Verifying the MLS Configuration
After all the pieces have been configured, you can issue the show mls rp command to view the MLS status and information on the router. The main command has two options. All three commands are shown here:

    show mls rp
        Displays global MLS information.
    show mls rp interface interface
        Displays interface-specific MLS information.
    show mls rp vtp-domain domain_name
        Displays MLS information for the VTP domain.

Here is an example of the global command:

    Terry_2620#show mls rp
    multilayer switching is globally enabled
    mls id is 0010.a6a9.3400
    mls ip address 172.16.21.4
    mls flow mask is destination-ip
    number of domains configured for mls 1

    vlan domain name: test
      current flow mask: destination-ip
      current sequence number: 3041454903
      current/maximum retry count: 0/10
      current domain state: no-change
      current/next global purge: false/false
      current/next purge count: 0/0
      domain uptime: 00:34:35
      keepalive timer expires in 4 seconds
      retry timer not running
      change timer not running
      fcp subblock count = 1

      1 management interface(s) currently defined:
        vlan 10 on FastEthernet4/0

      1 mac-vlan(s) configured for multi-layer switching:
        mac 0010.a6a9.3470
          vlan id(s)
          10

      router currently aware of following 1 switch(es):
        switch id 00-e0-4e-2d-43-ef
    Terry_2620#

Here's an example of the interface option:

    Terry_2620#show mls rp interface fastethernet 4/0
    mls active on FastEthernet4/0, domain test
    interface FastEthernet4/0 is a management interface
    Terry_2620#

These are the show commands, and as with any IOS, there are debugging opportunities. Table 18.1 provides a summary of the debug commands available for MLS troubleshooting.

TABLE 18.1 MLS Debug Command Summary

    Command            Description
    all                Performs all MLS debugging
    error              Displays information about MLS errors
    events             Displays information from MLS events
    ip                 Displays IP MLS events
    locator            Displays MLS locator information
    packets            Displays information for all MLS packets
    verbose packets    Displays information on all MLS verbose packets

Chapter 18 Multilayer Switching (MLS)

Access Control Lists (ACLs)

It's not unusual to want to use an access control list (ACL) to filter traffic from one VLAN to another, especially if one VLAN needs higher security than the others do. The problem is that you usually want every packet to be examined by the access control list, whereas with MLS only the first packet of a flow is forwarded to the router; the switch handles the rest.

Until IOS release 12.0(2), inbound access control lists were not supported: if a router interface had an inbound access control list applied, MLS was disabled on it. With versions after 12.0(2), inbound access control lists are supported, but the support is not enabled by default. Use the command mls rp ip input-acl from global configuration mode to enable the router to use MLS with inbound access control lists.

Outbound access control lists are a little more problematic. Although they have always been supported, applying the access control list to an interface clears the MLS cache information for connections passing through that interface, and another packet must be forwarded to the router to start the MLS process again. Also, outbound lists that use any of the following features will disable MLS on the interface to which they are applied:

    TOS
    Established
    Log
    Precedence
    Reflexive

This is because these features require the router to examine every packet. Because they tend to be more security related than a simple access control list often is, using them disables MLS on the interface in question.

Configuring the MLS Switch Engine

The configuration of MLS on a switch is very simple. MLS is on by default for the 6000. The only time when it is necessary to perform configuration tasks on the MLS-SE is when you
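The ACL section above describes two ways an access list silently turns MLS off on an interface: an inbound ACL without mls rp ip input-acl, and an outbound ACL using TOS, established, log, precedence or reflexive features. The audit script below is an added example, not from the book or Cisco; it parses a constructed IOS-style configuration (numbered ACLs only, interface mls rp ip command assumed) and reports interfaces whose ACLs would keep traffic on the slow path to the router.

```python
import re

# Keywords the page lists as disabling MLS when used in an outbound ACL.
# 'reflect'/'evaluate' are the IOS keywords behind reflexive ACLs and
# 'log-input' is the other logging variant (assumed additions).
MLS_DISABLING_KEYWORDS = {"tos", "established", "log", "log-input",
                          "precedence", "reflect", "evaluate"}

# Constructed sample configuration (not from the page); addresses mirror the
# page's example router. ACL 102 is a plain filter; 101 and 103 use features
# the page lists as disabling MLS on the interface they are applied to.
SAMPLE_CONFIG = """\
mls rp ip
access-list 101 permit tcp any any established
access-list 102 permit ip 172.16.10.0 0.0.0.255 any
access-list 103 deny ip any any log
interface FastEthernet4/0
 ip address 172.16.21.4 255.255.255.0
 mls rp ip
 ip access-group 102 in
 ip access-group 101 out
interface FastEthernet4/1
 ip address 172.16.22.1 255.255.255.0
 mls rp ip
 ip access-group 103 out
"""

def parse_config(config):
    """Collect numbered ACL entries, per-interface access-groups and the global input-acl flag."""
    acls, interfaces, input_acl_enabled, current = {}, {}, False, None
    for line in config.splitlines():
        if line.strip() == "mls rp ip input-acl":
            input_acl_enabled = True
        elif m := re.match(r"^access-list (\S+) (.+)$", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif m := re.match(r"^interface (\S+)", line):
            current = interfaces.setdefault(m.group(1), {})
        elif (m := re.match(r"^\s+ip access-group (\S+) (in|out)\s*$", line)) and current is not None:
            current[m.group(2)] = m.group(1)   # direction -> ACL number
    return acls, interfaces, input_acl_enabled

def audit(config):
    """Return (interface, reason) pairs where an applied ACL disables MLS."""
    acls, interfaces, input_acl_enabled = parse_config(config)
    findings = []
    for name, groups in interfaces.items():
        if "in" in groups and not input_acl_enabled:
            findings.append((name, f"inbound ACL {groups['in']} applied but "
                                   "'mls rp ip input-acl' is not configured"))
        if "out" in groups:
            entries = acls.get(groups["out"], [])
            hits = sorted({tok for e in entries for tok in e.split()
                           if tok in MLS_DISABLING_KEYWORDS})
            if hits:
                findings.append((name, f"outbound ACL {groups['out']} uses {', '.join(hits)}"))
    return findings

if __name__ == "__main__":
    for iface, reason in audit(SAMPLE_CONFIG):
        print(f"{iface}: {reason}")
```

Running it on the sample reports three findings; prepending the global mls rp ip input-acl line clears the inbound one and leaves only the two outbound ACLs, which need rewriting without the flagged features if MLS is wanted on those interfaces.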