Thanks Francisco, but according to the BCMSN book by Karen Webb, page 233 :
"Most Cisco documentation explains flow masks as a way to determine how
packets are compared to entries in the MLS cache.  This is inaccurate. Flow
masks are actually used to determine how much information about the packet
is placed in the MLS cache. The flow mask is not used to compare packets to
existing entries in the MLS cache."

Furthermore (page 237) "The MLS-SE switches a packet by comparing its
destination address to what it has in cache. After it has determined that
it knows the destination, it switches the packet without ever sending the
packet to the MLS-RP. This example shows that there could be a potential
security hole with the use of access lists and MLS. The information that is
cached for MLS is useful for determining traffic patterns and accounting.
It is not, however, used to compare packets all the way through the Layer 4
information to ensure security."

Still confused...

Ole

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
 http://www.oledrews.com/ccnp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~



-----Original Message-----
From: Francisco Muniz [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 25, 2000 2:07 PM
To: [EMAIL PROTECTED]
Subject: Re: BCMSN: Flow Masks


According to CCIE LAN Switching, page 479: "The flow mask is used to set
the granularity with which the NFFC determines what constitutes a flow"
and it (the NFFC) creates shortcuts for each flow. Of course, the MAC
address will be the same for any given address no matter what the source
address or port number, but if you are using access lists on the router,
you wouldn't want your switch to bypass them, so you set a smaller
granularity so that each flow corresponds to a flow that has passed your
access list. This way the switch won't "route" the wrong packets. Hope
this helps.
By the way, thank you for the link.

Francisco Muniz.

**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html
_________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]
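
The point in Francisco's message about granularity and access lists, as an added example that is not part of the original thread and not Cisco's implementation: a simplified model in which the flow mask selects the fields of the shortcut cache key, showing which masks let a packet the router ACL would deny be shortcut-switched. The addresses, the ACL rule and the names `SwitchModel`, `acl_permits` and `acl_bypasses` are constructed for illustration.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src dst proto dport")

# Assumption: fields that form the shortcut cache key under each flow mask.
FLOW_MASKS = {
    "destination": ("dst",),
    "source-destination": ("src", "dst"),
    "full": ("src", "dst", "proto", "dport"),
}

def acl_permits(pkt):
    """Constructed router ACL: deny telnet to 10.2.0.5, permit the rest."""
    return not (pkt.dst == "10.2.0.5" and pkt.proto == "tcp" and pkt.dport == 23)

class SwitchModel:
    """Switch that shortcuts any packet whose masked key is already cached."""
    def __init__(self, mask):
        self.fields = FLOW_MASKS[mask]
        self.cache = set()

    def forward(self, pkt):
        key = tuple(getattr(pkt, f) for f in self.fields)
        if key in self.cache:
            return "shortcut"      # the router and its ACL never see this packet
        if not acl_permits(pkt):
            return "dropped"       # first packet of a flow goes via the router
        self.cache.add(key)        # permitted flow: install the shortcut
        return "routed"

def acl_bypasses(mask, packets):
    """Packets that were shortcut-switched although the ACL denies them."""
    sw = SwitchModel(mask)
    return [p for p in packets if sw.forward(p) == "shortcut" and not acl_permits(p)]

# Constructed traffic: a permitted HTTP flow, then telnet to the same host.
SAMPLE = [
    Packet("10.1.0.9", "10.2.0.5", "tcp", 80),
    Packet("10.1.0.9", "10.2.0.5", "tcp", 23),
]

if __name__ == "__main__":
    for mask in FLOW_MASKS:
        print(mask, "->", acl_bypasses(mask, SAMPLE))
```

In this model only the full mask keeps the telnet packet out of the shortcut path, because it is the only key fine enough to distinguish the flow the ACL permits from the one it denies.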
