From: Mohammad Saeed (mzsaeed@gmail.com)
Date: Mon Jun 11 2007 - 19:39:34 ART
The first configuration is right, and this is what is recommended when
using VLAN access maps:
Match what you want to drop by permitting that in an ACL
Match that ACL in the VLAN access map and give it the action DROP
In the second entry of the access map, forward everything else
Apply that access map using VLAN FILTER.
In the reverse logic that you are using, look at your statement:
vlan access-map test2 20
action drop
Now, as no ACL is defined here, it means everything will match and will
eventually be dropped. Why access-map entry 10 is not forwarding
the rest of the traffic in your second config, maybe Narbik or other
seniors can shed light on this?
Regards,
Mohammad Zahed Saeed
On 6/11/07, Mike Kraus (mikraus) <mikraus@cisco.com> wrote:
> Hi all!
>
> Assume I am trying to prohibit DHCP within a given VLAN.
>
> If I use this configuration, it all seems to work fine:
>
> access-list 101 permit udp any eq bootpc any eq bootps
> vlan access-map test1 10
> action drop
> match ip address 101
> vlan access-map test1 20
> action forward
> vlan filter test1 vlan-list 11
>
> However, if I reverse the logic, I seem to lose all IP connectivity:
>
> access-list 102 deny udp any eq bootpc any eq bootps
> access-list 102 permit ip any any
> vlan access-map test2 10
> action forward
> match ip address 102
> vlan access-map test2 20
> action drop
> vlan filter test2 vlan-list 12
>
> I do not see why the second configuration does not do the exact same
> thing as the first. Can someone clarify?
>
> Thanks,
> Mike
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
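Added example, not part of either message above: a small Python model of how a VLAN access map evaluates a packet, with the two maps from the thread transcribed into it. It assumes the evaluation rules given in Cisco's VLAN-map documentation and listed in the docstring (first matching sequence wins; a "match ip address" clause matches only on a permit ACE, so a deny ACE or no ACE at all falls through; a sequence without a match clause matches everything; a packet matching no sequence is dropped only if the map has a match clause for its packet type). Under those rules the reversed map test2 forwards non-DHCP IP traffic but drops non-IP frames such as ARP, because they match neither the "match ip address 102" sequence nor any permit, and land in the catch-all drop sequence 20. The packets, port numbers and the test2_fixed map are constructed for the example; test2_fixed is one way to keep the reversed logic under these rules, not a configuration taken from the thread.

```python
"""Toy evaluator for a Cisco VLAN access-map (VACL).

Constructed example written for this thread, not code from the post.
Rules modelled (from Cisco's VLAN-map documentation; IPv6, fragments and
hardware programming are ignored):
  1. Sequences are tried in order; the first one whose match clause
     matches the packet decides the action.
  2. 'match ip address <acl>' matches only if the packet hits a PERMIT
     ACE. Hitting a DENY ACE, or no ACE at all, is a no-match for that
     sequence and the packet falls through to the next sequence.
  3. A sequence with no match clause matches every packet.
  4. A packet that matches no sequence is dropped if the map has any
     match clause for its packet type (IP here) and forwarded otherwise,
     so non-IP frames such as ARP are forwarded by a map that contains
     only 'match ip address' clauses.
"""
from dataclasses import dataclass
from typing import List, Optional

BOOTPS, BOOTPC = 67, 68


@dataclass(frozen=True)
class Packet:
    proto: str                   # "ip", or a non-IP name such as "arp"
    l4: Optional[str] = None     # "udp", "tcp", ... for IP packets
    sport: Optional[int] = None
    dport: Optional[int] = None


@dataclass(frozen=True)
class Ace:
    """One access-list entry; None fields are wildcards ('any')."""
    permit: bool
    l4: Optional[str] = None     # None models 'ip any any'
    sport: Optional[int] = None
    dport: Optional[int] = None

    def hits(self, p: Packet) -> bool:
        if p.proto != "ip":
            return False
        if self.l4 is None:
            return True
        return (p.l4 == self.l4
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport))


@dataclass(frozen=True)
class Seq:
    """One 'vlan access-map NAME n' entry."""
    action: str                            # "forward" or "drop"
    match_ip: Optional[List[Ace]] = None   # ACL for 'match ip address'; None = no match clause


def acl_permits(acl: List[Ace], p: Packet) -> Optional[bool]:
    """True/False from the first ACE that matches p; None if no ACE matches (implicit deny)."""
    for ace in acl:
        if ace.hits(p):
            return ace.permit
    return None


def evaluate(vmap: List[Seq], p: Packet) -> str:
    """Return the action the VLAN map applies to p under rules 1-4."""
    for seq in vmap:
        if seq.match_ip is None:              # rule 3: no match clause matches all
            return seq.action
        if acl_permits(seq.match_ip, p):      # rule 2: only a permit ACE counts as a match
            return seq.action
    has_ip_clause = any(s.match_ip is not None for s in vmap)
    if p.proto == "ip" and has_ip_clause:     # rule 4: implicit drop for the matched type
        return "drop"
    return "forward"


# The two maps from the thread, transcribed into the model.
acl_101 = [Ace(True, "udp", BOOTPC, BOOTPS)]              # permit udp any eq bootpc any eq bootps
acl_102 = [Ace(False, "udp", BOOTPC, BOOTPS), Ace(True)]  # deny that, then permit ip any any

test1 = [Seq("drop", acl_101), Seq("forward")]
test2 = [Seq("forward", acl_102), Seq("drop")]
# Assumed variant (not from the thread): keep the reversed logic but let the
# drop sequence match only DHCP, so non-IP frames fall to the rule-4 default.
test2_fixed = [Seq("forward", acl_102), Seq("drop", acl_101)]

# Constructed sample traffic: a DHCP DISCOVER, an HTTP SYN and an ARP request.
DHCP = Packet("ip", "udp", BOOTPC, BOOTPS)
HTTP = Packet("ip", "tcp", 51234, 80)
ARP = Packet("arp")
SAMPLE = {"dhcp": DHCP, "http": HTTP, "arp": ARP}


def verdicts(vmap: List[Seq]) -> dict:
    """Map each sample packet name to the action the given VLAN map applies."""
    return {name: evaluate(vmap, p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for name, vmap in (("test1", test1), ("test2", test2), ("test2_fixed", test2_fixed)):
        print(name, verdicts(vmap))
```

Running it shows test1 dropping only DHCP, test2 dropping DHCP and ARP (hence no IP connectivity once hosts cannot resolve their gateway), and test2_fixed dropping only DHCP again. The point to check on real hardware is rule 2: a deny ACE in an ACL referenced by a VLAN map never "denies" the packet by itself; it only sends the packet to the next sequence, so the sequence that finally decides must be chosen with non-IP traffic in mind.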
This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:48 ART