© 1999, Cisco Systems, Inc. 7-1 Chapter 7 Improving IP Routing Performance with Multilayer Switching.

© 1999, Cisco Systems, Inc. 7-1

Chapter 7

Improving IP Routing Performance with

Multilayer Switching

© 1999, Cisco Systems, Inc. www.cisco.com BCMSN—7-2

ObjectivesObjectives

Upon completion of this chapter, you will be able to perform the following tasks:

• Identify network devices necessary to effect MLS

• Configure the distribution layer devices to participate in multilayer switching

• Verify existing flow information in the MLS cache

• Apply flow masks to influence the type of MLS cache entry


Improving IP Routing Performance with MLS


In this chapter, we discuss the following topics:

• Multilayer switching fundamentals

• Configuring the multilayer switch route processor

• Applying flow masks

• Configuring the Multilayer Switch Switching Engine

• MLS topology examples


Improving IP Routing Performance with MLS (cont.)

In this section we discuss the following topics:

• Multilayer Switching Fundamentals

—What is MLS

—Hardware/Software Requirements

—MLS Components

—How MLS works

—Commands that Disable MLS

• Configuring the Multilayer Switch Route Processor

• Applying Flow Masks



Defining Flows

Host B

p1

Host A

p3

11

22

• Each packet of a traditional flow must be processed by the router

• The first packet of an MLS flow is processed by the router; all subsequent packets are switched

Host B

Conventional Environment First Packet

Subsequent PacketsHost A

Multilayer Switched Environmentp2


Route Switch Module (RSM)

Cisco IOS™ Release 11.3(2)WA4(4) or Later

Internal Router ProcessorSoftware/Hardware Requirements

Catalyst 2926G, 5000, or 6000 Series Switch

Supervisor Engine III, FSX, III FLX, IIG, or IIIG Module

Supervisor Engine Software Release 4.1(1) or Later

NetFlow Feature Card (NFFC), NFFC II


Catalyst 2926G, 5000, or 6000 Series Switch

Supervisor Engine III, FSX, III FLX, IIG, or IIIG Module

Supervisor Engine Software Release 4.1(1) or Later

NetFlow Feature Card (NFFC), NFFC II

Cisco High-End Routers, such as Cisco 3620, 3640, 7500, 7200, 4500, or 4700 Series

Cisco IOS Release 11.3(2)WA4(4) or Later

External Router ProcessorSoftware/Hardware Requirements


MLS Components

MLS-SE—MultilayerSwitching Switch Engine

MLSP—Multilayer Switching ProtocolMulticast Hello Messages sent to MLS-SE by MLS-RP to Inform:• MAC addresses used on different VLANs• Routing/access—lists changes occurring on MLS-RP

Cisco85xx75XX72XX4XXX

OR

RSM

MLS-RP—Multilayer Switching Route Processor


MLS-RP Advertisement

• MLS-RP sends out multicast hello messages • Messages contain MAC, VLAN, and route information• Messages use the CGMP multicast well-known

address

Hello Message


Hello Message

• All switches receive the hello message• Layer 3 switches process the hello message• IP multicast passes transparently through non-

Cisco switches

Receiving MLSP Hello MessagesReceiving MLSP Hello Messages

Hello Message

I am not a Layer 3 Switch but I will still pass on the

message.


Assigning XTAGs

MLS-RP A MLS-RP B

• The MLS-SE assigns a unique identifier to each MSL-RP

• XTAG value is a one-byte value that the MLS-SE attaches to the MAC address

• Used to delete a specific Layer 3 entries when then MLS-RP fails or exits the network

MLS-RP C

MLS-RP A = XTAG34MLS-RP B = XTAG11MLS-RP C = XTAG28


Candidate PacketCandidate Packet

Source MAC = 0010.f663.d000Destination MAC = 0010.0679.5800

L3 InformationL3 Information


Source IP = 172.16.10.123Destination IP = 172.16.22.57

Establishing an MLS Cache Entry

• The MLS-SE receives initial frame

• The MLS-SE reads and recognizes the destination MAC Address

• The MLS-SE checks the MLS cache for like entries

• The MLS-SE forwards the frame to the MLS-RP

11

22

33

44

B

0010.0679.5800172.16.68.13

0090.b133.7000172.16.22.57

11

22 33Cache Entry?

