Hi all

I was trying another lab and observed a similar behavior again. It's seen
both with a physical interface and the control plane.

With access-lists, if you are matching multiple access-lists, it seems we need
match-all. When we use multiple "match protocol" statements, "match-any" works as
expected.

Similarly, for the CPPr port filter, we required "match-all", which we previously
discussed.




*Working*

access-list 1 permit 10.20.30.0 0.0.0.255 log
access-list 2 permit any log

class-map match-all ipf
 match access-group 2
 match not access-group 1

policy-map ipf
class ipf
drop


*Non-working*


access-list 1 permit 10.20.30.0 0.0.0.255 log
access-list 2 permit any log

class-map match-any ipf
 match access-group 2
 match not access-group 1

policy-map ipf
class ipf
drop



*Working*

class-map match-any ipf
match protocol telnet
match not protocol http

policy-map ipf
class ipf
drop


*Non-working*


class-map match-all ipf
 match protocol telnet
 match not protocol http

policy-map ipf
class ipf
drop


With regards
Kings
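Added example (my own, not code from Kings or anyone else in the thread): a Python model of the access-group class-map above, using the semantics Cisco documents for MQC class-maps, where match-all is a logical AND of the match statements and match-any a logical OR, with "match not" inverting only its own statement. The ACL contents and the two sample source addresses are constructed; the model covers only the access-group case and says nothing about the NBAR "match protocol" case, where the thread reports the opposite outcome.

```python
import ipaddress

# Constructed model of the two numbered ACLs from the thread. Each entry is
# (action, network); every IOS ACL ends in an implicit deny.
ACLS = {
    1: [("permit", ipaddress.ip_network("10.20.30.0/24"))],  # access-list 1
    2: [("permit", ipaddress.ip_network("0.0.0.0/0"))],      # access-list 2 (permit any)
}

# The class-map body as a list of (negated, acl_id), i.e.
#   match access-group 2
#   match not access-group 1
CLASS_STATEMENTS = [(False, 2), (True, 1)]


def acl_permits(acl_id, src):
    """Return True if ACL acl_id permits the source address (first match wins)."""
    addr = ipaddress.ip_address(src)
    for action, net in ACLS[acl_id]:
        if addr in net:
            return action == "permit"
    return False  # implicit deny at the end of every IOS ACL


def class_matches(mode, statements, src):
    """Evaluate a class-map: match-all ANDs the statements, match-any ORs them.
    'match not' inverts the individual statement before the combination."""
    results = []
    for negated, acl_id in statements:
        hit = acl_permits(acl_id, src)
        results.append(not hit if negated else hit)
    if mode == "match-all":
        return all(results)
    if mode == "match-any":
        return any(results)
    raise ValueError(f"unknown class-map mode {mode!r}")


def policy_drops(mode, src):
    """True if 'policy-map ipf / class ipf / drop' would discard a packet from src."""
    return class_matches(mode, CLASS_STATEMENTS, src)


if __name__ == "__main__":
    # Constructed samples: one address inside 10.20.30.0/24, one outside it.
    samples = ["10.20.30.5", "192.0.2.1"]
    for mode in ("match-all", "match-any"):
        for src in samples:
            verdict = "drop" if policy_drops(mode, src) else "pass"
            print(f"{mode:9s} src={src:12s} -> {verdict}")
```

With match-all, only sources outside 10.20.30.0/24 are dropped, which is the intent of "permit any" combined with "not access-list 1". With match-any, "match access-group 2" is true for every source, so the OR is always true and the 10.20.30.0/24 traffic is dropped as well, which is exactly why the match-any version reads as non-working.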

---------- Forwarded message ----------
From: Tyson Scott <[email protected]>
Date: Sun, May 8, 2011 at 7:48 PM
Subject: Re: [OSL | CCIE_Security] match-all or match-any for control-plane
port-filter
To: Jim Terry <[email protected]>, Kingsley Charles <
[email protected]>
Cc: "[email protected]" <[email protected]>


I am confirming PF requires match-all. Others' comments are correct.

Regards,

Tyson Scott
CCIE # 13513 (R&S, Security, SP)
Managing Partner/Technical Instructor - IPexpert Inc.
[email protected]



----- Reply message -----
From: "Jim Terry" <[email protected]>
Date: Sun, May 8, 2011 12:10 am
Subject: [OSL | CCIE_Security] match-all or match-any for control-plane
port-filter
To: "Kingsley Charles" <[email protected]>
Cc: "[email protected]" <[email protected]>


Hi all,

I thought I would add my confusion on this thread of
match-all/match-any...

I have not labbed this scenario; but the last time I looked at this I tried
match-any (which in my mind should work) but I had to do match-all for it to
work with the port-filter.

JT




On Sat, May 7, 2011 at 12:37 AM, Kingsley Charles <
[email protected]> wrote:

> Hi all
>
> Should we use "match-all" or "match-any" when using multiple criteria in
> the port-filter class-map. I thought "any" was the correct one.
>
>
> Snippet from
>
http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/ctrl_plane_prot_ps6441_TSD_Products_Configuration_Guide_Chapter.html
>
> Router(config)# class-map type port-filter pf-class
>
> Router(config-cmap)# match not port udp 123
>
> Router(config-cmap)# match closed-ports
>
> Router(config-cmap)# exit
>
> Router(config)# policy-map type port-filter pf-policy
>
> Router(config-pmap)# class pf-class
>
> Router(config-pmap-c)# drop
>
> Router(config-pmap-c)# end
>
>
>
> With regards
> Kings
>
> _______________________________________________
> For more information regarding industry leading CCIE Lab training, please
> visit www.ipexpert.com
>
> Are you a CCNP or CCIE and looking for a job? Check out
> www.PlatinumPlacement.com <http://www.platinumplacement.com/>
>