Features That Affect MLS

This section describes how certain features affect MLS.

Access Lists

The following sections describe how access lists affect MLS.

Input Access Lists

Router interfaces with input access lists cannot participate in MLS. If you configure an input access list on an interface, all packets for a flow destined for that interface go through the router; even if the router permits the flow, it is not Layer 3 switched. Existing flows for that interface are purged and no new flows are cached.

Note

Any input access list can be translated to an output access list to provide the same effect on the interface.


Output Access Lists

If an output access list is applied to an interface, the MLS cache entries for that interface are purged. Entries associated with other interfaces are not affected; they follow their normal aging or purging procedures.

An interface cannot participate in MLS if the output access list applied to it is configured with the log, precedence, tos, or establish options.

Access List Impact on Flow Masks

Access lists affect the flow mask advertised by an MLS-RP. When there is no access list on any MLS-RP interface, the flow mask mode is destination-ip (the least specific). When there is a standard access list on any of the MLS-RP interfaces, the mode is source-destination-ip. When there is an extended access list on any of the MLS-RP interfaces, the mode is ip-flow (the most specific).

Reflexive Access Lists

Router interfaces with reflexive access lists cannot participate in Layer 3 switching.

IP Accounting

Enabling IP accounting on an MLS-enabled interface disables the IP accounting functions on that interface.

Note

To collect statistics for the Layer 3-switched traffic, enable NetFlow Data Export (NDE).


Data Encryption

MLS is disabled on an interface when the data encryption feature is configured on the interface.

Policy Route-Map

MLS is disabled on an interface when a policy route-map is configured on the interface.

TCP Intercept

With MLS interfaces enabled, the TCP intercept feature (enabled in global configuration mode) might not work properly. When you enable the TCP intercept feature, the following message displays:


Command accepted, interfaces with mls might cause inconsistent behavior.

Network Address Translation

MLS is disabled on an interface when Network Address Translation (NAT) is configured on the interface.

Committed Access Rate

MLS is disabled on an interface when Committed Access Rate (CAR) is configured on the interface.

Maximum Transmission Unit

The MTU for an MLS interface must be the default Ethernet MTU, 1500 bytes.

To change the MTU on an MLS-enabled interface, you must first disable MLS on the interface (enter no mls rp ip on the interface). If you attempt to change the MTU with MLS enabled, the following message displays:


Need to turn off the mls router for this interface first.

If you attempt to enable MLS on an interface that has an MTU value other than the default value, the following message will be displayed:


mls only supports interfaces with default mtu size
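The per-interface restrictions and the flow mask rule above can be checked against a saved configuration before MLS is enabled. The following is an added example, not part of the original document or Cisco tooling. It assumes the usual IOS command forms for each feature (ip access-group, ip nat, ip policy route-map, rate-limit, crypto map, mtu), treats any interface carrying mls rp ip as an MLS-RP interface, and does not inspect reflexive access lists or per-entry options such as log.

```python
import re

# Interface commands that, per the text above, keep an interface out of MLS.
BLOCKERS = [
    (r"ip access-group \S+ in$", "input access list"),
    (r"ip nat (inside|outside)$", "NAT"),
    (r"ip policy route-map \S+$", "policy route-map"),
    (r"rate-limit (input|output) ", "CAR"),
    (r"crypto map \S+", "data encryption"),
    (r"mtu (?!1500$)\d+$", "non-default MTU"),
]
MASKS = ("destination-ip", "source-destination-ip", "ip-flow")

def acl_rank(acl, named):
    """Return 1 for a standard ACL, 2 for extended (unknown names count as extended)."""
    if acl.isdigit():
        return 1 if int(acl) < 100 or 1300 <= int(acl) <= 1999 else 2
    return 1 if named.get(acl) == "standard" else 2

def audit(config):
    """Return (conflicts, flow_mask) for interfaces configured with 'mls rp ip'."""
    named = {name: kind for kind, name in
             re.findall(r"^ip access-list (standard|extended) (\S+)", config, re.M)}
    conflicts, rank = {}, 0
    for name, body in re.findall(r"^interface (.+)\n((?: .*\n?)*)", config, re.M):
        cmds = [c.strip() for c in body.splitlines()]
        if "mls rp ip" not in cmds:
            continue
        hits = [why for pat, why in BLOCKERS if any(re.match(pat, c) for c in cmds)]
        if hits:
            conflicts[name] = hits
        for c in cmds:
            m = re.match(r"ip access-group (\S+) (?:in|out)$", c)
            if m:
                rank = max(rank, acl_rank(m.group(1), named))
    return conflicts, MASKS[rank]

# Constructed sample configuration (not from the original page).
SAMPLE = """\
ip access-list standard MGMT
interface Vlan10
 mls rp ip
 ip access-group MGMT out
interface Vlan20
 mls rp ip
 ip access-group 150 in
 ip nat inside
 mtu 9000
"""
```

Calling audit(SAMPLE) reports Vlan20 as conflicting with MLS and gives ip-flow as the advertised flow mask, because an extended access list is present on an MLS-RP interface.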
