CCNP: Building Cisco Multilayer Switched Networks Study Guide (642-811)
Switch configuration of MLS is very simple. MLS is on by default for the 6000. The only time when it is necessary to perform configuration tasks on the MLS-SE is when you want to change specific MLS attributes or when the device requires configuration. Here are some examples:
-
Using an external router
-
Establishing flows
-
Changing the MLS cache aging timers
-
Enabling NetFlow Data Export (NDE)
Each of these topics are addressed in this section.
Enabling MLS on the MLS-SE
As mentioned, the only time you need to actually enable MLS on the switch is when it has been disabled or on a system on which MLS is off by default.
To enable MLS on the MLS-SE, issue the command set mls enable. Here is an example:
Terry_6506> (enable) set mls enable Multilayer switching is enabled Terry_6506> (enable)
If the MLS route processor being used is an external router, the switch needs to be told to send MLSP packets to the appropriate IP address. Use the command set mls include rp_ip_ address to tell the switch which IP address that is. The command show mls include displays the list of IP addresses of external route processors.
Configuring Flow Masks
A flow is the cache entry on the switch that is used for layer 3 switching. The switch learns the appropriate information from the MLS router and the switch caches the information for subsequent packets in the stream. Typically, flow information is received from a router based on what type of access control list is configured on the outbound interface.
There are three ways of configuring flow masks:
Destination-IP This is the default mask and is the least specific. A flow is created for each destination IP address, and all packets—no matter the source—get layer-3 switched if they match the destination. This mask is used if no outbound access control list is used.
Source-Destination-IP The switch engine will have a flow entry for each source/destination pair of addresses. No matter what applications are used between the two addresses, all traffic that matches the source and destination IP addresses will be switched according to this flow. This mask is used if there is a standard access control list used on the outbound interface.
IP-Flow This mask builds flows that have a specific source and destination port in addition to specific source and destination IP addresses. Two different processes—for example, HTTP and Telnet—from one client to a single server will create two different masks because the port numbers are different. This mask is used if the outbound access control list is extended.
If no outbound access control list is configured on the router but either IP-Flow or Source- Destination-IP is desired, it is possible to configure the switch to build flows in a more specific fashion. The command set mls flow [destination|destination-source|full] can be used to tell the MLS switch what information to cache with candidate packets.
Using Cache Entries
MLS entry or shortcut cache exists on the PFC for 6000 series switches. The purpose of the cache is consistent across all platforms: The cache is a layer 3 switching table. It maintains the flow information that facilitates MLS.
Here is a sample of a layer 3 cache table:
Terry_6509> (enable) show mls entry Dest-IP Source-IP Prot DstPrt SrcPrt Dest-Mac Vlan EDst ESrc DPort SPort Stat-Pkts Stat-Bytes Uptime Age --------------- --------------- ----- ------ ------ ----------------- ---- ---- ---- ------ ------ ---------- ----------- -------- ---- ---- MSFC 10.10.100.5 (Module 15): 172.16.10.1 - - - - 00-30-96-2d-24-20 188 ARPA ARPA 2/7 2/6 870 157785 00:05:29 00:00:27 172.16.55.115 - - - - 00-30-96-2d-24-20 188 ARPA ARPA 2/7 2/6 2407 642886 00:00:39 00:00:00 172.16.96.101 - - - - 00-d0-bc-f3-69-44 4 ARPA ARPA 2/2 2/7 2710 2200670 00:12:23 00:00:00 172.16.8.35 - - - - 00-d0-bc-f3-66-9c 180 ARPA ARPA 3/7 3/3 76634 24951932 00:24:31 00:00:00 172.16.8.17 - - - - 00-30-96-2d-24-20 188 ARPA ARPA 2/7 2/6 81752 26599352 00:18:32 00:00:00 172.16.8.102 - - - - 00-30-96-2d-24-20 188 ARPA ARPA 2/7 2/6 313 148298 00:00:24 00:00:22
This command has many options, but the most basic ones involve viewing cache information based on the source and destination IP addresses. The syntax of the command is show mls entry [rp|destination|source] ip_address. Also, be aware that the display has room for many pieces of information, but you won’t see them unless the flow is based on that information. For example, when using the preceding Destination-IP flow, the source IP address isn’t displayed. You will always be able to see the destination IP address as well as the destination MAC address.
Cache entries are kept while the flow is active. After the flow no longer receives traffic, the cache entry gets aged out and removed from the layer 3 cache on the NFFC or PFC. This attribute can be modified and adjusted. You’ll learn how to do that next.
A candidate entry is cached for five seconds to allow for an enable packet to arrive from the router. If the enable packet doesn’t arrive in that time, the switch assumes that the best path is not through itself and removes the entry.
Modifying the Cache Aging Time
A layer 3 cache entry remains in cache for 256 seconds after the last packet for the flow has passed through the switch. This is the default value. The value can be changed to different values depending on your needs as a network administrator.
