From: Chris Lewis (chrlewiscsco@gmail.com)
Date: Fri Feb 24 2006 - 18:47:15 GMT-3
The latter I believe. If there are multiple matches in a statement, the
first one to find a match executes the action on the matched packet.
Chris
On 2/22/06, Matt White <mwhite23@gmail.com> wrote:
>
> Chris,
>
> To take your example, does the "first entry in a VLAN map" they refer
> to the "vlan access-map 10" portion, or the "match mac" and/or "match
> ip" part of the map...?
>
> I fully comprehend that the numeric order part acts like an
> access-list, where the first match is acted on and no more processing
> occurs. If it matches 10, it does its thing, and doesn't care about
> 20, 30 or 40.
>
> Do you think the link from CCO also refers to multiple matches in the
> same vlan access-map statement?
>
> Scott,
>
> I like your answer, but it seems too good to be true. Why can't the
> documentation just come right out and say this? (Aren't you a
> journalism major? You should get Cisco to hire you as their "Expert
> Documentation Translator" and make everyone's life a lot easier.)
>
>
>
> Matt White
> CCIE #14533
> Systems Engineering
> Connecting Business With Technology
> (207) 773-5245
>
>
> On 2/22/06, Chris Lewis <chrlewiscsco@gmail.com> wrote:
> > So the question is I think whether the VLAN map acts like an ACL in that if
> > a match is found, the packet escapes further processing within the ACL, or
> > more like a class-map configured with match-all, whereby all match entries
> > have to be met in order to match in to the class.
> >
> > Referring to the configuration guide, the VLAN MAP Configuration Guidelines
> > at
> > http://www.cisco.com/univercd/cc/td/doc/product/lan/c3550/12225seb/scg/swacl.htm#wp1075348
> > quote the following:
> >
> > Each VLAN map consists of a series of entries. The order of entries in an
> > VLAN map is important. A packet that comes into the switch is tested against
> > the first entry in the VLAN map. If it matches, the action specified for
> > that part of the VLAN map is taken. If there is no match, the packet is
> > tested against the next entry in the map.
> >
> > Chris
> >
> > On 2/22/06, Matt White <mwhite23@gmail.com> wrote:
> > >
> > > Trying to remember the operation of this command; can recall how it
> > > differs from policy-maps as it doesn't allow the option,
> > >
> > > Example:
> > >
> > > mac access-list extended MAC
> > > permit any any cos 0
> > >
> > > ip access-list extended IP
> > > permit ip 172.19.233.0 0.0.0.255 any
> > >
> > > vlan access-map BLOCK 10
> > > action forward
> > > match mac address MAC
> > > match ip address IP
> > > vlan access-map BLOCK 20
> > > action drop
> > >
> > > Can someone explain if the "match mac" and "match ip" both need to be
> > > satisfied? I am away from a "testable" 3550 currently so I cannot
> > > replicate.
> > >
> > > Thanks!
> > >
> > >
This archive was generated by hypermail 2.1.4 : Wed Mar 01 2006 - 11:28:18 GMT-3