RE: Access-list doubt

From: adz (ccie1day@totalise.co.uk)
Date: Fri Mar 14 2003 - 16:46:37 GMT-3


the interfaces are completely independent of each other and the access-lists
are therefore checked independently,

if access-list 169 has "permit any" then any ethernet packets would use
access-list 169 and be permitted.

access-list 102 is only for ISL frames tagged with vlan id 10
  -----Original Message-----
  From: kasturi cisco [mailto:kasturi_cisco@hotmail.com]
  Sent: 14 March 2003 18:29
  To: ccie1day@totalise.co.uk; ccielab@groupstudy.com
  Subject: RE: Access-list doubt

  Adz,

  Thanks for your reply and the time taken. I understand what you say, and the
reason I asked the question was because I have another related doubt, as follows:

  If I have "permit ip any any" in ACL 169, then would it affect ACL 102?
Which ACL gets processed first, or does it not matter? There may be some
common traffic to both which I want to deny.

  Thanks again,

  Good Luck,
  Kasturi.

>From: "adz"
>Reply-To: "adz"
>To: "kasturi cisco" ,
>Subject: RE: Access-list doubt
>Date: Fri, 14 Mar 2003 08:21:36 -0000
>
>interfaces are logically separate, so
>
>access-list 169 is applied to traffic entering and leaving 19.170.156.240
>subnet
>access-list 102 is applied to traffic entering and leaving 192.168.11.0
>subnet
>
>It isn't more complicated than this, honest!
>Consider that a Vlan 10 - ISL 10 frame is an ISL frame - not an IP packet
>until it has been de-capsulated by the router. Fast 0/0 and fast 0/0.10 -
>isl 10 are logically separate!
>
>Incidentally, VLAN 1 using ISL trunking is a tagged frame, unlike 802.1Q - so
>Vlan 1 using ISL is usually configured like this:
>!
>interface FastEthernet0/0.1
>encapsulation isl 1
>ip address 19.170.156.242 255.255.255.248
>ip access-group 169 in
>ip access-group 169 out
>
>cheers
>
>
>
>
>
>-----Original Message-----
>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>kasturi cisco
>Sent: 13 March 2003 19:58
>To: ccielab@groupstudy.com
>Subject: Access-list doubt
>
>
>Group,
>
>I have a doubt and don't have a router with trunk capabilities to test
>this. Can someone confirm and direct me to the document(s), if any? I
>could not locate this on Cisco.
>
>Problem: If I have an access-list on the physical interface and also on the
>sub-interface, which takes precedence? See the config below.
>
>interface FastEthernet0/0
>ip address 19.170.156.242 255.255.255.248
>ip access-group 169 in
>ip access-group 169 out
>speed 10
>half-duplex
>
>interface FastEthernet0/1.10
>encapsulation isl 10
>ip address 192.168.11.3 255.255.255.224
>ip access-group 102 in
>ip access-group 102 out
>
>Thanks in advance for your answers.
>
>Good Luck,
>Kasturi.


This archive was generated by hypermail 2.1.4 : Sat Apr 05 2003 - 08:51:39 GMT-3
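
The behaviour described in the thread, as an added sketch that is not part of the original messages: each frame is mapped to exactly one logical interface (physical or ISL subinterface) and only that interface's inbound ACL is evaluated. The ACL 102 entries, the sample addresses, and the drop for VLANs with no subinterface are assumptions made for illustration.

```python
# Added illustration: models per-(sub)interface inbound ACL selection.
# ACL entries and addresses are constructed samples, not from the thread.
from ipaddress import ip_address, ip_network

ANY = ip_network("0.0.0.0/0")

# Extended-ACL style entries: (action, source network, destination network).
ACLS = {
    169: [("permit", ANY, ANY)],  # "permit ip any any" from the question
    102: [("deny", ip_network("192.168.11.0/27"), ip_network("10.0.0.0/8")),
          ("permit", ANY, ANY)],  # constructed contents for ACL 102
}

# Inbound ACL bound to each logical interface, as in the posted config.
INTERFACES = {
    "FastEthernet0/0": {"isl_vlan": None, "acl_in": 169},
    "FastEthernet0/1.10": {"isl_vlan": 10, "acl_in": 102},
}

def ingress_interface(port, isl_vlan):
    """Untagged frames map to the physical interface, ISL-tagged frames
    to the subinterface whose 'encapsulation isl' id matches."""
    for name, cfg in INTERFACES.items():
        if name.split(".")[0] == port and cfg["isl_vlan"] == isl_vlan:
            return name
    return None  # assumption: no matching (sub)interface, frame is dropped

def evaluate(acl_id, src, dst):
    """First matching entry wins; implicit deny at the end of the list."""
    for action, src_net, dst_net in ACLS[acl_id]:
        if ip_address(src) in src_net and ip_address(dst) in dst_net:
            return action
    return "deny"

def inbound_decision(port, isl_vlan, src, dst):
    """Return (logical interface, verdict) for one received packet."""
    iface = ingress_interface(port, isl_vlan)
    if iface is None:
        return None, "drop"
    return iface, evaluate(INTERFACES[iface]["acl_in"], src, dst)

if __name__ == "__main__":
    # Same packet, different ingress: only the ingress interface's ACL applies.
    print(inbound_decision("FastEthernet0/0", None, "192.168.11.5", "10.1.1.1"))
    print(inbound_decision("FastEthernet0/1", 10, "192.168.11.5", "10.1.1.1"))
```

The "permit ip any any" in ACL 169 has no effect on traffic arriving tagged with ISL VLAN 10; traffic that must be denied on both paths needs a deny entry in both ACLs.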