Access Control Lists (ACLs)
It's not unusual to want to use an access control list (ACL) to filter traffic from one VLAN to another, especially if one VLAN needs higher security than the others. The problem is that you usually want every packet to be examined by the access control list, but with MLS the switch forwards only the first packet of each flow to the router and switches the rest itself.

Until IOS release 12.0(2), inbound access control lists were not supported with MLS: if a router interface had an inbound access control list applied, MLS was disabled. With versions after 12.0(2), inbound access control lists are supported, but the support is not enabled by default. Use the command mls rp ip input-acl from global configuration mode to enable the router to use MLS with inbound access control lists.

Outbound access control lists are a little more problematic. Although they have always been supported, applying the access control list to an interface clears the MLS cache entries for connections passing through that interface, so another packet must be forwarded to the router to start the MLS process again. Also, outbound lists that use any of the following functions disable MLS on the interface to which they are applied:

    TOS
    Established
    Log
    Precedence
    Reflexive

This is because these features require the router to examine every packet. Since these features tend to be more security related than a simple access control list often is, using them disables MLS on the interface in question.
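To turn the rules above into something you can check against a configuration before rolling it out, here is an added example that is not part of the original article: a small Python audit that parses a constructed IOS-style configuration and reports, per interface, whether MLS shortcut switching can still work. Beyond what the article states, it assumes the global command mls rp ip (a real IOS command the article does not mention) as the switch that turns MLS on at all, and it treats the IOS keywords reflect and evaluate as the markers of a reflexive list; the sample configuration, addresses and ACL names are constructed for the example.

```python
from collections import defaultdict

# Keywords in an outbound ACL entry that force the router to look at every
# packet and therefore disable MLS on the interface (per the article: TOS,
# Established, Log, Precedence, Reflexive). 'reflect'/'evaluate' are the IOS
# keywords for reflexive lists (assumption beyond the article's wording).
MLS_DISABLING_KEYWORDS = {"tos", "established", "log", "log-input",
                          "precedence", "reflect", "evaluate"}

# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
! constructed sample configuration
mls rp ip
mls rp ip input-acl
!
access-list 101 permit tcp any 10.1.20.0 0.0.0.255 eq 443
access-list 101 deny ip any any
!
ip access-list extended SERVERS-OUT
 permit tcp any any established
 deny ip any any log
!
interface Vlan10
 ip address 10.1.10.1 255.255.255.0
 ip access-group 101 in
!
interface Vlan20
 ip address 10.1.20.1 255.255.255.0
 ip access-group SERVERS-OUT out
!
"""


def parse_config(text):
    """Return (global_flags, acls, interfaces).

    global_flags: set containing 'mls' and/or 'input-acl' when the matching
                  global commands are present
    acls:         ACL name/number -> list of entries (each a token list)
    interfaces:   interface name -> {'in': acl, 'out': acl} as applied
    """
    flags = set()
    acls = defaultdict(list)
    interfaces = {}
    current_if = current_acl = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        tokens = line.split()
        if not line.startswith(" "):          # top-level (global) command
            current_if = current_acl = None
            if tokens[0] == "interface":
                current_if = " ".join(tokens[1:])
                interfaces[current_if] = {}
            elif tokens[0] == "access-list":  # numbered ACL entry
                acls[tokens[1]].append(tokens[2:])
            elif tokens[:2] == ["ip", "access-list"]:  # named ACL header
                current_acl = tokens[3]
                acls.setdefault(current_acl, [])
            elif line == "mls rp ip input-acl":
                flags.add("input-acl")
            elif line == "mls rp ip":
                flags.add("mls")
            continue
        # indented sub-commands belong to the current interface or named ACL
        if current_if is not None and tokens[:2] == ["ip", "access-group"]:
            interfaces[current_if][tokens[3]] = tokens[2]   # direction -> ACL
        elif current_acl is not None:
            acls[current_acl].append(tokens)
    return flags, dict(acls), interfaces


def mls_status(flags, acls, interfaces):
    """Map interface name -> (mls_possible, [reasons it is not])."""
    report = {}
    for ifname, groups in interfaces.items():
        reasons = []
        if "mls" not in flags:
            reasons.append("mls rp ip is not enabled globally")
        if "in" in groups and "input-acl" not in flags:
            reasons.append("inbound ACL %s applied without 'mls rp ip input-acl'"
                           % groups["in"])
        if "out" in groups:
            for entry in acls.get(groups["out"], []):
                hit = MLS_DISABLING_KEYWORDS.intersection(entry)
                if hit:
                    reasons.append("outbound ACL %s uses %s"
                                   % (groups["out"], ", ".join(sorted(hit))))
                    break
        report[ifname] = (not reasons, reasons)
    return report


if __name__ == "__main__":
    flags, acls, interfaces = parse_config(SAMPLE_CONFIG)
    for ifname, (ok, reasons) in mls_status(flags, acls, interfaces).items():
        print("%-8s MLS %s" % (ifname, "possible" if ok else "disabled"))
        for reason in reasons:
            print("         - " + reason)
```

On the sample, Vlan10 keeps MLS because its inbound list is covered by the global input-acl command, while Vlan20 loses it because SERVERS-OUT uses the established keyword; removing mls rp ip input-acl from the configuration flips Vlan10 to disabled as well, which is the pre-12.0(2) behaviour the article describes. The keyword match is token-based, so an ACL whose name happens to equal one of the keywords would be flagged too; that is a deliberate bias toward reporting.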