[EMAIL PROTECTED] wrote:
> 
> As far as I am aware, the 1st packet in the flow has to be L3 switched. A
> router just does not send an enable packet back to the SE if it fails an
> ACL. In terms of the telnet, FTP scenarios, I assume that the flow does not
> matter at the SE, 'cause the packet processing at the router just denies it
> and an MLS flow never gets created for that L4-based connection.

If a simple destination flow mask (the default) gets created on the SE that
says how to send traffic to a host, both Telnet and FTP traffic will be sent
to the host despite the access list on the router. It's a huge security
hole. However, the Cisco developers thought of this, of course. (I wonder if
it was an afterthought or if they realized this was a problem right away?
:-) They created more complicated flow masks:

* Destination-source flow mask to handle a standard access list or simple
extended access list without L4 port numbers on the router

* Full flow mask to handle an extended access list that uses L4 port numbers

It turns out that MLSP is used by the router to signal to the SE which flow
masks must be used. Thank you, Kennedy Clark and the other person who cleared
that up. (Great to hear from Kennedy, author of one of the best Cisco Press
books, Cisco LAN Switching. It's right up there with Doyle's books.)

The books say that MLSP flushes the MLS cache when access lists are
configured or changed, or the routing table changes, but they aren't too
clear that on bootup, if a router has access lists, it better tell the SE to
use a more specific flow mask. I'd like to see that protocol in action?! Of
course, if it's a built-in RSP, that wouldn't be possible.

Thanks everyone for replying.

Priscilla
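To make the flow-mask point concrete, here is a small model of an MLS-SE cache in front of an MLS-RP with an extended access list. It is an added example written for this page, not Cisco code or anything from the thread; the addresses, the ACL (permit Telnet to one server, implicit deny for everything else) and the mask names are constructed for illustration. It shows the "enable packet" behaviour described above: the first packet of a flow goes to the router, a permitted one installs a cache entry, and every later packet that hashes to the same key is switched without the ACL ever being consulted. With the default destination-only mask (and also with destination-source), an FTP packet to the same server rides the entry the Telnet session created; only the full flow mask, which keys on the L4 port, keeps it on the router where the ACL denies it.

```python
"""Toy model of Cisco MLS flow masks (constructed example, not Cisco code)."""
from dataclasses import dataclass
from typing import Optional, List

CLIENT = "10.1.2.50"   # constructed addresses
SERVER = "10.1.1.10"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp", "icmp"
    dport: int = 0      # L4 destination port (0 for non-TCP/UDP)


@dataclass(frozen=True)
class Ace:
    """One entry of the router's (MLS-RP) access list. None means 'any'."""
    action: str                     # "permit" | "deny"
    proto: str = "ip"               # "ip" matches every protocol
    src: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None     # present only on L4-aware extended ACLs

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "ip" or self.proto == p.proto)
                and (self.src is None or self.src == p.src)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


class Router:
    """MLS-RP: evaluates the ACL on candidate packets and decides the mask."""

    def __init__(self, acl: List[Ace]):
        self.acl = list(acl)

    def permits(self, p: Packet) -> bool:
        for ace in self.acl:
            if ace.matches(p):
                return ace.action == "permit"
        return False    # implicit deny at the end of every Cisco ACL

    def flow_mask_for_acl(self) -> str:
        """Most specific mask the ACL needs (what the RP would announce via MLSP)."""
        if any(a.dport is not None for a in self.acl):
            return "full"
        if any(a.src is not None or a.dst is not None for a in self.acl):
            return "destination-source"
        return "destination"


def flow_key(p: Packet, mask: str) -> tuple:
    """Cache key the SE derives from a packet under a given flow mask."""
    if mask == "destination":
        return (p.dst,)
    if mask == "destination-source":
        return (p.dst, p.src)
    if mask == "full":
        return (p.dst, p.src, p.proto, p.dport)
    raise ValueError(f"unknown flow mask {mask!r}")


class Switch:
    """MLS-SE: shortcut-switches anything whose key is already in the cache."""

    def __init__(self, router: Router, mask: str):
        self.router, self.mask, self.cache = router, mask, set()

    def handle(self, p: Packet) -> str:
        key = flow_key(p, self.mask)
        if key in self.cache:
            return "shortcut"       # L3 switched; the router's ACL is never seen
        if self.router.permits(p):  # candidate packet went to the router...
            self.cache.add(key)     # ...and the enable packet came back
            return "routed"
        return "denied"             # no enable packet, no cache entry


def run_scenario(mask: str) -> List[str]:
    """Telnet SYN, a second Telnet packet, then an FTP SYN to the same server."""
    router = Router([Ace("permit", "tcp", dst=SERVER, dport=23)])
    sw = Switch(router, mask)
    telnet = Packet(CLIENT, SERVER, "tcp", 23)
    ftp = Packet(CLIENT, SERVER, "tcp", 21)
    return [sw.handle(telnet), sw.handle(telnet), sw.handle(ftp)]


if __name__ == "__main__":
    for m in ("destination", "destination-source", "full"):
        print(f"{m:20s} {run_scenario(m)}")
```

Running it prints `['routed', 'shortcut', 'shortcut']` for both the destination and destination-source masks, i.e. the FTP packet is switched past the ACL, and `['routed', 'shortcut', 'denied']` for the full mask; `Router.flow_mask_for_acl()` returns `"full"` for this ACL, which is the mask the RP has to get to the SE before any flow is installed.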


> 
> Hope this helps.
> 
> -----Original Message-----
> From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
> Sent: 30 March 2003 00:10
> To: [EMAIL PROTECTED]
> Subject: MLS and access lists [7:66464]
> 
> 
> With Multilayer Switching (MLS), how does the MLS Switch (MLS-SE) know that
> the router (MLS-RP) has an access list? In other words, how does the switch
> know that it should use a destination flow mask, a destination-source flow
> mask, or a full-flow mask? The access list, after all, is on the router, not
> the switch, according to descriptions of MLS.
> 
> The switch definitely knows, because you see different output with the "show
> mls" command, but how does it know? Does the router pass it to the switch in
> MLSP messages, or is there something more obvious that I'm missing?
> 
> With some access lists, an enable packet would never come back from the
> router. Is that what triggers the switch to use the more advanced flow
> masks? This would imply that the switch is always looking at upper layers
> and knows that Telnet between 2 hosts results in an enable packet but FTP
> (or whatever) does not. That seems like a lot of burden to put on a switch.
> 
> I checked Clark and Hamilton "Cisco LAN Switching," and the Ethernet LAN
> switching papers at CertificationZone, but am still left wondering....
> 
> Thanks for your help.
> 
> Priscilla
> 
> 




Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66500&t=66464
--------------------------------------------------
FAQ, list archives, and subscription info: http://www.groupstudy.com/list/cisco.html
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
