Yes, sure, and I thought I answered you there:
"forbid arp resolution for block addresses..."
and in my example I needed to add this:
ip access-list ext IP
permit ip 192.168.10.0 0.0.0.255 any
!
match ip address IP
and we get this:
LABSW1#sh vlan access-map block_arp
Vlan access-map "block_arp" 10
Match clauses:
ip address: IP
mac address: ARP_Packet
Action:
drop
Vlan access-map "block_arp" 20
Match clauses:
Action:
forward
LABSW1#sh access-l
Extended IP access list IP
10 permit ip 192.168.10.0 0.0.0.255 any
Extended MAC access list ARP_Packet
permit any any 0x806 0x0
But I guess that my answer is almost useless, because the logic inside the entry
"vlan access-map "block_arp" 10" will be OR and not AND.
Thus there is one answer - Cisco gave us this option for a certain
convenience, so that we would not have to add extra config lines
"vlan access-map <MAP> <NUMBER>" and "action drop" if we have to match by
ethertype and address+port at the same time.
Sorry, I see no other explanation.
On Thu, Sep 8, 2011 at 3:40 PM, Kingsley Charles <[email protected]> wrote:
> Actually I wanted to know the use case of having mac and ip acl as matching
> criteria in the same VACL entry.
>
>
--
Best regards,
Andrey