Section 7.5: Configuring the MLS-SE

MLS is enabled by default on Catalyst series switches that support Layer 3 switching. There are, however, a few instances where configuring the switch is necessary, such as when the MLS-RP is an external router.

Enter the set mls disable command to disable MLS on the MLS-SE. This command stops the MLS-SE from processing the MLSP messages from the MLS-RP and purges all existing MLS cache entries in the switch.

If a switch has been disabled for Layer 3 switching, you can use the set mls enable command in privileged exec mode to re-enable it.

7.5.1: MLS Caching

Because the MLS cache has a size limitation, MLS entries will be purged from the cache under certain conditions. This purging, or aging, process takes effect when candidate entries remain in the cache for five seconds with no enabled entry before timing out; when a flow for an entry has not been detected for the specified aging time; when access lists are applied; when routing changes; or when MLS is disabled on the switch.

The amount of time an MLS entry remains in the cache, which is called the aging time, is adjustable. To adjust the value of the aging time you can use the following command in privileged exec mode:

Switch(enable)# set mls agingtime agingtime

The range of the aging time value is from 8 to 2032 seconds and the default value is 256 seconds.

Some MLS flows are sporadic or short-lived, such as packets that are sent to or received from a Domain Name System (DNS) or Trivial File Transfer Protocol (TFTP) server, which may be closed after one request and one reply cycle. The MLS entry for such a packet will still consume cache space until the entry is purged. To overcome this, a different type of aging mechanism, called fast aging, can be implemented. In fast aging, the entry is removed from the cache if the MLS-SE does not detect a specified number of packets in a certain time period. To configure the fast aging option, enter the following command in privileged exec mode:

Switch(enable)# set mls agingtime fast fast_agingtime pkt_threshold

The allowable fast_agingtime values are 32, 64, 96, or 128 seconds while the default is 0 seconds. The pkt_threshold argument indicates the number of packets that must be detected within the specified amount of time. The allowable pkt_threshold values are 0, 1, 3, 7, 15, 31 or 63 packets, and the default is 0 packets.
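
The following Python model is an added example, not Cisco code and not part of the original guide. It works out when one flow's entry leaves the MLS cache under normal and fast aging, using the value ranges given above. Assumptions: the fast-aging window is measured from entry creation, an entry is fast-aged when fewer than pkt_threshold packets are seen in that window, and the names validate and purge_time are hypothetical.

```python
# Added illustration: simplified model of MLS cache aging (not Cisco code).
AGING_RANGE = range(8, 2033)              # 8..2032 seconds, default 256
FAST_AGING_VALUES = {0, 32, 64, 96, 128}  # 0 is the default (fast aging off)
PKT_THRESHOLDS = {0, 1, 3, 7, 15, 31, 63}


def validate(agingtime=256, fast_agingtime=0, pkt_threshold=0):
    """Reject values outside the ranges listed in this section."""
    if agingtime not in AGING_RANGE:
        raise ValueError(f"agingtime {agingtime} is outside 8-2032 seconds")
    if fast_agingtime not in FAST_AGING_VALUES:
        raise ValueError(f"fast_agingtime {fast_agingtime} is not allowed")
    if pkt_threshold not in PKT_THRESHOLDS:
        raise ValueError(f"pkt_threshold {pkt_threshold} is not allowed")


def purge_time(packet_times, agingtime=256, fast_agingtime=0, pkt_threshold=0):
    """Return (second, reason) at which one flow's cache entry is purged.

    packet_times holds the seconds at which packets of the flow were seen;
    the earliest packet creates the entry.
    """
    validate(agingtime, fast_agingtime, pkt_threshold)
    times = sorted(packet_times)
    created = times[0]

    # Normal aging: the entry goes once no packet is seen for agingtime seconds.
    normal = times[-1] + agingtime
    for prev, nxt in zip(times, times[1:]):
        if nxt - prev >= agingtime:
            normal = prev + agingtime
            break

    # Fast aging (assumption: window starts at creation, and the entry is
    # removed when fewer than pkt_threshold packets arrive inside it).
    if fast_agingtime:
        deadline = created + fast_agingtime
        seen = sum(1 for t in times if t < deadline)
        if deadline < normal and seen < pkt_threshold:
            return deadline, "fast aging"
    return normal, "aging"


if __name__ == "__main__":
    dns_flow = [0, 1]                  # constructed: one request, one reply
    bulk_flow = list(range(60))        # constructed: one packet per second
    print(purge_time(dns_flow))                                   # defaults
    print(purge_time(dns_flow, fast_agingtime=32, pkt_threshold=3))
    print(purge_time(bulk_flow, fast_agingtime=32, pkt_threshold=3))
```

With the defaults, the two-packet DNS flow holds its cache entry for the full aging time, while fast aging releases it at the end of the fast-aging window and leaves the sustained flow untouched.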

7.5.2: Verifying MLS Configurations

You can verify MLS configurations by using the show mls command in privileged exec mode. This command displays information about MLS on an MLS-SE, including the status of MLS; the aging time for an MLS cache entry; the fast aging time and the packet threshold for a flow; the flow mask; the total packets switched; the number of active MLS entries in the cache; whether and for which port and host NetFlow data export is enabled; and the MLS-RP IP address, MAC address, XTAG, and supported VLANs.

You can also display information about a specific MLS-RP by using the show mls rp command and specifying the IP address of the target MLS-RP.

7.5.3: External Router Support

If the switch supports an externally attached MLS-RP, the switch must be manually configured to recognize that MLS-RP. Use the following command in privileged exec mode on the switch to manually include an external MLS-RP:

Switch(enable)# set mls include ip_address

7.5.4: Switch Inclusion Lists

Use the following command in privileged exec mode to display the contents of the switch inclusion list to determine which MLS-RPs are participating in MLS with the MLS-SE:

Switch(enable)# show mls include

This command displays the IP addresses of all MLS-RPs that are participating in MLS with the MLS-SE.

7.5.5: Displaying MLS Cache Entries

Use the following command in privileged exec mode to display the MLS cache entries:

Switch(enable)# show mls entry

This command can be narrowed to show specific MLS cache entries by using certain parameters. These parameters are listed in Table 7.1.

Table 7.1: Displaying Specific MLS Cache Entries

MLS Cache Entry                    Command
Specific destination IP address    show mls entry destination ip_address
Specific source IP address         show mls entry source ip_address
Specific MLS_RP ID                 show mls entry rp ip_address
Specific IP flow                   show mls entry flow protocol source_port destination_port

Use the clear mls entry command in privileged exec mode to remove entries from the MLS cache.