There was a typo in the second case; the corrected version is below:

*Working*

class-map match-any ipf
match protocol telnet
match protocol http

policy-map ipf
class ipf
drop

*Non-working*

class-map match-all ipf
match protocol telnet
match protocol http

policy-map ipf
class ipf
drop

With regards
Kings

On Fri, May 20, 2011 at 12:58 PM, Kingsley Charles <[email protected]> wrote:

> Hi all
>
> I was trying another lab and observed a similar behavior again. It's seen
> both with physical interface and control plane.
>
> With access-list, if you are matching multiple access-lists, it seems we
> need match-all. When we use multiple "match protocol", "match-any" works as
> expected.
>
> Similarly for CPPr port filter, we required "match-all" which we previously
> discussed.
>
> *Working*
>
> access-list 1 permit 10.20.30.0 0.0.0.255 log
> access-list 2 permit any log
>
> class-map match-all ipf
> match access-group 2
> match not access-group 1
>
> policy-map ipf
> class ipf
> drop
>
> *Non-working*
>
> access-list 1 permit 10.20.30.0 0.0.0.255 log
> access-list 2 permit any log
>
> class-map match-any ipf
> match access-group 2
> match not access-group 1
>
> policy-map ipf
> class ipf
> drop
>
> *Working*
>
> class-map match-any ipf
> match protocol telnet
> match not protocol http
>
> policy-map ipf
> class ipf
> drop
>
> *Non-working*
>
> class-map match-all ipf
> match protocol telnet
> match not protocol http
>
> policy-map ipf
> class ipf
> drop
>
> With regards
> Kings
>
> ---------- Forwarded message ----------
> From: Tyson Scott <[email protected]>
> Date: Sun, May 8, 2011 at 7:48 PM
> Subject: Re: [OSL | CCIE_Security] match-all or match-any for control-plane port-filter
> To: Jim Terry <[email protected]>, Kingsley Charles <[email protected]>
> Cc: "[email protected]" <[email protected]>
>
> I am confirming PF requires match-all. Others' comments are correct.
>
> Regards,
>
> Tyson Scott
> CCIE # 13513 (R&S, Security, SP)
> Managing Partner/Technical Instructor - IPexpert Inc.
> [email protected]
>
> ----- Reply message -----
> From: "Jim Terry" <[email protected]>
> Date: Sun, May 8, 2011 12:10 am
> Subject: [OSL | CCIE_Security] match-all or match-any for control-plane port-filter
> To: "Kingsley Charles" <[email protected]>
> Cc: "[email protected]" <[email protected]>
>
> Hi all,
>
> I thought I would add my confusion on this thread of
> match-all/match-any.....
>
> I have not labbed this scenario; but the last time I looked at this I tried
> match-any (which in my mind should work) but I had to do match-all for it to
> work with the port-filter.
>
> JT
>
> On Sat, May 7, 2011 at 12:37 AM, Kingsley Charles <[email protected]> wrote:
>
> > Hi all
> >
> > Should we use "match-all" or "match-any", when using multiple criteria in
> > the port-filter class-map. I thought "any" was the correct one.
> >
> > Snippet from
> > http://www.cisco.com/en/US/docs/ios/qos/configuration/guide/ctrl_plane_prot_ps6441_TSD_Products_Configuration_Guide_Chapter.html
> >
> > Router(config)# class-map type port-filter pf-class
> > Router(config-cmap)# match not port udp 123
> > Router(config-cmap)# match closed-ports
> > Router(config-cmap)# exit
> > Router(config)# policy-map type port-filter pf-policy
> > Router(config-pmap)# class pf-class
> > Router(config-pmap-c)# drop
> > Router(config-pmap-c)# end
> >
> > With regards
> > Kings
> >
> > _______________________________________________
> > For more information regarding industry leading CCIE Lab training, please
> > visit www.ipexpert.com
> >
> > Are you a CCNP or CCIE and looking for a job? Check out
> > www.PlatinumPlacement.com <http://www.platinumplacement.com/>
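
An added illustration, not part of the thread and not IOS code: a small Python model of the port-filter class-map quoted from the Cisco guide, assuming match-all combines the match statements with logical AND, match-any with logical OR, and `match not` inverts one criterion. The packets, their names and the `port_open` flag are constructed sample values.

```python
from typing import Callable, NamedTuple

class Packet(NamedTuple):
    proto: str        # "tcp" or "udp"
    dport: int        # destination port on the router
    port_open: bool   # True if a local process listens on dport

class Match(NamedTuple):
    test: Callable[[Packet], bool]
    negate: bool = False          # models "match not ..."

    def hit(self, pkt: Packet) -> bool:
        return self.test(pkt) != self.negate

def classify(mode: str, matches: list, pkt: Packet) -> bool:
    """True if pkt falls into the class (and is therefore dropped)."""
    if mode not in ("match-all", "match-any"):
        raise ValueError(f"unknown class-map mode: {mode}")
    combine = all if mode == "match-all" else any   # AND vs OR
    return combine(m.hit(pkt) for m in matches)

# class-map type port-filter pf-class, as in the quoted snippet
PF_CLASS = [
    Match(lambda p: (p.proto, p.dport) == ("udp", 123), negate=True),  # match not port udp 123
    Match(lambda p: not p.port_open),                                  # match closed-ports
]

# Constructed sample traffic aimed at the control plane
PACKETS = {
    "ntp-open":      Packet("udp", 123, True),
    "ntp-closed":    Packet("udp", 123, False),
    "ssh-open":      Packet("tcp", 22, True),
    "telnet-closed": Packet("tcp", 23, False),
    "snmp-closed":   Packet("udp", 161, False),
}

def dropped(mode: str) -> list:
    """Names of the sample packets the policy would drop under this mode."""
    return sorted(n for n, p in PACKETS.items() if classify(mode, PF_CLASS, p))

if __name__ == "__main__":
    for mode in ("match-all", "match-any"):
        print(mode, "drops:", dropped(mode))
```

In this model match-all drops only closed-port traffic other than UDP 123, while match-any also drops traffic to the open SSH port, because "not UDP 123" alone is enough to match.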
