Labbed it and confirmed that it is ORed between the mac and ip ACL.

access-list 124 permit ip host 10.20.30.41 host 10.20.30.42
mac access-list extended r1r2
 permit any any 0x806 0x0

vlan access-map king 10
 action drop
 match mac address r1r2
 match ip address 124
vlan access-map king 20
 action forward

With regards
Kings

On Mon, Sep 12, 2011 at 12:59 PM, Kingsley Charles <[email protected]> wrote:

> Now consider the following configuration. In vlan access-map king 10, the
> operation is OR between "123" and "124". If there is no match for access-map
> 10, then it goes for access-map 20.
>
> vlan access-map king 10
>  action forward
>  match ip address 123 124
> vlan access-map king 20
>  action forward
>  match ip address 125
>
>
> The route-maps and vlan access-maps use nearly the same logic. In entry
> 10, either 123 or 124 should be matched which is OR operation and that is
> ANDed
> with match length. So either 123 + match length or 124 + match length is
> the matching criteria for entry 10.
>
> If there is no match for 10, 20 is checked for.
>
>
> route-map king permit 10
>  match ip address 123 124
>  match length 100 200
>
> route-map king permit 20
>  match ip address 125
>
>
> Now with vlan access-maps, you can't define two match criteria within an
> entry that can be ANDed like we do for route-maps. Hence there is concept of
> AND operation in vlan access map. The exception to this is the following one
> which has the match ip and mac. Since the match is in different lines, they
> should be ANDed.
>
> So my question, is the following valid which ANDs a mac IP and mac mac?
>
>
> vlan access-map king
>  action forward
>  match mac address macking
>  match ip address 123
>
>
>
> With regards
> KIngs
>
>
> On Sun, Sep 11, 2011 at 2:16 PM, Andrey <[email protected]> wrote:
>
>> Kingsley,
>>
>> I do not quite understand your interpretation of the rules,
>> just clarify how I understand:
>>
>> It is "OR" inside sequence of access-map,
>> and "AND" between sequences.
>>
>> Piotr,
>>
>> I agree with you in all except one -
>> "When a flow matches permit ACL entry, the associated action is taken and
>> the flow is not checked against the remaining sequences"
>>
>> My understanding - it is not checked against the remaining entries in same
>> sequence, but checked against the remaining sequences.
>>
>> Best regards,
>> Andrey
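
Added illustration, not part of any poster's message and not IOS code: a small Python model that evaluates the "king" VLAN access-map from the top post under both interpretations debated here (OR between the mac and ip match lines, as labbed, versus AND between match lines as in a route-map). The packet dictionaries, the predicate form of the ACLs and the function names are assumptions made for the model.

```python
# Simplified model of the match logic debated in this thread; not IOS code.
# Each ACL is a predicate over a packet dict, mirroring the posted config.
ACLS = {
    "124": lambda p: p.get("src") == "10.20.30.41" and p.get("dst") == "10.20.30.42",
    "r1r2": lambda p: p["ethertype"] == 0x806,  # permit any any 0x806 0x0 (ARP)
}

# vlan access-map king as posted: each inner list is one "match" line.
KING = {
    10: {"action": "drop", "match": [["r1r2"], ["124"]]},
    20: {"action": "forward", "match": []},  # no match line: matches everything
}

def entry_matches(entry, pkt, combine):
    """ACLs named on one match line are ORed; the per-line results are then
    combined with `combine`: any = OR between lines, all = AND between lines."""
    lines = [any(ACLS[name](pkt) for name in line) for line in entry["match"]]
    return combine(lines) if lines else True

def evaluate(policy, pkt, combine):
    """Walk entries in sequence order; the first matching entry decides."""
    for seq in sorted(policy):
        if entry_matches(policy[seq], pkt, combine):
            return seq, policy[seq]["action"]
    return None, None  # nothing matched; the default action is not modelled

# Constructed sample frames (not captured traffic).
ARP = {"ethertype": 0x806}
IP_41_42 = {"ethertype": 0x800, "src": "10.20.30.41", "dst": "10.20.30.42"}
IP_OTHER = {"ethertype": 0x800, "src": "10.20.30.50", "dst": "10.20.30.42"}

if __name__ == "__main__":
    for name, pkt in (("ARP", ARP), ("IP .41->.42", IP_41_42), ("IP other", IP_OTHER)):
        print(f"{name:12} OR={evaluate(KING, pkt, any)} AND={evaluate(KING, pkt, all)}")
```

Under the AND reading no single frame is both ARP and an IP packet matching ACL 124, so entry 10 would never drop anything; under the OR reading both the ARP frame and the .41 to .42 IP packet are dropped at entry 10.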