A

0010.f663.d000172.16.10.123

44


B

0010.0679.5800172.16.68.13

0090.b133.7000172.16.22.57

A

0010.f663.d000172.16.10.123

Source MAC = 0010.0679.5800Destination MAC = 0090.b133.7000

Enable PacketEnable Packet




Establishing an MLS Cache Entry (cont.)

• The MLS-RP receives the frame and consults the routing table

• The MLS-RP rewrites the header with the new destination MAC address

• The MLS-RP enters its own MAC address for the source address

• The MLS-RP forwards the frame to the MLS-SE

55

66

77

88

55

66 88

77


MLS-RP IP MLS-RP ID XTAG MLS-RP MAC-Vlans172.16.68.13 001006795800 28 00-10-67-95-80-00 1,41,42

Establishing an MLS Cache Entry (cont.)

A B0010.f663.d000

172.16.10.123

0010.0679.5800172.16.68.13

0090.b133.7000172.16.22.57

MLS Cache

Candidate Packet XTAG = 28

• The MLS-SE receives the frame

• The MLS-SE compares the XTAGs of the candidate and enable packets

• The MLS-SE records the enable packet information in the MLS cache

• The MLS-SE forwards the frame to the destination

99

1010

1111

1212

99

Enable Packet XTAG = 28 1010

1212

Destination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port172.16.22.57 172.16.10.123 UDP 1238 60224 00-90-b1-33-70-00 45 2/9

MLS Cache Entry1111


Switching Subsequent Frames in a Flow

• The MLS-SE receives subsequent frames in the flow

• The MLS-SE compares the incoming frame with the MLS cache entry

• The MLS-SE rewrites the frame header

• The MLS-SE forwards the frame to the destination

1313

1414

1515

1616

Incoming FrameIncoming Frame





Destination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port172.16.22.57 172.16.10.123 UDP 1238 60224 00-90-b1-33-70-00 45 2/9

MLS Cache Entry




Rewritten FrameRewritten Frame


0010.f663.d000172.16.10.123

0090.b133.7000172.16.22.57

A B

1313

1414

1515

1616


A B

Commands that Disable MLS

• no ip routing

• ip security (all forms of this command)

• ip tcp compression-connections

• ip tcp header-compression

All MLS Cache Entries Purged

• Any command that requires the router to process the packet will disable MLS






—Enabling MLS on a route processor

—Configuring an External Interface

—Configuring an Internal Interface

—Verifying the Configuration



• MLS Topology Examples


Enabling MLS on the MLS-RP

Router(config)#mls rp ipRouter#show mls rpmultilayer switching is globally enabledmls id is 0010.f6b3.d000mls ip address 172.16.31.113

• Globally enabling MLS on a router activates the MLSP protocol for that route processor


Router(config)#int ethernet 0Router (config-if)#mls rp vlan-id 41

Assigning a VLAN ID to an Interface on an External Router

• This command is required on external routers with a non-ISL interface only

E0VLAN41


Router(config)#int vlan41Router(config-if)#mls rp vtp-domain bcmsn

Assigning an MLS Interface to a VTP Domain

• The RSM automatically maps a VLAN to an internal interface

Router#show mls rpmultilayer switching is globally disabledmls id is 0010.f6b3.d000mls ip address 172.16.1.141mls flow mask is destination-ipnumber of domains configured for mls 1

vlan domain name: bcmsn

bcmsnVTP Domain


Verifying the MLS VTP Domain

Router#show mls rp vtp-domain bcmsnvlan domain name: bcmsn vlan domain name: bcmsn current flow mask: destination-ip current sequence number: 779898042 current/maximum retry count: 0/10 current domain state: no-change current/next global purge: false/false current/next purge count: 0/0 domain uptime: 6d05h keepalive timer expires in 6 seconds retry timer not running change timer not running

