Router Access Lists

A router access list does not slow down an established MLS flow. Only the first packet of a flow is routed by the MLS-RP and checked against the access list; once that packet has been permitted and the MLS-SE has created the shortcut entry, the subsequent packets of that flow are MLS switched and never touch the access list again. The access list therefore matters only for the initial packet of each flow: if it denies the traffic from Host1 to Host2, the router drops that first packet and the MLS entry is never created, so denied traffic cannot be shortcut switched around the filter. Note that applying or modifying an access list on an MLS-RP interface purges the existing MLS entries for that interface, so every flow is re-evaluated against the new list on its next packet.

If the log keyword is present on the access list entry that a flow matches, the router must see every packet in order to log it, so all of that traffic is process switched and no MLS entry is ever created for it. Logging is CPU intensive and can dramatically degrade the router's performance; an unqualified logged entry such as permit any log effectively disables MLS for all traffic through that interface and moves the whole forwarding load from the switch hardware onto the router CPU, where any busy traffic source can exhaust it. Access list 1 in Example 6-8 logs all IP traffic that traverses the router (the list must also be applied to an interface with ip access-group, a step the example does not show). This is for testing purposes only and should never be enabled in a production network. If the log keyword must be used, keep the logged entry as specific and granular as possible, for example a single host, protocol, or port (see Example 6-8). The match count in the show access-lists output shows how many packets have hit the entry. Also note that show mls entry in Example 6-8 reports no entries for the MLS-RP, because none of the logged traffic was ever shortcut switched.

Example 6-8. Creating the Access List

RSM(config)# access-list 1 permit any log

RSM#show access-lists 1
Standard IP access list 1
    permit any log (2443 matches)

Switch3 (enable) show mls entry
Destination IP  Source IP       Prot DstPrt SrcPrt Destination Mac   Vlan Port
--------------- --------------- ---- ------ ------ ----------------- ---- -----
MLS-RP 10.1.2.10:
 No entries
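The behaviour described above (first packet routed through the access list, later packets shortcut switched, denied flows never cached, logged entries forcing every packet to the router) can be modelled in a few lines. The following Python script is an added example and is not code from the book or from Cisco: it parses IOS-style numbered access-list lines from a constructed sample config, evaluates packets against them with first-match and implicit-deny semantics, and drives a toy MLS-SE/MLS-RP flow cache. It also flags logged entries whose source and destination are both any, the pattern the text warns against. The host addresses 10.1.1.10, 10.1.2.20 and 10.9.9.9, the sample config, the Rule and Packet structures, and the simplifications (contiguous wildcard masks only, only a trailing destination "eq N" port parsed, interfaces ignored) are all assumptions of this example, not the book's.

```python
import ipaddress
from collections import namedtuple

ANY = ipaddress.ip_network("0.0.0.0/0")
# Rule: action "permit"/"deny"; proto "ip" for standard lists; src/dst networks;
# dport from a trailing "eq N" (else None); log True when "log"/"log-input" is present.
Rule = namedtuple("Rule", "action proto src dst dport log")
Packet = namedtuple("Packet", "proto src dst dport", defaults=(None,))


def _address(tokens, i):
    """Parse one IOS address spec at tokens[i]: any | host A | A wildcard | A (host)."""
    tok = tokens[i]
    if tok == "any":
        return ANY, i + 1
    if tok == "host":
        return ipaddress.ip_network(tokens[i + 1]), i + 2
    if i + 1 < len(tokens) and tokens[i + 1][0].isdigit():
        # address plus wildcard mask: 0 bits must match; contiguous wildcards assumed
        prefix = 32 - int(ipaddress.IPv4Address(tokens[i + 1])).bit_length()
        return ipaddress.ip_network((tok, prefix), strict=False), i + 2
    return ipaddress.ip_network(tok), i + 1           # bare address in a standard list


def parse_access_lists(config):
    """Collect numbered access-list lines from running-config text, in order."""
    acls = {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
            continue
        number, action = int(t[1]), t[2]
        log = t[-1] in ("log", "log-input")
        body = t[3:-1] if log else t[3:]
        if number <= 99 or 1300 <= number <= 1999:        # standard list: source only
            rule = Rule(action, "ip", _address(body, 0)[0], ANY, None, log)
        else:                                             # extended: proto src dst [eq N]
            src, i = _address(body, 1)
            dst, i = _address(body, i)
            dport = int(body[i + 1]) if i + 1 < len(body) and body[i] == "eq" else None
            rule = Rule(action, body[0], src, dst, dport, log)
        acls.setdefault(number, []).append(rule)
    return acls


def evaluate(rules, pkt):
    """First match wins; every IOS list ends with an implicit, unlogged deny."""
    for r in rules:
        if ((r.proto == "ip" or r.proto == pkt.proto) and pkt.src in r.src
                and pkt.dst in r.dst and (r.dport is None or r.dport == pkt.dport)):
            return r.action, r.log
    return "deny", False


class MlsSwitch:
    """Toy MLS-SE/MLS-RP pair; only a permitted, unlogged flow earns a shortcut."""

    def __init__(self, rules):
        self.rules, self.cache, self.to_router = rules, {}, 0   # cache: flow -> shortcut hits

    def forward(self, pkt):
        if pkt in self.cache:                # later packets of a known flow: MLS switched,
            self.cache[pkt] += 1             # the router and its access list never see them
            return "mls"
        self.to_router += 1                  # first packet of a flow goes to the MLS-RP
        action, log = evaluate(self.rules, pkt)
        if action == "deny":
            return "denied"                  # dropped by the router, no entry created
        if log:
            return "process-switched"        # router must see every packet to log it
        self.cache[pkt] = 0
        return "routed"                      # routed once, shortcut entry installed


def unqualified_log_entries(acls):
    """(list number, entry index) of logged entries matching any source and any
    destination: these push every flow on the interface onto the router CPU."""
    return [(n, i) for n, rules in acls.items()
            for i, r in enumerate(rules) if r.log and r.src == ANY and r.dst == ANY]


# Constructed sample config (not from the book); all addresses are assumptions.
SAMPLE_CONFIG = """\
access-list 1 permit any log
access-list 101 deny   tcp host 10.1.1.10 host 10.1.2.20 eq 23
access-list 101 permit ip 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255
access-list 101 permit tcp any host 10.1.2.20 eq 80 log
"""
HOST1 = ipaddress.ip_address("10.1.1.10")      # stands in for the book's Host1
HOST2 = ipaddress.ip_address("10.1.2.20")      # stands in for the book's Host2
OUTSIDER = ipaddress.ip_address("10.9.9.9")    # a source outside the permitted subnet


def run_flow(acl_number, pkt, count=5):
    """Send `count` identical packets through a fresh switch guarded by one list.
    Returns (per-packet outcome, shortcut hits for the flow, packets sent to the router)."""
    sw = MlsSwitch(parse_access_lists(SAMPLE_CONFIG).get(acl_number, []))
    outcomes = [sw.forward(pkt) for _ in range(count)]
    return outcomes, sw.cache.get(pkt, 0), sw.to_router


if __name__ == "__main__":
    print(run_flow(101, Packet("tcp", HOST1, HOST2, 80)))   # routed once, then mls
    print(run_flow(1, Packet("tcp", HOST1, HOST2, 80)))     # logged: all to the router
    print(unqualified_log_entries(parse_access_lists(SAMPLE_CONFIG)))
```

Running it shows the three cases side by side: under list 101 the Host1 to Host2 web flow reaches the router once and is then shortcut switched, a denied telnet flow sends every packet to the router and never gets an entry, and under list 1 (the book's permit any log) every packet is process switched and the cache stays empty, matching the "No entries" output above. The model ignores interfaces, so in a real network remember that the list only takes effect once it is applied with ip access-group.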