Hi Priscilla,

Quoting Multilayer Switching Companion Guide on p. 340...

MLS creates flows based on access lists configured on the MLS-RP...the MLS-SE handles standard and extended access list PERMIT traffic...Route topology changes and the addition or modification of access lists are reflected in the IP MLS switching path automatically on the MLS-SE...the MLS-SE learns of the change through MLSP and immediately enforces security.

I believe this is the reason why you need a L3 switch to do MLS.

HTH.

Elmer

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Saturday, March 29, 2003 7:10 PM
To: [EMAIL PROTECTED]
Subject: MLS and access lists [7:66464]

With Multilayer Switching (MLS), how does the MLS Switch (MLS-SE) know that the router (MLS-RP) has an access list? In other words, how does the switch know that it should use a destination flow mask, a destination-source flow mask, or a full-flow mask? The access list, after all, is on the router, not the switch, according to descriptions of MLS.

The switch definitely knows, because you see different output with the "show mls" command, but how does it know? Does the router pass it to the switch in MLSP messages, or is there something more obvious that I'm missing?

With some access lists, an enable packet would never come back from the router. Is that what triggers the switch to use the more advanced flow masks? This would imply that the switch is always looking at upper layers and knows that Telnet between 2 hosts results in an enable packet but FTP (or whatever) does not. That seems like a lot of burden to put on a switch.

I checked Clark and Hamilton "Cisco LAN Switching," and the Ethernet LAN switching papers at CertificationZone, but am still left wondering....

Thanks for your help.

Priscilla

Message Posted at: http://www.groupstudy.com/form/read.php?f=7&i=66471&t=66464
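
The mechanism discussed in this thread, as an added toy model that is not part of either message and not Cisco code: the MLS-RP reports its access-list state, the MLS-SE picks the flow mask from that, and a mask change purges the installed shortcuts. The mapping from ACL type to flow mask, the names `MlsSe`, `on_mlsp_update` and `forward`, and the sample addresses are assumptions made for the illustration.

```python
# Toy model of an MLS-SE flow cache (added illustration, not Cisco code).
MASKS = ["destination-ip", "source-destination-ip", "ip-flow"]  # least to most specific
# Assumption: flow mask required by the kind of ACL on an MLS-RP interface.
MASK_FOR_ACL = {None: MASKS[0], "standard": MASKS[1], "extended": MASKS[2]}

def flow_key(mask, pkt):
    """Fields of a packet that identify its flow under the given mask."""
    if mask == "destination-ip":
        return (pkt["dst"],)
    if mask == "source-destination-ip":
        return (pkt["src"], pkt["dst"])
    return (pkt["src"], pkt["dst"], pkt["proto"], pkt["sport"], pkt["dport"])

class MlsSe:
    def __init__(self):
        self.rp_mask = {}    # MLS-RP id -> mask it requires
        self.cache = set()   # installed shortcut entries

    @property
    def mask(self):
        return max(self.rp_mask.values(), key=MASKS.index, default=MASKS[0])

    def on_mlsp_update(self, rp_id, acl_type):
        """MLS-RP reports an ACL change; purge shortcuts if the mask changes."""
        before = self.mask
        self.rp_mask[rp_id] = MASK_FOR_ACL[acl_type]
        if self.mask != before:
            self.cache.clear()
        return self.mask

    def forward(self, pkt, rp_permits):
        """Return 'shortcut' on a cache hit, else the router's verdict."""
        key = flow_key(self.mask, pkt)
        if key in self.cache:
            return "shortcut"
        if rp_permits(pkt):          # enabler packet came back from the MLS-RP
            self.cache.add(key)
            return "routed"
        return "dropped"             # no enabler, so no shortcut is installed

def demo():
    # Constructed sample traffic: Telnet and FTP between the same two hosts.
    telnet = {"src": "10.1.1.5", "dst": "10.2.2.9", "proto": 6, "sport": 40000, "dport": 23}
    ftp = dict(telnet, sport=40001, dport=21)
    acl = lambda p: p["dport"] == 23             # router-side ACL: permit Telnet only
    se = MlsSe()
    se.forward(telnet, lambda p: True)           # installs a destination-only entry
    loose = se.forward(ftp, acl)                 # hits it: mask too coarse for this ACL
    se.on_mlsp_update("rp1", "extended")         # mask becomes ip-flow, cache purged
    return loose, se.forward(telnet, acl), se.forward(telnet, acl), se.forward(ftp, acl)
```

In this model the switch never interprets the access list itself: it only keys its cache more finely, so each distinct flow has to pass the router once before a shortcut exists for it.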