast Ethernet with the Inter-Switch Link (ISL).

• You can connect end hosts through any media (Ethernet, Fast Ethernet, ATM, and Fiber Distributed Data Interface [FDDI]) but the connection between the external router and the Catalyst 5000 series switch must be through standard 10/100 Ethernet interfaces or ISL links.

Access Lists

This section describes how access lists affect MLS.

Input Access Lists

Router interfaces with input access lists cannot participate in MLS. If you configure an input access list on an interface, all packets for a flow that are destined for that interface go through the router (even if the flow is allowed by the router it is not Layer 3 switched). Existing flows for that interface get purged and no new flows are cached.

Output Access Lists

If an output access list is applied to an interface, the MLS cache entries for that interface are purged. Entries associated with other interfaces are not affected; they follow their normal aging or purging procedures.

Applying an output access list to an interface, when the access list is configured using the log, precedence, tos, or establish options, prevents the interface from participating in MLS.

Access List Impact on Flow Masks

Access lists impact the flow mask advertised by an MLS-RP. When there is no access list on any MLS-RP interface, the flow mask mode is destination-ip (the least specific). When there is a standard access list on any of the MLS-RP interfaces, the mode is source-destination-ip. When there is an extended access list on any of the MLS-RP interfaces, the mode is ip-flow (the most specific).

Reflexive Access Lists

Router interfaces with reflexive access lists cannot participate in Layer 3 switching.

Features

This section describes how certain features affect MLS.

IP Accounting

Enabling IP accounting on an MLS-enabled interface disables the IP accounting functions on that interface.

Data Encryption

MLS is disabled on an interface when the data encryption feature is configured on the interface.

Policy Route-Map

MLS is disabled on an interface when a policy route-map is configured on the interface.

TCP Intercept

With MLS interfaces enabled, the TCP intercept feature (enabled in global configuration mode) might not work properly. When you enable the TCP intercept feature, the following message displays:

Command accepted, interfaces with mls might cause inconsistent behavior.

Network Address Translation

MLS is disabled on an interface when Network Address Translation (NAT) is configured on the interface.

Committed Access Rate

MLS is disabled on an interface when Committed Access Rate (CAR) is configured on the interface.

Maximum Transmission Unit

The maximum transmission unit (MTU) for an MLS interface must be the default Ethernet MTU, 1500 bytes.

To change the MTU on an MLS-enabled interface, you must first disable MLS on the interface (enter no mls rp ip on the interface). If you attempt to change the MTU with MLS enabled, the following message displays:

Need to turn off the mls router for this interface first.

If you attempt to enable MLS on an interface that has an MTU value other than the default value, the following message displays:

mls only supports interfaces with default mtu size

Restrictions on Using IP Router Commands with MLS Enabled

When you enable some IP processes on an interface, you will disable MLS on the interface. The affected commands are as follows:

• clear ip-route--Clears all MLS cache entries for all Catalyst 5000 series switches performing Layer 3 switching for this MLS-RP.

• ip routing--The no form purges all MLS cache entries and disables MLS on this
  MLS-RP.

• ip security (all forms of this command)--Disables MLS on the interface.

• ip tcp compression-connections--Disables MLS on the interface.

• ip tcp header-compression--Disables MLS on the interface.

General Guidelines

• When you enable MLS, the RSM or externally attached router continues to handle all non-IP protocols while offloading the switching of IP packets to the MLS-SE.

• Do not confuse MLS with the NetFlow switching supported by Cisco routers. MLS uses both the RSM or directly attached external router and the MLS-SE. With MLS, you are not required to use NetFlow switching on the RSM or directly attached external router; any switching path on the RSM or directly attached external router will work (process, fast, optimum, and so on).

• Read the "Configuration Examples" section to understand the configuration steps required to initialize MLS and NDE.

Configuration Examples

In these examples, VLAN interfaces 1 and 3 are in VTP domain Engineering. The management interface is configured on the VLAN 1 interface. Only information relevant to MLS is shown in the following configurations:

• Router Configuration With No Access Lists

• Router Configuration With Standard Access List

• Router Configuration with Extended Access List

• Catalyst 5000 Series Switch Configuration

Router Configuration With No Access Lists

No access lists are configured on the RSM VLAN interfaces; the flow mask is
destination-ip.

router# write terminal
Building configuration...
 
Current configuration:
.
.
.
mls rp ip
interface Vlan1
 ip address 172.20.26.56 255.255.255.0
 mls rp vtp-domain Engineering
 mls rp management-interface
 mls rp ip
interface Vlan2
 ip address 128.6.2.73 255.255.255.0
interface Vlan3
 ip address 128.6.3.73 255.255.255.0
 mls rp vtp-domain Engineering
 mls rp ip
 .
 .
 end
router#
router# show mls rp
multilayer switching is globally enabled
mls id is 0006.7c71.8600
mls ip address 172.20.26.56
mls flow mask is destination-ip
number of domains configured for mls 1
vlan domain name: Engineering
   current flow mask: destination-ip
   current sequence number: 82078006
   current/maximum retry count: 0/10
   current domain state: no-change
   current/next global purge: false/false
   current/next purge count: 0/0
   domain uptime: 02:54:21
   keepalive timer expires in 11 seconds
   retry timer not running
   change timer not running
 
   1 management interface(s) currently defined:
      vlan 1 on Vlan1
 
   2 mac-vlan(s) configured for multi-layer switching:
 
      mac 0006.7c71.8600
         vlan id(s)
         1    3
 
   router currently aware of following 1 switch(es):
      switch id 00e0.fe4a.aeff
router#

Router Configuration With Standard Access List

This configuration is the same as the previous example but with a standard access list configured on the VLAN 3 interface. The flow mask changes to source-destination-ip.

