MLS

I think those used to be my favorite questions on the old CCNA exam, because Security Device Manager was such an intuitive GUI to navigate. There is a similar tool, ASDM, for ASAs that can make life so much easier on them, but getting the exact Java version / OS combination down for it to work can make you pull your hair out.

/rant

Switching Device Manager is also, and more importantly for SWITCH, a function on Multilayer Switches (MLS), as seen in the icon above, that lets you use templates to allocate the switch's resources to suit its role in the network, whether that role is more routing-intensive or more switching-intensive (and more).

The best part, and I mean the absolute bee's knees, is that they are pre-defined. For those who took the CCNA Security “version 1”, your materials may have included a section on creating profile templates for user access on the router from the CLI. I forget the exact name now, but trying to remember the maze of syntax to assign permissions was mind-boggling. So when you see “Templates” here, all you have to do is choose from the existing list:

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#sdm pref ?
access Access bias
default Default bias
dual-ipv4-and-ipv6 Support both IPv4 and IPv6
routing Unicast bias
vlan VLAN bias

SW1(config)#sdm pref routing ?
<cr>

SW1(config)#sdm pref vlan ?
<cr>

SW1(config)#sdm pref access ?
<cr>

SW1(config)#

So as you can see these are very straightforward: there is no extra syntax after the role, so if you get a set of answers with anything beyond a single word after “sdm prefer (role)” in global configuration mode, it is an incorrect answer ***UNLESS IT IS THE DUAL-IPV4-AND-IPV6 OPTION***!

This isn’t just a function of 15.x IOS either; I checked it on the 3560 running 12.2 and it has SDM templates as well, so I believe it is simply an MLS function regardless of the IOS version.

By default, as you might guess, the SDM template is “default”. I will go through them bullet-point style with an explanation of the different roles, then configure some and go through the commands and gotchas on the topic:

  • Access = Dedicates resources to the maximum number of ACLs; I think of this one as the “Security Template” for obvious reasons
  • Default = All resources are shared across all walks of life; the default template
  • Dual-ipv4-and-ipv6 = This gives more resources to “Dual-Stacking” within a network, essentially giving extra resources to help the IPv4 and IPv6 transmissions between hosts on the LAN
  • Routing = Dedicates resources to IPv4 “Unicast” routing
  • VLAN = Dedicates more resources to CAM table growth for the maximum number of unicast MAC entries, but completely takes away routing from the switch!

So a couple of things to watch there: “Default” is of course the default template, and dual-ipv4-and-ipv6 should scream “I am used for some sort of IPv6 network”; however, the last one is a big one to watch because it completely disables Layer 3 routing on the switch!

So I’ll bullet point the commands here quick, including the one you saw above, and we’ll look at a couple of Templates:

  • “show sdm prefer” – In user exec
  • “sdm prefer (role)” – In global config
  • “wr mem, reload” – To load into the new template

That is one thing I don’t know that I’ve mentioned: when changing a template you will need to reload the switch, and at the time this was written that is completely unavoidable, with no other way to apply the change with less impact.

So let’s take a look at the Default template to begin with:

SW1#sh sdm pref
The current template is “desktop default” template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv6 multicast groups: 0
number of IPv6 unicast routes: 0
number of directly-connected IPv6 addresses: 0
number of indirect IPv6 unicast routes: 0
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 20
number of IPv6 security aces: 25

SW1#

So by default this is pretty hefty: 6K MAC addresses / hosts supported, 4K unicast routes, etc. However, we do have some 0s in there, and a lot of them are in the IPv6 fields, so let’s change it to “dual-ipv4-and-ipv6” to see what it looks like:

SW1#conf t
Enter configuration commands, one per line. End with CNTL/Z.
SW1(config)#sdm prefer dual
SW1(config)#sdm prefer dual-ipv4-and-ipv6
% Incomplete command.

SW1(config)#sdm prefer dual-ipv4-and-ipv6 ?
default Default bias
routing Unicast bias
vlan VLAN bias

Well, look what I found: of course the one role I didn’t check has options for a bias, which means it will dedicate its IPv6 resources towards either L2 or L3, and I assume “default” means it takes some resources away from IPv4 and adds them to IPv6, so we will use that as the bias:

SW1(config)#sdm prefer dual-ipv4-and-ipv6 default
Changes to the running SDM preferences have been stored, but cannot take effect
until the next reload.
Use ‘show sdm prefer’ to see what SDM preference is currently active.
SW1(config)#

So it tells you right there that on the next reload it will run the new template, and gives the command to see the current one, so let’s see how the current one may have changed:

SW1(config)#do sh sdm prefer
The current template is “desktop default” template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv6 multicast groups: 0
number of IPv6 unicast routes: 0
number of directly-connected IPv6 addresses: 0
number of indirect IPv6 unicast routes: 0
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 20
number of IPv6 security aces: 25

On next reload, template will be “desktop IPv4 and IPv6 default” template.

SW1(config)#

Shazam! So we can see whether a new role has been selected for the switch upon reload, as well as what it is currently running, so I’ll do a reload and check out the new template figures:

SW1#sh sdm prefer
The current template is “desktop IPv4 and IPv6 default” template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 2K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 3K
number of directly-connected IPv4 hosts: 2K
number of indirect IPv4 routes: 1K
number of IPv6 multicast groups: 1.125k
number of IPv6 unicast routes: 3K
number of directly-connected IPv6 addresses: 2K
number of indirect IPv6 unicast routes: 1K
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 0.625k
number of IPv6 security aces: 0.5K

SW1#

Looks like we now have a bit of resources everywhere except PBR ACEs (Access Control Exceptions). I won’t go too far down the rabbit hole of looking at ALL of them, however I do want to load the VLAN template to see what the table looks like with routing resources turned off:

SW1#sh sdm prefer
The current template is “desktop vlan” template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 12K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 0
number of IPv6 multicast groups: 0
number of IPv6 unicast routes: 0
number of directly-connected IPv6 addresses: 0
number of indirect IPv6 unicast routes: 0
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 20
number of IPv6 security aces: 25

SW1#

I am not quite clear on the IGMP / multicast groups still being allowed to have routes, but notice unicast routing is indeed toast (node-to-node IP communication).
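Since the two gotchas in this post (a template staged but not active until reload, and the VLAN template silently removing Layer 3 forwarding) both show up only in the text of “show sdm prefer”, here is an added example, not part of the original post and not Cisco’s code, that parses that output and flags them. The sample output is transcribed from the transcripts above (the default template with a pending change, and the vlan template); the assumption that the K suffix means 1024 entries is mine, chosen because it is the only reading that makes values like 0.625k and 1.125k whole numbers.

```python
import re

# Sample output transcribed from the two 'show sdm prefer' transcripts in this
# post (constructed inline so the script runs offline): the desktop default
# template with a change queued for the next reload, and the desktop vlan template.
PENDING_OUTPUT = """\
The current template is "desktop default" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 6K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 8K
number of directly-connected IPv4 hosts: 6K
number of indirect IPv4 routes: 2K
number of IPv6 multicast groups: 0
number of IPv6 unicast routes: 0
number of directly-connected IPv6 addresses: 0
number of indirect IPv6 unicast routes: 0
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 20
number of IPv6 security aces: 25

On next reload, template will be "desktop IPv4 and IPv6 default" template.
"""

VLAN_OUTPUT = """\
The current template is "desktop vlan" template.
The selected template optimizes the resources in
the switch to support this level of features for
8 routed interfaces and 1024 VLANs.

number of unicast mac addresses: 12K
number of IPv4 IGMP groups + multicast routes: 1K
number of IPv4 unicast routes: 0
number of IPv6 multicast groups: 0
number of IPv6 unicast routes: 0
number of directly-connected IPv6 addresses: 0
number of indirect IPv6 unicast routes: 0
number of IPv4 policy based routing aces: 0
number of IPv4/MAC qos aces: 0.5K
number of IPv4/MAC security aces: 1K
number of IPv6 policy based routing aces: 0
number of IPv6 qos aces: 20
number of IPv6 security aces: 25
"""

# The CLI prints template names in straight quotes; a pasted copy may carry
# curly ones, so both are accepted.
_CURRENT_RE = re.compile(r'The current template is ["“](.+?)["”] template\.')
_PENDING_RE = re.compile(r'On next reload, template will be ["“](.+?)["”] template\.')
_SCALE_RE = re.compile(r'(\d+) routed interfaces and (\d+) VLANs')
_RESOURCE_RE = re.compile(r'^number of (.+?):\s*([\d.]+)\s*([Kk]?)\s*$', re.MULTILINE)


def _to_count(number, suffix):
    # Assumption: K means 1024 entries (0.625k -> 640, 1.125k -> 1152).
    return int(round(float(number) * (1024 if suffix else 1)))


def parse_sdm_prefer(text):
    """Turn 'show sdm prefer' output into template names and per-resource counts."""
    current = _CURRENT_RE.search(text)
    pending = _PENDING_RE.search(text)
    scale = _SCALE_RE.search(text)
    return {
        "current": current.group(1) if current else None,
        "pending": pending.group(1) if pending else None,
        "routed_interfaces": int(scale.group(1)) if scale else None,
        "vlans": int(scale.group(2)) if scale else None,
        "resources": {name: _to_count(num, k) for name, num, k in _RESOURCE_RE.findall(text)},
    }


def routing_disabled(info):
    """True when the active template reserves no IPv4 unicast route entries."""
    return info["resources"].get("IPv4 unicast routes", 0) == 0


def assess(info):
    """Findings a change reviewer would want called out before and after a reload."""
    findings = []
    if routing_disabled(info):
        findings.append("L3 unicast routing is off under template '%s'" % info["current"])
    if info["resources"].get("IPv6 unicast routes", 0) == 0:
        findings.append("no IPv6 unicast route entries: IPv6 is not routed by this template")
    if info["pending"] and info["pending"] != info["current"]:
        findings.append("template '%s' is staged but needs a reload to take effect" % info["pending"])
    return findings


if __name__ == "__main__":
    for label, sample in (("pending change", PENDING_OUTPUT), ("vlan", VLAN_OUTPUT)):
        info = parse_sdm_prefer(sample)
        print(label, info["current"], "->", info["pending"])
        for finding in assess(info):
            print("  -", finding)
```

Run against a saved capture of the command, the staged-but-not-active finding is the one to check before closing a change ticket, and the routing-off finding is what you want in a post-reload check so a VLAN template does not quietly take an SVI-routed segment off the air.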

I think that wraps it up for SDM templates, very easy couple of commands, and the roles are pretty intuitive so there you have it!