Figure 11.5: An MLS switch and two MLS routers.
IP Access Lists and MLS Interaction
When an inbound access list is applied to an interface, that interface can no longer be used for MLS. An output access list, however, can be applied to an interface without affecting MLS.
When MLS is enabled, standard and extended access lists are handled at wire speed. Any change to an access list on an interface used for MLS takes effect immediately after it is applied to the interface, whether on the MLS-SE, on an internal route processor, or on an external router.
If the MLS-SE has already established a flow and a new access list is then created on the MLS-RP, the MLS-SE learns of the change through MLSP. The change immediately alters the flow mask and purges the cache entries from the MLS cache on all MLS-SEs. Any new flows are then created according to the new access list information.
IP-Flow Flow Mask
The IP-flow flow mask is the most stringent of all flow masks. It is used whenever any of the MLS-RPs has an extended access list configured, as shown in Figure 11.6. Router C contains an extended access list, and that access list causes the IP-flow flow mask to be used for all flows. The MLS-SE creates a separate MLS cache entry for every IP flow. The IP-flow entry contains the source IP address, destination IP address, protocol, and protocol interfaces.
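The two sections above describe three pieces of MLS behaviour: an inbound access list removes an interface from MLS, an extended access list on any MLS-RP forces the IP-flow mask, and a change to an access list purges the MLS cache so that new flows are keyed under the new mask. The following Python model is an added illustration, not Cisco code and not from this book. It assumes the other two Cisco flow masks (destination-ip with no access lists, source-destination-ip with a standard access list), which this page only alludes to, and it uses constructed addresses, interface names and a hypothetical router name "RouterC".

```python
"""Toy model of how an MLS-SE keys its flow cache under the MLS flow masks.

Added illustration only; the ip-flow key (source IP, destination IP, protocol,
protocol ports) follows the text above, while the destination-ip and
source-destination-ip masks are assumed from Cisco's MLS documentation.
"""
from dataclasses import dataclass

# Flow masks in increasing order of specificity (assumed ordering).
MASKS = ("destination-ip", "source-destination-ip", "ip-flow")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def mask_for_acls(acl_types):
    """Pick the flow mask from the ACL types configured on all MLS-RPs.

    Any extended ACL on any MLS-RP forces ip-flow (from the page); a standard
    ACL forces source-destination-ip; with no ACLs destination-ip is used
    (both assumed from Cisco's documentation).
    """
    if "extended" in acl_types:
        return "ip-flow"
    if "standard" in acl_types:
        return "source-destination-ip"
    return "destination-ip"


def cache_key(pkt, mask):
    """The fields that identify a flow under the given mask."""
    if mask == "destination-ip":
        return (pkt.dst,)
    if mask == "source-destination-ip":
        return (pkt.src, pkt.dst)
    return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)


class MlsSe:
    def __init__(self):
        self.acls = {}                   # router name -> "standard" | "extended"
        self.inbound_acl_ifaces = set()  # interfaces with an inbound ACL: not MLS-eligible
        self.mask = mask_for_acls(set())
        self.cache = {}                  # flow key -> packets switched by the MLS-SE
        self.rp_packets = 0              # packets that had to go to the route processor

    def apply_acl(self, router, acl_type):
        """MLSP tells the MLS-SE about a new ACL: recompute the mask and purge the cache."""
        self.acls[router] = acl_type
        self.mask = mask_for_acls(set(self.acls.values()))
        self.cache.clear()

    def forward(self, pkt, in_iface):
        """Return 'mls-cache' if the MLS-SE switched the packet, else 'route-processor'."""
        if in_iface in self.inbound_acl_ifaces:
            self.rp_packets += 1
            return "route-processor"
        key = cache_key(pkt, self.mask)
        if key in self.cache:
            self.cache[key] += 1
            return "mls-cache"
        # First packet of a flow goes to the MLS-RP, which then creates the entry.
        self.cache[key] = 1
        self.rp_packets += 1
        return "route-processor"


def run_demo():
    """Walk through the behaviour described in the text; returns the observations."""
    se = MlsSe()
    se.inbound_acl_ifaces.add("Vlan20")  # constructed: Vlan20 has an inbound ACL
    a = Packet("10.1.1.5", "10.2.2.9", "tcp", 40000, 80)  # constructed sample flows
    b = Packet("10.1.1.6", "10.2.2.9", "tcp", 40001, 80)
    r = {}
    # No ACLs: both packets share a destination, so the second one hits the cache.
    r["no_acl"] = [se.forward(a, "Vlan10"), se.forward(b, "Vlan10")]
    # Extended ACL appears on RouterC (hypothetical): mask becomes ip-flow, cache purged.
    se.apply_acl("RouterC", "extended")
    r["mask_after_ext_acl"] = se.mask
    r["cache_after_purge"] = len(se.cache)
    # Under ip-flow the two flows get separate entries; only a repeat of 'a' hits.
    r["ext_acl"] = [se.forward(a, "Vlan10"), se.forward(b, "Vlan10"), se.forward(a, "Vlan10")]
    # An interface with an inbound ACL never uses MLS, cached flow or not.
    r["inbound_acl_iface"] = se.forward(a, "Vlan20")
    return r


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Running the model shows why an unexpectedly large MLS cache, or a burst of route-processor traffic after an access list change, is normal rather than a fault: the purge and re-keying described above happen on every MLS-SE at once.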
Figure 11.6: An MLS switch and three MLS routers.
MLS Troubleshooting Notes
A few facts about MLS will save you time when troubleshooting. Quite a few Cisco IOS commands affect how MLS operates, and MLS does not work well alongside a few other data traffic features.