Configuring MLS-RP | CCNP: Building Cisco Multilayer Switched Networks Study Guide (642-811)

To fully enable MLS, you must properly configure all participating devices. This section will cover the different configurations and settings that must be executed on the MLS-RP. Remember, the MLS-RP can be an external router or an MSFC on a 6000 series switch.

We will discuss optional configuration settings. These options depend on the existing layer 2 network and configuration. All the remaining subsections, except for “Verifying the MLS Configuration,” apply only to external routers. We will start with the most basic and essential commands and then move on to management commands that can be used for verification and troubleshooting if necessary.

Enabling MLS

Although MLS is enabled on an MSFC, other routers may or may not need MLS enabled before it can be used. To enable MLS on a route processor, type the command mls rp ip while in global configuration mode. Much like the ip routing command, enabling MLS on a router just begins the process; you still need to configure more. Here is an example:

Terry_2620#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Terry_2620(config)#mls rp ip Terry_2620(config)#^Z Terry_2620# ! ip subnet-zero mls rp ip !

Enabling MLS on the router is just the tip of the iceberg as far as required configuration tasks are concerned. We’ll continue with the domain information that is needed.

VTP Domain Assignments

If a router interface is connected to a switch that is a VTP server or client, assigning the VLAN Trunk Protocol (VTP) domain is also a necessary step for MLS to work properly. It is very important to note that this step should be executed before any further MLS interface-specific commands are entered.

Warning

Failing to assign the VTP domain before configuring interfaces will place interfaces into a “null domain” rather than the proper one. Fixing this requires disabling MLS on the interfaces, and then fixing the domain and adding the interfaces back in.

Verifying the VTP Domain

First you should verify which VTP domain the interface belongs to. This is done with the show vtp domain command from the switch. You can also obtain this information by looking at the switch configuration. Here are the two examples:

Terry_6509> show vtp domain Domain Name Domain Index VTP Version Local Mode Password ----------- ------------ ----------- ---------- -------- test     1      2      server   - Vlan-count Max-vlan-storage Config Revision Notifications ---------- ---------------- --------------- ------------- 7     1023       2        disabled Last Updater  V2 Mode Pruning PruneEligible on Vlans -------------- -------- -------- ------------------------- 172.16.10.1  disabled disabled 2-1000 Terry_6509> Terry_6509> (enable) show running-config ….. ……… ……… ……… ……… .. -- omitted text -- ! #vtp set vtp domain test set vtp mode server

VTP Interface Configuration

After you have the VTP domain name, you are ready to assign the router interface to that VTP domain. This is done with the execution of the command mls rp vtp-domain domain_name on the specified interface.

Here is an example:

Terry_2620#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Terry_2620(config)#interface fastethernet 4/0 Terry_2620(config-if)#mls rp vtp-domain test Terry_2620(config-if)#^Z Terry_2620# ! interface FastEthernet4/0  ip address 172.16.10.1 255.255.255.0  no ip directed-broadcast  no ip route-cache  no ip mroute-cache  mls rp vtp-domain test !

VLAN Assignments

The command to establish a VLAN is used only if an external router’s interface is not using ISL or 802.1Q encapsulation. (RSMs and MSFCs use logical VLAN interfaces.) An example is a router that has two physical interfaces connected to the same switch, each to a different VLAN. This scenario doesn’t require that the router be aware of VLAN assignments and would typically be found on routers that have only 10Mb interfaces.

If you wish to enable MLS on interfaces that don’t use VLANs, you can issue the mls rp vlan- id vlan_id_number command to assign a VLAN to the interface. Here is an example:

Terry_2620#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Terry_2620(config)#interface fastethernet 4/0 Terry_2620(config-if)#mls rp vlan-id 10 Terry_2620(config-if)#^Z Terry_2620# ! interface FastEthernet4/0  ip address 172.16.10.1 255.255.255.0  no ip directed-broadcast  no ip route-cache  no ip mroute-cache  mls rp vtp-domain test  mls rp vlan-id 10 !