.
interface Vlan3
 ip address 128.6.3.73 255.255.255.0
 ip access-group 2 out
 mls rp vtp-domain Engineering
 mls rp ip
.
router# show mls rp
multilayer switching is globally enabled
mls id is 0006.7c71.8600
mls ip address 172.20.26.56
mls flow mask is source-destination-ip
 
number of domains configured for mls 1
vlan domain name: Engineering
   current flow mask: source-destination-ip
   current sequence number: 82078007
   current/maximum retry count: 0/10
   current domain state: no-change
   current/next global purge: false/false
   current/next purge count: 0/0
   domain uptime: 02:57:31
   keepalive timer expires in 4 seconds
   retry timer not running
   change timer not running
 
   1 management interface(s) currently defined:
      vlan 1 on Vlan1
 
   2 mac-vlan(s) configured for multi-layer switching:
 
      mac 0006.7c71.8600
         vlan id(s)
         1    3
 
   router currently aware of following 1 switch(es):
      switch id 00e0.fe4a.aeff
 
router#

Router Configuration with Extended Access List

This configuration is the same as the previous examples but with an extended access list configured on the VLAN 3 interface. The flow mask changes to ip-flow.

.
interface Vlan3
 ip address 128.6.3.73 255.255.255.0
 ip access-group 101 out
 mls rp vtp-domain Engineering
 mls rp ip
.
router# show mls rp
multilayer switching is globally enabled
mls id is 0006.7c71.8600
mls ip address 172.20.26.56
mls flow mask is ip-flow
 
number of domains configured for mls 1
vlan domain name: Engineering
   current flow mask: ip-flow
   current sequence number: 82078009
   current/maximum retry count: 0/10
   current domain state: no-change
   current/next global purge: false/false
   current/next purge count: 0/0
   domain uptime: 03:01:52
   keepalive timer expires in 3 seconds
   retry timer not running
   change timer not running
 
   1 management interface(s) currently defined:
      vlan 1 on Vlan1
 
   2 mac-vlan(s) configured for multi-layer switching:
 
      mac 0006.7c71.8600
         vlan id(s)
         1    3
 
   router currently aware of following 1 switch(es):
      switch id 00e0.fe4a.aeff
 
router#

Catalyst 5000 Series Switch Configuration

This configuration shows the Catalyst 5000 series switch MLS configuration with NDE enabled (displayed using the show config command).

.
#mls
set mls enable
set mls agingtime 256
set mls agingtime fast 0 0
set mls nde flow destination 10.0.2.25/255.255.255.0
set mls nde 171.69.194.140 8000
set mls nde enable
.

Router Configuration

Perform the steps in this section to configure your router(s) for MLS. The commands you will use to perform these steps are listed below and described in detail in the step-by-step configuration procedure. Depending upon your configuration, you might not have to perform all the steps in the procedure. To ensure a successful MLS configuration, read and understand all information contained in the step-by-step configuration procedure.

• router(config)# mls rp ip

Globally enable MLSP. MLSP is the protocol that runs between the MLS-SE and the MLS-RP.

• router(config-if)# mls rp vtp-domain [domain_name]

Select the router interface to be Layer 3 switched and then add that interface to the same VLAN Trunking Protocol (VTP) domain as the switch. This interface is referred to as the MLS interface. This command is required only if the Catalyst switch is in a VTP domain.

• router(config-if)# mls rp vlan-id [vlan_id_num]

Assign a VLAN ID to the MLS interface. MLS requires that each interface has a
VLAN ID. This step is not required for RSM VLAN interfaces or ISL-encapsulated interfaces.

• router(config-if)# mls rp ip

Enable each MLS interface.

• router(config-if)# mls rp management-interface

Select one MLS interface as a management interface. MLSP packets are sent and received through this interface. This can be any MLS interface connected to the switch.

Global Configuration Commands

When you enter global configuration commands at the router(config)# prompt, you can configure all interfaces on the router to a specified setting. You cannot fully configure MLS using only the global commands; you must use the interface-specific commands to assign attributes necessary for MLS.

Interface Configuration Commands

When you enter interface configuration commands at the router(config-if)# prompt, you can configure interfaces individually on the router.

After you perform the steps in this section to configure the router, see the "Catalyst 5000 Series Switch Configuration" section in this chapter.

Step 1. Enable or Disable MLSP on the Router

Enter this command to globally enable MLSP.

After entering these commands, you see these displays:

router(config)# mls rp ip
router(config)# 
router(config)# no mls rp ip
router(config)# 

Step 2. Add an MLS Interface to a VTP Domain

After you determine what router interfaces you will use as MLS interfaces, use Step 2 to add the interfaces to the same VTP domain as the switch. A switch can be in only one VTP domain and the MLS interfaces must be in the same domain.

You must perform Step 2 prior to entering any other MLS interface commands on the MLS interface (specifically, the mls rp ip or mls rp management-interface commands). Entering an MLS interface command on an interface prior to putting the interface into a VTP domain places the interface in the null domain. To put the MLS interface into a domain other than the null domain, you have to clear the MLS interface configuration prior to adding it to another VTP domain (see "Remove an MLS Interface from a VTP Domain (Including the Null Domain)" in this section).

For an ISL interface, you can enter this command only on the primary interface. All subinterfaces that are part of the primary interface inherit the primary's VTP domain.

Putting an MLS interface into a VTP domain does not activate MLS on the interface. You need to specifically enable MLS on the interface using the mls rp ip command (you will do this in "Step 4. Specify a Router Interface for MLS.")

