Section 7.4: Flow Masks

The MLS-SE uses flow mask modes to determine how packets are compared to MLS entries in the MLS cache. The flow mask mode is based on the access lists configured on the MLS router interfaces. The MLS-SE learns the flow mask through MLSP messages from each MLS-RP for which the MLS-SE is performing Layer 3 switching. MLS-SE supports only one flow mask for all MLS-RPs that are serviced by the MLS-SE. If the MLS-SE detects different flow masks from different MLS-RPs for which the MLS-SE is performing Layer 3 switching, the MLS-SE changes its flow mask to the most specific flow mask detected.

The MLS-SE supports three flow mask modes: Destination-IP, Source-Destination-IP, and IP-Flow.

• Destination-IP is the default flow mask mode and is the least specific flow mask. This mode is used if no access lists are configured on any of the MLS router interfaces.

• Source-Destination-IP is the mode in which the MLS-SE maintains one entry for each source and destination IP address pair. All flows between a given source and destination use this MLS entry regardless of the IP protocol ports. This mode is used if a standard access list is on any of the MLS interfaces.

• IP-Flow represents the most specific flow mask. An IP-Flow entry includes the source IP address, destination IP address, protocol, and protocol ports. This mode is used if there is an extended access list on any MLS interface.

When the MLS-SE flow mask changes, the entire MLS cache is purged. You can also set the flow mask on the MLS-SE directly, without applying an access list to any route processor interface. To do so, enter the following command in privileged mode:

set mls flow [ destination | destination-source | full ]

The destination keyword applies Destination-IP mode, the destination-source keyword applies Source-Destination-IP mode, and the full keyword applies IP-Flow mode.
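The following is an added worked example, not text or code from the original section: a small Python model of the three rules above, namely how an MLS-RP's access lists decide which flow mask it advertises, how the MLS-SE settles on the most specific mask learned from several MLS-RPs, and which packet fields are compared against an MLS cache entry under each mask. The names FlowMask, mask_for_interface_acls, select_flow_mask, flow_key and MlsCache, and the sample addresses, are assumptions made for this illustration and are not Cisco identifiers. The example also shows why the mask matters: under the Destination-IP mask a cache entry created by one source is matched by any other source sending to that destination, which is exactly what a more specific mask (and the cache purge on a mask change) prevents once an access list is in place.

```python
"""Added example (not from the original section): a model of MLS-SE flow-mask
selection and MLS cache matching. All names here are illustrative assumptions."""
from dataclasses import dataclass
from enum import IntEnum


class FlowMask(IntEnum):
    # Ordered least- to most-specific, so max() yields the most specific mask.
    DESTINATION_IP = 1         # set mls flow destination
    SOURCE_DESTINATION_IP = 2  # set mls flow destination-source
    IP_FLOW = 3                # set mls flow full


def mask_for_interface_acls(acl_types):
    """Flow mask an MLS-RP advertises, given the kinds of access lists
    ('standard' or 'extended') configured on its MLS interfaces."""
    if "extended" in acl_types:
        return FlowMask.IP_FLOW
    if "standard" in acl_types:
        return FlowMask.SOURCE_DESTINATION_IP
    return FlowMask.DESTINATION_IP  # no access lists: least specific mask


def select_flow_mask(rp_masks):
    """The MLS-SE keeps one flow mask for all MLS-RPs it services: the most
    specific mask it has learned through MLSP."""
    return max(rp_masks, default=FlowMask.DESTINATION_IP)


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


def flow_key(pkt, mask):
    """Packet fields compared with an MLS cache entry under the given mask."""
    if mask == FlowMask.DESTINATION_IP:
        return (pkt.dst,)
    if mask == FlowMask.SOURCE_DESTINATION_IP:
        return (pkt.src, pkt.dst)
    return (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)


class MlsCache:
    """Illustrative MLS cache: entries keyed by flow_key under the current mask."""

    def __init__(self, mask=FlowMask.DESTINATION_IP):
        self.mask = mask
        self.entries = {}

    def set_mask(self, mask):
        # A flow mask change purges the entire MLS cache.
        if mask != self.mask:
            self.entries.clear()
            self.mask = mask

    def install(self, pkt, rewrite):
        self.entries[flow_key(pkt, self.mask)] = rewrite

    def lookup(self, pkt):
        return self.entries.get(flow_key(pkt, self.mask))


def demo():
    """Constructed scenario: two hosts send to the same server on TCP port 80."""
    a = Packet("10.0.0.1", "10.0.1.5", "tcp", 40000, 80)
    b = Packet("10.0.0.2", "10.0.1.5", "tcp", 40001, 80)
    cache = MlsCache()
    cache.install(a, "rewrite-for-a")
    hit_under_destination_mask = cache.lookup(b)  # b matches a's entry

    # A second MLS-RP with a standard ACL advertises a more specific mask;
    # the MLS-SE adopts it and the cache is purged.
    learned = [mask_for_interface_acls([]), mask_for_interface_acls(["standard"])]
    cache.set_mask(select_flow_mask(learned))
    entries_after_purge = len(cache.entries)
    cache.install(a, "rewrite-for-a")
    hit_under_src_dst_mask = cache.lookup(b)  # different source: no match
    return {
        "mask": cache.mask,
        "hit_under_destination_mask": hit_under_destination_mask,
        "entries_after_purge": entries_after_purge,
        "hit_under_src_dst_mask": hit_under_src_dst_mask,
    }


if __name__ == "__main__":
    print(demo())
```

Running the module shows the first lookup for host b succeeding under the Destination-IP mask, an empty cache immediately after the mask changes to Source-Destination-IP, and the same lookup missing afterwards.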