Example 11-7 Sample show mls entry Output When Using a Full Flow Mask

Cat-A> (enable) show mls entry
Destination IP  Source IP  Prot DstPrt SrcPrt Destination Mac    Vlan Port
--------------------------------------------------------------------------
MLS-RP 10.0.1.1:
10.0.1.2        10.0.2.2   TCP  11778  69     00-00-0c-7c-3c-90  1    2/16
10.0.2.2        10.0.1.3   TCP  110    11004  00-00-0c-5d-0b-f4  2    2/17
10.0.2.2        10.0.1.2   TCP  69     11778  00-00-0c-5d-0b-f4  2    2/17
10.0.1.2        10.0.2.2   TCP  65026  SMTP   00-00-0c-7c-3c-90  1    2/16
10.0.1.3        10.0.2.2   TCP  11002  Telnet 00-60-3e-26-96-00  1    2/15
10.0.1.2        10.0.2.2   TCP  12290  110    00-00-0c-7c-3c-90  1    2/16
10.0.1.2        10.0.2.2   TCP  11266  WWW    00-00-0c-7c-3c-90  1    2/16
10.0.1.2        10.0.2.2   TCP  64514  FTP    00-00-0c-7c-3c-90  1    2/16
10.0.2.2        10.0.1.2   TCP  FTP    64514  00-00-0c-5d-0b-f4  2    2/17
10.0.2.2        10.0.1.3   TCP  69     11005  00-00-0c-5d-0b-f4  2    2/17
10.0.2.2        10.0.1.2   TCP  WWW    63490  00-00-0c-5d-0b-f4  2    2/17
10.0.2.2        10.0.1.3   TCP  9      11001  00-00-0c-5d-0b-f4  2    2/17
10.0.2.2        10.0.1.3   ICMP -      -      00-00-0c-5d-0b-f4  2    2/17
10.0.1.2        10.0.2.2   TCP  62978  9      00-00-0c-7c-3c-90  1    2/16
10.0.1.2        10.0.2.2   TCP  64002  20     00-00-0c-7c-3c-90  1    2/16
10.0.2.2        10.0.1.2   TCP  Telnet 62466  00-00-0c-5d-0b-f4  2    2/17
10.0.1.2        10.0.2.2   TCP  63490  WWW    00-00-0c-7c-3c-90  1    2/16
10.0.1.2        10.0.2.2   TCP  62466  Telnet 00-00-0c-7c-3c-90  1    2/16
10.0.2.2        10.0.1.3   TCP  Telnet 11002  00-00-0c-5d-0b-f4  2    2/17
10.0.2.2        10.0.1.2   TCP  WWW    11266  00-00-0c-5d-0b-f4  2    2/17
10.0.1.3        10.0.2.2   TCP  11004  110    00-60-3e-26-96-00  1    2/15
10.0.2.2        10.0.1.2   TCP  SMTP   65026  00-00-0c-5d-0b-f4  2    2/17
10.0.1.3        10.0.2.2   TCP  11005  69     00-60-3e-26-96-00  1    2/15
10.0.2.2        10.0.1.2   TCP  110    12290  00-00-0c-5d-0b-f4  2    2/17
10.0.2.2        10.0.1.3   TCP  WWW    11003  00-00-0c-5d-0b-f4  2    2/17
10.0.1.3        10.0.2.2   TCP  11003  WWW    00-60-3e-26-96-00  1    2/15
10.0.2.2        10.0.1.2   TCP  20     64002  00-00-0c-5d-0b-f4  2    2/17
10.0.1.3        10.0.2.2   ICMP -      -      00-60-3e-26-96-00  1    2/15
10.0.1.3        10.0.2.2   TCP  11001  9      00-60-3e-26-96-00  1    2/15
10.0.2.2        10.0.1.2   TCP  9      62978  00-00-0c-5d-0b-f4  2    2/17

Notice that Example 11-7 includes every pair of communicating applications (both IP addresses and port numbers are considered). Also notice that none of the fields include a Last Used header because all of the individual flows are fully accounted for.

The multiple flow masks allow the NFFC to track information at a sufficient level of granularity to ensure that denied packets do not slip through using a pre-existing shortcut entry. However, to be truly secure, input access lists need to process every packet. As a result, configuring an input access list on a router interface disables MLS on that interface. An optional parameter introduced in 12.0 IOS images allows input access lists to coexist with MLS at the expense of some security risk. To enable this feature, specify the input-acl parameter on the end of the mls rp ip global router command (Step 1 in the five-step router configuration process discussed later).
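The following is an added illustration of why flow-mask granularity matters; it is not code from the book or from Cisco software. It parses a constructed excerpt of the show mls entry rows above and checks whether a new packet would be switched by an already-cached shortcut under each of the three MLS flow masks (the mask names destination-ip, source-destination-ip and ip-flow are assumed here from the MLS feature set, not taken from this page).

```python
# Constructed excerpt of "show mls entry" rows (same column order as the example above:
# Destination IP, Source IP, Prot, DstPrt, SrcPrt, Destination Mac, Vlan, Port).
SAMPLE_ROWS = """\
10.0.1.2   10.0.2.2   TCP  11778  69     00-00-0c-7c-3c-90  1  2/16
10.0.2.2   10.0.1.3   TCP  110    11004  00-00-0c-5d-0b-f4  2  2/17
10.0.1.2   10.0.2.2   TCP  65026  SMTP   00-00-0c-7c-3c-90  1  2/16
10.0.2.2   10.0.1.3   ICMP -      -      00-00-0c-5d-0b-f4  2  2/17
"""

# Service names the switch prints in place of well-known port numbers.
PORT_NAMES = {"FTP": 21, "Telnet": 23, "SMTP": 25, "WWW": 80}

# Fields that make up a shortcut key under each flow mask, coarsest to finest.
# (Mask names are an assumption of this example, not quoted from the page.)
FLOW_MASKS = {
    "destination-ip": ("dst",),
    "source-destination-ip": ("dst", "src"),
    "ip-flow": ("dst", "src", "proto", "dport", "sport"),
}

def parse_port(tok):
    """'-' (no port, e.g. ICMP) -> None; numeric -> int; service name -> number."""
    if tok == "-":
        return None
    return int(tok) if tok.isdigit() else PORT_NAMES[tok]

def parse_entries(text):
    """Turn show mls entry data rows into dicts; non-data lines are skipped."""
    entries = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8:
            continue
        entries.append({"dst": f[0], "src": f[1], "proto": f[2],
                        "dport": parse_port(f[3]), "sport": parse_port(f[4]),
                        "mac": f[5], "vlan": int(f[6]), "port": f[7]})
    return entries

def shortcut_key(flow, mask):
    return tuple(flow[field] for field in FLOW_MASKS[mask])

def existing_shortcut(entries, mask, packet):
    """Return the cached entry that would switch this packet under `mask`, else None."""
    key = shortcut_key(packet, mask)
    return next((e for e in entries if shortcut_key(e, mask) == key), None)

if __name__ == "__main__":
    cache = parse_entries(SAMPLE_ROWS)
    # A new flow to port 9 on 10.0.2.2: a coarse mask lets it ride the port-110 shortcut,
    # while the full ip-flow mask sends it to the router (and its access list) first.
    pkt = {"dst": "10.0.2.2", "src": "10.0.1.3", "proto": "TCP", "dport": 9, "sport": 11001}
    for mask in FLOW_MASKS:
        print(mask, "->", existing_shortcut(cache, mask, pkt))
```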