After entering this command, you see this display:

router(config-if)# mls rp vtp-domain engineering
router(config-if)# 

Remove an MLS Interface from a VTP Domain (Including the Null Domain)

Router(config-if)# no mls rp vtp-domain engineering
Router(config-if)# mls rp vtp-domain wbu

Router(config-if)# no mls rp ip
Router(config-if)# no mls rp management-interface
Router(config-if)# mls rp vtp-domain wbu
Router(config-if)#

Router(config-if)# no mls rp ip
Router(config-if)# no mls rp management-interface
Router(config-if)# no mls rp vtp-domain engineering
Router(config-if)# mls rp vtp-domain wbu
Router(config-if)#

Step 3. Assign a VLAN ID to a Router Interface

The MLS interface must have a VLAN ID configured before you can enable it for MLS. Removing the VLAN ID from an interface disables MLS for the interface.

The assigned interface must be either an Ethernet or Fast Ethernet interface with no subinterfaces.

After entering these commands, you see these displays:

router(config-if)# mls rp vlan-id 23
router(config-if)# 
router(config-if)# no mls rp vlan-id 23
router(config-if)# 

Step 4. Specify a Router Interface for MLS

To perform MLS on a specific interface, you must specify the interface as follows:

After entering these commands, you see these displays:

router(config-if)# mls rp ip
router(config-if)# 
router(config-if)# no mls rp ip
router(config-if)# 

Step 5. Specify a Router Interface as a Management Interface

MLSP packets are sent and received through the management interface. You must specify a router interface as a management interface. If you do not specify an interface, MLSP packets will not be sent or received.

The management interface can be any MLS interface connected to the Catalyst 5000 series switch. Specifying more than one interface is not necessary.

After entering these commands, you see these displays:

router(config-if)# mls rp management-interface 
router(config-if)# 
router(config-if)# no mls rp management-interface 
router(config-if)#

Catalyst 5000 Series Switch Configuration

MLS is enabled by default on Catalyst 5000 series switches. If the MLS-RP is the co-resident RSM, there is no configuration needed for the Catalyst switch. Configuration of the Catalyst switch is necessary only when:

• You have an external router as the MLS-RP (enter the set mls include command)

• You want to change the aging time (enter the set mls agingtime and set mls agingtime fast commands)

• You want to enable NDE (see the "NetFlow Data Export Configuration" section)

The Catalyst 5000 series switch configuration steps for MLS are listed below and described in detail in the step-by-step configuration procedure. Depending upon your configuration, you might not have to perform all (or any) of the steps in this procedure.

• set mls {enable | disable}

Enable or disable MLS on the switch (note that it is enabled by default).

• set mls include [ip_addr]

Include external routers for participation in MLS. The RSM is automatically included.

• set mls agingtime [agingtime] and set mls agingtime fast [fastagingtime] [pkt_threshold]

Specify the aging time (in seconds) for an MLS entry. The fast aging option is used to purge entries associated with very short flows, such as DNS and Trivial File Transfer Protocol (TFTP).

Syntax Requirements

Use this syntax to identify a router when configuring the Catalyst 5000 series switch:

ip_addr--Four-byte IP address format, YY.YY.YY.YY, in decimal or the MLS-RP name. If you specify a name, you must enable DNS to resolve the router's IP address.

A router might have many IP addresses and names; enter the show mls rp command on the router to get the correct router ip address to use in the set mls include command. The router's IP address is shown as "mls ip address YY.YY.YY.YY."

Step 1. Enable or Disable MLS on the MLS-SE

MLS is enabled by default on the MLS-SE.

Enter the set mls disable command to disable MLS on the MLS-SE; the MLS-SE does not process any MLSP messages from any MLS-RPs, and all existing MLS cache entries are purged.

Enter the set mls enable command to enable MLS in an MLS-SE. The MLS-SE starts to process MLSP messages from the MLS-RPs and starts Layer 3 switching.

After entering these commands, you see these displays:

Console>(enable) set mls enable
Multilayer switching is enabled
Console>(enable) 
Console>(enable) set mls disable
Multilayer switching is disabled
Console>(enable) 

Step 2. Specify Routers to Participate in MLS

Enter the set mls include command to specify that an MLS-RP participate in MLS. The MLS-SE does not process MLSP messages from external routers that have not been included as MLS-RPs. You can specify multiple MSL-RPs on the same command line; up to 16 MLS-RPs can be selected to participate in MLS.

The included MLS-RP ip_addr must be the same as the "mls ip address" that is displayed when you enter the show mls rp command on the MLS-RP you want to include.

Console>(enable) set mls include 170.170.2.1
Multilayer switching is enabled for router 170.170.2.1
Console>(enable) 
Console>(enable) set mls include Stargate
Multilayer switching is enabled for router 170.20.15.1 (Stargate)
Console>(enable)
Enter the clear mls include command to remove the MLS-RP. If all is specified, all MLS-RPs are removed from the inclusion list.

Console>(enable) clear mls include stargate
Multilayer switching is disabled for router 170.20.15.1 (Stargate)
Console>(enable) 

Step 3. Specify the MLS Aging Time

Enter the set mls agingtime command to specify the aging time (in seconds) for an MLS entry. You can specify two different aging times, as follows:

• agingtime--This aging time applies to all MLS cache entries. Any MLS entry that has not been used for agingtime seconds is aged out. The default is 256 seconds. You can configure the aging time in the range of 64 to 1920 seconds in 64-second increments. Any aging time value that is not a multiple of 64 seconds is adjusted to the closest one. For example, a value of 65 is adjusted to 64 and a value of 100 is adjusted to 128.

