From: Jason Guy \(jguy\) (jguy@cisco.com)
Date: Sat Sep 29 2007 - 15:13:46 ART
I know this has been touched on in the past, though I cannot find this
in the archives. I found many with the IP acl based vlan access map,
but not mac acl based.
I thought I would try to set up a VACL 2 different ways on a vlan. The
goal was to drop decnet-stp frames and allow all others types of traffic
to pass.
This is the one that is not working. My logic here was in the mac acl,
match everything except DEC and forward those. I am not quite sure the
mac acl works in this manner. Doesn't a permit any any match any
ethertype?
mac access-list extended NO_DEC
deny any any dec-spanning
permit any any
!
vlan access-map NO_DEC 10
action forward
match mac address NO_DEC
vlan access-map NO_DEC 20
action drop
!
vlan filter NO_DEC vlan-list 363
!
My second version does work. It is defined in a way I find to be
logical. Drop the unwanted frames (by getting a positive match on the
mac acl = drop). Then it just forwards by default.
mac access-list extended DEC
permit any any dec-spanning
spanning-tree mode pvst
spanning-tree extend system-id
!
vlan access-map NO_DEC 10
action drop
match mac address DEC
vlan access-map NO_DEC 20
action forward
!
vlan filter NO_DEC vlan-list 363
!
Can someone refresh my memory as to why the first approach does not
match all but the unwanted frame type?
Thanks,
Jason
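As an added illustration (not part of Jason's post, and not Cisco code), here is a small Python model of how the two NO_DEC vlan access-maps are walked. It assumes, as a stated modelling assumption, that a MAC ACL referenced in a VLAN map is only matched against non-IP frames (the ip_blind flag), that frames matching no sequence are dropped, and the EtherType values 0x0800 (IP), 0x8038 (dec-spanning) and 0x8137 (IPX); the sample frames are constructed.

```python
# Added example, not from the original post: a model of VLAN access-map
# evaluation used to compare the two NO_DEC maps from the message.
# Assumptions (mine, not stated in the post):
#   * a MAC ACL in a VLAN map is matched against non-IP frames only
#     (ip_blind=True); IP frames skip it and fall to the next sequence
#   * EtherType values: IP 0x0800, dec-spanning 0x8038, IPX 0x8137
#   * frames that match no sequence are dropped (VACL implicit deny)
# All frames below are constructed sample data.

ETHERTYPE_IP = 0x0800
ETHERTYPE_DEC_STP = 0x8038   # IOS keyword "dec-spanning"
ETHERTYPE_IPX = 0x8137

# Each ACE is (action, ethertype); ethertype None means "any".
ACL_NO_DEC = [("deny", ETHERTYPE_DEC_STP), ("permit", None)]
ACL_DEC = [("permit", ETHERTYPE_DEC_STP)]

# VLAN map sequences in order; "match" None means no match clause.
MAP_FIRST = [  # forward what NO_DEC permits, drop the rest
    {"seq": 10, "action": "forward", "match": ACL_NO_DEC},
    {"seq": 20, "action": "drop", "match": None},
]
MAP_SECOND = [  # drop what DEC permits, forward the rest
    {"seq": 10, "action": "drop", "match": ACL_DEC},
    {"seq": 20, "action": "forward", "match": None},
]


def mac_acl_result(acl, ethertype, ip_blind=True):
    """Return 'permit', 'deny' or None (no ACE matched) for one frame."""
    if ip_blind and ethertype == ETHERTYPE_IP:
        return None          # IP frames are never classified by the MAC ACL
    for action, ace_type in acl:
        if ace_type is None or ace_type == ethertype:
            return action
    return None              # implicit deny at the end of the ACL


def vlan_map_action(vlan_map, ethertype, ip_blind=True):
    """Walk the sequences in order; a sequence applies when its ACL
    permits the frame (a deny means 'try the next sequence')."""
    for seq in vlan_map:
        acl = seq["match"]
        if acl is None or mac_acl_result(acl, ethertype, ip_blind) == "permit":
            return seq["action"]
    return "drop"            # nothing matched: VACL default is drop


def compare_maps(ip_blind=True):
    """Action each map takes for a constructed IP, DEC STP and IPX frame."""
    frames = {"ip": ETHERTYPE_IP, "dec_stp": ETHERTYPE_DEC_STP, "ipx": ETHERTYPE_IPX}
    return {
        "first": {n: vlan_map_action(MAP_FIRST, t, ip_blind) for n, t in frames.items()},
        "second": {n: vlan_map_action(MAP_SECOND, t, ip_blind) for n, t in frames.items()},
    }


if __name__ == "__main__":
    for name, result in compare_maps().items():
        print(name, result)
```

Under the ip_blind assumption the first map sends every IP frame past sequence 10 into the unconditional drop at sequence 20, while the second map only catches the DEC STP frames and forwards everything else by default; running compare_maps(ip_blind=False) shows both maps behaving the same, so whether the switch classifies IP frames with a MAC ACL is the single assumption that decides the outcome.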
This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:16 ART