As far as I am aware, the 1st packet in the flow has to be L3 switched.  A
router just does not send an enable packet back to the SE if it fails an
ACL.  In terms of the telnet, FTP scenarios, I assume that the flow does not
matter at the SE, because the packet processing at the router just denies it
and an MLS flow never gets created for that L4 based connection.

Hope this helps.

-----Original Message-----
From: Priscilla Oppenheimer [mailto:[EMAIL PROTECTED]
Sent: 30 March 2003 00:10
To: [EMAIL PROTECTED]
Subject: MLS and access lists [7:66464]


With Multilayer Switching (MLS), how does the MLS Switch (MLS-SE) know that
the router (MLS-RP) has an access list? In other words, how does the switch
know that it should use a destination flow mask, a destination-source flow
mask, or a full-flow mask? The access list, after all, is on the router, not
the switch, according to descriptions of MLS.

The switch definitely knows, because you see different output with the "show
mls" command, but how does it know? Does the router pass it to the switch in
MLSP messages, or is there something more obvious that I'm missing?

With some access lists, an enable packet would never come back from the
router. Is that what triggers the switch to use the more advanced flow
masks? This would imply that the switch is always looking at upper layers
and knows that Telnet between 2 hosts results in an enable packet but FTP
(or whatever) does not. That seems like a lot of burden to put on a switch.

I checked Clark and Hamilton "Cisco LAN Switching," and the Ethernet LAN
switching papers at CertificationZone, but am still left wondering....

Thanks for your help.

Priscilla
Message Posted at:
http://www.groupstudy.com/form/read.php?f=7&i=66491&t=66464