Standard and Extended Access Lists
Note
Router interfaces with input access lists cannot participate in MLS. However, any input access list can be translated to an output access list to provide the same effect on the interface. For complete details on how input and output access lists affect MLS, see Chapter 13, "Configuring Multilayer Switching."
MLS allows you to enforce access lists on every packet of the flow without compromising MLS performance. When you enable MLS, standard and extended access lists are handled at wire speed by the MLS-SE. Access lists configured on the MLS-RP take effect automatically on the MLS-SE. Additionally, route topology changes and the addition of access lists are reflected in the switching path of MLS.
Consider the case where an access list is configured on the MLS-RP to deny access from station A to station B. When station A wants to talk to station B, it sends the first packet to the MLS-RP. The MLS-RP receives this packet and checks to see if this packet flow is permitted. If an access control list is configured for this flow, the packet is discarded. Because the first packet for this flow does not return from the MLS-RP, an MLS cache entry is not established by the MLS-SE.
In another case, access lists are introduced on the MLS-RP while the flow is already being Layer 3 switched within the MLS-SE. The MLS-SE immediately enforces security for the affected flow by purging it.
Similarly, when the MLS-RP detects a routing topology change, the appropriate MLS cache entries are deleted in the MLS-SE. The techniques for handling route and access list changes apply to both the RSM and directly attached external routers.