Normal aging of an MLS entry occurs every 256 seconds (the default). The maximum cache time for an entry is 32 minutes (the maximum specification of 1920 seconds).

Note that other events might cause the MLS entries to be purged, such as routing changes or a change in link state (MLS-SE link down).

• agingtime fast-- This aging time applies to an MLS entry that has no more than pkt_threshold packets switched within fastagingtime seconds after it is created. A typical example is the MLS entry destined to or sourced from a DNS or TFTP server. The entry might never be used again after it is created (such as when there is only one request to the server and one reply from the server--the connection is then closed). Detecting and aging out these entries saves a lot of MLS cache space for real data traffic.

The default fastagingtime is 0 (no fast aging). You can configure it to 32, 64, 96, or
128 seconds (values were picked for efficient aging). The default pkt_threshold is 0. You can configure it to 0, 1, 3, 7, 15, 31, or 63 (again, values were picked for efficient aging). If fastagingtime is not configured exactly the same as the values indicated, it adjusts to the closest one. A typical value for fastagingtime and pkt_threshold is 32 seconds and
0 packets (no packets switched within 32 seconds after the entry is created).

We recommend that you keep the number of MLS entries in the MLS cache below 32K. If the number of MLS entries is more than 32K, some flows (less than 1 percent) are sent to the router.

To keep the number of MLS cache entries below 32K, enable agingtime fast. Initially set it at 128 seconds. If the number of cache entries continues to go over 32K, decrease the setting; start with 96, then 64, and 32 as necessary. If cache entries continue to go over 32K, decrease the normal agingtime in increments of 64 seconds from the
256-second default.

Specify MLS Aging Time

After entering this command, you see this display:

Console>(enable) set mls agingtime 512
Multilayer switching aging time set to 512
Console>(enable)

Specify MLS Fast Aging Time and Packet Threshold

After entering this command, you see this display:

Console>(enable) set mls agingtime fast 32 0
Multilayer switching fast aging time set to 32 seconds for entries with no more than 0 packets switched.
Console>(enable)

NetFlow Data Export Configuration

Perform the steps in this section to configure your Cisco router and Catalyst 5000 series switch(es) for NDE. The commands you will use to perform these steps are listed below and described in detail in the step-by-step configuration procedure. This summary of the step-by-step configuration procedure is provided to give you an overview of the NDE configuration process. To ensure a successful NDE configuration, read and understand all information contained in the detailed configuration steps.

Router Configuration

router(config)# mls rp nde-address [ip_addr]

Specify an NDE IP address for the router doing the Layer 3 switching. The router and the Catalyst 5000 series switch use the NDE IP address when sending MLS statistics to a data collection application.

Catalyst Switch Configuration

• set mls nde [collector_ip] [udp_port_number]

Specify an NDE collector address and User Datagram Protocol (UDP) port number.

• set mls nde {disable | enable}

Enable or disable NDE.

• set mls nde flow [destination ip_addr_spec] [source ip_addr_spec]

[src_port port_number] [dst_port port_number]

Specify a filter for NDE (all expired flows are exported until you specify a filter).

Step 1. Specify a NetFlow Data Export Address

Perform this step to specify an NDE IP address for the MLS-RP doing the Layer 3 switching. The MLS-RP and the MLS-SE use the NDE IP address when sending MLS statistics to a data collection application. You need to configure the IP address on the
MLS-RP so the data collection application can aggregate export data from both the
MLS-RP and the MLS-SE for the same flow.

If you do not specify an NDE IP address for the MLS-RP, the MLS-RP automatically selects one of its interface's IP addresses and uses that IP address as its NDE IP address and its mls ip address.

If you do specify an NDE IP address for the MLS-RP, the MLS-RP uses this IP address as its mls ip address, "replacing" the one that was automatically selected. After specifying the NDE IP address for the MLS-RP, enter the show mls rp command (see the "Show MLS Details" section) and note the "mls ip address." You must specify this address in the included router list, see "Step 2. Specify Routers to Participate in MLS" in the section "Catalyst 5000 Series Switch Configuration."

Problem Example

You enable MLS (with NDE disabled) and the MLS-RP automatically selects one of its interfaces, 10.0.0.1, as the NDE IP address (and the mls ip address in the switches' inclusion list).

A week later you decide to enable NDE and you specify the NDE IP address as 15.1.1.1. This would exclude the MLS-RP from participating in MLS because the MLS-RP would use 15.1.1.1 as its mls ip address. For MLS to work, you would need to include 15.1.1.1 on the switch.

After entering these commands, you see these displays:

router(config)# mls rp nde-address 170.170.2.1
router(config)# 
router(config)# no mls rp nde-address 170.170.2.1
router(config)# 

Step 2. Specify a NetFlow Data Export Collector

Prior to the first time you enable NDE, you must specify an NDE collector and UDP port to receive the exported statistics (you get an error message if the port is not specified). The collector address and UDP port number are saved in nonvolatile random access memory (NVRAM) and do not need to be specified again. If you already specified an NDE collector and UDP port number, they are overwritten in NVRAM with the new values. Values in NVRAM are not overwritten when NDE is disabled and are saved across power cycles.

If you are using the NetFlow FlowCollector application for data collection, verify that the UDP port number you specify is the same port number shown in the FlowCollector's nfconfig.file. (The file is located at: /opt/csconfc/config/nfconfig.file in the FlowCollector application.)

