Figure 11.5: An MLS switch and two MLS routers.

IP Access Lists and MLS Interaction

When an inbound access list is applied to an interface, that interface cannot be used for MLS. An outbound access list applied to an interface does not affect MLS.

When MLS is enabled, standard and extended access lists are handled at wire speed. Any change to an access list on an interface used for MLS takes effect immediately after it is applied, whether on the MLS-SE, on an internal route processor, or on an external router.

If the MLS-SE has already established a flow and a new access list is created on the MLS-RP, the MLS-SE learns of the change through MLSP. The flow mask changes immediately and the cache entries are purged from the MLS cache on all MLS-SEs. Any new flows are then created based on the new access list information.

IP-Flow Flow Mask

The IP-flow flow mask is the most stringent of all flow masks. It is used when any of the MLS-RPs has an extended access list configured on it, as shown in Figure 11.6. Router C contains an extended access list, and because of it the IP-flow flow mask is used for all flows. The MLS-SE creates a separate MLS cache entry for every IP flow. An IP-flow entry contains the source IP address, destination IP address, protocol, and protocol interfaces.
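The two sections above describe behaviour rather than configuration, so the following is an added illustration, not code from the book or from Cisco: a small Python model of an MLS-SE flow cache. It shows how the flow mask chooses which packet fields form the cache key, why an extended access list on one MLS-RP (router C) forces the ip-flow mask on every flow, and how the MLSP notification purges the cache. The class and field names, the sample addresses and the scenario are constructed for this example; the page only names the ip-flow mask, so the two less stringent masks and their trigger conditions are an assumption taken from general Cisco MLS documentation.

```python
from dataclasses import dataclass, field
from typing import Optional

# Packet fields used as the cache key by each flow mask, ordered least to
# most stringent. The page names only "ip-flow"; the other two are an
# assumption from general Cisco MLS documentation.
FLOW_MASKS = {
    "destination-ip": ("dst",),
    "source-destination-ip": ("src", "dst"),
    "ip-flow": ("src", "dst", "proto", "sport", "dport"),
}
STRINGENCY = list(FLOW_MASKS)  # index = how stringent a mask is


@dataclass
class Interface:
    name: str
    inbound_acl: Optional[str] = None
    outbound_acl: Optional[str] = None


def mls_eligible(intf: Interface) -> bool:
    """Rule from the text: an inbound access list removes the interface
    from MLS; an outbound access list does not."""
    return intf.inbound_acl is None


@dataclass
class MlsRouter:
    name: str
    acls: dict = field(default_factory=dict)  # acl name -> "standard" | "extended"

    def required_mask(self) -> str:
        # Page: an extended ACL on any MLS-RP forces ip-flow. The standard-ACL
        # and no-ACL cases are the assumed defaults described above.
        kinds = set(self.acls.values())
        if "extended" in kinds:
            return "ip-flow"
        if "standard" in kinds:
            return "source-destination-ip"
        return "destination-ip"


@dataclass
class MlsSwitch:
    routers: list
    flow_mask: str = "destination-ip"
    cache: dict = field(default_factory=dict)  # key tuple -> packets switched

    def _key(self, pkt: dict) -> tuple:
        return tuple(pkt[f] for f in FLOW_MASKS[self.flow_mask])

    def forward(self, pkt: dict) -> str:
        """'shortcut' on a cache hit; 'routed' when the MLS-RP must handle it.
        Simplification: the first packet of a flow is routed and the entry is
        completed at once (the real candidate/enable handshake is omitted)."""
        key = self._key(pkt)
        if key in self.cache:
            self.cache[key] += 1
            return "shortcut"
        self.cache[key] = 1
        return "routed"

    def acl_changed(self) -> str:
        """MLSP notification: adopt the most stringent mask any MLS-RP needs
        and purge every cache entry, as the text describes."""
        masks = [r.required_mask() for r in self.routers]
        self.flow_mask = max(masks, key=STRINGENCY.index)
        self.cache.clear()
        return self.flow_mask


def demo() -> dict:
    """Constructed scenario: three MLS-RPs; router C later gets an extended ACL."""
    a, b, c = MlsRouter("A"), MlsRouter("B"), MlsRouter("C")
    sw = MlsSwitch(routers=[a, b, c])
    pkts = [  # constructed sample flows, all to the same destination host
        {"src": "10.1.1.10", "dst": "10.2.2.20", "proto": "tcp", "sport": 40001, "dport": 80},
        {"src": "10.1.1.11", "dst": "10.2.2.20", "proto": "tcp", "sport": 40002, "dport": 80},
        {"src": "10.1.1.10", "dst": "10.2.2.20", "proto": "tcp", "sport": 40003, "dport": 443},
    ]
    mask_before = sw.flow_mask
    before = [sw.forward(p) for p in pkts]
    entries_before = len(sw.cache)
    c.acls["110"] = "extended"   # new extended ACL on router C
    mask_after = sw.acl_changed()  # learned via MLSP: mask changes, cache purged
    after = [sw.forward(p) for p in pkts]
    return {"mask_before": mask_before, "before": before, "entries_before": entries_before,
            "mask_after": mask_after, "after": after, "entries_after": len(sw.cache)}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

With no access lists, the three sample packets share one destination-ip cache entry, so only the first is routed. After router C gets an extended access list, the purge empties the cache and the ip-flow mask keys on all five fields, so each of the same three packets becomes its own flow and is routed again before it can be shortcut-switched. That is the practical cost of the most stringent mask: more cache entries and more first-packet trips to the MLS-RP.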

Figure 11.6: An MLS switch and three MLS routers.

MLS Troubleshooting Notes

A few pieces of information about MLS will save you time when troubleshooting. Quite a few Cisco IOS commands affect how MLS operates, and MLS does not work well with certain other data traffic features.
