Re: VACL issue

From: Rich Collins (nilsi2002@gmail.com)
Date: Sun Sep 30 2007 - 09:13:52 ART

• Next message: Rich Collins: "Re: rate-limiting"
• Previous message: Gary Duncanson: "European Study Partners"
• Maybe in reply to: Jason Guy \(jguy\): "VACL issue"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

> I'm not exactly sure myself but looking through my notes it seems that all
> VACL examples are based on access groups with a permit statement (positive
> match versus negative match).
>
> Rich
>
> On 9/29/07, Jason Guy (jguy) <jguy@cisco.com> wrote:
> >
> > I know this has been touched on in the past, though I cannot find this
> > in the achieves. I found many with the IP acl based vlan access map,
> > but not mac acl based.
> >
> > I thought I would try to set up a VACL 2 different ways on a vlan. The
> > goal was to drop decnet-stp frames and allow all others types of traffic
> > to pass.
> >
> > This is the one that is not working. My logic here was in the mac acl,
> > match everything except DEC and forward those. I am not quite sure the
> > mac acl works this manner. Doesn't a permit any any match any
> > ethertype?
> >
> > mac access-list extended NO_DEC
> > deny any any dec-spanning
> > permit any any
> > !
> > vlan access-map NO_DEC 10
> > action forward
> > match mac address NO_DEC
> > vlan access-map NO_DEC 20
> > action drop
> > !
> > vlan filter NO_DEC vlan-list 363
> > !
> >
> > My second version does work. It is defined in a way I find to be
> > logical. Drop the unwanted frames (by getting a positive match on the
> > mac acl = drop). Then it just forwards by default.
> >
> > mac access-list extended DEC
> > permit any any dec-spanning
> > spanning-tree mode pvst
> > spanning-tree extend system-id
> > !
> > vlan access-map NO_DEC 10
> > action drop
> > match mac address DEC
> > vlan access-map NO_DEC 20
> > action forward
> > !
> > vlan filter NO_DEC vlan-list 363
> > !
> >
> > Can someone refresh my memory as to why the first approach does not
> > match all but the unwanted frame type?
> >
> > Thanks,
> > Jason
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html

• Next message: Rich Collins: "Re: rate-limiting"
• Previous message: Gary Duncanson: "European Study Partners"
• Maybe in reply to: Jason Guy \(jguy\): "VACL issue"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

This archive was generated by hypermail 2.1.4 : Sat Oct 06 2007 - 12:01:17 ART