Cisco Support Community

MLS and access lists

Why does the keyword "log" on an access list on a VLAN router interface always disable MLS on your switch? The question is not as simple as it sounds, and here is a suggestion for the product developers. But first, let me summarise how MLS works:

When you enable MLS, the first packet of each flow is passed from the switch to the router, routed back on the destination VLAN, and sent back to the switch. The switch then creates an MLS cache entry, which allows subsequent packets to take the shortcut without being sent to the router.

So what happens if you put an access-list in the router? Well, if the first packet of the flow is permitted by the access-list, then it will get routed, and the MLS cache entry is created, enabling the shortcut. If, on the other hand, the access-list denies the first packet, then it will not be routed, and the MLS cache entry is not confirmed. Therefore, only the "permit" packets create cache entries, while "deny" packets all get passed to the router, where they can be ... well .... denied.

So, what happens if one of the lines in your access list has the "log" keyword? Well, according to Cisco logic, the router has been asked to log all matching packets, so it cannot allow the switch to create any MLS cache entries.

But I think this only applies if the "log" keyword is on a "permit" line. I think that if the "log" keyword appears only on the "deny" lines in the ACL, then it would be perfectly OK for the switch to do MLS. Let us consider an ACL with the "log" keyword on one of its "deny" lines, and no "log" on any "permit" line. If the flow is permitted, then the first packet will be sent to the router, routed back again, and will form a cache entry in the normal way; from then on the switch does MLS. If the flow is denied, then the first packet will be sent to the router, where it will be blocked and logged, but will not be able to complete an MLS cache entry.

Furthermore, you are much more likely to want to put "log" on your "deny" lines than on your "permit" lines. MLS is safe for "log"+"deny" access list entries, but not for "log"+"permit" entries. But the actual behaviour is that any "log" keyword will prevent MLS from working.

Does anyone agree? Does anyone understand what I am saying?

Best regards,

Kevin Dorrell,
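
The argument in the post above can be checked with a small model. This is an added example, not part of the original post and not Cisco code: it simulates a switch that keeps MLS enabled even when the ACL contains "log" (the behaviour the post proposes, not what the switch actually does) and counts how many matching packets the router gets to log. The flow key (source, destination, destination port), the port-only ACL match and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    dst_port: Optional[int]      # None matches any port (simplified match)
    log: bool = False

@dataclass
class MlsModel:
    acl: list
    cache: set = field(default_factory=set)  # flows the switch shortcuts
    matched: int = 0             # packets that matched a "log" entry
    logged: int = 0              # of those, packets the router actually saw

    def _match(self, pkt):
        for ace in self.acl:
            if ace.dst_port in (None, pkt[2]):
                return ace
        return Ace("deny", None)             # implicit deny, never logged

    def send(self, pkt):
        ace = self._match(pkt)
        if ace.log:
            self.matched += 1
        if pkt in self.cache:                # shortcut: router never sees it
            return "switched"
        if ace.log:
            self.logged += 1                 # router handled this packet
        if ace.action == "deny":
            return "dropped"                 # cache entry is never completed
        self.cache.add(pkt)                  # first permitted packet of a flow
        return "routed"

def run(acl, packets):
    model = MlsModel(acl)
    return [model.send(p) for p in packets], model.matched, model.logged

# Constructed sample traffic: one flow to port 80, one to port 23, 3 packets each.
WEB, TELNET = ("10.1.1.5", "10.2.2.9", 80), ("10.1.1.5", "10.2.2.9", 23)
PACKETS = [WEB, TELNET, WEB, TELNET, WEB, TELNET]
LOG_ON_DENY = [Ace("deny", 23, log=True), Ace("permit", None)]
LOG_ON_PERMIT = [Ace("permit", 80, log=True)]   # everything else: implicit deny

if __name__ == "__main__":
    for name, acl in (("log on deny", LOG_ON_DENY), ("log on permit", LOG_ON_PERMIT)):
        results, matched, logged = run(acl, PACKETS)
        print(f"{name}: {results} matched={matched} logged={logged}")
```

With "log" only on the deny line every matching packet still reaches the router and is logged; with "log" on the permit line only the first packet of the flow is logged and the rest bypass the router.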



Re: MLS and access lists

Makes perfect sense. Probably was just a shortcut or perhaps some code quirk that isn't apparent to the casual observer.

Or perhaps it was done intentionally so no one would get a false sense of security. Say someone implements a list with a deny + log statement towards the bottom of the list. A permit statement towards the beginning of the list allows the flow. The list is never again referenced. A packet that normally would have been denied is allowed because of the cached flow. Someone comes along checking the "hits" on that deny statement. It reads zero.

Just a thought.

Re: MLS and access lists

Makes good sense...



Re: MLS and access lists

Moderator: Is there any way this can be passed to your product engineering people as a suggestion? What is the correct procedure?

Kevin Dorrell,


Re: MLS and access lists

Product enhancement requests can be formally made through the Cisco Technical Assistance Center ( or through your local Cisco Sales office. Once filed, you will be given a bug id number which you can track using Bug Toolkit (

I will informally forward your posting to the product team but strongly recommend you go through the process outlined above.

Thank you for posting.

-Cisco Moderator