Console>(enable) set mls nde Stargate 9996
Netflow data export not enabled.
Netflow data export to port 9996 on 172.20.15.1(Stargate)
Console>(enable)

Note in the screen example that the system warns you that NDE is not enabled. Enable NDE using the set mls nde enable command described in "Step 3. Enable or Disable NetFlow Data Export."

Step 3. Enable or Disable NetFlow Data Export

After entering these commands, you see these displays:

Console>(enable) set mls nde enable
Netflow data export enabled.
Netflow data export to port 9996 on 172.20.15.1 (Stargate)
Console>(enable)
Console>(enable) set mls nde disable
Netflow data export disabled.
Console>(enable)

If you attempt to enable NDE without first specifying a collector, you see this display:

Console>(enable) set mls nde enable
Please set host name and UDP port number with 'set mls nde <collector_ip> <udp_port_number>'.
Console>(enable)

Step 4. Specify a Filter for NDE Flow

Enter this command to set a filter for NDE. By default, all expired flows are exported until you specify a filter. After specifying a filter, only expired and purged flows matching the specified filter criteria are exported. Filter values are stored in NVRAM and are not cleared when NDE is disabled. Enter the clear mls nde flow command to reset the filter to the default.

Flow Mask Impact on Filters

If the flow mask is destination-ip mode and the NDE filter contains a filter on both source and destination, only the destination filter is effective. For example, in the filter specified in the following display if you are in destination-ip mode, all flows with destination address 9.1.2.15 are exported. The source filter for host 10.1.2.15 is not effective (it is ignored).

Console>(enable) set mls nde flow destination 9.1.2.15/32 source 10.1.2.15/32
Netflow data export: destination filter set to 9.1.2.15/32
Netflow data export: source filter set to 10.1.2.15/32
Console>(enable)

Specify Destination Host Filter

After entering this command, you see this display:

Console>(enable) set mls nde flow destination 171.69.194.140
Netflow data export: destination filter set to 171.69.194.140/32
Console>(enable)

Only expired flows to host 171.69.194.140 are exported.

Specify Destination and Source Subnet Filter

After entering this command, you see this display:

Console>(enable) set mls nde flow destination 171.69.194.140/24 source 171.69.173.5/24
Netflow data export: destination filter set to 171.69.194.0/24
Netflow data export: source filter set to 171.69.173.0/24
Console>(enable)

Only expired flows to subnet 171.69.194.0 from subnet 171.69.173.0 are exported (assuming the flow mask is source-destination-ip).

Specify Destination TCP/UDP Port Filter

After entering this command, you see this display:

Console>(enable) set mls nde flow dst_port 23
Netflow data export: destination port filter set to 23.
Console>(enable)

Only expired flows to destination port 23 are exported (assuming the flow mask is ip-flow).

Specify Source Host and Destination TCP/UDP Port Filter

After entering this command, you see this display:

Console>(enable) set mls nde flow source 171.69.194.140 dst_port 23
Netflow data export: destination port filter set to 23
Netflow data export: source filter set to 171.69.194.140/32
Console>(enable)

Only expired flows from host 171.69.194.140 to destination port 23 are exported (assuming the flow mask is ip-flow).

Clear NDE Flow Filter

Enter this command to clear the NDE flow filter. The clear command resets the filter to defaults (all flows are exported).

After entering this command, you see this display:

Console>(enable) clear mls nde flow
Netflow data export filter cleared.
Console>(enable)

All flows are now exported.

Router show Commands

The router show commands that display MLS-related information are listed below and described in the sections that follow:

• show mls rp

• show mls rp [interface]

• show mls rp vtp-domain [domain_name]

Show MLS Details

Enter the show mls rp command to display MLS details including specifics for MLSP. Displays include:

• MLS status (enabled or disabled) for switch interfaces and subinterfaces

• Flow mask used by this MLS-enabled switch when creating Layer 3-switching entries for the router

• Current settings of the keepalive timer, retry timer, and retry count

• MLSP-ID used in MLSP messages

• List of interfaces in all VTP domains that are enabled for MLS

After entering this command, you see this display:

router# show mls rp
multilayer switching is globally enabled
mls id is 00e0.fefc.6000
mls ip address 10.20.26.64
mls flow mask is ip-flow
 
vlan domain name: WBU
   current flow mask: ip-flow
   current sequence number: 80709115
   current/maximum retry count: 0/10
   current domain state: no-change
   current/next global purge: false/false
   current/next purge count: 0/0
   domain uptime: 13:03:19
   keepalive timer expires in 9 seconds
   retry timer not running
   change timer not running
   fcp subblock count = 7
 
   1 management interface(s) currently defined:
      vlan 1 on Vlan1
 
   7 mac-vlan(s) configured for multi-layer switching:
 
      mac 00e0.fefc.6000
         vlan id(s)
         1    10   91   92   93   95   100
 
   router currently aware of following 1 switch(es):
      switch id 0010.1192.b5ff
 
router#

Task
Command
 Show MLS details for a specific interface.
 show mls rp [interface]
 After entering this command, you see this display:
router# show mls rp int vlan 10
mls active on Vlan10, domain WBU
router#


 Show MLS Interfaces for VTP Domains

Task
Command
 Show MLS interfaces for a specific VTP domain.
 show mls rp vtp-domain [domain_name]
 After entering this command, you see this display:
router# show mls rp vtp-domain WBU
vlan domain name: WBU
   current flow mask: ip-flow
   current sequence number: 80709115
   current/maximum retry count: 0/10
   current domain state: no-change
   current/next global purge: false/false
   current/next purge count: 0/0
   domain uptime: 13:07:36
   keepalive timer expires in 8 seconds
   retry timer not running
   change timer not running
   fcp subblock count = 7
 
