Is it like I said? I think so :) Thanks for confirmation mate!

Regards,
Piotr

2011/9/12 Kingsley Charles <[email protected]>

> Labbed it and confirmed that it is ORed between the mac and ip ACL.
>
> access-list 124 permit ip host 10.20.30.41 host 10.20.30.42
>
> mac access-list extended r1r2
> permit any any 0x806 0x0
>
> vlan access-map king 10
> action drop
> match mac address r1r2
> match ip address 124
>
> vlan access-map king 20
> action forward
>
> With regards
> Kings
>
> On Mon, Sep 12, 2011 at 12:59 PM, Kingsley Charles <[email protected]> wrote:
>
>> Now consider the following configuration. In vlan access-map king 10, the
>> operation is OR between "123" and "124". If there is no match for
>> access-map 10, then it goes for access-map 20.
>>
>> vlan access-map king 10
>> action forward
>> match ip address 123 124
>> vlan access-map king 20
>> action forward
>> match ip address 125
>>
>> The route-maps and vlan access-maps use nearly the same logic. In entry
>> 10, either 123 or 124 should be matched, which is an OR operation, and that
>> is ANDed with match length. So either 123 + match length or 124 + match
>> length is the matching criteria for entry 10.
>>
>> If there is no match for 10, 20 is checked for.
>>
>> route-map king permit 10
>> match ip address 123 124
>> match length 100 200
>>
>> route-map king permit 20
>> match ip address 125
>>
>> Now with vlan access-maps, you can't define two match criteria within an
>> entry that can be ANDed like we do for route-maps. Hence there is concept of
>> AND operation in vlan access map. The exception to this is the following one
>> which has the match ip and mac. Since the match is in different lines, they
>> should be ANDed.
>>
>> So my question, is the following valid which ANDs a mac IP and mac mac?
>>
>> vlan access-map king
>> action forward
>> match mac address macking
>> match ip address 123
>>
>> With regards
>> Kings
>>
>> On Sun, Sep 11, 2011 at 2:16 PM, Andrey <[email protected]> wrote:
>>
>>> Kingsley,
>>>
>>> I do not quite understand your interpretation of the rules,
>>> just clarify how I understand:
>>>
>>> It is "OR" inside sequence of access-map,
>>> and "AND" between sequences.
>>>
>>> Piotr,
>>>
>>> I agree with you in all except one -
>>> "When a flow matches permit ACL entry, the associated action is taken and
>>> the flow is not checked against the remaining sequences"
>>>
>>> My understanding - it is not checked against the remaining entries in
>>> same sequence, but checked against the remaining sequences.
>>>
>>> Best regards,
>>> Andrey
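
The lab result quoted above, worked through as an added example (not code from any poster in this thread, and a model only, not Cisco's implementation): it walks "vlan access-map king" with the match clauses of one entry ORed, and beside it the ANDed reading, so the difference shows on concrete frames. `Frame`, `evaluate` and `evaluate_and` are hypothetical names, the frames are constructed, and dropping a frame that matches no entry is an assumption.

```python
from dataclasses import dataclass

ETH_IP, ETH_ARP = 0x0800, 0x0806

@dataclass(frozen=True)
class Frame:
    ethertype: int
    src: str = ""  # IPv4 source, empty for non-IP frames
    dst: str = ""  # IPv4 destination, empty for non-IP frames

def acl_124(f):
    # access-list 124 permit ip host 10.20.30.41 host 10.20.30.42
    return f.ethertype == ETH_IP and (f.src, f.dst) == ("10.20.30.41", "10.20.30.42")

def mac_r1r2(f):
    # mac access-list extended r1r2 / permit any any 0x806 0x0
    return f.ethertype == ETH_ARP

# vlan access-map king as (sequence, action, match ACLs).
# An entry without a match clause matches every frame.
KING = [
    (10, "drop", [mac_r1r2, acl_124]),
    (20, "forward", []),
]

def evaluate(access_map, frame):
    """First matching entry wins; clauses inside one entry are ORed (the lab result)."""
    for seq, action, acls in sorted(access_map, key=lambda e: e[0]):
        if not acls or any(acl(frame) for acl in acls):
            return seq, action
    return None, "drop"  # assumption: no entry matched, frame is dropped

def evaluate_and(access_map, frame):
    """Same walk with the clauses ANDed: the reading the lab result rules out."""
    for seq, action, acls in sorted(access_map, key=lambda e: e[0]):
        if all(acl(frame) for acl in acls):
            return seq, action
    return None, "drop"  # assumption, as above

if __name__ == "__main__":
    samples = {  # constructed frames
        "ARP": Frame(ETH_ARP),
        "IP .41 -> .42": Frame(ETH_IP, "10.20.30.41", "10.20.30.42"),
        "IP .42 -> .41": Frame(ETH_IP, "10.20.30.42", "10.20.30.41"),
    }
    for name, frame in samples.items():
        print(f"{name:14} OR={evaluate(KING, frame)} AND={evaluate_and(KING, frame)}")
```

Under the ANDed reading entry 10 can never match, because no frame is both ARP and IP, so everything falls through to entry 20 and is forwarded.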
