
CoPP class-map match rule question

WiKiD
Level 1

Hello everyone,

If you use the example ACL 121 from the CoPP best practice:

access-list 121 permit tcp <NOC block> <router receive block> eq telnet
access-list 121 permit tcp <NOC block> eq telnet <router receive block> established
access-list 121 permit tcp <NOC block> <router receive block> eq 22
access-list 121 permit tcp <NOC block> eq 22 <router receive block> established
access-list 121 permit udp <NOC block> <router receive block> eq snmp
access-list 121 permit tcp <NOC block> <router receive block> eq www
access-list 121 permit udp <NOC block> <router receive block> eq 443
access-list 121 permit tcp <NOC block> <router receive block> eq ftp
access-list 121 permit tcp <NOC block> <router receive block> eq ftp-data
access-list 121 permit udp <NOC block> <router receive block> eq syslog
access-list 121 permit udp <DNS block> eq domain <router receive block>
access-list 121 permit udp <NTP block> <router receive block> eq ntp
---etc--- for known good management traffic...

and then the class definition, also from the CoPP best practice:

!
class-map match-all Management
 match access-group 121

My question is:

Does a packet that is checked with the ACL have to match all the permit statements before it is considered a member of the class Management?

Or is it like this: a packet is received and checked with ACL 121, and if it matches one permit statement it is a member of the class Management?

The "match-all" confuses me.

Is there someone out there who can explain this?


Accepted Solutions

Hi,
A packet must match 1 permit statement in your ACL121, just like any normal ACL. In the class-map you can define multiple "match" statements in addition to the ACL - in that instance you'd have to match-all. In your scenario you are only matching on access-group 121, so it makes no difference.

HTH
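
The evaluation described in the answer, as a small Python model added here for illustration (it is not code from the post or from Cisco). The address blocks and the second match statement, `match ip dscp cs6`, are assumptions chosen for the example, and only three of the ACL 121 entries are modeled.

```python
import ipaddress
from dataclasses import dataclass

# Constructed stand-ins for the post's <NOC block> and <router receive block>.
NOC = ipaddress.ip_network("192.0.2.0/24")
ROUTER = ipaddress.ip_network("198.51.100.0/24")

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    dscp: int = 0

# Three entries of ACL 121 from the post: (action, proto, source, destination, dest port).
ACL_121 = [
    ("permit", "tcp", NOC, ROUTER, 23),   # eq telnet
    ("permit", "tcp", NOC, ROUTER, 22),   # eq 22
    ("permit", "udp", NOC, ROUTER, 161),  # eq snmp
]

def acl_permits(acl, pkt):
    """Entries are tried top-down; the first one that fits decides, else implicit deny."""
    for action, proto, src, dst, dport in acl:
        if (pkt.proto == proto and pkt.dport == dport
                and ipaddress.ip_address(pkt.src) in src
                and ipaddress.ip_address(pkt.dst) in dst):
            return action == "permit"
    return False

def match_acl_121(pkt):
    """Models 'match access-group 121': a single match statement, true or false."""
    return acl_permits(ACL_121, pkt)

def match_dscp_cs6(pkt):
    """Hypothetical second statement 'match ip dscp cs6' (DSCP 48), not in the post."""
    return pkt.dscp == 48

def in_class(mode, statements, pkt):
    """match-all / match-any combine the class-map's match statements, not ACL entries."""
    results = [stmt(pkt) for stmt in statements]
    return all(results) if mode == "match-all" else any(results)

ssh = Packet("tcp", "192.0.2.10", "198.51.100.1", 22)   # constructed NOC SSH packet
for mode in ("match-all", "match-any"):
    print(mode, in_class(mode, [match_acl_121], ssh),
          in_class(mode, [match_acl_121, match_dscp_cs6], ssh))
```

With only `match access-group 121` in the class-map, both modes classify the SSH packet the same way; the modes diverge only once a second match statement is present.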