   1 management interface(s) currently defined:
      vlan 1 on Vlan1
 
   7 mac-vlan(s) configured for multi-layer switching:
 
      mac 00e0.fefc.6000
         vlan id(s)
         1    10   91   92   93   95   100
 
   router currently aware of following 1 switch(es):
      switch id 0010.1192.b5ff
 
router#


 Catalyst Switch clear Commands
 Use the commands in this section to clear MLS entries and statistics. The clear commands are listed below and described in detail in the sections that follow:
 clear mls entry [destination ip_addr_spec] [source ip_addr_spec] 
[flow protocol src_port dst_port] [all]
 These commands clear the specified MLS entry. Use all to clear all entries. The keywords destination and source specify the source and destination IP addresses. The keyword flow specifies additional flow information (protocol family and protocol port pair). Protocol can be tcp, udp, icmp, or a decimal number for other protocol families; src_port and dst_port specify the port pair if the protocol is TCP or UDP. A 0 value for src_port and dst_port or protocol is treated as a wildcard and all entries are cleared (unspecified options are treated as wildcards). If the protocol selected is not tcp or udp, set the src_port and dst_port to 0 (or no entries will be cleared).

 Clear Entries for a Specified IP Address

Note ip_addr_spec can be a full IP address or a subnet address in the following formats: ip_subnet_addr, ip_addr/subnet_mask, or ip_addr/#subnet_mask_bits.

 
Task
Command
 Clear MLS entries for a specified IP address.
 clear mls entry destination [ip_addr_spec] 
 After entering this command, you see this display:
Console>(enable) clear mls entry destination 172.20.26.22
Console>(enable)

 This command clears the MLS entries with destination IP address 172.20.26.22.

 Clear the More Specific Entries
Task
Command
 Clear specific MLS entries.
 clear mls entry destination [ip_addr_spec] source [ip_addr_spec] flow [protocol src_port dst_port] [all]
 After entering this command, you see this display:
Console>(enable) clear mls entry destination 172.20.26.22 source 172.20.22.113 flow tcp 520 320
Console>(enable)


 Clear MLS Statistics
 Use the clear mls statistics command to clear the following statistics:

Total packets switched

Total packets exported (for NDE)



 Catalyst Switch show Commands
 Use the Catalyst 5000 series switch show commands to display MLS-related information. The show commands are listed below and described in detail in the sections that follow:

show cam [mac_addr] [vlan]

show cam mlsrp [ip_addr] [vlan]

show mls [noalias]

show mls rp [ip_addr] [noalias]

show mls entry [destination ip_addr_spec] [source ip_addr_spec] 
[flow protocol src_port dst_port] [rp ip_addr]

show mls include

show mls statistics protocol

show mls statistics rp [ip_addr] [noalias]

show mls statistics entry [destination ip_addr_spec] [source ip_addr_spec] 
[flow protocol src_port dst_port]

show mls debug

show mls nde



 Show CAM Entries
 Enter the show cam command to display all content-addressable memory (CAM) entries associated with a specific Media Access Control (MAC) address. If the MAC address belongs to an MLS-RP, it is designated as such by appending an "R" to the MAC address. If you specify a VLAN number, only those CAM entries corresponding to that VLAN number are displayed. If a VLAN is not specified, all VLANs are displayed. 
Task
Command
 Show CAM entries by MAC address.
 show cam [mac_addr] [vlan]
 After entering this command, you see this display:
Console> (enable) show cam 00-10-29-8a-4c-00
* = Static Entry. + = Permanent Entry. # = System Entry. R = Router Entry.
 
VLAN  Dest MAC/Route Des  Destination Ports or VCs / [Protocol Type]
----  ------------------  ----------------------------------------------------
10    00-10-29-8a-4c-00R  9/1                         IP
51    00-10-29-8a-4c-00R  9/1                         IP
52    00-10-29-8a-4c-00R  9/1                         IP
53    00-10-29-8a-4c-00#  9/1                         IP
54    00-10-29-8a-4c-00#  9/1                         IP
Total Matching CAM Entries Displayed = 5
Console> (enable)

 Show Router CAM Entries
 Use the show cam mlsrp command to display the specified MLS-RP's entries in the forwarding table. If you specify a VLAN number, only the router MAC addresses corresponding to that VLAN are displayed. If you do not specify a VLAN, all VLANs are displayed.
Task
Command
 Show CAM entries for a router.
 show cam mlsrp [ip_addr] [vlan]
 After entering this command, you see this display:
Console>(enable) show cam mlsrp 51.0.0.3
VLAN Destination MAC     Destination Ports or VCs  Xtag Status
---- ------------------  -------------------------------------
52    00-10-29-8a-4c-00R   9/1                        5  H
51    00-10-29-8a-4c-00R   9/1                        5  H
10    00-10-29-8a-4c-00R   9/1                        5  H
Total Matching CAM Entries Displayed = 3
Console> (enable)


 Show MLS Information for Routers
 Two commands show MLS information for all MLS-RPs: show mls and show mls rp. The first command shows both general MLS information and router-specific information for all MLS-RPs. The second command shows only router-specific information for the specified MLS-RP. If DNS is enabled, use the noalias option with show mls rp to display all 
MLS-RPs by IP address, rather than by name.
Task
Command
 Show general MLS information and router-specific information for all MLS-RPs.
 show mls [noalias]
 After entering this command, you see this display:

Note The destination-ip flow field in the following example could also be source-destination-ip flow or ip-flow. 

