Re: VLAN Filter Scenario

From: Petr Lapukhov (petr@internetworkexpert.com)
Date: Wed Dec 06 2006 - 04:01:45 ART


A good one! :)

Actually, it's not that hard, if you recall how VLAN ACLs match packets.

First, an IP packet is matched *only* against IP ACLs; a non-IP packet
matches MAC ACLs *only*.

Therefore, your VLAN filter will permit IP traffic only from the mentioned IP
addresses (note that this may be really bad, if your VLAN is transit);

In addition, this VLAN filter will only permit NON-IP packets with CoS of 0.

For a more readable filter, I'd split the matching of IP and non-IP packets
into two sections of the VLAN access-map.

And yes, I did test this list in the lab - with IP and IPX; IPX was sent over
the trunk link, marked with CoS 6 or CoS 0.

HTH

2006/12/6, Lab Rat #109385382 <techlist01@gmail.com>:
>
> How would you guys interpret the behavior of the following combination of
> statements:
>
>
> mac access-list extended COS-0
> permit any any cos 0
>
> ip access-list extended IP-ALLOW
> permit ip host 1.1.1.1
> permit ip host 1.1.1.100
>
> vlan access-map V-FILT 10
> action forward
> match mac address COS-0
> match ip address IP-ALLOW
>
> vlan filter V-FILT vlan-list 555
>
>
> Thanks,
>
> Ed
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
>

-- 
Petr Lapukhov, CCIE #16379
petr@internetworkexpert.com

Internetwork Expert, Inc. http://www.InternetworkExpert.com Toll Free: 877-224-8987 Outside US: 775-826-4344
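Added illustration, not part of the thread above: a small Python model of the matching rule Petr describes (an IP packet is tested only against the sequence's IP ACL, a non-IP packet only against its MAC ACL, and anything unmatched falls to the access-map's implicit deny), applied first to Ed's single-sequence V-FILT and then to the two-sequence split Petr recommends. The IP ACL entries are assumed to have a destination of `any`, IPX stands in for "non-IP" as in Petr's lab test, and the sample frames and CoS values are constructed for the example.

```python
# Model of VLAN access-map evaluation as described in the reply above.
# Constructed example; ACL contents mirror the quoted config, sample frames are
# made up. IP ACL destination is assumed to be "any".

from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Frame:
    is_ip: bool
    src_ip: Optional[str] = None   # only meaningful for IP packets
    cos: int = 0                   # 802.1p CoS carried on the trunk


@dataclass
class Sequence:
    """One 'vlan access-map NAME SEQ' entry with its match clauses."""
    action: str                          # "forward" or "drop"
    mac_acl: Optional[List[dict]] = None  # match mac address ...
    ip_acl: Optional[List[dict]] = None   # match ip address ...


# mac access-list extended COS-0 / permit any any cos 0
MAC_ACL_COS0 = [{"cos": 0}]

# ip access-list extended IP-ALLOW (destination assumed "any")
IP_ACL_ALLOW = [{"src": "1.1.1.1"}, {"src": "1.1.1.100"}]

# Ed's filter: one sequence carrying both a MAC and an IP match clause.
V_FILT_COMBINED = [Sequence("forward", mac_acl=MAC_ACL_COS0, ip_acl=IP_ALLOW if False else IP_ACL_ALLOW)]

# Petr's suggestion: non-IP and IP handled in separate sequences.
V_FILT_SPLIT = [
    Sequence("forward", mac_acl=MAC_ACL_COS0),   # seq 10: non-IP with CoS 0
    Sequence("forward", ip_acl=IP_ACL_ALLOW),    # seq 20: IP from listed hosts
]


def mac_acl_matches(acl: List[dict], frame: Frame) -> bool:
    return any(entry["cos"] == frame.cos for entry in acl)


def ip_acl_matches(acl: List[dict], frame: Frame) -> bool:
    return any(entry["src"] == frame.src_ip for entry in acl)


def sequence_matches(seq: Sequence, frame: Frame) -> bool:
    # An IP packet consults only the IP ACL of the sequence; a non-IP packet
    # consults only the MAC ACL. A sequence lacking an ACL of the frame's type
    # cannot match that frame at all, so its other clause is irrelevant.
    if frame.is_ip:
        return seq.ip_acl is not None and ip_acl_matches(seq.ip_acl, frame)
    return seq.mac_acl is not None and mac_acl_matches(seq.mac_acl, frame)


def vacl_action(frame: Frame, sequences: List[Sequence]) -> str:
    """Sequences are evaluated in order; first match wins; implicit deny at end."""
    for seq in sequences:
        if sequence_matches(seq, frame):
            return seq.action
    return "drop"


def evaluate_samples(sequences: List[Sequence]) -> Dict[str, str]:
    samples = {
        "ip_from_1.1.1.1": Frame(is_ip=True, src_ip="1.1.1.1", cos=0),
        "ip_from_10.0.0.9": Frame(is_ip=True, src_ip="10.0.0.9", cos=0),
        "ipx_cos0": Frame(is_ip=False, cos=0),
        "ipx_cos6": Frame(is_ip=False, cos=6),
    }
    return {name: vacl_action(f, sequences) for name, f in samples.items()}


def split_equals_combined() -> bool:
    """The readable two-sequence form yields the same verdicts as Ed's one-liner."""
    return evaluate_samples(V_FILT_COMBINED) == evaluate_samples(V_FILT_SPLIT)


if __name__ == "__main__":
    for name, verdict in evaluate_samples(V_FILT_COMBINED).items():
        print(f"{name:18s} -> {verdict}")
    print("split form equivalent:", split_equals_combined())
```

Note the second sample: an IP packet with CoS 0 from an unlisted address is dropped even though it would satisfy the MAC ACL, because the MAC clause is never consulted for IP traffic; that is the transit-VLAN risk Petr points out.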



This archive was generated by hypermail 2.1.4 : Tue Jan 02 2007 - 07:50:36 ART