RE: VACL - two methods...

From: Mike Kraus (mikraus) (mikraus@cisco.com)
Date: Mon Jun 11 2007 - 20:26:02 ART


Narbik,

Thank you for your response, but I ask for a bit more clarification.
Shouldn't sequence 10 of access-map test2 forward all IP traffic (other
than what is explicitly denied) due to the permit ip any any in the
access list prior to using sequence 20? I would have expected it to
work sequentially.

________________________________

From: Narbik Kocharians [mailto:narbikk@gmail.com]
Sent: Monday, June 11, 2007 4:30 PM
To: Mike Kraus (mikraus)
Cc: Cisco certification
Subject: Re: VACL - two methods...

vlan access-map test2 20
    action drop
This is the cause.

On 6/11/07, Mike Kraus (mikraus) <mikraus@cisco.com> wrote:

        Hi all!

        Assume I am trying to prohibit DHCP within a given VLAN.

        If I use this configuration, it all seems to work fine:

           access-list 101 permit udp any eq bootpc any eq bootps
           vlan access-map test1 10
            action drop
            match ip address 101
           vlan access-map test1 20
            action forward
           vlan filter test1 vlan-list 11

        However, if I reverse the logic, I seem to lose all IP connectivity:

           access-list 102 deny udp any eq bootpc any eq bootps
           access-list 102 permit ip any any
           vlan access-map test2 10
            action forward
            match ip address 102
           vlan access-map test2 20
            action drop
           vlan filter test2 vlan-list 12

        I do not see why the second configuration does not do the exact same
        thing as the first. Can someone clarify?

        Thanks,
        Mike
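The sequential behaviour Mike expects is in fact what happens for IP traffic: sequence 10 of test2 matches every IP packet that the permit ip any any covers and forwards it, and a deny ACE in a VACL's match ACL only means "not matched by this entry", it never drops anything on its own. What the terse "action drop is the cause" reply points at is the catch-all: an access-map entry with no match clause matches every frame, and match ip address never sees non-IP frames such as ARP. In test1 the catch-all at sequence 20 forwards ARP; in test2 it drops ARP, so hosts cannot resolve MAC addresses and all IP connectivity on VLAN 12 appears to vanish even though the IP ACL is fine. Frames that match no entry at all are also dropped (the implicit deny at the end of the map). On a real switch, show vlan access-map and show vlan filter confirm what is applied, but they do not reveal which entry a given frame hit.

The following Python model of that evaluation order is an added example, not code from the thread or from Cisco. It reproduces the two access-maps from the original post and a repaired form of test2 that forwards non-IP frames before the catch-all drop. The sample frames are constructed, and the repaired entry is modelled abstractly as "matches any non-IP frame"; the exact MAC ACL syntax needed for that on real hardware is platform specific and is not shown.

```python
"""
Model of how a Cisco VLAN access-map (VACL) decides the fate of a frame.
Added example for the thread above, not code from the original post.

Rules modelled:
  * entries are tried in sequence-number order;
  * "match ip address <acl>" matches only when the frame is IP and the first
    ACE that hits it is a permit; a deny ACE means "this entry does not
    match", it drops nothing by itself;
  * an entry with no match clause matches every frame, IP or not;
  * a frame that matches no entry is dropped (implicit deny at the end).
Assumption: kind="mac" entries are modelled as matching any non-IP frame;
the real MAC ACL syntax differs per platform and is not modelled.
"""
from dataclasses import dataclass
from typing import Optional

BOOTPS, BOOTPC = 67, 68  # DHCP server / client UDP ports


@dataclass(frozen=True)
class Frame:
    proto: str                    # "arp" (non-IP) or an IP protocol: "udp", "tcp", "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None

    @property
    def is_ip(self) -> bool:
        return self.proto != "arp"


@dataclass(frozen=True)
class Ace:
    action: str                   # "permit" | "deny"
    proto: str                    # "ip" (any IP protocol) | "udp" | "tcp" | "icmp"
    sport: Optional[int] = None   # None = any port
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    seq: int
    action: str                   # "forward" | "drop"
    match: Optional[tuple]        # tuple of Ace; None = no match clause (catch-all)
    kind: str = "ip"              # "ip" = match ip address, "mac" = match mac address (modelled)


def ace_hits(ace: Ace, f: Frame) -> bool:
    """Does this single ACE line cover the frame? First-hit order is the caller's job."""
    if ace.proto != "ip" and ace.proto != f.proto:
        return False
    if ace.sport is not None and ace.sport != f.sport:
        return False
    if ace.dport is not None and ace.dport != f.dport:
        return False
    return True


def entry_matches(e: Entry, f: Frame) -> bool:
    if e.match is None:           # no match clause: matches everything, ARP included
        return True
    if e.kind == "mac":           # modelling assumption: MAC ACL sees only non-IP frames
        return not f.is_ip
    if not f.is_ip:               # an IP ACL never sees ARP or other non-IP frames
        return False
    for ace in e.match:
        if ace_hits(ace, f):
            return ace.action == "permit"   # a deny ACE means "not matched by this entry"
    return False


def vacl_verdict(access_map: tuple, f: Frame) -> str:
    """Return "forward" or "drop" for one frame under the given access-map."""
    for e in sorted(access_map, key=lambda x: x.seq):
        if entry_matches(e, f):
            return e.action
    return "drop"                 # matched no entry: implicit drop


# The two access-maps from the original post.
ACL_101 = (Ace("permit", "udp", BOOTPC, BOOTPS),)
ACL_102 = (Ace("deny", "udp", BOOTPC, BOOTPS), Ace("permit", "ip"))
TEST1 = (Entry(10, "drop", ACL_101), Entry(20, "forward", None))
TEST2 = (Entry(10, "forward", ACL_102), Entry(20, "drop", None))
# Repaired second form: forward non-IP frames (ARP) before the catch-all drop.
TEST2_FIXED = (Entry(10, "forward", ACL_102),
               Entry(15, "forward", (), kind="mac"),
               Entry(20, "drop", None))

# Constructed sample traffic seen on the VLAN.
SAMPLES = {
    "dhcp_discover": Frame("udp", BOOTPC, BOOTPS),
    "dns_query":     Frame("udp", 51234, 53),
    "http":          Frame("tcp", 40000, 80),
    "arp":           Frame("arp"),
}


def verdicts(access_map: tuple) -> dict:
    """Verdict for every sample frame, keyed by sample name."""
    return {name: vacl_verdict(access_map, f) for name, f in SAMPLES.items()}


if __name__ == "__main__":
    for name, m in (("test1", TEST1), ("test2", TEST2), ("test2_fixed", TEST2_FIXED)):
        print(name, verdicts(m))
```

Running it shows test1 and test2 agreeing on every IP sample (DHCP dropped, DNS and HTTP forwarded) and differing only on ARP, which is exactly the symptom reported: the IP ACL is correct, the catch-all drop is what breaks the VLAN.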



This archive was generated by hypermail 2.1.4 : Sun Jul 01 2007 - 17:24:48 ART