Console>(enable) show mls
Multilayer switching enabled
Multilayer switching aging time = 256 seconds
Multilayer switching fast aging time = 0 seconds, packet threshold = 1
Destination-ip flow
Total packets switched = 101892
Active entries = 2153
Netflow data export enabled
Netflow data export configured for port 8010 on host 10.0.2.15
Total packets exported = 20
MLS-RP IP   MLS-RP ID        Xtag   MLS-RP MAC-Vlans
----------- ------------     ----   ----------------------
172.20.25.2 0000808cece0     2      00-00-80-8c-ec-e0 1-20
                                    00-00-80-8c-ec-e1 21-30
                                    00-00-80-8c-ec-e2 31-40
                                    00-00-80-8c-ec-e3 41-50
                                    00-00-80-8c-ec-e4 51-60
172.20.27.1 0000808c1214     3      00-00-80-8c-12-14 1-20,31-40
                                    00-00-80-8c-12-15 21-30
                                    00-00-80-8c-12-16 41-50
Console> (enable)

Task
Command
 Show router-specific information for a specified MLS-RP.
 show mls rp [ip_addr] [noalias]
 After entering this command, you see this display:
Console>(enable) show mls rp 172.20.25.2
MLS-RP IP   MLS-RP ID        Xtag   MLS-RP MAC-Vlans
----------- ------------     ----   ----------------------
172.20.25.2 0000808cece0     2      00-00-80-8c-ec-e0 1-20
                                    00-00-80-8c-ec-e1 21-30
                                    00-00-80-8c-ec-e2 31-40
                                    00-00-80-8c-ec-e3 41-50
                                    00-00-80-8c-ec-e4 51-60
Console> (enable)


 Show MLS Entries
 Use the show mls entry command to display MLS entries, as follows:
 show mls entry [destination ip_addr_spec] [source ip_addr_spec] 
[flow protocol src_port dst_port] [rp ip_addr]
 The keyword destination ip_addr_spec displays destination IP address entries. The keyword source ip_addr_spec displays source IP address entries. The ip_addr_spec can be a full IP address or a subnet address. 
 The keyword flow [protocol src_port dst_port] displays additional flow information. Protocol can be tcp, udp, icmp, or a decimal number for other protocol families; src_port and dst_port specify the port pair if the protocol is tcp or udp. A 0 value for src_port and dst_port or protocol is treated as a wildcard and all entries are displayed (unspecified options are treated as wildcards). If the protocol selected is not TCP or UDP, set the src_port and dst_prt to 0 (or no flows will be displayed). 
 Use the keyword rp ip_addr to specify the MLS-RP for which MLS entries are displayed. 

Note See Chapter 2, "Network Implementation" for a description of how changes in the flow mask affect the screen displays when showing MLS entries and statistics.


 Show All Entries
Task
Command
 Show all MLS entries.
 show mls entry
 After entering this command, you see this display:
Console>(enable) show mls entry
                Last Used         Last    Used
Destination IP  Source IP       Prot DstPrt SrcPrt Destination Mac   Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MLS-RP 10.20.6.161:
10.19.6.2       10.19.26.9      UDP  6009   69     00-10-0b-16-98-00 250  1/1-2
10.19.26.9      10.19.6.2       UDP  6002   69     00-00-00-00-00-09 26   4/7
MLS-RP 132.68.9.10:
10.19.86.12     10.19.85.7      TCP  6007   SMTP   00-00-00-00-00-12 86   4/10
10.19.85.7      10.19.86.12     TCP  6012   WWW    00-00-00-00-00-07 85   4/5
MLS-RP 10.20.6.82:
10.19.63.13     10.19.73.14     TCP  6014   Telnet 00-00-00-00-00-13 63   4/11
10.19.73.14     10.19.63.13     TCP  6013   FTP    00-00-00-00-00-14 73   4/12
Console>(enable)

 Show Entries for Destination Address
Task
Command
 Show MLS entries for the specified destination IP address.
 show mls entry destination [ip_addr_spec]
 After entering this command, you see this display:
Console>(enable) show mls entry destination 172.20.22.14/24
Destination IP   Source IP     Prot  DstPrt   SrcPrt  Destination Mac         Vlan  Port
--------------   ------------  ----  -------  ------  ----------------------  ----  ----
MLS-RP 172.20.25.1:
172.20.22.14     172.20.25.10  TCP   6001     Telnet  00-60-70-6c-fc-22       4     2/1
MLS-RP 172.20.27.1:
172.20.22.16     172.20.27.139 TCP   6008     Telnet  00-60-70-6c-fc-24       4     2/3
                   ..
                   ..
Console>(enable)

 Show Entries for Source Address
 
Task
Command
 Show MLS entries for the specified source IP address.
 show mls entry source [ip_addr_spec] 
 After entering this command, you see this display:
Console>(enable) show mls entry source 10.0.2.15
Destination IP  Source IP       Prot DstPrt SrcPrt Destination Mac   Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- ----
MLS-RP 51.0.0.3:
51.0.0.2        10.0.2.15       TCP  Telnet 37819  00-e0-4f-15-49-ff 51   1/9
51.0.0.2        10.0.2.15       ICMP               00-e0-4f-15-49-ff 51   1/9
Console>(enable)

 Show Entries for ip-flow Mode
Task
Command
 Show entries for ip-flow mode.
 show mls entry flow [protocol src_port dst_port]
 After entering this command, you see this display:
Console>(enable) show mls entry flow tcp 23 37819
Destination IP  Source IP       Prot DstPrt SrcPrt Destination Mac   Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MLS-RP 51.0.0.3:
10.0.2.15       51.0.0.2        TCP  37819  Telnet 08-00-20-7a-07-75 10   3/1
Console>(enable)

