It should be an AND operation between entries that are on two different lines and an OR operation if the entries are on the same line.

Thus in your example, the access-list IP and ARP_Packet should be ANDed.

With regards
Kings

On Thu, Sep 8, 2011 at 4:34 PM, Andrey <[email protected]> wrote:

> Yes, sure and I thought I answered you there:
> "forbid arp resolution for block addresses..."
> and in my example needed to add this:
>
> ip access-list ext IP
>  permit ip 192.168.10.0 0.0.0.255 any
> !
> match ip address IP
>
> and we get this:
>
> LABSW1#sh vlan access-map block_arp
> Vlan access-map "block_arp" 10
>   Match clauses:
>     ip address: IP
>     mac address: ARP_Packet
>   Action:
>     drop
> Vlan access-map "block_arp" 20
>   Match clauses:
>   Action:
>     forward
>
> LABSW1#sh access-l
> Extended IP access list IP
>     10 permit ip 192.168.10.0 0.0.0.255 any
> Extended MAC access list ARP_Packet
>     permit any any 0x806 0x0
>
> BUT I guess that my answer is almost useless because the logic inside entry
> "vlan access-map "block_arp" 10" will be OR and not AND.
> Thus there is one answer - Cisco gave us this option for certain
> facilities that we would not have to add extra lines config
> "vlan access-map <MAP> <NUMBER>" and "action drop" if we have to match by
> ethertype and address+port at the same time.
> Sorry, I see no other explanation.
>
>
> On Thu, Sep 8, 2011 at 3:40 PM, Kingsley Charles <[email protected]> wrote:
>
>> Actually I wanted to know the use case of having mac and ip acl as
>> matching criteria in the same VACL entry.
>>
>>
> --
> Best regards,
> Andrey
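An added example, not part of the thread and not Cisco's implementation: a small Python model of entry 10 of the block_arp map, run over constructed frames under both the AND and the OR reading discussed above. It assumes the IP ACL only ever matches IPv4 frames and that the MAC ACL matches on EtherType alone with mask 0x0 meaning an exact match; the frame labels and helper names are hypothetical.

```python
import ipaddress

ETH_IPV4, ETH_ARP = 0x0800, 0x0806

# Constructed frames: (label, ethertype, source IPv4 or None for non-IP frames).
FRAMES = [
    ("arp-from-blocked", ETH_ARP, None),
    ("ipv4-from-blocked", ETH_IPV4, "192.168.10.25"),
    ("ipv4-from-other", ETH_IPV4, "10.1.1.5"),
    ("ipv6", 0x86DD, None),
]

def wildcard_match(addr, base, wildcard):
    """Cisco-style wildcard compare: bits set in the wildcard are ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)

def ip_acl(frame):
    """'permit ip 192.168.10.0 0.0.0.255 any'; assumed to match IPv4 frames only."""
    _, ethertype, src = frame
    return ethertype == ETH_IPV4 and wildcard_match(src, "192.168.10.0", "0.0.0.255")

def mac_acl(frame):
    """'permit any any 0x806 0x0'; assumed exact EtherType match on ARP."""
    return frame[1] == ETH_ARP

def vacl_action(frame, combine):
    """Entry 10 drops on a match; entry 20 has no match clause and forwards."""
    if combine(ip_acl(frame), mac_acl(frame)):
        return "drop"
    return "forward"

def evaluate(combine):
    """Return {frame label: action} for one reading of the match logic."""
    return {f[0]: vacl_action(f, combine) for f in FRAMES}

def AND(a, b):
    return a and b

def OR(a, b):
    return a or b

if __name__ == "__main__":
    for name, op in (("AND", AND), ("OR", OR)):
        print(name, evaluate(op))
```

Under these assumptions the AND reading drops nothing, because no frame is both IPv4 and ARP, while the OR reading drops every ARP frame as well as IPv4 traffic sourced from 192.168.10.0/24.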
