To fully enable MLS, you must properly configure all participating devices. This section will cover the different configurations and settings that must be executed on the MLS-RP. Remember, the MLS-RP can be an external router or an MSFC on a 6000 series switch.
We will also discuss optional configuration settings, which depend on the existing layer 2 network and its configuration. All the remaining subsections, except for “Verifying the MLS Configuration,” apply only to external routers. We will start with the most basic and essential commands and then move on to the management commands used for verification and troubleshooting.
MLS is already enabled on an MSFC, but on an external router it must be enabled explicitly before it can be used. To enable MLS on a route processor, type the command mls rp ip in global configuration mode. Much like the ip routing command, enabling MLS on the router only begins the process; the interfaces still need to be configured. Here is an example:
```
Terry_2620#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Terry_2620(config)#mls rp ip
Terry_2620(config)#^Z
Terry_2620#
!
ip subnet-zero
mls rp ip
!
```
Enabling MLS on the router is just the tip of the iceberg as far as required configuration tasks are concerned. We’ll continue with the domain information that is needed.
If a router interface is connected to a switch that is a VTP server or client, assigning the VLAN Trunk Protocol (VTP) domain is also a necessary step for MLS to work properly. It is very important to note that this step should be executed before any further MLS interface-specific commands are entered.
Warning: Failing to assign the VTP domain before configuring the interfaces places those interfaces into a “null domain” rather than the proper one. Fixing this requires disabling MLS on the affected interfaces, correcting the domain, and then re-enabling MLS on them.
First you should verify which VTP domain the interface belongs to. This is done with the show vtp domain command from the switch. You can also obtain this information by looking at the switch configuration. Here are the two examples:
```
Terry_6509> show vtp domain
Domain Name   Domain Index  VTP Version  Local Mode  Password
------------  ------------  -----------  ----------  --------
test          1             2            server      -

Vlan-count  Max-vlan-storage  Config Revision  Notifications
----------  ----------------  ---------------  -------------
7           1023              2                disabled

Last Updater    V2 Mode   Pruning   PruneEligible on Vlans
--------------  --------  --------  -------------------------
172.16.10.1     disabled  disabled  2-1000
Terry_6509>

Terry_6509> (enable) show running-config
-- omitted text --
!
#vtp
set vtp domain test
set vtp mode server
```
After you have the VTP domain name, you are ready to assign the router interface to that VTP domain. This is done with the execution of the command mls rp vtp-domain domain_name on the specified interface.
Here is an example:
```
Terry_2620#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Terry_2620(config)#interface fastethernet 4/0
Terry_2620(config-if)#mls rp vtp-domain test
Terry_2620(config-if)#^Z
Terry_2620#
!
interface FastEthernet4/0
 ip address 172.16.10.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 mls rp vtp-domain test
!
```
The command that assigns a VLAN is needed only when an external router’s interface is not using ISL or 802.1Q trunking. (RSMs and MSFCs use logical VLAN interfaces, so the VLAN is implied.) An example is a router with two physical interfaces connected to the same switch, each in a different VLAN. In this scenario the router’s interfaces are not VLAN-aware, which is typical of routers that have only 10Mb interfaces, so the VLAN must be supplied to MLS explicitly.
If you wish to enable MLS on interfaces that don’t use VLAN encapsulation, issue the mls rp vlan-id vlan_id_number command to assign a VLAN to the interface. Here is an example:
```
Terry_2620#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Terry_2620(config)#interface fastethernet 4/0
Terry_2620(config-if)#mls rp vlan-id 10
Terry_2620(config-if)#^Z
Terry_2620#
!
interface FastEthernet4/0
 ip address 172.16.10.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 mls rp vtp-domain test
 mls rp vlan-id 10
!
```
After VTP and VLAN assignments have been made, you can finally enable MLS on the interface. This is done with the same command that was used to globally enable MLS, mls rp ip. Here is an example:
```
Terry_2620#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Terry_2620(config)#interface fastethernet 4/0
Terry_2620(config-if)#mls rp ip
Terry_2620(config-if)#^Z
Terry_2620#
!
interface FastEthernet4/0
 ip address 172.16.10.1 255.255.255.0
 no ip directed-broadcast
 no ip route-cache
 no ip mroute-cache
 mls rp vtp-domain test
 mls rp vlan-id 10
 mls rp ip
!
```
As you may remember, MLS has three components: the MLS-RP, the MLS-SE, and MLSP, the communication protocol between them. For MLS to function between a switch and a router, MLSP must be able to pass between the two devices.
That requirement makes this next configuration step essential. At least one router interface connected to the switch must be enabled as a management interface; this designates the interface that will participate in MLSP exchanges.
Another requirement is that there be at least one management interface per VLAN on the switch. To specify a router interface as a management interface, issue the mls rp management-interface command on the specified interface. Here is an example of the syntax for the command:
```
Terry_2620#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Terry_2620(config)#interface fastethernet 4/0
Terry_2620(config-if)#mls rp management-interface
Terry_2620(config-if)#^Z
Terry_2620#
```
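Putting the steps together, here is a complete MLS-RP configuration for the two-interface scenario mentioned earlier: two non-trunking router interfaces connected to the same switch, each in a different VLAN, with a management interface in each VLAN. This is an added example rather than output from the original text; the second interface (FastEthernet4/1), its address 172.16.20.1 and VLAN 20 are assumptions. Remember that the vtp-domain command must be typed on each interface before any of the other interface-level MLS commands.

```cisco
!
! Step 1: enable MLS globally on the route processor
mls rp ip
!
! Step 2-5 on each interface, in this order:
!   vtp-domain first (otherwise the interface lands in the null domain),
!   then vlan-id (only because these are non-trunking interfaces),
!   then mls rp ip, then management-interface
interface FastEthernet4/0
 ip address 172.16.10.1 255.255.255.0
 no ip directed-broadcast
 mls rp vtp-domain test
 mls rp vlan-id 10
 mls rp ip
 mls rp management-interface
!
interface FastEthernet4/1
 ip address 172.16.20.1 255.255.255.0
 no ip directed-broadcast
 mls rp vtp-domain test
 mls rp vlan-id 20
 mls rp ip
 mls rp management-interface
!
```

After applying it, show mls rp should list both interfaces under the test domain as management interfaces and show the switch the router has learned of through MLSP; if the domain count reads 0 or the interfaces are missing, the vtp-domain step was most likely entered after mls rp ip and the interface commands have to be removed and re-entered in order.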
After all the pieces have been configured, you can issue the show mls rp command to view the MLS status and information on the router. The main command takes two optional forms; all three commands are shown here:
show mls rp Provides global MLS information.
show mls rp interface interface Provides interface-specific MLS information.
show mls rp vtp-domain domain_name Provides MLS information for the VTP domain.
Here is an example of the global command:
```
Terry_2620#show mls rp
multilayer switching is globally enabled
mls id is 0010.a6a9.3400
mls ip address 172.16.21.4
mls flow mask is destination-ip
number of domains configured for mls 1

vlan domain name: test
  current flow mask: destination-ip
  current sequence number: 3041454903
  current/maximum retry count: 0/10
  current domain state: no-change
  current/next global purge: false/false
  current/next purge count: 0/0
  domain uptime: 00:34:35
  keepalive timer expires in 4 seconds
  retry timer not running
  change timer not running
  fcp subblock count = 1

  1 management interface(s) currently defined:
    vlan 10 on FastEthernet4/0

  1 mac-vlan(s) configured for multi-layer switching:
    mac 0010.a6a9.3470 vlan id(s)
    10

  router currently aware of following 1 switch(es):
    switch id 00-e0-4e-2d-43-ef
Terry_2620#
```
Here is an example of the interface option:
```
Terry_2620#show mls rp interface fastethernet 4/0
mls active on FastEthernet4/0, domain test
interface FastEthernet4/0 is a management interface
Terry_2620#
```
Those are the show commands; as with any IOS feature, there are also debugging options. Table 7.1 summarizes the keywords available with the debug mls rp command for MLS troubleshooting.
debug mls rp keyword | Description |
---|---|
all | Performs all MLS debugging |
error | Displays information about MLS errors |
events | Displays information from MLS events |
ip | Displays IP MLS events |
locator | Displays MLS locator information |
packets | Displays information for all MLS packets |
verbose packets | Displays information on all MLS verbose packets |
It is common to want an access control list to filter traffic between VLANs, especially when one VLAN requires more security than the others. The problem is that an access control list is meant to examine every packet, whereas with MLS only the first packet of each flow reaches the router; the switch forwards the rest from its cache.
Until IOS release 12.0(2), inbound access control lists were not supported with MLS: if a router interface had an inbound access control list applied, MLS was disabled. From 12.0(2) on, inbound access control lists are supported, but the support is not enabled by default. Use the command mls rp ip input-acl in global configuration mode to let the router use MLS on interfaces with inbound access control lists.
Outbound access control lists are a little more problematic. Although they have always been supported, applying an access control list to an interface clears the MLS cache entries for flows passing through that interface, so the next packet of each flow must be sent to the router to start the MLS process again. Also, outbound lists that use any of the following options disable MLS on the interface to which they are applied:
TOS
Established
Log
Precedence
Reflexive
These options require the router to examine every packet, which a cached flow cannot provide. Because they are the options most likely to be chosen for security reasons, using them disables MLS on the interface in question rather than letting the switch bypass the check.
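The two rules above (an inbound list needs the global mls rp ip input-acl, and an outbound list using tos, established, log, precedence or reflexive entries disables MLS on its interface) are easy to check against a saved running-config before a change window. The following audit script is an added example and is not from the original text or from Cisco; it assumes a 12.0(2) or later IOS, assumes that reflexive lists appear as the reflect and evaluate keywords and that log-input counts as a form of log, and runs against a constructed sample configuration whose interfaces, addresses and ACL names are made up for the example.

```python
"""Audit an IOS running-config for ACL settings that interfere with MLS.

Added example, not from the original text. Rules encoded (from the text):
  * an inbound ACL on an MLS-enabled interface needs the global command
    'mls rp ip input-acl' (assumes IOS 12.0(2) or later);
  * an outbound ACL whose entries use tos, established, log, precedence or
    reflexive keywords disables MLS on that interface.
"""
import re
from typing import Dict, List, Set, Tuple

# ACL entry keywords that force per-packet examination by the router.
# 'reflect'/'evaluate' are the reflexive-ACL keywords; 'log-input' is a
# variant of 'log' (both assumptions made for this example).
MLS_DISABLING_KEYWORDS = {"tos", "established", "log", "log-input",
                          "precedence", "reflect", "evaluate"}


def parse_config(text: str) -> Tuple[bool, Dict[str, List[str]], Dict[str, dict]]:
    """Return (input_acl_enabled, acls, interfaces).

    acls maps an ACL name or number to its entry lines; interfaces maps an
    interface name to {'mls': bool, 'in': acl-or-None, 'out': acl-or-None}.
    """
    input_acl_enabled = False
    acls: Dict[str, List[str]] = {}
    interfaces: Dict[str, dict] = {}
    section = None  # ("acl", name) or ("intf", name) while inside a block
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if not line.startswith(" "):  # top-level command ends any block
            section = None
            if line == "mls rp ip input-acl":
                input_acl_enabled = True
                continue
            m = re.match(r"access-list (\S+) (.*)", line)  # numbered ACL entry
            if m:
                acls.setdefault(m.group(1), []).append(m.group(2))
                continue
            m = re.match(r"ip access-list (?:standard|extended) (\S+)", line)
            if m:
                section = ("acl", m.group(1))
                acls.setdefault(m.group(1), [])
                continue
            m = re.match(r"interface (\S+)", line)
            if m:
                section = ("intf", m.group(1))
                interfaces[m.group(1)] = {"mls": False, "in": None, "out": None}
            continue
        body = line.strip()  # indented line belongs to the open block
        if section and section[0] == "acl":
            acls[section[1]].append(body)
        elif section and section[0] == "intf":
            intf = interfaces[section[1]]
            if body == "mls rp ip":
                intf["mls"] = True
            m = re.match(r"ip access-group (\S+) (in|out)", body)
            if m:
                intf[m.group(2)] = m.group(1)
    return input_acl_enabled, acls, interfaces


def disabling_keywords(entries: List[str]) -> Set[str]:
    """Keywords in the ACL entries that would disable MLS when applied outbound."""
    return {tok for e in entries for tok in e.split() if tok in MLS_DISABLING_KEYWORDS}


def audit(text: str) -> List[Tuple[str, str]]:
    """Return (interface, finding) pairs for MLS-enabled interfaces only."""
    input_acl_enabled, acls, interfaces = parse_config(text)
    findings = []
    for name, intf in sorted(interfaces.items()):
        if not intf["mls"]:
            continue
        if intf["in"] and not input_acl_enabled:
            findings.append((name, f"inbound ACL {intf['in']} applied without global "
                                   "'mls rp ip input-acl'; MLS will not be used here"))
        if intf["out"]:
            kws = disabling_keywords(acls.get(intf["out"], []))
            if kws:
                findings.append((name, f"outbound ACL {intf['out']} uses "
                                       f"{', '.join(sorted(kws))}; MLS is disabled on this interface"))
    return findings


# Constructed sample configuration for the example (names and addresses assumed).
SAMPLE_CONFIG = """\
!
mls rp ip
!
ip access-list extended FROM-DMZ
 permit tcp 172.16.20.0 0.0.0.255 172.16.10.0 0.0.0.255 established
 deny   ip any any log
!
access-list 110 permit ip 172.16.10.0 0.0.0.255 any
access-list 110 deny   ip any any
!
interface FastEthernet4/0
 ip address 172.16.10.1 255.255.255.0
 ip access-group 110 in
 mls rp vtp-domain test
 mls rp vlan-id 10
 mls rp ip
 mls rp management-interface
!
interface FastEthernet4/1
 ip address 172.16.20.1 255.255.255.0
 ip access-group FROM-DMZ out
 mls rp vtp-domain test
 mls rp vlan-id 20
 mls rp ip
!
"""

if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

On the sample configuration the script reports FastEthernet4/0 because its inbound list 110 is applied while the global mls rp ip input-acl is missing, and FastEthernet4/1 because the outbound list FROM-DMZ uses established and log. Adding mls rp ip input-acl clears the first finding; the second can only be resolved by deciding whether per-packet inspection on that interface matters more than MLS throughput, which is exactly the trade-off the text describes.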