 Show Entries for a Specific MLS-RP
 
Task
Command
 Show MLS entries for the specified 
MLS-RP.
 show mls entry rp ip_addr
 After entering this command, you see this display:
Console>(enable) show mls entry rp 172.20.27.1
Destination IP  Source IP       Prot DstPrt SrcPrt Destination Mac   Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MLS-RP 172.20.27.1:
172.20.22.16    172.20.27.139   TCP  DNS    DNS    00-60-70-6c-fc-24 4    2/3
172.20.21.17    172.20.27.138   TCP  7001   7003   00-60-70-6c-fc-25 3    2/4
Console>(enable)

 Show MLS-Included Routers
 Use this command to display all routers that are included as MLS-RPs.
Task
Command
 Show MLS-included routers.
 show mls include
 After entering this command, you see this display:
Console>(enable) show mls include
Included MLS-RP
---------------------------------------
170.67.2.13
170.67.2.12
Console>(enable)


 Show MLS Statistics
 Use this command to display a variety of MLS statistics. The show MLS statistics commands are listed below and described in detail in the sections that follow:

show mls statistics protocol

show mls statistics rp [ip_addr] [noalias]

show mls statistics entry [destination ip_addr_spec] [source ip_addr_spec] 
[flow protocol src_port dst_port]


 The keyword protocol displays statistics by protocol (such as Telnet, FTP, and World Wide Web [WWW]). The protocol option is valid only if the flow mask mode is ip-flow. 
 The keyword rp [ip_addr] [noalias] is used to specify a specific MLS-RP. If you do not specify an MLS-RP, statistics for all MLS-RPs are displayed. If DNS is enabled, use the noalias option with the keyword rp to display all MLS-RPs by IP address, rather than by name. 
 The keyword entry with options [destination ip_addr_spec] [source ip_addr_spec] [flow protocol src_port dst_port] shows statistics for the option specified. A 0 value for src_port and dst_port is treated as a wildcard and all statistics are displayed (unspecified options are treated as wildcards). If the protocol selected is not TCP or UDP, set the src_port and dst_prt to 0 (or no statistics will be displayed). If no option is specified with the keyword entry, statistics for all entries are shown.

 Show All Statistics
Task
Command
 Show all MLS statistics by protocol (can be used only in ip-flow mode).
 show mls statistics protocol
 After entering this command, you see this display:
Console>(enable) show mls statistics protocol
Protocol  TotalFlows  TotalPackets    Total Bytes
-------   ----------  --------------  ------------
Telnet    900         630             4298
FTP       688         2190            3105	
WWW       389         42679           623686
SMTP      802         4966            92873
X         142         2487            36870
DNS       1580        52              1046
Others    82          1               73
Total     6583        53005           801951
Console>(enable)


Note This option is only available for ip-flow. Enter the show mls command to see the current flow mask.


 Show Statistics for a Specific Router
Task
Command
 Show MLS statistics for a specific MLS-RP. If no MLS-RP is specified, statistics for all MLS-RPs are shown.
 show mls statistics rp [ip_addr] [noalias]
 After entering this command, you see this display:
Console>(enable) show mls statistics rp
Total packets switched = 212540292
Active shortcuts = 2000
Total packets exported= 1889
 
                             Total switched
MLS-RP IP       MLS-RP ID    packets    bytes
--------------- ------------ ---------- ------------
10.20.26.64     00e0fefc6000    7877192 803473584
Console>(enable)


 Show Statistics for the Option Specified

Task
Command
 Show statistics for the specified MLS cache entries. If no option is specified for the MLS cache entries, all statistics are shown.
 show mls statistics entry
[destination ip_addr_spec] [source ip_addr_spec] [flow protocol src_port dst_port]
 After entering this command, you see this display:
Console>(enable) show mls statistics entry destination 92.1.0.219
Destination IP  Source IP       Prot DstPrt SrcPrt Stat-Pkts  Stat-Bytes
--------------- --------------- ---- ------ ------ ---------- ----------
MLS-RP 10.20.26.64:
92.1.0.219      10.1.0.219      ICMP -      -      511        52122
Console>(enable)


 Show MLS Debug Information
 Enter the show mls debug command when reporting an MLS problem. The command dumps all MLS-related debugging information that you should send to your technical support representative for analysis.

 Show the NetFlow Data Export Configuration
 Enter this command to display the NDE configuration.
Task
Command
 Show the NDE configuration.
 show mls nde
 After entering this command, you see this display:
Console>(enable) show mls nde
Netflow Data Export enabled
Netflow Data Export configured for port 1098 on host 172.20.15.1 
Source filter is 171.69.194.140/255.255.255.0
Destination port filter is 23
Total packets exported = 26784
Console>(enable)


 Router Debug Commands
 The commands listed in Table 3-1 provide a variety of statistical information useful for troubleshooting MLS problems.

Note To turn off any of the debugging commands, use the no forms of the command.



 Table  3-1: Router Debug Commands 
Command 
Description
 debug mls rp events
 Displays a run-time sequence of events for the MLSP.
 debug mls rp packets
 Displays packet contents (in verbose and hexadecimal formats) for MLSP messages.
 debug mls rp error
 Displays error messages related to MLS.
 debug mls rp ip
 Turns on IP-related events for MLS, including:

Route purging

Changes of access lists and flow masks


 debug mls rp locator
 Identifies which Catalyst 5000 series switch is handling a particular flow by using MLS explorer packets.
 debug mls rp all
 Turns on all MLS debugging events.