The syntax is set mls agingtime agingtime, where agingtime is a value of seconds. The value is a multiple of 8. The valid range is from 8 to 2032. If the value specified is not a multiple of 8, the nearest multiple is used. Here is an example:
Terry_6506> (enable) set mls agingtime 125 Multilayer switching aging time set to 128 Terry_6506> (enable)
Modifying Fast Aging Time
When the layer 3 cache grows greater than 32KB in size, the possibility increases that the PFC or NFFC will not be able to perform all layer 3 switching, causing some packets to be forwarded to the router. To aid in maintaining a layer 3 cache smaller than 32KB, you can enable and adjust fast aging times.
Because some flows can be very short—a DNS query, for example—you can enable packet thresholds that can be used in correlation with the fast aging time to quickly age out these entries. Both of these attributes are thresholds. When you set the fast aging time, you specify the amount of time for which n number of packets (defined by the packet threshold) must have used the cache entry.
When a flow is initialized, the switch must see a number of packets equal to or greater than the packet threshold set within the time specified by the fast aging time. If this criterion isn’t met, the cache entry is aged out immediately.
Valid values for the fast aging time are 32, 64, 96, and 128. Valid values for the packet threshold are 0, 1, 3, 7, 15, 31, and 63. Let’s try an example so you can understand how this works.
Say you configured a fast aging time of 64 seconds and set the packet threshold to 31 packets by using the set mls agingtime fast 64 31 command on the switch. This is telling the MLS-SE that a layer 3 cache entry has 64 seconds in which 31 packets or more must utilize the entry. If this doesn’t happen, the cache entry is removed.
The actual syntax for the command is set mls agingtime fast fastagingtime pkt_threshold. An example configuration follows:
Terry_6506> (enable) set mls agingtime fast 64 31 Multilayer switching fast aging time set to 64 seconds for entries with no more than 31 packets switched. Terry_6506> (enable)
Verifying the Configuration
MLS-SE configuration settings can be seen by using the show mls ip command. The command provides information regarding the aging time, the fast aging time, and the packet threshold values. In addition, it gives summary statistics for the type of flow mask and MLS entries. Finally, it provides details about the MLS-RP, including XTAG, MAC, and VLAN values. Here is an example:
Terry_6509> show mls ip IP Multilayer switching aging time = 256 seconds IP Multilayer switching fast aging time = 64 seconds, packet threshold = 31 IP Current flow mask is Destination flow Active IP MLS entries = 87 Netflow Data Export version: 7 Netflow Data Export disabled Netflow Data Export port/host is not configured. Total packets exported = 0 IP MSFC ID Module XTAG MAC Vlans --------------- ------ ---- ----------------- ------------ 172.16.10.1 15 1 00-d0-bc-f4-81-c0 10,100 Terry_6509>
Displaying the MLS Cache Entries
There are several methods of viewing MLS cache entries. The base command is show mls entry. However, many options are available to customize the output of this basic command.
If you are on a switch and issue the help command for show mls entry, this is what you get:
Terry_6509> (enable) show mls entry ? Usage: show mls entry [mod] [long|short] show mls entry ip [mod] [destination <ip_addr_spec>] [source <ip_addr_spec>] [protocol <protocol>] [src-port <src_port>] [dst-port <dst_port>] [short|long] show mls entry ipx [mod] [destination <ipx_addr_spec>] [short|long] (mod = 15 or 16 ip_addr_spec = ip_addr|ip_addr/netmask|ip_addr/maskbit (maskbit: 0..32) protocol = 1..255|ip|ipinip|icmp|igmp|tcp|udp src_port, dst_port = 1..65535|dns|ftp|smtp|telnet|x|www ipx_addr_spec = dest_net.dest_node|dest_net/mask) Terry_6509> (enable)
As you can see, there are quite a few options. This command, with the options shown, enables the administrator to view very general information or very specific information. To get an idea of what can be generated from this command, let’s review the options.
You can show MLS entries based on the module. The long and short options modify the output in different ways. Long displays the information all on one line, and short displays the information by using carriage returns. It is impossible to give an example due to the formatting limitations in this book.
More specific information can be obtained by specifying an IP address or port information. By specifying options, you can refine your output. Instead of getting pages and pages of cache entries, you get entries that match your criteria.
Removing MLS Cache Entries
If you do not want to wait for aging times to expire, or if you want to clear the cache immediately, you can issue the clear mls entry command. This command also has options that enable the network administrator to clear specific cache entries instead of the entire table.
The syntax of the command is as follows:
clear mls entry destination ip_addr_spec source ip_addr_spec flow protocol src_port dst_port [all]
The use of the all optional keyword causes all MLS cache entries to be removed. If you use specific IP addresses, ports, or protocols, specific cache entries can be removed.