Access List Flow Masks - Cisco RJ-45-to-AUX Brochure


go through the router. The MLS-SE rewrites the packets to look as if they had been forwarded by a router.

Note: The MLS cache size can grow to a maximum of 128K. When the cache on the MLS-SE grows larger than 32K, it is likely that flows in the network will not be switched by the MLS-SE and will instead be forwarded to a router.

When the conversation between the two nodes ends or discontinues for any reason, the MLS cache entry is aged out of the cache. For a new conversation to take place, the process must start again.

Access List Flow Masks

Flow masks are used by the MLS-SE to determine how the network flows are compared to the MLS cache entries. Which flow mask mode to use is determined by the types of access lists that are configured on the routers (MLS-RPs) participating in MLS. The MLS-SE is given this information via the MLSP messages from each MLS-RP for which the MLS-SE performs Layer 3 switching.

The three types of access list flow masks are as follows:
Destination-IP
Source-destination-IP
IP-flow

Destination-IP Flow Mask

Only one flow mask is used at a time; the flow mask used is determined by the most stringent type of access list. The least stringent is a Destination-IP flow mask. It is used if no access lists are configured on any router participating in MLS, as shown in Figure 11.4. In this situation, the MLS-SE will maintain only one MLS entry for each destination IP address. Any flows that go to a given destination IP address will use this MLS entry.

Figure 11.4: An MLS switch and one MLS router. The router has no access list configured, so the flow mask will be Destination-IP.

Warning: If a different flow mask is detected, the MLS-SE will automatically change the currently used flow mask to the most stringent flow mask detected on the network and purge its cached entries.

Source-Destination-IP Flow Mask

The Source-destination-IP flow mask is the next most stringent. This mask is used if any MLS-RP in the network is using a standard access list, as shown in Figure 11.5. Router B contains a standard access list. Even though router A has no access lists configured, the flow mask is determined by the most stringent policy placed on any router. Therefore, the Source-destination-IP flow mask is used for all flows. The MLS-SE maintains one MLS entry for each source and destination IP address pair. Any flow between a given source and destination uses this MLS entry, regardless of which IP protocol the interfaces use.
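
The selection and purge behaviour described above can be modelled in a few lines. This is an added example, not code from the book or from Cisco: all class and function names are hypothetical, the flows are constructed sample data, and the mapping of extended access lists to the IP-flow mask (keyed on protocol and ports) goes beyond what this section states.

```python
from enum import IntEnum

class FlowMask(IntEnum):  # ordered from least to most stringent
    DESTINATION_IP = 1
    SOURCE_DESTINATION_IP = 2
    IP_FLOW = 3

# ACL type on an MLS-RP -> flow mask it requires. The "extended" row is an
# assumption from general MLS behaviour; this section covers the first two.
MASK_FOR_ACL = {
    None: FlowMask.DESTINATION_IP,
    "standard": FlowMask.SOURCE_DESTINATION_IP,
    "extended": FlowMask.IP_FLOW,
}

def select_mask(rp_acls):
    """The most stringent mask required by any MLS-RP is used for all flows."""
    return max(MASK_FOR_ACL[acl] for acl in rp_acls.values())

def cache_key(mask, flow):
    """Fields the MLS-SE compares against its cache under each mask."""
    src, dst, proto, sport, dport = flow
    if mask is FlowMask.DESTINATION_IP:
        return (dst,)
    if mask is FlowMask.SOURCE_DESTINATION_IP:
        return (src, dst)
    return (src, dst, proto, sport, dport)

class MlsCache:
    def __init__(self, rp_acls):
        self.mask = select_mask(rp_acls)
        self.entries = set()

    def rp_update(self, rp_acls):
        """Model of an MLSP update: a changed flow mask purges the cache."""
        new_mask = select_mask(rp_acls)
        if new_mask is not self.mask:
            self.mask, self.entries = new_mask, set()

    def learn(self, flow):
        self.entries.add(cache_key(self.mask, flow))

# Constructed sample flows: (src, dst, protocol, src port, dst port)
FLOWS = [
    ("10.0.1.5", "10.0.2.9", "tcp", 40000, 80),
    ("10.0.1.5", "10.0.2.9", "tcp", 40001, 443),
    ("10.0.1.6", "10.0.2.9", "tcp", 40002, 80),
    ("10.0.1.6", "10.0.2.10", "udp", 5000, 53),
]
```

With no access lists the four flows collapse into two cache entries (one per destination), so the switch shortcuts traffic without regard to its source; once any MLS-RP reports a standard access list, the cache is purged and rebuilt with three source-destination entries.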