I read this as well...BUT...
The BCMSN book says "Most Cisco Documentation explains flow masks as a way to
determine how packets are compared to entries in the MLS cache. This is inaccurate.
Flow masks are actually used to determine how much information about a packet is
placed in the MLS cache. The flow mask is not used to compare packets to existing
entries in the MLS cache."
The book goes further to explain a security issue where a workstation pings another
and creates an entry in the MLS cache. This workstation is then able to establish an
FTP session even though the access lists on the MLS-RP would not have allowed
it. The book says "The MLS-SE switches a packet by comparing its destination address
to what it has in cache. After it has determined that it knows the destination, it
switches the packet without ever sending the packet to the MLS-RP."
The book also says that the PFC addresses this issue by allowing the creation of VLAN
Access Control Lists.
If the statement about an MLS-SE only looking at the destination address is true, why
must the MLS-SE's flow mask be at least as restrictive as the access list? For
example, if the router has an extended access list, the switch must have an IP-Flow
mask.
Additionally, I don't really understand why MLSP hellos carry information about
VLANs that the router's interfaces route for, and if the MLS-SE (without PFC) really does
not care about access lists, why they need to be advertised.
Any clarification would be greatly appreciated.
Tom Kager
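A small model of the cache behaviour the book describes, added here as an illustration and not code from the post or from Cisco. It assumes an MLS-RP access list that permits only ICMP, that a cache hit is forwarded without consulting the MLS-RP, and uses illustrative flow-mask labels; it shows why a destination-only mask lets the FTP packet ride the entry the ping created, while an ip-flow mask keys the entry on protocol and ports so the FTP packet goes to the router and is denied.

```python
from dataclasses import dataclass
from typing import Tuple

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

def rp_acl_permits(pkt: Packet) -> bool:
    """Hypothetical extended ACL on the MLS-RP: permit ICMP, deny all else."""
    return pkt.proto == "icmp"

def flow_key(pkt: Packet, mask: str) -> tuple:
    """How much of the packet the flow mask places in the MLS cache entry."""
    if mask == "destination-ip":
        return (pkt.dst,)
    if mask == "source-destination-ip":
        return (pkt.src, pkt.dst)
    if mask == "ip-flow":          # full flow: addresses, protocol and ports
        return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
    raise ValueError(f"unknown flow mask {mask}")

class MlsSwitch:
    """Simplified MLS-SE: cache hits shortcut the MLS-RP entirely."""
    def __init__(self, mask: str) -> None:
        self.mask = mask
        self.cache: set = set()

    def forward(self, pkt: Packet) -> Tuple[str, bool]:
        key = flow_key(pkt, self.mask)
        if key in self.cache:
            return ("cache", True)          # switched without the router's ACL
        permitted = rp_acl_permits(pkt)     # candidate packet goes to the MLS-RP
        if permitted:
            self.cache.add(key)             # entry created only for permitted flows
        return ("router", permitted)

def ping_then_ftp(mask: str) -> Tuple[str, bool]:
    """Constructed scenario: a permitted ping, then FTP to the same host."""
    sw = MlsSwitch(mask)
    ping = Packet("10.1.1.10", "10.1.2.20", "icmp", 0, 0)
    ftp = Packet("10.1.1.10", "10.1.2.20", "tcp", 40000, 21)
    sw.forward(ping)
    return sw.forward(ftp)

if __name__ == "__main__":
    for m in ("destination-ip", "source-destination-ip", "ip-flow"):
        print(m, ping_then_ftp(m))
```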
_________________________________
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com