From: Matt White (mwhite23@gmail.com)
Date: Wed Feb 22 2006 - 21:41:30 GMT-3

Chris,

To take your example, does the "first entry in a VLAN map" refer
to the "vlan access-map 10" portion, or the "match mac" and/or "match
ip" part of the map...?

I fully comprehend that the numeric order part acts like an
access-list, where the first match is acted on and no more processing
occurs. If it matches 10, it does its thing, and doesn't care about
20, 30 or 40.

Do you think the link from CCO also refers to multiple matches in the
same vlan access-map statement?

Scott,

I like your answer, but it seems too good to be true. Why can't the
documentation just come right out and say this? (Aren't you a
journalism major? You should get Cisco to hire you as their "Expert
Documentation Translator" and make everyone's life a lot easier.)

Matt White
CCIE #14533
Systems Engineering
Connecting Business With Technology
(207) 773-5245

On 2/22/06, Chris Lewis <chrlewiscsco@gmail.com> wrote:
> So the question is I think whether the VLAN map acts like an ACL in that if
> a match is found, the packet escapes further processing within the ACL, or
> more like a class-map configured with match-all, whereby all match entries
> have to be met in order to match in to the class.
>
> Referring to the configuration guide, the VLAN MAP Configuration Guidelines
> at
> http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225seb/scg/swacl.htm#wp1075348
> quote the following:
>
> Each VLAN map consists of a series of entries. The order of entries in an
> VLAN map is important. A packet that comes into the switch is tested against
> the first entry in the VLAN map. If it matches, the action specified for
> that part of the VLAN map is taken. If there is no match, the packet is
> tested against the next entry in the map.
>
> Chris
>
> On 2/22/06, Matt White <mwhite23@gmail.com> wrote:
> >
> > Trying to remember the operation of this command; can recall how it
> > differs from policy-maps as it doesn't allow the option,
> >
> > Example:
> >
> > mac access-list extended MAC
> >  permit any any cos 0
> >
> > ip access-list extended IP
> >  permit ip 172.19.233.0 0.0.0.255 any
> >
> > vlan access-map BLOCK 10
> >  action forward
> >  match mac address MAC
> >  match ip address IP
> > vlan access-map BLOCK 20
> >  action drop
> >
> > Can someone explain if the "match mac" and "match ip" both need to be
> > satisfied? I am away from a "testable" 3550 currently so I cannot
> > replicate.
> >
> > Thanks!
> >
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html