• The show mls rp vtp-domain command displays information about a specific VTP domain

• Each interface belongs to only one VTP domain


Router(config)#int vlan41Router(config-if)#mls rp vtp-domain bcmsnRouter(config-if)#mls rp ip

Enabling MLS on an Interface

Router#show mls rp(text deleted)

2 mac-vlan(s) configured for multi-layer switching: mac 0010.f6b3.d000 vlan id(s) 1 41

• MLS must be explicitly entered on the interface


Router(config)#int vlan41Router(config-if)#mls rp ip

Problem: Creating a Null Domain

• Enabling MLS on an interface before assigning the interface in a VTP domain places the interface in a null domain

• When in a null domain, the interface cannot interact with any switches

-null-Domain

Router#show mls rpmultilayer switching is globally enabled(text deleted)number of domains configured for mls 2vlan domain name: -null-(text deleted)vlan domain name: bcmsn

bcmsnVTP Domain


bcmsnVTP Domain

Solution: Removing an Interface from a Null VTP Domain

• Disabling MLS on an interface removes the interface from a null domain

Router(config)#int vlan41Router(config-if)#no mls rp ip

Router#show mls rpmultilayer switching is globally enabled(text deleted)number of domains configured for mls 1

vlan domain name: bcmsn


Router(config)#int vlan1Router(config-if)#mls rp ip management-interface

Assigning an MLS Management Interface

• At least one interface on the MSL-RP must be configured as the management interface

Router#show mls rp(text deleted)

1 management interface(s) currently defined: vlan 1 on Vlan1


Verifying the MLS-RP Configuration

This MAC address appears in the MLS Cache

The domain name must match with the MLS-SE

The interface sending MLSP messages

The number of switches for which the MLS-RP is routing

Router#show mls rpMultilayer switching is globally enabledmls id is 0010.f6b3.d000mls ip address 172.16.1.142mls flow mask is destination-ipnumber of domains configured for mls 1vlan domain name: bcmsn current flow mask: destination-ip current sequence number: 779898001 current/maximum retry count: 0/10 current domain state: no-change current/next global purge: false/false current/next purge count: 0/0 domain uptime: 00:21:40 keepalive timer expires in 6 seconds retry timer not running change timer not running1 management interface(s) currently defined:vlan 1 on Vlan1 2 mac-vlan(s) configured for multi-layer switching: mac 0010.f6b3.d000

vlan id(s) 1 41 42

router currently aware of following 0 switch(es):

The IP Address given to the MLS-SE


Verifying the MLSP-RP Interface Configuration

RSM#show mls rp interface vlan1

mls active on Vlan1, domain bcmsninterface Vlan1 is a management interface







—What is a Flow Mask?

—Types of Flow Masks

—Output Access Lists and MLS

—Input Access lists and MLS



Flows from MLS-RP A, MLS-RP B, and MLS-RP C Are Based on Criteria from MLS-RP C

MLS Flow Masks

MLS-RP AMLS-RP A

MLS-RP BMLS-RP BNo Access List

Standard Access List

MLS-RP CMLS-RP C

Extended Access List


Flow Mask: Destination-IP

MLS-RP A

No Access List

interface Vlan41 ip address 172.16.41.168 255.255.255.0 mls rp vtp-domain bcmsn mls rp management-interface mls rp ip

Flow Mask

multilayer switching is globally enabledmls id is 0010.f6b3.d000mls ip address 172.16.41.168mls flow mask is destination-ip number of domains configured for mls 1vlan domain name: bcmsn current flow mask: destination-ip


Flow Mask: Source-Destination-IP

Standard Access List

Flow Mask

interface Vlan11 ip address 172.16.11.113 255.255.255.0 ip access-group 2 out mls rp vtp-domain bcmsn mls rp management-interface mls rp ip

