From CertCities.com
Column
Link State Update
Router, in a Card, on a Card, in a Slot, on a Switch
Want to forward 15 million packets per second? Then the MSFC routing "daughter card" is for you.

by Eric Quinn - courtesy of TCPmag.com

10/1/2000 -- If you ask someone--better make it a Cisco someone--what an MSFC is, you'll most likely get a blank look.

If the person does attempt to answer, the response will most likely be something that's technically accurate but absolutely useless, along the lines of, "It's part of a high-end switch."

So, what is an MSFC? A Multilayer Switch Feature Card (MSFC) is a routing daughter card that sits on the supervisor module of a 6000 or 6500 series switch and works with a piece called the PFC. No, not a Private First Class. The PFC is the Policy Feature Card. The cool thing about the PFC is packet filtering, which I'll talk more about shortly.

If you've gone through the CLSC or BCMSN courses or exams, then you're probably familiar with a Route Switch Module (RSM). The RSM from a 5000-series Catalyst switch isn't much smaller than the blade off a guillotine, which is why these modules are often called blades. They do the same work as a regular router (e.g., they route), but because an RSM is a part of the switch, it doesn't have physical ports. Well, actually, it does--but not at the level you'd normally think. Instead, it uses VLAN ports that are then matched up with the VLANs created on the switch, allowing the RSM to route VLAN traffic.

Still with me? Good. Now, if you shrink an RSM down to a card the size of a NIC and then attach it directly to the supervisor card, you get an MSFC.

You may see a potential problem here. In order to get redundancy in a Catalyst 5000 with an RSM, you need two Supervisor modules--both have the capability of working with the single RSM. You could also have RSM redundancy, but you don't have a single point of failure. With the router now sitting on the Supervisor, if the Supervisor card goes, so does your router. This means you need to have two Supervisor cards, each with MSFCs on board. As anyone who has had to outfit a 6509 for redundancy can tell you, this gets expensive fast!

Benefits of MSFC
What does an MSFC card give you that the old RSM didn't? The first thing that most people latch on to is up to 15 million packets per second of forwarding while attached to a 32 gigabit backplane! MSFC can also do regular routing and packet filtering with Access Control Lists (ACLs). But beyond the basic access lists, you can also configure dynamic and reflexive lists. The most interesting list is called a VLAN Access Control List (VACL), which requires the PFC.

As more and more people think they're qualified to make changes willy-nilly on their work PCs, the frequency of rogue DHCP servers is increasing. (I can see several heads nodding at this last statement.) There are a couple of ways of dealing with this, and one is using tried and true basic Extended Access Lists. This method works fine, except it's rather process intensive and won't filter any packets that stay on the same VLAN they originated on.

If you're using an Extended Access List, how do you filter a packet that doesn't touch the router? You don't, so you need to configure a list off the router. With regards to the rogue DHCP problem, you'd be able to specify that only a certain device is able to forward a response to a DHCP client request through the switch.
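The rogue DHCP filter described above could look like the following VACL. This is an added example, not part of the original column: it assumes the supervisor runs Catalyst OS (the `set security acl` command set), and the ACL name DHCPGUARD, the server address 192.0.2.10 and VLAN 10 are constructed values. Lines starting with `!` are annotations for the reader.

```cisco
! DHCP servers answer clients on UDP destination port 68.
! 1. Let the one sanctioned server (constructed address) answer clients.
set security acl ip DHCPGUARD permit udp host 192.0.2.10 any eq 68

! 2. Drop DHCP replies from every other source in the VLAN.
!    Client requests go to UDP port 67, so they are not matched here.
set security acl ip DHCPGUARD deny udp any any eq 68

! 3. A VACL ends with an implicit deny, so explicitly allow all
!    remaining IP traffic or the VLAN stops passing anything else.
set security acl ip DHCPGUARD permit ip any any

! 4. Commit the edited list so it is written to hardware.
commit security acl DHCPGUARD

! 5. Map the list to the VLAN. Because it is applied to the VLAN and not
!    to a routed interface, it also filters packets that never leave
!    the VLAN they originated on.
set security acl map DHCPGUARD 10
```

Entry order matters: the permit for the sanctioned server must precede the general deny, because the first matching entry decides what happens to the packet.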

For more information on the packet filtering capabilities of the 6000-series switch, check out this Cisco page on configuring ACLs: www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/sw_5_4/msfc/acc_list.htm.

Reprinted from TCPmag.com, October 2000.


Eric Quinn, CCNP, CCDP, CCSI, is a security instructor and consultant. He is also co-author of the CCNP Remote Access Exam Cram by Coriolis Press. He writes the “Link State Update” column for TCPmag.com, and is a contributing editor for CertCities.com.

 

 

Copyright 2000-2009, 101communications LLC.