Re: BCMSN: Flow Masks

2000-09-25 Thread Francisco Muniz

Beats me :(
Apparently, the books contradict each other so I guess we'll have to
wait for wiser minds to come and rescue us. I would love a definite
answer on this one.

Francisco.

**NOTE: New CCNA/CCDA List has been formed. For more information go to
http://www.groupstudy.com/list/Associates.html
_
UPDATED Posting Guidelines: http://www.groupstudy.com/list/guide.html
FAQ, list archives, and subscription info: http://www.groupstudy.com
Report misconduct and Nondisclosure violations to [EMAIL PROTECTED]



Re: BCMSN: Flow Masks

2000-09-25 Thread TKager

I read this as well...BUT...

The BCMSN book says "Most Cisco Documentation explains flow masks as a way to 
determine how packets are compared to entries in the MLS cache. This is inaccurate. 
Flow masks are actually used to determine how much information about a packet is 
placed in the MLS cache. The flow mask is not used to compare packets to existing 
entries in the MLS cache."

The book goes further to explain a security issue where a workstation pings another 
and creates an entry in the MLS cache. This workstation is then able to establish an 
FTP session even though the access lists on the MLS-RP would not have allowed 
it. The book says "The MLS-SE switches a packet by comparing its destination address 
to what it has in cache. After it has determined that it knows the destination, it 
switches the packet without ever sending the packet to the MLS-RP."

The book also says that the PFC addresses this issue by allowing the creation of VLAN 
Access Control Lists.

If the statement about an MLS-SE only looking at the destination address is true, why 
must the MLS-SE's flow mask be at least as restrictive as the access list? For 
example, if the router has an extended access list, the switch must have an IP-Flow 
mask.

Additionally, I don't really understand why MLSP hellos carry information about 
VLANs that the routers' interfaces route for and, if the MLS-SE (without PFC) really does 
not care about access lists, why they need to be advertised.

Any clarification would be greatly appreciated.

Tom Kager




RE: BCMSN: Flow Masks

2000-09-25 Thread Ole Drews Jensen

Thanks Francisco, but according to the BCMSN book by Karen Webb, page 233:
"Most Cisco documentation explains flow masks as a way to determine how
packets are compared to entries in the MLS cache.  This is inaccurate. Flow
masks are actually used to determine how much information about the packet
is placed in the MLS cache. The flow mask is not used to compare packets to
existing entries in the MLS cache."

Furthermore (page 237) "The MLS-SE switches a packet by comparing its
destination address to what it has in cache. After it has determined that
it knows the destination, it switches the packet without ever sending the
packet to the MLS-RP. This example shows that there could be a potential
security hole with the use of access lists and MLS. The information that is
cached for MLS is useful for determining traffic patterns and accounting.
It is not, however, used to compare packets all the way through the Layer 4
information to ensure security."

Still confused...

Ole


 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
 http://www.oledrews.com/ccnp




-Original Message-
From: Francisco Muniz [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 25, 2000 2:07 PM
To: [EMAIL PROTECTED]
Subject: Re: BCMSN: Flow Masks


According to CCIE LAN Switching, page 479: "The flow mask is used to set
the granularity with which the NFFC determines what constitutes a flow"
and it (the NFFC) creates shortcuts for each flow. Of course, the MAC
address will be the same for any given address no matter what the source
address or port number, but if you are using access lists on the router,
you wouldn't want your switch to bypass them, so you set a smaller
granularity so that each flow corresponds to a flow that has passed your
access list. This way the switch won't "route" the wrong packets. Hope
this helps.
By the way, thank you for the link.

Francisco Muniz.




RE: BCMSN: Flow Masks

2000-09-25 Thread Stull, Cory

Ole,

Wow, you don't miss anything. You're right.  I remember discussion about
this before.  I think the answer was that it is a big hole with the security,
so unless you set up your access list to deny everything from that source
altogether, then the only way to get around it is to disable the fast
switching.   I think it was Prescilla that was talking about this a while
back...  

Please correct me if I'm wrong..

Cory

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 25, 2000 12:36 PM
To: 'Stull, Cory'; Ole Drews Jensen
Cc: '[EMAIL PROTECTED]'
Subject: RE: BCMSN: Flow Masks


I know Cory, but it still only checks on the destination address. If an
extended access list has been configured to allow ping only, once a ping has
been made, an entry has been created in the MLS cache, and from there on the
access list is not worth anything, because the MLS-SE will allow anything
through directly to the destination, because the extended access list which
is at the MLS-RP doesn't see any more data to that destination.

I'm a bit confused here.

Thanks,

Ole


 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
 http://www.oledrews.com/ccnp




-Original Message-
From: Stull, Cory [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 25, 2000 2:33 PM
To: 'Ole Drews Jensen'
Cc: '[EMAIL PROTECTED]'
Subject: RE: BCMSN: Flow Masks


Ole,

If you have an extended access-list setup it might be needing more info than
just the destination IP address.   You may be filtering on a source address
or something.  This is why your flow would change.

Cory

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 25, 2000 11:48 AM
To: '[EMAIL PROTECTED]'
Subject: BCMSN: Flow Masks


I can understand that even though you use a full IP flow for the flow masks,
the switch only looks at the destination IP in the MLS cache before
forwarding the packet. The flow masks are not used to check the cache, but
to determine how much information to put in the cache.

My question is, why would you use the full IP flow or IP source/destination
flow instead of only IP destination when it only looks at the destination no
matter what ???

Thanks,

Ole


 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
 http://www.oledrews.com/ccnp



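Tom's question (why the MLS-SE's flow mask must be at least as restrictive as the router's access list) and Ole's original question (why use a full IP flow mask when the switch only matches the destination) both turn on what the cache key contains. The following is an added example, not code from this thread or from Cisco: a toy model of the MLS cache under the three flow masks named in the thread, with a constructed ICMP-only extended ACL on the MLS-RP, showing that only the ip-flow mask keeps a later FTP flow from riding the shortcut that the ping installed. The class and function names and the addresses are constructed for the illustration.

```python
"""Toy model of MLS shortcut caching under different flow masks (constructed,
not Cisco code). It follows the 'granularity' reading: the flow mask decides
which header fields form a cache key, so it must be at least as specific as
the extended access list on the MLS-RP or cached shortcuts bypass the ACL."""
from dataclasses import dataclass

# Header fields that make up the cache key under each flow mask.
FLOW_MASKS = {
    "destination-ip": ("dst",),
    "source-destination-ip": ("src", "dst"),
    "ip-flow": ("src", "dst", "proto", "dport"),
}

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int

def router_acl_permits(pkt: Packet) -> bool:
    """Extended ACL on the MLS-RP (constructed): permit ICMP only."""
    return pkt.proto == "icmp"

class MlsSwitch:
    """MLS-SE that installs a shortcut for every flow the MLS-RP forwards."""

    def __init__(self, flow_mask: str):
        self.key_fields = FLOW_MASKS[flow_mask]
        self.cache = set()

    def key(self, pkt: Packet) -> tuple:
        return tuple(getattr(pkt, f) for f in self.key_fields)

    def forward(self, pkt: Packet) -> str:
        """Return 'shortcut', 'routed' or 'denied' for one packet."""
        k = self.key(pkt)
        if k in self.cache:
            return "shortcut"        # never reaches the MLS-RP or its ACL
        if router_acl_permits(pkt):
            self.cache.add(k)        # router forwarded it: install shortcut
            return "routed"
        return "denied"

def acl_bypass(flow_mask: str) -> bool:
    """True if FTP to a host gets through after a ping primed the cache."""
    sw = MlsSwitch(flow_mask)
    ping = Packet("10.0.1.10", "10.0.2.20", "icmp", 0)
    ftp = Packet("10.0.1.10", "10.0.2.20", "tcp", 21)
    sw.forward(ping)                 # permitted by the ACL; shortcut cached
    return sw.forward(ftp) == "shortcut"
```

With the destination-ip and source-destination-ip masks the FTP packet hits the shortcut the ping created and never reaches the router's ACL; with the ip-flow mask its key differs, so it is sent to the MLS-RP and denied.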



RE: BCMSN: Flow Masks

2000-09-25 Thread Ole Drews Jensen

I know Cory, but it still only checks on the destination address. If an
extended access list has been configured to allow ping only, once a ping has
been made, an entry has been created in the MLS cache, and from there on the
access list is not worth anything, because the MLS-SE will allow anything
through directly to the destination, because the extended access list which
is at the MLS-RP doesn't see any more data to that destination.

I'm a bit confused here.

Thanks,

Ole


 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
 http://www.oledrews.com/ccnp




-Original Message-
From: Stull, Cory [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 25, 2000 2:33 PM
To: 'Ole Drews Jensen'
Cc: '[EMAIL PROTECTED]'
Subject: RE: BCMSN: Flow Masks


Ole,

If you have an extended access-list setup it might be needing more info than
just the destination IP address.   You may be filtering on a source address
or something.  This is why your flow would change.

Cory

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 25, 2000 11:48 AM
To: '[EMAIL PROTECTED]'
Subject: BCMSN: Flow Masks


I can understand that even though you use a full IP flow for the flow masks,
the switch only looks at the destination IP in the MLS cache before
forwarding the packet. The flow masks are not used to check the cache, but
to determine how much information to put in the cache.

My question is, why would you use the full IP flow or IP source/destination
flow instead of only IP destination when it only looks at the destination no
matter what ???

Thanks,

Ole


 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
 http://www.oledrews.com/ccnp






RE: BCMSN: Flow Masks

2000-09-25 Thread Stull, Cory

Ole,

If you have an extended access-list setup it might be needing more info than
just the destination IP address.   You may be filtering on a source address
or something.  This is why your flow would change.

Cory

-Original Message-
From: Ole Drews Jensen [mailto:[EMAIL PROTECTED]]
Sent: Monday, September 25, 2000 11:48 AM
To: '[EMAIL PROTECTED]'
Subject: BCMSN: Flow Masks


I can understand that even though you use a full IP flow for the flow masks,
the switch only looks at the destination IP in the MLS cache before
forwarding the packet. The flow masks are not used to check the cache, but
to determine how much information to put in the cache.

My question is, why would you use the full IP flow or IP source/destination
flow instead of only IP destination when it only looks at the destination no
matter what ???

Thanks,

Ole


 Ole Drews Jensen
 Systems Network Manager
 CCNA, MCSE, MCP+I
 RWR Enterprises, Inc.
 [EMAIL PROTECTED]
 http://www.oledrews.com/ccnp






Re: BCMSN: Flow Masks

2000-09-25 Thread Francisco Muniz

According to CCIE LAN Switching, page 479: "The flow mask is used to set
the granularity with which the NFFC determines what constitutes a flow"
and it (the NFFC) creates shortcuts for each flow. Of course, the MAC
address will be the same for any given address no matter what the source
address or port number, but if you are using access lists on the router,
you wouldn't want your switch to bypass them, so you set a smaller
granularity so that each flow corresponds to a flow that has passed your
access list. This way the switch won't "route" the wrong packets. Hope
this helps.
By the way, thank you for the link.

Francisco Muniz.
