Access Lists
Access control lists (ACLs) throw an interesting twist into MLS configuration and operation. There are some definite caveats when trying to use MLS and ACLs at the same time.
Until IOS release 12.0(2), inbound access lists were not supported. If a
router interface had an inbound access list applied, MLS was disabled. With
versions after 12.0(2), inbound access lists are supported.
Outbound ACLs are a little more problematic. Although they have always been supported, applying one causes the MLS cache to clear and reestablish. Also, outbound lists utilizing the following functions will disable MLS on the interface to which they are applied:
TOS
Established
Log
Precedence
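The following audit script is an added example, not code from the book: it scans an IOS configuration for outbound ACLs that use any of the four functions listed above and reports the interfaces where MLS would be disabled. The sample configuration is constructed, and the parser assumes the standard `access-list`, `ip access-list` and `ip access-group ... out` command forms.

```python
import re
MLS_BLOCKING = {"tos", "established", "log", "precedence"}  # functions listed in the text
# Constructed sample configuration (not from the book).
SAMPLE_CONFIG = """\
interface Vlan10
 ip access-group 101 out
interface Vlan20
 ip access-group WEB-OUT out
interface Vlan30
 ip access-group 101 in
access-list 101 permit tcp any any established
access-list 101 deny ip any any log
ip access-list extended WEB-OUT
 permit tcp any any eq 80
 deny ip any any
"""

def parse_config(text):
    """Return ({acl: [entries]}, [(interface, acl)]) for outbound bindings only."""
    acls, outbound, iface, named = {}, [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):      # a top-level command ends any sub-mode
            iface = named = None
        if m := re.match(r"interface (\S+)", line):
            iface = m.group(1)
        elif m := re.match(r"ip access-list \S+ (\S+)", line):
            named = m.group(1)
        elif m := re.match(r"access-list (\d+) ((?:permit|deny) .+)", line):
            acls.setdefault(m.group(1), []).append(m.group(2))
        elif named and re.match(r"(permit|deny) ", line):
            acls.setdefault(named, []).append(line)
        elif iface and (m := re.match(r"ip access-group (\S+) out$", line)):
            outbound.append((iface, m.group(1)))
    return acls, outbound

def mls_blockers(text):
    """Map interface -> sorted blocking keywords found in its outbound ACL."""
    acls, outbound = parse_config(text)
    findings = {}
    for iface, acl in outbound:
        hits = {t for entry in acls.get(acl, []) for t in entry.split()} & MLS_BLOCKING
        if hits:
            findings[iface] = sorted(hits)
    return findings

if __name__ == "__main__":
    print(mls_blockers(SAMPLE_CONFIG))
```

Vlan30 binds the same ACL inbound, so it is not reported; only the outbound binding on Vlan10 is flagged.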
Configuring the MLS Engine
Switch configuration is very simple. MLS is on by default for both the 6000 and 2926G and for the 5000s with RSMs and NFFC cards in them. The only time that it is necessary to perform configuration tasks on the MLS-SE is when you want to change specific MLS attributes or when the device requires configuration. Here are some examples:
Using an external router
Changing the MLS cache aging timers
Enabling NDE (NetFlow Data Export)
Each of these topics will be addressed in the following sections.
Copyright ©2000 SYBEX, Inc., Alameda, CA
www.sybex.com