Router#show mls rp multilayer switching is globally enabledmls id is 0010.f6b3.d000mls ip address 172.16.31.113mls flow mask is source-destination-ipnumber of domains configured for mls 1vlan domain name: Engineering current flow mask: source-destination-ip

MLS-RP B


Extended Access List

Flow Mask

MLS-RP C

Flow Mask: IP-Flow

interface Vlan11 ip address 172.16.11.113 255.255.255.0 ip access-group 101 out mls rp vtp-domain bcmsn mls rp management-interface mls rp ip

multilayer switching is globally enabledmls id is 0010.f6b3.d000mls ip address 172.16.31.113mls flow mask is ip-flownumber of domains configured for mls 1vlan domain name: Engineering current flow mask: ip-flow


Output Access Lists and MLS

ip access-group 101 out

A B0010.f663.d000

172.16.10.123

0010.0679.5800172.16.68.13

0090.b133.7000172.16.22.57

MLS Cache Entries for Flow AB Are Purged


A B0010.f663.d000

172.16.10.123

0010.0679.5800172.16.68.13

0090.b133.7000172.16.22.57

Output Access Lists and MLS (cont)

New MLS Cache EntryNew MLS Cache Entryfor Flow ABfor Flow AB

ip access-group 101 out

Candidate PacketCandidate Packet






Enable PacketEnable Packet




Destination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port172.16.22.57 172.16.10.123 TCP 7001 7004 00-90-b1-33-70-00 68 2/9


Input Access Lists and MLS

• All subsequent packets between A and B on that interface are routed

ip access-group 101 in

A B0010.f663.d000

172.16.10.123

0010.0679.5800172.16.68.13

0090.b133.7000172.16.22.57

MLS Cache Entries for Flow AB Are Purged


Supporting Input Access Lists

Router(config)#mls rp ip input-acl

Router#sho runBuilding configuration...

Current configuration:!version 11.3(Text Deleted)mls rp nde-address 172.16.31.113mls rp ip input-aclmls rp ip

A B

L3 Switched for Flow AB

ip access-group 101 in








— Enabling MLS on the Switch

— Aging out Cache Entries

— Managing Short-Lived Flows

— Adding External Router MLS Ids

— Verifying the Configuration

• MLS Topology Examples


Enabling MLS on the MLS-SE

Switch(enable)#set mls enable

Switch (enable)#show config(Text Deleted)#mlsset mls enable

• Must be enabled before a switch can participate in MLS• Automatically enabled on MLS-capable switches


A0010.f663.d000

172.16.10.123

0010.0679.5800

Aging Out Cache Entries

I haven’t seen any packets for this entry within

256 seconds. I willdelete this entry from the cache

I haven’t seen any packets for this entry within

256 seconds. I willdelete this entry from the cache

B0090.b133.7000172.16.22.57

Destination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port172.16.46.122 172.16.10.123 00-90-b1-33-70-00 3 2/8

MLS Cache EntryMLS Cache Entryfor Flow ABfor Flow AB


Modifying the Cache Aging Time

Switch(enable)show config(Text Deleted)#mlsset mls enableset mls agingtime 304

• MLS-SE automatically “rounds up” in 8-second increments

Switch (enable)#set mls agingtime 297Multilayer switching agingtime set to 304


A0010.f663.d000

172.16.10.123

0010.0679.5800

Managing Short-Lived Flows

DNS Server

DNS Response

0010.7bee.9501172.16.46.122

Destination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port172.16.46.122 172.16.10.123 TCP DNS DNS 00-10-7b-ee-95-01 3 2/8172.16.10.123 182.16.46.122 TCP DNS DNS 00-10-16-63-d0-00 3 2/6

DNS Request

• Short-lived flows entries take up MLS cache space even though there is no flow activity

I haven’t seen any packetsfor this entry for over 10

seconds but I still must keep these entries in the cache for

the default aging time.

I haven’t seen any packetsfor this entry for over 10

seconds but I still must keep these entries in the cache for

the default aging time.


