Specifications
Multilayer Switching Overview
Standard and Extended Access Lists
Note: Router interfaces with input access lists cannot participate in MLS. However, any input access list can
be translated to an output access list to provide the same effect on the interface. For complete details on
how input and output access lists affect MLS, see the chapter “Configuring Multilayer Switching.”
MLS allows you to enforce access lists on every packet of the flow without compromising MLS
performance. When you enable MLS, standard and extended access lists are handled at wire speed by
the MLS-SE. Access lists configured on the MLS-RP take effect automatically on the MLS-SE.
Additionally, route topology changes and the addition of access lists are reflected in the switching path
of MLS.
Consider the case where an access list is configured on the MLS-RP to deny access from Station A to
Station B. When Station A wants to communicate with Station B, it sends the first packet to the MLS-RP.
The MLS-RP receives this packet and checks whether this packet flow is permitted. If an access list
entry is configured to deny this flow, the packet is discarded. Because the first packet for this flow never
returns from the MLS-RP, the MLS-SE does not establish an MLS cache entry.
In another case, access lists are introduced on the MLS-RP while the flow is already being Layer 3
switched within the MLS-SE. The MLS-SE immediately enforces security for the affected flow by
purging it.
Similarly, when the MLS-RP detects a routing topology change, the appropriate MLS cache entries are
deleted in the MLS-SE. The techniques for handling route and access list changes apply to both the RSM
and directly attached external routers.
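The three cases just described (a first packet denied by the MLS-RP, an access list added while a flow is already cached, and a routing topology change) as a small model added here for illustration; it is not Cisco code, and the class and method names are assumptions.

```python
# Toy model (constructed for this page, not Cisco code) of how MLS-RP access
# lists decide which flows the MLS-SE may cache and Layer 3 switch.
from dataclasses import dataclass, field

Flow = tuple[str, str]  # (source station, destination station)


@dataclass
class MlsRp:
    # Route processor: owns the access list; 'deny' holds flows an ACL blocks.
    deny: set = field(default_factory=set)

    def route_first_packet(self, flow: Flow) -> bool:
        # True if the packet is routed back out, False if the ACL discards it.
        return flow not in self.deny


@dataclass
class MlsSe:
    # Switching engine: caches only flows it has seen the MLS-RP return.
    rp: MlsRp
    cache: set = field(default_factory=set)

    def forward(self, flow: Flow) -> str:
        if flow in self.cache:
            return "layer3-switched"      # cache hit: handled at wire speed
        if self.rp.route_first_packet(flow):
            self.cache.add(flow)          # first packet came back: install entry
            return "routed-and-cached"
        return "denied"                   # no return packet, so no cache entry

    def on_acl_added(self, new_deny: set) -> None:
        # ACLs configured on the MLS-RP take effect on the MLS-SE at once:
        # flows already being switched are purged from the cache.
        self.rp.deny |= new_deny
        self.cache -= new_deny

    def on_topology_change(self) -> None:
        # Route change: flush the cache so the MLS-RP re-evaluates each flow.
        self.cache.clear()


def demo() -> dict:
    se = MlsSe(MlsRp(deny={("A", "B")}))
    r = {"a_to_b": se.forward(("A", "B")),           # denied, never cached
         "a_to_c_first": se.forward(("A", "C")),     # routed by MLS-RP, cached
         "a_to_c_second": se.forward(("A", "C"))}    # switched by MLS-SE
    se.on_acl_added({("A", "C")})                    # ACL added mid-flow
    r["a_to_c_after_acl"] = se.forward(("A", "C"))
    r["cache_after_acl"] = sorted(se.cache)
    return r
```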
Restrictions on Using IP Router Commands with MLS Enabled
The following Cisco IOS commands affect MLS on your router:
• clear ip-route—Clears all MLS cache entries for all Catalyst 5000 series switches performing
Layer 3 switching for this MLS-RP.
• ip routing—The no form purges all MLS cache entries and disables MLS on this MLS-RP.
• ip security (all forms of this command)—Disables MLS on the interface.
• ip tcp compression-connections—Disables MLS on the interface.
• ip tcp header-compression—Disables MLS on the interface.
General Guidelines
The following is a list of general guidelines for enabling MLS:
• When you enable MLS, the RSM or externally attached router continues to handle all non-IP
protocols while offloading the switching of IP packets to the MLS-SE.
• Do not confuse MLS with the NetFlow switching supported by Cisco routers. MLS uses both the
RSM or directly attached external router and the MLS-SE. With MLS, you are not required to use
NetFlow switching on the RSM or directly attached external router; any switching path on the RSM
or directly attached external router will work (process, fast, and so on).