Interface Configurations

After VTP and VLAN assignments have been made, you can finally enable MLS on the interface. This is done with the same command that was used to globally enable MLS, mls rp ip. Here is an example:

Terry_2620#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Terry_2620(config)#interface fastethernet 4/0 Terry_2620(config-if)#mls rp ip Terry_2620(config-if)#^Z Terry_2620# ! interface FastEthernet4/0  ip address 172.16.10.1 255.255.255.0  no ip directed-broadcast  no ip route-cache  no ip mroute-cache  mls rp vtp-domain test  mls rp vlan-id 10  mls rp ip !

MSA Management Interface

As you may remember, MLS has three components. The third component is MLSP, the communication protocol itself. Well, in order for MLS to function between a switch and a router, MLSP must be able to communicate between both devices.

This requirement makes this next configuration step essential for MLS functionality. At least one interface on the router that is connected to the same switch must be enabled as the management interface. This indicates which interface is going to participate in MLSP exchanges.

Another requirement is that there be at least one management interface per VLAN on the switch. To specify a router interface as a management interface, issue the mls rp management-interface command on the specified interface. Here is an example of the syntax for the command:

Terry_2620#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Terry_2620(config)#interface fastethernet 4/0 Terry_2620(config-if)#mls rp management-interface Terry_2620(config-if)#^Z Terry_2620#

Verifying the MLS Configuration

After all the pieces have been configured, you can issue the show mls rp command to view the MLS status and information on the router. There are two options in correlation with the main command. All three commands are shown here:

show mls rp Provides global MLS information.

show mls rp interface interface Provides interface-specific MLS information.

show mls rp vtp-domain domain_name Provides MLS information for the VTP domain.

Here is an example of the global command:

Terry_2620#show mls rp multilayer switching is globally enabled mls id is 0010.a6a9.3400 mls ip address 172.16.21.4 mls flow mask is destination-ip number of domains configured for mls 1 vlan domain name: test   current flow mask: destination-ip   current sequence number: 3041454903   current/maximum retry count: 0/10   current domain state: no-change   current/next global purge: false/false   current/next purge count: 0/0   domain uptime: 00:34:35   keepalive timer expires in 4 seconds   retry timer not running   change timer not running   fcp subblock count = 1   1 management interface(s) currently defined:    vlan 10 on FastEthernet4/0   1 mac-vlan(s) configured for multi-layer switching:    mac 0010.a6a9.3470      vlan id(s)      10   router currently aware of following 1 switch(es):    switch id 00-e0-4e-2d-43-ef Terry_2620#

Here is an example of the interface option:

Terry_2620#show mls rp interface fastethernet 4/0 mls active on FastEthernet4/0, domain test interface FastEthernet4/0 is a management interface Terry_2620#

These are the show commands, and as with any IOS, there are debugging opportunities. Table 7.1 provides a summary of the debug commands available for MLS troubleshooting.

Table 7.1: MLS Debug Command Summary
Command	Description
all	Performs all MLS debugging
error	Displays information about MLS errors
events	Displays information from MLS events
ip	Displays IP MLS events
locator	Displays MLS locator information
packets	Displays information for all MLS packets
verbose packets	Displays information on all MLS verbose packets

Access Control Lists (ACLs)

It’s not unusual to want to use an access control list to filter traffic from one VLAN to another, especially if one VLAN needs higher security than the others do. The problem is that you usually want all the packets to be examined by the access control list, and the switch is forwarding only the first one.

Until IOS release 12.0(2), inbound access control lists were not supported. If a router interface had an inbound access control list applied, MLS was disabled. With versions after 12.0(2), inbound access control lists are supported, but the support is not enabled by default. Use the command mls rp ip input-acl from global configuration mode to enable the router to use MLS with inbound access control lists.

Outbound access control lists are a little more problematic. Although they have always been supported, applying the access control list to an interface will clear the MLS cache information for connections passing through that interface. Another packet needs to be forwarded to the router to start the MLS process again. Also, outbound lists utilizing the following functions will disable MLS on the interface to which they are applied:

TOS
Established
Log
Precedence
Reflexive

This is because these features require the router to examine every packet. Because these features tend to be more security related than a simple access control list often is, using these features disables MLS on the interface in question.