Modifying agingtime fast

Switch (enable)#set mls agingtime fast 64 7

Switch (enable)show config(Text Deleted)#mlsset mls enableset mls agingtime 304set mls agingtime fast 64 7

• agingtime fast sets a threshold for cache entries• agingtime fast removes entries from the cache if the

threshold has been crossed.


Verifying the Configuration

Switch (enable) show mls

Multilayer switching enabledMultilayer switching aging time = 304 secondsMultilayer switching fast aging time = 64 seconds, packet threshold = 7Full flowTotal packets switched = 101892Active shortcuts = 2138Netflow Data Export disabledNetflow Data Export port/host is not configured.Total packets exported = 0

MLS-RP IP MLS-RP ID XTAG MLS-RP MAC-Vlans--------- ----------- ---- ------------------------172.16.41.168 0010f6b3d000 28 00-10-f6-b3-d0-00 1,41-42


Switch (enable) set mls include 172.16.41.168Multilayer switching enabled for router 172.16.41.168

Including an External Router MLS IP Address

• Required for external routers

Interface FE 0 172.16.41.168


Displaying the Switch Inclusion List

17.16.1.142

17.16.41.168

Switch (enable) show mls includeIncluded MLS-RP----------------------172.16.1.142 172.16.41.168

Automatically Added Internal Route Processor

Manually Added External Route Processor


Display MLS Cache Entries

Switch (enable) show mls entry

Destination IP Source IP Prot DstPrt SrcPrt Destination Mac Vlan Port--------------- --------------- ---- ------ ------ ----------------- ---- -----MLS-RP 172.16.1.142:172.16.53.1 172.16.87.3 UDP 1238 60224 00-10-7b-ee-94-70 1 2/9172.16.53.1 172.16.87.3 UDP 69 60224 00-10-7b-ee-94-70 1 2/9172.16.53.1 172.16.87.3 UDP 69 36776 00-10-7b-ee-94-70 1 2/9

MLS-RP 172.16.41.168:172.16.41.17 172.16.53.1 UDP 60224 1238 00-00-0c-06-5b-1e 41 2/1172.16.41.17 172.16.53.1 UDP 36776 69 00-00-0c-06-5b-1e 41 2/1


Removing MLS Cache Entries

Switch (enable) clear mls entry destination 172.16.1.142

Switch (enable) show mls entryDestination IP Source IP Prot DstPrt SrcPrt Destination Mac Vlan Port--------------- --------------- ---- ------ ------ ----------------- ---- -----MLS-RP 172.16.41.168:172.16.41.17 172.16.53.1 UDP 60224 1238 00-00-0c-06-5b-1e 41 2/1172.16.41.17 172.16.53.1 UDP 36776 69 00-00-0c-06-5b-1e 41 2/1








• MLS Topologies

—Topology Examples

—Topology Quiz

—Unsupported Topology

—Topology Changes and Routing Impacts


MLS Topology Example 1

R2MLS-RP

BR2R2R1 MLS-SE

A

• Host A sends a packet to the default gateway• R1 rewrites the frame header to reflect the destination as

the next-hop router (R2)• MLS-SE forwards the frame to R2• R2 rewrites the frame header to reflect the destination as

Host B• MLS-SE forwards the frame to Host B• All subsequent frames are switched

11

22

33

44

55

11 22

33

44

66

55

66


MLS Topology Example 2 MLS-RP

MLS-SE3

MLS-SE2

MLS-SE1

A B

• Host A sends a packet to the default gateway

• MLS-SE1 forwards the frame to MLS-SE2


• MLS-SE3 forwards the frame to MLS-RP1

• MLS-RP1 rewrites the frame header and

forwards the frame to MLS-SE3



• MLS-SE1 forwards the frame to Host B

• All subsequent frames are switched

through MLS-SE1

• Entries in MLS-SE2 and 3 time out

11

22

33

44

55

66

77

88

99

1010

11

22

33

44 55

66

77

88

99

1010

1010


Quiz: MLS Topology Example

BA

MLS-RP

S1

S2

S6S5

S4 S7

Port inBlocking State

S3

• Original MLS path was AA S4 S4 S2 S2 S1 S1 S3 S3 S7 S7BB• Spanning tree blocked the link between S1 and S3• What is the next available MLS path?

XX


Answer: MLS Topology Example

BA

MLS-RP

S1

S2

S6S5

S4 S7

Port inblocking state

S3

XX

• First packet path = AA S4 S4 S2 S2 S1 S1 S2 S2 S3 S3 S7 S7 B B• Subsequent packet path = AA S4 S4 S2 S2 S3 S3 S7 S7 B B


Unsupported MLS Topology

BA

VLAN41 VLAN42

RSM1 RSM2


Unsupported MLS Topology—Solution 1

BA

VLAN 41 VLAN 42

ISL Link

• Configure an ISL link from MLS-SE1 to MLS-RP1 to carry both VLAN41 and VLAN42

MLS-RP 2

MLS-SE 2

MLS-RP 1

MLS-SE 1


VLAN 41 VLAN 42

Unsupported MLS Topology—Solution 2

• Configure a second link from MLS-SE1 to MLS-RP1 to route for Subnet 42

Link 1

MLS-RP 2

MLS-SE 2

BA

MLS-RP 1

MLS-SE 1

Link 2


C 172.16.68.0 is directly connected, VLAN41C 172.16.22.0 is directly connected, VLAN 42

Impact of a Host Move on the MLS Cache

A

B

MLS-RP

Destination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port--------------- --------------- ------ -------- ------ ---------------------- ------ ------172.16.22.57 172.16.10.123 TCP 7001 7003 00-90-b1-33-70-00 12 2/4

MLS Port Designation

172.16.10.123

172.16.22.57

Interface VLAN41 Interface VLAN42

Port 2/4

• Station A is Layer 3 switching through port 2/4 to Station B


Port 2/7

Impact of a Host Move on the MLS Cache (cont.)

Flush EntryFrom MLS Cache

CandidatePacket

Enabled Packet

A

B

MLS-RP

Interface VLAN41


172.16.10.123

172.16.22.57

Interface VLAN42

Destination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port--------------- --------------- ------ -------- ------ ---------------------- ------ ------


• Station B is moved to port 2/7

• The MLS cache is flushed


Impact of a Host Move on the MLS Cache (cont.)

New MLS Cache Entry

C 172.16.68.0 is directly connected, Vlan11C 172.16.22.0 is directly connected, Vlan 12


A

B

MLS-RP


172.16.10.123

172.16.22.57

Interface VLAN41 Interface VLAN42

Destination IP Source IP Port DstPrt SrcPrt Destination Mac Vlan Port--------------- --------------- ------ -------- ------ ---------------------- ------ ------172.16.22.57 172.16.10.123 TCP 7001 7003 00-90-b1-33-70-00 41 2/7

• A new MLS cache entry is established

• Station A is Layer 3 switching through port 2/7 to Station B

Port 2/7


Laboratory Exercise: Visual Objective

Switch Block X

VLAN x1

VLAN x3

VLAN x2

VLAN x4

Multilayer Switched IP Flow


Summary Summary

• Multilayer switching enhances IP routing performance

• Cisco MLS switches consists of both routing and switching entities that function together to effect MLS

• MLS identifies and maintains a separate cache entry for each MLS flow

• Flow mask determine how MLS entries are created in the MLS cache

• The presence or absence of ACLs determine the flow mask used

• Changes to the routing table in the MLS-RP may or may not affect MLS cache entries.


Review Review

• Explain how the routing and switching functions of a Cisco MLS switch work together to enable multilayer switching.

• Describe the three flow mask modes and the impact ACLs have on those modes.

• Discuss how various router/switch configuration can effect multilayer switching.

© 1999, Cisco Systems, Inc. 7-1 Chapter 7 Improving IP Routing Performance with Multilayer Switching.

Documents

mlsrp cisco

mlsrp advertisement

mls flow

network mlsrp c mlsrp

mlsse forwards

xtag34 mlsrp b

mlsse attaches

cisco systems